Index: chrome/browser/gpu.sb |
diff --git a/chrome/browser/gpu.sb b/chrome/browser/gpu.sb |
index ce5b2d2f727472959c692847b43dd0bf945472a0..d27b2512bb33f98bd970a96dba2d996c639b927e 100644 |
--- a/chrome/browser/gpu.sb |
+++ b/chrome/browser/gpu.sb |
@@ -6,5 +6,14 @@ |
; *** The contents of chrome/common/common.sb are implicitly included here. *** |
-; TODO(thakis): Deny most things by default. |
-(allow default) |
+; The GPU process opens a shared memory file to communicate with the renderer. |
+; This is backed by a file in /var/folders. |
+; TODO(thakis): It would be better if the browser allocated the pipe and handed |
+; the handles to renderer and GPU process. Then this would'be be |
+; needed. http://crbug.com/65344 |
jeremy
2010/12/05 08:04:50
I think giving the GPU process full access to /tmp
+(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)")) |
+ |
+; Allow communication between the GPU process and the UI server. |
+(allow mach-lookup (global-name "com.apple.tsm.uiserver")) |
+ |
+(allow file-read-metadata (literal "/")) |
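Review bot: the rule `(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))` grants the GPU process read and write access to everything under /tmp and /var, while the comment directly above it says the only thing needed is a shared memory file under /var/folders; scope the rule to that, e.g. `(allow file-read* file-write* (regex "^/(private/)?var/folders/"))`, and tighten it further to the exact directory the GPU process actually uses once that is pinned down, since /var also holds logs, databases and other system state this process has no reason to touch (the inline comment from jeremy raises the same concern for /tmp). Two smaller points: the TODO comment reads "Then this would'be be needed" and should say "Then this wouldn't be needed"; and with `(allow default)` removed, this profile now relies on the default rule in chrome/common/common.sb, which is implicitly included but not visible in this diff, so confirm that file denies by default, otherwise the narrower allow rules added here change nothing.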