author Alexandru Croitor <alexandru.croitor@qt.io> 2018-11-07 17:27:54 +0100
committer Alexandru Croitor <alexandru.croitor@qt.io> 2018-11-07 16:37:43 +0000
commit 9ca99cf7418b0a9af8f1bf54e813cd57c231a374 (patch)
tree 0b5477239ed40fac26f07619300c5f9022750b08
parent 573ac8f40079aa4429fe734a7f1c7baef546c277 (diff)
download qtwebengine-chromium-9ca99cf7418b0a9af8f1bf54e813cd57c231a374.tar.gz
Cherry-pick certain macOS V2 sandbox rules into the V1 sandbox rules
Certain UI controls weren't displayed correctly (like select fields, radio boxes, checkboxes) when the macOS sandbox was enabled. These were fixed for the second version of the sandbox "V2", but WebEngine does not currently work with it (missing code and additional rules to allow accessing Qt files). Backport the necessary sandbox permission rules from the "V2" version to the "V1" version, to allow correctly drawing the previously mentioned UI controls.

Task-number: QTBUG-70715
Change-Id: I329433a311de58ea97e4e719e8c330568d578fa8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- chromium/services/service_manager/sandbox/mac/renderer.sb 14
1 files changed, 14 insertions, 0 deletions
diff --git a/chromium/services/service_manager/sandbox/mac/renderer.sb b/chromium/services/service_manager/sandbox/mac/renderer.sb
index 09f142e19c2..bae2989545d 100644
--- a/chromium/services/service_manager/sandbox/mac/renderer.sb
+++ b/chromium/services/service_manager/sandbox/mac/renderer.sb
@@ -50,3 +50,17 @@
; file-read-metadata /System/Library/LinguisticData/en/US/hyphenation.dat
; for CFStringIsHyphenationAvailableForLocale and CFStringGetHyphenationLocationBeforeIndex
(allow file-read* (subpath "/System/Library/LinguisticData"))
+
+; https://crbug.com/850021
+(allow mach-lookup (global-name "com.apple.cvmsServ"))
+
+; Reads of signed Mach-O blobs created by the CVMS server.
+; https://crbug.com/850021
+(allow file-read*
+ (extension "com.apple.cvms.kernel")
+ (prefix "/private/tmp/cvmsCodeSignObj")
+ (subpath "/private/var/db/CVMS"))
+
+; Reads from /Library.
+(allow file-read-data
+ (subpath "/Library/GPUBundles")) ; https://crbug.com/850021
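
Review bot: The prefix filter on /private/tmp/cvmsCodeSignObj in the second file-read* rule matches every path that begins with that string, and /private/tmp is a shared temporary directory, so the renderer can read any file there whose name starts with cvmsCodeSignObj, not only the blobs the comment attributes to the CVMS server. The grant is read-only, which limits the exposure, but the comment should say why a prefix match is required rather than a narrower filter. The same rule grants file-read* while the /Library/GPUBundles rule grants only file-read-data; if data reads are enough for the CVMS blobs as well, narrow it to match. The comment "Reads from /Library." is broader than the rule beneath it, which covers only /Library/GPUBundles; reword it and move the crbug link onto its own comment line as in the two rules above. A one-line comment marking the whole group as backported from the V2 profile would make it easier to keep the two rule sets in sync.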