Fix sandbox profile for MacOS 10.9 Mavericks.

content/renderer/renderer_v2.sb

Index: content/renderer/renderer_v2.sb
diff --git a/content/renderer/renderer_v2.sb b/content/renderer/renderer_v2.sb
index cb871b023fea888e03bfe8615c2066867357a808..341bbf3d982cd72b9c3f3baa118b71ced002adf0 100644
--- a/content/renderer/renderer_v2.sb
+++ b/content/renderer/renderer_v2.sb
@@ -16,6 +16,7 @@
 (define enable-logging "ENABLE_LOGGING")
 (define homedir-as-literal "USER_HOMEDIR_AS_LITERAL")
 (define elcap-or-later "ELCAP_OR_LATER")
+(define is-mavericks "IS_MAVERICKS")
 (define bundle-path "BUNDLE_PATH")
 (define executable-path "EXECUTABLE_PATH")
 (define chromium-pid "CHROMIUM_PID")
@@ -25,6 +26,7 @@
 
 ; Backwards compatibility for 10.9
 (define (path x) (literal x))
+(define (iokit-registry-entry-class x) (iokit-user-client-class x))
 
 ; --enable-sandbox-logging causes the sandbox to log failures to the syslog.
 (if (param-true? disable-sandbox-denial-logging)
@@ -47,7 +49,7 @@
 (if (param-defined? component-path)
   (allow file-read* (subpath (param component-path))))
 
-(allow process-exec* (path (param executable-path)))
+(allow process-exec (path (param executable-path)))
 (allow file-read* (path (param executable-path)))
 
 (allow mach-lookup (global-name (string-append (param bundle-id)
@@ -122,23 +124,30 @@
   (global-name "com.apple.system.opendirectoryd.libinfo")
   (global-name "com.apple.windowserver.active"))
 
+; MacOS dropped FontServer to replace it with the (XPC based) com.apple.fonts.
+(if (param-true? is-mavericks)
+  (allow mach-lookup (global-name "com.apple.FontServer")))
+
 ; sysctl
-(allow sysctl-read
-  (sysctl-name "hw.activecpu")
-  (sysctl-name "hw.busfrequency_compat")
-  (sysctl-name "hw.byteorder")
-  (sysctl-name "hw.cachelinesize_compat")
-  (sysctl-name "hw.cpufrequency_compat")
-  (sysctl-name "hw.cputype")
-  (sysctl-name "hw.machine")
-  (sysctl-name "hw.ncpu")
-  (sysctl-name "hw.pagesize_compat")
-  (sysctl-name "hw.physicalcpu_max")
-  (sysctl-name "hw.tbfrequency_compat")
-  (sysctl-name "hw.vectorunit")
-  (sysctl-name "kern.hostname")
-  (sysctl-name "kern.maxfilesperproc")
-  (sysctl-name "kern.osrelease")
-  (sysctl-name "kern.ostype")
-  (sysctl-name "kern.osversion")
-  (sysctl-name "kern.version"))
+(if (param-true? is-mavericks)
+  (allow sysctl-read)
+  ; else
+  (allow sysctl-read
+    (sysctl-name "hw.activecpu")
+    (sysctl-name "hw.busfrequency_compat")
+    (sysctl-name "hw.byteorder")
+    (sysctl-name "hw.cachelinesize_compat")
+    (sysctl-name "hw.cpufrequency_compat")
+    (sysctl-name "hw.cputype")
+    (sysctl-name "hw.machine")
+    (sysctl-name "hw.ncpu")
+    (sysctl-name "hw.pagesize_compat")
+    (sysctl-name "hw.physicalcpu_max")
+    (sysctl-name "hw.tbfrequency_compat")
+    (sysctl-name "hw.vectorunit")
+    (sysctl-name "kern.hostname")
+    (sysctl-name "kern.maxfilesperproc")
+    (sysctl-name "kern.osrelease")
+    (sysctl-name "kern.ostype")
+    (sysctl-name "kern.osversion")
+    (sysctl-name "kern.version")))