Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to enable sandbox behind a setting and validate it works #154006

Closed
3 tasks
bpasero opened this issue Jul 3, 2022 · 2 comments
Closed
3 tasks

Allow to enable sandbox behind a setting and validate it works #154006

bpasero opened this issue Jul 3, 2022 · 2 comments
Assignees
@bpasero @deepak1556
Labels
on-testplan plan-item VS Code - planned item for upcoming sandbox Running VSCode in a node-free environment
Milestone
July 2022

Comments

@bpasero
Copy link
Member

bpasero commented Jul 3, 2022
edited
Loading

The idea is to eventually enable this by default in insiders.

Things to check:

  • 🏃 There are no issues from the contextBridge when using the exposed API from our preload script
  • 🏃 Investigate the impact on running as admin when sandbox: true
  • 🏃 Performance validation & tuning
@bpasero bpasero added plan-item VS Code - planned item for upcoming sandbox Running VSCode in a node-free environment labels Jul 3, 2022
@bpasero bpasero added this to the July 2022 milestone Jul 3, 2022
@bpasero bpasero self-assigned this Jul 3, 2022
@bpasero bpasero mentioned this issue Jul 3, 2022
Closed
@bpasero bpasero mentioned this issue Jul 3, 2022
Closed
2 tasks
@bpasero bpasero changed the title Allow to enable sandbox behind a setting Allow to enable sandbox behind a setting and validate it works Jul 3, 2022
This was referenced Jul 4, 2022
Closed
Merged
@bpasero
Copy link
Member Author

bpasero commented Jul 5, 2022

From @deepak1556 on running as admin:

Running the application as elevated on macOS and windows will work, the problematic scenarios are the following,

  • On Linux, if a user the installed the application as root technically they should be able to launch the application but the issue would be the sandbox will now run under admin privilege and access to files which are owned by a different user will fail and most often the user data directory would not be owned by root and chrome's internal logic would abort when not being able to read/write to this folder.
  • The second scenario on linux is when application was installed as normal user but then tried to launch with sudo, in this case the sandbox which uses execve would fail to stat the executable after launching a process and lead to a hard crash. This makes chrome unable to launch child processes. The decision was then made to never allow running as elevated on linux under sandbox, https://bugs.chromium.org/p/chromium/issues/detail?id=638180
  • On Windows, when running the application as elevated while applocker is enabled will cause the sandboxed process to fail launch https://bugs.chromium.org/p/chromium/issues/detail?id=740132

@kieferrm kieferrm mentioned this issue Jul 9, 2022
Closed
98 tasks
@bpasero bpasero mentioned this issue Jul 21, 2022
Closed
3 tasks
@bpasero
Copy link
Member Author

bpasero commented Jul 21, 2022

Test plan item: #155827

@bpasero bpasero closed this as completed Jul 21, 2022
@0xCCY 0xCCY mentioned this issue Aug 9, 2022
Open
@github-actions github-actions bot locked and limited conversation to collaborators Sep 4, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bpasero bpasero

@deepak1556 deepak1556

Labels
on-testplan plan-item VS Code - planned item for upcoming sandbox Running VSCode in a node-free environment
Projects
None yet
Milestone
July 2022
Development

No branches or pull requests
2 participants
@bpasero @deepak1556