Update rules2 in app_resource_rules.plist.in to a set of rules that should work on 10.9.5 and 10.10

Update rules2 in app_resource_rules.plist.in to a set of rules that ought to work on 10.9.5 and 10.10, with the latest Gatekeeper policy changes.

This removes the “nested” tag from the live versioned directory, so that
it will be treated as data instead of code. There are problems with
“nested” validation of unversioned frameworks. There are other problems
with “nested” allowing components to be replaced, although these can be
overcome by creatively applying designated requirements to the nested
components. The non-“nested” version allows us to not version the
frameworks, which would introduce symbolic links and weaken v1 code
signature validation as done by pre-10.9 systems because v1 code
signatures do not consider symbolic links. This non-“nested” version is
also the simplest change to the existing set of resource rules that
works. The v2 rules2 dictionary is now identical to the v1 rules
dictionary.

In order for rules2 to be honored and for a v2 signature to be produced,
the app must be signed on 10.9 or later. (This will also produce a v1
signature to be validated on pre-10.9 systems.)

BUG=399276
R=rsesek@chromium.org

Committed: https://chromium.googlesource.com/chromium/src/+/1bc56d577247e9ca6a029dd75571e79775e80343

[Mark Mentovai, 2014-09-03 03:47:14]

mark@chromium.org changed reviewers:
+ rsesek@chromium.org

[Robert Sesek, 2014-09-03 15:23:42]

LGTM

[Mark Mentovai, 2014-09-03 16:10:03]

Committed patchset #2 (id:20001) manually as 1bc56d5 (presubmit successful).

[commit-bot: I haz the power, 2014-09-10 03:25:55]

Patchset 2 (id:??) landed as
https://crrev.com/1bc56d577247e9ca6a029dd75571e79775e80343
Cr-Commit-Position: refs/heads/master@{#293142}