Dragon Sandbox

Boris_3 · December 2, 2013, 9:17am

If a type dragon://sandbox in the search box to check the status of the sandbox, I get “This webpage is not available” as a result.

Does it mean that Dragon doesn’t use the chromium in-built sandbox anymore?

JoWa · December 2, 2013, 9:38am

The sandbox-URL is for Linux only.

Chromium Blog: A safer playground for your Linux and Chrome OS renderers

[attachment deleted by admin]

Boris_3 · December 2, 2013, 1:19pm

Thanks JoWa for your reply.

Do you know if there is way to see if the sandbox is active in Windows OS?

JoWa · December 2, 2013, 1:35pm

You can use Process Explorer to check the processes’ integrity-level (Vista+), which should be untrusted for renderers. You can also check that there is a tab Job in a process’s properties, and that the job has 12 limits.

Boris_3 · December 2, 2013, 6:15pm

Well,

Indeed I’ve untrusted for the integrity-level, but for the job limits I’ve:
Kill on Job Close : True
Active Process : 1

JoWa · December 2, 2013, 6:34pm

This is the expected list (see image, Dragon 30 portable, W7 64-bit).

I have no idea why you have only two of the limits. :-\ ???

[attachment deleted by admin]

Boris_3 · December 2, 2013, 8:02pm

OK,

In my previous reply, I just looked the properties of the first Dragon process and got the values in job I mentioned in that previous reply. ((1st image attached).

Now if I look the properties of the following Dragon processes, I’ve the same values than you (2d image attached). All is well then.

[attachment deleted by admin]

JoWa · December 2, 2013, 8:12pm

That’s good, but also surprising. The “broker”-process is not sandboxed, it’s the broker that sandboxes the child-processes (renderers, extensions, plugins). So the broker-process is not expected to run as a job-object. Are you using some other software to sandbox Dragon?

Boris_3 · December 2, 2013, 8:45pm

When i said the 1st Dragon process in my previous reply, I forgot to mention that it was the 1st child one. For the parent process, I haven’t Job in the properties.

I usually run Dragon in Sandboxie, but to check the in-built sandbox I ran it outside Sandboxie. When ran in Sandboxie, Job in propreties give a blank page for the child processes (attached image)

[attachment deleted by admin]

JoWa · December 2, 2013, 9:09pm

Oh, that first child-process must be the GPU-process. You can press Shift+Esc to open Dragon’s taskmanager. Check the PID for the GPU-process and compare with Process Explorer.

“Access denied” and an empty list might mean that Dragon’s (Chromium’s) sandbox is not working properly when sandboxed by Sandboxie, but I am not sure about that. :-\

Boris_3 · December 2, 2013, 9:24pm

You are right. The 1st process child has indeed the same PID as Dragon GPU process.

Thanks a lot JoWa for your help. :-TU