Bug 1083344 - Add "allow" sandbox rules to fix mochitests on OSX 10.9 and 10.10. r=smichaud

security/sandbox/mac/Sandbox.mm

@@ -72,7 +72,7 @@ static const char contentSandboxRules[] =
   "    (define container-path appPath)\n"
   "    (define appdir-path appDir)\n"
   "    (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
-  "    (define var-folders2-re (string-append var-folders-re \"/[^/]*/[^/]\"))\n"
+  "    (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
   "\n"
   "    (define (home-regex home-relative-regex)\n"
   "      (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
@@ -126,9 +126,10 @@ static const char contentSandboxRules[] =
   "        (regex \"^/private/tmp/KSInstallAction\\.\")\n"
   "        (var-folders-regex \"/\")\n"
   "        (home-subpath \"/Library\"))\n"
-  "    \n"
+  "\n"
   "    (allow signal (target self))\n"
   "    (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
+  "    (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
   "\n"
   "    (allow mach-lookup\n"
   "        (global-name \"com.apple.coreservices.launchservicesd\")\n"
@@ -149,9 +150,11 @@ static const char contentSandboxRules[] =
   "        (global-name \"com.apple.cache_delete\")\n"
   "        (global-name \"com.apple.pluginkit.pkd\")\n"
   "        (global-name \"com.apple.bird\")\n"
+  "        (global-name \"com.apple.ocspd\")\n"
+  "        (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
   "        (global-name \"com.apple.DesktopServicesHelper\")\n"
   "        (global-name \"com.apple.printtool.daemon\"))\n"
-  "    \n"
+  "\n"
   "    (allow iokit-open\n"
   "        (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
   "        (iokit-user-client-class \"IOHIDParamUserClient\")\n"
@@ -175,7 +178,10 @@ static const char contentSandboxRules[] =
   "; depending on systems, the 1st, 2nd or both rules are necessary\n"
   "    (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
   "    (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
-  "    \n"
+  "\n"
+  "    (allow-shared-preferences-read \"com.apple.ATS\")\n"
+  "    (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
+  "\n"
   "    (allow file-read*\n"
   "        (subpath \"/Library/Fonts\")\n"
   "        (subpath \"/Library/Audio/Plug-Ins\")\n"
@@ -210,10 +216,16 @@ static const char contentSandboxRules[] =
   "    (allow device-camera)\n"
   "\n"
   "    (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
-  "    (allow file-read* (var-folders2-regex \"/com\\.apple\\.IconServices/\"))\n"
+  "    (allow file-read*\n"
+  "        (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
+  "        (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
   "\n"
   "    (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
-  "    \n"
+  "    (allow file-read*\n"
+  "        (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
+  "        (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
+  "        (home-regex \"/Library/Application Support/Firefox/Profiles/[^/]+/extensions/\"))\n"
+  "\n"
   "; the following rules should be removed when printing and \n"
   "; opening a file from disk are brokered through the main process\n"
   "    (allow file*\n"
@@ -221,7 +233,7 @@ static const char contentSandboxRules[] =
   "            (subpath home-path)\n"
   "            (require-not\n"
   "                (home-subpath \"/Library\"))))\n"
-  "    \n"
+  "\n"
   "; printing\n"
   "    (allow authorization-right-obtain\n"
   "           (right-name \"system.print.operator\")\n"