Force process to be sandboxed

Ideas for enhancements to the software
Post Reply
is_m00nbl00d_

Force process to be sandboxed

Post by is_m00nbl00d_ » Thu Apr 14, 2011 10:31 pm

I don't think this had been talked about before. I didn't know which keyword to look for, to be honest.

What I'd like to suggest is the following. I'll explain by steps, and by giving an example.

1. I have my web browser forced to run in a sandbox;
2. I run the web browser outside of its sandbox;
3. I download a PDF file (example) and open it within the web browser;
4. I want the PDF file reader to be open in its own sandbox and not outside Sandboxie, as it happens.

Mike
Posts: 592
Joined: Mon Nov 16, 2009 1:27 pm

Post by Mike » Thu Apr 14, 2011 11:02 pm

If you're talking about a forced .pdf reader, then I believe that's actually how Disable Forced Programs used to work. Looks like the current behavior, which matches Run Outside Sandbox, was introduced in 3.44:
Changelog wrote:When Disable Forced Programs is used to start some forced program X outside the supervision of Sandboxie, then any other forced programs started by that program X will also start outside the supervision of Sandboxie.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Fri Apr 15, 2011 5:53 am

I don't see how this feature request is different than one posted not too long ago.

http://www.sandboxie.com/phpbb/viewtopic.php?t=9853

What is the point of this topic?
tzuk

_is_m00nbl00d

Post by _is_m00nbl00d » Fri Apr 15, 2011 11:24 am

tzuk wrote:I don't see how this feature request is different than one posted not too long ago.

http://www.sandboxie.com/phpbb/viewtopic.php?t=9853

What is the point of this topic?
They're completely unrelated.

I just find it stupid that Sandboxie won't sandbox the PDF reader in its sandbox, if initiated by an unsandboxed process (which is forced to its own sandbox).

So, I wonder if Sandboxie can't be aware that the process belonging to the PDF reader is being forced to run in a sandbox, and if yes, then force it to run in its sandbox?

If I start my web browser (forced to a sandbox) unsandboxed, and then I download a PDF file (example), and I open it from within the web browser, then I'd expect the PDF reader to be forced to run in its sandbox, not outside of it. I believe Sandboxie should be aware of such situation. The same way if I open a mp3 file from within the web browser (unsandboxed at a given moment), I'd expect the media player to start in its sandbox, and not outside, etc.

Or, is it something that cannot be done?

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sat Apr 16, 2011 1:22 pm

I don't see how this isn't a repeat of the last topic. I don't know why you say completely unrelated -- to me it looks like the same. Please re-read the second paragraph of my first comment in that topic.
tzuk

_is_m00nbl00d_

Post by _is_m00nbl00d_ » Sat Apr 16, 2011 5:14 pm

tzuk wrote:I don't see how this isn't a repeat of the last topic. I don't know why you say completely unrelated -- to me it looks like the same. Please re-read the second paragraph of my first comment in that topic.
The paragraph is the following:
tzuk wrote:As for clicking documents/programs in a sandbox folder but actually opening them in another sandbox, I don't think I will offer this feature directly. But there have been requests to be able to specify a list of programs to be excluded from running in a sandbox. So you when that feature is available you may be able to specify WINWORD.EXE as excluded in one sandbox, and as a forced program in another sandbox.
I'm not talking about excluding a program/list of programs from running in a sandbox. I'm talking about that, when I run my web browser unsandboxed (despite the fact it's being forced to run inside its sandbox), I would expect the PDF reader/etc to be opened in their respective sandboxes, and not outside, just because the program that triggers them (the web browser) runs outside its sandbox.

When we run a forced program outside its sandbox, Sandboxie is aware of such, correct?

Being so, when the unsandboxed program (browser) triggers the execution of one other program (PDF reader), Sandboxie should verify whether or not the process (pdf reader) has a sandbox of its own, and if so, force it to run in its sandbox.

So, what I'm suggesting is not to exclude in one sandbox and include in another (which is why I said they're unrelated), but to force the pdf reader/etc to their respective sandboxes, in the scenario I mentioned.

I just don't understand why Sandboxie doesn't do that by design. Or, doing what you mentioned others also suggested (exclude in a sandbox and force to others) will handle the scenario I mentioned? If yes, then it's great. If not, it should be looked at, IMO.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Apr 17, 2011 3:04 pm

Ah, now I think I understand what you mean.
_is_m00nbl00d_ wrote:I just don't understand why Sandboxie doesn't do that by design.
Actually it is by design that when you intentionally run a program in "disable forced programs" mode, then this also applies to programs it starts.

The intention here is that you can run Firefox unsandboxed and let it update and restart and run update utilities and not have to worry about any of them being started as a forced program.
tzuk

_is_m00nbl00d_

Post by _is_m00nbl00d_ » Sun Apr 17, 2011 4:26 pm

tzuk wrote:Ah, now I think I understand what you mean.
_is_m00nbl00d_ wrote:I just don't understand why Sandboxie doesn't do that by design.
Actually it is by design that when you intentionally run a program in "disable forced programs" mode, then this also applies to programs it starts.

The intention here is that you can run Firefox unsandboxed and let it update and restart and run update utilities and not have to worry about any of them being started as a forced program.

I totally understand why it is by design, and it's very welcome... I'm not asking to change that behavior... rather to improve it, by also letting the user define, via a setting, whether or not he/she wants to force other programs into their specific sandboxes, whenever they run another forced program outside of its sandbox.

Is this something you could easily do?

_is_m00nbl00d

Post by _is_m00nbl00d » Sun Apr 17, 2011 4:36 pm

-edit-

Just to add something I previously forgot.

Maybe this option, to let users force other programs into their respective sandboxes, could be given when the user chooses, precisely, to run a forced program outside its sandbox.

Sandboxie could ask something like:

"You have chosen to run a forced program outside of its sandbox. Do you also wish to run other programs initated by this one unsandboxed, or would you like Sandboxie to force them to run in their respective sandboxes, if they exist?"

Well, something like that, anyway. lol

Would something like this let users update their browsers, for example, without problems, without unsandboxing other programs that have a sandbox of their own? (Just like my examples.)

Anyway, if it's something that could be done, I'm sure you'll find your way. lol

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests