macOS Sandbox: Fix iokit property rules.

This adds the no-log directive to the iokit property restrictions, and
allows two harmless properties to be read as well.

Bug: 1008423
Change-Id: I4707befc1f566d109dd4cb5e1e9a116c148edbd6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1835688Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#702629}

services/service_manager/sandbox/mac/renderer.sb

@@ -7,8 +7,10 @@
 ; Put the denials first.
 ; crbug.com/799149: These operations are allowed by default.
 (if (>= os-version 1013)
-  (deny iokit-get-properties process-info* nvram*)
-)
+  (if (param-true? disable-sandbox-denial-logging)
+    (deny iokit-get-properties process-info* nvram* (with no-log))
+    (deny iokit-get-properties process-info* nvram*)
+))
 
 ; Allow cf prefs to work.
 (allow user-preference-read)
@@ -85,10 +87,12 @@
 (if (>= os-version 1013)
   (allow iokit-get-properties
     (iokit-property "CaseSensitive")
+    (iokit-property "CoreStorage Encrypted")
     (iokit-property "Ejectable")
     (iokit-property "Encrypted")
     (iokit-property "IOClassNameOverride")
     (iokit-property "IOMediaIcon")
+    (iokit-property "Product Identification")
     (iokit-property "Protocol Characteristics")
     (iokit-property "Removable")
     (iokit-property "image-encrypted")