Add GPU job object restriction

content/common/sandbox_policy.cc

Index: content/common/sandbox_policy.cc
===================================================================
--- content/common/sandbox_policy.cc	(revision 98433)
+++ content/common/sandbox_policy.cc	(working copy)
@@ -287,16 +287,25 @@
 // TODO(cpu): Lock down the sandbox more if possible.
 // TODO(apatrick): Use D3D9Ex to render windowless.
 bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-
   if (base::win::GetVersion() > base::win::VERSION_XP) {
     policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                           sandbox::USER_LIMITED);
     if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
-          gfx::kGLImplementationDesktopName)
+        gfx::kGLImplementationDesktopName) {
+      policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
+      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    } else {
+      // UI restrictions break when we access Windows from outside our job.
+      // However, we don't want a proxy window in this process because it can
+      // introduce deadlocks. So, the only job restriction we pick up here is

[brettw, 2011/08/27 23:06:47]

It might be nice to mention here quickly how such deadlocks can occur, and also
how these settings avoid a proxy window.

[jschuh, 2011/08/29 16:13:58]

Done.

+      // to prevent child processes.
+      policy->SetJobLevel(sandbox::JOB_LIMITED_USER,
+                          JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
+                          JOB_OBJECT_UILIMIT_DESKTOP |
+                          JOB_OBJECT_UILIMIT_EXITWINDOWS |
+                          JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
       policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    else
-      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    }
   } else {
     policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
                           sandbox::USER_LIMITED);