Chromium Code Reviews Chromium Code Reviews
Issue 2672003002:
Remove the --allow-no-sandbox-job flag in favor of automatic recognition. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/sandbox_win.h" | 5 #include "content/common/sandbox_win.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 | 10 |
| (...skipping 233 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 244 CloseHandle(token); | 244 CloseHandle(token); |
| 245 if (session_id) | 245 if (session_id) |
| 246 s_session_id = session_id; | 246 s_session_id = session_id; |
| 247 } | 247 } |
| 248 | 248 |
| 249 return base::StringPrintf(L"\\Sessions\\%lu%ls", s_session_id, object); | 249 return base::StringPrintf(L"\\Sessions\\%lu%ls", s_session_id, object); |
| 250 } | 250 } |
| 251 | 251 |
| 252 // Checks if the sandbox should be let to run without a job object assigned. | 252 // Checks if the sandbox should be let to run without a job object assigned. |
| 253 bool ShouldSetJobLevel(const base::CommandLine& cmd_line) { | 253 bool ShouldSetJobLevel(const base::CommandLine& cmd_line) { |
| 254 if (!cmd_line.HasSwitch(switches::kAllowNoSandboxJob)) | |
| 255 return true; | |
| 256 | |
| 257 // Windows 8 allows nested jobs so we don't need to check if we are in other | 254 // Windows 8 allows nested jobs so we don't need to check if we are in other |
| 258 // job. | 255 // job. |
| 259 if (base::win::GetVersion() >= base::win::VERSION_WIN8) | 256 if (base::win::GetVersion() >= base::win::VERSION_WIN8) |
| 260 return true; | 257 return true; |
| 261 | 258 |
| 262 BOOL in_job = true; | 259 BOOL in_job = true; |
| 263 // Either there is no job yet associated so we must add our job, | 260 // Either there is no job yet associated so we must add our job, |
| 264 if (!::IsProcessInJob(::GetCurrentProcess(), NULL, &in_job)) | 261 if (!::IsProcessInJob(::GetCurrentProcess(), NULL, &in_job)) |
| 265 NOTREACHED() << "IsProcessInJob failed. " << GetLastError(); | 262 NOTREACHED() << "IsProcessInJob failed. " << GetLastError(); |
| 266 if (!in_job) | 263 if (!in_job) |
| 267 return true; | 264 return true; |
| 268 | 265 |
| 269 // ...or there is a job but the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit is set. | 266 // ...or there is a job but the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit is set. |
| 270 JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_info = {}; | 267 JOBOBJECT_EXTENDED_LIMIT_INFORMATION job_info = {}; |
| 271 if (!::QueryInformationJobObject(NULL, | 268 if (!::QueryInformationJobObject(NULL, |
| 272 JobObjectExtendedLimitInformation, &job_info, | 269 JobObjectExtendedLimitInformation, &job_info, |
| 273 sizeof(job_info), NULL)) { | 270 sizeof(job_info), NULL)) { |
| 274 NOTREACHED() << "QueryInformationJobObject failed. " << GetLastError(); | 271 NOTREACHED() << "QueryInformationJobObject failed. " << GetLastError(); |
| 275 return true; | 272 return true; |
| 276 } | 273 } |
| 277 if (job_info.BasicLimitInformation.LimitFlags & JOB_OBJECT_LIMIT_BREAKAWAY_OK) | 274 if (job_info.BasicLimitInformation.LimitFlags & JOB_OBJECT_LIMIT_BREAKAWAY_OK) |
| 278 return true; | 275 return true; |
| 279 | 276 |
| 277 // Lastly in place of the flag which was supposed to be used only for running | |
| 278 // Chrome in remote sessions we do this check explicitly here. | |
| 279 // According to MS this flag can be false for a remote session only on Windows | |
| 280 // Server 2012 and newer so if we do the check last we should be on the safe | |
| 281 // side. See: https://msdn.microsoft.com/en-us/library/aa380798.aspx. | |
| 282 if (!::GetSystemMetrics(SM_REMOTESESSION)) { | |
| 283 // TODO(pastarmovj): Remove this check and the flag altogether once we are | |
| 284 // convinced that the automatic logic is good enough. | |
| 285 return !cmd_line.HasSwitch(switches::kAllowNoSandboxJob); | |
| 286 } | |
| 287 | |
| 288 // Allow running without the sandbox in this case. This slightly reduces the | |
| 289 // ability of the sandbox to protect its children from spawning new processes | |
| 290 // or preventing them from shutting down Windows or accessing the clipboard. | |
| 280 return false; | 291 return false; |
| 281 } | 292 } |
| 282 | 293 |
| 283 // Adds the generic policy rules to a sandbox TargetPolicy. | 294 // Adds the generic policy rules to a sandbox TargetPolicy. |
| 284 sandbox::ResultCode AddGenericPolicy(sandbox::TargetPolicy* policy) { | 295 sandbox::ResultCode AddGenericPolicy(sandbox::TargetPolicy* policy) { |
| 285 sandbox::ResultCode result; | 296 sandbox::ResultCode result; |
| 286 | 297 |
| 287 // Add the policy for the client side of a pipe. It is just a file | 298 // Add the policy for the client side of a pipe. It is just a file |
| 288 // in the \pipe\ namespace. We restrict it to pipes that start with | 299 // in the \pipe\ namespace. We restrict it to pipes that start with |
| 289 // "chrome." so the sandboxed process cannot connect to system services. | 300 // "chrome." so the sandboxed process cannot connect to system services. |
| (...skipping 273 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 563 return base::StartsWith(appcontainer_group_name, "Enabled", | 574 return base::StartsWith(appcontainer_group_name, "Enabled", |
| 564 base::CompareCase::INSENSITIVE_ASCII); | 575 base::CompareCase::INSENSITIVE_ASCII); |
| 565 } | 576 } |
| 566 | 577 |
| 567 } // namespace | 578 } // namespace |
| 568 | 579 |
| 569 sandbox::ResultCode SetJobLevel(const base::CommandLine& cmd_line, | 580 sandbox::ResultCode SetJobLevel(const base::CommandLine& cmd_line, |
| 570 sandbox::JobLevel job_level, | 581 sandbox::JobLevel job_level, |
| 571 uint32_t ui_exceptions, | 582 uint32_t ui_exceptions, |
| 572 sandbox::TargetPolicy* policy) { | 583 sandbox::TargetPolicy* policy) { |
| 573 if (!ShouldSetJobLevel(cmd_line)) | 584 const bool should_set_job = ShouldSetJobLevel(cmd_line); |
| 585 UMA_HISTOGRAM_BOOLEAN("Process.Sandbox.ShouldSetJobNone", should_set_job); | |
|
Will Harris
2017/02/16 23:48:17
I feel like I'm being a terrible reviewer here and
| |
| 586 if (!should_set_job) | |
| 574 return policy->SetJobLevel(sandbox::JOB_NONE, 0); | 587 return policy->SetJobLevel(sandbox::JOB_NONE, 0); |
| 575 | 588 |
| 576 #ifdef _WIN64 | 589 #ifdef _WIN64 |
| 577 sandbox::ResultCode ret = | 590 sandbox::ResultCode ret = |
| 578 policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024); | 591 policy->SetJobMemoryLimit(4ULL * 1024 * 1024 * 1024); |
| 579 if (ret != sandbox::SBOX_ALL_OK) | 592 if (ret != sandbox::SBOX_ALL_OK) |
| 580 return ret; | 593 return ret; |
| 581 #endif | 594 #endif |
| 582 return policy->SetJobLevel(job_level, ui_exceptions); | 595 return policy->SetJobLevel(job_level, ui_exceptions); |
| 583 } | 596 } |
| (...skipping 249 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 833 } | 846 } |
| 834 | 847 |
| 835 delegate->PostSpawnTarget(target.process_handle()); | 848 delegate->PostSpawnTarget(target.process_handle()); |
| 836 | 849 |
| 837 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1)); | 850 CHECK(ResumeThread(target.thread_handle()) != static_cast<DWORD>(-1)); |
| 838 *process = base::Process(target.TakeProcessHandle()); | 851 *process = base::Process(target.TakeProcessHandle()); |
| 839 return sandbox::SBOX_ALL_OK; | 852 return sandbox::SBOX_ALL_OK; |
| 840 } | 853 } |
| 841 | 854 |
| 842 } // namespace content | 855 } // namespace content |
| OLD | NEW |
