Page 1 of 1
Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 2:35 amby rcdrone
The OBS project is trying to implement the new Windows 10 window capture, but it fails when running as admin alongside CEF because they pass NULL sandbox info into CefInitialize. This results in Chromium using MITIGATION_HARDEN_TOKEN_IL_POLICY, which eventually leads to capture failure.
I am able to work around this by linking cef_sandbox.lib and using CefScopedSandboxInfo, but linking against cef_sandbox.lib is not something the OBS project wants to do if they can help it.
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 10:39 amby magreenblatt
You should also set CefSettings.no_sandbox (or pass the `--no-sandbox` command-line flag) when disabling the sandbox.
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 2:44 pmby rcdrone
no_sandbox was already set to true. This is the relevant code block from CefContext::Initialize
sandbox::SandboxInterfaceInfo sandbox_info = {0};
if (windows_sandbox_info == nullptr) {
content::InitializeSandboxInfo(&sandbox_info); // bad for OBS
windows_sandbox_info = &sandbox_info;
settings_.no_sandbox = true;
}
This is the Chromium implementation of content::InitializeSandboxInfo:
void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
info->broker_services = sandbox::SandboxFactory::GetBrokerServices();
if (!info->broker_services) {
info->target_services = sandbox::SandboxFactory::GetTargetServices();
} else {
// Ensure the proper mitigations are enforced for the browser process.
sandbox::ApplyProcessMitigationsToCurrentProcess(
sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
// Note: these mitigations are "post-startup". Some mitigations that need
// to be enabled sooner (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are done
// so in Chrome_ELF.
}
}
MITIGATION_HARDEN_TOKEN_IL_POLICY is bad for OBS. The CEF version of InitializeSandboxInfo works better for us, but cef_sandbox.lib is proving problematic to build and link against.
void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
info->broker_services = sandbox::SandboxFactory::GetBrokerServices();
if (!info->broker_services) {
info->target_services = sandbox::SandboxFactory::GetTargetServices();
} else {
// Ensure the proper mitigations are enforced for the browser process.
sandbox::ApplyProcessMitigationsToCurrentProcess(
sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK);
}
}
The current solution they have arrived on is to pass uintptr_t[32]{} as windows_sandbox_info, which I am not a fan of.
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 3:55 pmby magreenblatt
The CEF implementation of InitializeSandboxInfo should match the Chromium implementation. Beyond that, it probably doesn't make sense to apply any mitigations for CEF clients if the sandbox is disabled.
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 4:15 pmby rcdrone
Can you provide a way to call CefInitialize without calling ApplyProcessMitigationsToCurrentProcess?
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Wed Mar 04, 2020 4:17 pmby magreenblatt
rcdrone wrote:Can you provide a way to call CefInitialize without calling ApplyProcessMitigationsToCurrentProcess?
You're welcome to do so, and submit a PR.
Re: Passing null for sandbox results in harsh sandboxing
Posted:
Thu Mar 05, 2020 3:16 amby rcdrone
I don't want to submit a PR until the change has been tested, but it does exist:
https://bitbucket.org/rcdrone/cef/commi ... e412da514bI'm just waiting to see if one of the OBS volunteers can make a CEF build with my change to make sure it works.