Sandbox build

[FRANCOIS GODIN]

Hello,

I am currently trying to build my own version of the chromium sandbox. My goal is to produce and develop a standalone sandbox (i don't want to build all the chromium project) that is able to run another executable in a sandboxed environment.
But i'm getting stuck, as my sandbox.lib file seems corrupted and unusable. It's worth mentioning that I successfully built sandbox_poc project and made it run without errors.

This is my configuration :
⦁    Windows 10 Education Build 10240
⦁    Visual Studio 2017 15.9.10
⦁    Python 2.7
⦁    Windows 10 SDK

These are the steps I followed, as described on the instructions here https://chromium.googlesource.com/chromium/src/+/master/docs/windows_build_instructions.md
⦁    Installations of MFC/ATL support and Desktop development with C++, both command line and via Visual GUI
⦁    Installation of Windows 10 SDK separately and via Visual GUI
⦁    Download depot_tools
⦁    Run gclient, with Windows Defender disabled, and proxy properly configured (all tools were successfully installed without any error or warning)

⦁    gclient sync
⦁    git configs, mkdir chromium && cd chromium, fetch chromium, cd src
⦁    I run gn gen --ide=vs--filters=//sandbox --no-deps out\Default (or respectively autoninja -C out\Default sandbox/win:sandbox). It's ok for this point : "Generating Visual Studio projects took 10ms; Done. Made 10902 targets from 1852 files in 11701ms" (also tested without --no-deps arg)
⦁    Then i run the all.sln project in the newly created out/Default folder. The 499 .obj files are created without any errors or warnings.
⦁    Until now, everything looks good. This is where things are getting worse : when I create a new Visual Studio project, using the new sandbox.lib stored in out/Default/obj/sandbox/win (along with base.dll and header files linked), i get the (only) LNK1107 error : invalid or corrupt file : can't reat at 0xFDE90.

Did I miss something? Is there another step you followed to build this sandbox and produce a fully usable .lib file?
If it  can help base.dll size is is 44Mo, and sandbox.lib size is 1Mo

Thank you in advance,

Best regards

François Godin

[Daniel Bratell]

Try setting

use_lld=false 

and/or

use_ghash=false

in your args.gn. Windows builds right now default to a custom toolchain and it might not be fully compatible with the Microsoft tools.

/Daniel

--

/* Opera Software, Linköping, Sweden: CET (UTC+1) */

[Dominik Czarnota]

Hey,

I am not into the Chromium Sandbox, but if your goal is to be able to "run another executable in a sandboxed environment" on Windows, you might want to try out Microsoft Sandbox: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849 

jfyi I haven't used it so idk if it fits your needs.

best regards,

disconnect3d

--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.

[Dominik Czarnota]

You might also want to check out:
* https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/appcontainer-isolation

* https://github.com/trailofbits/appjaillauncher-rs or https://blog.trailofbits.com/2017/08/02/microsoft-didnt-sandbox-windows-defender-so-i-did/

(disclaimer: I work for Trail of Bits // I haven't used this tool either :P)