
Side by Side Diff: content/common/sandbox_policy.cc

Issue 7768004: Add GPU job object restriction (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: '' Created 9 years, 3 months ago
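--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ -280,31 +280,43 @@
   return true;
 }
 
 // For the GPU process we gotten as far as USER_LIMITED. The next level
 // which is USER_RESTRICTED breaks both the DirectX backend and the OpenGL
 // backend. Note that the GPU process is connected to the interactive
 // desktop.
 // TODO(cpu): Lock down the sandbox more if possible.
 // TODO(apatrick): Use D3D9Ex to render windowless.
 bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                           sandbox::USER_LIMITED);
     if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
-        gfx::kGLImplementationDesktopName)
+        gfx::kGLImplementationDesktopName) {
+      policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    } else {
+      // UI restrictions break when we access Windows from outside our job.
+      // However, we don't want a proxy window in this process because it can
+      // introduce deadlocks where the renderer blocks on the gpu, which in
+      // turn blocks on the browser UI thread. So, instead we forgo a window
+      // message pump entirely and just add job restrictions to prevent child
+      // processes.
+      policy->SetJobLevel(sandbox::JOB_LIMITED_USER,
+                          JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
+                          JOB_OBJECT_UILIMIT_DESKTOP |
+                          JOB_OBJECT_UILIMIT_EXITWINDOWS |
+                          JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
       policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    else
-      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    }
   } else {
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
     policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
                           sandbox::USER_LIMITED);
   }
 
   AddGenericDllEvictionPolicy(policy);
   return true;
 }
 
 void AddPolicyForRenderer(sandbox::TargetPolicy* policy) {
   policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
@@ -537,10 +549,10 @@
 
   // Help the process a little. It can't start the debugger by itself if
   // the process is in a sandbox.
   if (child_needs_help)
     base::debug::SpawnDebuggerOnProcess(target.dwProcessId);
 
   return process;
 }
 
 }  // namespace sandbox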
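Review bot: The second argument to the new SetJobLevel(sandbox::JOB_LIMITED_USER, ...) call is the ui_exceptions mask — UI limits that JOB_LIMITED_USER would otherwise impose but that are granted back — while the comment directly above it says the call will "just add job restrictions", so a reader will take the four JOB_OBJECT_UILIMIT_* flags as restrictions being added rather than lifted. I would replace the last two comment lines with `// message pump entirely and take JOB_LIMITED_USER (which, if I read the job-level table right, caps the job at one process); the UILIMIT flags passed below are the exceptions we must grant back, not extra restrictions.` AddPolicyForGPU also keeps returning true unconditionally although none of the SetJobLevel/SetTokenLevel/SetIntegrityLevel results are checked; if the TargetPolicy setters report a sandbox::ResultCode as I recall, a failing SetJobLevel would launch the GPU process under the weaker job configuration without any signal, so checking the new calls, e.g. `if (policy->SetJobLevel(...) != sandbox::SBOX_ALL_OK) return false;`, would give the bool return a meaning. AddPolicyForGPU is fully visible in this section; the enclosing function of the last hunk starts outside it.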
