Add new box type.
parent
35fa313502
commit
23737b55d8
|
@ -18,6 +18,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
||||||
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
|
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
|
||||||
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
|
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
|
||||||
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
|
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
|
||||||
|
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
|
||||||
|
- Add new box type "Maximize Isolation Sandbox".
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
- split the advanced new box wizard page in two
|
- split the advanced new box wizard page in two
|
||||||
|
|
|
@ -247,6 +247,7 @@ CSandMan::CSandMan(QWidget *parent)
|
||||||
SetupHotKeys();
|
SetupHotKeys();
|
||||||
|
|
||||||
m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
|
m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
|
||||||
|
m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139);
|
||||||
m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
|
m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
|
||||||
m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
|
m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
|
||||||
m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
|
m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
|
||||||
|
@ -1550,6 +1551,9 @@ QString CSandMan::GetBoxDescription(int boxType)
|
||||||
QString Info;
|
QString Info;
|
||||||
|
|
||||||
switch (boxType) {
|
switch (boxType) {
|
||||||
|
case CSandBoxPlus::eIsoationMax:
|
||||||
|
Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later.");
|
||||||
|
break;
|
||||||
case CSandBoxPlus::eHardenedPlus:
|
case CSandBoxPlus::eHardenedPlus:
|
||||||
case CSandBoxPlus::eHardened:
|
case CSandBoxPlus::eHardened:
|
||||||
Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
|
Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
|
||||||
|
@ -1567,7 +1571,7 @@ QString CSandMan::GetBoxDescription(int boxType)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus)
|
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax)
|
||||||
Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
|
Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
|
||||||
|
|
||||||
return Info;
|
return Info;
|
||||||
|
|
|
@ -813,6 +813,21 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const
|
||||||
if (m_iUnsecureDebugging != 0)
|
if (m_iUnsecureDebugging != 0)
|
||||||
return eInsecure;
|
return eInsecure;
|
||||||
|
|
||||||
|
BOOL isMAX = GetBool("HideNonSystemProcess") &&
|
||||||
|
GetBool("HideOtherBoxes") &&
|
||||||
|
GetBool("ClosePrintSpooler") &&
|
||||||
|
!GetBool("OpenClipboard") &&
|
||||||
|
GetBool("BlockInterferePower") &&
|
||||||
|
GetBool("BlockInterferenceControl") &&
|
||||||
|
GetBool("BlockScreenCapture") &&
|
||||||
|
GetBool("UseSandboxDesktop") &&
|
||||||
|
GetBool("ConfidentialBox") &&
|
||||||
|
GetBool("CoverBoxedWindows") &&
|
||||||
|
GetBool("AlertBeforeStart") &&
|
||||||
|
GetBool("ForceProtectionOnMount") &&
|
||||||
|
GetBool("ProtectHostImages");
|
||||||
|
if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced)
|
||||||
|
return eIsoationMax;
|
||||||
if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
|
if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
|
||||||
return eHardenedPlus;
|
return eHardenedPlus;
|
||||||
if (m_bSecurityEnhanced)
|
if (m_bSecurityEnhanced)
|
||||||
|
|
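Review bot: The option list that decides `eIsoationMax` in `GetTypeImpl()` is not the list used in the `COptionsWindow::UpdateBoxType()` hunk further down. That hunk tests `HideNonSystemProcess` twice and never tests `UseSandboxDesktop` or `ProtectHostImages`, so the options window can label a box maximum-isolation while `GetTypeImpl()` reports `eHardenedPlus`. Neither list covers the `BlockAccessWMI`, `BlockDNS` and `BlockLocalConnect` templates or the two process limits that the wizard writes, so a box would keep the label after those are removed. I would move the check into one helper that both call sites use, and declare the result as `bool isMAX` rather than `BOOL`. The body of `GetTypeImpl()` continues outside the hunk.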
|
@ -146,6 +146,7 @@ public:
|
||||||
{
|
{
|
||||||
eHardenedPlus,
|
eHardenedPlus,
|
||||||
eHardened,
|
eHardened,
|
||||||
|
eIsoationMax,
|
||||||
eDefaultPlus,
|
eDefaultPlus,
|
||||||
eDefault,
|
eDefault,
|
||||||
eAppBoxPlus,
|
eAppBoxPlus,
|
||||||
|
|
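Review bot: The new enumerator is spelled `eIsoationMax` (missing "l") and is inserted between `eHardened` and `eDefaultPlus`, which shifts the numeric value of every later member. Other hunks on this page store these values as combo-box item data through `(int)CSandBoxPlus::e…` casts and read them back with `toInt()`, so if any value is persisted or compared numerically elsewhere (not visible here), existing data would be reinterpreted. Appending the member at the end or giving the enumerators explicit values avoids that, and renaming to `eIsolationMax` now is cheaper than after more call sites exist. A one-line comment such as `// all hardened + privacy settings plus the extra isolation options` on the member would also help. The enum declaration starts and ends outside the hunk.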
|
@ -61,6 +61,7 @@ void COptionsWindow::CreateGeneral()
|
||||||
|
|
||||||
|
|
||||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
|
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
|
||||||
|
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax);
|
||||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
|
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
|
||||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
|
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
|
||||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
|
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
|
||||||
|
@ -1059,8 +1060,24 @@ void COptionsWindow::UpdateBoxType()
|
||||||
bool bPrivacyMode = ui.chkPrivacy->isChecked();
|
bool bPrivacyMode = ui.chkPrivacy->isChecked();
|
||||||
bool bSecurityMode = ui.chkSecurityMode->isChecked();
|
bool bSecurityMode = ui.chkSecurityMode->isChecked();
|
||||||
bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
|
bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
|
||||||
|
bool bIsoationMax = m_pBox->GetBool("HideNonSystemProcess")
|
||||||
|
&& m_pBox->GetBool("HideNonSystemProcess")
|
||||||
|
&& m_pBox->GetBool("HideOtherBoxes")
|
||||||
|
&& m_pBox->GetBool("ClosePrintSpooler")
|
||||||
|
&& m_pBox->GetBool("BlockInterferePower")
|
||||||
|
&& !m_pBox->GetBool("OpenClipboard")
|
||||||
|
&& m_pBox->GetBool("BlockInterferenceControl")
|
||||||
|
&& m_pBox->GetBool("BlockScreenCapture")
|
||||||
|
&& m_pBox->GetBool("ConfidentialBox")
|
||||||
|
&& m_pBox->GetBool("CoverBoxedWindows")
|
||||||
|
&& m_pBox->GetBool("AlertBeforeStart")
|
||||||
|
&& m_pBox->GetBool("ForceProtectionOnMount")
|
||||||
|
&& bSecurityMode && bPrivacyMode && !bAppBox;
|
||||||
|
|
||||||
int BoxType;
|
int BoxType;
|
||||||
|
if (bIsoationMax)
|
||||||
|
BoxType = (int)CSandBoxPlus::eIsoationMax;
|
||||||
|
else
|
||||||
if (bAppBox)
|
if (bAppBox)
|
||||||
BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
|
BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
|
||||||
else if (bSecurityMode)
|
else if (bSecurityMode)
|
||||||
|
@ -1086,13 +1103,51 @@ void COptionsWindow::OnBoxTypChanged()
|
||||||
int BoxType = ui.cmbBoxType->currentData().toInt();
|
int BoxType = ui.cmbBoxType->currentData().toInt();
|
||||||
|
|
||||||
switch (BoxType) {
|
switch (BoxType) {
|
||||||
|
case CSandBoxPlus::eIsoationMax:
|
||||||
|
/*pBox->SetBool("HideNonSystemProcess", true);
|
||||||
|
pBox->InsertText("Template", "BlockAccessWMI");
|
||||||
|
pBox->InsertText("Template", "BlockDNS");
|
||||||
|
pBox->SetBool("HideOtherBoxes", true);
|
||||||
|
pBox->SetBool("ClosePrintSpooler", true);
|
||||||
|
pBox->SetBool("OpenClipboard", false);
|
||||||
|
pBox->SetBool("BlockInterferePower", true);
|
||||||
|
pBox->SetBool("BlockInterferenceControl", true);
|
||||||
|
pBox->SetBool("BlockScreenCapture", true);
|
||||||
|
pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any");
|
||||||
|
pBox->SetBool("UseSandboxDesktop", true);
|
||||||
|
pBox->SetBool("ConfidentialBox", true);
|
||||||
|
pBox->SetBool("CoverBoxedWindows", true);
|
||||||
|
pBox->SetBool("AlertBeforeStart", true);
|
||||||
|
pBox->SetBool("ForceProtectionOnMount", true);
|
||||||
|
pBox->SetNum64("ProcessMemoryLimit", 80000000);
|
||||||
|
pBox->SetNum("ProcessNumberLimit", 20);
|
||||||
|
pBox->SetBool("ProtectHostImages", true);*/
|
||||||
|
SetTemplate("BlockAccessWMI", true);
|
||||||
|
ui.chkBlockDns->setChecked(true);
|
||||||
|
ui.chkHideOtherBoxes->setChecked(true);
|
||||||
|
ui.chkCloseClipBoard->setChecked(true);
|
||||||
|
ui.chkBlockSpooler->setChecked(true);
|
||||||
|
ui.chkBlockCapture->setChecked(true);
|
||||||
|
ui.chkAddToJob->setChecked(true);
|
||||||
|
ui.chkAlertBeforeStart->setChecked(true);
|
||||||
|
ui.chkConfidential->setChecked(true);
|
||||||
|
ui.chkProtectPower->setChecked(true);
|
||||||
|
ui.chkUserOperation->setChecked(true);
|
||||||
|
ui.chkProtectWindow->setChecked(true);
|
||||||
|
ui.chkProtectSCM->setChecked(true);
|
||||||
|
ui.chkProtectSystem->setChecked(true);
|
||||||
|
ui.chkRestrictServices->setChecked(true);
|
||||||
|
ui.chkSbieLogon->setChecked(true);
|
||||||
|
ui.chkDropPrivileges->setChecked(true);
|
||||||
|
ui.chkHideOtherBoxes->setChecked(true);
|
||||||
|
ui.chkHostProtect->setChecked(true);
|
||||||
case CSandBoxPlus::eHardenedPlus:
|
case CSandBoxPlus::eHardenedPlus:
|
||||||
case CSandBoxPlus::eHardened:
|
case CSandBoxPlus::eHardened:
|
||||||
ui.chkNoSecurityIsolation->setChecked(false);
|
ui.chkNoSecurityIsolation->setChecked(false);
|
||||||
ui.chkNoSecurityFiltering->setChecked(false);
|
ui.chkNoSecurityFiltering->setChecked(false);
|
||||||
ui.chkSecurityMode->setChecked(true);
|
ui.chkSecurityMode->setChecked(true);
|
||||||
//ui.chkRestrictServices->setChecked(true);
|
//ui.chkRestrictServices->setChecked(true);
|
||||||
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus);
|
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax);
|
||||||
//SetTemplate("NoUACProxy", false);
|
//SetTemplate("NoUACProxy", false);
|
||||||
SetTemplate("RpcPortBindingsExt", false);
|
SetTemplate("RpcPortBindingsExt", false);
|
||||||
break;
|
break;
|
||||||
|
|
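Review bot: In `OnBoxTypChanged()` the new `case CSandBoxPlus::eIsoationMax:` never applies the `BlockLocalConnect` template that `CNewBoxWizard::TryToCreateBox()` inserts for the same type, so a box switched to this type from the options window appears to keep loopback access that a wizard-created one loses. Adding `SetTemplate("BlockLocalConnect", true);` next to the `BlockAccessWMI` line would close that gap. The checkbox list also does not visibly set several options that `UpdateBoxType()` requires (`HideNonSystemProcess`, `CoverBoxedWindows`, `ForceProtectionOnMount`), and `UpdateBoxType()` reads them from `m_pBox` rather than from the dialog, so the combo box may fall back to another type until the settings are saved; the checkbox-to-option mapping is outside this page, so this needs confirming. The commented-out `pBox->Set…` block should be deleted, `ui.chkHideOtherBoxes->setChecked(true);` appears twice, and the case runs into `eHardenedPlus` without a marker such as `// fall through: apply the hardened settings as well`. Both function bodies continue outside their hunks.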
|
@ -182,6 +182,25 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
|
||||||
if (!disableWizardSettings || sharedTemplateMode == 0) {
|
if (!disableWizardSettings || sharedTemplateMode == 0) {
|
||||||
switch (BoxType)
|
switch (BoxType)
|
||||||
{
|
{
|
||||||
|
case CSandBoxPlus::eIsoationMax:
|
||||||
|
pBox->SetBool("HideNonSystemProcess", true);
|
||||||
|
pBox->InsertText("Template", "BlockAccessWMI");
|
||||||
|
pBox->InsertText("Template", "BlockDNS");
|
||||||
|
pBox->SetBool("HideOtherBoxes", true);
|
||||||
|
pBox->SetBool("ClosePrintSpooler", true);
|
||||||
|
pBox->SetBool("OpenClipboard", false);
|
||||||
|
pBox->SetBool("BlockInterferePower", true);
|
||||||
|
pBox->SetBool("BlockInterferenceControl", true);
|
||||||
|
pBox->SetBool("BlockScreenCapture", true);
|
||||||
|
pBox->InsertText("Template","BlockLocalConnect");
|
||||||
|
pBox->SetBool("UseSandboxDesktop", true);
|
||||||
|
pBox->SetBool("ConfidentialBox", true);
|
||||||
|
pBox->SetBool("CoverBoxedWindows", true);
|
||||||
|
pBox->SetBool("AlertBeforeStart", true);
|
||||||
|
pBox->SetBool("ForceProtectionOnMount", true);
|
||||||
|
pBox->SetNum64("ProcessMemoryLimit", 80000000);
|
||||||
|
pBox->SetNum("ProcessNumberLimit", 20);
|
||||||
|
pBox->SetBool("ProtectHostImages", true);
|
||||||
case CSandBoxPlus::eHardenedPlus:
|
case CSandBoxPlus::eHardenedPlus:
|
||||||
pBox->SetBool("UsePrivacyMode", true);
|
pBox->SetBool("UsePrivacyMode", true);
|
||||||
case CSandBoxPlus::eHardened:
|
case CSandBoxPlus::eHardened:
|
||||||
|
@ -247,7 +266,7 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
|
||||||
}
|
}
|
||||||
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
|
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
|
||||||
|
|
||||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
|
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax);
|
||||||
bool bDropAdmin = field("dropAdmin").toBool();
|
bool bDropAdmin = field("dropAdmin").toBool();
|
||||||
if (field("dropAdmin").toBool() && !bHardened)
|
if (field("dropAdmin").toBool() && !bHardened)
|
||||||
pBox->SetBool("DropAdminRights", true);
|
pBox->SetBool("DropAdminRights", true);
|
||||||
|
@ -385,7 +404,10 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent)
|
||||||
//return qMakePair(pW, pIcon);
|
//return qMakePair(pW, pIcon);
|
||||||
return pC;
|
return pC;
|
||||||
};
|
};
|
||||||
|
AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax,
|
||||||
|
tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n"
|
||||||
|
"In addition, there are other configurations that facilitate isolation,\n"
|
||||||
|
"such as processes and image access control, and so on."));
|
||||||
AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus,
|
AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus,
|
||||||
tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
|
tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
|
||||||
"It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
|
"It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
|
||||||
|
@ -790,7 +812,7 @@ void CIsolationPage::initializePage()
|
||||||
{
|
{
|
||||||
int BoxType = wizard()->field("boxType").toInt();
|
int BoxType = wizard()->field("boxType").toInt();
|
||||||
|
|
||||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
|
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax);
|
||||||
bool bDropAdmin = field("dropAdmin").toBool();
|
bool bDropAdmin = field("dropAdmin").toBool();
|
||||||
m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
|
m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
|
||||||
m_pShareAccess->setEnabled(!bHardened);
|
m_pShareAccess->setEnabled(!bHardened);
|
||||||
|
|
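Review bot: The `eIsoationMax` case in `TryToCreateBox()` writes `ProcessMemoryLimit` as 80000000 and `ProcessNumberLimit` as 20 with no comment on the unit or on why these values were chosen. Since they cap what every program in the box can do, I would name them, e.g. `const quint64 kMaxIsolationMemoryLimit = 80000000; // unit: <confirm>`, and mention the caps in the box-type description. The case also runs into `eHardenedPlus` with no marker, so add `// fall through: also apply privacy mode and the hardened settings` before that label. In `CBoxTypePage` the type is called "Maximum Isolation Sandbox" while the options combo and the changelog say "Maximize Isolation Sandbox", and the unchanged `eHardenedPlus` text still says it "offers the highest level of protection"; one name and a reworded comparison would keep the choice clear to users. `TryToCreateBox()` and the `CBoxTypePage` constructor continue outside their hunks.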