diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f8e7170..66c0c634 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Added - reworked CreateAppContainerToken hook to return a restricted token instead to fix [#2762](https://github.com/sandboxie-plus/Sandboxie/issues/2762) -- Note: this behaviour can be disabled with 'FakeAppContainerToken=program.exe,n' +- enabled app container compatybility in app compartment mode +-- Note: this should improve msedge compatybility ### Changed - renamed 'DropAppContainerTokens=program.exe,n' to 'DropAppContainerToken=program.exe,n' diff --git a/Sandboxie/core/dll/callsvc.c b/Sandboxie/core/dll/callsvc.c index b603600a..c14f1923 100644 --- a/Sandboxie/core/dll/callsvc.c +++ b/Sandboxie/core/dll/callsvc.c @@ -82,10 +82,8 @@ _FX BOOLEAN SbieDll_IsWow64(void) //--------------------------------------------------------------------------- -_FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent) +_FX NTSTATUS SbieDll_ConnectPort() { - static BOOLEAN ErrorReported = FALSE; - THREAD_DATA *data = Dll_GetTlsData(NULL); if (! data->PortHandle) { @@ -104,14 +102,8 @@ _FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent) &data->PortHandle, &PortName, &QoS, NULL, NULL, &data->MaxDataLen, NULL, NULL); - if (! NT_SUCCESS(status)) { - if (! ErrorReported) { - if (! Silent) - SbieApi_Log(2203, L"connect %08X", status); - ErrorReported = TRUE; - } - return FALSE; - } + if (! NT_SUCCESS(status)) + return status; NtRegisterThreadTerminatePort(data->PortHandle); @@ -141,7 +133,7 @@ _FX BOOLEAN SbieDll_ConnectPort(BOOLEAN Silent) data->MaxDataLen -= data->SizeofPortMsg; } - return TRUE; + return STATUS_SUCCESS; } 
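Review bot: The new definition `_FX NTSTATUS SbieDll_ConnectPort()` in the first callsvc.c hunk has an empty parameter list, which in C leaves arguments unchecked; `_FX NTSTATUS SbieDll_ConnectPort(void)` would match `SbieDll_IsWow64(void)` just above it. The return convention also flips, because `STATUS_SUCCESS` is zero: a caller still written as `if (! SbieDll_ConnectPort(...))` would now treat success as failure. Only the call in SbieDll_CallServer is updated in this diff and no prototype change is visible, so the declaration and any other callers should be checked. The function body spans this hunk and the two that follow it.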
@@ -194,8 +186,12 @@ _FX MSG_HEADER *SbieDll_CallServer(MSG_HEADER *req) BOOLEAN Silent = (req->msgid == MSGID_SBIE_INI_GET_VERSION || req->msgid == MSGID_SBIE_INI_GET_USER || req->msgid == MSGID_PROCESS_CHECK_INIT_COMPLETE); - if (! SbieDll_ConnectPort(Silent)) + status = SbieDll_ConnectPort(); + if (!NT_SUCCESS(status)) { + if (!Dll_AppContainerToken && !Silent) // todo: fix me make service available for appcontainer processes + SbieApi_Log(2203, L"connect %08X (msg_id 0x%04X)", status, req->msgid); return NULL; + } } // diff --git a/Sandboxie/core/dll/dll.h b/Sandboxie/core/dll/dll.h index 370a190c..c86ccd61 100644 --- a/Sandboxie/core/dll/dll.h +++ b/Sandboxie/core/dll/dll.h @@ -290,6 +290,7 @@ extern BOOLEAN Dll_IsXtAjit; extern BOOLEAN Dll_IsSystemSid; extern BOOLEAN Dll_InitComplete; extern BOOLEAN Dll_RestrictedToken; +extern BOOLEAN Dll_AppContainerToken; extern BOOLEAN Dll_ChromeSandbox; extern BOOLEAN Dll_FirstProcessInBox; extern BOOLEAN Dll_CompartmentMode; diff --git a/Sandboxie/core/dll/dllmain.c b/Sandboxie/core/dll/dllmain.c index 8b1d1847..907f3673 100644 --- a/Sandboxie/core/dll/dllmain.c +++ b/Sandboxie/core/dll/dllmain.c @@ -99,6 +99,7 @@ BOOLEAN Dll_IsXtAjit = FALSE; BOOLEAN Dll_IsSystemSid = FALSE; BOOLEAN Dll_InitComplete = FALSE; BOOLEAN Dll_RestrictedToken = FALSE; +BOOLEAN Dll_AppContainerToken = FALSE; BOOLEAN Dll_ChromeSandbox = FALSE; BOOLEAN Dll_FirstProcessInBox = FALSE; BOOLEAN Dll_CompartmentMode = FALSE; @@ -749,6 +750,8 @@ _FX void Dll_SelectImageType(void) } } + Dll_AppContainerToken = Secure_IsAppContainerToken(NULL); + Dll_SkipHook(NULL); } diff --git a/Sandboxie/core/dll/proc.c b/Sandboxie/core/dll/proc.c index eb8f2bff..beb063e3 100644 --- a/Sandboxie/core/dll/proc.c +++ b/Sandboxie/core/dll/proc.c 
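Review bot: With the `static BOOLEAN ErrorReported` latch removed from SbieDll_ConnectPort, the `SbieApi_Log(2203, ...)` call added in SbieDll_CallServer runs on every failed connect instead of once per process, so a process that cannot reach the service can flood the log. The failure is also completely silent when `Dll_AppContainerToken` is set, which hides a broken service path in exactly the processes the todo says are not yet supported. Keeping a one-time latch next to the new log call (`static BOOLEAN ErrorReported = FALSE;`) and emitting a trace-level message on the suppressed path would keep both cases diagnosable. SbieDll_CallServer starts and ends outside this hunk, so how callers handle the `NULL` return is not visible here.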
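Review bot: `Dll_AppContainerToken = Secure_IsAppContainerToken(NULL);` in Dll_SelectImageType sets the flag once, so any code that reads it earlier sees `FALSE`. If SbieDll_CallServer can run before this point, the AppContainer suppression of message 2203 would not apply yet; the diff does not show the call order, so this should be confirmed. No prototype for `Secure_IsAppContainerToken` is added in the visible dll.h hunk, so check that one exists where dllmain.c and proc.c can see it. A short comment on the assignment would help, for example `// cached once: the process token is assumed not to change after start-up`.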
@@ -449,7 +449,7 @@ _FX BOOLEAN Proc_Init(void) // //if (!Dll_CompartmentMode) - if(Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", TRUE)) + if(Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE)) if (Dll_OsBuild >= 9600) // Windows 8.1 and later { void* CreateAppContainerToken = NULL; 
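Review bot: The default in `Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE)` reads more directly as `!Dll_CompartmentMode`. The commented-out `//if (!Dll_CompartmentMode)` just above it is now misleading, because compartment mode changes only the default and not whether the hook can be installed. This setting decides whether a sandboxed process receives a real AppContainer token or the restricted substitute, so the per-mode default deserves a comment, for example `// default: on in normal boxes, off in app compartment mode; override per image with FakeAppContainerToken=program.exe,y`. Proc_Init continues outside this hunk.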
@@ -674,35 +674,17 @@ _FX BOOL Proc_CreateAppContainerToken( PSECURITY_CAPABILITIES SecurityCapabilities, PHANDLE OutToken) { -#if 1 BOOL ret = FALSE; + //SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}; + //SID_AND_ATTRIBUTES Sids[3]; + //typedef BOOL (WINAPI *P_AllocateAndInitializeSid)(_In_ PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, + // _In_ BYTE nSubAuthorityCount, _In_ DWORD nSubAuthority0, _In_ DWORD nSubAuthority1, _In_ DWORD nSubAuthority2, _In_ DWORD nSubAuthority3, + // _In_ DWORD nSubAuthority4, _In_ DWORD nSubAuthority5, _In_ DWORD nSubAuthority6, _In_ DWORD nSubAuthority7, _Outptr_ PSID* pSid ); // - // App containers pose problems even in app compartment mode, - // eg. msedge.exe fails to load SbieDll.dll during initialization - // hence we return a restricted token instead. - // - - /*SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}; - SID_AND_ATTRIBUTES Sids[3]; - - typedef BOOL (WINAPI *P_AllocateAndInitializeSid)( - _In_ PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, - _In_ BYTE nSubAuthorityCount, - _In_ DWORD nSubAuthority0, - _In_ DWORD nSubAuthority1, - _In_ DWORD nSubAuthority2, - _In_ DWORD nSubAuthority3, - _In_ DWORD nSubAuthority4, - _In_ DWORD nSubAuthority5, - _In_ DWORD nSubAuthority6, - _In_ DWORD nSubAuthority7, - _Outptr_ PSID* pSid - ); - HMODULE advapi_dll = LoadLibrary(L"advapi32.dll"); - P_AllocateAndInitializeSid __sys_AllocateAndInitializeSid = (P_AllocateAndInitializeSid)GetProcAddress(advapi_dll, "AllocateAndInitializeSid"); - __sys_AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &dropSids[0].Sid) - */ + //HMODULE advapi_dll = LoadLibrary(L"advapi32.dll"); + //P_AllocateAndInitializeSid __sys_AllocateAndInitializeSid = (P_AllocateAndInitializeSid)GetProcAddress(advapi_dll, "AllocateAndInitializeSid"); + //__sys_AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, 
&dropSids[0].Sid) HANDLE hTokenReal; if (NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), MAXIMUM_ALLOWED, &hTokenReal))) { @@ -723,23 +705,6 @@ _FX BOOL Proc_CreateAppContainerToken( } return ret; -#elif 0 - OBJECT_ATTRIBUTES objattrs; - SECURITY_QUALITY_OF_SERVICE QoS; - - InitializeObjectAttributes(&objattrs, NULL, 0, NULL, NULL); - QoS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); - QoS.ImpersonationLevel = SecurityIdentification; - QoS.ContextTrackingMode = SECURITY_STATIC_TRACKING; - QoS.EffectiveOnly = FALSE; - objattrs.SecurityQualityOfService = &QoS; - - NTSTATUS status = NtDuplicateToken(TokenHandle, MAXIMUM_ALLOWED, &objattrs, FALSE, TokenPrimary, OutToken); - return NT_SUCCESS(status); -#else - BOOL ret = __sys_CreateAppContainerToken(TokenHandle, SecurityCapabilities, OutToken); - return ret; -#endif } @@ -1313,14 +1278,9 @@ _FX BOOL Proc_CreateProcessInternalW( // if (Config_GetSettingsForImageName_bool(L"DropAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE)) { - ULONG returnLength = 0; - BYTE appContainerBuffer[0x80]; - if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) { - PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer; - if (appContainerInfo->TokenAppContainer != NULL) { - hToken = NULL; - SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token"); - } + if (Secure_IsAppContainerToken(hToken)) { + hToken = NULL; + SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token"); } } diff --git a/Sandboxie/core/dll/secure.c b/Sandboxie/core/dll/secure.c index ad45b8bd..be6789c3 100644 --- a/Sandboxie/core/dll/secure.c +++ b/Sandboxie/core/dll/secure.c 
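Review bot: The first proc.c hunk in Proc_CreateAppContainerToken deletes the rationale comment for returning a restricted token (msedge.exe failing to load SbieDll.dll), yet keeps the dead AllocateAndInitializeSid code, re-wrapped as `//` lines with a stray `//` in the middle. I would delete the commented-out block and keep a short header instead, such as `// Returns a restricted token in place of an AppContainer token; controlled by FakeAppContainerToken`. In the lines visible here the hook opens the current process token with `MAXIMUM_ALLOWED` and does not reference `TokenHandle` or `SecurityCapabilities`. If that holds for the part of the body between this hunk and the next, the comment should say so.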
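Review bot: Replacing the inline query with `Secure_IsAppContainerToken(hToken)` in Proc_CreateProcessInternalW changes behaviour when `hToken` is `NULL`. The old `NtQueryInformationToken` call would be expected to fail on a null handle and skip the branch, whereas the new helper treats `NULL` as "open and inspect the current process token". In a process that itself runs with an AppContainer token, a create call without a token would then log "Dropped AppContainer Token" although nothing was dropped. Guarding the call keeps the old meaning: `if (hToken && Secure_IsAppContainerToken(hToken)) {`. The surrounding function lies outside the hunk.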
@@ -1424,7 +1424,7 @@ _FX NTSTATUS Secure_RtlQueryElevationFlags(ULONG *Flags) //--------------------------------------------------------------------------- -// Secure_IsRestrictedToken +// Secure_RtlCheckTokenMembershipEx //--------------------------------------------------------------------------- NTSTATUS Secure_RtlCheckTokenMembershipEx( @@ -1519,6 +1519,39 @@ _FX BOOLEAN Secure_IsRestrictedToken(BOOLEAN CheckThreadToken) } +//--------------------------------------------------------------------------- +// Secure_IsRestrictedToken +//--------------------------------------------------------------------------- + + +_FX BOOLEAN Secure_IsAppContainerToken(HANDLE hToken) +{ + BOOLEAN ret = FALSE; + BOOL bClose = FALSE; + + if (Dll_OsBuild >= 9600) { // Windows 8.1 and later + + if (hToken == NULL) { + if (!NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), TOKEN_QUERY, &hToken))) + return ret; + bClose = TRUE; + } + + ULONG returnLength = 0; + BYTE appContainerBuffer[0x80]; + if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) { + PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer; + ret = appContainerInfo->TokenAppContainer != NULL; + } + + if (bClose) + NtClose(hToken); + } + + return ret; +} + + //--------------------------------------------------------------------------- // Secure_IsTokenLocalSystem //--------------------------------------------------------------------------- diff --git a/Sandboxie/core/dll/sxs.c b/Sandboxie/core/dll/sxs.c index 0231e80b..e95091b3 100644 --- a/Sandboxie/core/dll/sxs.c +++ b/Sandboxie/core/dll/sxs.c 
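Review bot: The banner above the new `Secure_IsAppContainerToken` still reads `// Secure_IsRestrictedToken`, the same copy-paste slip the previous hunk fixes for Secure_RtlCheckTokenMembershipEx; it should be `// Secure_IsAppContainerToken`. The helper returns `FALSE` both for a non-AppContainer token and when `NtOpenProcessToken` or `NtQueryInformationToken` fails, for instance on a handle without `TOKEN_QUERY`. For the DropAppContainerToken caller that is fail-open, because a token that cannot be inspected is passed through as if it were not an AppContainer token. Either document that in a header comment or let the caller tell "query failed" apart from "not an AppContainer". Minor: `bClose` is declared `BOOL` while the rest of the function uses `BOOLEAN`, and `returnLength` is never read.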
@@ -1654,8 +1654,7 @@ _FX BOOLEAN Sxs_InitKernel32(void) // if the sandbox setting DisableBoxedWinSxS=y // - if (Dll_ImageType == DLL_IMAGE_SANDBOXIE_RPCSS || - + if (Dll_ImageType == DLL_IMAGE_SANDBOXIE_RPCSS || Dll_AppContainerToken || Config_GetSettingsForImageName_bool(L"DisableBoxedWinSxS", FALSE)) { Sxs_UseAltCreateActCtx = TRUE;
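Review bot: The comment above this condition in Sxs_InitKernel32 still names only the `DisableBoxedWinSxS=y` setting, while the new `Dll_AppContainerToken ||` term also forces `Sxs_UseAltCreateActCtx = TRUE` for every AppContainer process. The comment should give the reason, presumably that the service port cannot be reached from an AppContainer (the todo in SbieDll_CallServer), for example `// also for AppContainer processes, which cannot connect to the service yet`. The condition depends on Dll_SelectImageType having set the flag before Sxs_InitKernel32 runs; that ordering is not visible in this diff and should be confirmed. The function body extends beyond the hunk.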