This commit is contained in:
DavidXanatos 2023-02-06 19:10:24 +01:00
parent 504bdcd03d
commit 7249835ba6
16 changed files with 680 additions and 108 deletions


@ -5,6 +5,22 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [1.7.3 / 5.62.3] - 2023-02-??
### Changed
- 'OpenProtectedStorage=y' has been replaced with a template
- moved all built in access rules to a set of default tempaltes
- moved WinInetCache controll to a tempalte OpenWinInetCache, 'CloseWinInetCache=y' is now obsolete
- added hook for CreateAppContainerToken, should also improve compatybility with other apps
-- note: Template_Edge_Fix is no longer required
### Fixed
- added AppContainer support for Compartment type boxes
## [1.7.2 / 5.62.2] - 2023-02-05
### Changed


@ -21,8 +21,8 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,62,2
#define MY_VERSION_STRING "5.62.2"
#define MY_VERSION_BINARY 5,62,3
#define MY_VERSION_STRING "5.62.3"
#define MY_ABI_VERSION 0x56000
// These #defines are used by either Resource Compiler or NSIS installer


@ -1,6 +1,6 @@
/*
* Copyright 2004-2020 Sandboxie Holdings, LLC
* Copyright 2020-2021 David Xanatos, xanasoft.com
* Copyright 2020-2023 David Xanatos, xanasoft.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -426,10 +426,6 @@ _FX BOOLEAN SbieDll_IsOpenClsid(
0x3480A401, 0xBDE9, 0x4407,
{ 0xBC, 0x02, 0x79, 0x8A, 0x86, 0x6A, 0xC0, 0x51 } };
static const GUID CLSID_WinInetCache = {
0x0358B920, 0x0AC7, 0x461F,
{ 0x98, 0xF4, 0x58, 0xE3, 0x2C, 0xD8, 0x91, 0x48 } };
//
// open the null clsid to open all
//
@ -455,15 +451,6 @@ _FX BOOLEAN SbieDll_IsOpenClsid(
return TRUE;
}
//
// Sbie builds after 5.27-1 broke IE's source view and cache,
// by opening WinInetCache here and in Ipc_InitPaths.
// with CloseWinInetCache=y this change can be undone
//
if (((Dll_OsBuild >= 10240) && memcmp(rclsid, &CLSID_WinInetCache, sizeof(GUID)) == 0) && !SbieApi_QueryConfBool(NULL, L"CloseWinInetCache", FALSE)) // this breaks IE view source
return TRUE;
//
// initialize list of user-configured CLSID exclusions
//


@ -146,8 +146,6 @@ DEFINE_GUID(GUID_SANDBOXIE,
static const WCHAR *Cred_SimpleCred = L"SimpleCred-";
static const WCHAR *Cred_DomainCred = L"DomainCred-";
extern const WCHAR *Pst_OpenProtectedStorage;
//static BOOLEAN Cred_Trace = FALSE;
@ -177,7 +175,8 @@ _FX BOOLEAN Cred_Init_AdvApi(HMODULE module)
// don't hook anything
//
if (SbieApi_QueryConfBool(NULL, Pst_OpenProtectedStorage, FALSE))
ULONG mp_flags = SbieDll_MatchPath(L'i', L"\\RPC Control\\protected_storage");
if (PATH_IS_OPEN(mp_flags))
return TRUE;
if (SbieApi_QueryConfBool(NULL, L"OpenCredentials", FALSE))
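Review bot: The remaining comment line `// don't hook anything` above the new check in Cred_Init_AdvApi presumably still belongs to the sentence that is visible verbatim in pst.cpp (hunk @ -86: `if OpenProtectedStorage is specified, don't hook anything`), but the code no longer reads that setting: it now asks SbieDll_MatchPath whether `\RPC Control\protected_storage` is an open IPC path, and the changelog says `OpenProtectedStorage=y` has been replaced by a template. Both comment blocks should describe the new condition, e.g. `// if the protected_storage RPC port is an open IPC path (e.g. via the replacement template), don't hook anything`. Since the same two-line check is duplicated in cred.c and pst.cpp, a short note naming the other site would help keep them in step. Cred_Init_AdvApi starts and ends outside the hunk.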


@ -64,6 +64,10 @@ static BOOL Proc_SetProcessMitigationPolicy(
_In_reads_bytes_(dwLength) PVOID lpBuffer,
_In_ SIZE_T dwLength);
static BOOL Proc_CreateAppContainerToken(
HANDLE TokenHandle,
PSECURITY_CAPABILITIES SecurityCapabilities,
PHANDLE OutToken);
static BOOL Proc_AlternateCreateProcess(
const WCHAR *lpApplicationName, WCHAR *lpCommandLine,
@ -292,6 +296,12 @@ typedef BOOL (*P_SetProcessMitigationPolicy)(
_In_reads_bytes_(dwLength) PVOID lpBuffer,
_In_ SIZE_T dwLength);
typedef BOOL(*P_CreateAppContainerToken)(
HANDLE TokenHandle,
PSECURITY_CAPABILITIES SecurityCapabilities,
PHANDLE OutToken);
//---------------------------------------------------------------------------
@ -329,6 +339,8 @@ static P_UpdateProcThreadAttribute __sys_UpdateProcThreadAttribute = NULL;
static P_SetProcessMitigationPolicy __sys_SetProcessMitigationPolicy = NULL;
static P_CreateAppContainerToken __sys_CreateAppContainerToken = NULL;
//---------------------------------------------------------------------------
// Variables
//---------------------------------------------------------------------------
@ -354,7 +366,7 @@ _FX BOOLEAN Proc_Init(void)
ANSI_STRING ansi;
NTSTATUS status;
if(!Dll_CompartmentMode)
if (!Dll_CompartmentMode)
Dll_ElectronWorkaround = Config_GetSettingsForImageName_bool(L"UseElectronWorkaround", FALSE);
//
@ -417,7 +429,7 @@ _FX BOOLEAN Proc_Init(void)
// SetProcessMitigationPolicy
//
// fox for SBIE2303 Could not hook ... (33, 1655) due to mitigation policies
// fix for SBIE2303 Could not hook ... (33, 1655) due to mitigation policies
if (Dll_OsBuild >= 8400) // win8
{
void* SetProcessMitigationPolicy = NULL;
@ -428,6 +440,25 @@ _FX BOOLEAN Proc_Init(void)
SBIEDLL_HOOK(Proc_, SetProcessMitigationPolicy);
}
//
// When not in Compartment mode, windows AppContainer isolation is not supported
// hook the CreateAppContainerToken and return a regular token
// we hook CreateAppContainerToken rather then NtCreateLowBoxToken
// as we dont waht CreateAppContainerToken to fail when
// \Sessions\*\AppContainerNamedObjects\* is not open
//
if (!Dll_CompartmentMode)
if (Dll_OsBuild >= 9600) // Windows 8.1 and later
{
void* CreateAppContainerToken = NULL;
RtlInitString(&ansi, "CreateAppContainerToken");
status = LdrGetProcedureAddress(
Dll_KernelBase, &ansi, 0, (void**)&CreateAppContainerToken);
if (NT_SUCCESS(status))
SBIEDLL_HOOK(Proc_, CreateAppContainerToken);
}
//
// CreateProcessInternal
//
@ -632,6 +663,36 @@ _FX BOOL Proc_SetProcessMitigationPolicy(
}
//---------------------------------------------------------------------------
// Proc_CreateAppContainerToken
//---------------------------------------------------------------------------
_FX BOOL Proc_CreateAppContainerToken(
HANDLE TokenHandle,
PSECURITY_CAPABILITIES SecurityCapabilities,
PHANDLE OutToken)
{
#if 1
OBJECT_ATTRIBUTES objattrs;
SECURITY_QUALITY_OF_SERVICE QoS;
InitializeObjectAttributes(&objattrs, NULL, 0, NULL, NULL);
QoS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
QoS.ImpersonationLevel = SecurityIdentification;
QoS.ContextTrackingMode = SECURITY_STATIC_TRACKING;
QoS.EffectiveOnly = FALSE;
objattrs.SecurityQualityOfService = &QoS;
NTSTATUS status = NtDuplicateToken(TokenHandle, MAXIMUM_ALLOWED, &objattrs, FALSE, TokenPrimary, OutToken);
return NT_SUCCESS(status);
#else
BOOL ret = __sys_CreateAppContainerToken(TokenHandle, SecurityCapabilities, OutToken);
return ret;
#endif
}
//---------------------------------------------------------------------------
// Proc_FindArgumentEnd
//---------------------------------------------------------------------------
@ -1070,6 +1131,7 @@ _FX BOOL Proc_CreateProcessInternalW(
// const wchar_t* imageName = L"DcomLaunch.exe";
// if ((lpApplicationName && wcsstr(lpApplicationName,imageName) != NULL) || (lpCommandLine && wcsstr(lpCommandLine,imageName) != NULL)) {
//if(wcsstr(lpCommandLine, L"renderer")) {
// while (!IsDebuggerPresent())
// Sleep(500);
// __debugbreak();
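Review bot: Proc_CreateAppContainerToken (hunk @ -632,6 +663,36) returns FALSE when NtDuplicateToken fails but never sets a Win32 last-error, while the kernelbase routine it replaces is expected to report failure through GetLastError(), so a caller that inspects the error code after a FALSE return sees a stale value; add `if (!NT_SUCCESS(status)) SetLastError(RtlNtStatusToDosError(status));` before `return NT_SUCCESS(status);`. SecurityCapabilities is accepted but never read in the live `#if 1` branch, so the capability set the caller asked for is silently dropped and a plain primary duplicate of TokenHandle opened with MAXIMUM_ALLOWED is handed back; that is the stated intent, but it is only explained in Proc_Init, so the function header should say so, e.g. `// AppContainer isolation is not supported outside Compartment mode: SecurityCapabilities is ignored and a primary duplicate of TokenHandle is returned so the caller does not fail`. The `#else` branch calling __sys_CreateAppContainerToken is dead under `#if 1`, which leaves the hooked original pointer assigned but unused; either remove the branch or make the fallback a real runtime condition. The comment added in Proc_Init has typos (`rather then`, `dont waht`) that should read `rather than` and `don't want`.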


@ -1,5 +1,6 @@
/*
* Copyright 2004-2020 Sandboxie Holdings, LLC
* Copyright 2021-2023 David Xanatos, xanasoft.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -48,8 +49,6 @@ static void *__sys_CoTaskMemAlloc = NULL;
static const char *Pst_PStoreCreateInstanceProcName = "PStoreCreateInstance";
extern "C" const WCHAR *Pst_OpenProtectedStorage = L"OpenProtectedStorage";
//---------------------------------------------------------------------------
// PStoreCreateInstance
@ -86,7 +85,8 @@ extern "C" _FX BOOLEAN Pst_Init(HMODULE module)
// if OpenProtectedStorage is specified, don't hook anything
//
if (SbieApi_QueryConfBool(NULL, Pst_OpenProtectedStorage, FALSE))
ULONG mp_flags = SbieDll_MatchPath(L'i', L"\\RPC Control\\protected_storage");
if (PATH_IS_OPEN(mp_flags))
return TRUE;
//


@ -101,7 +101,7 @@ const WCHAR *Driver_Sandbox = L"\\Sandbox";
const WCHAR *Driver_Empty = L"";
const WCHAR *Driver_OpenProtectedStorage = L"OpenProtectedStorage";
//const WCHAR *Driver_OpenProtectedStorage = L"OpenProtectedStorage";
WCHAR *Driver_RegistryPath;


@ -71,6 +71,8 @@
#define USE_MATCH_PATH_EX
#define USE_TEMPLATE_PATHS
#define HOOK_WIN32K
//---------------------------------------------------------------------------
@ -148,7 +150,7 @@ extern const WCHAR *Driver_Sandbox;
extern const WCHAR *Driver_Empty;
extern const WCHAR *Driver_OpenProtectedStorage;
//extern const WCHAR *Driver_OpenProtectedStorage;
extern PSECURITY_DESCRIPTOR Driver_PublicSd;
extern PACL Driver_PublicAcl;


@ -564,6 +564,8 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
static const WCHAR *_ClosedPath = L"ClosedFilePath";
static const WCHAR *_ReadPath = L"ReadFilePath";
static const WCHAR *_WritePath = L"WriteFilePath";
#ifndef USE_TEMPLATE_PATHS
#ifdef USE_MATCH_PATH_EX
static const WCHAR *normalpaths[] = {
L"%SystemRoot%\\*",
@ -676,6 +678,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
L"\\Device\\SrpDevice", // Smart App Control
NULL
};
#endif
static const WCHAR* drive_devices[] = {
L"\\Device\\Floppy*\\*",
L"\\Device\\CdRom*\\*",
@ -693,14 +696,19 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
// normal paths
//
ok = Process_GetPaths(proc, normal_file_paths, _NormalPath, TRUE);
ok = Process_GetPaths(proc, normal_file_paths, proc->box->name, _NormalPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, normal_file_paths, _NormalPath);
#else
if (ok && proc->use_privacy_mode) {
for (i = 0; normalpaths[i] && ok; ++i) {
ok = Process_AddPath(
proc, normal_file_paths, NULL, TRUE, normalpaths[i], FALSE);
}
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
@ -712,7 +720,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
// open paths
//
ok = Process_GetPaths(proc, open_file_paths, _OpenPipe, TRUE);
ok = Process_GetPaths(proc, open_file_paths, proc->box->name, _OpenPipe, TRUE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenPipe, proc->pid);
return FALSE;
@ -720,7 +728,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
if (! proc->dont_open_for_boxed || ! proc->image_from_box) {
ok = Process_GetPaths(proc, open_file_paths, _OpenFile, TRUE);
ok = Process_GetPaths(proc, open_file_paths, proc->box->name, _OpenFile, TRUE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenFile, proc->pid);
@ -728,16 +736,25 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
}
}
if (ok && Conf_Get_Boolean(
proc->box->name, Driver_OpenProtectedStorage, 0, FALSE)) {
static const WCHAR *_PstPipe =
L"\\Device\\NamedPipe\\protected_storage";
ok = Process_AddPath(
proc, open_file_paths, NULL, TRUE, _PstPipe, FALSE);
}
//if (ok && Conf_Get_Boolean(
// proc->box->name, Driver_OpenProtectedStorage, 0, FALSE)) {
//
// static const WCHAR *_PstPipe =
// L"\\Device\\NamedPipe\\protected_storage";
//
// ok = Process_AddPath(
// proc, open_file_paths, NULL, TRUE, _PstPipe, FALSE);
//}
#ifdef USE_TEMPLATE_PATHS
if (ok) {
ok = Process_GetTemplatePaths(proc, open_file_paths, _OpenFile);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenFile, proc->pid);
return FALSE;
}
}
#else
for (i = 0; openpipes[i] && ok; ++i) {
ok = Process_AddPath(
proc, open_file_paths, NULL, TRUE, openpipes[i], FALSE);
@ -749,6 +766,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
proc, open_file_paths, NULL, TRUE, openPipesCM[i], FALSE);
}
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenPipe, proc->pid);
@ -759,7 +777,12 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
// closed paths
//
ok = Process_GetPaths(proc, closed_file_paths, _ClosedPath, TRUE);
ok = Process_GetPaths(proc, closed_file_paths, proc->box->name, _ClosedPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, closed_file_paths, _ClosedPath);
#else
if (ok) {
// the LanmanRedirector/Mup devices (when accessed without extra paths)
// is a security attack, and must be closed
@ -775,6 +798,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
for (i = 0; strWinRMFiles[i] && ok; ++i) {
ok = Process_AddPath(proc, closed_file_paths, _ClosedPath, TRUE, strWinRMFiles[i], FALSE);
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ClosedPath, proc->pid);
@ -786,10 +810,16 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
//
#ifndef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, open_file_paths, _ReadPath, TRUE);
ok = Process_GetPaths(proc, open_file_paths, proc->box->name, _ReadPath, TRUE);
if (ok)
#endif
ok = Process_GetPaths(proc, read_file_paths, _ReadPath, TRUE);
ok = Process_GetPaths(proc, read_file_paths, proc->box->name, _ReadPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, read_file_paths, _ReadPath);
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ReadPath, proc->pid);
return FALSE;
@ -800,7 +830,12 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
//
#ifdef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, write_file_paths, _WritePath, TRUE);
ok = Process_GetPaths(proc, write_file_paths, proc->box->name, _WritePath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, write_file_paths, _WritePath);
#endif
if (ok && proc->use_privacy_mode) { // in privacy mode all drive paths are set to "write"
for (i = 0; drive_devices[i] && ok; ++i) {
@ -814,7 +849,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
_WritePath, TRUE);
if (ok) {
ok = Process_GetPaths(
proc, closed_file_paths, _WritePath, TRUE);
proc, closed_file_paths, proc->box->name, _WritePath, TRUE);
}
#endif
if (! ok) {
@ -841,16 +876,32 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
&is_open, &is_closed);
if (is_closed && !proc->AllowInternetAccess) {
#ifdef USE_TEMPLATE_PATHS
ok = Process_GetPaths(proc, closed_file_paths, L"TemplateNetworkPaths", _ClosedPath, FALSE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ClosedPath, proc->pid);
return FALSE;
}
#else
for (i = 0; closedNetPipes[i] && ok; ++i) {
ok = Process_AddPath(
proc, closed_file_paths, NULL, TRUE, closedNetPipes[i], FALSE);
}
#endif
}
else {
#ifdef USE_TEMPLATE_PATHS
ok = Process_GetPaths(proc, open_file_paths, L"TemplateNetworkPaths", _OpenFile, FALSE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenFile, proc->pid);
return FALSE;
}
#else
for (i = 0; openNetPipes[i] && ok; ++i) {
ok = Process_AddPath(
proc, open_file_paths, NULL, TRUE, openNetPipes[i], FALSE);
}
#endif
}
}
@ -867,6 +918,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
// so we close all typical endpoints except a selected few.
//
#ifndef USE_TEMPLATE_PATHS
ok = Process_AddPath(proc, closed_file_paths, NULL, FALSE, File_Device, TRUE);
if (ok) {
@ -875,6 +927,7 @@ _FX BOOLEAN File_InitPaths(PROCESS *proc,
proc, normal_file_paths, NULL, FALSE, approved_devices[i], FALSE);
}
}
#endif
if (ok && !proc->use_privacy_mode) { // when not in privacy mode we need to set drive paths to "normal"
for (i = 0; drive_devices[i] && ok; ++i) {
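Review bot: Under USE_TEMPLATE_PATHS the hunk @ -759 moves the closing of `\Device\LanmanRedirector` and `\Device\Mup` out of File_InitPaths and into the `[TemplateDefaultPaths]` section of Templates.ini, so a rule the old in-code comment calls a security attack that must be closed now depends on that ini section being present and loaded; judging by Process_GetPaths, which simply stops when Conf_Get returns no more values, Process_GetTemplatePaths appears to succeed with nothing added if the section is missing, and the process would start without those closures. Consider keeping these two ClosedFilePath entries in code regardless of the build flag, with a comment such as `// LanmanRedirector/Mup must stay closed even if the template file is missing or stale`, or failing File_InitPaths when the default template section yields no entries. The code left as commented-out lines in hunk @ -728 (`//if (ok && Conf_Get_Boolean(`) should be deleted rather than kept, since the Driver_OpenProtectedStorage setting it reads is itself commented out in driver.c; the same applies to the commented-out blocks in ipc.c (hunks @ -636 and @ -655). File_InitPaths starts and ends outside the hunks.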


@ -163,6 +163,7 @@ _FX BOOLEAN Gui_InitProcess(PROCESS *proc)
{
//static const WCHAR *_OpenClass = L"OpenWinClass";
//static const WCHAR *_Asterisk = L"*";
#ifndef USE_TEMPLATE_PATHS
static const WCHAR *openclasses[] = {
L"Shell_TrayWnd",
L"TrayNotifyWnd",
@ -191,12 +192,18 @@ _FX BOOLEAN Gui_InitProcess(PROCESS *proc)
L"MdiClass", // PowerPoint
NULL
};
#endif
ULONG i;
BOOLEAN ok;
ok = Process_GetPaths(
proc, &proc->open_win_classes, Gui_OpenClass_Name, FALSE);
proc, &proc->open_win_classes, proc->box->name, Gui_OpenClass_Name, FALSE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->open_win_classes, Gui_OpenClass_Name);
#else
if (ok) {
for (i = 0; openclasses[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->open_win_classes, NULL,
@ -211,15 +218,19 @@ _FX BOOLEAN Gui_InitProcess(PROCESS *proc)
proc, &proc->open_win_classes, NULL,
TRUE, L"Sandbox:*:ConsoleWindowClass", FALSE);
AddMSTaskSwWClass = TRUE;
} else if ((! proc->image_from_box) &&
}
#ifdef XP_SUPPORT
else if ((! proc->image_from_box) &&
( _wcsicmp(proc->image_name, L"excel.exe") == 0
|| _wcsicmp(proc->image_name, L"powerpnt.exe") == 0))
AddMSTaskSwWClass = TRUE;
#endif
if (ok && AddMSTaskSwWClass) {
ok = Process_AddPath(proc, &proc->open_win_classes, NULL,
TRUE, L"MSTaskSwWClass", FALSE);
}
}
#endif
/*if (ok) {
BOOLEAN is_closed;
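Review bot: `ULONG i;` on the line after the new `#endif` in Gui_InitProcess is declared unconditionally, but every use of it visible in this section sits inside `#else` branches, so a USE_TEMPLATE_PATHS build likely gets an unused-variable warning here; move the declaration inside the `#ifndef USE_TEMPLATE_PATHS` block next to openclasses, or guard it the same way. Ipc_InitPaths in ipc.c shows the same pattern (`ULONG i;` right after the added `#endif` in hunk @ -627, uses only in `#else` blocks). Gui_InitProcess continues outside the hunks, so a use elsewhere in the function may still keep `i` live; please check before moving it.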


@ -422,6 +422,8 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
static const WCHAR* _OpenPath = L"OpenIpcPath";
static const WCHAR* _ClosedPath = L"ClosedIpcPath";
static const WCHAR* _ReadPath = L"ReadIpcPath";
#ifndef USE_TEMPLATE_PATHS
static const WCHAR* openpaths[] = {
L"\\Windows\\ApiPort",
L"\\Sessions\\*\\Windows\\ApiPort",
@ -627,6 +629,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
L"$:explorer.exe",
NULL
};
#endif
ULONG i;
BOOLEAN ok;
@ -636,14 +639,19 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
//
#ifdef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, &proc->normal_ipc_paths, _NormalPath, FALSE);
ok = Process_GetPaths(proc, &proc->normal_ipc_paths, proc->box->name, _NormalPath, FALSE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->normal_ipc_paths, _NormalPath);
#else
//if (ok && proc->use_privacy_mode) {
// for (i = 0; normalpaths[i] && ok; ++i) {
// ok = Process_AddPath(proc, &proc->normal_ipc_paths, NULL,
// TRUE, normalpaths[i], FALSE);
// }
//}
#endif
if (!ok) {
Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
@ -655,28 +663,33 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
// open paths
//
ok = Process_GetPaths(proc, &proc->open_ipc_paths, _OpenPath, FALSE);
ok = Process_GetPaths(proc, &proc->open_ipc_paths, proc->box->name, _OpenPath, FALSE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->open_ipc_paths, _OpenPath);
#else
//
// if configuration option OpenProtectedStorage applies,
// then allow access to ProtectedStorage objects
//
if (ok && Conf_Get_Boolean(
proc->box->name, Driver_OpenProtectedStorage, 0, FALSE)) {
static const WCHAR *_PstEvent =
L"*\\BaseNamedObjects*\\PS_SERVICE_STARTED";
static const WCHAR *_PstPort =
L"\\RPC Control\\protected_storage";
ok = Process_AddPath(
proc, &proc->open_ipc_paths, NULL, TRUE, _PstEvent, FALSE);
if (ok) {
ok = Process_AddPath(
proc, &proc->open_ipc_paths, NULL, TRUE, _PstPort, FALSE);
}
}
//if (ok && Conf_Get_Boolean(
// proc->box->name, Driver_OpenProtectedStorage, 0, FALSE)) {
//
// static const WCHAR *_PstEvent =
// L"*\\BaseNamedObjects*\\PS_SERVICE_STARTED";
// static const WCHAR *_PstPort =
// L"\\RPC Control\\protected_storage";
//
// ok = Process_AddPath(
// proc, &proc->open_ipc_paths, NULL, TRUE, _PstEvent, FALSE);
// if (ok) {
// ok = Process_AddPath(
// proc, &proc->open_ipc_paths, NULL, TRUE, _PstPort, FALSE);
// }
//}
//
// add default/built-in open paths
@ -720,17 +733,8 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
TRUE, openpaths_windows10[i], FALSE);
}
if (!Conf_Get_Boolean(proc->box->name, L"CloseWinInetCache", 0, FALSE)) { // this breaks IE view source, see SbieDll_IsOpenClsid
static const WCHAR* webcache_ = L"\\RPC Control\\webcache_*";
static const WCHAR* windows_webcache_counters_ = L"*\\BaseNamedObjects\\windows_webcache_counters_*";
if (ok) ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
FALSE, webcache_, FALSE);
if (ok) ok = Process_AddPath(proc, &proc->open_ipc_paths, NULL,
FALSE, windows_webcache_counters_, FALSE);
}
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenPath, proc->pid);
@ -741,7 +745,13 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
// closed paths
//
ok = Process_GetPaths(proc, &proc->closed_ipc_paths, _ClosedPath, FALSE);
ok = Process_GetPaths(proc, &proc->closed_ipc_paths, proc->box->name, _ClosedPath, FALSE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->closed_ipc_paths, _ClosedPath);
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ClosedPath, proc->pid);
return FALSE;
@ -751,8 +761,12 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
// read-only paths
//
ok = Process_GetPaths(proc, &proc->read_ipc_paths, _ReadPath, FALSE);
ok = Process_GetPaths(proc, &proc->read_ipc_paths, proc->box->name, _ReadPath, FALSE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->read_ipc_paths, _ReadPath);
#else
if (ok) {
for (i = 0; readpaths[i] && ok; ++i) {
@ -760,6 +774,7 @@ _FX BOOLEAN Ipc_InitPaths(PROCESS* proc)
TRUE, readpaths[i], FALSE);
}
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ReadPath, proc->pid);


@ -240,12 +240,10 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
static const WCHAR *_ClosedPath = L"ClosedKeyPath";
static const WCHAR *_ReadPath = L"ReadKeyPath";
static const WCHAR *_WritePath = L"WriteKeyPath";
#ifndef USE_TEMPLATE_PATHS
#ifdef USE_MATCH_PATH_EX
static const WCHAR *normalpaths[] = {
//L"HKEY_LOCAL_MACHINE\\*",
//L"HKEY_CURRENT_USER\\software\\Microsoft\\*",
//L"HKEY_CURRENT_USER\\software\\WOW6432Node\\Microsoft\\*",
//L"\\REGISTRY\\USER\\*_Classes\\*",
NULL
};
static const WCHAR *writepaths[] = {
@ -260,6 +258,7 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
L"\\REGISTRY\\A\\*",
NULL
};
#endif
BOOLEAN ok;
@ -270,14 +269,19 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
// normal paths
//
ok = Process_GetPaths(proc, &proc->normal_key_paths, _NormalPath, TRUE);
ok = Process_GetPaths(proc, &proc->normal_key_paths, proc->box->name, _NormalPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->normal_key_paths, _NormalPath);
#else
if (ok && proc->use_privacy_mode) {
for (i = 0; normalpaths[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->normal_key_paths, NULL,
TRUE, normalpaths[i], FALSE);
}
}
#endif
if (!ok) {
Log_MsgP1(MSG_INIT_PATHS, _NormalPath, proc->pid);
@ -289,7 +293,7 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
// open paths
//
ok = Process_GetPaths(proc, &proc->open_key_paths, _OpenConf, TRUE);
ok = Process_GetPaths(proc, &proc->open_key_paths, proc->box->name, _OpenConf, TRUE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenConf, proc->pid);
return FALSE;
@ -297,21 +301,22 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
if (! proc->dont_open_for_boxed || ! proc->image_from_box) {
ok = Process_GetPaths(proc, &proc->open_key_paths, _OpenPath, TRUE);
ok = Process_GetPaths(proc, &proc->open_key_paths, proc->box->name, _OpenPath, TRUE);
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenPath, proc->pid);
return FALSE;
}
}
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->open_key_paths, _OpenPath);
#else
for (i = 0; openkeys[i] && ok; ++i) {
ok = Process_AddPath(
proc, &proc->open_key_paths, NULL, TRUE, openkeys[i], FALSE);
}
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _OpenConf, proc->pid);
Log_MsgP1(MSG_INIT_PATHS, _OpenPath, proc->pid);
return FALSE;
}
@ -319,7 +324,13 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
// closed paths
//
ok = Process_GetPaths(proc, &proc->closed_key_paths, _ClosedPath, TRUE);
ok = Process_GetPaths(proc, &proc->closed_key_paths, proc->box->name, _ClosedPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->closed_key_paths, _ClosedPath);
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ClosedPath, proc->pid);
return FALSE;
@ -330,10 +341,16 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
//
#ifndef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, &proc->open_key_paths, _ReadPath, TRUE);
ok = Process_GetPaths(proc, &proc->open_key_paths, proc->box->name, _ReadPath, TRUE);
if (ok)
#endif
ok = Process_GetPaths(proc, &proc->read_key_paths, _ReadPath, TRUE);
ok = Process_GetPaths(proc, &proc->read_key_paths, proc->box->name, _ReadPath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->read_key_paths, _ReadPath);
#endif
if (! ok) {
Log_MsgP1(MSG_INIT_PATHS, _ReadPath, proc->pid);
return FALSE;
@ -344,21 +361,27 @@ _FX BOOLEAN Key_InitProcess(PROCESS *proc)
//
#ifdef USE_MATCH_PATH_EX
ok = Process_GetPaths(proc, &proc->write_key_paths, _WritePath, TRUE);
ok = Process_GetPaths(proc, &proc->write_key_paths, proc->box->name, _WritePath, TRUE);
#ifdef USE_TEMPLATE_PATHS
if (ok)
ok = Process_GetTemplatePaths(proc, &proc->write_key_paths, _WritePath);
#else
if (ok && proc->use_privacy_mode) {
for (i = 0; writepaths[i] && ok; ++i) {
ok = Process_AddPath(proc, &proc->write_key_paths, NULL,
TRUE, writepaths[i], FALSE);
}
}
#endif
#else
ok = Process_GetPaths2(
proc, &proc->write_key_paths, &proc->closed_key_paths,
_WritePath, TRUE);
if (ok) {
ok = Process_GetPaths(
proc, &proc->closed_key_paths, _WritePath, TRUE);
proc, &proc->closed_key_paths, proc->box->name, _WritePath, TRUE);
}
#endif


@ -442,7 +442,7 @@ _FX BOOLEAN Process_GetConf_bool(PROCESS* proc, const WCHAR* setting, BOOLEAN de
_FX BOOLEAN Process_GetPaths(
PROCESS *proc, LIST *list, const WCHAR *setting_name, BOOLEAN AddStar)
PROCESS *proc, LIST *list, const WCHAR *section_name, const WCHAR *setting_name, BOOLEAN AddStar)
{
ULONG index;
const WCHAR *value;
@ -461,7 +461,7 @@ _FX BOOLEAN Process_GetPaths(
// get next configuration setting for this path list
//
value = Conf_Get(proc->box->name, setting_name, index);
value = Conf_Get(section_name, setting_name, index);
if (! value)
break;
@ -499,6 +499,7 @@ _FX BOOLEAN Process_GetPaths(
//---------------------------------------------------------------------------
#ifndef USE_MATCH_PATH_EX
_FX BOOLEAN Process_GetPaths2(
PROCESS *proc, LIST *list, LIST *list2,
const WCHAR *setting_name, BOOLEAN AddStar)
@ -554,6 +555,33 @@ _FX BOOLEAN Process_GetPaths2(
return TRUE;
}
#endif
//---------------------------------------------------------------------------
// Process_GetTemplatePaths
//---------------------------------------------------------------------------
#ifdef USE_TEMPLATE_PATHS
BOOLEAN Process_GetTemplatePaths(PROCESS *proc, LIST *list, const WCHAR *setting_name)
{
BOOLEAN ok;
ok = Process_GetPaths(proc, list, L"TemplateDefaultPaths", setting_name, FALSE);
if (ok && proc->restrict_devices)
ok = Process_GetPaths(proc, list, L"TemplateSModPaths", setting_name, FALSE);
if (ok && proc->use_privacy_mode)
ok = Process_GetPaths(proc, list, L"TemplatePModPaths", setting_name, FALSE);
if (ok && proc->bAppCompartment)
ok = Process_GetPaths(proc, list, L"TemplateAppCPaths", setting_name, FALSE);
return ok;
}
#endif
//---------------------------------------------------------------------------
@ -578,7 +606,7 @@ _FX BOOLEAN Process_AddPath(
// if this is a file setting, also check the path for reparse points
//
if (setting_name) {
if (setting_name && AddStar) {
const WCHAR *setting_name_ptr = setting_name;
if (_wcsnicmp(setting_name, Process_Normal, 6) == 0 ||
@ -594,10 +622,11 @@ _FX BOOLEAN Process_AddPath(
if (setting_name_ptr) {
if (_wcsnicmp(setting_name_ptr, L"Key", 3) == 0)
if (_wcsnicmp(setting_name_ptr, L"Key", 3) == 0
|| _wcsnicmp(setting_name_ptr, L"Conf", 4) == 0) {
RemoveBackslashes = TRUE;
else if (_wcsnicmp(setting_name_ptr, L"File", 4) == 0
} else if (_wcsnicmp(setting_name_ptr, L"File", 4) == 0
|| _wcsnicmp(setting_name_ptr, L"Pipe", 4) == 0) {
RemoveBackslashes = TRUE;
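Review bot: Process_GetTemplatePaths passes AddStar=FALSE for every template section, while the built-in arrays it replaces were fed through Process_AddPath with AddStar=TRUE (file.c normalpaths/openpipes/strWinRMFiles, key.c openkeys, gui.c openclasses), and the changed guard `if (setting_name && AddStar)` in Process_AddPath now also skips the reparse-point check for such entries; if AddStar influences how a value like `OpenFilePath=\Device\NamedPipe\` is matched, the template entries may behave differently from the hard-coded ones they replace. Please confirm this is intended and record it in a header comment on Process_GetTemplatePaths, e.g. `// Template entries are added with AddStar=FALSE, unlike the former built-in arrays; see Process_AddPath`. The comment above the changed guard, `if this is a file setting, also check the path for reparse points`, no longer matches the condition and should mention that the check is skipped when AddStar is FALSE. Process_GetTemplatePaths also lacks the `_FX` marker its siblings Process_GetPaths and Process_GetPaths2 carry.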


@ -65,6 +65,8 @@ Template=COM
Template=WindowsExplorer
Template=ThirdPartyIsolation
Template=BlockSoftwareUpdaters
Template=BlockWinRM
Template=OpenWinInetCache
[TemplateSettings]
@ -113,6 +115,376 @@ Tmpl.RoboForm=%Personal%\My RoboForm Data
Tmpl.KasperskyDataRoot=%AllUsersProfile%\Kaspersky Lab
#
# Default access rules
#
[TemplateDefaultPaths]
# Key
# Application Hives
OpenKeyPath=\REGISTRY\A\*
# File
# named pipe root
OpenFilePath=\Device\NamedPipe\
# mail slot root
OpenFilePath=\Device\MailSlot\
# Windows 7 fault-tolerant heap
OpenFilePath=\Device\NamedPipe\ProtectedPrefix\LocalService\FTHPIPE
# printer
OpenFilePath=\Device\NamedPipe\spoolss
OpenFilePath=\Device\NamedPipe\spooler*
OpenFilePath=%DefaultSpoolDirectory%\*
OpenFilePath=%DefaultSpoolDirectory2%\*
# doPDF
OpenFilePath=\Device\NamedPipe\*_doPDF*
# multimedia
OpenFilePath=\Device\NamedPipe\AudioSrv
# third-party software
OpenFilePath=\Device\NamedPipe\Adobe LM Service*
# Novell NetIdentity
OpenFilePath=\Device\NamedPipe\XTIERRPCPIPE
#
# the LanmanRedirector/Mup devices (when accessed without extra paths)
# is a security attack, and must be closed
ClosedFilePath=\Device\LanmanRedirector
ClosedFilePath=\Device\Mup
# IPC
OpenIpcPath=\Windows\ApiPort
OpenIpcPath=\Sessions\*\Windows\ApiPort
OpenIpcPath=\Sessions\*\Windows\SharedSection
# bSession0
OpenIpcPath=\Windows\SharedSection
# now required by Chromium browsers
OpenIpcPath=\Sessions\*\BaseNamedObjects\CrSharedMem_*
OpenIpcPath=\ThemeApiPort
OpenIpcPath=\KnownDlls\*
# _WIN64
OpenIpcPath=\KnownDlls32\*
# _M_ARM64
OpenIpcPath=\KnownDllsChpe32\*
OpenIpcPath=\NLS\*
OpenIpcPath=*\BaseNamedObjects*\ShimCacheMutex
OpenIpcPath=*\BaseNamedObjects*\ShimSharedMemory
OpenIpcPath=*\BaseNamedObjects*\SHIMLIB_LOG_MUTEX
OpenIpcPath=*\BaseNamedObjects*\msgina: ReturnToWelcome
OpenIpcPath=\Security\LSA_AUTHENTICATION_INITIALIZED
OpenIpcPath=\LsaAuthenticationPort
OpenIpcPath=\NlsCacheMutant
OpenIpcPath=\KernelObjects\*
# misc services
OpenIpcPath=\NLAPublicPort
OpenIpcPath=\RPC Control\nlaapi
OpenIpcPath=\RPC Control\tapsrvlpc
OpenIpcPath=\RPC Control\senssvc
OpenIpcPath=\RPC Control\samss lpc
OpenIpcPath=*\BaseNamedObjects*\SENS Information Cache
OpenIpcPath=*\BaseNamedObjects*\TabletHardwarePresent
OpenIpcPath=*\BaseNamedObjects*\userenv: * Group Policy has been applied
OpenIpcPath=*\BaseNamedObjects*\TermSrvReadyEvent
# network
OpenIpcPath=\RPC Control\dhcpcsvc
OpenIpcPath=\RPC Control\dhcpcsvc6
OpenIpcPath=\RPC Control\DNSResolver
OpenIpcPath=\RPC Control\RasmanRpc
OpenIpcPath=*\BaseNamedObjects*\WininetStartupMutex
OpenIpcPath=*\BaseNamedObjects*\WininetConnectionMutex
OpenIpcPath=*\BaseNamedObjects*\WininetProxyRegistryMutex
OpenIpcPath=*\BaseNamedObjects*\RasPbFile
# cicero multi-language subsystem
OpenIpcPath=*\BaseNamedObjects*\CTF.*
OpenIpcPath=*\BaseNamedObjects*\MSCTF.*
OpenIpcPath=*\BaseNamedObjects*\MSUIM.*
OpenIpcPath=*\BaseNamedObjects*\CtfmonInstMutex*
OpenIpcPath=*\BaseNamedObjects*\CiceroSharedMemDefault*
OpenIpcPath=*\BaseNamedObjects*\CicLoadWinStaWinSta*
# sysinternals dbgview
OpenIpcPath=*\BaseNamedObjects*\DBWinMutex
OpenIpcPath=*\BaseNamedObjects*\DBWIN_BUFFER
OpenIpcPath=*\BaseNamedObjects*\DBWIN_BUFFER_READY
OpenIpcPath=*\BaseNamedObjects*\DBWIN_DATA_READY
# multimedia
OpenIpcPath=\RPC Control\AudioSrv
OpenIpcPath=*\BaseNamedObjects*\mmGlobalPnpInfo
OpenIpcPath=*\BaseNamedObjects*\Guard*mmGlobalPnpInfoGuard
OpenIpcPath=*\BaseNamedObjects*\MidiMapper_modLongMessage_RefCnt
OpenIpcPath=*\BaseNamedObjects*\MidiMapper_Configure
OpenIpcPath=*\BaseNamedObjects*\SsiMidiDllCs
OpenIpcPath=*\BaseNamedObjects*\StaccatoSynthCore11Mutex
OpenIpcPath=*\BaseNamedObjects*\WDMAUD_Callbacks
OpenIpcPath=*\BaseNamedObjects*\DirectSound*
OpenIpcPath=*\BaseNamedObjects*\AMResourceMutex*
OpenIpcPath=*\BaseNamedObjects*\AMResourceMapping*
OpenIpcPath=*\BaseNamedObjects*\VideoRenderer
OpenIpcPath=*\BaseNamedObjects*\VIDEOMEMORY
OpenIpcPath=*\BaseNamedObjects*\mxrapi
OpenIpcPath=*\BaseNamedObjects*\mixercallback
OpenIpcPath=*\BaseNamedObjects*\hardwaremixercallback
OpenIpcPath=*\BaseNamedObjects*\DINPUTWINMM
OpenIpcPath=*\BaseNamedObjects*\DDrawDriverObjectListMutex
OpenIpcPath=*\BaseNamedObjects*\__DDrawExclMode__
OpenIpcPath=*\BaseNamedObjects*\__DDrawCheckExclMode__
OpenIpcPath=*\BaseNamedObjects*\DDrawWindowListMutex
OpenIpcPath=*\BaseNamedObjects*\DDrawCheckFullscreenSemaphore
OpenIpcPath=*\BaseNamedObjects*\D3D9CheckFullscreenSemaphore
OpenIpcPath=*\BaseNamedObjects*\WinMMConsoleAudioEvent
# AudioDg
OpenIpcPath=*\BaseNamedObjects*\SYSTEM_AUDIO_STREAM_*
# following resource is needed on Windows Vista and later,
# but also provided by the SRS Audio Sandbox program
OpenIpcPath=*\BaseNamedObjects*\AudioEngineDuplicateHandleApiPort*
# nComputing audio server/driver ?
OpenIpcPath=\RPC Control\NCWTSAudioServer
# printer
OpenIpcPath=\RPC Control\spoolss
OpenIpcPath=*\BaseNamedObjects*\EPSON-PrgMtr-*
OpenIpcPath=*\BaseNamedObjects*\RouterPreInitEvent
# sandboxie service
OpenIpcPath=\RPC Control\SbieSvcPort
OpenIpcPath=*\BaseNamedObjects*\Sandboxie_StartMenu_WorkArea_*
# objects in an unnamed directory
OpenIpcPath=\...\*
# misc services (vista)
# licensing
OpenIpcPath=\RPC Control\SLCTransportEndpoint-*
# parental controls
OpenIpcPath=\RPC Control\wpcsvc
#firewall
OpenIpcPath=*\BaseNamedObjects*\BFE_Notify_Event_*
# multimedia (vista)
OpenIpcPath=\UxSmsApiPort
OpenIpcPath=\MmcssApiPort
# aero
OpenIpcPath=*\BaseNamedObjects*\Dwm-*-ApiPort-*
OpenIpcPath=*\BaseNamedObjects*\DwmDxBltEvent*
OpenIpcPath=\RPC Control\AudioClientRpc
# _WIN64
# 64-bit spooler for 32-bit programs
OpenIpcPath=*\BaseNamedObjects*\WinSpl64To32Mutex*_0
OpenIpcPath=\RPC Control\splwow64_*_0
OpenIpcPath=\RPC Control\umpdproxy_*_0
#
OpenIpcPath=\ConsoleEvent-0x*
OpenIpcPath=*\BaseNamedObjects*\ConsoleEvent-0x*
OpenIpcPath=\RPC Control\console-0x*-lpc-handle
OpenIpcPath=\RPC Control\ConsoleEvent-0x*
OpenIpcPath=\RPC Control\ConsoleLPC-0x*
OpenIpcPath=\RPC Control\lsapolicylookup
OpenIpcPath=\RPC Control\lsasspirpc
OpenIpcPath=\RPC Control\LSARPC_ENDPOINT
OpenIpcPath=\RPC Control\umpo
OpenIpcPath=*\BaseNamedObjects*\FlipEx*
OpenIpcPath=*\BaseNamedObjects*\FontCachePort
OpenIpcPath=*\BaseNamedObjects*\FntCache-*
# windows8
OpenIpcPath=\Windows\Theme*
OpenIpcPath=\Sessions\*\Windows\Theme*
OpenIpcPath=\Sessions\*\Windows\DwmApiPort
OpenIpcPath=*\BaseNamedObjects*\DWM_DX_FULLSCREEN_TRANSITION_EVENT
# _WIN64
# 64-bit spooler for 32-bit programs
OpenIpcPath=*\BaseNamedObjects*\WinSpl64To32Mutex*_2000
OpenIpcPath=\RPC Control\splwow64_*_2000
OpenIpcPath=\RPC Control\umpdproxy_*_2000
#
# windows10
OpenIpcPath=*\BaseNamedObjects*\CoreMessagingRegistrar
OpenIpcPath=*\BaseNamedObjects\[CoreUI]-*
# open paths 11
# 22449.1000 accesses this before sbiedll load
OpenIpcPath=*\BaseNamedObjects\SM*:WilStaging_*
# _M_ARM64 22621.819 used by emulated processes
OpenIpcPath=\{BEC19D6F-D7B2-41A8-860C-8787BB964F2D}
#
ReadIpcPath=\??\pipe\*
ReadIpcPath=$:explorer.exe
OpenWinClass=Shell_TrayWnd
OpenWinClass=TrayNotifyWnd
# Power Meter dialog box:
OpenWinClass=SystemTray_Main
OpenWinClass=Connections Tray
OpenWinClass=MS_WebcheckMonitor
OpenWinClass=PrintTray_Notify_WndClass
OpenWinClass=CicLoaderWndClass
OpenWinClass=CicMarshalWndClass
OpenWinClass=Credential Dialog Xaml Host
# windows 7
OpenWinClass=Sandbox:*:ConsoleWindowClass
OpenWinClass=MSTaskSwWClass
#
# third party
#
OpenIpcPath=*\BaseNamedObjects*\ATITRAY_SMEM
OpenIpcPath=*\BaseNamedObjects*\ATITRAY_OSDM
OpenIpcPath=*\BaseNamedObjects*\AMCreateListenSock*
# Ad Muncher
OpenIpcPath=*\BaseNamedObjects*\AMIPC_*
# DevLdr32 sound card driver
OpenIpcPath=*\BaseNamedObjects*\devldr32
# ThreatFire
OpenIpcPath=*\BaseNamedObjects*\ThreatfireApiHookIpc2Map
# third party - key-logger-related
OpenIpcPath=*\BaseNamedObjects*\00MemoryShareKeyloggerHunter
# hardware - wacom tablet
OpenIpcPath=*\BaseNamedObjects*\WacomNewFrontAppEventName
OpenIpcPath=*\BaseNamedObjects*\WacomTouchingAppNameMutexName
OpenWinClass=CTouchPadSynchronizer
OpenWinClass=Type32_Main_Window
OpenWinClass=TForm_AshampooFirewall
# Tight VNC
OpenWinClass=WinVNC desktop sink
# Download Accelerator Plus
OpenWinClass=Afx:400000:0
# nVidia nView
OpenWinClass=NVIDIA TwinView Window
OpenWinClass=SWFlash_PlaceHolderX
# PowerPoint
OpenWinClass=MdiClass
# joystick
OpenWinClass=Logitech Wingman Internal Message Router
# devldr32 sound card driver
OpenWinClass=devldr
#
# Network access rules
# depanding on preset eider the "Open" or the "Close" directives are applied
#
[TemplateNetworkPaths]
OpenFilePath=\Device\NamedPipe\ROUTER
OpenFilePath=\Device\NamedPipe\ShimViewer
OpenFilePath=\Device\Afd
OpenFilePath=\Device\Afd\Endpoint
OpenFilePath=\Device\Afd\AsyncConnectHlp
OpenFilePath=\Device\Afd\AsyncSelectHlp
OpenFilePath=\Device\Afd\ROUTER
OpenFilePath=\Device\Afd\Mio
OpenFilePath=\Device\WS2IFSL
OpenFilePath=\Device\WS2IFSL\NifsPvd
OpenFilePath=\Device\WS2IFSL\NifsSct
OpenFilePath=\Device\Tcp
OpenFilePath=\Device\Tcp6
OpenFilePath=\Device\Ip
OpenFilePath=\Device\Ip6
OpenFilePath=\Device\Udp
OpenFilePath=\Device\Udp6
OpenFilePath=\Device\RawIp
OpenFilePath=\Device\RawIp6
OpenFilePath=\Device\NetBT_Tcpip_*
OpenFilePath=\Device\Http\*
OpenFilePath=\Device\Nsi
ClosedFilePath=\Device\afd*
ClosedFilePath=\Device\ip
ClosedFilePath=\Device\ip6
ClosedFilePath=\Device\udp
ClosedFilePath=\Device\udp6
ClosedFilePath=\Device\tcp
ClosedFilePath=\Device\tcp6
ClosedFilePath=\Device\http\*
ClosedFilePath=\Device\rawip
ClosedFilePath=\Device\rawip6
ClosedFilePath=\Device\nsi
#
# Access rules for device restricted boxes
#
[TemplateSModPaths]
ClosedFilePath=\Device\*
NormalFilePath=\Device\NamedPipe\*
NormalFilePath=\Device\CNG
NormalFilePath=\Device\ConDrv\*
NormalFilePath=\Device\DeviceApi*
NormalFilePath=\Device\DfsClient
NormalFilePath=\Device\KsecDD
NormalFilePath=\Device\MountPointManager
NormalFilePath=\Device\Ndis
NormalFilePath=\Device\PcwDrv
#Smart App Control
NormalFilePath=\Device\SrpDevice
#
# Access rules for privacy enhanced boxes
#
[TemplatePModPaths]
#NormalKeyPath=HKEY_LOCAL_MACHINE\*
#NormalKeyPath=HKEY_CURRENT_USER\software\Microsoft\*
#NormalKeyPath=HKEY_CURRENT_USER\software\WOW6432Node\Microsoft\*
#NormalKeyPath=\REGISTRY\USER\*_Classes\*
WriteKeyPath=\REGISTRY\USER\*
#
NormalFilePath=%SystemRoot%\*
NormalFilePath=%SbieHome%\*
NormalFilePath=%ProgramFiles%\*
NormalFilePath=%ProgramFiles% (x86)\*
#
# Access rules for app compartment boxes
#
[TemplateAppCPaths]
# open those in compartment mode as do not use the de-administrator-ize proxy in File_NtCreateFilePipe
OpenFilePath=\device\*pipe\lsarpc
OpenFilePath=\device\*pipe\srvsvc
OpenFilePath=\device\*pipe\wkssvc
OpenFilePath=\device\*pipe\samr
OpenFilePath=\device\*pipe\netlogon
# enable AppContainer isolation support
OpenIpcPath=\Sessions\*\AppContainerNamedObjects\*
OpenFilePath=\Device\NamedPipe\Sessions\*\AppContainerNamedObjects\*
#
# Sbie builds after 5.27-1 opens this (it breaks IE's source view and cache though)
#
[Template_OpenWinInetCache]
OpenClsid={0358B920-0AC7-461F-98F4-58E32CD89148}
OpenIpcPath=\RPC Control\webcache_*
OpenIpcPath=*\BaseNamedObjects\windows_webcache_counters_*
#
# Windows Remote Management (WinRM) is a large security hole.
# A sandboxed app running in an elevated cmd shell can send any admin command to the host.
# Block the WinRS.exe and the automation dlls to make it very difficult for someone to use.
# See ICD-10136 "Sandboxie security hole allows guest to run any command in host as admin"
#
[Template_BlockWinRM]
ClosedFilePath=|%SystemRoot%\System32\wsmsvc.dll
ClosedFilePath=|%SystemRoot%\System32\wsmauto.dll
ClosedFilePath=|%SystemRoot%\System32\winrs.exe
ClosedFilePath=|%SystemRoot%\SysWoW64\wsmsvc.dll
ClosedFilePath=|%SystemRoot%\SysWoW64\wsmauto.dll
ClosedFilePath=|%SystemRoot%\SysWoW64\winrs.exe
ClosedFilePath=|%SystemRoot%\SysArm32\wsmsvc.dll
ClosedFilePath=|%SystemRoot%\SysArm32\wsmauto.dll
ClosedFilePath=|%SystemRoot%\SysArm32\winrs.exe
#
# this template replaces OpenProtectedStorage=y
#
[Template_OpenProtectedStorage]
Tmpl.Title=Open Protected Storage
Tmpl.Class=Misc
#FuncSkipHook=PStoreCreateInstance
OpenFilePath=|\Device\NamedPipe\protected_storage
OpenIpcPath=*\BaseNamedObjects*\PS_SERVICE_STARTED
OpenIpcPath=\RPC Control\protected_storage
#
# Custom handling for special images
#
@ -123,6 +495,7 @@ Tmpl.KasperskyDataRoot=%AllUsersProfile%\Kaspersky Lab
SpecialImage=chrome,chrome.exe
SpecialImage=chrome,msedge.exe
SpecialImage=chrome,msedgewebview2.exe
SpecialImage=chrome,iron.exe
SpecialImage=chrome,dragon.exe
SpecialImage=chrome,opera.exe
@ -641,19 +1014,19 @@ OpenFilePath=msedge.exe,%Tmpl.Edge%\*
[Template_Edge_Fix]
# SBIE fix for Windows 11 KB5014019 update (May 2022)
Tmpl.Title=#4342,Microsoft Edge
Tmpl.Class=WebBrowser
Tmpl.Url=https://www.microsoft.com/en-us/edge
Tmpl.Scan=s
Tmpl.ScanProduct=Microsoft Edge
Tmpl.ScanService=edgeupdate
Tmpl.Title=#4342,Microsoft Edge (obsolete)
#Tmpl.Class=WebBrowser
#Tmpl.Url=https://www.microsoft.com/en-us/edge
#Tmpl.Scan=s
#Tmpl.ScanProduct=Microsoft Edge
#Tmpl.ScanService=edgeupdate
# ExternalManifest breaks MSEdge 111.0.1633.0
#ExternalManifestHack=msedge.exe,y
# SBIE fix for MS Edge 106.x also for Windows 10
OpenIpcPath=msedge.exe,\Sessions\*\AppContainerNamedObjects\*
OpenFilePath=msedge.exe,\Device\NamedPipe\Sessions\*\AppContainerNamedObjects\*
#OpenIpcPath=msedge.exe,\Sessions\*\AppContainerNamedObjects\*
#OpenFilePath=msedge.exe,\Device\NamedPipe\Sessions\*\AppContainerNamedObjects\*
# SBIE fix for MS Edge WebView2
ExternalManifestHack=msedgewebview2.exe,y
#ExternalManifestHack=msedgewebview2.exe,y
#
# Vivaldi


@ -242,7 +242,8 @@ void COptionsWindow::LoadGeneral()
ui.chkOpenSpooler->setChecked(m_pBox->GetBool("OpenPrintSpooler", false));
ui.chkPrintToFile->setChecked(m_pBox->GetBool("AllowSpoolerPrintToFile", false));
ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false));
//ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false));
ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage"));
ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false));
ui.chkCloseClipBoard->setChecked(!m_pBox->GetBool("OpenClipboard", true));
ui.chkVmReadNotify->setChecked(m_pBox->GetBool("NotifyProcessAccessDenied", false));
@ -352,7 +353,8 @@ void COptionsWindow::SaveGeneral()
WriteAdvancedCheck(ui.chkOpenSpooler, "OpenPrintSpooler", "y", "");
WriteAdvancedCheck(ui.chkPrintToFile, "AllowSpoolerPrintToFile", "y", "");
WriteAdvancedCheck(ui.chkOpenProtectedStorage, "OpenProtectedStorage", "y", "");
//WriteAdvancedCheck(ui.chkOpenProtectedStorage, "OpenProtectedStorage", "y", "");
SetTemplate("OpenProtectedStorage", ui.chkOpenProtectedStorage->isChecked());
if (ui.chkOpenCredentials->isEnabled())
WriteAdvancedCheck(ui.chkOpenCredentials, "OpenCredentials", "y", "");
WriteAdvancedCheck(ui.chkCloseClipBoard, "OpenClipboard", "n", "");
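Review bot: LoadGeneral at line 242 now derives the checkbox only from `m_BoxTemplates.contains("OpenProtectedStorage")`, so a box that still carries the legacy `OpenProtectedStorage=y` setting (the one the changelog says this template replaces) is shown as unchecked, and SaveGeneral at line 352 no longer touches that key because the `WriteAdvancedCheck` call that used to write or clear it is commented out. Since this option opens the protected_storage pipe and RPC endpoint out of the box, the dialog should not report a box as more restrictive than its effective configuration; whether the legacy key is still honoured elsewhere is not visible in these hunks and should be confirmed before relying on the template alone. For the load side, `ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage") || m_pBox->GetBool("OpenProtectedStorage", false));` keeps the checkbox truthful during migration, and the save side should remove the legacy key when it writes the template so the two sources cannot disagree. Both LoadGeneral and SaveGeneral start and end outside the hunks.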


@ -2,7 +2,7 @@
#define VERSION_MJR 1
#define VERSION_MIN 7
#define VERSION_REV 2
#define VERSION_REV 3
#define VERSION_UPD 0
#ifndef STR