sandbox/policy/mac/gpu.sb - chromium/src - Git at Google

 ; Copyright 2017 The Chromium Authors. All rights reserved.
 ; Use of this source code is governed by a BSD-style license that can be
 ; found in the LICENSE file.

 ; --- The contents of common.sb implicitly included here. ---

 (deny default (with partial-symbolication))
 (debug deny)

 ; Allow cf prefs to work.
 (allow user-preference-read)

 (allow-cvms-blobs)

 (allow ipc-posix-shm)

 (define disable-metal-shader-cache "DISABLE_METAL_SHADER_CACHE")

 ; Allow communication between the GPU process and the UI server.
 (allow mach-lookup
   (global-name "com.apple.bsd.dirhelper")
   (global-name "com.apple.CARenderServer")
   (global-name "com.apple.cfprefsd.agent")
   (global-name "com.apple.cfprefsd.daemon")
   (global-name "com.apple.CoreServices.coreservicesd")
   (global-name "com.apple.coreservices.launchservicesd")
   (global-name "com.apple.cvmsServ")
   (global-name "com.apple.gpumemd.source")
   (global-name "com.apple.lsd.mapdb")
   (global-name "com.apple.lsd.modifydb")
   (global-name "com.apple.powerlog.plxpclogger.xpc")
   (global-name "com.apple.PowerManagement.control")
   (global-name "com.apple.SecurityServer")
   (global-name "com.apple.system.notification_center")
   (global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5
   (global-name "com.apple.tsm.uiserver")
   (global-name "com.apple.windowserver.active")
 )

 ; Needed for metal decoding - https://crbug.com/957217
 (if (>= os-version 1014)
   (allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
 )

 ; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936
 (if (>= os-version 1016)
   (begin
     (allow mach-lookup (global-name "com.apple.trustd.agent"))
     (allow file-read* (path "/Library/Preferences/com.apple.security.plist"))
   )
 )

 ; Needed for WebGL - https://crbug.com/75343
 (allow iokit-open
   (iokit-connection "IOAccelerator")
   (iokit-user-client-class "AGPMClient")
   (iokit-user-client-class "AppleGraphicsControlClient")
   (iokit-user-client-class "AppleGraphicsPolicyClient")
   (iokit-user-client-class "AppleIntelMEUserClient")
   (iokit-user-client-class "AppleMGPUPowerControlClient")
   (iokit-user-client-class "AppleSNBFBUserClient")
   (iokit-user-client-class "IOAccelerationUserClient")
   (iokit-user-client-class "IOFramebufferSharedUserClient")
   (iokit-user-client-class "IOHIDParamUserClient")
   (iokit-user-client-class "IOSurfaceRootUserClient")
   (iokit-user-client-class "IOSurfaceSendRight")
   (iokit-user-client-class "RootDomainUserClient")
 )

 (allow iokit-set-properties
   (require-all (iokit-connection "IODisplay")
     (require-any (iokit-property "brightness")
       (iokit-property "linear-brightness")
       (iokit-property "commit")
       (iokit-property "rgcs")
       (iokit-property "ggcs")
       (iokit-property "bgcs")
 )))

 (allow ipc-posix-shm-read-data
   (ipc-posix-name "apple.shm.notification_center"))


 ; Needed for VideoToolbox usage - https://crbug.com/767037
 (if (>= os-version 1013)
   (allow mach-lookup
     (xpc-service-name "com.apple.coremedia.videodecoder")
     (xpc-service-name "com.apple.coremedia.videoencoder")
     (xpc-service-name-regex #"\.apple-extension-service$")
 ))

 (allow sysctl-read
   (sysctl-name "hw.busfrequency_max")
   (sysctl-name "hw.cachelinesize")
   (sysctl-name "hw.logicalcpu_max")
   (sysctl-name "hw.memsize")
   (sysctl-name "hw.model")
   (sysctl-name "kern.osvariant_status")
 )

 (allow file-read-data
   (path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
   (path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
   (regex (user-homedir-path #"/Library/Preferences/(.*/)?com\.apple\.driver\..*\.plist"))
   (regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
 )

 (allow file-read*
   (path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14.
   (path (user-homedir-path "/Library/Preferences/ByHost"))
   (subpath "/Library/GPUBundles")
   (subpath "/Library/Video/Plug-Ins")
   (subpath "/System/Library/ColorSync/Profiles")
   (subpath "/System/Library/CoreServices/RawCamera.bundle")
   (subpath "/System/Library/Extensions")  ; https://crbug.com/515280
   (subpath "/System/Library/Video/Plug-Ins")
 )

 ; crbug.com/980134
 (allow file-read* file-write*
   (subpath (param darwin-user-cache-dir))
   (subpath (param darwin-user-dir))
   (subpath (param darwin-user-temp-dir))
 )

 (if (param-true? filter-syscalls-debug)
   (when (defined? 'syscall-unix)
     (deny syscall-unix (with send-signal SIGSYS))
     (allow syscall-unix
       (syscall-number SYS_csrctl)
       (syscall-number SYS_getentropy)
       (syscall-number SYS_getxattr)
       (syscall-number SYS_kdebug_typefilter)
       (syscall-number SYS_sigaltstack)
       (syscall-number SYS_write)
       (syscall-number SYS_write_nocancel)
 )))

 ; crbug.com/1159113
 (if (param-true? disable-metal-shader-cache)
   (let ((metal-cache-dir (subpath (string-append (param darwin-user-cache-dir)
                                                  "/com.apple.metal"))))
     (deny file-read* metal-cache-dir)
     (deny file-write* metal-cache-dir))
 )
	; Copyright 2017 The Chromium Authors. All rights reserved.
	; Use of this source code is governed by a BSD-style license that can be
	; found in the LICENSE file.

	; --- The contents of common.sb implicitly included here. ---

	(deny default (with partial-symbolication))
	(debug deny)

	; Allow cf prefs to work.
	(allow user-preference-read)

	(allow-cvms-blobs)

	(allow ipc-posix-shm)

	(define disable-metal-shader-cache "DISABLE_METAL_SHADER_CACHE")

	; Allow communication between the GPU process and the UI server.
	(allow mach-lookup
	(global-name "com.apple.bsd.dirhelper")
	(global-name "com.apple.CARenderServer")
	(global-name "com.apple.cfprefsd.agent")
	(global-name "com.apple.cfprefsd.daemon")
	(global-name "com.apple.CoreServices.coreservicesd")
	(global-name "com.apple.coreservices.launchservicesd")
	(global-name "com.apple.cvmsServ")
	(global-name "com.apple.gpumemd.source")
	(global-name "com.apple.lsd.mapdb")
	(global-name "com.apple.lsd.modifydb")
	(global-name "com.apple.powerlog.plxpclogger.xpc")
	(global-name "com.apple.PowerManagement.control")
	(global-name "com.apple.SecurityServer")
	(global-name "com.apple.system.notification_center")
	(global-name "com.apple.system.opendirectoryd.membership") ; https://crbug.com/1126350#c5
	(global-name "com.apple.tsm.uiserver")
	(global-name "com.apple.windowserver.active")
	)

	; Needed for metal decoding - https://crbug.com/957217
	(if (>= os-version 1014)
	(allow mach-lookup (xpc-service-name "com.apple.MTLCompilerService"))
	)

	; Needed for VideoToolbox H.264 SW and VP9 decoding - https://crbug.com/1113936
	(if (>= os-version 1016)
	(begin
	(allow mach-lookup (global-name "com.apple.trustd.agent"))
	(allow file-read* (path "/Library/Preferences/com.apple.security.plist"))
	)
	)

	; Needed for WebGL - https://crbug.com/75343
	(allow iokit-open
	(iokit-connection "IOAccelerator")
	(iokit-user-client-class "AGPMClient")
	(iokit-user-client-class "AppleGraphicsControlClient")
	(iokit-user-client-class "AppleGraphicsPolicyClient")
	(iokit-user-client-class "AppleIntelMEUserClient")
	(iokit-user-client-class "AppleMGPUPowerControlClient")
	(iokit-user-client-class "AppleSNBFBUserClient")
	(iokit-user-client-class "IOAccelerationUserClient")
	(iokit-user-client-class "IOFramebufferSharedUserClient")
	(iokit-user-client-class "IOHIDParamUserClient")
	(iokit-user-client-class "IOSurfaceRootUserClient")
	(iokit-user-client-class "IOSurfaceSendRight")
	(iokit-user-client-class "RootDomainUserClient")
	)

	(allow iokit-set-properties
	(require-all (iokit-connection "IODisplay")
	(require-any (iokit-property "brightness")
	(iokit-property "linear-brightness")
	(iokit-property "commit")
	(iokit-property "rgcs")
	(iokit-property "ggcs")
	(iokit-property "bgcs")
	)))

	(allow ipc-posix-shm-read-data
	(ipc-posix-name "apple.shm.notification_center"))


	; Needed for VideoToolbox usage - https://crbug.com/767037
	(if (>= os-version 1013)
	(allow mach-lookup
	(xpc-service-name "com.apple.coremedia.videodecoder")
	(xpc-service-name "com.apple.coremedia.videoencoder")
	(xpc-service-name-regex #"\.apple-extension-service$")
	))

	(allow sysctl-read
	(sysctl-name "hw.busfrequency_max")
	(sysctl-name "hw.cachelinesize")
	(sysctl-name "hw.logicalcpu_max")
	(sysctl-name "hw.memsize")
	(sysctl-name "hw.model")
	(sysctl-name "kern.osvariant_status")
	)

	(allow file-read-data
	(path "/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
	(path "/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree")
	(regex (user-homedir-path #"/Library/Preferences/(./)?com\.apple\.driver\..\.plist"))
	(regex (user-homedir-path #"/Library/Preferences/ByHost/com.apple.AppleGVA.*"))
	)

	(allow file-read*
	(path (user-homedir-path "/Library/Preferences")) ; List contents of preference directories https://crbug.com/1126350#c14.
	(path (user-homedir-path "/Library/Preferences/ByHost"))
	(subpath "/Library/GPUBundles")
	(subpath "/Library/Video/Plug-Ins")
	(subpath "/System/Library/ColorSync/Profiles")
	(subpath "/System/Library/CoreServices/RawCamera.bundle")
	(subpath "/System/Library/Extensions") ; https://crbug.com/515280
	(subpath "/System/Library/Video/Plug-Ins")
	)

	; crbug.com/980134
	(allow file-read* file-write*
	(subpath (param darwin-user-cache-dir))
	(subpath (param darwin-user-dir))
	(subpath (param darwin-user-temp-dir))
	)

	(if (param-true? filter-syscalls-debug)
	(when (defined? 'syscall-unix)
	(deny syscall-unix (with send-signal SIGSYS))
	(allow syscall-unix
	(syscall-number SYS_csrctl)
	(syscall-number SYS_getentropy)
	(syscall-number SYS_getxattr)
	(syscall-number SYS_kdebug_typefilter)
	(syscall-number SYS_sigaltstack)
	(syscall-number SYS_write)
	(syscall-number SYS_write_nocancel)
	)))

	; crbug.com/1159113
	(if (param-true? disable-metal-shader-cache)
	(let ((metal-cache-dir (subpath (string-append (param darwin-user-cache-dir)
	"/com.apple.metal"))))
	(deny file-read* metal-cache-dir)
	(deny file-write* metal-cache-dir))
	)