Okay, so here's what I found about sandboxing code with Chrome.
First off, you'll need to go get the chromium source code. This is big, and will take a while to get, but I've yet to find any reliable shortcuts to checkout that still yeild usable results. Alos, it's very important that you follow the instructions on that page VERY CLOSELY. The Google crew knows what they're doing, and aren't keen on useless steps. Everything on that page is necessary. Yes. Everything.
Now, once you get the source, you don't actually have to build chrome in it's entirety (which can take hours!) to use the sandbox. Instead they've been nice enough to give you a separate sandbox solution (found in the sandbox folder) that can build standalone. Build this project and make sure everything compiles. If it does, great! If it doesn't, you didn't follow the steps on the build page, did you? Hang your head in shame and go actually do it this time. Don't worry, I'll wait...
Now that everything has built your main point of interest is the sandbox_poc project ("poc" = Proof of Concept). This project is basically a minimal GUI wrapper around a sandbox that will launch an arbitrary dll at a given entry point in a sandboxed environment. It shows all the required steps for creating and using a sandbox, and is about the best reference you've got. Refer to it often!
As you look through the code you'll probably notice that the code it actually sandboxes is itself. This is very common with all the sandbox examples, and according to this thread (which may be outdated) is possibly the only working way to sandbox at the moment. The thread describes how one would theoretically sandbox a separate process, but I haven't tried it. Just to be safe, though, having a self-calling app is the "known good" method.
sandbox_proc includes a great many static libs, but they appear to mostly be for the sample UI they've built. The only ones I've found that seem to be required for a minimal sandbox are:
sandbox.lib base.lib dbghelp.lib
There's another dependancy that's not entirely obvious from looking at the project though, and it's what I got caught up on the longest. When you built the sandbox solution, one of the output files should be a "wowhelper.exe
". Though it's never mentioned anywhere, this file must be copied to the same directory as the executable you are sandboxing! If it's not, your attempts to sandbox your code will always fail with a generic "file not found" error. This can be very frustrating if you don't know what's going on! Now, I'm developing on Windows 7 64bit, which may have something to do with the wowhelper requirement (WOW is a common acronym for interop apps between 16/32/64bit), but I don't have a good way of testing that right now. Please let me know if anyone else finds out more!
So that's all the environment stuff, here's a bit of smaple code to get you going! Please note that although I use wcout in the child process here, you can't see any console output when running in the sandbox. Anything like that needs to be communicated to the parent process via IPC.
#include <sandbox/src/sandbox.h>
#include <sandbox/src/sandbox_factory.h>
#include <iostream>
using namespace std;
int RunParent(int argc, wchar_t* argv[], sandbox::BrokerServices* broker_service) {
if (0 != broker_service->Init()) {
wcout << L"Failed to initialize the BrokerServices object" << endl;
return 1;
}
PROCESS_INFORMATION pi;
sandbox::TargetPolicy* policy = broker_service->CreatePolicy();
// Here's where you set the security level of the sandbox. Doing a "goto definition" on any
// of these symbols usually gives you a good description of their usage and alternatives.
policy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
policy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, sandbox::USER_LOCKDOWN);
policy->SetAlternateDesktop(true);
policy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
//Add additional rules here (ie: file access exceptions) like so:
policy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES, sandbox::TargetPolicy::FILES_ALLOW_ANY, "some/file/path");
sandbox::ResultCode result = broker_service->SpawnTarget(argv[0], GetCommandLineW(), policy, &pi);
policy->Release();
policy = NULL;
if (sandbox::SBOX_ALL_OK != result) {
wcout << L"Sandbox failed to launch with the following result: " << result << endl;
return 2;
}
// Just like CreateProcess, you need to close these yourself unless you need to reference them later
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
broker_service->WaitForAllTargets();
return 0;
}
int RunChild(int argc, wchar_t* argv[]) {
sandbox::TargetServices* target_service = sandbox::SandboxFactory::GetTargetServices();
if (NULL == target_service) {
wcout << L"Failed to retrieve target service" << endl;
return 1;
}
if (sandbox::SBOX_ALL_OK != target_service->Init()) {
wcout << L"failed to initialize target service" << endl;
return 2;
}
// Do any "unsafe" initialization code here, sandbox isn't active yet
target_service->LowerToken(); // This locks down the sandbox
// Any code executed at this point is now sandboxed!
TryDoingSomethingBad();
return 0;
}
int wmain(int argc, wchar_t* argv[]) {
sandbox::BrokerServices* broker_service = sandbox::SandboxFactory::GetBrokerServices();
// A non-NULL broker_service means that we are not running the the sandbox,
// and are therefore the parent process
if(NULL != broker_service) {
return RunParent(argc, argv, broker_service);
} else {
return RunChild(argc, argv);
}
}
Hopefully that's enough to get any other curious coders sandboxing! Good luck!