Add the V2 sandbox rules for renderer processes.

content/renderer/renderer_v2.sb

Index: content/renderer/renderer_v2.sb
diff --git a/content/renderer/renderer_v2.sb b/content/renderer/renderer_v2.sb
new file mode 100644
index 0000000000000000000000000000000000000000..91c11437f570a688d2c718ac0110712da9e33724
--- /dev/null
+++ b/content/renderer/renderer_v2.sb
@@ -0,0 +1,150 @@
+; Copyright 2017 The Chromium Authors. All rights reserved.
+; Use of this source code is governed by a BSD-style license that can be
+; found in the LICENSE file.
+(version 1)
+
+; The top of this will be the V2 common profile.

[Robert Sesek, 2017/06/06 14:56:00]

Why not have common_v2.sb now?

[Greg K, 2017/06/09 20:51:20]

It's not clear exactly what will be abstracted out, so I thought it made more
sense to do the abstraction as soon as another process type uses the sandbox and
I know what the actual diff is.

+
+; Helper function to check if a param is set to true.
+(define (param-true? str) (string=? (param str) "TRUE"))
+
+; Helper function to determine if a parameter is defined or not.
+(define (param-defined? str) (string? (param str)))
+
+; Define constants for all of the parameter strings passed in.
+(define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
+(define enable-logging "ENABLE_LOGGING")
+(define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
+(define elcap-or-later "ELCAP_OR_LATER")
+(define bundle-path "BUNDLE_PATH")
+(define executable-path "EXECUTABLE_PATH")
+(define chromium-pid "CHROMIUM_PID")
+(define log-file-path "LOG_FILE_PATH")
+(define bundle-id "BUNDLE_ID")
+(define component-path "COMPONENT_PATH")
+
+; Backwards compatibility for 10.9
+(define (path x) (literal x))
+
+; --enable-sandbox-logging causes the sandbox to log failures to the syslog.
+(if (param-true? disable-sandbox-denial-logging)
+    (deny default (with no-log))

[Robert Sesek, 2017/06/06 14:56:00]

Why 4-space indents instead of the usual 2?

[Greg K, 2017/06/09 20:51:20]

Done.

+    (deny default))
+
+(if (param-true? enable-logging) (debug deny))
+
+; Allow sending signals to self - https://crbug.com/20370
+(allow signal (target self))
+
+; Consumes a subpath and appends it to the user's homedir path.
+(define (user-homedir-path subpath) 
+        (string-append (param homedir-as-literal) subpath))
+
+; Allow logging for all processes

[Robert Sesek, 2017/06/06 14:56:00]

nit, and throughout this file: comments need proper punctuation.

[Greg K, 2017/06/09 20:51:20]

Done.

+(allow file-write* (path (param log-file-path)))
+
+; Allow component builds to work
+(if (param-defined? component-path)
+  (allow file-read* (subpath (param component-path))))
+
+;TODO: Are these needed once I move the code into the helper executable?
+(allow process-exec* (path (param executable-path)))
+(allow file-read* (path (param executable-path)))
+
+(allow mach-lookup (global-name (string-append (param bundle-id)
+                                               ".rohitfork."
+                                               (param chromium-pid))))
+
+; Allow realpath() to work
+(allow file-read-metadata (subpath "/"))
+
+; Allow cf prefs to work
+(allow user-preference-read)
+
+; All processes can read the bundle contents
+(allow file-read* (subpath (param bundle-path)))
+
+; This is the renderer specific stuff.

[Robert Sesek, 2017/06/06 14:56:00]

Better put as "; End of common.sb" ?

[Greg K, 2017/06/09 20:51:20]

Done.

+(allow file-ioctl file-read-data file-write-data (path "/dev/dtracehelper"))
+
+; File reads
+; Reads from the home directory.
+(allow file-read-data (path (user-homedir-path "/.CFUserTextEncoding")))
+
+; Reads of /dev devices.
+(allow file-read-data 
+       (path "/dev/autofs_nowait")

[Robert Sesek, 2017/06/06 14:56:00]

Now 8-space indents?

[Greg K, 2017/06/09 20:51:20]

Done.

+       (path "/dev/urandom"))
+
+; Reads from /usr.
+(allow file-read-data
+       (path "/usr/lib/libexpat.1.dylib")
+       (subpath "/usr/share/zoneinfo"))
+
+(allow file-read* (path "/usr/share/icu/icudt57l.dat"))
+
+; Reads from /Library.
+(allow file-read-data (subpath "/Library/Fonts"))
+
+; Reads from /System.
+(allow file-read-data 
+       (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist")
+       (path "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist")
+       (path "/System/Library/CoreServices/SystemVersion.plist")
+       (path "/System/Library/Preferences/Logging/Subsystems/com.apple.SkyLight.plist")
+       (subpath "/System/Library/ColorSync/Profiles")
+       (subpath "/System/Library/CoreServices/SystemAppearance.bundle")
+       (subpath "/System/Library/CoreServices/SystemVersion.bundle")
+       (subpath "/System/Library/Fonts")
+       (subpath "/System/Library/Frameworks"))
+
+; IOKit
+(allow iokit-open (iokit-registry-entry-class "IOSurfaceRootUserClient"))
+
+; POSIX IPC
+(allow ipc-posix-shm-read-data 
+       (ipc-posix-name "apple.cfprefs.317580v1")
+       (ipc-posix-name "apple.cfprefs.daemonv1")
+       (ipc-posix-name "apple.shm.notification_center"))
+
+; mach IPC
+(allow mach-lookup 
+       ; TODO(kerrnel): audit coreservicesd.
+       (global-name "com.apple.CoreServices.coreservicesd")
+       ; TODO(kerrnel): nix if possible.

[Robert Sesek, 2017/06/06 14:56:00]

Can these be resolved before landing?

+       (global-name "com.apple.GameController.gamecontrollerd")
+       ; TODO(kerrnel): nix if possible.
+       (global-name "com.apple.cfprefsd.agent")
+       ; TODO(kerrnel): nix if possible.
+       (global-name "com.apple.cfprefsd.daemon")
+       (global-name "com.apple.coreservices.launchservicesd")
+       ; TODO(kerrnel): nix if possible.
+       (global-name "com.apple.diagnosticd")
+       (global-name "com.apple.distributed_notifications@Uv3")
+       (global-name "com.apple.fonts")
+       (global-name "com.apple.logd")
+       (global-name "com.apple.lsd.mapdb")
+       (global-name "com.apple.system.logger")
+       (global-name "com.apple.system.notification_center")
+       (global-name "com.apple.system.opendirectoryd.libinfo")
+       (global-name "com.apple.windowserver.active"))
+
+; sysctl
+(allow sysctl-read
+       (sysctl-name "hw.activecpu")
+       (sysctl-name "hw.busfrequency_compat")
+       (sysctl-name "hw.byteorder")
+       (sysctl-name "hw.cachelinesize_compat")
+       (sysctl-name "hw.cpufrequency_compat")
+       (sysctl-name "hw.cputype")
+       (sysctl-name "hw.machine")
+       (sysctl-name "hw.ncpu")
+       (sysctl-name "hw.pagesize_compat")
+       (sysctl-name "hw.physicalcpu_max")
+       (sysctl-name "hw.tbfrequency_compat")
+       (sysctl-name "hw.vectorunit")
+       (sysctl-name "kern.hostname")
+       (sysctl-name "kern.osrelease")
+       (sysctl-name "kern.ostype")
+       (sysctl-name "kern.osversion")
+       (sysctl-name "kern.version"))