This commit is contained in:
DavidXanatos 2022-09-06 13:45:56 +02:00
parent 3a0649ba88
commit 12e51dcef6
7 changed files with 138 additions and 38 deletions


@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Added ### Added
- added username notation when the LogFile registry setting is applied as workaround for [#2207](https://github.com/sandboxie-plus/Sandboxie/issues/2207) - added username notation when the LogFile registry setting is applied as workaround for [#2207](https://github.com/sandboxie-plus/Sandboxie/issues/2207)
-- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log" -- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log"
- added option to block host processes from accessing sandboxed once [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132)
-- usage: DenyHostAccess=Program.exe,y
- added compatybility template for ReHIPS
### Changed ### Changed
- improved sandman settings behaviour for non admin users [#2123](https://github.com/sandboxie-plus/Sandboxie/issues/2123) - improved sandman settings behaviour for non admin users [#2123](https://github.com/sandboxie-plus/Sandboxie/issues/2123)


@ -186,16 +186,6 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
if (PreInfo->KernelHandle == 1) if (PreInfo->KernelHandle == 1)
return OB_PREOP_SUCCESS; return OB_PREOP_SUCCESS;
//
// Get the sandboxed process if this request comes form one,
// filter only requests from sandboxed processes
//
PROCESS *proc = NULL;
proc = Process_Find(NULL, NULL);
if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
return OB_PREOP_SUCCESS;
// //
// Get information about the intended operation // Get information about the intended operation
// //
@ -231,16 +221,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
if (PreInfo->ObjectType == *PsProcessType) { if (PreInfo->ObjectType == *PsProcessType) {
HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object); HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object);
//
// Ignore requests for threads belonging to the current processes.
//
if (TargetProcessId == PsGetCurrentProcessId())
goto Exit;
PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object; PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object;
if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) { if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
#ifdef DRV_BREAKOUT #ifdef DRV_BREAKOUT
// //
@ -248,12 +230,16 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
// //
BOOLEAN is_breakout = FALSE; BOOLEAN is_breakout = FALSE;
PROCESS *proc;
PROCESS *proc2; PROCESS *proc2;
KIRQL irql; KIRQL irql;
proc2 = Process_Find(TargetProcessId, &irql); proc = Process_Find(NULL, NULL);
if (proc2 && Process_IsStarter(proc, proc2)) { if (proc) {
is_breakout = TRUE; proc2 = Process_Find(TargetProcessId, &irql);
if (proc2 && Process_IsStarter(proc, proc2)) {
is_breakout = TRUE;
}
} }
ExReleaseResourceLite(Process_ListLock); ExReleaseResourceLite(Process_ListLock);
@ -290,16 +276,8 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
else if (PreInfo->ObjectType == *PsThreadType) { else if (PreInfo->ObjectType == *PsThreadType) {
HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object); HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object);
//
// Ignore requests that are trying to open/duplicate the current process.
//
if (TargetProcessId == PsGetCurrentProcessId())
goto Exit;
PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object); PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object);
if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) { if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
*DesiredAccess = 0; // deny any access *DesiredAccess = 0; // deny any access
} }
//ObjectTypeName = L"PsThreadType"; //ObjectTypeName = L"PsThreadType";
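Review bot: In the `@ -248,12 +230,16` hunk the new `if (proc) {` guard around the breakout lookup no longer excludes the `PROCESS_TERMINATED` sentinel that the removed early return (old `if (!proc || (proc == PROCESS_TERMINATED) || ...)`) used to filter, so `Process_IsStarter(proc, proc2)` can now be handed that sentinel; `if (proc && proc != PROCESS_TERMINATED) {` restores the old precondition. The same hunk leaves `ExReleaseResourceLite(Process_ListLock);` unconditional after the block, yet when `proc` is NULL the `Process_Find(TargetProcessId, &irql)` call that appears to take that lock (the unconditional release right after it in the old code suggests it does) is skipped, so the release, and whatever follows it outside the hunk that consumes `irql`, would run without a matching acquire — the release should move inside the new block. Obj_PreOperationCallback begins and ends outside these hunks, and this code is under `#ifdef DRV_BREAKOUT`, so it may not be compiled in every configuration.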


@ -333,12 +333,14 @@ ULONG Process_MatchPathEx(
// Process_GetConf: retrieves a configuration data value for a given process // Process_GetConf: retrieves a configuration data value for a given process
// use with Conf_AdjustUseCount to make sure the returned pointer is valid // use with Conf_AdjustUseCount to make sure the returned pointer is valid
const WCHAR* Process_GetConfEx(BOX* box, const WCHAR* image_name, const WCHAR* setting);
const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting); const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting);
// Process_GetConf_bool: parses a y/n setting. this function does not // Process_GetConf_bool: parses a y/n setting. this function does not
// have to be protected with Conf_AdjustUseCount // have to be protected with Conf_AdjustUseCount
BOOLEAN Process_GetConfEx_bool(BOX* box, const WCHAR* image_name, const WCHAR* setting, BOOLEAN def);
BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def); BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def);


@ -357,11 +357,11 @@ _FX const WCHAR* Process_MatchImageAndGetValue(BOX *box, const WCHAR* value, con
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Process_GetConf // Process_GetConfEx
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
_FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting) _FX const WCHAR* Process_GetConfEx(BOX *box, const WCHAR *image_name, const WCHAR* setting)
{ {
ULONG index = 0; ULONG index = 0;
const WCHAR *value; const WCHAR *value;
@ -370,12 +370,12 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
for (index = 0; ; ++index) { for (index = 0; ; ++index) {
value = Conf_Get(proc->box->name, setting, index); value = Conf_Get(box->name, setting, index);
if (! value) if (! value)
break; break;
ULONG level = -1; ULONG level = -1;
value = Process_MatchImageAndGetValue(proc->box, value, proc->image_name, &level); value = Process_MatchImageAndGetValue(box, value, image_name, &level);
if (!value || level > found_level) if (!value || level > found_level)
continue; continue;
found_value = value; found_value = value;
@ -387,18 +387,29 @@ _FX const WCHAR* Process_GetConf(PROCESS *proc, const WCHAR* setting)
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Process_GetConf_bool // Process_GetConf
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN def) _FX const WCHAR* Process_GetConf(PROCESS* proc, const WCHAR* setting)
{
return Process_GetConfEx(proc->box, proc->image_name, setting);
}
//---------------------------------------------------------------------------
// Process_GetConfEx_bool
//---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConfEx_bool(BOX *box, const WCHAR *image_name, const WCHAR* setting, BOOLEAN def)
{ {
const WCHAR *value; const WCHAR *value;
BOOLEAN retval; BOOLEAN retval;
Conf_AdjustUseCount(TRUE); Conf_AdjustUseCount(TRUE);
value = Process_GetConf(proc, setting); value = Process_GetConfEx(box, image_name, setting);
retval = def; retval = def;
if (value) { if (value) {
@ -414,6 +425,17 @@ _FX BOOLEAN Process_GetConf_bool(PROCESS *proc, const WCHAR* setting, BOOLEAN de
} }
//---------------------------------------------------------------------------
// Process_GetConf_bool
//---------------------------------------------------------------------------
_FX BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN def)
{
return Process_GetConfEx_bool(proc->box, proc->image_name, setting, def);
}
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Process_GetPaths // Process_GetPaths
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
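Review bot: `Process_GetConfEx` is now a separately exported entry point that dereferences `box->name` and passes `image_name` straight to `Process_MatchImageAndGetValue` without any NULL check, and the only statement of its locking contract is the `Conf_AdjustUseCount(TRUE)` bracket in `Process_GetConfEx_bool`; the header block above it should state this so callers other than the two thin wrappers get it right. Suggested comment above the definition: `// box and image_name must be non-NULL; the returned pointer is only valid while the caller holds a Conf use count (see Process_GetConfEx_bool).` The `Process_GetConf` and `Process_GetConf_bool` wrappers could carry a one-liner `// convenience wrapper: resolves box and image_name from proc`. The body of `Process_GetConfEx` spans a hunk boundary, so part of it is not visible here.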


@ -28,6 +28,7 @@
#include "obj.h" #include "obj.h"
#include "session.h" #include "session.h"
#include "api.h" #include "api.h"
#include "util.h"
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
@ -1129,6 +1130,87 @@ finish:
} }
//---------------------------------------------------------------------------
// Thread_CheckObject_CommonEx
//---------------------------------------------------------------------------
_FX NTSTATUS Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess)
{
//
// Ignore requests for threads belonging to the current processes.
//
HANDLE cur_pid = PsGetCurrentProcessId();
if (pid == cur_pid)
return STATUS_SUCCESS;
//
// Get the sandboxed process if this request comes form one
//
PROCESS *proc = Process_Find(NULL, NULL);
//
// This functionality allows to protect boxed processes from host processes
// we need to grant access to sbiesvc.exe and csrss.exe
//
// If the calling process is sandboxed the later common check will do the blocking
//
if (!proc || proc->bHostInject) { // caller is not sandboxed
KIRQL irql;
PROCESS* proc2 = Process_Find(pid, &irql);
BOOLEAN protect_process = FALSE;
if (proc2 && !proc2->bHostInject) { // target is sandboxed
void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
if (nbuf) {
protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);
//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
//
if (protect_process && MyIsProcessRunningAsSystemAccount(cur_pid)) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0))
protect_process = FALSE;
}
Mem_Free(nbuf, nlen);
}
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (protect_process) {
DbgPrint("SBIE: protect boxed processes %d from %d\n", pid, cur_pid);
return STATUS_ACCESS_DENIED;
}
}
//
// filter only requests from sandboxed processes
//
if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
return STATUS_SUCCESS;
return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, EntireProcess, ExplicitAccess);
}
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// Thread_Api_OpenProcess // Thread_Api_OpenProcess
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
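Review bot: `if (!proc || proc->bHostInject)` at the top of `Thread_CheckObject_CommonEx` dereferences `proc` before the later `proc == PROCESS_TERMINATED` check, so when `Process_Find(NULL, NULL)` returns that sentinel (which the function itself treats as a distinct value further down) the host-protection branch reads through it; the removed obj.c code filtered the sentinel before any dereference. Adding `if (proc == PROCESS_TERMINATED) return STATUS_SUCCESS;` directly after the `Process_Find(NULL, NULL)` call keeps the previous behaviour for that case. The `DbgPrint("SBIE: protect boxed processes %d from %d\n", pid, cur_pid);` line passes two `HANDLE` values to `%d`, which is a width mismatch on 64-bit builds; `DbgPrint("SBIE: protect boxed processes %p from %p\n", pid, cur_pid);` matches the argument types. Whether `Process_Find(pid, &irql)` can itself return `PROCESS_TERMINATED` is not visible here; if it can, the `proc2->bHostInject` read has the same issue.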


@ -99,6 +99,11 @@ NTSTATUS Thread_CheckObject_Common(
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess, ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess); BOOLEAN ExplicitAccess);
NTSTATUS Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess);
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------


@ -2287,6 +2287,14 @@ Tmpl.ScanService=pcapsvc
OpenIpcPath=*\BaseNamedObjects*\proxycap_*_event* OpenIpcPath=*\BaseNamedObjects*\proxycap_*_event*
OpenPipePath=\Device\NamedPipe\proxycap_s_pipe OpenPipePath=\Device\NamedPipe\proxycap_s_pipe
[Template_ReHIPS]
Tmpl.Title=ReHIPS
Tmpl.Class=Security
Tmpl.Url=https://rehips.com/
Tmpl.Scan=s
Tmpl.ScanService=ReHIPSService
DenyHostAccess=HIPSAgent64.exe,y
[Template_RoboForm] [Template_RoboForm]
Tmpl.Title=RoboForm Tmpl.Title=RoboForm
Tmpl.Class=Security Tmpl.Class=Security