Mac V2 GPU Sandbox: Allow more resource accesses based off collected data.

- Allow reading the directory contents of ~/Library/Preferences and ~/Library/Preferences/ByHost - Allow reading of all com.apple.driver* plists in ~/Library/Preferences/... - Allow reading /Library/Preferences/com.apple.security.plist to read the global trust settings - Allow sysctl-read hw.busfrequency_max - Deny access to a new macOS 11 UsageTrackingAgent Mach service Bug: 1126350 Change-Id: I0be9a9f8a1830dbfac4486f9c21e05a6e5d336d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2453900Reviewed-by: Greg Kerr <kerrnel@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#814379}

Mac V2 GPU Sandbox: Allow more resource accesses based off collected data.
- Allow reading the directory contents of ~/Library/Preferences and ~/Library/Preferences/ByHost - Allow reading of all com.apple.driver* plists in ~/Library/Preferences/... - Allow reading /Library/Preferences/com.apple.security.plist to read the global trust settings - Allow sysctl-read hw.busfrequency_max - Deny access to a new macOS 11 UsageTrackingAgent Mach service Bug: 1126350 Change-Id: I0be9a9f8a1830dbfac4486f9c21e05a6e5d336d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2453900Reviewed-by: Greg Kerr <kerrnel@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#814379}
be6d6207 · Robert Sesek · Commit Bot · ad4e6170 · be6d6207
Commit be6d6207 authored Oct 06, 2020 by Robert Sesek Committed by Commit Bot Oct 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

sandbox/policy/mac/gpu_v2.sb sandbox/policy/mac/gpu_v2.sb +10 -1

No files found.
--- a/sandbox/policy/mac/gpu_v2.sb
+++ b/sandbox/policy/mac/gpu_v2.sb
@@ -21,6 +21,7 @@
  (begin
    (deny mach-lookup (with no-report)
      (global-name "com.apple.GameController.gamecontrollerd")
+      (global-name "com.apple.UsageTrackingAgent")
      (global-name "com.apple.analyticsd")
      (global-name "com.apple.diagnosticd")
      (global-name "com.apple.pasteboard.1") ; For tests only.
@@ -38,6 +39,7 @@
      (subpath "/Library/Apple")
      (subpath "/Library/Application Support/CrashReporter")
      (subpath "/usr/share/locale")
+      (subpath (user-homedir-path "/Library/Containers"))
    )
    (deny file-read* (with send-signal SIGFPE))
    (deny file-write-data (with no-report)
@@ -77,7 +79,10 @@

 ; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936
 (if (>= os-version 1016)
-  (allow mach-lookup (global-name "com.apple.trustd.agent"))
+  (begin
+    (allow mach-lookup (global-name "com.apple.trustd.agent"))
+    (allow file-read* (path "/Library/Preferences/com.apple.security.plist"))
+  )
 )

 ; Needed for WebGL - https://crbug.com/75343
@@ -120,6 +125,7 @@
 ))

 (allow sysctl-read
+  (sysctl-name "hw.busfrequency_max")
  (sysctl-name "hw.cachelinesize")
  (sysctl-name "hw.logicalcpu_max")
  (sysctl-name "hw.memsize")
@@ -130,10 +136,13 @@
 (allow file-read-data
  (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
  (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
+  (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist"))
  (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
 )

 (allow file-read*
+  (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14.
+  (path (user-homedir-path "/Library/Preferences/ByHost"))
  (subpath "/Library/GPUBundles")
  (subpath "/Library/Video/Plug-Ins")
  (subpath "/System/Library/ColorSync/Profiles")