Is --no-sandbox disable DEP on purpose?

Having problems with building or using CEF's C/C++ APIs? This forum is here to help. Please do not post bug reports or feature requests here.

Is --no-sandbox disable DEP on purpose?

Postby lwttai » Thu Jun 23, 2022 3:56 am

OS: windows 10/11
CEF: 101

Run cefclient.exe with --no-sandbox. Then all child process such as gpu or render are mark as "DEP(data execution prevention): disabled(permanent)"
After a little digging, I found --no-sandbox will mark /disable_cetcompat/ as true to set SHADOW_STACKS policy. Providing PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY without PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE to ::CreateProcess cause the child process disabled DEP permanently.
Code: Select all
//chromium\src\base\process\launch_win.cc
  // Set PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.
  if (options.disable_cetcompat &&
      base::win::GetVersion() >= base::win::Version::WIN10_20H1) {
    DCHECK_GT(attribute_count, 0);
    process_mitigations[1] |=
        PROCESS_CREATION_MITIGATION_POLICY2_CET_USER_SHADOW_STACKS_ALWAYS_OFF;
    if (!startup_info_wrapper.UpdateProcThreadAttribute(
            PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &process_mitigations[0],
            sizeof(process_mitigations))) {
      return Process();
    }
  }


Is this behave expected or a chromium bug?
MSDN list a tons of options for PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, will there some policies need to set on hand?

My current workaround:
add DEP policy when setting PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
Code: Select all
process_mitigations[0] |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE;
lwttai
Techie
 
Posts: 24
Joined: Mon Oct 14, 2019 12:18 am

Re: Is --no-sandbox disable DEP on purpose?

Postby magreenblatt » Thu Jun 23, 2022 4:53 am

If you want protections why are you disabling the sandbox?
magreenblatt
Site Admin
 
Posts: 12382
Joined: Fri May 29, 2009 6:57 pm

Re: Is --no-sandbox disable DEP on purpose?

Postby ndesktop » Thu Jun 23, 2022 9:44 am

I second this; I am using CEF in an antimalware and we have our own protection mechanisms, and/or other details (various other dll patching).
ndesktop
Master
 
Posts: 750
Joined: Thu Dec 03, 2015 10:10 am


Return to Support Forum

Who is online

Users browsing this forum: No registered users and 36 guests