Placing a Process in a Job

Previous page
Table of content
Next page
[Previous] [Next]

OK, that's it for setting and querying restrictions. Now let's get back to my StartRestrictedProcess function. After I place some restrictions on the job, I spawn the process that I intend to place in the job by calling CreateProcess. However, notice that I use the CREATE_SUSPENDED flag when calling CreateProcess. This creates the new process but doesn't allow it to execute any code. Since the StartRestrictedProcess function is being executed from a process that is not part of a job, the child process will also not be part of a job. If I were to allow the child process to immediately start executing code, it would run out of my sandbox and could successfully do things that I want to restrict it from doing. So after I create the child process and before I allow it to start running, I must explicitly place the process in my newly created job by calling the following:

 BOOL AssignProcessToJobObject( HANDLE hJob, HANDLE hProcess);

This function tells the system to treat the process (identified by hProcess) as part of an existing job (identified by hJob). Note that this function allows only a process that is not assigned to any job to be assigned to a job. Once a process is part of a job, it cannot be moved to another job and it cannot become jobless (so to speak). Also note that when a process that is part of job spawns another process, the new process is automatically made part of the parent's job. However, you can alter this behavior in the following ways:

  • Turn on the JOB_OBJECT_BREAKAWAY_OK flag in JOBOBJECT_BASIC_LIMIT_INFORMATION's LimitFlags member to tell the system that a newly spawned process can execute outside the job. To make this happen, you must call CreateProcess with the new CREATE_BREAKAWAY_FROM_JOB flag. If you call CreateProcess with the CREATE_BREAKAWAY_FROM_JOB flag but the job does not have the JOB_OBJECT_BREAKAWAY_OK limit flag turned on, CreateProcess fails. This mechanism is useful if the newly spawned process also controls jobs.

  • Turn on the JOB_OBJECT_SILENT_BREAKAWAY_OK flag in the JOBOBJECT_BASIC_LIMIT_INFORMATION's LimitFlags member. This flag also tells the system that newly spawned processes should not be part of the job. However, there is no need to pass any additional flags to CreateProcess. In fact, this flag forces new processes to not be part of the job. This flag is useful for processes that were originally designed knowing nothing about job objects.

As for my StartRestrictedProcess function, after I call AssignProcessToJobObject, my new process is part of my restricted job. I then call ResumeThread so that the process's thread can execute code under the job's restrictions. At this point, I also close the handle to the thread since I no longer need it.


Previous page
Table of content
Next page
Programming Applications for Microsoft Windows
Programming Applications for Microsoft Windows (Microsoft Programming Series)
ISBN: 1572319968
EAN: 2147483647
Year: 1999
Pages: 193
Authors: Jeffrey Richter
BUY ON AMAZON
Absolute Beginner[ap]s Guide to Project Management
The .NET Developers Guide to Directory Services Programming
Systematic Software Testing (Artech House Computer Library)
Cisco CallManager Fundamentals (2nd Edition)
Mapping Hacks: Tips & Tools for Electronic Cartography
GDI+ Programming with C#
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy