Debug Mac V2 GPU sandbox issues by crashing the process.

This enumerates all known denials encountered with local testing and
makes unknown denials fatal. This will enable crash data collection to
identify resources that we do not know about. It also turns on sandbox
logging to make it easier to identify issues.

Also allows reading the SubmitDiagInfo search tree in /System/Library
because the file in /Library is already allowed.

Change-Id: If14054b213c65064d971f717089731ad6e3c2bb2
Bug: 1126350
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2398915
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#813591}

content/browser/sandbox_parameters_mac.mm

@@ -224,10 +224,19 @@ void SetupSandboxParameters(sandbox::policy::SandboxType sandbox_type,
     case sandbox::policy::SandboxType::kRenderer:
       SetupCommonSandboxParameters(client);
       break;
-    case sandbox::policy::SandboxType::kGpu:
+    case sandbox::policy::SandboxType::kGpu: {
       SetupCommonSandboxParameters(client);
+      // Temporary for https://crbug.com/1126350.
+      CHECK(client->SetParameter("PARENT_DIR",
+                                 sandbox::policy::SandboxMac::GetCanonicalPath(
+                                     base::mac::OuterBundlePath().DirName())
+                                     .value()));
+      base::FilePath pwd;
+      CHECK(base::GetCurrentDirectory(&pwd));
+      CHECK(client->SetParameter("PWD", pwd.value()));
       AddDarwinDirs(client);
       break;
+    }
     case sandbox::policy::SandboxType::kCdm:
       SetupCDMSandboxParameters(client);
       break;

sandbox/policy/mac/gpu_v2.sb

@@ -4,6 +4,9 @@
 
 ; --- The contents of common.sb implicitly included here. ---
 
+(deny default (with partial-symbolication))
+(debug deny)
+
 ; Allow cf prefs to work.
 (allow user-preference-read)
 
@@ -11,6 +14,40 @@
 
 (allow ipc-posix-shm)
 
+; TODO(https://crbug.com/1126350): Remove this after debugging. These blocks
+; enumerate known denials, while turning unknown denials into fatal crashes.
+(define crash-on-unknown-denials #t) ; Single-line kill switch.
+(if crash-on-unknown-denials
+  (begin
+    (deny mach-lookup (with no-report)
+      (global-name "com.apple.GameController.gamecontrollerd")
+      (global-name "com.apple.analyticsd")
+      (global-name "com.apple.diagnosticd")
+      (global-name "com.apple.pasteboard.1") ; For tests only.
+      (global-name "com.apple.tccd.system")
+    )
+    (deny mach-lookup (with send-signal SIGABRT))
+    (deny iokit-open (with send-signal SIGTRAP))
+    ; Added in 10.14, but only needed on 10.15+. Partial compatibility
+    ; definition.
+    (unless (defined? 'path-ancestors) (define (path-ancestors x) (path x)))
+    (deny file-read* (with no-report)
+      (path (param "PARENT_DIR"))
+      (path (param "PWD"))
+      (path-ancestors (param "PARENT_DIR")) ; libxpc.dylib`_xpc_bundle_resolve_sync walks the dir tree.
+      (subpath "/Library/Application Support/CrashReporter")
+      (subpath "/usr/share/locale")
+    )
+    (deny file-read* (with send-signal SIGFPE))
+    (deny file-write-data (with no-report)
+      ; CoreServicesInternal`prepareValuesForBitmap() calls getattrlist(), which
+      ; results for some reason in a file-write-data evaluation in the kernel.
+      (subpath (param bundle-path))
+    )
+    (deny file-write* (with send-signal SIGSYS))
+  )
+)
+
 ; Allow communication between the GPU process and the UI server.
 (allow mach-lookup
   (global-name "com.apple.bsd.dirhelper")
@@ -91,6 +128,7 @@
 
 (allow file-read-data
   (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
+  (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
   (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
 )