Open W1K23 opened 1 year ago
Could you reproduce the same issue with another Firefox-based browser like Tor Browser? Knowing this would be the perfect reason to reach out the Tor developer GeKo who helped Sandboxie users in the past on the #tor IRC channel.
I've tried it before, but I tried it again today. When I change security.sandbox.gpu.level to 0, HW acceleration in Sandboxie still doesn't work. It's weird because Firefox in Sandboxie - about:support writes: Graphics : WebRender, but it still doesn't work in reality. YouTube videos high CPU usage, GPU decoding is not used and the machine gets very hot...
It's the same with Waterfox.
have you tried a green compartment type box?
have you tried a green compartment type box?
Yes, I already wrote it to you in pm. (forum.xanasoft.com) "I installed Plus. HW works in this mode - >("App Compartment <- green icon"), but it's not free, I don't have a certificate for it. :\ There is no other option? pls I don't need any special features, I just want to run the browser normally in Sandboxie."
I noticed that HW acceleration (Video Decode) doesn't work in Edge either when running in the "standard" Sandboxie. Edge and Vivaldi are based on Chromium. But Vivaldi works fine.
Currently the only option to get this working is a green box, future work may improve on that but that's not gong to happen any time soon, there are more pressing things to fix
I really have no idea how the green box works differently than the standard Sandbox. How does it work, how safe is it? I don't need extra features. I don't want to turn anything off, I don't want to turn anything on. I just want to run the browser as is, normally. It may not be an important problem for you, but it's actually a big problem because it slows down and heats up Laptops (and PCs) because it disables the GPU. What's the reason, why HW acceleration doesn't work when it's turned on? It works in one type of browser, but not in another. HW acceleration is a feature that an application uses to perform its tasks more effectively using computer hardware. When running an application like web browser most of its processes and jobs are handled by the CPU. Internal hardware such as graphics and the sound card will handle operations that a CPU struggles with when you enable hw acceleration in some programs. If you turn on this setting, the CPU will have still have enough resources to run another process smoothly. If you watch a video on a web browser with hw acceleration turned off, the CPU will handle everything. The CPU will struggle to deliver if the workload is heavy. HW acceleration improves application performance, improves CPU health as there is less load, increases battery life.... But, I can't use the green box because it only works for 5 minutes and it's not even safe. Do I have to pay to be able to run a browser normally in Sandboxie? I don't understand.
HW acceleration requires access to API's which apparently don't work when called by restricted processes, simply put a program running in a yellow box does not have the permissions to use some of the API's it needs for hardware acceleration.
A green box which is less restrictive (to be clear its still very secure on par with other Sandboxing solutions like comodo) allows the process to use its regular security token and those it can access those API's hence HW acceleration works.
Using a green box is safe, just using a yellow one is even safer.
Do I have to pay to be able to run a browser normally in Sandboxie?
Yes apparently that would be the easiest option.
Alternatively you could research which API calls are failing on a yellow box, and devise a scheme to make them succeed, perhaps proxying them through a SbieSvc worker in the users session would do the trick, or may be you could change the DACLs of some securable objects accessed by that API, and commit the changes to the project allowing more people to run software with HW acceleration in a yellow box.
We have over a hundred todo's in the open issues, a quarter of them urgent, so on what we work depends on how relevant it is, and if there is a workaround.
As long as the browser works its not a critical issue, HW acceleration is just a nice to have.
"put a program running in a yellow box does not have the permissions to use some of the API's it needs for hardware acceleration."
Temporarily there isn't a command line that would enable this if I typed it into the Sandboxie.ini configuration file? In the past, when there were any issues in SBoxie, typing a command line into the Sandboxie.ini config file was usually the solution.
have you tried a green compartment type box?
Yes, I already wrote it to you in pm. (forum.xanasoft.com) "I installed Plus. HW works in this mode - >("App Compartment <- green icon"), but it's not free, I don't have a certificate for it. :\ There is no other option? pls I don't need any special features, I just want to run the browser normally in Sandboxie."
I don't understand what happened, but I tried again. Currently HW acceleration doesn't work in the Green Box either, only about:support says WebRender, (just like when I change the security.sandbox.gpu.level value to 0), but it doesn't work actually. No video decoding on YouTube, cpu usage and temperature are high. This is weird. When I tried it before (May 04, 2023), it still worked. Since then there have been 1-2 Firefox updates.
Firefox in Green Box: (60% high CPU usage and temp, no video decode) pic 1 pic 2 Vivaldi in Green Box: (9% low CPU usage and temp, video decode works) pic 3 pic 4
This is strange, for me the green box works just fine, perhaps you have miss configured something, try deleting the box content.
Also a note on the security of a green box, while generally a yellow box is more secure, when used with security minded software like FireFox or Chromium (which try to set up an own user mode sandbox anyways) on windows 10 systems using a green box in combination with the built in sand-boxing, can be more secure, depending on the attack vector. The only in any scenario more secure configuration is a red box with data protection.
The reason for this unexpected behavior is the use of app container Isoaltion by the built in sand-boxing schemes, its not compatible with a yellow box and those downgraded to a restricted token when possible. So what happens is that in case of an exploit in a worker process an attacker can easier escalate their access to take over the sandbox. Of cause deleting the content of said sandbox takes reliably care of that. But in a sandbox without data protection this means they can read everything the user would have regularly access to.
On the other hand when starting something downloaded of the web which does not try to constrain itself a yellow box is more secure. Its a trade of...
This lets me think I should add a feature based on process breakout that would allow the user to run a web browser in a green box but automatically run everything that is downloaded of the web i.e. not part of the web browser in a separate box.
@DavidXanatos Is Video Decode
being used in the GPU section of the Task Manager when playing videos (vp9) in MS Edge or Firefox running in the sandbox? It is not being used on my system.
Tested with: Windows 10 22H2 Sandboxie Plus 1.10.0e (with App Comp) Firefox 115 (with security.sandbox.gpu.level=0) Ms Edge 115
"perhaps you have miss configured something, try deleting the box content."
I can't configure it incorrectly. Create a new box - green - next - finish. I always delete the content of the box after exiting. (In the Settings, I set the automatic deletion of the content... and also manually.) But, I deleted the GreenBox and created a new one. I tried it again and same result. HW acc doesn't work...
@DavidXanatos > HW acceleration requires access to API's which apparently don't work when called by restricted processes, simply put a program running in a yellow box does not have the permissions to use some of the API's it needs for hardware acceleration.
I can't believe that the HW acceleration is still not fixed and not working on Firefox, despite several updates since then! What's the problem? Why can't it be fixed? Meanwhile it works smoothly on Vivaldi. Is there no security risk on Vivaldi? Do they not require access to APIs for HW acceleration? I don't understand. I just want to use Firefox normally again.
It works with the h264ify extension, but it cannot reach a resolution higher than 1080p. Nowadays 4K is already a standard resolution on YouTube. However if hardware acceleration works with H.264, then it might be some issue with VP8/VP9/AV1 codecs in Sandboxie.
Hardware-Acceleration (GPU) also seems to work suboptimally by SandBoxie+ with these two other Web-Browser-Projects - mentioned in this Context:
With Firefox running in software mode inside Sandboxie, many Youtube videos do not play smoothly, e.g., you can feel the fps drop to a noticeable level every few seconds. This doesn't happen when running Firefox outside Sandboxie. I have attached the about:support page comparison below. When in Sandboxie, many of the codecs show as unsupported. Hopefully this gets more urgency as an issue, because video quality is quite important to today's browsing experience. I have Ryzen 5600 CPU and AMD RX 5700 GPU with a 4K monitor.
Firefox can be used for webpages that don't play any video content. Otherwise, I recommend Edge instead of Chrome.
Edge has different, harder to reproduce issue with HW acceleration.
Describe what you noticed and did
For a long time, I was angry with Firefox for playing YouTube videos with a much higher CPU usage than Edge, Chrome. I thought Youtube was optimized for chromium. Today I finally found the cause of the problem. I always run Firefox in Sandboxie. Hardware acceleration doesn't work in SandBoxie. Therefore the CPU usage is 3 times higher and my computer gets very hot while playing 4K videos. When Firefox is started in the normal way, there is no high CPU usage and the notebook doesn't heat up, the fan doesn't spin. I tried Vivaldi running in Sandboxie and it uses hw acceleration normally. Why? What's the difference? How to turn on Firefox hardware acceleration in Sandboxie?
Firefox by default, about:support , Graphics - Compositing: WebRender Test video 4K, CPU usage 4-8%, 55°C
Firefox in Sandboxie, Graphics - Compositing: WebRender (software) Test video 4K, CPU usage 34%, 91°C
Still no solution? VP9 Hardware Acceleration Broken for Firefox and Edge
I asked about this on the Xanasoft forum on Apr 28, 2023, but I didn't get any meaningful answers! I can't believe there isn't a setting, e.g. in config.ini... I've been using Sandboxie for about 10 years, but it's been a while I (and my family) can't use it normally because it slows down our new laptops. Please help!
How often did you encounter it so far?
all the time
Affected program
Firefox
Download link
Not relevant
Where is the program located?
Not relevant to my request.
Expected behavior
Keep HW acceleration available in firefox even when running in Sandboxie.
What is your Windows edition and version?
Win 10, 11
In which Windows account you have this problem?
Not relevant to my request.
Please mention any installed security software
Comodo IS
What version of Sandboxie are you running?
currently SandBoxie Plus 1.9.8
Is it a new installation of Sandboxie?
I just updated Sandboxie from a previous version (I remember which one it is).
Is it a regression?
I don't remember.
In which sandbox type you have this problem?
In a standard isolation sandbox (yellow sandbox icon).
Can you reproduce this problem on a new empty sandbox?
I can confirm it also on a new empty sandbox.
Did you previously enable some security policy settings outside Sandboxie?
.
Crash dump
.
Trace log
.
Sandboxie.ini configuration