Reduce active process limit to zero in jobs

The active process limit is only checked on process creation so can safely be dropped to zero. This prevents reuse of the process handle to launch another process in the job after the contained process has terminated. Tested by existing tests. Bug: 1050359 Change-Id: I803ca74e6a654b46484a945925085e4444a1df07 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308174Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#790622}

Reduce active process limit to zero in jobs
The active process limit is only checked on process creation so can safely be dropped to zero. This prevents reuse of the process handle to launch another process in the job after the contained process has terminated. Tested by existing tests. Bug: 1050359 Change-Id: I803ca74e6a654b46484a945925085e4444a1df07 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2308174Reviewed-by: Will Harris <wfh@chromium.org> Commit-Queue: Alex Gough <ajgo@chromium.org> Cr-Commit-Position: refs/heads/master@{#790622}
d611d075 · Alex Gough · Commit Bot · 4ca3f22c · d611d075 · d611d075
Commit d611d075 authored Jul 22, 2020 by Alex Gough Committed by Commit Bot Jul 22, 2020
7 changed files
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -584,6 +584,17 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
    return result;
  }
+  if (job.IsValid() && policy_base->GetJobLevel() <= JOB_LIMITED_USER) {
+    // Restrict the job from containing any processes. Job restrictions
+    // are only applied at process creation, so the target process is
+    // unaffected.
+    result = policy_base->DropActiveProcessLimit(&job);
+    if (result != SBOX_ALL_OK) {
+      target->Terminate();
+      return result;
+    }
+  }
  if (lowbox_token.IsValid()) {
    *last_warning = target->AssignLowBoxToken(lowbox_token);
    // If this fails we continue, but report the error as a warning.

--- a/sandbox/win/src/job.cc
+++ b/sandbox/win/src/job.cc
@@ -114,4 +114,25 @@ DWORD Job::AssignProcessToJob(HANDLE process_handle) {
  return ERROR_SUCCESS;
 }
+// static
+DWORD Job::SetActiveProcessLimit(base::win::ScopedHandle* job_handle,
+                                 DWORD processes) {
+  JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};
+  if (!::QueryInformationJobObject(job_handle->Get(),
+                                   JobObjectExtendedLimitInformation, &jeli,
+                                   sizeof(jeli), nullptr))
+    return ::GetLastError();
+  jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
+  jeli.BasicLimitInformation.ActiveProcessLimit = processes;
+  if (!::SetInformationJobObject(job_handle->Get(),
+                                 JobObjectExtendedLimitInformation, &jeli,
+                                 sizeof(jeli)))
+    return ::GetLastError();
+  return ERROR_SUCCESS;
+}
 }  // namespace sandbox
--- a/sandbox/win/src/job.h
+++ b/sandbox/win/src/job.h
@@ -54,6 +54,10 @@ class Job {
  // If the object is not yet initialized, it returns an invalid handle.
  base::win::ScopedHandle Take();
+  // Updates the active process limit for |job_handle|.
+  static DWORD SetActiveProcessLimit(base::win::ScopedHandle* job_handle,
+                                     DWORD processes);
 private:
  // Handle to the job referenced by the object.
  base::win::ScopedHandle job_handle_;

--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -414,6 +414,16 @@ ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) {
  return SBOX_ALL_OK;
 }
+ResultCode PolicyBase::DropActiveProcessLimit(base::win::ScopedHandle* job) {
+  if (job_level_ >= JOB_INTERACTIVE)
+    return SBOX_ALL_OK;
+  if (ERROR_SUCCESS != Job::SetActiveProcessLimit(job, 0))
+    return SBOX_ERROR_CANNOT_UPDATE_JOB_PROCESS_LIMIT;
+  return SBOX_ALL_OK;
+}
 ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
                                  base::win::ScopedHandle* lockdown,
                                  base::win::ScopedHandle* lowbox) {

--- a/sandbox/win/src/sandbox_policy_base.h
+++ b/sandbox/win/src/sandbox_policy_base.h
@@ -90,6 +90,10 @@ class PolicyBase final : public TargetPolicy {
  // SetJobLevel().
  ResultCode MakeJobObject(base::win::ScopedHandle* job);
+  // Updates the active process limit on the job to zero. Has no effect
+  // if the job is allowed to spawn processes.
+  ResultCode DropActiveProcessLimit(base::win::ScopedHandle* job);
  // Creates the two tokens with the levels specified in a previous call to
  // SetTokenLevel(). Also creates a lowbox token if specified based on the
  // lowbox SID.

--- a/sandbox/win/src/sandbox_types.h
+++ b/sandbox/win/src/sandbox_types.h
@@ -139,6 +139,8 @@ enum ResultCode : int {
  SBOX_ERROR_INVALID_WRITE_VARIABLE_SIZE = 58,
  // Cannot initialize BrokerServices.
  SBOX_ERROR_CANNOT_INIT_BROKERSERVICES = 59,
+  // Cannot update job active process limit.
+  SBOX_ERROR_CANNOT_UPDATE_JOB_PROCESS_LIMIT = 60,
  // Placeholder for last item of the enum.
  SBOX_ERROR_LAST
 };

--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -38685,6 +38685,7 @@ Called by update_gpu_driver_bug_workaround_entries.py.-->
  <int value="57" label="SBOX_ERROR_CANNOT_WRITE_VARIABLE_VALUE"/>
  <int value="58" label="SBOX_ERROR_INVALID_WRITE_VARIABLE_SIZE"/>
  <int value="59" label="SBOX_ERROR_CANNOT_INIT_BROKERSERVICES"/>
+  <int value="60" label="SBOX_ERROR_CANNOT_UPDATE_JOB_PROCESS_LIMIT"/>
  <int value="1002" label="LAUNCH_RESULT_SUCCESS"/>
  <int value="1003" label="LAUNCH_RESULT_FAILURE"/>
 </enum>