browser sandbox profile too restrictive on OSX 10.12.2

A user reported via a blog comment that the browser fails to start via ./start-browser-with-sandbox on OSX 10.12.2. See: https://blog.torproject.org/blog/tor-browser-65a6-released#comment-225250

As I commented on the blog, moving the line that reads (subpath "/usr/lib") within tb.sb from the (allow file-read-metadata ... ) section to the (allow file-read* ...) section seems to fix the problem.
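
An added check, not part of the original report or the project's code: it parses a sandbox profile and reports which allow sections list (subpath "/usr/lib"), so the placement described above can be verified before and after the change. The two profiles are constructed stand-ins for tb.sb, and the function names are hypothetical.

```python
import re

# Constructed profiles in the shape the report describes. They are not the real
# tb.sb: only (subpath "/usr/lib") and the two allow sections come from the report.
BEFORE = '''
(version 1)
(deny default)
(allow file-read-metadata
    (subpath "/usr/lib")            ; reported placement
    (subpath "/constructed/meta"))
(allow file-read*
    (subpath "/constructed/data"))
'''
AFTER = '''
(version 1)
(deny default)
(allow file-read-metadata
    (subpath "/constructed/meta"))
(allow file-read*
    (subpath "/usr/lib")            ; placement after the reported fix
    (subpath "/constructed/data"))
'''

def parse(text):
    """Turn profile text into nested lists, one list per parenthesised form."""
    tokens = re.findall(r';[^\n]*|"(?:\\.|[^"\\])*"|[()]|[^\s()";]+', text)
    stack = [[]]
    for tok in tokens:
        if tok.startswith(';'):      # comment to end of line
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    return stack[0]

def operations_granted(profile, path):
    """Operations whose allow rule lists (subpath "path") exactly.
    Does not model parent subpaths, regex filters or overriding deny rules."""
    wanted, ops = ['subpath', '"%s"' % path], set()
    for form in parse(profile):
        if isinstance(form, list) and form[:1] == ['allow'] and wanted in form:
            ops.update(x for x in form[1:] if isinstance(x, str))
    return ops

def contents_readable(profile, path):
    """True when the path is under file-read* (or file-read-data), not metadata only."""
    return bool(operations_granted(profile, path) & {'file-read*', 'file-read-data'})
```
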
