phase1c: add UiJobObject + split UI policy resolution from encoding #291

Merged: MGudgin merged 1 commit into main from user/gudge/downlevel_phase1c on May 12, 2026

Conversation

@MGudgin (Member) commented May 12, 2026

📖 Description

Splits the phase1a ui_policy module into two concerns and introduces the Windows Job Object wrapper that consumes the second one.

The policy layer (crate::ui_policy) stays platform-agnostic. It exposes:

  • EffectiveUiRestrictions, a record of ten booleans naming which UI capabilities the child must be denied.
  • resolve_ui_restrictions(&UiPolicy, &BaseProcessUiConfig) -> EffectiveUiRestrictions, replacing ui_restrictions_bitmask. No windows-crate references; ready for future macOS/Linux consumers.

The UILIMIT_* bare-u64 constants are gone.

The Windows encoding layer (crate::job_object, new) is Windows-only. It exposes:

  • UiJobObject, an RAII wrapper around a Windows Job Object that applies UI restrictions to a child and its descendants. set_ui_limits takes an &EffectiveUiRestrictions directly so callers never deal in raw bits.
  • to_job_object_uilimit_mask(&EffectiveUiRestrictions) -> u32, the encoder. Sources nine of the ten flag bits from the windows crate (Win32::System::JobObjects::JOB_OBJECT_UILIMIT_* for eight, Win32::System::SystemServices::JOB_OBJECT_UILIMIT_IME for IME). The tenth, JOB_OBJECT_UILIMIT_INJECTION, is hand-typed because the windows crate metadata does not include it; if a future release adds it, the local constant can be removed.

Side effects:

  • wxc_common::ui_policy returns to the platform-agnostic section of lib.rs. The Windows-specific encoding moved out, so the module no longer has any OS-specific code.
  • base_container_runner.rs is updated to use the new APIs (encoder's u32 is cast to u64 for the BaseContainer FlatBuffer ui_restrictions field).
  • Enables the Win32_System_JobObjects feature on the workspace windows crate dependency.
  • Drops UiJobObject::handle(); no caller used it and exposing the raw HANDLE was a footgun.

🔗 References

Stacked on top of #290 (phase1b → main).

🔍 Validation

  • cargo test -p wxc_common --lib — 336/336 pass
  • cargo build -p wxc_common clean
  • End-to-end coverage lives in Win25H2Safe-Tests.ps1 in phase5 (held)

@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1b branch 2 times, most recently from bb44689 to 2e7f5cc May 12, 2026 20:51
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1b branch from 2e7f5cc to 793b93a May 12, 2026 21:00
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1c branch from 1a3f242 to 15b40af May 12, 2026 21:06
@MGudgin MGudgin changed the title "phase1c: add UiJobObject RAII wrapper" to "phase1c: add UiJobObject RAII wrapper and source UILIMIT_* from windows crate" May 12, 2026
Base automatically changed from user/gudge/downlevel_phase1b to main May 12, 2026 21:08
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1c branch from 15b40af to 69c3d62 May 12, 2026 21:16
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1c branch from 69c3d62 to 00dbfc9 May 12, 2026 21:32
@MGudgin MGudgin changed the title "phase1c: add UiJobObject RAII wrapper and source UILIMIT_* from windows crate" to "phase1c: add UiJobObject + split UI policy resolution from encoding" May 12, 2026
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1c branch from 00dbfc9 to e58e646 May 12, 2026 21:45
@MGudgin MGudgin force-pushed the user/gudge/downlevel_phase1c branch from e58e646 to dd7e0ce May 12, 2026 22:06
…from encoding

The phase1a `ui_policy` module mixed two concerns: resolving the
cross-platform `UiPolicy` + `BaseProcessUiConfig` into a set of
intended UI restrictions (platform-agnostic logic), and encoding
those restrictions as a Windows `JOB_OBJECT_UILIMIT_*` bitmask
(Windows-specific). This change splits them so the policy layer
stays platform-agnostic and the Windows encoding lives next to the
Job Object that consumes it.

`crate::ui_policy` now exposes:

- `EffectiveUiRestrictions`, a record of ten booleans naming which
  UI capabilities the child must be denied. Platform-agnostic.
- `resolve_ui_restrictions(&UiPolicy, &BaseProcessUiConfig) ->
  EffectiveUiRestrictions`, replacing `ui_restrictions_bitmask`.
- The `UILIMIT_*` bare-`u64` constants are gone.

`crate::job_object` (new, Windows-only) exposes:

- `UiJobObject`, an RAII wrapper around a Windows Job Object used to
  apply UI restrictions to a child process and its descendants.
  `set_ui_limits` takes an `&EffectiveUiRestrictions` directly so
  callers never deal in raw bits.
- `to_job_object_uilimit_mask(&EffectiveUiRestrictions) -> u32`, the
  Windows-specific encoder. Sources nine of the ten flag bits from
  the `windows` crate (`Win32::System::JobObjects::JOB_OBJECT_UILIMIT_*`
  for eight, `Win32::System::SystemServices::JOB_OBJECT_UILIMIT_IME`
  for IME). The tenth, `JOB_OBJECT_UILIMIT_INJECTION`, is hand-typed
  because the `windows` crate metadata does not include it; if a
  future release adds it, the local constant can be removed.

Side effects:

- `wxc_common::ui_policy` returns to the platform-agnostic section
  of `lib.rs`. The Windows-specific encoding moved out, so there is
  no longer any OS-specific code in the module.
- `base_container_runner.rs` is updated to use the new APIs:
  `resolve_ui_restrictions` + `to_job_object_uilimit_mask`, with the
  encoder's `u32` cast to `u64` for the FlatBuffer `ui_restrictions`
  field (which the BaseContainer SandboxSpec schema defines as u64).
- Enables the `Win32_System_JobObjects` feature on the workspace
  `windows` crate dependency.
- Drops `UiJobObject::handle()`; no caller used it and exposing the
  raw HANDLE was a footgun.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
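The resolve/encode split that both the PR description and the commit message describe, as an added example rather than code from the wxc_common project. The `EffectiveUiRestrictions` record, `resolve_ui_restrictions`, and `to_job_object_uilimit_mask` follow the shapes named in the PR; the fields of `UiPolicy` and `BaseProcessUiConfig`, the deny-by-default resolution rule, the `flatbuffer_ui_restrictions` and `has_unknown_bits` helpers, and the bit positions chosen for `JOB_OBJECT_UILIMIT_IME` and `JOB_OBJECT_UILIMIT_INJECTION` are assumptions made for this example (the project takes its constants from the `windows` crate, which this stand-alone code does not depend on). The `UiJobObject` RAII wrapper itself needs a live Windows Job Object and is not reproduced here.

```rust
// Added example, not code from the wxc_common project. It mirrors the split
// the PR describes: `resolve_ui_restrictions` is platform-agnostic and yields
// a record of booleans; `job_object::to_job_object_uilimit_mask` is the only
// place that knows JOB_OBJECT_UILIMIT_* bits. The fields of `UiPolicy` and
// `BaseProcessUiConfig` are this example's assumptions, not the project's.

/// Platform-agnostic record of the ten UI capabilities the child is denied.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub struct EffectiveUiRestrictions {
    pub deny_handles: bool,
    pub deny_read_clipboard: bool,
    pub deny_write_clipboard: bool,
    pub deny_system_parameters: bool,
    pub deny_display_settings: bool,
    pub deny_global_atoms: bool,
    pub deny_desktop: bool,
    pub deny_exit_windows: bool,
    pub deny_ime: bool,
    pub deny_injection: bool,
}

impl EffectiveUiRestrictions {
    /// Deny everything: the baseline every resolution starts from.
    pub const DENY_ALL: Self = Self {
        deny_handles: true, deny_read_clipboard: true, deny_write_clipboard: true,
        deny_system_parameters: true, deny_display_settings: true,
        deny_global_atoms: true, deny_desktop: true, deny_exit_windows: true,
        deny_ime: true, deny_injection: true,
    };
}

/// Hypothetical policy: `lockdown` means the config may not loosen anything.
#[derive(Debug, Clone, Copy, Default)]
pub struct UiPolicy { pub lockdown: bool }

/// Hypothetical per-process config: capabilities the child asks to keep.
#[derive(Debug, Clone, Copy, Default)]
pub struct BaseProcessUiConfig {
    pub needs_clipboard_read: bool, pub needs_clipboard_write: bool, pub needs_ime: bool,
}

/// Resolution: start from deny-all and clear only the denials the config asks
/// for and the policy permits. No Windows types appear here.
pub fn resolve_ui_restrictions(policy: &UiPolicy, cfg: &BaseProcessUiConfig) -> EffectiveUiRestrictions {
    let mut r = EffectiveUiRestrictions::DENY_ALL;
    if !policy.lockdown {
        r.deny_read_clipboard = !cfg.needs_clipboard_read;
        r.deny_write_clipboard = !cfg.needs_clipboard_write;
        r.deny_ime = !cfg.needs_ime;
    }
    r
}

/// Windows-specific encoding layer, standing in for `crate::job_object`.
pub mod job_object {
    use super::EffectiveUiRestrictions;

    // The eight classic flag values as defined in winnt.h; the project takes
    // them from the `windows` crate rather than spelling them out.
    pub const JOB_OBJECT_UILIMIT_HANDLES: u32 = 0x0000_0001;
    pub const JOB_OBJECT_UILIMIT_READCLIPBOARD: u32 = 0x0000_0002;
    pub const JOB_OBJECT_UILIMIT_WRITECLIPBOARD: u32 = 0x0000_0004;
    pub const JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS: u32 = 0x0000_0008;
    pub const JOB_OBJECT_UILIMIT_DISPLAYSETTINGS: u32 = 0x0000_0010;
    pub const JOB_OBJECT_UILIMIT_GLOBALATOMS: u32 = 0x0000_0020;
    pub const JOB_OBJECT_UILIMIT_DESKTOP: u32 = 0x0000_0040;
    pub const JOB_OBJECT_UILIMIT_EXITWINDOWS: u32 = 0x0000_0080;
    // PLACEHOLDER bit positions for this example only; confirm IME and
    // INJECTION against the SDK header before relying on them.
    pub const JOB_OBJECT_UILIMIT_IME: u32 = 0x0000_0100;
    pub const JOB_OBJECT_UILIMIT_INJECTION: u32 = 0x0000_0200;

    /// Every bit this encoder can produce; anything outside it is unknown.
    pub const ALL_KNOWN: u32 = JOB_OBJECT_UILIMIT_HANDLES | JOB_OBJECT_UILIMIT_READCLIPBOARD
        | JOB_OBJECT_UILIMIT_WRITECLIPBOARD | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS
        | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | JOB_OBJECT_UILIMIT_GLOBALATOMS
        | JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_EXITWINDOWS
        | JOB_OBJECT_UILIMIT_IME | JOB_OBJECT_UILIMIT_INJECTION;

    /// Encoder: each denial maps to exactly one bit; a `false` never sets a bit.
    pub fn to_job_object_uilimit_mask(r: &EffectiveUiRestrictions) -> u32 {
        let pairs = [
            (r.deny_handles, JOB_OBJECT_UILIMIT_HANDLES),
            (r.deny_read_clipboard, JOB_OBJECT_UILIMIT_READCLIPBOARD),
            (r.deny_write_clipboard, JOB_OBJECT_UILIMIT_WRITECLIPBOARD),
            (r.deny_system_parameters, JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS),
            (r.deny_display_settings, JOB_OBJECT_UILIMIT_DISPLAYSETTINGS),
            (r.deny_global_atoms, JOB_OBJECT_UILIMIT_GLOBALATOMS),
            (r.deny_desktop, JOB_OBJECT_UILIMIT_DESKTOP),
            (r.deny_exit_windows, JOB_OBJECT_UILIMIT_EXITWINDOWS),
            (r.deny_ime, JOB_OBJECT_UILIMIT_IME),
            (r.deny_injection, JOB_OBJECT_UILIMIT_INJECTION),
        ];
        let mut mask = 0;
        for (deny, bit) in pairs {
            if deny { mask |= bit; }
        }
        mask
    }

    /// Value for the u64 FlatBuffer `ui_restrictions` field: a widening cast,
    /// never a truncation.
    pub fn flatbuffer_ui_restrictions(r: &EffectiveUiRestrictions) -> u64 {
        u64::from(to_job_object_uilimit_mask(r))
    }

    /// Guard for the reverse direction: a mask read back from a spec must not
    /// carry bits this layer does not understand.
    pub fn has_unknown_bits(mask: u64) -> bool {
        mask & !u64::from(ALL_KNOWN) != 0
    }
}
```

The point of keeping the record of booleans as the boundary is that callers of the Job Object wrapper never hand it a raw mask, so there is no way for a stray bit to reach `SetInformationJobObject`; the encoder is the single place to audit, and `has_unknown_bits` is the matching check for any mask that comes back in from serialized state.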
@MGudgin MGudgin merged commit 1b53016 into main May 12, 2026
8 checks passed
@MGudgin MGudgin deleted the user/gudge/downlevel_phase1c branch May 12, 2026 22:34