Nested jobs, enchanced isoaltion featuer, please test...

Discussion in 'Sandboxie (SBIE Open Source) Plus & Classic' started by DavidXanatos, Jul 19, 2021.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    Historically sandboxie prevented sandboxed applications from using job objects as it used this mechanism to apply some restrictions itself and older windows versions did not support processes withing a restricted job spawning processes in own jobs, a.k.a. nested jobs, this changed with windows 8.
    So there is no more reason to prevent boxed processes from using own job objects to apply additional isolation of their workers, like for example the chromium sandbox does.

    I would like to enable this functionality by default in one of the upcoming builds, as it enhances the isolation.


    upload_2021-7-19_20-19-15.png


    Here you can find this option, I don't expect it to break compatibility with anything but before I roll it out enabled by default, please enable it for testing and report back if it truly does not break anything.
     
  2. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
    (a) Will this affect users of Windows 7 in any way (possibly no)?

    (b) @DavidXanatos , you may want to edit the thread title to include reference to Sandboxie+ (and classic)
     
  3. henryg1

    henryg1 Registered Member

    Joined:
    Jun 14, 2020
    Posts:
    402
    Location:
    uk
    Which build?
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Where does one get this build from?
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
  7. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
  8. settttttt

    settttttt Registered Member

    Joined:
    Jan 26, 2021
    Posts:
    8
    Location:
    virginia
    Tested 4 boxes all day today, no new issues to report.
     
  9. Monica2000

    Monica2000 Registered Member

    Joined:
    May 18, 2020
    Posts:
    65
    Location:
    Spain
    36 boxes tested = 0 problems.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't get it, it looks like you are actually disabling a sandboxing feature but you also say this will enhance isolation? Seems like a contradiction, but what do apps gain by allowing the use of nested jobs?
     
  11. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    The reason job objects were disabled on windows 7 or rather made seam to work but do nothing, was that a job object was already used by sbie to apply some additional isolation on UI handles, and a process could not belong to more than one job.

    With windows 8 a process can however belong to any count of job objects, so allowing processes inside the sandbox to apply their own job object to their workers, adds additional restrictions those processes want to impose.

    Disabling the usage of job objects was not a sandboxing feature but a needed workaround to make processes that would use jobs work in sandboxie.
     
  12. Zem

    Zem Registered Member

    Joined:
    Dec 19, 2020
    Posts:
    6
    Location:
    UK
    Set this option on Monday and have not had any problems at all running with Windows 10.
     
  13. Jaiboy

    Jaiboy Registered Member

    Joined:
    Jan 1, 2021
    Posts:
    1
    Location:
    Australia
    Happy to report, "nested job objects" running on Win10 Pro, 21H1 since last Monday with no issues so far :)
     
  14. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Hi David. Enabled this option a few days ago and only one issue identified so far. That is in Chromium Edge, when sandboxed (using default box), .pdf files do not open in the browser. I tried unsandboxed & it worked, but tried again sandboxed & it didn't. Then I remembered this option I'd enabled, so I unticked the option, and found it works unticked.

    What happens when the option is enabled is the new tab for the .pdf opens and just remains white, at the same time Edge freezes and the only course of action is to delete the contents of the sandbox or terminate the processes in the sandbox - both end up killing Edge. This is on Win 10 Pro 21h1, Sandboxie Plus 0.8.8 & the latest stable version of Edge.

    Just FYI this is the page: https://sp.chorus.co.nz/system/files/resources_files/New%20ONT%20Information%20Pack.pdf


    Which I was accessing from here: Introduction of a new ONT | Chorus service providers (link to pdf is under Resources at the bottom of the page).
     
    Last edited by a moderator: Jul 27, 2021
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks, I think I now understand it. BTW, you never responded to my request to make SpyShelter and GhostPress compatible with Sandboxie, is there any reason for this, I already asked twice, so perhaps it will take too much time? For example, KeyScrambler works just fine if it's selected in the compatibility menu.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Maybe, I observed similar with "nested jobs" not enabled. Edge, Plus or Sumatra update changed something when opening .pdf in Edge. I needed to open .pdf outside sbox to then be able to open .pdf inside sbox. May be something with default app used for .pdf files after an update. Observed with 0.8.8 with "nested jobs" not enabled. I only had "nested jobs" enabled for an hour July 19th and I observed similar today with 0.8.9. I opened .pdf outside sbox to then be able to open .pdf inside sbox.
    ~ as test: "nested jobs" enabled in forced Edge sbox...opened .pdf file from desktop & opened .pdf file #14 in forced Edge sbox.
     
    Last edited: Jul 31, 2021
  17. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Thanks for the tip. I didn't open the pdf outside the browser at any stage. I simply tried the pdf in the browser sandboxed and it opened to a white screen and froze Edge. Then I tried it unsandboxed and it worked (in the browser), then sandboxed again and it didn't. Then I tried unticking the option for nested jobs and it worked (in the browser). I repeated this 3 times and the behaviour was consistent. Never downloaded it or had it open in Adobe Reader, it opens in whatever the default pdf reader in Edge is. I don't use Sumatra.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yeah, I had "white screen and froze Edge".
    -
    Edit 1: as test ~ "nested jobs" enabled in 0.8.9b Edge forced sbox.....pdf file from #14 opens okay.
    Edit 2: as test ~ "nested jobs" enabled in 0.8.9c Edge forced sbox.....pdf file from #14 does not open okay.
    I opened .pdf outside Edge sbox to then be able to open .pdf inside Edge sbox.
    as always, your mileage may vary
     
    Last edited: Jul 28, 2021
  19. Bird Watcher

    Bird Watcher Registered Member

    Joined:
    Apr 16, 2021
    Posts:
    5
    Location:
    Kansas
    I have had the same when trying to print in Edge. Blank popup print screen and frozen Edge, works fine outside sandbox.

    The difference here is although I have Sandboxie Plus installed I use the classic interface 5.50.9.

    Edit to add Edge version 92.0.902.55

    Edit 2 to add rolled back to 5.50.8 and printing works again.
     
    Last edited: Jul 29, 2021
  20. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,319
    Location:
    Viena
    I havn't head tome to look into those, I assume there are free 30 day trails of booth available?
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    @catspyjamas
    Curious, are you still able to reproduce "white screen and froze Edge" with "nested jobs" enabled?
    With "nested jobs" enabled in my Edge 92.0.902.62 sbox...pdf opens okay. 0.8.9c
     
    Last edited: Aug 1, 2021
  22. catspyjamas

    catspyjamas Registered Member

    Joined:
    Jul 1, 2011
    Posts:
    288
    Location:
    New Zealand
    Nope pdfs are working with nested jobs enabled now. Got your messages thanks - interestingly I had no problems with opening pdfs in Edge before the Edge update. My only problem was when nested jobs was ticked.

    Have re-ticked the option since it's working now. :)
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Thanks....just wanted to confirm "nested jobs" enabled is not breaking Edge opening .pdf.
     
    Last edited: Aug 2, 2021
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Respectfully curious,
    What's current thinking on "Allow use of nested job objects" = experimental or default?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.