diff -r 000000000000 -r 6474c204b198 security/sandbox/win/src/job.cc --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/sandbox/win/src/job.cc Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,116 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "sandbox/win/src/job.h" + +#include "base/win/windows_version.h" +#include "sandbox/win/src/restricted_token.h" + +namespace sandbox { + +Job::~Job() { + if (job_handle_) + ::CloseHandle(job_handle_); +}; + +DWORD Job::Init(JobLevel security_level, wchar_t *job_name, + DWORD ui_exceptions) { + if (job_handle_) + return ERROR_ALREADY_INITIALIZED; + + job_handle_ = ::CreateJobObject(NULL, // No security attribute + job_name); + if (!job_handle_) + return ::GetLastError(); + + JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {0}; + JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {0}; + + // Set the settings for the different security levels. Note: The higher levels + // inherit from the lower levels. + switch (security_level) { + case JOB_LOCKDOWN: { + jeli.BasicLimitInformation.LimitFlags |= + JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION; + } + case JOB_RESTRICTED: { + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD; + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD; + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES; + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS; + } + case JOB_LIMITED_USER: { + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS; + jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS; + jeli.BasicLimitInformation.ActiveProcessLimit = 1; + } + case JOB_INTERACTIVE: { + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS; + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP; + jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS; + } + case JOB_UNPROTECTED: { + // The JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE flag is not supported on + // Windows 2000. We need a mechanism on Windows 2000 to ensure + // that processes in the job are terminated when the job is closed + if (base::win::GetVersion() == base::win::VERSION_PRE_XP) + break; + + jeli.BasicLimitInformation.LimitFlags |= + JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE; + break; + } + default: { + return ERROR_BAD_ARGUMENTS; + } + } + + if (FALSE == ::SetInformationJobObject(job_handle_, + JobObjectExtendedLimitInformation, + &jeli, + sizeof(jeli))) { + return ::GetLastError(); + } + + jbur.UIRestrictionsClass = jbur.UIRestrictionsClass & (~ui_exceptions); + if (FALSE == ::SetInformationJobObject(job_handle_, + JobObjectBasicUIRestrictions, + &jbur, + sizeof(jbur))) { + return ::GetLastError(); + } + + return ERROR_SUCCESS; +} + +DWORD Job::UserHandleGrantAccess(HANDLE handle) { + if (!job_handle_) + return ERROR_NO_DATA; + + if (!::UserHandleGrantAccess(handle, + job_handle_, + TRUE)) { // Access allowed. + return ::GetLastError(); + } + + return ERROR_SUCCESS; +} + +HANDLE Job::Detach() { + HANDLE handle_temp = job_handle_; + job_handle_ = NULL; + return handle_temp; +} + +DWORD Job::AssignProcessToJob(HANDLE process_handle) { + if (!job_handle_) + return ERROR_NO_DATA; + + if (FALSE == ::AssignProcessToJobObject(job_handle_, process_handle)) + return ::GetLastError(); + + return ERROR_SUCCESS; +} + +} // namespace sandbox