macOS V2 Sandbox: Report correct sandbox profile for nacl-loader.

The nacl loader process, used only on macOS, currently tries to load an
invalid profile type under the V2 sandbox. This loads the correct type.
This also adds necessary IOKit resource access to the nacl sandbox profile.

Bug: 892554
Change-Id: I3118c00a17502efdd88545ef35e81e3a480d2f15
Reviewed-on: https://chromium-review.googlesource.com/c/1289070Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Derek Schuff <dschuff@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#601244}

components/nacl/loader/DEPS

@@ -9,6 +9,7 @@ include_rules = [
   "+sandbox/linux/services",
   "+sandbox/linux/suid",
   "+sandbox/linux/system_headers",
+  "+sandbox/mac",
   "+sandbox/sandbox_buildflags.h",
   "+sandbox/win/src",
   "+services/service_manager/sandbox",

components/nacl/loader/nacl_main_platform_delegate_mac.mm

@@ -6,13 +6,22 @@
 
 #import <Cocoa/Cocoa.h>
 
+#include "base/command_line.h"
 #include "base/logging.h"
 #include "components/nacl/common/nacl_switches.h"
 #include "content/public/common/sandbox_init.h"
+#include "sandbox/mac/seatbelt.h"
+#include "sandbox/mac/seatbelt_exec.h"
 #include "services/service_manager/sandbox/sandbox_type.h"
 
 void NaClMainPlatformDelegate::EnableSandbox(
     const content::MainFunctionParams& parameters) {
-  CHECK(content::InitializeSandbox(service_manager::SANDBOX_TYPE_NACL_LOADER))
-      << "Error initializing sandbox for " << switches::kNaClLoaderProcess;
+  if (base::CommandLine::ForCurrentProcess()->HasSwitch(
+          sandbox::switches::kSeatbeltClientName)) {
+    // Make sure the sandbox is actually enabled if the V2 flag is present.
+    CHECK(sandbox::Seatbelt::IsSandboxed());
+  } else {
+    CHECK(content::InitializeSandbox(service_manager::SANDBOX_TYPE_NACL_LOADER))
+        << "Error initializing sandbox for " << switches::kNaClLoaderProcess;
+  }
 }

services/service_manager/sandbox/mac/nacl_loader.sb

@@ -12,3 +12,10 @@
 ; Allow a Native Client application to use semaphores, specifically
 ; sem_init(), et.al.
 (allow ipc-posix-sem)
+
+(allow iokit-get-properties
+  (iokit-registry-entry-class "IORegisterForSystemPower"))
+
+(allow iokit-open
+  (iokit-user-client-class "IOSurfaceSendRight")
+  (iokit-user-client-class "RootDomainUserClient"))

services/service_manager/sandbox/sandbox_type.cc

@@ -126,6 +126,11 @@ SandboxType SandboxTypeFromCommandLine(const base::CommandLine& command_line) {
   if (process_type == switches::kPpapiPluginProcess)
     return SANDBOX_TYPE_PPAPI;
 
+#if defined(OS_MACOSX)
+  if (process_type == switches::kNaClLoaderProcess)
+    return SANDBOX_TYPE_NACL_LOADER;
+#endif
+
   // This is a process which we don't know about.
   return SANDBOX_TYPE_INVALID;
 }

services/service_manager/sandbox/switches.cc

@@ -107,6 +107,7 @@ const char kEnableSandboxLogging[] = "enable-sandbox-logging";
 
 // Flags spied upon from other layers.
 const char kGpuProcess[] = "gpu-process";
+const char kNaClLoaderProcess[] = "nacl-loader";
 const char kPpapiBrokerProcess[] = "ppapi-broker";
 const char kPpapiPluginProcess[] = "ppapi";
 const char kRendererProcess[] = "renderer";

services/service_manager/sandbox/switches.h

@@ -59,6 +59,7 @@ SERVICE_MANAGER_SANDBOX_EXPORT extern const char kEnableSandboxLogging[];
 
 // Flags spied upon from other layers.
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kGpuProcess[];
+SERVICE_MANAGER_SANDBOX_EXPORT extern const char kNaClLoaderProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiBrokerProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kPpapiPluginProcess[];
 SERVICE_MANAGER_SANDBOX_EXPORT extern const char kRendererProcess[];