From 330211c3d7ffcca9e2374e1dee697b4a5f848e89 Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Thu, 27 Jun 2024 15:45:13 +0200
Subject: [PATCH] 1.14.3
---
 CHANGELOG.md | 2 ++
 Sandboxie/core/drv/token.c | 43 ++++++++++++++++++++++---------------------
 2 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75b20e84..84756f21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - fixed Firefox issue with Sbie 1.14.1 and 1.14.2 [#4012](https://github.com/sandboxie-plus/Sandboxie/issues/4012)
 - rolled back the driver verifier fix added in 1.14.1
 - fixed CustomChromiumFlags and --single-argument issue [#4033](https://github.com/sandboxie-plus/Sandboxie/issues/4033)
+- fixed Sandboxie programs do not terminate after closing programs that run as admin with UseCreateToken/SandboxieAllGroup enabled [#4030](https://github.com/sandboxie-plus/Sandboxie/issues/4030)
+
diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c
index 6988165f..93822db9 100644
--- a/Sandboxie/core/drv/token.c
+++ b/Sandboxie/core/drv/token.c
@@ -2181,9 +2181,9 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
 PTOKEN_DEFAULT_DACL LocalDefaultDacl = NULL;
 PTOKEN_SOURCE LocalSource = NULL;
- PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL;
- ULONG DefaultDacl_Length = 0;
- PACL NewDacl = NULL;
+ //PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL;
+ //ULONG DefaultDacl_Length = 0;
+ //PACL NewDacl = NULL;
 TOKEN_TYPE TokenType = TokenPrimary;
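Review bot: The three declarations here are commented out rather than deleted, and the same is done to the ACL construction in the retry branch (hunk at -2368), the `Token_SetHandleDacl` calls (hunk at -2402) and the `NewDefaultDacl` free (hunk at -2499). In a token-creation path, dead code that still shows an ACE granting `GENERIC_ALL` is easy to re-enable by accident and makes the active logic harder to audit, while version control already preserves the old implementation. I would delete these lines outright and, if the history matters to readers, leave a single line at the retry branch such as `// DACL fallback removed in 1.14.3` (presumably tied to #4030, the issue the changelog entry in this commit cites). Token_CreateToken's body continues outside this hunk.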
@@ -2368,26 +2368,27 @@ retry:
 goto retry;
 }
- else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && !NewDacl)
+ else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && LocalOwner->Owner != LocalUser->User.Sid)
 {
 // // Retry with new DACLs on error //
- DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize;
-
- // Construct a new ACL
- NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk);
- memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length);
-
- NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL));
- NewDefaultDacl->DefaultDacl->AclSize += 128;
-
 ExFreePool((PVOID)LocalOwner);
 LocalOwner = (PTOKEN_OWNER)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_OWNER), tzuk);
 LocalOwner->Owner = LocalUser->User.Sid;
- RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner);
+
+ //DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize;
+
+ //// Construct a new ACL
+ //NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk);
+ //memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length);
+
+ //NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL));
+ //NewDefaultDacl->DefaultDacl->AclSize += 128;
+
+ //RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner);
 goto retry;
 }
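Review bot: The retry branch dereferences the result of `ExAllocatePoolWithTag` without a NULL check (`LocalOwner->Owner = LocalUser->User.Sid;`), so under pool exhaustion this path would fault in kernel mode; those lines are context here, but the commit makes them the entire fallback and leaves them as they were. A guard such as `if (!LocalOwner) { status = STATUS_INSUFFICIENT_RESOURCES; goto finish; }` before the assignment would close that, assuming the `finish:` cleanup tolerates a NULL `LocalOwner` as it does for the other buffers. The new condition `LocalOwner->Owner != LocalUser->User.Sid` compares pointers, not SID values, and works as a one-shot retry flag only because the branch assigns that same pointer. That intent should be written down, and the existing comment (`// Retry with new DACLs on error`) is stale now that no DACL is built; something like `// Retry once with the user SID as owner; pointer equality marks that the retry already ran` would fit. Token_CreateToken begins and ends outside this hunk.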
@@ -2402,12 +2403,12 @@ retry:
 if (NT_SUCCESS(status)) status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle);
- if (NT_SUCCESS(status) && NewDacl)
- {
- Token_SetHandleDacl(NtCurrentProcess(), NewDacl);
- Token_SetHandleDacl(NtCurrentThread(), NewDacl);
- Token_SetHandleDacl(KernelTokenHandle, NewDacl);
- }
+ //if (NT_SUCCESS(status) && NewDacl)
+ //{
+ // Token_SetHandleDacl(NtCurrentProcess(), NewDacl);
+ // Token_SetHandleDacl(NtCurrentThread(), NewDacl);
+ // Token_SetHandleDacl(KernelTokenHandle, NewDacl);
+ //}
 if (NT_SUCCESS(status)) {
@@ -2499,7 +2500,7 @@ finish:
 if (LocalDefaultDacl) ExFreePool((PVOID)LocalDefaultDacl);
 if (LocalSource) ExFreePool((PVOID)LocalSource);
- if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl);
+ //if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl);
 // // get the actual token object from the handle