Chromium 沙盒Sandbox源码介绍（2）

本篇主要说下沙箱的job：

一、JobLevel

// The Job level specifies a set of decreasing security profiles for the
// Job object that the target process will be placed into.
// This table summarizes the security associated with each level:
//
//  JobLevel        |General                            |Quota               |
//                  |restrictions                       |restrictions        |
// -----------------|---------------------------------- |--------------------|
// kUnprotected     | None                              | *Kill on Job close.|
// -----------------|---------------------------------- |--------------------|
// kInteractive     | *Forbid system-wide changes using |                    |
//                  |  SystemParametersInfo().          | *Kill on Job close.|
//                  | *Forbid the creation/switch of    |                    |
//                  |  Desktops.                        |                    |
//                  | *Forbids calls to ExitWindows().  |                    |
// -----------------|---------------------------------- |--------------------|
// kLimitedUser     | Same as kInteractive plus:        | *One active process|
//                  | *Forbid changes to the display    |  limit.            |
//                  |  settings.                        | *Kill on Job close.|
// -----------------|---------------------------------- |--------------------|
// kLockdown        | Same as kLimitedUser plus:        | *One active process|
//                  | * No read/write to the clipboard. |  limit.            |
//                  | * No access to User Handles that  | *Kill on Job close.|
//                  |   belong to other processes.      | *Kill on unhandled |
//                  | * Forbid message broadcasts.      |  exception.        |
//                  | * Forbid setting global hooks.    |                    |
//                  | * No access to the global atoms   |                    |
//                  |   table.                          |                    |
// -----------------|-----------------------------------|--------------------|
//
// In the context of the above table, 'user handles' refers to the handles of
// windows, bitmaps, menus, etc. Files, treads and registry handles are kernel
// handles and are not affected by the job level settings.
enum class JobLevel { kLockdown = 0, kLimitedUser, kInteractive, kUnprotected };

二、job策略实现：

sandbox\win\src\job.h

sandbox\win\src\job.cc

例子：

//   Job job;

//   job.Init(JobLevel::kLockdown, 0, 0);

namespace sandbox {

Job::Job() = default;
Job::~Job() = default;

DWORD Job::Init(JobLevel security_level,
                DWORD ui_exceptions,
                size_t memory_limit) {
  if (job_handle_.is_valid())
    return ERROR_ALREADY_INITIALIZED;

  job_handle_.Set(::CreateJobObject(nullptr, nullptr));
  if (!job_handle_.is_valid())
    return ::GetLastError();

  JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};
  JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {};

  // Set the settings for the different security levels. Note: The higher levels
  // inherit from the lower levels.
  switch (security_level) {
    case JobLevel::kLockdown: {
      jeli.BasicLimitInformation.LimitFlags |=
          JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
      [[fallthrough]];
    }
    case JobLevel::kLimitedUser: {
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
      jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
      jeli.BasicLimitInformation.ActiveProcessLimit = 1;
      [[fallthrough]];
    }
    case JobLevel::kInteractive: {
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP;
      jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS;
      [[fallthrough]];
    }
    case JobLevel::kUnprotected: {
      if (memory_limit) {
        jeli.BasicLimitInformation.LimitFlags |=
            JOB_OBJECT_LIMIT_PROCESS_MEMORY;
        jeli.ProcessMemoryLimit = memory_limit;
      }

      jeli.BasicLimitInformation.LimitFlags |=
          JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
      break;
    }
  }

  if (!::SetInformationJobObject(job_handle_.Get(),
                                 JobObjectExtendedLimitInformation, &jeli,
                                 sizeof(jeli))) {
    return ::GetLastError();
  }

  jbur.UIRestrictionsClass = jbur.UIRestrictionsClass & (~ui_exceptions);
  if (!::SetInformationJobObject(job_handle_.Get(),
                                 JobObjectBasicUIRestrictions, &jbur,
                                 sizeof(jbur))) {
    return ::GetLastError();
  }

  return ERROR_SUCCESS;
}

bool Job::IsValid() {
  return job_handle_.is_valid();
}

HANDLE Job::GetHandle() {
  return job_handle_.get();
}

DWORD Job::SetActiveProcessLimit(DWORD processes) {
  JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};

  if (!job_handle_.is_valid())
    return ERROR_NO_DATA;

  if (!::QueryInformationJobObject(job_handle_.get(),
                                   JobObjectExtendedLimitInformation, &jeli,
                                   sizeof(jeli), nullptr)) {
    return ::GetLastError();
  }
  jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
  jeli.BasicLimitInformation.ActiveProcessLimit = processes;

  if (!::SetInformationJobObject(job_handle_.get(),
                                 JobObjectExtendedLimitInformation, &jeli,
                                 sizeof(jeli))) {
    return ::GetLastError();
  }

  return ERROR_SUCCESS;
}

}  // namespace sandbox

三、初始化job流程:

   1、使用CrateJobObject函数，创建一个作业

   2、使用SetInformationJobObject函数，为作业添加限制条件。

  BOOL SetInformationJobObject(
  [in] HANDLE             hJob,
  [in] JOBOBJECTINFOCLASS JobObjectInformationClass,
  [in] LPVOID             lpJobObjectInformation,
  [in] DWORD              cbJobObjectInformationLength
);

更多参考：SetInformationJobObject 函数 (jobapi2.h) - Win32 apps | Microsoft Learn

3、设置作业限制内容：

  JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};【定义见 “附”】

  JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {}; 【定义见 “附”】

SetInformationJobObject(job_handle_.Get(),

                                 JobObjectExtendedLimitInformation, &jeli,

                                 sizeof(jeli))；//包含作业对象的基本限制信

::SetInformationJobObject(job_handle_.Get(),

                                 JobObjectBasicUIRestrictions, &jbur,

                                 sizeof(jbur)) ；//包含作业对象的基本用户界面限制。

这样根据策略规则设置好job即可，应用到进程创建：

四、附：

  1）、JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {}; //包含作业对象的基本限制信息。

typedef struct _JOBOBJECT_BASIC_LIMIT_INFORMATION {
  LARGE_INTEGER PerProcessUserTimeLimit;
  LARGE_INTEGER PerJobUserTimeLimit;
  DWORD         LimitFlags;
  SIZE_T        MinimumWorkingSetSize;
  SIZE_T        MaximumWorkingSetSize;
  DWORD         ActiveProcessLimit;
  ULONG_PTR     Affinity;
  DWORD         PriorityClass;
  DWORD         SchedulingClass;
} JOBOBJECT_BASIC_LIMIT_INFORMATION, *PJOBOBJECT_BASIC_LIMIT_INFORMATION;

 更多参考：​​​​​​JOBOBJECT_BASIC_LIMIT_INFORMATION (winnt.h) - Win32 apps | Microsoft Learn

  2）、JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {}; //包含作业对象的基本用户界面限制。

typedef struct _JOBOBJECT_BASIC_UI_RESTRICTIONS {
  DWORD UIRestrictionsClass;
} JOBOBJECT_BASIC_UI_RESTRICTIONS, *PJOBOBJECT_BASIC_UI_RESTRICTIONS;

更多参考：JOBOBJECT_BASIC_UI_RESTRICTIONS (winnt.h) - Win32 apps | Microsoft Learn 

五、看下浏览器进程的作业情况截图：

 1、net进程收沙箱控制有job限制：

2、主进程不受沙箱控制无job限制：

3、GPU进程受沙箱控制有job限制： 

 限制了 进程内存 激活进程权限

4、storage service进程受沙箱job限制：

限制了 桌面 激活进程 内存大小 退出系统 读写剪切板 管理员权限等内容。

5、备用渲染进程受沙箱job限制： 

限制了 桌面 激活进程 内存大小 退出系统 读写剪切板 管理员权限等内容。

6、新标签进程受沙箱job限制：

限制了 桌面 激活进程 内存大小 退出系统 读写剪切板 管理员权限等内容。

7、辅助框架进程受沙箱job限制：

限制了 桌面 激活进程 内存大小 退出系统 读写剪切板 管理员权限等内容。

六、总结： 

     主要是利用SetInformationJobObject设置作业对象的基本限制信和作业对象的基本用户界面限制。最后在创建进程的时候将作业信息与子进程绑定。