
Side by Side Diff: sandbox/win/src/job.cc

Issue 1851213002: Remove sandbox on Windows. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix nacl compile issues Created 4 years, 8 months ago
OLDNEW
(Empty)
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/win/src/job.h"
6
7 #include <stddef.h>
8 #include <utility>
9
10 #include "base/win/windows_version.h"
11 #include "sandbox/win/src/restricted_token.h"
12
13 namespace sandbox {
14
15 Job::Job() : job_handle_(NULL) {
16 };
17
18 Job::~Job() {
19 };
20
21 DWORD Job::Init(JobLevel security_level,
22 const wchar_t* job_name,
23 DWORD ui_exceptions,
24 size_t memory_limit) {
25 if (job_handle_.IsValid())
26 return ERROR_ALREADY_INITIALIZED;
27
28 job_handle_.Set(::CreateJobObject(NULL, // No security attribute
29 job_name));
30 if (!job_handle_.IsValid())
31 return ::GetLastError();
32
33 JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};
34 JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {};
35
36 // Set the settings for the different security levels. Note: The higher levels
37 // inherit from the lower levels.
38 switch (security_level) {
39 case JOB_LOCKDOWN: {
40 jeli.BasicLimitInformation.LimitFlags |=
41 JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
42 }
43 case JOB_RESTRICTED: {
44 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
45 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD;
46 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES;
47 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
48 }
49 case JOB_LIMITED_USER: {
50 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
51 jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
52 jeli.BasicLimitInformation.ActiveProcessLimit = 1;
53 }
54 case JOB_INTERACTIVE: {
55 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
56 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP;
57 jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS;
58 }
59 case JOB_UNPROTECTED: {
60 if (memory_limit) {
61 jeli.BasicLimitInformation.LimitFlags |=
62 JOB_OBJECT_LIMIT_PROCESS_MEMORY;
63 jeli.ProcessMemoryLimit = memory_limit;
64 }
65
66 jeli.BasicLimitInformation.LimitFlags |=
67 JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
68 break;
69 }
70 default: {
71 return ERROR_BAD_ARGUMENTS;
72 }
73 }
74
75 if (FALSE == ::SetInformationJobObject(job_handle_.Get(),
76 JobObjectExtendedLimitInformation,
77 &jeli,
78 sizeof(jeli))) {
79 return ::GetLastError();
80 }
81
82 jbur.UIRestrictionsClass = jbur.UIRestrictionsClass & (~ui_exceptions);
83 if (FALSE == ::SetInformationJobObject(job_handle_.Get(),
84 JobObjectBasicUIRestrictions,
85 &jbur,
86 sizeof(jbur))) {
87 return ::GetLastError();
88 }
89
90 return ERROR_SUCCESS;
91 }
92
93 DWORD Job::UserHandleGrantAccess(HANDLE handle) {
94 if (!job_handle_.IsValid())
95 return ERROR_NO_DATA;
96
97 if (!::UserHandleGrantAccess(handle,
98 job_handle_.Get(),
99 TRUE)) { // Access allowed.
100 return ::GetLastError();
101 }
102
103 return ERROR_SUCCESS;
104 }
105
106 base::win::ScopedHandle Job::Take() {
107 return std::move(job_handle_);
108 }
109
110 DWORD Job::AssignProcessToJob(HANDLE process_handle) {
111 if (!job_handle_.IsValid())
112 return ERROR_NO_DATA;
113
114 if (FALSE == ::AssignProcessToJobObject(job_handle_.Get(), process_handle))
115 return ::GetLastError();
116
117 return ERROR_SUCCESS;
118 }
119
120 } // namespace sandbox
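Review bot: In `Job::Init`, every failure after `CreateJobObject` succeeds (the `default:` branch and both `SetInformationJobObject` checks) returns with `job_handle_` still valid, so the object keeps a job that carries none or only part of the requested limits. `AssignProcessToJob` checks only `IsValid()` and `Take` hands the handle out unconditionally, so a caller that ignores the error code could place a process in a job without the intended restrictions, and a retry of `Init` only gets `ERROR_ALREADY_INITIALIZED`. I would release the handle on those paths, saving the error first because closing may overwrite it: `DWORD error = ::GetLastError(); job_handle_.Close(); return error;` (and `job_handle_.Close();` before `return ERROR_BAD_ARGUMENTS;`). The side-by-side layout on this page does not show clearly whether the listing is the added or the removed side, so this applies only if the file stays in the tree.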
OLDNEW