macOS Sandbox: Add rules for the V2 GPU Sandbox.

This CL adds access to system resources that are showing up in crash reports for the V2 GPU Sandbox. Bug: 915934 Change-Id: Ie1b9faa0fd5cacaf6fbd74f0c5a9500a55bede1f Reviewed-on: https://chromium-review.googlesource.com/c/1434920Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Auto-Submit: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#625795}

macOS Sandbox: Add rules for the V2 GPU Sandbox.
This CL adds access to system resources that are showing up in crash reports for the V2 GPU Sandbox. Bug: 915934 Change-Id: Ie1b9faa0fd5cacaf6fbd74f0c5a9500a55bede1f Reviewed-on: https://chromium-review.googlesource.com/c/1434920Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Auto-Submit: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#625795}
dc3c7b81 · Greg Kerr · Commit Bot · 1b3dece4 · dc3c7b81 · dc3c7b81
Commit dc3c7b81 authored Jan 24, 2019 by Greg Kerr Committed by Commit Bot Jan 24, 2019
3 changed files
--- a/services/service_manager/sandbox/mac/common.sb
+++ b/services/service_manager/sandbox/mac/common.sb
@@ -64,6 +64,15 @@
    ; (https://crbug.com/662686)
    (allow file-read* (extension "com.apple.app-sandbox.read"))))
+; Reads of signed Mach-O blobs created by the CVMS server.
+; https://crbug.com/850021
+(define (allow-cvms-blobs)
+  (if (>= os-version 1014)
+    (allow file-read*
+      (extension "com.apple.cvms.kernel")
+      (subpath "/private/var/db/CVMS")
+    )))
 ; Allow logging for all processes.
 (allow file-write*
  (require-all

--- a/services/service_manager/sandbox/mac/gpu_v2.sb
+++ b/services/service_manager/sandbox/mac/gpu_v2.sb
@@ -4,6 +4,11 @@
 ; --- The contents of common.sb implicitly included here. ---
+; Allow cf prefs to work.
+(allow user-preference-read)
+(allow-cvms-blobs)
 ; Allow communication between the GPU process and the UI server.
 (allow mach-lookup
  (global-name "com.apple.CoreServices.coreservicesd")
@@ -37,6 +42,14 @@
 ; Needed for VideoToolbox usage - https://crbug.com/767037
 (if (>= os-version 1013)
-  (allow mach-lookup (global-name "com.apple.coremedia.videodecoder")))
+  (allow mach-lookup (global-name "com.apple.coremedia.videodecoder"))
+  (allow mach-lookup (global-name "com.apple.coremedia.videoencoder"))
+)
+(allow sysctl-read
+  (sysctl-name "hw.logicalcpu_max")
+  (sysctl-name "hw.model")
+)
-(allow sysctl-read (sysctl-name "hw.model"))
+(allow file-read-data
+  (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*")))
--- a/services/service_manager/sandbox/mac/renderer.sb
+++ b/services/service_manager/sandbox/mac/renderer.sb
@@ -20,14 +20,7 @@
  (path "/dev/fd")
 )
-; Reads of signed Mach-O blobs created by the CVMS server.
+(allow-cvms-blobs)
-; https://crbug.com/850021
-(if (>= os-version 1014)
-  (allow file-read*
-    (extension "com.apple.cvms.kernel")
-    (prefix "/private/tmp/cvmsCodeSignObj")
-    (subpath "/private/var/db/CVMS")
-  ))
 (allow file-write-data
  (require-all