Bug 1046166 - Add sandbox white list for userContent.css on MacOSX. r?haik
MozReview-Commit-ID: BVnGjaSSkEh
--- a/security/sandbox/mac/Sandbox.mm
+++ b/security/sandbox/mac/Sandbox.mm
@@ -348,27 +348,28 @@ static const char contentSandboxRules[]
"; global file-read* permission should be removed from each level.\n"
"\n"
"; level 1: global read access permitted, no global write access\n"
" (if (= sandbox-level 1) (allow file-read*))\n"
"\n"
"; level 2: global read access permitted, no global write access,\n"
"; no read/write access to ~/Library,\n"
"; no read/write access to $PROFILE,\n"
- "; read access permitted to $PROFILE/{extensions,weave}\n"
+ "; read access permitted to $PROFILE/{extensions,weave,chrome}\n"
" (if (= sandbox-level 2)\n"
" (if (not (zero? hasProfileDir))\n"
" ; we have a profile dir\n"
" (begin\n"
" (allow file-read* (require-all\n"
" (require-not (home-subpath \"/Library\"))\n"
" (require-not (subpath profileDir))))\n"
" (allow file-read*\n"
" (profile-subpath \"/extensions\")\n"
- " (profile-subpath \"/weave\")))\n"
+ " (profile-subpath \"/weave\")\n"
+ " (profile-subpath \"/chrome\")))\n"
" ; we don't have a profile dir\n"
" (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
"\n"
"; accelerated graphics\n"
" (allow-shared-preferences-read \"com.apple.opengl\")\n"
" (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
" (allow mach-lookup\n"
" (global-name \"com.apple.cvmsServ\"))\n"
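Review bot: The added `(profile-subpath \"/chrome\")` rule in the level 2 block makes the whole $PROFILE/chrome tree readable by the content process, which is wider than the single userContent.css named in the commit title; anything else stored in that directory becomes readable as well. If the directory-wide grant is intentional (presumably so that stylesheets pulled in by userContent.css through @import still load), record that next to the rule, e.g. `"; whole chrome dir is readable: userContent.css may @import sibling files\n"`. Otherwise the rule should be narrowed to that one file, using whatever literal-path form the profile already defines outside this hunk. The contentSandboxRules string starts and ends outside the hunk, so the definition of profile-subpath and the rules for other sandbox levels are not visible here.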