Add sandbox support for process memory limits

sandbox/win/src/broker_services.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/broker_services.h"
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/threading/platform_thread.h"
 #include "base/win/scoped_handle.h"
@@ skipping 119 matching lines @@
 
   if (WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_, 1000)) {
     // Cannot clean broker services.
     NOTREACHED();
     return;
   }
 
   JobTrackerList::iterator it;
   for (it = tracker_list_.begin(); it != tracker_list_.end(); ++it) {
     JobTracker* tracker = (*it);
-    FreeResources(tracker);
+    FreeResources(tracker, SBOX_ALL_OK);
     delete tracker;
   }
   ::CloseHandle(job_thread_);
   delete thread_pool_;
   ::CloseHandle(no_targets_);
 
   // Cancel the wait events and delete remaining peer trackers.
   for (PeerTrackerMap::iterator it = peer_map_.begin();
        it != peer_map_.end(); ++it) {
     DeregisterPeerTracker(it->second);
   }
 
   // If job_port_ isn't NULL, assumes that the lock has been initialized.
   if (job_port_)
     ::DeleteCriticalSection(&lock_);
 }
 
 TargetPolicy* BrokerServicesBase::CreatePolicy() {
   // If you change the type of the object being created here you must also
   // change the downcast to it in SpawnTarget().
   return new PolicyBase;
 }
 
-void BrokerServicesBase::FreeResources(JobTracker* tracker) {
+void BrokerServicesBase::FreeResources(JobTracker* tracker, UINT exit_code) {
   if (NULL != tracker->policy) {
-    BOOL res = ::TerminateJobObject(tracker->job, SBOX_ALL_OK);
+    BOOL res = ::TerminateJobObject(tracker->job, exit_code);
     DCHECK(res);
     // Closing the job causes the target process to be destroyed so this
     // needs to happen before calling OnJobEmpty().
     res = ::CloseHandle(tracker->job);
     DCHECK(res);
     // In OnJobEmpty() we don't actually use the job handle directly.
     tracker->policy->OnJobEmpty(tracker->job);
     tracker->policy->Release();
     tracker->policy = NULL;
   }
@@ skipping 32 matching lines @@
       // that jobs can send and some of them depend on the job attributes set.
       JobTracker* tracker = reinterpret_cast<JobTracker*>(key);
 
       switch (events) {
         case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO: {
           // The job object has signaled that the last process associated
           // with it has terminated. Assuming there is no way for a process
           // to appear out of thin air in this job, it safe to assume that
           // we can tell the policy to destroy the target object, and for
           // us to release our reference to the policy object.
-          FreeResources(tracker);
+          FreeResources(tracker, SBOX_ALL_OK);
           break;
         }
 
         case JOB_OBJECT_MSG_NEW_PROCESS: {
           ++target_counter;
           if (1 == target_counter) {
             ::ResetEvent(no_targets);
           }
           break;
         }
 
         case JOB_OBJECT_MSG_EXIT_PROCESS:
         case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: {
           {
             AutoLock lock(&broker->lock_);
             broker->child_process_ids_.erase(reinterpret_cast<DWORD>(ovl));
           }
           --target_counter;
           if (0 == target_counter)
             ::SetEvent(no_targets);
 
           DCHECK(target_counter >= 0);
           break;
         }
 
         case JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT: {
           break;
         }
 
+        case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT: {
+          if(tracker->policy->WillTerminateOnJobMemoryLimit())
+            FreeResources(tracker, SBOX_FATAL_MEMORY_EXCEEDED);

[cpu_(ooo_6.6-7.5), 2014/06/06 19:44:05]

The code seems structured such that FreeResources() is only called once, that is
don't we also get JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO after this?

[jschuh, 2014/06/06 20:13:14]

Calling FreeResources here terminates the process without generating another
JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO event. That seemed cleaner than terminating
the process and then firing the event and doing the cleanup in another handler.

+          break;
+        }
+
         default: {
           NOTREACHED();
           break;
         }
       }
     } else if (THREAD_CTRL_REMOVE_PEER == key) {
       // Remove a process from our list of peers.
       AutoLock lock(&broker->lock_);
       PeerTrackerMap::iterator it =
           broker->peer_map_.find(reinterpret_cast<DWORD>(ovl));
@@ skipping 242 matching lines @@
     return SBOX_ERROR_UNSUPPORTED;
 
   base::string16 name = LookupAppContainer(sid);
   if (name.empty())
     return SBOX_ERROR_INVALID_APP_CONTAINER;
 
   return DeleteAppContainer(sid);
 }
 
 }  // namespace sandbox