reinismu
commented
2 years ago I think it should be, might need to recompile with correct flags, tho haven't tried it.
Out of curiosity, why do you want to sandbox?
Closed heftig closed 2 years ago
reinismu
commented
2 years ago I think it should be, might need to recompile with correct flags, tho haven't tried it.
Out of curiosity, why do you want to sandbox?
heftig
commented
2 years ago It seemed like low-hanging security fruit.
MathieuDuponchelle
commented
2 years ago The sandbox is disabled here: https://github.com/centricular/gstcefsrc/blob/master/gstcefsrc.cc#L416 . I've never tried, but maybe just remove that line and see what happens? :)
heftig
commented
2 years ago That does seem to work in a Docker container, assuming it is privileged (so it can create namespaces) and the application does not run as root.
MathieuDuponchelle
commented
2 years ago OK. To be honest I haven't researched at all the implications of disabling or enabling that feature, it is disabled in the element because that's how CEF's offscreen rendering example works if I recall correctly. If you think something can be improved, or a property should be exposed, feel free to propose a patch :)
MathieuDuponchelle
commented
2 years ago @heftig , is there anything more we should do here, or can this be closed?
Is it possible to enable the sandbox?