Mac: Tell the GPU sandbox to deny a few things.

It's now no longer allowed to do network requests and can't access most files.

Here are the stacks that it prints if I patch in http://codereview.chromium.org/1765005/show: http://codepad.org/6zrJfnlB

BUG=48607
TEST=GPU stuff still works. When you run with --enable-sandbox-logging, quite a bunch of stuff is logged as "denied".

Review URL: http://codereview.chromium.org/5580002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@68321 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/chrome/browser/gpu.sb b/chrome/browser/gpu.sb
index ce5b2d2..346bcfa 100644
--- a/chrome/browser/gpu.sb
+++ b/chrome/browser/gpu.sb
@@ -6,5 +6,13 @@
 
 ; *** The contents of chrome/common/common.sb are implicitly included here. ***
 
-; TODO(thakis): Deny most things by default.
-(allow default)
+; The GPU process opens a shared memory file to communicate with the renderer.
+; This is backed by a file in /var/folders.
+; TODO(thakis): Let the browser allocated the pipe and hand the handles to
+;               renderer and GPU process and remove this: http://crbug.com/65344
+(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
+
+; Allow communication between the GPU process and the UI server.
+(allow mach-lookup (global-name "com.apple.tsm.uiserver"))
+
+(allow file-read-metadata (literal "/"))
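Review bot: the regex on the `(allow file-read* file-write* ...)` line is broader than the comment above it justifies: the comment says the shared memory file lives in /var/folders, but `^/(private/)?(tmp|var)(/|$)` grants read and write to everything under /tmp and /var (and the directories themselves), so the sandbox leaves the GPU process much more than the one path it needs. Consider narrowing it to the actual location, e.g. `(regex "^/(private/)?var/folders/")`, and keeping the crbug.com/65344 TODO for removing it entirely. Two smaller points in the same hunk: the TODO comment reads "Let the browser allocated the pipe" and should be "allocate", and the trailing `(allow file-read-metadata (literal "/"))` has no comment explaining why stat on "/" is required, unlike the other two rules, so a one-line rationale would help the next person who tightens this profile.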