services/service_manager/sandbox/mac/gpu_v2.sb - chromium/src - Git at Google

 ; Copyright 2017 The Chromium Authors. All rights reserved.
 ; Use of this source code is governed by a BSD-style license that can be
 ; found in the LICENSE file.

 ; --- The contents of common.sb implicitly included here. ---

 ; Allow communication between the GPU process and the UI server.
 (allow mach-lookup
   (global-name "com.apple.CoreServices.coreservicesd")
   (global-name "com.apple.coreservices.launchservicesd")
   (global-name "com.apple.cvmsServ")
   (global-name "com.apple.system.notification_center")
   (global-name "com.apple.tsm.uiserver")
   (global-name "com.apple.windowserver.active"))

 ; Needed for WebGL - crbug.com/75343
 (allow iokit-open
   (iokit-connection "IOAccelerator")
   (iokit-user-client-class "AGPMClient")
   (iokit-user-client-class "AppleGraphicsControlClient")
   (iokit-user-client-class "AppleMGPUPowerControlClient")
   (iokit-user-client-class "IOAccelerationUserClient")
   (iokit-user-client-class "IOFramebufferSharedUserClient")
   (iokit-user-client-class "IOHIDParamUserClient")
   (iokit-user-client-class "IOSurfaceRootUserClient")
   (iokit-user-client-class "IOSurfaceSendRight"))
   (iokit-user-client-class "RootDomainUserClient")

 (allow ipc-posix-shm-read-data
   (ipc-posix-name "apple.shm.notification_center"))

 ; https://crbug.com/515280
 (if (>= os-version 1011)
   (allow file-read* (subpath "/System/Library/Extensions")))

 ; Needed for VideoToolbox usage - https://crbug.com/767037
 (if (>= os-version 1013)
   (allow mach-lookup (global-name "com.apple.coremedia.videodecoder")))

 (if (> os-version 1009)
   (allow sysctl-read (sysctl-name "hw.model")))
	; Copyright 2017 The Chromium Authors. All rights reserved.
	; Use of this source code is governed by a BSD-style license that can be
	; found in the LICENSE file.

	; --- The contents of common.sb implicitly included here. ---

	; Allow communication between the GPU process and the UI server.
	(allow mach-lookup
	(global-name "com.apple.CoreServices.coreservicesd")
	(global-name "com.apple.coreservices.launchservicesd")
	(global-name "com.apple.cvmsServ")
	(global-name "com.apple.system.notification_center")
	(global-name "com.apple.tsm.uiserver")
	(global-name "com.apple.windowserver.active"))

	; Needed for WebGL - crbug.com/75343
	(allow iokit-open
	(iokit-connection "IOAccelerator")
	(iokit-user-client-class "AGPMClient")
	(iokit-user-client-class "AppleGraphicsControlClient")
	(iokit-user-client-class "AppleMGPUPowerControlClient")
	(iokit-user-client-class "IOAccelerationUserClient")
	(iokit-user-client-class "IOFramebufferSharedUserClient")
	(iokit-user-client-class "IOHIDParamUserClient")
	(iokit-user-client-class "IOSurfaceRootUserClient")
	(iokit-user-client-class "IOSurfaceSendRight"))
	(iokit-user-client-class "RootDomainUserClient")

	(allow ipc-posix-shm-read-data
	(ipc-posix-name "apple.shm.notification_center"))

	; https://crbug.com/515280
	(if (>= os-version 1011)
	(allow file-read* (subpath "/System/Library/Extensions")))

	; Needed for VideoToolbox usage - https://crbug.com/767037
	(if (>= os-version 1013)
	(allow mach-lookup (global-name "com.apple.coremedia.videodecoder")))

	(if (> os-version 1009)
	(allow sysctl-read (sysctl-name "hw.model")))