macOS V2 Sandbox: Expand the V2 GPU sandbox.

This adds additional resource access to the V2 GPU sandbox to address crashes. Bug: 915934 Change-Id: Icf346f03e32523549e5cb9c0806dce1a51794da4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1506390 Commit-Queue: Robert Sesek <rsesek@chromium.org> Auto-Submit: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#638675}

macOS V2 Sandbox: Expand the V2 GPU sandbox.
This adds additional resource access to the V2 GPU sandbox to address crashes. Bug: 915934 Change-Id: Icf346f03e32523549e5cb9c0806dce1a51794da4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1506390 Commit-Queue: Robert Sesek <rsesek@chromium.org> Auto-Submit: Greg Kerr <kerrnel@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#638675}
6bec1731 · Greg Kerr · Commit Bot · e6d38028 · 6bec1731 · 6bec1731
Commit 6bec1731 authored Mar 07, 2019 by Greg Kerr Committed by Commit Bot Mar 07, 2019
Showing with 33 additions and 5 deletions

services/service_manager/sandbox/mac/common.sb services/service_manager/sandbox/mac/common.sb +12 -4

services/service_manager/sandbox/mac/gpu_v2.sb services/service_manager/sandbox/mac/gpu_v2.sb +21 -1

No files found.
--- a/services/service_manager/sandbox/mac/common.sb
+++ b/services/service_manager/sandbox/mac/common.sb
@@ -68,10 +68,13 @@
 ; https://crbug.com/850021
 (define (allow-cvms-blobs)
  (if (>= os-version 1014)
+    (begin
+      (allow file-read* file-write-unlink
+        (prefix "/private/tmp/cvmsCodeSignObj"))
      (allow file-read*
        (extension "com.apple.cvms.kernel")
-      (subpath "/private/var/db/CVMS")
+        (prefix "/private/var/db/CVMS/cvmsCodeSignObj"))
-    )))
+)))
 ; Allow logging for all processes.
 (allow file-write*
@@ -191,3 +194,8 @@
  (sysctl-name "sysctl.proc_cputype")
  (sysctl-name (string-append "kern.proc.pid." (param current-pid)))
 )
+(allow network-outbound
+  (literal "/private/var/run/asl_input")
+  (literal "/private/var/run/syslog")
+)
--- a/services/service_manager/sandbox/mac/gpu_v2.sb
+++ b/services/service_manager/sandbox/mac/gpu_v2.sb
@@ -14,6 +14,7 @@
  (global-name "com.apple.CoreServices.coreservicesd")
  (global-name "com.apple.coreservices.launchservicesd")
  (global-name "com.apple.cvmsServ")
+  (global-name "com.apple.gpumemd.source")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.tsm.uiserver")
  (global-name "com.apple.windowserver.active")
@@ -24,7 +25,10 @@
  (iokit-connection "IOAccelerator")
  (iokit-user-client-class "AGPMClient")
  (iokit-user-client-class "AppleGraphicsControlClient")
+  (iokit-user-client-class "AppleGraphicsPolicyClient")
+  (iokit-user-client-class "AppleIntelMEUserClient")
  (iokit-user-client-class "AppleMGPUPowerControlClient")
+  (iokit-user-client-class "AppleSNBFBUserClient")
  (iokit-user-client-class "IOAccelerationUserClient")
  (iokit-user-client-class "IOFramebufferSharedUserClient")
  (iokit-user-client-class "IOHIDParamUserClient")
@@ -33,6 +37,16 @@
  (iokit-user-client-class "RootDomainUserClient")
 )
+(allow iokit-set-properties
+  (require-all (iokit-connection "IODisplay")
+    (require-any (iokit-property "brightness")
+      (iokit-property "linear-brightness")
+      (iokit-property "commit")
+      (iokit-property "rgcs")
+      (iokit-property "ggcs")
+      (iokit-property "bgcs")
+)))
 (allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center"))
@@ -51,7 +65,13 @@
 (allow sysctl-read
  (sysctl-name "hw.logicalcpu_max")
  (sysctl-name "hw.model")
+  (sysctl-name "kern.osvariant_status")
 )
 (allow file-read-data
-  (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")))
+  (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
+)
+(allow file-read*
+  (subpath "/Library/GPUBundles")
+)