Bug 1387233 - restrict access to ipc-posix-shm APIs in the content process; r=haik

This removes /tmp/com.apple.csseed access entirely, ipc-posix-shm-read-metadata
from CFPBS:, and ipc-posix-shm-write-{create,unlink} from AudioIO and CFPBS:.

MozReview-Commit-ID: Eahx6guqGos

--HG--
extra : rebase_source : 621e81eb00411ae39882504db7d10a50eef30b27

security/sandbox/mac/SandboxPolicies.h

@@ -175,10 +175,10 @@ static const char contentSandboxRules[] = R"(
     (allow file-read*
            (home-regex (string-append "/Library/Preferences/" (regex-quote domain)))))
 
-  (allow ipc-posix-shm
-      (ipc-posix-name-regex "^/tmp/com.apple.csseed:")
-      (ipc-posix-name-regex "^CFPBS:")
-      (ipc-posix-name-regex "^AudioIO"))
+  (allow ipc-posix-shm-read-data ipc-posix-shm-write-data
+    (ipc-posix-name-regex "^CFPBS:"))
+  (allow ipc-posix-shm-read* ipc-posix-shm-write-data
+    (ipc-posix-name-regex "^AudioIO"))
 
   (allow signal (target self))