Add GPU job object restriction

Use the job object to prevent the GPU from spawning child processes on Windows. BUG=None. TEST=None. Review URL: http://codereview.chromium.org/7768004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98677 0039d316-1c4b-4281-b951-d872f2087c98

Add GPU job object restriction
Use the job object to prevent the GPU from spawning child processes on Windows. BUG=None. TEST=None. Review URL: http://codereview.chromium.org/7768004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98677 0039d316-1c4b-4281-b951-d872f2087c98
b65f5281 · jschuh@chromium.org · 8f2ffcec · b65f5281
Commit b65f5281 authored Aug 29, 2011 by jschuh@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 5 deletions

content/common/sandbox_policy.cc content/common/sandbox_policy.cc +17 -5

No files found.
--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -287,17 +287,29 @@ bool AddGenericPolicy(sandbox::TargetPolicy* policy) {
 // TODO(cpu): Lock down the sandbox more if possible.
 // TODO(apatrick): Use D3D9Ex to render windowless.
 bool AddPolicyForGPU(CommandLine* cmd_line, sandbox::TargetPolicy* policy) {
-  policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
-
  if (base::win::GetVersion() > base::win::VERSION_XP) {
    policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
                          sandbox::USER_LIMITED);
    if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
-          gfx::kGLImplementationDesktopName)
-      policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
-    else
+        gfx::kGLImplementationDesktopName) {
+      policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
      policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    } else {
+      // UI restrictions break when we access Windows from outside our job.
+      // However, we don't want a proxy window in this process because it can
+      // introduce deadlocks where the renderer blocks on the gpu, which in
+      // turn blocks on the browser UI thread. So, instead we forgo a window
+      // message pump entirely and just add job restrictions to prevent child
+      // processes.
+      policy->SetJobLevel(sandbox::JOB_LIMITED_USER,
+                          JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
+                          JOB_OBJECT_UILIMIT_DESKTOP |
+                          JOB_OBJECT_UILIMIT_EXITWINDOWS |
+                          JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
+      policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
+    }
  } else {
+    policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
    policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
                          sandbox::USER_LIMITED);
  }