
Side by Side Diff: content/common/sandbox_policy.cc

Issue 10163013: Fix DXVA2 video decoding which was broken with recent process handle brokering changes (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 8 months ago
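--- a/content/common/sandbox_policy.cc
+++ b/content/common/sandbox_policy.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_policy.h"
 
 #include <string>
 
 #include "base/command_line.h"
 #include "base/debug/debugger.h"
@@ -332,43 +332,42 @@
 sandbox::USER_LIMITED);
 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
 } else {
 if (cmd_line->GetSwitchValueASCII(switches::kUseGL) ==
 gfx::kGLImplementationSwiftShaderName ||
 cmd_line->HasSwitch(switches::kReduceGpuSandbox)) {
 // Swiftshader path.
 policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
 sandbox::USER_LIMITED);
-// UI restrictions break when we access Windows from outside our job.
-// However, we don't want a proxy window in this process because it can
-// introduce deadlocks where the renderer blocks on the gpu, which in
-// turn blocks on the browser UI thread. So, instead we forgo a window
-// message pump entirely and just add job restrictions to prevent child
-// processes.
-policy->SetJobLevel(sandbox::JOB_LIMITED_USER,
-JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
-JOB_OBJECT_UILIMIT_DESKTOP |
-JOB_OBJECT_UILIMIT_EXITWINDOWS |
-JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
 } else {
 // Angle + DirectX path.
 policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
 sandbox::USER_RESTRICTED);
-policy->SetJobLevel(sandbox::JOB_LOCKDOWN,
-JOB_OBJECT_UILIMIT_HANDLES);
 // This is a trick to keep the GPU out of low-integrity processes. It
 // starts at low-integrity for UIPI to work, then drops below
 // low-integrity after warm-up.
 policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
 }
 
+// UI restrictions break when we access Windows from outside our job.
+// However, we don't want a proxy window in this process because it can
+// introduce deadlocks where the renderer blocks on the gpu, which in
+// turn blocks on the browser UI thread. So, instead we forgo a window
+// message pump entirely and just add job restrictions to prevent child
+// processes.
+policy->SetJobLevel(sandbox::JOB_LIMITED_USER,
+JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS |
+JOB_OBJECT_UILIMIT_DESKTOP |
+JOB_OBJECT_UILIMIT_EXITWINDOWS |
+JOB_OBJECT_UILIMIT_DISPLAYSETTINGS);
+
 policy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
 }
 } else {
 policy->SetJobLevel(sandbox::JOB_UNPROTECTED, 0);
 policy->SetTokenLevel(sandbox::USER_UNPROTECTED,
 sandbox::USER_LIMITED);
 }
 
 // Allow the server side of GPU sockets, which are pipes that have
 // the "chrome.gpu" namespace and an arbitrary suffix.
@@ -702,10 +701,10 @@
 }
 
 return false;
 }
 
 bool BrokerAddTargetPeer(HANDLE peer_process) {
 return g_broker_services->AddTargetPeer(peer_process) == sandbox::SBOX_ALL_OK;
 }
 
 } // namespace content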
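Review bot: On the Angle + DirectX path the job level drops from `JOB_LOCKDOWN` to the shared `JOB_LIMITED_USER` call now placed after the inner if/else (new lines 358-362), and nothing in the new code records that this is a deliberate loosening of the GPU process sandbox. The hoisted comment only covers the window/message-pump deadlock concern written for the Swiftshader branch, so a later reader cannot tell why the default path lost its lockdown job. I would add a line above the shared call such as `// Applies to both GL paths: the ANGLE path no longer uses JOB_LOCKDOWN (DXVA2 decode) and relies on the restricted token and untrusted integrity level.`, with the wording confirmed by the author because the exact DXVA2 failure is not visible here. If the second argument of `SetJobLevel` lists UI limits to lift, as the "just add job restrictions to prevent child processes" comment suggests, the four `JOB_OBJECT_UILIMIT_*` flags leave little beyond the process-count limit, which is worth stating in that comment too. The enclosing function starts and ends outside the visible lines.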