1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "sandbox/src/job.h"
#include "sandbox/src/restricted_token.h"
namespace sandbox {
Job::~Job() {
if (job_handle_)
::CloseHandle(job_handle_);
};
DWORD Job::Init(JobLevel security_level, wchar_t *job_name,
DWORD ui_exceptions) {
if (job_handle_)
return ERROR_ALREADY_INITIALIZED;
job_handle_ = ::CreateJobObject(NULL, // No security attribute
job_name);
if (!job_handle_)
return ::GetLastError();
JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {0};
JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {0};
// Set the settings for the different security levels. Note: The higher levels
// inherit from the lower levels.
switch (security_level) {
case JOB_LOCKDOWN: {
jeli.BasicLimitInformation.LimitFlags |=
JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
}
case JOB_RESTRICTED: {
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD;
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES;
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
}
case JOB_LIMITED_USER: {
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
jeli.BasicLimitInformation.ActiveProcessLimit = 1;
}
case JOB_INTERACTIVE: {
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP;
jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS;
}
case JOB_UNPROTECTED: {
OSVERSIONINFO version_info = {0};
version_info.dwOSVersionInfoSize = sizeof(version_info);
GetVersionEx(&version_info);
// The JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE flag is not supported on
// Windows 2000. We need a mechanism on Windows 2000 to ensure
// that processes in the job are terminated when the job is closed
if ((5 == version_info.dwMajorVersion) &&
(0 == version_info.dwMinorVersion)) {
break;
}
jeli.BasicLimitInformation.LimitFlags |=
JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
break;
}
default: {
return ERROR_BAD_ARGUMENTS;
}
}
if (FALSE == ::SetInformationJobObject(job_handle_,
JobObjectExtendedLimitInformation,
&jeli,
sizeof(jeli))) {
return ::GetLastError();
}
jbur.UIRestrictionsClass = jbur.UIRestrictionsClass & (~ui_exceptions);
if (FALSE == ::SetInformationJobObject(job_handle_,
JobObjectBasicUIRestrictions,
&jbur,
sizeof(jbur))) {
return ::GetLastError();
}
return ERROR_SUCCESS;
}
DWORD Job::UserHandleGrantAccess(HANDLE handle) {
if (!job_handle_)
return ERROR_NO_DATA;
if (!::UserHandleGrantAccess(handle,
job_handle_,
TRUE)) { // Access allowed.
return ::GetLastError();
}
return ERROR_SUCCESS;
}
HANDLE Job::Detach() {
HANDLE handle_temp = job_handle_;
job_handle_ = NULL;
return handle_temp;
}
DWORD Job::AssignProcessToJob(HANDLE process_handle) {
if (!job_handle_)
return ERROR_NO_DATA;
if (FALSE == ::AssignProcessToJobObject(job_handle_, process_handle))
return ::GetLastError();
return ERROR_SUCCESS;
}
} // namespace sandbox
|