-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy patha8b22597cdd1dab5ea1d371e5b531cf66ff56ba0.diff
90 lines (79 loc) · 3.28 KB
/
a8b22597cdd1dab5ea1d371e5b531cf66ff56ba0.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index 1458fe3f435b8..c79a59e402071 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -82,6 +82,7 @@ struct JobTracker {
// As if TerminateProcess() was called for all associated processes.
// Handles are still valid.
::TerminateJobObject(policy->GetJobHandle(), sandbox::SBOX_ALL_OK);
+ policy->OnJobEmpty();
}
std::unique_ptr<sandbox::PolicyBase> policy;
diff --git a/sandbox/win/src/sandbox_policy_base.cc b/sandbox/win/src/sandbox_policy_base.cc
index 49fef2131060e..8845164b49e06 100644
--- a/sandbox/win/src/sandbox_policy_base.cc
+++ b/sandbox/win/src/sandbox_policy_base.cc
@@ -466,11 +466,7 @@ PolicyBase::PolicyBase(std::string_view tag)
dispatcher_(nullptr),
job_() {}
-PolicyBase::~PolicyBase() {
- // Ensure this is cleared before other members - this terminates the process
- // if it hasn't already finished.
- target_.reset();
-}
+PolicyBase::~PolicyBase() {}
TargetConfig* PolicyBase::GetConfig() {
return config();
@@ -698,6 +694,18 @@ ResultCode PolicyBase::ApplyToTarget(std::unique_ptr<TargetProcess> target) {
return SBOX_ALL_OK;
}
+// Can only be called if a job was associated with this policy.
+bool PolicyBase::OnJobEmpty() {
+ target_.reset();
+ return true;
+}
+
+bool PolicyBase::OnProcessFinished(DWORD process_id) {
+ if (target_->ProcessId() == process_id)
+ target_.reset();
+ return true;
+}
+
EvalResult PolicyBase::EvalPolicy(IpcTag service,
CountedParameterSetBase* params) {
PolicyGlobal* policy = config()->policy();
diff --git a/sandbox/win/src/sandbox_policy_base.h b/sandbox/win/src/sandbox_policy_base.h
index 6b4a9ec20f348..eec7a9a05aefb 100644
--- a/sandbox/win/src/sandbox_policy_base.h
+++ b/sandbox/win/src/sandbox_policy_base.h
@@ -196,6 +196,14 @@ class PolicyBase final : public TargetPolicy {
// call to TargetProcess::Init() is issued.
ResultCode ApplyToTarget(std::unique_ptr<TargetProcess> target);
+ // Called when there are no more active processes in the policy's Job.
+ // If a process is not in a job, call OnProcessFinished().
+ bool OnJobEmpty();
+
+ // Called when a process no longer needs to be tracked. Processes in jobs
+ // should be notified via OnJobEmpty instead.
+ bool OnProcessFinished(DWORD process_id);
+
EvalResult EvalPolicy(IpcTag service, CountedParameterSetBase* params);
HANDLE GetStdoutHandle();
@@ -234,6 +242,8 @@ class PolicyBase final : public TargetPolicy {
// Returns nullopt if no data has been set, or a view into the data.
std::optional<base::span<const uint8_t>> delegate_data_span();
+ // The policy takes ownership of a target as it is applied to it.
+ std::unique_ptr<TargetProcess> target_;
// The user-defined global policy settings.
HANDLE stdout_handle_;
HANDLE stderr_handle_;
@@ -246,10 +256,8 @@ class PolicyBase final : public TargetPolicy {
// This list contains handles other than the stderr/stdout handles which are
// shared with the target at times.
base::HandlesToInheritVector handles_to_share_;
- Job job_;
- // The policy takes ownership of a target as it is applied to it.
- std::unique_ptr<TargetProcess> target_;
+ Job job_;
};
} // namespace sandbox