mac: Permit more resource access in the gpu_v2 sandbox profile.

These were observed in https://crbug.com/1063349#c8. Bug: 1063349 Change-Id: I86cf9b5d643812101c2d80b67096c38f76706008 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2311273Reviewed-by: Greg Kerr <kerrnel@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#790818}

mac: Permit more resource access in the gpu_v2 sandbox profile.
These were observed in https://crbug.com/1063349#c8. Bug: 1063349 Change-Id: I86cf9b5d643812101c2d80b67096c38f76706008 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2311273Reviewed-by: Greg Kerr <kerrnel@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#790818}
8063923c · Robert Sesek · Commit Bot · 5bff73a7 · 8063923c
Commit 8063923c authored Jul 22, 2020 by Robert Sesek Committed by Commit Bot Jul 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

sandbox/policy/mac/gpu_v2.sb sandbox/policy/mac/gpu_v2.sb +3 -3

No files found.
--- a/sandbox/policy/mac/gpu_v2.sb
+++ b/sandbox/policy/mac/gpu_v2.sb
@@ -65,9 +65,6 @@
 (allow ipc-posix-shm-read-data
  (ipc-posix-name "apple.shm.notification_center"))

-; https://crbug.com/515280
-(if (>= os-version 1011)
-  (allow file-read* (subpath "/System/Library/Extensions")))

 ; Needed for VideoToolbox usage - https://crbug.com/767037
 (if (>= os-version 1013)
@@ -78,6 +75,7 @@
 ))

 (allow sysctl-read
+  (sysctl-name "hw.cachelinesize")
  (sysctl-name "hw.logicalcpu_max")
  (sysctl-name "hw.memsize")
  (sysctl-name "hw.model")
@@ -92,7 +90,9 @@
 (allow file-read*
  (subpath "/Library/GPUBundles")
  (subpath "/Library/Video/Plug-Ins")
+  (subpath "/System/Library/ColorSync/Profiles")
  (subpath "/System/Library/CoreServices/RawCamera.bundle")
+  (subpath "/System/Library/Extensions")  ; https://crbug.com/515280
  (subpath "/System/Library/Video/Plug-Ins")
 )