Allow sandbox in subprocess, regardless of browser process

PostPosted: Fri Jan 17, 2020 6:04 pm
by Tonygeek
My app process, which is also the browser process, on Windows requires the /MD flag for the MSVC++ compiler.
For various reasons (mostly third-party libraries used by my app) I can't afford to link the CRT statically.

This means one can't use the sandbox, because the sandbox static library was built with a statically linked CRT.

However, I have no such limitation on sub-processes. My sub-process app is simple:

#include <windows.h>
#include "include/cef_app.h"

// Sub-process entry point: this executable only ever runs CEF sub-processes
// (renderer, GPU, etc.) and is never used as the browser process.
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
                     _In_opt_ HINSTANCE hPrevInstance,
                     _In_ LPWSTR    lpCmdLine,
                     _In_ int       nCmdShow)
{
    CefMainArgs main_args(hInstance);
    // No CefApp and no sandbox info are passed; CefExecuteProcess runs the
    // sub-process type requested on the command line and returns its exit code.
    return CefExecuteProcess(main_args, nullptr, nullptr);
}

Per cef_sandbox_win.h:

The sandbox is used to restrict sub-processes (renderer, plugin, GPU, etc.) from directly accessing system resources,
but then it also states that one must use the same executable for the browser process and all sub-processes.

Re: Allow sandbox in subprocess, regardless of browser process

PostPosted: Sat Jan 18, 2020 1:35 am
by magreenblatt
This is a limitation of the Chromium sandbox implementation on Windows and not something that we can fix in CEF.