Sandboxie All SID

DavidXanatos 2024-05-22 17:52:32 +02:00
parent baa022578f
commit 68d0254983
6 changed files with 475 additions and 347 deletions


@ -78,7 +78,7 @@ static BOOLEAN Token_AssignPrimary(
static void *Token_DuplicateToken(void *TokenObject, PROCESS *proc);
static void *Token_CreateNew(void *TokenObject, PROCESS *proc);
static void *Token_CreateToken(void *TokenObject, PROCESS *proc);
//---------------------------------------------------------------------------
@ -153,6 +153,14 @@ static UCHAR AnonymousLogonSid[12] = {
//UCHAR SandboxieLogonSid[SECURITY_MAX_SID_SIZE] = { 0 }; // SbieLogin
UCHAR SandboxieAllSid[16] = { // S-1-5-100-0
1, // Revision
2, // SubAuthorityCount
0,0,0,0,0,5, // SECURITY_NT_AUTHORITY // IdentifierAuthority
100,0,0,0, // SubAuthority[0] = SBIE_RID
0,0,0,0 // SubAuthority[1] = 0
};
static UCHAR SystemLogonSid[12] = {
1, // Revision
1, // SubAuthorityCount
@ -880,14 +888,16 @@ _FX void *Token_Restrict(
// Create a heavily restricted primary token
//
if (Conf_Get_Boolean(proc->box->name, L"CreateToken", 0, FALSE)) {
if (Conf_Get_Boolean(proc->box->name, L"UseCreateToken", 0, FALSE) ||
Conf_Get_Boolean(proc->box->name, L"SandboxieAllGroup", 0, FALSE)) {
//
// Create a new token from scratch, experimental
// Create a custom restricted token from scratch
//
FixedTokenObject = Token_CreateNew(TokenObject, proc);
}
return Token_CreateToken(TokenObject, proc);
}
else {
//
@ -1272,6 +1282,8 @@ _FX NTSTATUS Token_RestrictHelper2(
if (Driver_OsVersion < DRIVER_WINDOWS_VISTA)
return STATUS_SUCCESS;
BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
label = (ULONG)(ULONG_PTR)Token_Query(
TokenObject, TokenIntegrityLevel, proc->box->session_id);
@ -1297,7 +1309,10 @@ _FX NTSTATUS Token_RestrictHelper2(
LabelSid[1] = 0x10000000;
// debug tip. You can change the sandboxed process's integrity level below
//LabelSid[2] = SECURITY_MANDATORY_HIGH_RID;
LabelSid[2] = SECURITY_MANDATORY_UNTRUSTED_RID;
if(NoUntrustedToken)
LabelSid[2] = SECURITY_MANDATORY_LOW_RID;
else
LabelSid[2] = SECURITY_MANDATORY_UNTRUSTED_RID;
LabelSid[3] = 0;
SidAndAttrs.Sid = LabelSid;
SidAndAttrs.Attributes = 0;
@ -1369,6 +1384,7 @@ _FX void *Token_RestrictHelper3(
BOOLEAN AnonymousLogonSidAlreadyInGroups = FALSE;
BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);
n = 0;
@ -1377,6 +1393,9 @@ _FX void *Token_RestrictHelper3(
if (Groups->Groups[i].Attributes & SE_GROUP_INTEGRITY)
continue;
if (KeepLogonSession && (Groups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
continue;
if (RtlEqualSid(Groups->Groups[i].Sid, UserSid)) {
if (KeepUserGroup)
continue;
@ -1703,7 +1722,7 @@ _FX BOOLEAN Token_ReplacePrimary(PROCESS *proc)
#ifdef _WIN64
// OpenToken BEGIN
if (!Conf_Get_Boolean(proc->box->name, L"CreateToken", 0, FALSE)
if (!Conf_Get_Boolean(proc->box->name, L"ReplicateToken", 0, FALSE)
&& !Conf_Get_Boolean(proc->box->name, L"UnrestrictedToken", 0, FALSE)
&& Conf_Get_Boolean(proc->box->name, L"AnonymousLogon", 0, TRUE))
// OpenToken END
@ -2116,11 +2135,11 @@ _FX NTSTATUS SbieCreateToken(PHANDLE TokenHandle, ACCESS_MASK DesiredAccess, POB
//---------------------------------------------------------------------------
// Token_CreateNew
// Token_CreateToken
//---------------------------------------------------------------------------
_FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
_FX void* Token_CreateToken(void* TokenObject, PROCESS* proc)
{
HANDLE TokenHandle = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;
@ -2128,6 +2147,7 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
PTOKEN_STATISTICS LocalStatistics = NULL;
PTOKEN_USER LocalUser = NULL;
PTOKEN_GROUPS LocalGroups = NULL;
PTOKEN_GROUPS OldLocalGroups = NULL;
PTOKEN_PRIVILEGES LocalPrivileges = NULL;
//PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes = NULL;
@ -2141,15 +2161,19 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
PTOKEN_SOURCE LocalSource = NULL;
PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL;
PTOKEN_OWNER NewOwner = NULL;
ULONG DefaultDacl_Length = 0;
PACL NewDacl = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
TOKEN_TYPE TokenType = TokenPrimary;
LUID AuthenticationId = ANONYMOUS_LOGON_LUID;
LARGE_INTEGER ExpirationTime;
OBJECT_ATTRIBUTES ObjectAttributes;
SECURITY_QUALITY_OF_SERVICE SecurityQos;
//
// Get the information from the original token
// Gether informations from the original token
//
if ( !NT_SUCCESS(SeQueryInformationToken(TokenObject, TokenStatistics, &LocalStatistics))
@ -2170,6 +2194,80 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
MandatoryPolicy = (PTOKEN_MANDATORY_POLICY)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_MANDATORY_POLICY), tzuk);
if (MandatoryPolicy) MandatoryPolicy->Policy = TOKEN_MANDATORY_POLICY_NO_WRITE_UP;
//
// Create a new token from scratch
//
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_CASE_INSENSITIVE, NULL, NULL);
SecurityQos.Length = sizeof(SecurityQos);
SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
SecurityQos.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &SecurityQos;
if (Conf_Get_Boolean(proc->box->name, L"ReplicateToken", 0, FALSE))
{
SecurityQos.ImpersonationLevel = LocalStatistics->ImpersonationLevel;
TokenType = LocalStatistics->TokenType;
AuthenticationId = LocalStatistics->AuthenticationId;
ExpirationTime = LocalStatistics->ExpirationTime;
}
else
{
SecurityQos.ImpersonationLevel = SecurityAnonymous;
ExpirationTime.QuadPart = 0x7FFFFFFFFFFFFFFF;
if (!Conf_Get_Boolean(proc->box->name, L"UnstrippedToken", 0, FALSE))
{
BOOLEAN NoUntrustedToken = Conf_Get_Boolean(proc->box->name, L"NoUntrustedToken", 0, FALSE);
BOOLEAN KeepUserGroup = Conf_Get_Boolean(proc->box->name, L"KeepUserGroup", 0, FALSE);
BOOLEAN KeepLogonSession = Conf_Get_Boolean(proc->box->name, L"KeepLogonSession", 0, FALSE);
for (ULONG i = 0; i < LocalGroups->GroupCount; i++) {
if (LocalGroups->Groups[i].Attributes & SE_GROUP_INTEGRITY) {
if (!Conf_Get_Boolean(proc->box->name, L"KeepTokenIntegrity", 0, FALSE)) {
if(NoUntrustedToken)
*RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_LOW_RID;
else
*RtlSubAuthoritySid(LocalGroups->Groups[i].Sid, 0) = SECURITY_MANDATORY_UNTRUSTED_RID;
}
continue;
}
if (KeepLogonSession && (LocalGroups->Groups[i].Attributes & SE_GROUP_LOGON_ID))
continue;
if (RtlEqualSid(LocalGroups->Groups[i].Sid, LocalUser->User.Sid)) {
if (KeepUserGroup)
continue;
}
LocalGroups->Groups[i].Attributes = 0;
}
}
if (Conf_Get_Boolean(proc->box->name, L"SandboxieAllGroup", 0, FALSE)) // & Driver_SandboxieSid)
{
OldLocalGroups = LocalGroups;
ULONG NewGroupCount = OldLocalGroups->GroupCount + 1;
SIZE_T NewSize = FIELD_OFFSET(TOKEN_GROUPS, Groups) + NewGroupCount * sizeof(SID_AND_ATTRIBUTES);
LocalGroups = (PTOKEN_GROUPS)ExAllocatePoolWithTag(PagedPool, NewSize, tzuk);
RtlZeroMemory(LocalGroups, NewSize);
LocalGroups->Groups[0].Attributes = SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT;
LocalGroups->Groups[0].Sid = SandboxieAllSid; // Driver_SandboxieSid;
RtlCopyMemory(&LocalGroups->Groups[1], OldLocalGroups->Groups, OldLocalGroups->GroupCount * sizeof(SID_AND_ATTRIBUTES));
LocalGroups->GroupCount = NewGroupCount;
}
}
//
// Change the SID
//
@ -2181,37 +2279,28 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
if (proc->SandboxieLogonSid)
{
//
// free old user and create a new one with the new SID
//
ULONG Attributes = LocalUser->User.Attributes;
ExFreePool((PVOID)LocalUser);
LocalUser = ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_USER) + RtlLengthSid(proc->SandboxieLogonSid), tzuk);
LocalUser->User.Attributes = Attributes;
LocalUser->User.Sid = ((UCHAR*)LocalUser) + sizeof(TOKEN_USER);
memcpy(LocalUser->User.Sid, proc->SandboxieLogonSid, RtlLengthSid(proc->SandboxieLogonSid));
}
//
// Create a new token from scratch
//
SecurityQos.Length = sizeof(SecurityQos);
SecurityQos.ImpersonationLevel = LocalStatistics->ImpersonationLevel;
SecurityQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
SecurityQos.EffectiveOnly = FALSE;
ObjectAttributes.SecurityQualityOfService = &SecurityQos;
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
//LUID AuthenticationId = ANONYMOUS_LOGON_LUID;
status = SbieCreateToken(
&TokenHandle,
TOKEN_ALL_ACCESS,
&ObjectAttributes,
LocalStatistics->TokenType,
&LocalStatistics->AuthenticationId,
&LocalStatistics->ExpirationTime,
TokenType,
&AuthenticationId,
&ExpirationTime,
LocalUser,
LocalGroups,
LocalPrivileges,
@ -2248,18 +2337,19 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL));
NewDefaultDacl->DefaultDacl->AclSize += 128;
NewOwner = (PTOKEN_OWNER)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_OWNER), tzuk);
NewOwner->Owner = LocalUser->User.Sid;
ExFreePool((PVOID)LocalOwner);
LocalOwner = (PTOKEN_OWNER)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_OWNER), tzuk);
LocalOwner->Owner = LocalUser->User.Sid;
RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, NewOwner->Owner);
RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner);
status = SbieCreateToken(
&TokenHandle,
TOKEN_ALL_ACCESS,
&ObjectAttributes,
LocalStatistics->TokenType,
&LocalStatistics->AuthenticationId,
&LocalStatistics->ExpirationTime,
TokenType,
&AuthenticationId,
&ExpirationTime,
LocalUser,
LocalGroups,
LocalPrivileges,
@ -2269,7 +2359,7 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
0, //DeviceGroups,
MandatoryPolicy,
NewOwner,
LocalOwner,
LocalPrimaryGroup,
NewDefaultDacl,
LocalSource
@ -2294,17 +2384,16 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
ULONG virtualizationAllowed = 1;
status = ZwSetInformationToken(TokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG));
if (Conf_Get_Boolean(proc->box->name, L"CopyTokenAttributes", 0, FALSE))
{
HANDLE OldTokenHandle;
status = ObOpenObjectByPointer(
TokenObject, OBJ_KERNEL_HANDLE, NULL, TOKEN_ALL_ACCESS,
*SeTokenObjectType, KernelMode, &OldTokenHandle);
if (NT_SUCCESS(status))
{
void* ptr = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, tzuk);
/*HANDLE OldTokenHandle;
status = ObOpenObjectByPointer(
TokenObject, OBJ_KERNEL_HANDLE, NULL, TOKEN_ALL_ACCESS,
*SeTokenObjectType, KernelMode, &OldTokenHandle);
if (NT_SUCCESS(status)) {
__try {
void* ptr = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, tzuk);
if (ptr) {
ULONG len = 0;
status = ZwQueryInformationToken(OldTokenHandle, TokenSecurityAttributes, ptr, PAGE_SIZE, &len);
if (NT_SUCCESS(status)) {
@ -2320,23 +2409,18 @@ _FX void* Token_CreateNew(void* TokenObject, PROCESS* proc)
status = ZwSetInformationToken(TokenHandle, TokenSecurityAttributes, data, len);
}
ExFreePool(ptr);
ZwClose(OldTokenHandle);
}
if (ptr)ExFreePool(ptr);
} __except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode() + 0x01000000;
}
DbgPrint("TokenSecurityAttributes %08x", status);
ZwClose(OldTokenHandle);
}*/
}
finish:
if (LocalStatistics) ExFreePool((PVOID)LocalStatistics);
if (LocalUser) ExFreePool((PVOID)LocalUser);
if (LocalGroups) ExFreePool((PVOID)LocalGroups);
if (OldLocalGroups) ExFreePool((PVOID)OldLocalGroups);
if (LocalPrivileges) ExFreePool((PVOID)LocalPrivileges);
//if (UserAttributes) ExFreePool((PVOID)UserAttributes);
@ -2350,8 +2434,6 @@ finish:
if (LocalSource) ExFreePool((PVOID)LocalSource);
if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl);
if (NewOwner) ExFreePool((PVOID)NewOwner);
//
// get the actual token object from the handle
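Review bot: The new `SandboxieAllGroup` branch in Token_CreateToken passes the result of `ExAllocatePoolWithTag(PagedPool, NewSize, tzuk)` straight to `RtlZeroMemory` with no NULL check, so an allocation failure in the driver becomes a kernel NULL dereference instead of a failed token creation. Guard it before the zeroing, for example `if (!LocalGroups) { LocalGroups = OldLocalGroups; OldLocalGroups = NULL; status = STATUS_INSUFFICIENT_RESOURCES; goto finish; }`, assuming the `finish:` path tolerates a NULL `TokenHandle` as the other early exits presumably do. The re-allocated `LocalOwner` in the later hunk is dereferenced on the next line in the same way and needs the same check. Separately, the added group is given `SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT` but not `SE_GROUP_MANDATORY`; if ACLs are expected to key on this SID, confirm that a non-mandatory group is what is intended. The function body starts and ends outside the visible hunks.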


@ -119,6 +119,8 @@ bool DriverAssist::InitializePortAndThreads()
PSECURITY_DESCRIPTOR sd;
ULONG i, n;
InitSIDs();
//
// create a security descriptor with a limited DACL
// owner:system, group:system, dacl(allow;generic_all;system)


@ -122,6 +122,8 @@ private:
// SbieLogin
//
void InitSIDs();
bool GetSandboxieSID(const WCHAR* boxname, UCHAR* SandboxieLogonSid, DWORD dwSidSize);
void CleanUpSIDs();


@ -97,9 +97,38 @@ UCHAR SandboxieSid[12] = { // S-1-5-100-
1, // Revision
1, // SubAuthorityCount
0,0,0,0,0,5, // SECURITY_NT_AUTHORITY // IdentifierAuthority
SBIE_RID,0,0,0 // SubAuthority
SBIE_RID,0,0,0 // SubAuthority[0]
};
UCHAR SandboxieAllSid[16] = { // S-1-5-100-0
1, // Revision
2, // SubAuthorityCount
0,0,0,0,0,5, // SECURITY_NT_AUTHORITY // IdentifierAuthority
SBIE_RID,0,0,0, // SubAuthority[0]
0,0,0,0 // SubAuthority[1]
};
//---------------------------------------------------------------------------
// InitSIDs
//---------------------------------------------------------------------------
void DriverAssist::InitSIDs()
{
//
// add Sandboxie domain "Sandboxie"
//
AddSidName(SandboxieSid, SANDBOXIE, NULL);
//
// add Sandboxie box user "Sandboxie\\All Sandboxes"
//
AddSidName(SandboxieAllSid, SANDBOXIE, L"All Sandboxes");
}
//---------------------------------------------------------------------------
// GetSandboxieSID
@ -108,35 +137,28 @@ UCHAR SandboxieSid[12] = { // S-1-5-100-
bool DriverAssist::GetSandboxieSID(const WCHAR* boxname, UCHAR* pSID, DWORD dwSidSize)
{
if (!SbieApi_QueryConfBool(boxname, L"SandboxieLogon", FALSE))
if (boxname && !SbieApi_QueryConfBool(boxname, L"SandboxieLogon", FALSE))
return false;
WCHAR szUserName[256], szDomainName[256];
DWORD dwDomainSize = ARRAYSIZE(szDomainName);
SID_NAME_USE snu = SidTypeInvalid;
wcscpy(szUserName, SANDBOXIE L"\\");
wcscat(szUserName, boxname);
wcscpy(szUserName, SANDBOXIE);
if (boxname) {
wcscat(szUserName, L"\\");
wcscat(szUserName, boxname);
}
if (LookupAccountName(NULL, szUserName, pSID, &dwSidSize, szDomainName, &dwDomainSize, &snu))
return true;
//
// add Sandboxie domain "Sandboxie"
//
static bool SbieAdded = false;
if (!SbieAdded) {
AddSidName(SandboxieSid, SANDBOXIE, NULL);
SbieAdded = true;
}
//
// add Sandboxie box user "Sandboxie\\DefaultBox"
// add Sandboxie box user "Sandboxie\\[BoxName]"
//
UNICODE_STRING Name;
RtlInitUnicodeString(&Name, boxname);
RtlInitUnicodeString(&Name, boxname ? boxname : SANDBOXIE);
RtlCreateVirtualAccountSid(&Name, SBIE_RID, pSID, &dwSidSize);
return NT_SUCCESS(AddSidName(pSID, SANDBOXIE, boxname));
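Review bot: GetSandboxieSID still builds `szUserName` with unbounded `wcscpy`/`wcscat` into a 256-element stack buffer, and the rewritten block keeps that pattern for `boxname`. Unless every caller is known to pass a name already limited to the box-name length, add a length check before the copies, e.g. `if (boxname && wcslen(boxname) + wcslen(SANDBOXIE) + 2 > ARRAYSIZE(szUserName)) return false;`. The new NULL-`boxname` path also ignores the result of `RtlCreateVirtualAccountSid` and then calls `AddSidName(pSID, SANDBOXIE, boxname)` with a NULL name, which looks like it registers a second SID under the bare domain name that `InitSIDs` already maps to `SandboxieSid`; worth confirming that this is intended. The function's closing lines are outside the hunk.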


@ -6,8 +6,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>695</width>
<height>508</height>
<width>747</width>
<height>524</height>
</rect>
</property>
<property name="sizePolicy">
@ -77,7 +77,7 @@
<item>
<widget class="QCheckBox" name="chkSuspend">
<property name="text">
<string>Hotkey for suspending all processes:</string>
<string>Hotkey for suspending all process</string>
</property>
</widget>
</item>
@ -146,7 +146,6 @@
<widget class="QLabel" name="lblGeneral">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -174,7 +173,6 @@
<widget class="QLabel" name="lblRecovery">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -311,7 +309,6 @@
<widget class="QLabel" name="lblMessages">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -344,7 +341,6 @@
<widget class="QLabel" name="lblNotify">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -449,7 +445,7 @@
<item row="0" column="0">
<widget class="QTabWidget" name="tabsShell">
<property name="currentIndex">
<number>1</number>
<number>0</number>
</property>
<widget class="QWidget" name="tabWindows">
<attribute name="title">
@ -458,17 +454,29 @@
<layout class="QGridLayout" name="gridLayout_30">
<item row="0" column="0">
<layout class="QGridLayout" name="gridLayout_13">
<item row="6" column="2" colspan="3">
<widget class="QCheckBox" name="chkShellMenu2">
<property name="text">
<string>Add 'Run Un-Sandboxed' to the context menu</string>
<item row="14" column="1">
<spacer name="verticalSpacer_6">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
</widget>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>0</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="1" colspan="3">
<widget class="QCheckBox" name="chkAutoStart">
<item row="0" column="0">
<widget class="QLabel" name="lblStartUp">
<property name="font">
<font>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Start UI with Windows</string>
<string>Start Sandbox Manager</string>
</property>
</widget>
</item>
@ -485,77 +493,6 @@
</property>
</widget>
</item>
<item row="8" column="1" colspan="3">
<widget class="QCheckBox" name="chkScanMenu">
<property name="text">
<string>Scan shell folders and offer links in run menu</string>
</property>
</widget>
</item>
<item row="7" column="0">
<widget class="QLabel" name="lblStartMenu">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Start Menu Integration</string>
</property>
</widget>
</item>
<item row="11" column="1">
<spacer name="verticalSpacer_6">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>0</height>
</size>
</property>
</spacer>
</item>
<item row="9" column="2">
<widget class="QComboBox" name="cmbIntegrateMenu"/>
</item>
<item row="4" column="1" colspan="3">
<widget class="QCheckBox" name="chkShellMenu">
<property name="text">
<string>Add 'Run Sandboxed' to the explorer context menu</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="lblStartUp">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Start Sandbox Manager</string>
</property>
</widget>
</item>
<item row="3" column="3">
<spacer name="horizontalSpacer_6">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="1">
<widget class="QLabel" name="label_37">
<property name="maximumSize">
@ -569,11 +506,50 @@
</property>
</widget>
</item>
<item row="10" column="0" colspan="2">
<widget class="QLabel" name="label_29">
<property name="text">
<string>Integrate with Host Desktop</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="3">
<widget class="QCheckBox" name="chkSvcStart">
<property name="text">
<string>Start UI when a sandboxed process is started</string>
</property>
</widget>
</item>
<item row="5" column="2" colspan="3">
<widget class="QCheckBox" name="chkAlwaysDefault">
<property name="text">
<string>Always use DefaultBox</string>
</property>
</widget>
</item>
<item row="7" column="0">
<widget class="QLabel" name="lblStartMenu">
<property name="font">
<font>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Start Menu Integration</string>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="lblRunBoxed">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -583,10 +559,23 @@
</property>
</widget>
</item>
<item row="5" column="2" colspan="3">
<widget class="QCheckBox" name="chkAlwaysDefault">
<item row="14" column="3" colspan="2">
<spacer name="horizontalSpacer_2">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>0</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="1" colspan="3">
<widget class="QCheckBox" name="chkAutoStart">
<property name="text">
<string>Always use DefaultBox</string>
<string>Start UI with Windows</string>
</property>
</widget>
</item>
@ -603,39 +592,70 @@
</property>
</spacer>
</item>
<item row="11" column="3" colspan="2">
<spacer name="horizontalSpacer_2">
<item row="9" column="2">
<widget class="QComboBox" name="cmbIntegrateMenu"/>
</item>
<item row="4" column="1" colspan="3">
<widget class="QCheckBox" name="chkShellMenu">
<property name="text">
<string>Add 'Run Sandboxed' to the explorer context menu</string>
</property>
</widget>
</item>
<item row="11" column="0">
<widget class="QLabel" name="lblDesktop">
<property name="font">
<font>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Sandboxed Desktop</string>
</property>
</widget>
</item>
<item row="3" column="3">
<spacer name="horizontalSpacer_6">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>0</height>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="1" colspan="3">
<widget class="QCheckBox" name="chkSvcStart">
<property name="text">
<string>Start UI when a sandboxed process is started</string>
</property>
</widget>
</item>
<item row="10" column="2">
<widget class="QComboBox" name="cmbIntegrateDesk"/>
</item>
<item row="10" column="0" colspan="2">
<widget class="QLabel" name="label_29">
<item row="8" column="1" colspan="3">
<widget class="QCheckBox" name="chkScanMenu">
<property name="text">
<string>Integrate with Host Desktop</string>
<string>Scan shell folders and offer links in run menu</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</widget>
</item>
<item row="6" column="2" colspan="3">
<widget class="QCheckBox" name="chkShellMenu2">
<property name="text">
<string>Add 'Run Un-Sandboxed' to the context menu</string>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</widget>
</item>
<item row="12" column="1" colspan="3">
<widget class="QCheckBox" name="chkDeskAutoSwitch">
<property name="text">
<string>Switch to sandboxed desktop when starting a process</string>
</property>
</widget>
</item>
<item row="13" column="1" colspan="3">
<widget class="QCheckBox" name="chkDeskQuickSwitch">
<property name="text">
<string>Switch to sandboxed desktop with double click</string>
</property>
</widget>
</item>
@ -683,7 +703,6 @@
<widget class="QLabel" name="lblSysTray">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -956,7 +975,6 @@
</property>
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1462,7 +1480,6 @@
<widget class="QLabel" name="lblDiskImage">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1547,7 +1564,6 @@
<widget class="QLabel" name="lblCertExp">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1694,7 +1710,6 @@
<widget class="QLabel" name="lblCertGuide">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1755,7 +1770,6 @@
<widget class="QLabel" name="lblUpdates">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -1955,9 +1969,77 @@ Unlike the preview channel, it does not include untested, potentially breaking,
<layout class="QGridLayout" name="gridLayout_20">
<item row="0" column="0">
<layout class="QGridLayout" name="gridLayout_18">
<item row="11" column="4">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="11" column="2">
<spacer name="verticalSpacer_2">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="0" colspan="2">
<widget class="QLabel" name="label_16">
<property name="text">
<string>Sandbox &lt;a href=&quot;sbie://docs/keyrootpath&quot;&gt;registry root&lt;/a&gt;: </string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="lblBoxRoot">
<property name="font">
<font>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Sandbox default</string>
</property>
</widget>
</item>
<item row="1" column="2" colspan="2">
<widget class="QComboBox" name="cmbDefault"/>
</item>
<item row="4" column="2" colspan="5">
<widget class="QLineEdit" name="ipcRoot"/>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_15">
<property name="text">
<string>Sandbox &lt;a href=&quot;sbie://docs/filerootpath&quot;&gt;file system root&lt;/a&gt;: </string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</property>
</widget>
</item>
<item row="5" column="2">
<spacer name="horizontalSpacer_12">
<property name="orientation">
@ -1971,41 +2053,65 @@ Unlike the preview channel, it does not include untested, potentially breaking,
</property>
</spacer>
</item>
<item row="1" column="2" colspan="2">
<widget class="QComboBox" name="cmbDefault"/>
</item>
<item row="2" column="7">
<widget class="QPushButton" name="btnBrowse">
<property name="maximumSize">
<size>
<width>23</width>
<height>16777215</height>
</size>
</property>
<item row="1" column="0" colspan="2">
<widget class="QLabel" name="label_7">
<property name="text">
<string>...</string>
<string>Default sandbox:</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
</widget>
</item>
<item row="2" column="2" colspan="5">
<widget class="QLineEdit" name="fileRoot"/>
<item row="7" column="1" colspan="6">
<widget class="QCheckBox" name="chkObjCb">
<property name="text">
<string>Activate Kernel Mode Object Filtering</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="lblBoxRoot">
<item row="5" column="0" colspan="2">
<widget class="QLabel" name="lblBoxFeatures">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Sandbox default</string>
<string>Sandboxing features</string>
</property>
</widget>
</item>
<item row="3" column="2" colspan="5">
<widget class="QLineEdit" name="regRoot"/>
<item row="11" column="3">
<spacer name="horizontalSpacer_15">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="8" column="1" colspan="6">
<widget class="QCheckBox" name="chkWin32k">
<property name="text">
<string>Hook selected Win32k system calls to enable GPU acceleration (experimental)</string>
</property>
</widget>
</item>
<item row="9" column="1" colspan="6">
<widget class="QCheckBox" name="chkSbieLogon">
<property name="text">
<string>Use a Sandboxie login instead of an anonymous token</string>
</property>
</widget>
</item>
<item row="2" column="2" colspan="5">
<widget class="QLineEdit" name="fileRoot"/>
</item>
<item row="1" column="5" colspan="2">
<widget class="QCheckBox" name="chkAutoRoot">
@ -2027,111 +2133,7 @@ Unlike the preview channel, it does not include untested, potentially breaking,
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QLabel" name="label_7">
<property name="text">
<string>Default sandbox:</string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
</widget>
</item>
<item row="6" column="1" colspan="6">
<widget class="QCheckBox" name="chkWFP">
<property name="text">
<string>Use Windows Filtering Platform to restrict network access</string>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_15">
<property name="text">
<string>Sandbox &lt;a href=&quot;sbie://docs/filerootpath&quot;&gt;file system root&lt;/a&gt;: </string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</property>
</widget>
</item>
<item row="7" column="1" colspan="6">
<widget class="QCheckBox" name="chkObjCb">
<property name="text">
<string>Activate Kernel Mode Object Filtering</string>
</property>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QLabel" name="label_16">
<property name="text">
<string>Sandbox &lt;a href=&quot;sbie://docs/keyrootpath&quot;&gt;registry root&lt;/a&gt;: </string>
</property>
<property name="alignment">
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="openExternalLinks">
<bool>true</bool>
</property>
</widget>
</item>
<item row="10" column="2">
<spacer name="verticalSpacer_2">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
<item row="10" column="4">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="5" column="0" colspan="2">
<widget class="QLabel" name="lblBoxFeatures">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="text">
<string>Sandboxing features</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="6">
<widget class="QCheckBox" name="chkWin32k">
<property name="text">
<string>Hook selected Win32k system calls to enable GPU acceleration (experimental)</string>
</property>
</widget>
</item>
<item row="9" column="1" colspan="6">
<widget class="QCheckBox" name="chkSbieLogon">
<property name="text">
<string>Use a Sandboxie login instead of an anonymous token</string>
</property>
</widget>
</item>
<item row="10" column="1">
<item row="11" column="1">
<spacer name="horizontalSpacer_4">
<property name="orientation">
<enum>Qt::Horizontal</enum>
@ -2144,18 +2146,35 @@ Unlike the preview channel, it does not include untested, potentially breaking,
</property>
</spacer>
</item>
<item row="10" column="3">
<spacer name="horizontalSpacer_15">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<item row="3" column="2" colspan="5">
<widget class="QLineEdit" name="regRoot"/>
</item>
<item row="2" column="7">
<widget class="QPushButton" name="btnBrowse">
<property name="maximumSize">
<size>
<width>40</width>
<height>20</height>
<width>23</width>
<height>16777215</height>
</size>
</property>
</spacer>
<property name="text">
<string>...</string>
</property>
</widget>
</item>
<item row="6" column="1" colspan="6">
<widget class="QCheckBox" name="chkWFP">
<property name="text">
<string>Use Windows Filtering Platform to restrict network access</string>
</property>
</widget>
</item>
<item row="10" column="1" colspan="6">
<widget class="QCheckBox" name="chkSbieAll">
<property name="text">
<string>Add &quot;Sandboxie\All Sandboxes&quot; group to the sandboxed token (experimental)</string>
</property>
</widget>
</item>
</layout>
</item>
@ -2207,19 +2226,6 @@ Unlike the preview channel, it does not include untested, potentially breaking,
</property>
</widget>
</item>
<item row="4" column="1" rowspan="2">
<spacer name="horizontalSpacer_23">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>140</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="2">
<widget class="QCheckBox" name="chkAdminOnly">
<property name="text">
@ -2231,7 +2237,6 @@ Unlike the preview channel, it does not include untested, potentially breaking,
<widget class="QLabel" name="lblProtection">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
@ -2248,6 +2253,19 @@ Unlike the preview channel, it does not include untested, potentially breaking,
</property>
</widget>
</item>
<item row="7" column="2">
<spacer name="horizontalSpacer_24">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>40</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</widget>
@ -2431,7 +2449,7 @@ Unlike the preview channel, it does not include untested, potentially breaking,
<item row="0" column="0">
<widget class="QTabWidget" name="tabsTemplates">
<property name="currentIndex">
<number>0</number>
<number>1</number>
</property>
<widget class="QWidget" name="tabAppCompat">
<attribute name="title">
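Review bot: The `chkSuspend` label appears to change from "Hotkey for suspending all processes:" to "Hotkey for suspending all process", which reads like an accidental revert picked up when the form was re-saved rather than an intended edit; restore `<string>Hotkey for suspending all processes:</string>`. If translations are keyed on the source string, this change would also orphan the existing entries. The two `currentIndex` flips on `tabsShell` and `tabsTemplates` look like Designer editing state and could be dropped from the commit, so that the only functional change in this file is the new `chkSbieAll` checkbox.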


@ -1007,6 +1007,7 @@ void CSettingsWindow::LoadSettings()
ui.chkObjCb->setChecked(theAPI->GetGlobalSettings()->GetBool("EnableObjectFiltering", true));
ui.chkWin32k->setChecked(theAPI->GetGlobalSettings()->GetBool("EnableWin32kHooks", true));
ui.chkSbieLogon->setChecked(theAPI->GetGlobalSettings()->GetBool("SandboxieLogon", false));
ui.chkSbieAll->setChecked(theAPI->GetGlobalSettings()->GetBool("SandboxieAllGroup", false));
ui.chkAdminOnly->setChecked(theAPI->GetGlobalSettings()->GetBool("EditAdminOnly", false));
ui.chkAdminOnly->setEnabled(IsAdminUser());
@ -1699,6 +1700,7 @@ void CSettingsWindow::SaveSettings()
WriteAdvancedCheck(ui.chkObjCb, "EnableObjectFiltering", "", "n");
WriteAdvancedCheck(ui.chkWin32k, "EnableWin32kHooks", "", "n");
WriteAdvancedCheck(ui.chkSbieLogon, "SandboxieLogon", "y", "");
WriteAdvancedCheck(ui.chkSbieAll, "SandboxieAllGroup", "y", "");
if (m_FeaturesChanged) {
m_FeaturesChanged = false;