1.14.3
This commit is contained in:
parent
b6b97a88aa
commit
1373fa4e65
|
@ -7,6 +7,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
### Changed
|
||||
- changed Qt 5 version to Qt 5.15.14 with OpenSSL 3.3.1 [#3994](https://github.com/sandboxie-plus/Sandboxie/pull/3994) (thanks offhub)
|
||||
|
||||
### Fixed
|
||||
- fixed Applications cannot be launched as admin in a sandbox with "UseCreateToken/SandboxieAllGroup" enabled when using an MSFT account [#4022](https://github.com/sandboxie-plus/Sandboxie/issues/4022)
|
||||
|
||||
|
||||
|
||||
## [1.14.2 / 5.69.2] - 2024-06-19
|
||||
|
|
|
@ -2333,13 +2333,7 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
|
|||
memcpy(LocalUser->User.Sid, proc->SandboxieLogonSid, RtlLengthSid(proc->SandboxieLogonSid));
|
||||
}
|
||||
|
||||
//UNICODE_STRING unicodeString;
|
||||
//status = RtlConvertSidToUnicodeString(&unicodeString, LocalUser->User.Sid, TRUE);
|
||||
//if (NT_SUCCESS(status)) {
|
||||
// DbgPrint("SID: %wZ\n", &unicodeString);
|
||||
// RtlFreeUnicodeString(&unicodeString);
|
||||
//}
|
||||
|
||||
retry:
|
||||
status = SbieCreateToken(
|
||||
&TokenHandle,
|
||||
TOKEN_ALL_ACCESS,
|
||||
|
@ -2362,58 +2356,28 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
|
|||
LocalSource
|
||||
);
|
||||
|
||||
if (proc->SandboxieLogonSid && status == STATUS_INVALID_PRIMARY_GROUP && LocalPrimaryGroup->PrimaryGroup != LocalUser->User.Sid)
|
||||
{
|
||||
//
|
||||
// For online accounts we must change the primary group
|
||||
//
|
||||
|
||||
if (proc->SandboxieLogonSid && status == STATUS_INVALID_PRIMARY_GROUP)
|
||||
{
|
||||
ExFreePool((PVOID)LocalPrimaryGroup);
|
||||
LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)ExAllocatePoolWithTag(PagedPool, sizeof(PTOKEN_PRIMARY_GROUP), tzuk);
|
||||
LocalPrimaryGroup->PrimaryGroup = LocalUser->User.Sid;
|
||||
|
||||
status = SbieCreateToken(
|
||||
&TokenHandle,
|
||||
TOKEN_ALL_ACCESS,
|
||||
&ObjectAttributes,
|
||||
TokenType,
|
||||
&AuthenticationId,
|
||||
&ExpirationTime,
|
||||
LocalUser,
|
||||
LocalGroups,
|
||||
LocalPrivileges,
|
||||
|
||||
0, //UserAttributes,
|
||||
0, //DeviceAttributes,
|
||||
0, //DeviceGroups,
|
||||
MandatoryPolicy,
|
||||
|
||||
LocalOwner,
|
||||
LocalPrimaryGroup,
|
||||
NewDefaultDacl,
|
||||
LocalSource
|
||||
);
|
||||
goto retry;
|
||||
}
|
||||
|
||||
if (NT_SUCCESS(status))
|
||||
status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle);
|
||||
|
||||
else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && !NewDacl)
|
||||
{
|
||||
//
|
||||
// Retry with new DACLs on error
|
||||
//
|
||||
|
||||
if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER)
|
||||
{
|
||||
DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize;
|
||||
|
||||
// Construct a new ACL
|
||||
NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk);
|
||||
if (NULL == NewDefaultDacl)
|
||||
{
|
||||
Log_Status_Ex_Process(MSG_1222, 0xA2, status, NULL, proc->box->session_id, proc->pid);
|
||||
goto finish;
|
||||
}
|
||||
|
||||
memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length);
|
||||
|
||||
NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL));
|
||||
|
@ -2425,30 +2389,9 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
|
|||
|
||||
RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner);
|
||||
|
||||
status = SbieCreateToken(
|
||||
&TokenHandle,
|
||||
TOKEN_ALL_ACCESS,
|
||||
&ObjectAttributes,
|
||||
TokenType,
|
||||
&AuthenticationId,
|
||||
&ExpirationTime,
|
||||
LocalUser,
|
||||
LocalGroups,
|
||||
LocalPrivileges,
|
||||
goto retry;
|
||||
}
|
||||
|
||||
0, //UserAttributes,
|
||||
0, //DeviceAttributes,
|
||||
0, //DeviceGroups,
|
||||
MandatoryPolicy,
|
||||
|
||||
LocalOwner,
|
||||
LocalPrimaryGroup,
|
||||
NewDefaultDacl,
|
||||
LocalSource
|
||||
);
|
||||
|
||||
if (NT_SUCCESS(status))
|
||||
status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle);
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
|
@ -2456,20 +2399,28 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
|
|||
goto finish;
|
||||
}
|
||||
|
||||
if (NT_SUCCESS(status))
|
||||
status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle);
|
||||
|
||||
if (NT_SUCCESS(status) && NewDacl)
|
||||
{
|
||||
Token_SetHandleDacl(NtCurrentProcess(), NewDacl);
|
||||
Token_SetHandleDacl(NtCurrentThread(), NewDacl);
|
||||
Token_SetHandleDacl(KernelTokenHandle, NewDacl);
|
||||
}
|
||||
|
||||
if (NT_SUCCESS(status))
|
||||
{
|
||||
ULONG virtualizationAllowed = 1;
|
||||
status = ZwSetInformationToken(KernelTokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG));
|
||||
}
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
Log_Status_Ex_Process(MSG_1222, 0xA4, status, NULL, proc->box->session_id, proc->pid);
|
||||
goto finish;
|
||||
}
|
||||
|
||||
ULONG virtualizationAllowed = 1;
|
||||
status = ZwSetInformationToken(KernelTokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG));
|
||||
|
||||
if (Conf_Get_Boolean(proc->box->name, L"CopyTokenAttributes", 0, FALSE))
|
||||
{
|
||||
HANDLE OldTokenHandle;
|
||||
|
@ -2505,6 +2456,33 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
|
|||
finish:
|
||||
if (KernelTokenHandle) ZwClose(KernelTokenHandle);
|
||||
|
||||
//UNICODE_STRING unicodeString;
|
||||
|
||||
//DbgPrint("Create Token: 0x%08x\n", status);
|
||||
//if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalUser->User.Sid, TRUE))) {
|
||||
// DbgPrint("LocalUser: %wZ (0x%x)\n", &unicodeString, LocalUser->User.Attributes);
|
||||
// RtlFreeUnicodeString(&unicodeString);
|
||||
//}
|
||||
|
||||
//for (ULONG i = 0; i < LocalGroups->GroupCount; i++) {
|
||||
// if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalGroups->Groups[i].Sid, TRUE))) {
|
||||
// DbgPrint("LocalGroups[%d]: %wZ (0x%x)\n", i, &unicodeString, LocalGroups->Groups[i].Attributes);
|
||||
// RtlFreeUnicodeString(&unicodeString);
|
||||
// }
|
||||
//}
|
||||
|
||||
//if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalOwner->Owner, TRUE))) {
|
||||
// DbgPrint("LocalOwner: %wZ\n", &unicodeString);
|
||||
// RtlFreeUnicodeString(&unicodeString);
|
||||
//}
|
||||
|
||||
//if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalPrimaryGroup->PrimaryGroup, TRUE))) {
|
||||
// DbgPrint("LocalPrimaryGroup: %wZ\n", &unicodeString);
|
||||
// RtlFreeUnicodeString(&unicodeString);
|
||||
//}
|
||||
//DbgPrint("+++\n");
|
||||
|
||||
|
||||
if (LocalStatistics) ExFreePool((PVOID)LocalStatistics);
|
||||
if (LocalUser) ExFreePool((PVOID)LocalUser);
|
||||
if (LocalGroups) ExFreePool((PVOID)LocalGroups);
|
||||
|
|
Loading…
Reference in New Issue