Force process to be sandboxed
I don't think this had been talked about before. I didn't know which keyword to look for, to be honest.
What I'd like to suggest is the following. I'll explain by steps, and by giving an example.
1. I have my web browser forced to run in a sandbox;
2. I run the web browser outside of its sandbox;
3. I download a PDF file (example) and open it within the web browser;
4. I want the PDF file reader to be open in its own sandbox and not outside Sandboxie, as it happens.
If you're talking about a forced .pdf reader, then I believe that's actually how Disable Forced Programs used to work. Looks like the current behavior, which matches Run Outside Sandbox, was introduced in 3.44:
Changelog wrote:When Disable Forced Programs is used to start some forced program X outside the supervision of Sandboxie, then any other forced programs started by that program X will also start outside the supervision of Sandboxie.
I don't see how this feature request is different than one posted not too long ago.
http://www.sandboxie.com/phpbb/viewtopic.php?t=9853
What is the point of this topic?
tzuk
tzuk wrote:I don't see how this feature request is different than one posted not too long ago.
http://www.sandboxie.com/phpbb/viewtopic.php?t=9853
What is the point of this topic?
They're completely unrelated.
I just find it stupid that Sandboxie won't sandbox the PDF reader in its sandbox, if initiated by an unsandboxed process (which is forced to its own sandbox).
So, I wonder if Sandboxie can't be aware that the process belonging to the PDF reader is being forced to run in a sandbox, and if yes, then force it to run in its sandbox?
If I start my web browser (forced to a sandbox) unsandboxed, and then I download a PDF file (example), and I open it from within the web browser, then I'd expect the PDF reader to be forced to run in its sandbox, not outside of it. I believe Sandboxie should be aware of such a situation. The same way if I open an mp3 file from within the web browser (unsandboxed at a given moment), I'd expect the media player to start in its sandbox, and not outside, etc.
Or, is it something that cannot be done?
tzuk wrote:I don't see how this isn't a repeat of the last topic. I don't know why you say completely unrelated -- to me it looks like the same. Please re-read the second paragraph of my first comment in that topic.
The paragraph is the following:
tzuk wrote:As for clicking documents/programs in a sandbox folder but actually opening them in another sandbox, I don't think I will offer this feature directly. But there have been requests to be able to specify a list of programs to be excluded from running in a sandbox. So when that feature is available you may be able to specify WINWORD.EXE as excluded in one sandbox, and as a forced program in another sandbox.
I'm not talking about excluding a program/list of programs from running in a sandbox. I'm talking about that, when I run my web browser unsandboxed (despite the fact it's being forced to run inside its sandbox), I would expect the PDF reader/etc to be opened in their respective sandboxes, and not outside, just because the program that triggers them (the web browser) runs outside its sandbox.
When we run a forced program outside its sandbox, Sandboxie is aware of such, correct?
Being so, when the unsandboxed program (browser) triggers the execution of one other program (PDF reader), Sandboxie should verify whether or not the process (pdf reader) has a sandbox of its own, and if so, force it to run in its sandbox.
So, what I'm suggesting is not to exclude in one sandbox and include in another (which is why I said they're unrelated), but to force the pdf reader/etc to their respective sandboxes, in the scenario I mentioned.
I just don't understand why Sandboxie doesn't do that by design. Or, doing what you mentioned others also suggested (exclude in a sandbox and force to others) will handle the scenario I mentioned? If yes, then it's great. If not, it should be looked at, IMO.
Ah, now I think I understand what you mean.
_is_m00nbl00d_ wrote:I just don't understand why Sandboxie doesn't do that by design.
Actually it is by design that when you intentionally run a program in "disable forced programs" mode, then this also applies to programs it starts.
The intention here is that you can run Firefox unsandboxed and let it update and restart and run update utilities and not have to worry about any of them being started as a forced program.
tzuk
tzuk wrote:Ah, now I think I understand what you mean.
_is_m00nbl00d_ wrote:I just don't understand why Sandboxie doesn't do that by design.
Actually it is by design that when you intentionally run a program in "disable forced programs" mode, then this also applies to programs it starts.
The intention here is that you can run Firefox unsandboxed and let it update and restart and run update utilities and not have to worry about any of them being started as a forced program.
I totally understand why it is by design, and it's very welcome... I'm not asking to change that behavior... rather to improve it, by also letting the user define, via a setting, whether or not he/she wants to force other programs into their specific sandboxes, whenever they run another forced program outside of its sandbox.
Is this something you could easily do?
-edit-
Just to add something I previously forgot.
Maybe this option, to let users force other programs into their respective sandboxes, could be given when the user chooses, precisely, to run a forced program outside its sandbox.
Sandboxie could ask something like:
"You have chosen to run a forced program outside of its sandbox. Do you also wish to run other programs initiated by this one unsandboxed, or would you like Sandboxie to force them to run in their respective sandboxes, if they exist?"
Well, something like that, anyway. lol
Would something like this let users update their browsers, for example, without problems, without unsandboxing other programs that have a sandbox of their own? (Just like my examples.)
Anyway, if it's something that could be done, I'm sure you'll find your way. lol
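The two behaviours discussed in this thread, as an added model that is not part of any post and not Sandboxie code: `inherit` follows the changelog text quoted earlier, and `reforce_others` is one reading of the requested option in which only the exempted program itself stays outside. Box names, program names and both policy names are assumptions.

```python
# Added illustration, not Sandboxie code. All names and data below are constructed.

# Forced-program table: image name -> box it is forced into.
FORCED = {"firefox.exe": "WebBox", "pdfreader.exe": "PdfBox", "player.exe": "MediaBox"}

# Launch sequence: (pid, parent pid, image, started via Disable Forced Programs).
LAUNCHES = [
    (100, None, "firefox.exe", True),     # user starts the browser exempt
    (101, 100, "updater.exe", False),     # browser runs its updater (not forced)
    (102, 101, "firefox.exe", False),     # updater restarts the browser
    (103, 102, "pdfreader.exe", False),   # a downloaded PDF is opened
    (104, 102, "player.exe", False),      # an mp3 is opened
    (200, None, "pdfreader.exe", False),  # reader started normally from the desktop
    (201, 200, "firefox.exe", False),     # sandboxed reader opens a link
]


def place(launches, policy):
    """Return {pid: box name, or None for unsandboxed} under the given policy."""
    box = {}     # pid -> box name or None
    exempt = {}  # pid -> image of the exempt root this process descends from
    for pid, ppid, image, dfp in launches:
        parent_box = box.get(ppid)
        root = image if dfp else exempt.get(ppid)
        exempt[pid] = root
        if parent_box is not None:
            # A process started from inside a box stays in that box.
            box[pid] = parent_box
        elif root is None:
            # No exemption in the ancestry: normal forced-program lookup.
            box[pid] = FORCED.get(image)
        elif policy == "inherit":
            # Changelog behaviour: the whole exempt subtree stays outside.
            box[pid] = None
        elif policy == "reforce_others":
            # Requested option (assumed reading): the exempted program may
            # restart itself outside, other forced programs go to their boxes.
            box[pid] = None if image == root else FORCED.get(image)
        else:
            raise ValueError(f"unknown policy: {policy}")
    return box


if __name__ == "__main__":
    for policy in ("inherit", "reforce_others"):
        print(policy, place(LAUNCHES, policy))
```

In this model the browser's update-and-restart chain (pids 100 to 102) stays outside under both policies; the policies differ only for the PDF reader and media player started from the exempt browser.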