Mac: Tell the GPU sandbox to deny a few things.

chrome/browser/gpu.sb

Index: chrome/browser/gpu.sb
diff --git a/chrome/browser/gpu.sb b/chrome/browser/gpu.sb
index ce5b2d2f727472959c692847b43dd0bf945472a0..d27b2512bb33f98bd970a96dba2d996c639b927e 100644
--- a/chrome/browser/gpu.sb
+++ b/chrome/browser/gpu.sb
@@ -6,5 +6,14 @@
 
 ; *** The contents of chrome/common/common.sb are implicitly included here. ***
 
-; TODO(thakis): Deny most things by default.
-(allow default)
+; The GPU process opens a shared memory file to communicate with the renderer.
+; This is backed by a file in /var/folders.
+; TODO(thakis): It would be better if the browser allocated the pipe and handed
+;               the handles to renderer and GPU process. Then this would'be be
+;               needed. http://crbug.com/65344

[jeremy, 2010/12/05 08:04:50]

I think giving the GPU process full access to /tmp and /var may be a pretty big
security hole.

I'm OK with you landing this in the interim, but I think we should plumb the
shared memory creation through the browser process and remove this line asap.

Could you reword the commend to this effect?

+(allow file-read* file-write* (regex "^/(private/)?(tmp|var)(/|$)"))
+
+; Allow communication between the GPU process and the UI server.
+(allow mach-lookup (global-name "com.apple.tsm.uiserver"))
+
+(allow file-read-metadata (literal "/"))