diff --git a/CHANGELOG.md b/CHANGELOG.md index 75039ee8..bb1149c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). -- usage: in "HKLM\SYSTEM\CurrentControlSet\Services\SbieSvc" add REG_SZ "LogFile" with "3;[path]\Sandboxie.log" - added option to block host processes from accessing sandboxed once [#2132](https://github.com/sandboxie-plus/Sandboxie/issues/2132) -- usage: DenyHostAccess=Program.exe,y +-- note: by default this protection only applyied for write access, that is unsandboxed processes will still be able to obtain read only access +-- to prevent host processes from obtaining read access ConfidentialBox=y must also be set, which require a supporter certificate - added compatybility template for ReHIPS ### Changed diff --git a/Sandboxie/core/drv/obj_flt.c b/Sandboxie/core/drv/obj_flt.c index e9c08e88..48bd9f8b 100644 --- a/Sandboxie/core/drv/obj_flt.c +++ b/Sandboxie/core/drv/obj_flt.c 
@@ -222,65 +222,13 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback( HANDLE TargetProcessId = PsGetProcessId((PEPROCESS)PreInfo->Object); PEPROCESS ProcessObject = (PEPROCESS)PreInfo->Object; - if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE))) { - -#ifdef DRV_BREAKOUT - // - // Check if this is a break out process - // - - BOOLEAN is_breakout = FALSE; - PROCESS *proc; - PROCESS *proc2; - KIRQL irql; - - proc = Process_Find(NULL, NULL); - if (proc) { - proc2 = Process_Find(TargetProcessId, &irql); - if (proc2 && Process_IsStarter(proc, proc2)) { - is_breakout = TRUE; - } - } - - ExReleaseResourceLite(Process_ListLock); - KeLowerIrql(irql); - - if (is_breakout) { - - // - // this is a BreakoutProcess in this case we need to grant some permissions - // - - *DesiredAccess = InitialDesiredAccess & (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | - /**/PROCESS_TERMINATE | - //PROCESS_CREATE_THREAD | - //PROCESS_SET_SESSIONID | - /**/PROCESS_VM_OPERATION | // needed - PROCESS_VM_READ | - /**/PROCESS_VM_WRITE | // needed - //PROCESS_DUP_HANDLE | - PROCESS_CREATE_PROCESS | - //PROCESS_SET_QUOTA | - /**/PROCESS_SET_INFORMATION | // needed - PROCESS_QUERY_INFORMATION | - /**/PROCESS_SUSPEND_RESUME | // needed - PROCESS_QUERY_LIMITED_INFORMATION | - //PROCESS_SET_LIMITED_INFORMATION | - 0); - } else -#endif - *DesiredAccess = 0; // deny any access - } - //ObjectTypeName = L"PsProcessType"; + *DesiredAccess = Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, TRUE, TRUE); } else if (PreInfo->ObjectType == *PsThreadType) { HANDLE TargetProcessId = PsGetThreadProcessId ((PETHREAD)PreInfo->Object); PEPROCESS ProcessObject = PsGetThreadProcess((PETHREAD)PreInfo->Object); - if (!NT_SUCCESS(Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE))) { - *DesiredAccess = 0; // deny any access - } - //ObjectTypeName = L"PsThreadType"; + *DesiredAccess = 
Thread_CheckObject_CommonEx(TargetProcessId, ProcessObject, InitialDesiredAccess, FALSE, TRUE); } else { DbgPrint("Sbie ObCallback: unexpected object type\n"); @@ -288,7 +236,6 @@ _FX OB_PREOP_CALLBACK_STATUS Obj_PreOperationCallback( } Exit: - return OB_PREOP_SUCCESS; } diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c index e5ae8ad9..896aa8f3 100644 --- a/Sandboxie/core/drv/process.c +++ b/Sandboxie/core/drv/process.c @@ -740,6 +740,7 @@ _FX PROCESS *Process_Create( proc->use_privacy_mode = Conf_Get_Boolean(proc->box->name, L"UsePrivacyMode", 0, FALSE); proc->use_rule_specificity = proc->restrict_devices || proc->use_privacy_mode || Conf_Get_Boolean(proc->box->name, L"UseRuleSpecificity", 0, FALSE); #endif + proc->confidential_box = Conf_Get_Boolean(proc->box->name, L"ConfidentialBox", 0, FALSE); // // check certificate @@ -764,6 +765,8 @@ _FX PROCESS *Process_Create( #endif if (proc->bAppCompartment) exclusive_setting = L"NoSecurityIsolation"; + else if (proc->confidential_box) + exclusive_setting = L"ConfidentialBox"; if (exclusive_setting) { diff --git a/Sandboxie/core/drv/process.h b/Sandboxie/core/drv/process.h index b075c8c8..6684ac71 100644 --- a/Sandboxie/core/drv/process.h +++ b/Sandboxie/core/drv/process.h @@ -148,6 +148,7 @@ struct _PROCESS { BOOLEAN use_rule_specificity; BOOLEAN use_privacy_mode; #endif + BOOLEAN confidential_box; ULONG call_trace; diff --git a/Sandboxie/core/drv/thread.c b/Sandboxie/core/drv/thread.c index 49ecf756..835c12fc 100644 --- a/Sandboxie/core/drv/thread.c +++ b/Sandboxie/core/drv/thread.c @@ -1135,9 +1135,9 @@ finish: //--------------------------------------------------------------------------- -_FX NTSTATUS Thread_CheckObject_CommonEx( +_FX ACCESS_MASK Thread_CheckObject_CommonEx( HANDLE pid, PEPROCESS ProcessObject, - ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess, + ACCESS_MASK DesiredAccess, BOOLEAN EntireProcess, BOOLEAN ExplicitAccess) { // 
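Review bot: The deny/grant decision is now carried entirely by the return value of `Thread_CheckObject_CommonEx` (`0` denies, anything else is the subset of `InitialDesiredAccess` to grant), but nothing at either call site says so, whereas the removed code spelled it out with `*DesiredAccess = 0; // deny any access`. I would put that contract back as a comment on both assignments, e.g. `// returns the subset of InitialDesiredAccess to grant; 0 denies the open outright`. It is worth adding that the callee can only strip bits — every return path in thread.c is `DesiredAccess`, `0` or `DesiredAccess & mask` — which is the property an OB pre-operation callback must preserve, so a future change that returns a wider mask would be a real bug. `Obj_PreOperationCallback` itself starts before this hunk and continues past it.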
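Review bot: The `else if` makes `ConfidentialBox` subordinate to `NoSecurityIsolation` when choosing `exclusive_setting`, but `proc->confidential_box`, read unconditionally a few lines earlier, is never cleared when `bAppCompartment` wins, so a box that sets both keys presumably reaches the `if (exclusive_setting)` body — outside the hunk, and going by the changelog the place where the supporter-certificate requirement is enforced — under the NoSecurityIsolation name while `confidential_box` stays TRUE and is later honoured by `if (WriteAccess || proc2->confidential_box)` in thread.c. If that body rejects the process outright this is harmless; if it only reports or clears the named setting, the certificate gate for ConfidentialBox is skipped for such a box. Either clear the flag in the first branch, `if (proc->bAppCompartment) { exclusive_setting = L"NoSecurityIsolation"; proc->confidential_box = FALSE; }`, or state the intended precedence in a comment above the chain.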
@@ -1146,7 +1146,7 @@ _FX NTSTATUS Thread_CheckObject_CommonEx( HANDLE cur_pid = PsGetCurrentProcessId(); if (pid == cur_pid) - return STATUS_SUCCESS; + return DesiredAccess; // // Get the sandboxed process if this request comes form one 
@@ -1169,33 +1169,42 @@ _FX NTSTATUS Thread_CheckObject_CommonEx( if (proc2 && !proc2->bHostInject) { // target is sandboxed - void* nbuf = 0; - ULONG nlen = 0; - WCHAR* nptr = 0; - Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr); - if (nbuf) { + ACCESS_MASK WriteAccess; + if (EntireProcess) + WriteAccess = (DesiredAccess & PROCESS_DENIED_ACCESS_MASK); + else + WriteAccess = (DesiredAccess & THREAD_DENIED_ACCESS_MASK); - protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE); + if (WriteAccess || proc2->confidential_box) { - // - // in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe - // and a few others - // + void* nbuf = 0; + ULONG nlen = 0; + WCHAR* nptr = 0; + Process_GetProcessName(proc2->pool, (ULONG_PTR)cur_pid, &nbuf, &nlen, &nptr); + if (nbuf) { - if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) { - if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0) - || (_wcsicmp(nptr, L"conhost.exe") == 0) - || (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0)) - protect_process = FALSE; + protect_process = Process_GetConfEx_bool(proc2->box, nptr, L"DenyHostAccess", FALSE); + + // + // in case use specified wildcard "*" always grant access to sbiesvc.exe and csrss.exe + // and a few others + // + + if (protect_process /*&& MyIsProcessRunningAsSystemAccount(cur_pid)*/) { + if ((_wcsicmp(nptr, SBIESVC_EXE) == 0) || (_wcsicmp(nptr, L"csrss.exe") == 0) + || (_wcsicmp(nptr, L"conhost.exe") == 0) + || (_wcsicmp(nptr, L"taskmgr.exe") == 0) || (_wcsicmp(nptr, L"sandman.exe") == 0)) + protect_process = FALSE; + } + + if (protect_process) { + WCHAR msg_str[256]; + RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d) requesting 0x%08X", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid, DesiredAccess); + Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, pid); + } + 
+ Mem_Free(nbuf, nlen); } - - if (protect_process) { - WCHAR msg_str[256]; - RtlStringCbPrintfW(msg_str, sizeof(msg_str), L"Protect boxed processes %s (%d) from %s (%d)", proc2->image_name, (ULONG)pid, nptr, (ULONG)cur_pid); - Session_MonitorPut(MONITOR_IMAGE | MONITOR_TRACE, msg_str, PsGetCurrentProcessId()); - } - - Mem_Free(nbuf, nlen); } } @@ -1203,7 +1212,7 @@ _FX NTSTATUS Thread_CheckObject_CommonEx( KeLowerIrql(irql); if (protect_process) - return STATUS_ACCESS_DENIED; + return 0; // deny access } // @@ -1211,9 +1220,58 @@ _FX NTSTATUS Thread_CheckObject_CommonEx( // if (!proc || (proc == PROCESS_TERMINATED) || proc->bHostInject || proc->disable_object_flt) - return STATUS_SUCCESS; + return DesiredAccess; - return Thread_CheckObject_Common(proc, ProcessObject, GrantedAccess, EntireProcess, ExplicitAccess); + if (!NT_SUCCESS(Thread_CheckObject_Common(proc, ProcessObject, DesiredAccess, EntireProcess, ExplicitAccess))) { + +#ifdef DRV_BREAKOUT + if (EntireProcess) { + // + // Check if this is a break out process + // + + BOOLEAN is_breakout = FALSE; + PROCESS* proc2; + KIRQL irql; + + proc2 = Process_Find(pid, &irql); + if (proc2 && Process_IsStarter(proc, proc2)) { + is_breakout = TRUE; + } + + ExReleaseResourceLite(Process_ListLock); + KeLowerIrql(irql); + + if (is_breakout) { + + // + // this is a BreakoutProcess in this case we need to grant some permissions + // + + return DesiredAccess & (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | + /**/PROCESS_TERMINATE | + //PROCESS_CREATE_THREAD | + //PROCESS_SET_SESSIONID | + /**/PROCESS_VM_OPERATION | // needed + PROCESS_VM_READ | + /**/PROCESS_VM_WRITE | // needed + //PROCESS_DUP_HANDLE | + PROCESS_CREATE_PROCESS | + //PROCESS_SET_QUOTA | + /**/PROCESS_SET_INFORMATION | // needed + PROCESS_QUERY_INFORMATION | + /**/PROCESS_SUSPEND_RESUME | // needed + PROCESS_QUERY_LIMITED_INFORMATION | + //PROCESS_SET_LIMITED_INFORMATION | + 0); + } + } +#endif + + return 0; + } + + return DesiredAccess; } 
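Review bot: With `ConfidentialBox` the image-name allowlist now decides who may read a sandboxed process and not only who may write to it, yet the check is still a bare `_wcsicmp` against `taskmgr.exe`, `sandman.exe`, `conhost.exe` and friends with the `MyIsProcessRunningAsSystemAccount` condition left commented out; where `nptr` comes from is not visible here, but if it is the plain image file name, any unsandboxed process that names itself `taskmgr.exe` receives whatever `DesiredAccess` it asked for. For the confidential case I would at least drop the user-mode tools from the exemption or additionally require a SYSTEM token / an image under the Sandboxie install directory, and record the residual trust with a comment such as `// NOTE: exemption is by image name only; a host process can spoof these names`. The "in case use specified wildcard" comment above the list is also misleading, since the exemption applies whenever `DenyHostAccess` matched, not only for `*`. Whether `PROCESS_DUP_HANDLE` is part of `PROCESS_DENIED_ACCESS_MASK` is not visible either; if it is not, a host process can duplicate write-capable handles out of the target without ever taking the write path.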
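Review bot: The breakout branch grants a sandboxed process `PROCESS_VM_WRITE`, `PROCESS_VM_OPERATION`, `PROCESS_SET_INFORMATION`, `PROCESS_SUSPEND_RESUME` and `PROCESS_CREATE_PROCESS` on an unsandboxed target — the only sandbox-to-host write edge in this function — and the sole justification is the `// needed` tags carried over from obj_flt.c. I would say in a comment why each of those rights is required and that the grant hinges on `Process_IsStarter(proc, proc2)` (semantics not visible here, presumably "proc launched proc2"), e.g. `// Deliberate exception: a sandboxed starter gets a limited write set on its own breakout child; presumably needed for the launch sequence — confirm and keep minimal`. Moving the block behind the `!proc` early return also appears to fix the old path that called `ExReleaseResourceLite`/`KeLowerIrql` with an uninitialised `irql` when `Process_Find(NULL, NULL)` returned NULL; that is worth a line in the commit message. The unconditional `ExReleaseResourceLite(Process_ListLock)` after `Process_Find(pid, &irql)` assumes `Process_Find` always takes the list lock when given an irql pointer, which matches the earlier block in this function but should be stated next to it.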
diff --git a/Sandboxie/core/drv/thread.h b/Sandboxie/core/drv/thread.h index 91a7e421..9df467f1 100644 --- a/Sandboxie/core/drv/thread.h +++ b/Sandboxie/core/drv/thread.h @@ -99,9 +99,9 @@ NTSTATUS Thread_CheckObject_Common( ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess, BOOLEAN ExplicitAccess); -NTSTATUS Thread_CheckObject_CommonEx( +ACCESS_MASK Thread_CheckObject_CommonEx( HANDLE pid, PEPROCESS ProcessObject, - ACCESS_MASK GrantedAccess, BOOLEAN EntireProcess, + ACCESS_MASK DesiredAccess, BOOLEAN EntireProcess, BOOLEAN ExplicitAccess); //---------------------------------------------------------------------------