Sandbox Level in various browsers and operating systems

Discussion in 'sandboxing & virtualization' started by Sampei Nihira, May 22, 2022.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,643
    Location:
    Italy
    Would it be possible to post a screen to compare with the sandbox of various browsers?
    Thanks in advance.

    Edge in W.10 x64:


    2.jpg
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,096
    Location:
    Canada
    Edge Version 101.0.1210.53 (Official build) (64-bit)

    winver.png

    edge sandbox.png
     
    Last edited: May 22, 2022
  3. Sampei Nihira

    @wat0114

    Thank you for the availability. :thumb:
    You can see that the Renderer does not have Integrity Level AppContainer.

    Network Service + Audio Service are not protected by internal sandbox.

    Any other forum members want to post an image for comparison?
    :)
     
    Last edited: May 23, 2022
  4. wat0114

    Thanks @Sampei Nihira

    fwiw, these are my Edge registry keys:

    Edge registry keys.png

    I see several Edge renderers with IL AppContainer using PE.

    Edge integrity levels.png

    Is there something I'm missing?
     
  5. Sampei Nihira

    If you've made adjustments you should see the results in

    Edge://sandbox

    You are missing:

    NetworkServiceSandboxEnabled to 1
     
  6. wat0114

    Okay now enabled, so I have this:

    edge sandbox.png

    Thanks!
     
  7. Sampei Nihira

    Audio Service is not listed in sandbox.
     
  8. wat0114

    Strange, it is now, and I didn't change anything except to reboot pc.

    edge sandbox.png
     
  9. Sampei Nihira

    :thumb:
    You have greatly increased the security of your Edge.
     
  10. wat0114

    Thanks again :thumb:
     
  11. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Uhm, any takers for the pretty browser over there in red and green?... :p
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,173
    Sandbox level is tied to system "integrity"; Firefox is using "low", Chrome is using "anonymous". There exist 5 levels.
    https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
    "Anonymous" is below "low"; check with Process Hacker or Process Explorer.

    That's the reason why Firefox had issues in Sandboxie with its default sandbox levels - no access.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,556
    How do we enable Network Service to be sandboxed with Edge?
     
  14. Brummelchen

  15. Trooper

    Yes sir got it. Was not sure of the registry key but just looked that up. Mine is enabled now.

    upload_2022-5-24_14-5-55.png
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,911
    Location:
    Outer space
    Brave on Windows 10:
    upload_2022-5-24_18-24-18.png
    As you can see, compared to Edge, Audio Service is sandboxed by default.

    Firefox does not really seem to have a page like this.
     
  17. BoerenkoolMetWorst

    Chromium chrome://sandbox on Fedora 35:
    Screenshot_2022-05-24_20-33-26.png
    Firefox about:support on Fedora 35:
    Screenshot_2022-05-24_20-36-51.png

    EDIT: Firefox about:support on Windows is nothing special to see, compared to Linux, only the bottom 3 items exist. The first 2 are level 6 and 3rd one says Win32k lockdown enabled - default setting.
     
    Last edited: May 24, 2022
  18. Sampei Nihira

  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,565
    Are you guys testing on admin or SUA?

    When testing on admin, Edge showed the appcontainer info. But on SUA, it didn’t.
     
  20. Trooper

    How exactly is this protecting us with the NetworkService set to be sandboxed?

    EDIT: @Azure Phoenix I am testing as admin, not SUA.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    3,007
    Location:
    the Netherlands
    Same on Kubuntu 20.04 (about:support)
     
  22. Sampei Nihira

    The registry keys have local validity; you have to edit them locally, not in the administrator account, if you use the Standard account instead.
     
  23. Sampei Nihira

    Not only sandboxed but it is also at the AppContainer level.
    The best protection is obvious.
     
  24. Trooper

    Is there a flag for this as well? I have my registry similar to yours but AudioService is not listed.

    upload_2022-5-24_16-53-13.png

    Strangely enough, AudioService now appears for me in sandbox settings.
     
    Last edited: May 24, 2022
  25. wat0114

    @Trooper

    These are my Edge registry values:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge]
    "RendererAppContainerEnabled"=dword:00000001
    "DefaultFileSystemReadGuardSetting"=dword:00000002
    "DefaultFileSystemWriteGuardSetting"=dword:00000002
    "AudioSandboxEnabled"=dword:00000001
    "DnsOverHttpsMode"="automatic"
    "DnsOverHttpsTemplates"="https://dns.quad9.net/dns-query"
    "NetworkServiceSandboxEnabled"=dword:00000001

    I first renamed Edge.reg to Edge.txt, then copy & pasted contents here. I use Quad9 DNS, thus the user-specific string for it.

    EDIT

    Process Explorer can be used to check Type and Integrity levels of the individual Edge renderers or utility processes.

    AppContainer Network service.png
     
    Last edited: May 24, 2022
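
Added example (not posted by any thread participant): a PowerShell check of the three sandbox policy values from the .reg export above, read from the per-user key shown there and from the machine-wide HKLM policy key. The function name `Get-EdgeSandboxPolicy` and the inclusion of HKLM are assumptions of this example; run it in the account that actually runs Edge, because the HKCU key is per-user.

```powershell
# Added example: audit the Edge sandbox policies discussed in this thread.
# Value names and the HKCU path come from the .reg export posted above;
# the HKLM path is the machine-wide policy key (included as an assumption).
$policyNames = @(
    'RendererAppContainerEnabled'
    'NetworkServiceSandboxEnabled'
    'AudioSandboxEnabled'
)
$policyKeys = [ordered]@{
    'HKCU' = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    'HKLM' = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-EdgeSandboxPolicy {
    foreach ($name in $policyNames) {
        foreach ($entry in $policyKeys.GetEnumerator()) {
            $value = $null
            if (Test-Path -LiteralPath $entry.Value) {
                # A missing value produces no output instead of an error.
                $item = Get-ItemProperty -LiteralPath $entry.Value -Name $name -ErrorAction SilentlyContinue
                if ($null -ne $item) { $value = $item.$name }
            }
            $state = if ($null -eq $value) {
                'not set'
            } elseif ($value -eq 1) {
                'enabled'
            } elseif ($value -eq 0) {
                'disabled'
            } else {
                "unexpected ($value)"
            }
            [pscustomobject]@{ Policy = $name; Hive = $entry.Key; Value = $value; State = $state }
        }
    }
}

$report = Get-EdgeSandboxPolicy
$report | Format-Table -AutoSize

# Warn about any policy that is not set to 1 in either key for this account.
$report | Group-Object Policy | Where-Object {
    -not ($_.Group | Where-Object { $_.Value -eq 1 })
} | ForEach-Object { Write-Warning "$($_.Name) is not enabled for this account" }
```

The registry only shows what was requested; the edge://sandbox page and Process Explorer, both mentioned in the thread, show what the running processes actually got.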