authorjeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-24 09:06:40 +0000
committerjeremy@chromium.org <jeremy@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-24 09:06:40 +0000
commit7b7fc63697bfc60524428be803abd028a8ff84bf (patch)
tree23718c88600327ad9ebd72ff217d13405b9e7841 /content
parentf37b5ace48bd4c90f007bb6127f91351842d30fb (diff)
Mac: Fix WebGL in OS X 10.7 + misc. Sandbox cleanup
* Allow IOKit access in 10.7. * Rename 10.6_ONLY to 10.6_OR_ABOVE and add a 10.7 version. * Fix path for common.sb in one place we missed the chrome->content move. BUG=75343 TEST=See bug Review URL: http://codereview.chromium.org/7060002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@86410 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/browser/gpu.sb16
-rw-r--r--content/common/common.sb4
-rw-r--r--content/common/sandbox_mac.mm16
-rw-r--r--content/renderer/renderer.sb4
4 files changed, 30 insertions, 10 deletions
diff --git a/content/browser/gpu.sb b/content/browser/gpu.sb
index 7b6932c..b3d17d5 100644
--- a/content/browser/gpu.sb
+++ b/content/browser/gpu.sb
@@ -1,12 +1,24 @@
;;
-;; Copyright (c) 2010 The Chromium Authors. All rights reserved.
+;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
-; *** The contents of chrome/common/common.sb are implicitly included here. ***
+; *** The contents of content/common/common.sb are implicitly included here. ***
; Allow communication between the GPU process and the UI server.
(allow mach-lookup (global-name "com.apple.tsm.uiserver"))
(allow file-read-metadata (literal "/"))
+
+; Needed for WebGL on OS X 10.7 - crbug.com/75343
+;10.7_OR_ABOVE (allow iokit-open
+;10.7_OR_ABOVE (iokit-connection "IOAccelerator")
+;10.7_OR_ABOVE (iokit-user-client-class "IOAccelerationUserClient")
+;10.7_OR_ABOVE (iokit-user-client-class "IOFramebufferSharedUserClient")
+;10.7_OR_ABOVE (iokit-user-client-class "AppleGraphicsControlClient")
+;10.7_OR_ABOVE (iokit-user-client-class "AGPMClient")
+;10.7_OR_ABOVE (iokit-user-client-class "IOHIDParamUserClient")
+;10.7_OR_ABOVE (iokit-user-client-class "RootDomainUserClient")
+;10.7_OR_ABOVE (iokit-user-client-class "IOSurfaceRootUserClient")
+;10.7_OR_ABOVE (iokit-user-client-class "IOSurfaceSendRight"))
\ No newline at end of file
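Review bot: The new `iokit-open` rule opens nine IOKit entry points to the GPU process, but the only justification is the single line `; Needed for WebGL on OS X 10.7 - crbug.com/75343`. Each allowed user-client class is kernel interface reachable from inside the sandbox, and going by their names `IOHIDParamUserClient` and `RootDomainUserClient` do not look graphics-specific, so a later reader cannot tell which entries are load-bearing. I would add a comment above the rule such as `; TODO: record per class which 10.7 sandbox denial required it; each entry is kernel surface reachable from the GPU process.` and annotate the entries as that is learned. Because the form is spread over ten lines that each carry the `;10.7_OR_ABOVE` prefix, it is also worth noting in the comment that every line of the form must keep the prefix, otherwise the parentheses no longer balance once the token is stripped.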
diff --git a/content/common/common.sb b/content/common/common.sb
index ec97f66..5067f98 100644
--- a/content/common/common.sb
+++ b/content/common/common.sb
@@ -1,5 +1,5 @@
;;
-;; Copyright (c) 2010 The Chromium Authors. All rights reserved.
+;; Copyright (c) 2011 The Chromium Authors. All rights reserved.
;; Use of this source code is governed by a BSD-style license that can be
;; found in the LICENSE file.
;;
@@ -33,4 +33,4 @@
(regex #"^/System/Library/CoreServices($|/)")) ; 10.5.6
; Needed for IPC on 10.6
-;10.6_ONLY (allow ipc-posix-shm)
+;10.6_OR_ABOVE (allow ipc-posix-shm)
diff --git a/content/common/sandbox_mac.mm b/content/common/sandbox_mac.mm
index 59d4871..fd3b352 100644
--- a/content/common/sandbox_mac.mm
+++ b/content/common/sandbox_mac.mm
@@ -385,13 +385,15 @@ NSString* LoadSandboxTemplate(Sandbox::SandboxProcessType sandbox_type) {
}
// Retrieve OS X version, output parameters are self explanatory.
-void GetOSVersion(bool* snow_leopard_or_higher) {
+void GetOSVersion(bool* snow_leopard_or_higher, bool* lion_or_higher) {
int32 major_version, minor_version, bugfix_version;
base::SysInfo::OperatingSystemVersionNumbers(&major_version,
&minor_version,
&bugfix_version);
*snow_leopard_or_higher =
(major_version > 10 || (major_version == 10 && minor_version >= 6));
+ *lion_or_higher =
+ (major_version > 10 || (major_version == 10 && minor_version >= 7));
}
// static
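Review bot: The comment above `GetOSVersion` still reads "output parameters are self explanatory", which no longer holds now that the result decides whether the IOKit allow rules in gpu.sb are switched on. `EnableSandbox` passes two uninitialised bools, so the contract that both are always written should be stated, for example `// Both out-params are always written; lion_or_higher implies snow_leopard_or_higher.` The two comparisons also differ only in the minor-version constant, so a small local helper taking that constant would avoid a third copy when the next OS release is added. It may be worth stating in the same comment what happens if the version query yields zeros: as written both flags would be false and the version-gated rules would stay commented out.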
@@ -505,7 +507,8 @@ bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
}
bool snow_leopard_or_higher;
- GetOSVersion(&snow_leopard_or_higher);
+ bool lion_or_higher;
+ GetOSVersion(&snow_leopard_or_higher, &lion_or_higher);
// Without this, the sandbox will print a message to the system log every
// time it denies a request. This floods the console with useless spew. The
@@ -528,9 +531,14 @@ bool Sandbox::EnableSandbox(SandboxProcessType sandbox_type,
SandboxSubstring(home_dir_canonical.value(),
SandboxSubstring::LITERAL);
+ if (lion_or_higher) {
+ // >=10.7 Sandbox rules.
+ [tokens_to_remove addObject:@";10.7_OR_ABOVE"];
+ }
+
if (snow_leopard_or_higher) {
- // 10.6-only Sandbox rules.
- [tokens_to_remove addObject:@";10.6_ONLY"];
+ // >=10.6 Sandbox rules.
+ [tokens_to_remove addObject:@";10.6_OR_ABOVE"];
} else {
// Sandbox rules only for versions before 10.6.
[tokens_to_remove addObject:@";BEFORE_10.6"];
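Review bot: The comment `// >=10.7 Sandbox rules.` does not say that adding the token to `tokens_to_remove` is the step that activates those rules, which is the security-relevant direction here. Something like `// Strip the ";10.7_OR_ABOVE" prefix so the rules it guards become active on 10.7+; on older systems they stay commented out.` would make that explicit, and the same wording applies to the `>=10.6` branch below. The token is added regardless of `sandbox_type`, so any profile that later gains a `;10.7_OR_ABOVE` line is affected, not only gpu.sb. `EnableSandbox` starts and ends outside this hunk, so how the tokens are consumed is not visible here.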
diff --git a/content/renderer/renderer.sb b/content/renderer/renderer.sb
index 1600044..25dc100 100644
--- a/content/renderer/renderer.sb
+++ b/content/renderer/renderer.sb
@@ -12,7 +12,7 @@
; on 10.5 this is needed for the PDF plugin.
(allow file-read* (regex #"^/Library/Fonts($|/)"))
(allow mach-lookup (global-name "com.apple.FontObjectsServer")) ; 10.5.6
-;10.6_ONLY (allow mach-lookup (global-name "com.apple.FontServer")) ; 10.6
+;10.6_OR_ABOVE (allow mach-lookup (global-name "com.apple.FontServer")) ; 10.6
(allow file-read*
(regex #"^/System/Library/ColorSync($|/)") ; 10.5.6 - http://crbug.com/46648
@@ -21,7 +21,7 @@
)
; http://crbug.com/11269
-;10.6_ONLY (allow file-read* (subpath "@USER_HOMEDIR_AS_LITERAL@/Library/Fonts")) ; 10.6
+;10.6_OR_ABOVE (allow file-read* (subpath "@USER_HOMEDIR_AS_LITERAL@/Library/Fonts")) ; 10.6
; http://crbug.com/60917
(allow file-read-metadata