This commit is contained in:
DavidXanatos 2022-09-06 13:45:56 +02:00
parent 3a0649ba88
commit 12e51dcef6
7 changed files with 138 additions and 38 deletions


@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Added
- added username notation when the LogFile registry setting is applied as workaround for [#2207](https://github.com/sandboxie-plus/Sandboxie/issues/2207)
-- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log"
- added option to block host processes from accessing sandboxed once [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132)
-- usage: DenyHostAccess=Program.exe,y
- added compatybility template for ReHIPS
### Changed
- improved sandman settings behaviour for non admin users [#2123](https://github.com/sandboxie-plus/Sandboxie/issues/2123)


@ -186,16 +186,6 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
if (PreInfo->KernelHandle == 1)
return OB_PREOP_SUCCESS;
//
// Get the sandboxed process if this request comes form one,
// filter only requests from sandboxed processes
//
PROCESS *proc = NULL;
proc = Process_Find(NULL, NULL);
if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
return OB_PREOP_SUCCESS;
//
// Get information about the intended operation
//
@ -231,16 +221,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
if (PreInfo->ObjectType == *PsProcessType) {
HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object);
//
// Ignore requests for threads belonging to the current processes.
//
if (TargetProcessId == PsGetCurrentProcessId())
goto Exit;
PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object;
if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
#ifdef DRV_BREAKOUT
//
@ -248,12 +230,16 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
//
BOOLEAN is_breakout = FALSE;
PROCESS *proc;
PROCESS *proc2;
KIRQL irql;
proc2 = Process_Find(TargetProcessId, &irql);
if (proc2 && Process_IsStarter(proc, proc2)) {
is_breakout = TRUE;
proc = Process_Find(NULL, NULL);
if (proc) {
proc2 = Process_Find(TargetProcessId, &irql);
if (proc2 && Process_IsStarter(proc, proc2)) {
is_breakout = TRUE;
}
}
ExReleaseResourceLite(Process_ListLock);
@ -290,16 +276,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
else if (PreInfo->ObjectType == *PsThreadType) {
HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object);
//
// Ignore requests that are trying to open/duplicate the current process.
//
if (TargetProcessId == PsGetCurrentProcessId())
goto Exit;
PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object);
if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
*DesiredAccess = 0; // deny any access
}
//ObjectTypeName = L"PsThreadType";
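Review bot: In the DRV_BREAKOUT hunk (L57–L64) `ExReleaseResourceLite(Process_ListLock)` on L64 now runs even when `Process_Find(NULL, NULL)` returned NULL and the `if (proc)` body — the only place the lock is taken, via `Process_Find(TargetProcessId, &irql)` — was skipped, so the lock is released without having been acquired and the IRQL restore that presumably follows the hunk sees an uninitialized `irql`. The same lookup can also return PROCESS_TERMINATED (the new L216 in thread.c still tests for it), which `Process_IsStarter(proc, proc2)` would then dereference. This only compiles when DRV_BREAKOUT is defined, but in that build it sits on every process-handle open. Move the release (and the IRQL restore) inside the guarded block and exclude the sentinel; Obj_PreOperationCallback itself starts before and ends after this section.
```c
proc = Process_Find(NULL, NULL);
if (proc && proc != PROCESS_TERMINATED) {
    proc2 = Process_Find(TargetProcessId, &irql);
    if (proc2 && Process_IsStarter(proc, proc2)) {
        is_breakout = TRUE;
    }
    ExReleaseResourceLite(Process_ListLock);
    // … the matching KeLowerIrql(irql), if it follows the hunk, belongs here as well …
}
```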


@ -333,12 +333,14 @@ ULONG Process_MatchPathEx(
// Process_GetConf: retrieves a configuration data value for a given process
// use with Conf_AdjustUseCount to make sure the returned pointer is valid
const WCHAR* Process_GetConfEx(BOX* box, const WCHAR* image_name, const WCHAR* setting);
const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting);
// Process_GetConf_bool: parses a y/n setting. this function does not
// have to be protected with Conf_AdjustUseCount
BOOLEAN Process_GetConfEx_bool(BOX* box, const WCHAR* image_name, const WCHAR* setting, BOOLEAN def);
BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def);


@ -357,11 +357,11 @@ _FX const WCHAR* Process_MatchImageAndGetValue(BOX *box, const WCHAR* value, con
//---------------------------------------------------------------------------
// Process_GetConf
// Process_GetConfEx
//---------------------------------------------------------------------------
_FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
_FX const WCHAR* Process_GetConfEx(BOX *box, const WCHAR *image_name, const WCHAR* setting)
{
ULONG index = 0;
const WCHAR *value;
@ -370,12 +370,12 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
for (index = 0; ; ++index) {
value = Conf_Get(proc->box->name, setting, index);
value = Conf_Get(box->name, setting, index);
if (! value)
break;
ULONG level = -1;
value = Process_MatchImageAndGetValue(proc->box, value, proc->image_name, &level);
value = Process_MatchImageAndGetValue(box, value, image_name, &level);
if (!value || level > found_level)
continue;
found_value = value;
@ -387,18 +387,29 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
//---------------------------------------------------------------------------
// Process_GetConf_bool
// Process_GetConf
//---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN def)
_FX const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting)
{
return Process_GetConfEx(proc->box, proc->image_name, setting);
}
//---------------------------------------------------------------------------
// Process_GetConfEx_bool
//---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConfEx_bool(BOX *box, const WCHAR *image_name, const WCHAR* setting, BOOLEAN def)
{
const WCHAR *value;
BOOLEAN retval;
Conf_AdjustUseCount(TRUE);
value = Process_GetConf(proc, setting);
value = Process_GetConfEx(box, image_name, setting);
retval = def;
if (value) {
@ -414,6 +425,17 @@ _FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN de
}
//---------------------------------------------------------------------------
// Process_GetConf_bool
//---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def)
{
return Process_GetConfEx_bool(proc->box, proc->image_name, setting, def);
}
//---------------------------------------------------------------------------
// Process_GetPaths
//---------------------------------------------------------------------------


@ -28,6 +28,7 @@
#include "obj.h"
#include "session.h"
#include "api.h"
#include "util.h"
//---------------------------------------------------------------------------
@ -1129,6 +1130,87 @@ finish:
}
//---------------------------------------------------------------------------
// Thread_CheckObject_CommonEx
//---------------------------------------------------------------------------
_FX NTSTATUS Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess)
{
//
// Ignore requests for threads belonging to the current processes.
//
HANDLE cur_pid = PsGetCurrentProcessId();
if (pid == cur_pid)
return STATUS_SUCCESS;
//
// Get the sandboxed process if this request comes form one
//
PROCESS *proc = Process_Find(NULL, NULL);
//
// This functionality allows to protect boxed processes from host processes
// we need to grant access to sbiesvc.exe and csrss.exe
//
// If the calling process is sandboxed the later common check will do the blocking
//
if (!proc || proc->bHostInject) { // caller is not sandboxed
KIRQL irql;
PROCESS* proc2 = Process_Find(pid, &irql);
BOOLEAN protect_process = FALSE;
if (proc2 && !proc2->bHostInject) { // target is sandboxed
void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
if (nbuf) {
protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);
//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
//
if (protect_process && MyIsProcessRunningAsSystemAccount(cur_pid)) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0))
protect_process = FALSE;
}
Mem_Free(nbuf, nlen);
}
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (protect_process) {
DbgPrint("SBIE: protect boxed processes %d from %d\n", pid, cur_pid);
return STATUS_ACCESS_DENIED;
}
}
//
// filter only requests from sandboxed processes
//
if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
return STATUS_SUCCESS;
return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, EntireProcess, ExplicitAccess);
}
//---------------------------------------------------------------------------
// Thread_Api_OpenProcess
//---------------------------------------------------------------------------
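Review bot: L185 dereferences `proc->bHostInject` before excluding the PROCESS_TERMINATED sentinel, while L216 in the same function (and the callback code this replaces, old L30) test `proc == PROCESS_TERMINATED` first; if `Process_Find(NULL, NULL)` can return that sentinel for a terminating boxed caller, this reads through an invalid pointer on the process/thread handle-open path. Restore the original ordering with `if (proc == PROCESS_TERMINATED) return STATUS_SUCCESS;` directly after the lookup on L178, which also keeps the pre-commit behaviour of allowing the operation for terminated callers; whether `Process_Find(pid, &irql)` on L187 can return the sentinel too should be confirmed, since L189 dereferences `proc2` as well. The `DbgPrint` on L209 formats two HANDLE values with `%d`; on 64-bit builds those are pointer-sized, so `%p` (or `(ULONG)(ULONG_PTR)pid`) avoids a mismatched format. The csrss.exe/sbiesvc.exe exemption on L199–L201 is decided by image name plus the SYSTEM-account check alone, so any SYSTEM process carrying one of those names is exempt — acceptable if the host is trusted, but a comment stating that assumption next to the `_wcsicmp` calls would help the next reader.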


@ -99,6 +99,11 @@ NTSTATUS Thread_CheckObject_Common(
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess);
NTSTATUS Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess);
//---------------------------------------------------------------------------


@ -2287,6 +2287,14 @@ Tmpl.ScanService=pcapsvc
OpenIpcPath=*\BaseNamedObjects*\proxycap_*_event*
OpenPipePath=\Device\NamedPipe\proxycap_s_pipe
[Template_ReHIPS]
Tmpl.Title=ReHIPS
Tmpl.Class=Security
Tmpl.Url=https://rehips.com/
Tmpl.Scan=s
Tmpl.ScanService=ReHIPSService
DenyHostAccess=HIPSAgent64.exe,y
[Template_RoboForm]
Tmpl.Title=RoboForm
Tmpl.Class=Security