Add sandbox support for process memory limits

sandbox/win/src/sandbox_policy_base.cc

Index: sandbox/win/src/sandbox_policy_base.cc
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index 3077604df61a1cdf981b385461a638053337351c..41dc6beabb7f74c5b8550332624592d0a7af7cd8 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -80,6 +80,7 @@ PolicyBase::PolicyBase()
       initial_level_(USER_LOCKDOWN),
       job_level_(JOB_LOCKDOWN),
       ui_exceptions_(0),
+      memory_limit_(0),
       use_alternate_desktop_(false),
       use_alternate_winstation_(false),
       file_system_init_(false),
@@ -170,11 +171,22 @@ TokenLevel PolicyBase::GetLockdownTokenLevel() const{
 }
 
 ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32 ui_exceptions) {
+  if (memory_limit_ && job_level == JOB_NONE) {
+    return SBOX_ERROR_BAD_PARAMS;
+  }
   job_level_ = job_level;
   ui_exceptions_ = ui_exceptions;
   return SBOX_ALL_OK;
 }
 
+ResultCode PolicyBase::SetJobMemoryLimit(size_t memory_limit) {
+  if (memory_limit && job_level_ == JOB_NONE) {
+    return SBOX_ERROR_BAD_PARAMS;
+  }
+  memory_limit_ = memory_limit;
+  return SBOX_ALL_OK;
+}
+
 ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) {
   use_alternate_desktop_ = true;
   use_alternate_winstation_ = alternate_winstation;
@@ -471,7 +483,8 @@ ResultCode PolicyBase::MakeJobObject(HANDLE* job) {
   if (job_level_ != JOB_NONE) {
     // Create the windows job object.
     Job job_obj;
-    DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_);
+    DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_,
+                                memory_limit_);
     if (ERROR_SUCCESS != result) {
       return SBOX_ERROR_GENERIC;
     }