This commit is contained in:
DavidXanatos 2022-09-07 22:26:02 +02:00
parent 2f29402a62
commit 57e9d185a0
6 changed files with 97 additions and 86 deletions


@ -12,6 +12,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
-- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log"
- added option to block host processes from accessing sandboxed once [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132)
-- usage: DenyHostAccess=Program.exe,y
-- note: by default this protection only applyied for write access, that is unsandboxed processes will still be able to obtain read only access
-- to prevent host processes from obtaining read access ConfidentialBox=y must also be set, which require a supporter certificate
- added compatybility template for ReHIPS
### Changed


@ -222,65 +222,13 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object);
PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object;
if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) {
#ifdef DRV_BREAKOUT
//
// Check if this is a break out process
//
BOOLEAN is_breakout = FALSE;
PROCESS *proc;
PROCESS *proc2;
KIRQL irql;
proc = Process_Find(NULL, NULL);
if (proc) {
proc2 = Process_Find(TargetProcessId, &irql);
if (proc2 && Process_IsStarter(proc, proc2)) {
is_breakout = TRUE;
}
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (is_breakout) {
//
// this is a BreakoutProcess in this case we need to grant some permissions
//
*DesiredAccess = InitialDesiredAccess & (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE |
/**/PROCESS_TERMINATE |
//PROCESS_CREATE_THREAD |
//PROCESS_SET_SESSIONID |
/**/PROCESS_VM_OPERATION | // needed
PROCESS_VM_READ |
/**/PROCESS_VM_WRITE | // needed
//PROCESS_DUP_HANDLE |
PROCESS_CREATE_PROCESS |
//PROCESS_SET_QUOTA |
/**/PROCESS_SET_INFORMATION | // needed
PROCESS_QUERY_INFORMATION |
/**/PROCESS_SUSPEND_RESUME | // needed
PROCESS_QUERY_LIMITED_INFORMATION |
//PROCESS_SET_LIMITED_INFORMATION |
0);
} else
#endif
*DesiredAccess = 0; // deny any access
}
//ObjectTypeName = L"PsProcessType";
*DesiredAccess = Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE);
}
else if (PreInfo->ObjectType == *PsThreadType) {
HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object);
PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object);
if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) {
*DesiredAccess = 0; // deny any access
}
//ObjectTypeName = L"PsThreadType";
*DesiredAccess = Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE);
}
else {
DbgPrint("Sbie ObCallback: unexpected object type\n");
@ -288,7 +236,6 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback(
}
Exit:
return OB_PREOP_SUCCESS;
}


@ -740,6 +740,7 @@ _FX PROCESS *Process_Create(
proc->use_privacy_mode = Conf_Get_Boolean(proc->box->name, L"UsePrivacyMode", 0, FALSE);
proc->use_rule_specificity = proc->restrict_devices || proc->use_privacy_mode || Conf_Get_Boolean(proc->box->name, L"UseRuleSpecificity", 0, FALSE);
#endif
proc->confidential_box = Conf_Get_Boolean(proc->box->name, L"ConfidentialBox", 0, FALSE);
//
// check certificate
@ -764,6 +765,8 @@ _FX PROCESS *Process_Create(
#endif
if (proc->bAppCompartment)
exclusive_setting = L"NoSecurityIsolation";
else if (proc->confidential_box)
exclusive_setting = L"ConfidentialBox";
if (exclusive_setting) {
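Review bot: The `else if (proc->confidential_box)` means a box that sets both NoSecurityIsolation=y and ConfidentialBox=y reports only NoSecurityIsolation to the certificate check that follows, while proc->confidential_box stays set and is what Thread_CheckObject_CommonEx later keys the host-read denial on; whether that combination is meaningful for an app compartment is not visible here, so either reject it explicitly or state the intended precedence, e.g. `// NoSecurityIsolation takes precedence for the certificate check; ConfidentialBox stays in effect`. I also cannot see from this hunk whether a failed certificate check clears the flag or refuses the process; if it only logs, ConfidentialBox would still deny host reads without a supporter certificate, contrary to the changelog entry in this commit. Process_Create continues outside this hunk on both sides.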


@ -148,6 +148,7 @@ struct _PROCESS {
BOOLEAN use_rule_specificity;
BOOLEAN use_privacy_mode;
#endif
BOOLEAN confidential_box;
ULONG call_trace;
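Review bot: The new confidential_box member is the only place this option's meaning could be discovered from the driver headers, yet it carries no comment; the fields around it are equally bare, but this one changes what unsandboxed processes may do. Per the changelog in this commit I would annotate it as `BOOLEAN confidential_box; // ConfidentialBox=y: host processes are also denied read access to the box (supporter certificate required)`. The struct definition starts before this hunk.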


@ -1135,9 +1135,9 @@ finish:
//---------------------------------------------------------------------------
_FX NTSTATUS Thread_CheckObject_CommonEx(
_FX ACCESS_MASK Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
ACCESS_MASK DesiredAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess)
{
//
@ -1146,7 +1146,7 @@ _FX NTSTATUS Thread_CheckObject_CommonEx(
HANDLE cur_pid = PsGetCurrentProcessId();
if (pid == cur_pid)
return STATUS_SUCCESS;
return DesiredAccess;
//
// Get the sandboxed process if this request comes form one
@ -1169,33 +1169,42 @@ _FX NTSTATUS Thread_CheckObject_CommonEx(
if (proc2 && !proc2->bHostInject) { // target is sandboxed
void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
if (nbuf) {
ACCESS_MASK WriteAccess;
if (EntireProcess)
WriteAccess = (DesiredAccess & PROCESS_DENIED_ACCESS_MASK);
else
WriteAccess = (DesiredAccess & THREAD_DENIED_ACCESS_MASK);
protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);
if (WriteAccess || proc2->confidential_box) {
//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
// and a few others
//
void* nbuf = 0;
ULONG nlen = 0;
WCHAR* nptr = 0;
Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr);
if (nbuf) {
if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0)
|| (_wcsicmp(nptr, L"conhost.exe") == 0)
|| (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0))
protect_process = FALSE;
protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE);
//
// in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe
// and a few others
//
if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) {
if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0)
|| (_wcsicmp(nptr, L"conhost.exe") == 0)
|| (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0))
protect_process = FALSE;
}
if (protect_process) {
WCHAR msg_str[256];
RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d) requesting 0x%08X", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid, DesiredAccess);
Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, pid);
}
Mem_Free(nbuf, nlen);
}
if (protect_process) {
WCHAR msg_str[256];
RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d)", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid);
Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, PsGetCurrentProcessId());
}
Mem_Free(nbuf, nlen);
}
}
@ -1203,7 +1212,7 @@ _FX NTSTATUS Thread_CheckObject_CommonEx(
KeLowerIrql(irql);
if (protect_process)
return STATUS_ACCESS_DENIED;
return 0; // deny access
}
//
@ -1211,9 +1220,58 @@ _FX NTSTATUS Thread_CheckObject_CommonEx(
//
if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt)
return STATUS_SUCCESS;
return DesiredAccess;
return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, EntireProcess, ExplicitAccess);
if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, DesiredAccess, EntireProcess, ExplicitAccess))) {
#ifdef DRV_BREAKOUT
if (EntireProcess) {
//
// Check if this is a break out process
//
BOOLEAN is_breakout = FALSE;
PROCESS* proc2;
KIRQL irql;
proc2 = Process_Find(pid, &irql);
if (proc2 && Process_IsStarter(proc, proc2)) {
is_breakout = TRUE;
}
ExReleaseResourceLite(Process_ListLock);
KeLowerIrql(irql);
if (is_breakout) {
//
// this is a BreakoutProcess in this case we need to grant some permissions
//
return DesiredAccess & (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE |
/**/PROCESS_TERMINATE |
//PROCESS_CREATE_THREAD |
//PROCESS_SET_SESSIONID |
/**/PROCESS_VM_OPERATION | // needed
PROCESS_VM_READ |
/**/PROCESS_VM_WRITE | // needed
//PROCESS_DUP_HANDLE |
PROCESS_CREATE_PROCESS |
//PROCESS_SET_QUOTA |
/**/PROCESS_SET_INFORMATION | // needed
PROCESS_QUERY_INFORMATION |
/**/PROCESS_SUSPEND_RESUME | // needed
PROCESS_QUERY_LIMITED_INFORMATION |
//PROCESS_SET_LIMITED_INFORMATION |
0);
}
}
#endif
return 0;
}
return DesiredAccess;
}
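Review bot: The exemption that clears protect_process for sbiesvc.exe, csrss.exe, conhost.exe, taskmgr.exe and sandman.exe matches only the caller's image file name from Process_GetProcessName, and the DenyHostAccess lookup is keyed on that same name, so an unsandboxed program simply renamed to taskmgr.exe appears to get past both the write denial and the new ConfidentialBox read denial; the commented-out MyIsProcessRunningAsSystemAccount guard suggests this was already known, but ConfidentialBox now raises what such a bypass yields from write to full memory read. At minimum I would record it next to the list, `// NOTE: image-name match only; a renamed host binary can spoof these exemptions — consider checking the caller's account or image path`, and for sandman.exe/sbiesvc.exe consider verifying the image path against the Sandboxie install directory. Separately, `return 0; // deny access` refuses the whole open as soon as any PROCESS_DENIED_ACCESS_MASK bit is requested, whereas the changelog promises that read-only access stays available by default; unless all-or-nothing is intended, the non-confidential case could strip just those bits, `return confidential ? 0 : (DesiredAccess & ~(EntireProcess ? PROCESS_DENIED_ACCESS_MASK : THREAD_DENIED_ACCESS_MASK));`, with `confidential` captured from proc2 before the list lock is released, since proc2 is no longer safe to touch at that return. The function begins before the first hunk, and the lock release sits between the second and third hunks.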


@ -99,9 +99,9 @@ NTSTATUS Thread_CheckObject_Common(
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess);
NTSTATUS Thread_CheckObject_CommonEx(
ACCESS_MASK Thread_CheckObject_CommonEx(
HANDLE pid, PEPROCESS ProcessObject,
ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess,
ACCESS_MASK DesiredAccess, BOOLEAN EntireProcess,
BOOLEAN ExplicitAccess);
//---------------------------------------------------------------------------
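Review bot: The prototype change turns Thread_CheckObject_CommonEx from a status into an access mask, but nothing in the header states the new contract, and the Ob callback in this commit now writes the result straight into the caller's DesiredAccess. From the definition, the function returns DesiredAccess unchanged when access is allowed, a reduced mask for the breakout case, and 0 to deny, so I would document that at the declaration: `// Returns the ACCESS_MASK to grant (DesiredAccess, possibly reduced); 0 denies the open entirely.` Thread_CheckObject_Common immediately above still returns NTSTATUS, which is worth a one-line note as well so the two are not confused.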