mac: Allow reading Managed Preferences within the sandbox.

This allows reading the Managed Preferences equivalent of the existing
preference path allow rules in common.sb.

This also allows reading ~/Library/Preferences/com.apple.security.plist
in network.sb.

Bug: 1134449
Change-Id: I42d414e5133c5931907d38c2bdb26d1431f837e7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2535650Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#826992}

content/browser/sandbox_mac_unittest.mm

@@ -5,16 +5,20 @@
 #import <Cocoa/Cocoa.h>
 #import <Foundation/Foundation.h>
 
+#include <fcntl.h>
+
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_file.h"
+#include "base/mac/foundation_util.h"
 #include "base/mac/mac_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/memory/ref_counted.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/process/kill.h"
+#include "base/strings/strcat.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
@@ -281,4 +285,37 @@ TEST_F(SandboxMacTest, BuiltinAvailable) {
   ExecuteInAllSandboxTypes("BuiltinAvailable", {});
 }
 
+MULTIPROCESS_TEST_MAIN(NetworkProcessPrefs) {
+  CheckCreateSeatbeltServer();
+
+  const std::string kBundleId = base::mac::BaseBundleID();
+  const std::string kUserName = base::SysNSStringToUTF8(NSUserName());
+  const std::vector<std::string> kPaths = {
+      "/Library/Managed Preferences/.GlobalPreferences.plist",
+      base::StrCat({"/Library/Managed Preferences/", kBundleId, ".plist"}),
+      base::StrCat({"/Library/Managed Preferences/", kUserName,
+                    "/.GlobalPreferences.plist"}),
+      base::StrCat({"/Library/Managed Preferences/", kUserName, "/", kBundleId,
+                    ".plist"}),
+      base::StrCat({"/Library/Preferences/", kBundleId, ".plist"}),
+      base::StrCat({"/Users/", kUserName,
+                    "/Library/Preferences/com.apple.security.plist"}),
+      base::StrCat(
+          {"/Users/", kUserName, "/Library/Preferences/", kBundleId, ".plist"}),
+  };
+
+  for (const auto& path : kPaths) {
+    // Use open rather than stat to test file-read-data rules.
+    base::ScopedFD fd(open(path.c_str(), O_RDONLY));
+    PCHECK(fd.is_valid() || errno == ENOENT) << path;
+  }
+
+  return 0;
+}
+
+TEST_F(SandboxMacTest, NetworkProcessPrefs) {
+  ExecuteWithParams("NetworkProcessPrefs",
+                    sandbox::policy::SandboxType::kNetwork);
+}
+
 }  // namespace content

sandbox/policy/mac/common.sb

@@ -152,7 +152,12 @@
 
 ; Reads from /Library.
 (allow file-read-data
+  (path "/Library/Managed Preferences/.GlobalPreferences.plist")
   (path "/Library/Preferences/.GlobalPreferences.plist")
+  (path (string-append "/Library/Managed Preferences/" (param bundle-id) ".plist"))
+  (path (string-append "/Library/Preferences/" (param bundle-id) ".plist"))
+  (regex #"/Library/Managed Preferences/.*/\.GlobalPreferences\.plist")
+  (regex (string-append #"/Library/Managed Preferences/.*/" (regex-quote (param bundle-id)) #"\.plist"))
 )
 
 ; Reads from /System.

sandbox/policy/mac/network.sb

@@ -35,14 +35,10 @@
   (path "/var/run")
 )
 
-; Local preferences.
-(allow file-read*
-  (path (user-homedir-path (string-append "/Library/Preferences/" (param bundle-id) ".plist")))
-)
-
 ; Certificate databases.
 (allow file-read*
   (path "/Library/Preferences/com.apple.security.plist")
+  (path (user-homedir-path "/Library/Preferences/com.apple.security.plist"))
   ; https://crbug.com/1024000
   (path (user-homedir-path "/Library/Preferences/com.apple.security.revocation.plist"))
   (subpath "/Library/Keychains")