OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/win/src/sandbox_policy_base.h" | 5 #include "sandbox/win/src/sandbox_policy_base.h" |
6 | 6 |
7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
8 #include "base/callback.h" | 8 #include "base/callback.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/win/windows_version.h" | 10 #include "base/win/windows_version.h" |
(...skipping 62 matching lines...)
73 // Initializes static members. | 73 // Initializes static members. |
74 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; | 74 HWINSTA PolicyBase::alternate_winstation_handle_ = NULL; |
75 HDESK PolicyBase::alternate_desktop_handle_ = NULL; | 75 HDESK PolicyBase::alternate_desktop_handle_ = NULL; |
76 | 76 |
77 PolicyBase::PolicyBase() | 77 PolicyBase::PolicyBase() |
78 : ref_count(1), | 78 : ref_count(1), |
79 lockdown_level_(USER_LOCKDOWN), | 79 lockdown_level_(USER_LOCKDOWN), |
80 initial_level_(USER_LOCKDOWN), | 80 initial_level_(USER_LOCKDOWN), |
81 job_level_(JOB_LOCKDOWN), | 81 job_level_(JOB_LOCKDOWN), |
82 ui_exceptions_(0), | 82 ui_exceptions_(0), |
| 83 memory_limit_(0), |
83 use_alternate_desktop_(false), | 84 use_alternate_desktop_(false), |
84 use_alternate_winstation_(false), | 85 use_alternate_winstation_(false), |
85 file_system_init_(false), | 86 file_system_init_(false), |
86 relaxed_interceptions_(true), | 87 relaxed_interceptions_(true), |
87 stdout_handle_(INVALID_HANDLE_VALUE), | 88 stdout_handle_(INVALID_HANDLE_VALUE), |
88 stderr_handle_(INVALID_HANDLE_VALUE), | 89 stderr_handle_(INVALID_HANDLE_VALUE), |
89 integrity_level_(INTEGRITY_LEVEL_LAST), | 90 integrity_level_(INTEGRITY_LEVEL_LAST), |
90 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), | 91 delayed_integrity_level_(INTEGRITY_LEVEL_LAST), |
91 mitigations_(0), | 92 mitigations_(0), |
92 delayed_mitigations_(0), | 93 delayed_mitigations_(0), |
(...skipping 70 matching lines...)
163 | 164 |
164 TokenLevel PolicyBase::GetInitialTokenLevel() const { | 165 TokenLevel PolicyBase::GetInitialTokenLevel() const { |
165 return initial_level_; | 166 return initial_level_; |
166 } | 167 } |
167 | 168 |
168 TokenLevel PolicyBase::GetLockdownTokenLevel() const{ | 169 TokenLevel PolicyBase::GetLockdownTokenLevel() const{ |
169 return lockdown_level_; | 170 return lockdown_level_; |
170 } | 171 } |
171 | 172 |
172 ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32 ui_exceptions) { | 173 ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32 ui_exceptions) { |
| 174 if (memory_limit_ && job_level == JOB_NONE) { |
| 175 return SBOX_ERROR_BAD_PARAMS; |
| 176 } |
173 job_level_ = job_level; | 177 job_level_ = job_level; |
174 ui_exceptions_ = ui_exceptions; | 178 ui_exceptions_ = ui_exceptions; |
175 return SBOX_ALL_OK; | 179 return SBOX_ALL_OK; |
176 } | 180 } |
177 | 181 |
| 182 ResultCode PolicyBase::SetJobMemoryLimit(size_t memory_limit) { |
| 183 if (memory_limit && job_level_ == JOB_NONE) { |
| 184 return SBOX_ERROR_BAD_PARAMS; |
| 185 } |
| 186 memory_limit_ = memory_limit; |
| 187 return SBOX_ALL_OK; |
| 188 } |
| 189 |
178 ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) { | 190 ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) { |
179 use_alternate_desktop_ = true; | 191 use_alternate_desktop_ = true; |
180 use_alternate_winstation_ = alternate_winstation; | 192 use_alternate_winstation_ = alternate_winstation; |
181 return CreateAlternateDesktop(alternate_winstation); | 193 return CreateAlternateDesktop(alternate_winstation); |
182 } | 194 } |
183 | 195 |
184 base::string16 PolicyBase::GetAlternateDesktop() const { | 196 base::string16 PolicyBase::GetAlternateDesktop() const { |
185 // No alternate desktop or winstation. Return an empty string. | 197 // No alternate desktop or winstation. Return an empty string. |
186 if (!use_alternate_desktop_ && !use_alternate_winstation_) { | 198 if (!use_alternate_desktop_ && !use_alternate_winstation_) { |
187 return base::string16(); | 199 return base::string16(); |
(...skipping 276 matching lines...)
464 NOTREACHED(); | 476 NOTREACHED(); |
465 return false; | 477 return false; |
466 } | 478 } |
467 return dispatch->SetupService(manager, service); | 479 return dispatch->SetupService(manager, service); |
468 } | 480 } |
469 | 481 |
470 ResultCode PolicyBase::MakeJobObject(HANDLE* job) { | 482 ResultCode PolicyBase::MakeJobObject(HANDLE* job) { |
471 if (job_level_ != JOB_NONE) { | 483 if (job_level_ != JOB_NONE) { |
472 // Create the windows job object. | 484 // Create the windows job object. |
473 Job job_obj; | 485 Job job_obj; |
474 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_); | 486 DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_, |
| 487 memory_limit_); |
475 if (ERROR_SUCCESS != result) { | 488 if (ERROR_SUCCESS != result) { |
476 return SBOX_ERROR_GENERIC; | 489 return SBOX_ERROR_GENERIC; |
477 } | 490 } |
478 *job = job_obj.Detach(); | 491 *job = job_obj.Detach(); |
479 } else { | 492 } else { |
480 *job = NULL; | 493 *job = NULL; |
481 } | 494 } |
482 return SBOX_ALL_OK; | 495 return SBOX_ALL_OK; |
483 } | 496 } |
484 | 497 |
(...skipping 193 matching lines...)
678 | 691 |
679 // Finally, setup imports on the target so the interceptions can work. | 692 // Finally, setup imports on the target so the interceptions can work. |
680 return SetupNtdllImports(target); | 693 return SetupNtdllImports(target); |
681 } | 694 } |
682 | 695 |
683 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { | 696 bool PolicyBase::SetupHandleCloser(TargetProcess* target) { |
684 return handle_closer_.InitializeTargetHandles(target); | 697 return handle_closer_.InitializeTargetHandles(target); |
685 } | 698 } |
686 | 699 |
687 } // namespace sandbox | 700 } // namespace sandbox |
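Review bot: The rule that a memory limit requires a job object is enforced only in the two setters, `SetJobLevel` and `SetJobMemoryLimit`. The `else` branch of `MakeJobObject` still sets `*job = NULL` and returns `SBOX_ALL_OK` without looking at `memory_limit_`, so if any other path ever leaves `job_level_` at `JOB_NONE` with a non-zero limit, the target would start uncapped and the caller would see success. Adding `DCHECK(!memory_limit_);` in that `else` branch would assert the dependency at the point where the limit is actually applied. `SetJobMemoryLimit` would also benefit from a short comment saying that 0 means "no limit" (as the `memory_limit_(0)` default and the `if (memory_limit && ...)` guard imply) and naming the unit of the value, which this file does not show. The `Job::Init` overload that consumes the new fourth argument is outside this page, so how a `size_t` limit is validated or truncated there should be checked separately.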