New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 687147 link

Starred by 2 users
Status: Fixed
Owner:
pastarmovj@chromium.org
Closed: Mar 2017
Cc:
georgesak@chromium.org
jsc...@chromium.org
blumberg@chromium.org
penny...@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Feature



Sign in to add a comment

retire no-sandbox-job-flag in favor of automatic detection

Project Member Reported by pastarmovj@chromium.org, Jan 31 2017 
Today if one needs to run Chrome in Citrix or Terminal Services running on Windows Server 2008 R2 as a published app they need to run it with the --allow-no-sanbox-job flag.

This flag makes allows the sandbox to start without creating a Job around its children processes because the rdp host process creates one itself and Windows 2008 does not support nested jobs. 

Currently we check if the flag is set and we are on the affected Windows version and skip the job creation. Instead the proposal is to always attempt the job creation. If it fails we check if we are on Windows Server 2008 R2 and maybe whether we are running in a TS session (if feasible) and then ignore the error if the condition is met.

The reson behind this change is to simplify the deployment of Chrome for remote sessions and to fix issues where Chrome is invoked through file/protocol associations which don't set the required flags on the browser.
Project Member

Comment 1 by bugdroid1@chromium.org, Mar 2 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7091f0852e6a60119f3cdbcc7eb34c479bf93fc9

commit 7091f0852e6a60119f3cdbcc7eb34c479bf93fc9
Author: pastarmovj <pastarmovj@chromium.org>
Date: Thu Mar 02 23:24:16 2017

Deprecated the --allow-no-sandbox-job flag in favor of automatic recognition.

Instead of requiring the user to set the flag when running Chrome in TS
environment, try to recognize the environment and allow the sandbox to
run without this flag whenever needed.

Measure how often the automatic recognition for terminal services environment would have incorrectly decided that the job object should be applied when it shouldn't have been as dictated by the flag --allow-no-sanbox-job.

BUG= 687147 
TEST=Manual in TS env on Win Srv 2k8 R2.

Review-Url: https://codereview.chromium.org/2672003002
Cr-Commit-Position: refs/heads/master@{#454429}

[modify] https://crrev.com/7091f0852e6a60119f3cdbcc7eb34c479bf93fc9/content/common/sandbox_win.cc
[modify] https://crrev.com/7091f0852e6a60119f3cdbcc7eb34c479bf93fc9/tools/metrics/histograms/histograms.xml

Comment 2 by pastarmovj@chromium.org, Mar 9 2017

Status: Fixed (was: Assigned)
Marking this bug as fixed. The flag technically still exists as a last measure in case automatic detection fails but should not be needed in all cases anymore.

Sign in to add a comment