1.8.2

CHANGELOG.md

@@ -11,6 +11,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - reworked CreateAppContainerToken hook to return a restricted token instead to fix [#2762](https://github.com/sandboxie-plus/Sandboxie/issues/2762)
 -- Note: this behaviour can be disabled with 'FakeAppContainerToken=program.exe,n'
+- enabled app container compatybility in app compartment mode
+-- Note: this should improve msedge compatybility
 
 ### Changed
 - renamed 'DropAppContainerTokens=program.exe,n' to 'DropAppContainerToken=program.exe,n'

Sandboxie/core/dll/callsvc.c

@@ -82,10 +82,8 @@ _FX BOOLEAN SbieDll_IsWow64(void)
 //---------------------------------------------------------------------------
 
 
-_FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent)
+_FX NTSTATUS SbieDll_ConnectPort()
 {
-    static BOOLEAN ErrorReported = FALSE;
-
     THREAD_DATA *data = Dll_GetTlsData(NULL);
     if (! data->PortHandle) {
 
@@ -104,14 +102,8 @@ _FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent)
             &data->PortHandle, &PortName, &QoS,
             NULL, NULL, &data->MaxDataLen, NULL, NULL);
 
-        if (! NT_SUCCESS(status)) {
-            if (! ErrorReported) {
-                if (! Silent)
-                    SbieApi_Log(2203, L"connect %08X", status);
-                ErrorReported = TRUE;
-            }
-            return FALSE;
-        }
+        if (! NT_SUCCESS(status)) 
+            return status;
 
         NtRegisterThreadTerminatePort(data->PortHandle);
 
@@ -141,7 +133,7 @@ _FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent)
         data->MaxDataLen -= data->SizeofPortMsg;
     }
 
-    return TRUE;
+    return STATUS_SUCCESS;
 }
 
 
@@ -194,8 +186,12 @@ _FX MSG_HEADER *SbieDll_CallServer(MSG_HEADER *req)
         BOOLEAN Silent = (req->msgid == MSGID_SBIE_INI_GET_VERSION ||
                           req->msgid == MSGID_SBIE_INI_GET_USER ||
                           req->msgid == MSGID_PROCESS_CHECK_INIT_COMPLETE);
-        if (! SbieDll_ConnectPort(Silent))
+        status = SbieDll_ConnectPort();
+        if (!NT_SUCCESS(status)) {
+            if (!Dll_AppContainerToken && !Silent) // todo: fix me make service available for appcontainer processes
+                SbieApi_Log(2203, L"connect %08X (msg_id 0x%04X)", status, req->msgid);
             return NULL;
+        }
     }
 
     //

Sandboxie/core/dll/dll.h

@@ -290,6 +290,7 @@ extern BOOLEAN Dll_IsXtAjit;
 extern BOOLEAN Dll_IsSystemSid;
 extern BOOLEAN Dll_InitComplete;
 extern BOOLEAN Dll_RestrictedToken;
+extern BOOLEAN Dll_AppContainerToken;
 extern BOOLEAN Dll_ChromeSandbox;
 extern BOOLEAN Dll_FirstProcessInBox;
 extern BOOLEAN Dll_CompartmentMode;

Sandboxie/core/dll/dllmain.c

@@ -99,6 +99,7 @@ BOOLEAN Dll_IsXtAjit = FALSE;
 BOOLEAN Dll_IsSystemSid = FALSE;
 BOOLEAN Dll_InitComplete = FALSE;
 BOOLEAN Dll_RestrictedToken = FALSE;
+BOOLEAN Dll_AppContainerToken = FALSE;
 BOOLEAN Dll_ChromeSandbox = FALSE;
 BOOLEAN Dll_FirstProcessInBox = FALSE;
 BOOLEAN Dll_CompartmentMode = FALSE;
@@ -749,6 +750,8 @@ _FX void Dll_SelectImageType(void)
         }
     }
 
+    Dll_AppContainerToken = Secure_IsAppContainerToken(NULL);
+
     Dll_SkipHook(NULL);
 }
 

Sandboxie/core/dll/proc.c

@@ -449,7 +449,7 @@ _FX BOOLEAN Proc_Init(void)
     //
 
     //if (!Dll_CompartmentMode)
-    if(Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", TRUE))
+    if(Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE))
     if (Dll_OsBuild >= 9600) // Windows 8.1 and later
     {
         void* CreateAppContainerToken = NULL;
@@ -674,35 +674,17 @@ _FX BOOL Proc_CreateAppContainerToken(
     PSECURITY_CAPABILITIES SecurityCapabilities,
     PHANDLE OutToken)
 {
-#if 1
     BOOL ret = FALSE;
 
+    //SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
+    //SID_AND_ATTRIBUTES Sids[3];
+    //typedef BOOL (WINAPI *P_AllocateAndInitializeSid)(_In_ PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
+    //    _In_ BYTE nSubAuthorityCount, _In_ DWORD nSubAuthority0, _In_ DWORD nSubAuthority1, _In_ DWORD nSubAuthority2, _In_ DWORD nSubAuthority3, 
+    //    _In_ DWORD nSubAuthority4, _In_ DWORD nSubAuthority5, _In_ DWORD nSubAuthority6, _In_ DWORD nSubAuthority7, _Outptr_ PSID* pSid );
     //
-    // App containers pose problems even in app compartment mode, 
-    // eg. msedge.exe fails to load SbieDll.dll during initialization
-    // hence we return a restricted token instead.
-    //
-
-    /*SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
-    SID_AND_ATTRIBUTES Sids[3];
-
-    typedef BOOL (WINAPI *P_AllocateAndInitializeSid)(
-        _In_ PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
-        _In_ BYTE nSubAuthorityCount,
-        _In_ DWORD nSubAuthority0,
-        _In_ DWORD nSubAuthority1,
-        _In_ DWORD nSubAuthority2,
-        _In_ DWORD nSubAuthority3,
-        _In_ DWORD nSubAuthority4,
-        _In_ DWORD nSubAuthority5,
-        _In_ DWORD nSubAuthority6,
-        _In_ DWORD nSubAuthority7,
-        _Outptr_ PSID* pSid
-        );
-    HMODULE advapi_dll = LoadLibrary(L"advapi32.dll");
-    P_AllocateAndInitializeSid __sys_AllocateAndInitializeSid = (P_AllocateAndInitializeSid)GetProcAddress(advapi_dll, "AllocateAndInitializeSid");
-    __sys_AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &dropSids[0].Sid)
-    */
+    //HMODULE advapi_dll = LoadLibrary(L"advapi32.dll");
+    //P_AllocateAndInitializeSid __sys_AllocateAndInitializeSid = (P_AllocateAndInitializeSid)GetProcAddress(advapi_dll, "AllocateAndInitializeSid");
+    //__sys_AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &dropSids[0].Sid)
 
     HANDLE hTokenReal;
     if (NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), MAXIMUM_ALLOWED, &hTokenReal))) {
@@ -723,23 +705,6 @@ _FX BOOL Proc_CreateAppContainerToken(
     }
 
     return ret;
-#elif 0
-    OBJECT_ATTRIBUTES objattrs;
-    SECURITY_QUALITY_OF_SERVICE QoS;
-
-    InitializeObjectAttributes(&objattrs, NULL, 0, NULL, NULL);
-    QoS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
-    QoS.ImpersonationLevel = SecurityIdentification;
-    QoS.ContextTrackingMode = SECURITY_STATIC_TRACKING;
-    QoS.EffectiveOnly = FALSE;
-    objattrs.SecurityQualityOfService = &QoS;
-
-    NTSTATUS status = NtDuplicateToken(TokenHandle, MAXIMUM_ALLOWED, &objattrs, FALSE, TokenPrimary, OutToken);
-    return NT_SUCCESS(status);
-#else
-    BOOL ret = __sys_CreateAppContainerToken(TokenHandle, SecurityCapabilities, OutToken);
-    return ret;
-#endif
 }
 
 
@@ -1313,14 +1278,9 @@ _FX BOOL Proc_CreateProcessInternalW(
     //
 
     if (Config_GetSettingsForImageName_bool(L"DropAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE)) {
-        ULONG returnLength = 0;
-        BYTE appContainerBuffer[0x80];
-        if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) {
-            PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer;
-            if (appContainerInfo->TokenAppContainer != NULL) {
-                hToken = NULL;
-                SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token");
-            }
+        if (Secure_IsAppContainerToken(hToken)) {
+            hToken = NULL;
+            SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token");
         }
     }
 

Sandboxie/core/dll/secure.c

@@ -1424,7 +1424,7 @@ _FX NTSTATUS Secure_RtlQueryElevationFlags(ULONG *Flags)
 
 
 //---------------------------------------------------------------------------
-// Secure_IsRestrictedToken
+// Secure_RtlCheckTokenMembershipEx
 //---------------------------------------------------------------------------
 
 NTSTATUS Secure_RtlCheckTokenMembershipEx(
@@ -1519,6 +1519,39 @@ _FX BOOLEAN Secure_IsRestrictedToken(BOOLEAN CheckThreadToken)
 }
 
 
+//---------------------------------------------------------------------------
+// Secure_IsRestrictedToken
+//---------------------------------------------------------------------------
+
+
+_FX BOOLEAN Secure_IsAppContainerToken(HANDLE hToken)
+{
+    BOOLEAN ret = FALSE;
+    BOOL bClose = FALSE;
+
+    if (Dll_OsBuild >= 9600) { // Windows 8.1 and later
+
+        if (hToken == NULL) {
+            if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken)))
+                return ret;
+            bClose = TRUE;
+        }
+
+        ULONG returnLength = 0;
+        BYTE appContainerBuffer[0x80];
+        if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) {
+            PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer;
+            ret = appContainerInfo->TokenAppContainer != NULL;
+        }
+
+        if (bClose)
+            NtClose(hToken);
+    }
+
+    return ret;
+}
+
+
 //---------------------------------------------------------------------------
 // Secure_IsTokenLocalSystem
 //---------------------------------------------------------------------------

Sandboxie/core/dll/sxs.c

@@ -1654,8 +1654,7 @@ _FX BOOLEAN Sxs_InitKernel32(void)
         // if the sandbox setting DisableBoxedWinSxS=y
         //
 
-        if (Dll_ImageType == DLL_IMAGE_SANDBOXIE_RPCSS ||
-
+        if (Dll_ImageType == DLL_IMAGE_SANDBOXIE_RPCSS || Dll_AppContainerToken ||
                 Config_GetSettingsForImageName_bool(L"DisableBoxedWinSxS", FALSE)) {
 
             Sxs_UseAltCreateActCtx = TRUE;