Why change Sandbox Level 4 to 3/2/1/0 [FIXED in beta 5.25.4]

bjm
Posts: 464
Joined: Sat Aug 02, 2008 4:24 pm

Post by bjm » Thu Jan 25, 2018 8:06 pm

Hi

by Barb@Invincea » Thu Aug 17, 2017 11:17 am
Also, you shouldn't need to turn off multi-process in Firefox, as it is currently supported by Sandboxie.

by Barb@Invincea » Tue Nov 14, 2017
There are some issues that come up if security.sandbox.content.level is set to 3. However, for me on Win 10 x64, it works fine with level 3. Seems to be "random" ...Still investigating.

by Barb@Invincea » Thu Jan 18, 2018
Open Firefox outside Sandboxie
type about:config and accept the risk
search sandbox
Switch security.sandbox.content.level to 2 (if needed switch it to 1 or 0).
Close Firefox
Relaunch it Sandboxed and re-test.

Why is it necessary for some Sandboxie users to allow web content more access to their system (by weakening Firefox built-in sandbox) by changing Sandbox Level 4 to 3/2/1/0?

Just curious.
Thanks
Last edited by bjm on Thu Jan 25, 2018 8:38 pm, edited 1 time in total.
Sandboxie 5.26 - W10 Home 1709 - WebrootSA - Chrome

Syrinx
Sandboxie Guru
Posts: 621
Joined: Fri Nov 13, 2015 4:11 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Syrinx » Thu Jan 25, 2018 8:31 pm

I may not be a "very stable genius" but I do have a strange desire to second this request of info and hope for a few specifics on how/why internal changes like these can suddenly allow a SBIE protected instance to work without as many issues if inter-box processes are not being denied things to begin with. [/me braces for the inevitable it's their fault sleight of hand ~ though I won't brush it off as also being a legit possibility!]
http://goo.gl/p8qFCf
https://www.youtube.com/watch?v=vIxWgVOCexU

Barb@Invincea
Sandboxie Support
Posts: 2608
Joined: Mon Nov 07, 2016 3:10 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Barb@Invincea » Fri Jan 26, 2018 11:28 am

Hello all,

Lowering the Firefox Sandbox security level is a workaround used in order to allow certain Firefox features to work with Sandboxie. For some users, a sandbox content level of 3 may trigger a crash, for others it causes audio/printing to not work. We have been seeing different behaviors per OS (I am unable to repro under Win 10, but I got the printing/audio issues when running Windows 8.1 and 7, so it is most likely a combination of OS + Firefox changes which explains why not all users need to make the changes).

The issue is still under investigation and we have not yet found a fix; that's why some users may need to lower the Firefox sandbox level in order to use it inside Sandboxie. It is not a fix, it's a workaround.

There are several threads that discuss this which contain further explanations/information/scenarios:
viewtopic.php?f=11&t=25095
viewtopic.php?f=11&t=24937
viewtopic.php?p=129898#p129898

Regards,
Barb.-

Syrinx
Sandboxie Guru
Posts: 621
Joined: Fri Nov 13, 2015 4:11 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Syrinx » Fri Jan 26, 2018 9:42 pm

So umm...not what I expected to read at all...!

Did you actually just claim that no one there (on your end) can make heads or tails of why an open source browser runs into issues inside Sandboxie when in relation to various, increased, internal "Firefox Sandbox Levels" (and how suddenly using rule changes [to decrease its internal mechanisms] within that same program somehow aid in allowing it to function as expected when protected by Sandboxie?) beyond each point when you CAN literally, download, follow and read the related code prior to it being assembled? [No, I don't think that's what you just said..instead...I read a generic BOT type response to keywords (maybe searches?)...sigh]

/Insert disbelief smiley here followed by quite a few coughs hiding some b and s of their own.

I wasn't asking for an overnight fix [ok so this is months old] but I was actually curious as to why exactly this is so hard to understand and resolve. It just seems so silly that it remains a problem when the related source code is available publicly.

Feel free to ask Curt to dazzle us with a brain squashing one line response that would make no sense to the layperson (like me). At least then I could pretend to 'nod and agree' while I quietly nudge Mr. X and go, "Whhaaaaaaatt did he just say?"

If I was a programmer I'd read it myself and say something cool like that one doohicky expects to pass this other doohickey via the next doohickey but the receiving doohickey gets confused when that one doohickey is altered by sandboxie and so it doesn't look the doohickey it's supposed to look like to this other doohickey so a stoopid flag is set and in turn the internal sandboxed security (of FF) rejects that other doohickeys doohickey because it doesn't match the expected doohickeys format but that is just because that other doohickey is actually as stoopid as the flag it just set so instead we have you lower the internal box level to avoid those bad routines but not because this is a totally insane drunken rant meant to go in circles.

/me is totally legit (not) /insert TS song here
http://goo.gl/p8qFCf
https://www.youtube.com/watch?v=vIxWgVOCexU

Barb@Invincea
Sandboxie Support
Posts: 2608
Joined: Mon Nov 07, 2016 3:10 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Barb@Invincea » Mon Jan 29, 2018 11:28 am

Hello Syrinx,

I wasn't asking for an overnight fix [ok so this is months old] but I was actually curious as to why exactly this is so hard to understand and resolve. It just seems so silly that it remains a problem when the related source code is available publicly.

If we knew exactly why this is so hard to figure out/resolve, we would have posted a fix already. On top of this issue being harder to fix than you would think, there were other priorities that delayed the investigation process (kernel patches, sbie updates to VS 2015, etc.).

The workaround is the only option at the moment. But we have not given up on finding a solution, and we will post it once it is found.

What I can offer, once the solution/actual problem is found, is to update this thread with technical information that may help you further understand the problem (after we manage to understand it/fix it :) ).

Regards,
Barb.-

RooJ
Posts: 83
Joined: Sun Dec 21, 2014 2:47 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by RooJ » Mon Feb 05, 2018 6:37 pm

Maybe not connected, but I noticed the following in the release notes for Firefox 58.0.1:

https://www.mozilla.org/en-US/firefox/5 ... easenotes/
unresolved
Users running Firefox for Windows over a Remote Desktop Connection (RDP) may find that audio playback is disabled due to increased security restrictions. Learn how to mitigate this issue until it is corrected in an upcoming release.
And in mitigation:

https://support.mozilla.org/en-US/kb/i- ... connection
I can’t play audio on a Remote Desktop Connection

If you are on a Remote Desktop Connection (RDP) on Windows, audio playback will be disabled due to increased security restrictions. This is a known issue since Firefox version 56 that we are working hard to fix.

In the meantime, you can reduce the sandbox security level by following these steps:

In the address bar, type about:config and press Enter/Return.
The about:config "This might void your warranty!" warning page may appear. Click "I'll be careful, I promise!" / "I accept the risk!" to continue to the about:config page.
Search for security.sandbox.content.level, double-click on the preference and set its value to 2.
Restart Firefox on the remote device.

Fingers crossed Mozilla's RDP audio fix resolves the issue in Sandboxie too.

Barb@Invincea
Sandboxie Support
Posts: 2608
Joined: Mon Nov 07, 2016 3:10 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Barb@Invincea » Tue Feb 06, 2018 11:05 am

Hello RooJ,

Thanks for the update. There were also other Firefox bugs reported when using sandbox content levels higher than 2. They are posted in the original Firefox threads under Problem Reports, and we are monitoring them.

This is going to be one of those issues that will take a while to tackle due to all of these scenarios.
The original posts will be updated as new information becomes available.

Regards,
Barb.-

martinr
Posts: 83
Joined: Sun Apr 15, 2007 8:41 am

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by martinr » Sun Feb 25, 2018 9:15 am

For a long time I have had to run the Firefox sandbox at zero so it would run in Sandboxie. Not a huge problem except it takes perhaps 2 minutes to fully open and settle down ready for browsing. If I open Firefox outside Sandboxie, it comes up in an instant.

I’ve always put up with this because of the protection Sandboxie gives me. But I ought to ask: is it at all possible to say how the Firefox sandbox compares with Sandboxie?

I’ve used Sandboxie since I think around 2001, unless memory fails me, and I feel exposed without it, as, on the odd occasion when I can only use Microsoft Edge in order to fully access a website.

bjm
Posts: 464
Joined: Sat Aug 02, 2008 4:24 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by bjm » Mon Mar 26, 2018 4:02 pm

Application Basics
Name: Firefox
Version: 59.0.2
Build ID: 20180323154952
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
OS: Windows_NT 10.0

Multiprocess Windows: 1/1 (Enabled by default)
Web Content Processes: 4/4

Content Process Sandbox Level: 4
Effective Content Process Sandbox Level: 4
Sandboxie 5.26 - W10 Home 1709 - WebrootSA - Chrome

bjm
Posts: 464
Joined: Sat Aug 02, 2008 4:24 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by bjm » Wed May 09, 2018 2:40 pm

Multiprocess Windows 1/1 (Enabled by default)

Content Process Sandbox Level 4
Effective Content Process Sandbox Level 4

Firefox 60.0 (64-bit)
Sandboxie 5.26 - W10 Home 1709 - WebrootSA - Chrome

bjm
Posts: 464
Joined: Sat Aug 02, 2008 4:24 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by bjm » Thu May 17, 2018 11:06 am

Multiprocess Windows 1/1 (Enabled by default)

Content Process Sandbox Level 5
Effective Content Process Sandbox Level 5

Firefox 60.0.1 (64-bit)
Sandboxie 5.26 - W10 Home 1709 - WebrootSA - Chrome

Barb@Invincea
Sandboxie Support
Posts: 2608
Joined: Mon Nov 07, 2016 3:10 pm

Re: Why change Sandbox Level 4 to 3/2/1/0

Post by Barb@Invincea » Thu May 17, 2018 11:09 am

All,

Firefox sandbox issues have been fixed in the latest beta 5.25.4
viewtopic.php?p=133187#p133187

As promised, I reached out to the devs and asked for some clarification to provide. Here's what I got:

There is a Firefox process that is created with a restricted user's token. This token is used to communicate with a windows service called "audiodg.exe". Then, the service impersonates this process for further communication/configurations. The security settings in the sandboxed Firefox process did not allow that restricted user to perform the actions as listed above. Now they do.

Regards,
Barb.-
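
Added example, not part of the original thread and not Sandboxie or Mozilla code: with the fix released, a profile where the workaround was applied can still carry the lowered security.sandbox.content.level, so this Python script reads a profile's prefs.js and user.js and reports whether the value is still overridden below the expected level. The function names and the sample prefs text are constructed for illustration, and expected_level is an assumption supplied by the caller (the thread shows 4 and 5 depending on the Firefox version).

```python
import re
from pathlib import Path

PREF = "security.sandbox.content.level"
# Firefox stores user-set prefs one per line as: user_pref("name", value);
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def read_override(text):
    """Return the raw value set for PREF in one prefs file, or None.
    Commented-out lines (// ...) do not match; the last assignment wins."""
    value = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == PREF:
            value = m.group(2)
    return value

def classify(prefs_js, user_js, expected_level):
    """Classify one profile. user.js is applied at startup on top of
    prefs.js, so an entry there takes precedence."""
    raw, source = read_override(user_js or ""), "user.js"
    if raw is None:
        raw, source = read_override(prefs_js or ""), "prefs.js"
    if raw is None:
        return ("default", None, None)      # no override: browser default applies
    if not re.fullmatch(r"-?\d+", raw):
        return ("malformed", raw, source)   # e.g. a quoted string instead of an int
    level = int(raw)
    status = "lowered" if level < expected_level else "not-lowered"
    return (status, level, source)

def audit_profiles(profiles_root, expected_level):
    """Classify every <root>/<profile>/ directory that contains a prefs.js."""
    results = {}
    for prefs in sorted(Path(profiles_root).glob("*/prefs.js")):
        user = prefs.with_name("user.js")
        user_text = (user.read_text(encoding="utf-8", errors="replace")
                     if user.exists() else None)
        results[prefs.parent.name] = classify(
            prefs.read_text(encoding="utf-8", errors="replace"),
            user_text, expected_level)
    return results

# Constructed sample: the workaround from the thread left behind in prefs.js.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.sandbox.content.level", 2);
'''

if __name__ == "__main__":
    print(classify(SAMPLE_PREFS, None, expected_level=4))
```

A "lowered" result means the override is still in place; resetting the preference in about:config removes the line so the browser default applies again.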
