Bug 1083344 - Tighten rules for Mac OS content process sandbox on 10.9 and 10.10. r=smichaud

Allow read to whole filesystem until chrome:// and file:// URLs are brokered through another process.
Except $HOME/Library in which we allow only access to profile add-ons subdir.
Add level 2, which allows read only from $HOME and /tmp (while still restricting $HOME/Library.
Change default back to 1.

browser/app/profile/firefox.js

@@ -1231,7 +1231,7 @@ pref("security.sandbox.windows.log.stackTraceDepth", 0);
 // This setting is read when the content process is started. On Mac the content
 // process is killed when all windows are closed, so a change will take effect
 // when the 1st window is opened.
-pref("security.sandbox.content.level", 0);
+pref("security.sandbox.content.level", 1);
 #endif
 
 // This pref governs whether we attempt to work around problems caused by

security/sandbox/mac/Sandbox.mm

@@ -59,7 +59,7 @@ static const char contentSandboxRules[] =
   "(if \n"
   "  (or\n"
   "    (< macosMinorVersion 9)\n"
-  "    (= sandbox-level 0))\n"
+  "    (< sandbox-level 1))\n"
   "  (allow default)\n"
   "  (begin\n"
   "    (deny default)\n"
@@ -228,11 +228,16 @@ static const char contentSandboxRules[] =
   "\n"
   "; the following rules should be removed when printing and \n"
   "; opening a file from disk are brokered through the main process\n"
-  "    (allow file*\n"
-  "        (require-all\n"
-  "            (subpath home-path)\n"
-  "            (require-not\n"
-  "                (home-subpath \"/Library\"))))\n"
+  "    (if\n"
+  "      (< sandbox-level 2)\n"
+  "      (allow file*\n"
+  "          (require-not\n"
+  "              (home-subpath \"/Library\")))\n"
+  "      (allow file*\n"
+  "          (require-all\n"
+  "              (subpath home-path)\n"
+  "              (require-not\n"
+  "                  (home-subpath \"/Library\")))))\n"
   "\n"
   "; printing\n"
   "    (allow authorization-right-obtain\n"