nornagon-openai
Collaborator

This adds some more capabilities to the default sandbox which I feel are safe. Most are in the renderer.sb sandbox for Chrome renderers, which I feel is fair game for codex commands.

Specific changes:

  1. Allow processes in the sandbox to send signals to any other process in the same sandbox (e.g. child processes or daemonized processes), instead of just themselves.
  2. Allow user-preference-read
  3. Allow process-info* to anything in the same sandbox. This is a bit wider than Chromium allows, but it seems OK to me to allow anything in the sandbox to get details about other processes in the same sandbox. Bazel uses these to e.g. wait for another process to exit.
  4. Allow all CPU feature detection, this seems harmless to me. It's wider than Chromium, but Chromium is concerned about fingerprinting, and tightly controls what CPU features they actually care about, and we don't have either that restriction or that advantage.
  5. Allow new sysctl-reads:
      (sysctl-name "vm.loadavg")
      (sysctl-name-prefix "kern.proc.pgrp.")
      (sysctl-name-prefix "kern.proc.pid.")
      (sysctl-name-prefix "net.routetable.")
    
    Bazel needs these for waiting on child processes and for communicating with its local build server, I believe. I wonder if we should just allow all (sysctl-read), as reading any arbitrary info about the system seems fine to me.
  6. Allow iokit-open on RootDomainUserClient. This has to do with power management I believe, and Chromium allows renderers to do this, so okay. Bazel needs it to boot successfully, possibly for sleep/wake callbacks?
  7. Mach lookup to com.apple.system.opendirectoryd.libinfo, which has to do with user data, and which Chrome allows.
  8. Mach lookup to com.apple.PowerManagement.control. Chromium allows its GPU process to do this, but not its renderers. Bazel needs this to boot, probably relatedly to sleep/wake stuff.

@fouad-openai fouad-openai changed the title from "core: widen the default sandbox" to "core: expand default sandbox" Sep 11, 2025
@bolinfest
Collaborator

@nornagon-openai As before, can you please include tests that demonstrate what is possible as a result of these changes that was not possible before?

In particular, we should verify whether Landlock and Seatbelt agree.

@nornagon-openai
Collaborator Author

@bolinfest most of these changes aren't relevant in Landlock as they are macOS-specific.

@bolinfest
Collaborator

Ideally most things end up in sandbox.rs.

(sysctl-name-prefix "net.routetable.")
)

; IOKit

IOKit has been historically riddled with bugs that could allow kernel compromise, so we should only do this if it's really necessary.

Collaborator Author

The Chromium renderer also allows this: https://source.chromium.org/chromium/chromium/src/+/main:sandbox/policy/mac/renderer.sb;l=64;drc=770eff88448123499a48ae636c323fc846a28c12. I think it's OK for us to be exposed to ~the same 0-days as Chromium?

@asafyish

Do you know if this will allow git/gh/vitest to work properly? Right now they need elevated permissions.

@nornagon-openai nornagon-openai merged commit b8ccfe9 into main Sep 12, 2025
19 checks passed
@nornagon-openai nornagon-openai deleted the nornagon/widen-sandbox branch September 12, 2025 21:03
@github-actions github-actions bot locked and limited conversation to collaborators Sep 12, 2025