macOS V2 Sandbox: Allow cfprefs and gamecontrollerd for perf experiment.

This experimental CL allows cfprefs and gamecontrollerd to observe how the perf bots respond. This will likely be reverted once the results show up. Bug: 689306 Change-Id: I8e0ab2919e4cf7e65217be1169b63a7bde806df4 Reviewed-on: https://chromium-review.googlesource.com/764394 Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Mike Pinkerton <pinkerton@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#515997}
Denger-Network · Nov 13, 2017 · 49c0741 · 49c0741
1 parent 8715f13
commit 49c0741
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/content/renderer/sandbox_mac_v2_unittest.mm b/content/renderer/sandbox_mac_v2_unittest.mm
@@ -134,10 +134,11 @@ void SetParametersForTest(sandbox::SandboxCompiler* compiler,
       bootstrap_port, "com.apple.system.logger", &service_port);
   CHECK_EQ(status, BOOTSTRAP_SUCCESS) << bootstrap_strerror(status);
 
-  mach_port_t forbidden_mach;
-  status = bootstrap_look_up(bootstrap_port, "com.apple.cfprefsd.daemon",
-                             &forbidden_mach);
-  CHECK_NE(BOOTSTRAP_SUCCESS, status);
+  // This test case temporarily disabled for performance experiments.
+  //  mach_port_t forbidden_mach;
+  //  status = bootstrap_look_up(bootstrap_port, "com.apple.cfprefsd.daemon",
+  //                             &forbidden_mach);
+  //  CHECK_NE(BOOTSTRAP_SUCCESS, status);
 
   // Read bundle contents.
   base::FilePath bundle_path = base::mac::MainBundlePath();

diff --git a/services/service_manager/sandbox/mac/renderer_v2.sb b/services/service_manager/sandbox/mac/renderer_v2.sb
@@ -181,3 +181,11 @@
     (sysctl-name "kern.usrstack64")
     (sysctl-name "kern.version")
     (sysctl-name "sysctl.proc_cputype")))
+
+; These are just part of a temporary experiment to see the perf
+; implications of allowing these resources.
+(allow mach-lookup (global-name "com.apple.cfprefsd.agent"))
+(allow mach-lookup (global-name "com.apple.cfprefsd.daemon"))
+(allow ipc-posix-shm-read-data (ipc-posix-name "apple.shm.cfprefsd.daemon"))
+(allow ipc-posix-shm-read-data (ipc-posix-name "apple.shm.cfprefsd.501"))
+(allow mach-lookup (global-name "com.apple.GameController.gamecontrollerd"))