From 7b9da3f47bc8ee3189ab5eeca8f5c43721c3ef00 Mon Sep 17 00:00:00 2001 From: EdgeArcher129840 <125170682+RimacC2-EV@users.noreply.github.com> Date: Sun, 9 Jun 2024 20:19:04 +0800 Subject: [PATCH 01/20] Update sandman_zh_CN.ts This update adds some explanations of terms with my personal understanding. --- SandboxiePlus/SandMan/sandman_zh_CN.ts | 27 ++++++++++++-------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index 13591b9a..bc5536c8 100644 --- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -262,14 +262,10 @@ This feature may reduce compatibility as it also prevents box located processes from writing to host located ones and even starting them. 该功能可能对兼容性造成影响,因为它阻止了沙盒内的进程向主机进程写入数据,以及启动它们。 - - Prevents the sandboxed window from being captured. - 阻止沙盒化窗口被捕获图像。 - Prevent sandboxed windows from being captured - 阻止沙盒化窗口被捕获图像。 + 阻止捕获沙盒中程序的窗口图像。 @@ -462,7 +458,8 @@ To disable this template for a sandbox, simply uncheck it in the template list.< Creating new box image, please enter a secure password, and choose a disk image size. - 正在创建新的沙盒磁盘映像。请输入强密码,并设置映像大小。 + 正在创建新的沙盒磁盘映像。 + 请输入强密码,并设置映像大小。 @@ -510,7 +507,7 @@ This length permits approximately 384 bits of entropy with a passphrase composed increases to 512 bits with the application of Leet (L337) speak modifications, and exceeds 768 bits when composed of entirely random printable ASCII characters. 密码的最大长度限制为 128 个字符。 如果密码由实际的英文单词组成,这个长度允许大约 384 位的熵, -如果使用 Leet(L337) 密语,则增加到 512 位熵,如果完全由随机的可打印 ASCII 字符组成,则超过 768 位熵。 +如果使用 Leet(L337) 密语,则增加到 512 位熵,如果完全由随机的可打印 ASCII 字符组成,则允许超过 768 位熵。 
@@ -634,12 +631,12 @@ While the level of isolation is reduced compared to other box types, it offers i Access to the virtual disk when mounted is restricted to programs running within the sandbox. Sandboxie prevents other processes on the host system from accessing the sandboxed processes. This ensures the utmost level of privacy and data protection within the confidential sandbox environment. 该类型的沙盒使用加密的磁盘映像作为文件根目录,为安全性与隐私性提供了额外的保障。 -当虚拟磁盘被挂载时,只有沙盒内的程序可以访问,而其他进程将会被阻止访问。这确保了在该沙盒环境中最高级别的隐私和数据保护。 +当虚拟磁盘映像被挂载时,只有沙盒内的程序可以访问它,而其他进程将会被阻止访问。这确保了在该沙盒环境中最高级别的隐私和数据保护。 Hardened Sandbox with Data Protection - 带数据保护的加固型沙盒 + 带有数据保护的加固型沙盒 @@ -649,7 +646,7 @@ This ensures the utmost level of privacy and data protection within the confiden Sandbox with Data Protection - 带数据保护的沙盒 + 带有数据保护的沙盒 @@ -659,7 +656,7 @@ This ensures the utmost level of privacy and data protection within the confiden Application Compartment with Data Protection - 带数据保护的应用隔间 + 带有数据保护的应用隔间 @@ -812,7 +809,7 @@ Please browse to the correct user profile directory. Note: you need to run the browser unsandboxed for them to get created. Please browse to the correct user profile directory. 没有发现合适的目录 -注意:你需要在不使用沙盒的情况下运行一次浏览器,以便使它们被正确创建 +注意:你需要在不使用沙盒的情况下先运行一次浏览器,以便使它们被正确创建 请浏览并选择正确的用户资料配置文件目录 @@ -1322,7 +1319,7 @@ You can use %USER% to save each users sandbox to an own fodler. Drop rights from Administrators and Power Users groups - 撤销管理员和 Power Users 用户组的权限 + 撤销管理员和 Power Users (Windows Vista 以前 及之后的 专业版 Windows 系统) 用户组的权限 @@ -1332,7 +1329,7 @@ You can use %USER% to save each users sandbox to an own fodler. Allow MSIServer to run with a sandboxed system token - 允许 MSIServer 在沙盒内使用系统令牌运行 + 允许 MSIServer 使用沙盒化的系统令牌运行 
@@ -1444,7 +1441,7 @@ You can use %USER% to save each users sandbox to an own fodler. This sandbox content will be placed in an encrypted container file, please note that any corruption of the container's header will render all its content permanently inaccessible. Corruption can occur as a result of a BSOD, a storage hardware failure, or a malicious application overwriting random files. This feature is provided under a strict <b>No Backup No Mercy</b> policy, YOU the user are responsible for the data you put into an encrypted box. <br /><br />IF YOU AGREE TO TAKE FULL RESPONSIBILITY FOR YOUR DATA PRESS [YES], OTHERWISE PRESS [NO]. This sandbox content will be placed in an encrypted container file, please note that any corruption of the container's header will render all its content permanently innaccessible. Corruption can occur as a result of a BSOD, a storage hadrware failure, or a maliciouse application overwriting random files. This feature is provided under a strickt <b>No Backup No Mercy</b> policy, YOU the user are responsible for the data you put into an encrypted box. <br /><br />IF YOU AGREE TO TAKE FULL RESPONSIBILITY FOR YOUR DATA PRESS [YES], OTHERWISE PRESS [NO]. - 该沙盒的文件将会存储在加密的容器文件中,注意:容器头文件的任何损坏都可能导致容器内文件不可读取。同时,可能导致不限于蓝屏、死机、存储设备故障、或沙盒中恶意程序随机覆写文件。该功能以严格遵守 <br />无备份、不宽容<br />的形式提供,您需要自行为该加密沙盒中的文件承担风险。 <br /><br />如果您同意为您的数据自行承担风险则选择 [确认], 否则 [取消]. + 该沙盒的文件将会存储在加密的容器文件中,注意:容器头的任何损坏都可能导致容器内文件不可读取(这等同于损坏硬盘的引导分区)。同时,可能导致不限于蓝屏、死机、存储设备故障、或沙盒中恶意程序随机覆写文件。该功能以严格遵守 <br />无备份、不宽容<br />的形式提供,您需要自行为该加密沙盒中的文件承担风险。 <br /><br />如果您同意为您的数据自行承担风险则选择 [确认], 否则 [取消]. From 4023b2325ddf348ceea5b08fe50fa3df9bc77edb Mon Sep 17 00:00:00 2001 From: EdgeArcher129840 <125170682+RimacC2-EV@users.noreply.github.com> Date: Wed, 12 Jun 2024 22:32:20 +0800 Subject: [PATCH 02/20] Update sandman_zh_CN.ts --- SandboxiePlus/SandMan/sandman_zh_CN.ts | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index bc5536c8..e7d5c2d3 100644 --- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -809,7 +809,7 @@ Please browse to the correct user profile directory. Note: you need to run the browser unsandboxed for them to get created. Please browse to the correct user profile directory. 没有发现合适的目录 -注意:你需要在不使用沙盒的情况下先运行一次浏览器,以便使它们被正确创建 +注意:您需要在不使用沙盒的情况下先运行一次浏览器,以便使它们被正确创建。 请浏览并选择正确的用户资料配置文件目录 @@ -2043,7 +2043,7 @@ Note: The update check is often behind the latest GitHub release to ensure that This sandbox has been deleted hence configuration can not be saved. - 该沙盒已被删除,因此配置无法保存 + 该沙盒已被删除,因此无法保存配置 @@ -3018,7 +3018,7 @@ Unlike the preview channel, it does not include untested, potentially breaking, Sandboxie-Plus applies strict application restrictions, which can lead to compatibility issues. Stay updated with Sandboxie-Plus, including compatibility templates and troubleshooting, to ensure smooth operation amid Windows updates and application changes. - Sandboxie Plus 应用了严格的应用程序限制,这可能会导致兼容性问题。使 Sandboxie Plus (及其兼容性模板和故障排除向导)保持在最新版本,有利于在 Windows 更新和应用程序变动时保证这些应用程序限制稳定运行。 + Sandboxie-Plus 应用了严格的应用程序限制,这可能会导致兼容性问题。使 Sandboxie-Plus (及其兼容性模板和故障排除向导)保持在最新版本,有利于在 Windows 更新和应用程序变动时保证这些应用程序限制稳定运行。 @@ -3682,7 +3682,7 @@ Do you want to do the clean up? This box does not enforce isolation, it is intended to be used as an <a href="sbie://docs/compartment-mode">application compartment</a> for software virtualization only. This box does not enforce isolation, it is intended to be used as an application compartment for software virtualization only. - 此类沙盒不执行隔离,它的目的是将一个应用程序虚拟化 + 此类沙盒不执行隔离,它用于将一个应用程序虚拟化 
@@ -3826,7 +3826,7 @@ Please check if there is an update for sandboxie. Your Windows build %1 exceeds the current known support capabilities of your Sandboxie version, Sandboxie will attempt to use the last-known offsets which may cause system instability. - 您的Windows版本 %1 超过了 Sandboxie 版本的当前已知支持范围,Sandboxie 将尝试使用上一个已知的配置,这可能会导致系统不稳定。 + 您的 Windows 版本 %1 超过了 Sandboxie 版本的当前已知支持范围,Sandboxie 将尝试使用上一个已知的配置,这可能会导致系统不稳定。 From 5b731401e22372a25eb4ad8e229d69fc3cc6f239 Mon Sep 17 00:00:00 2001 From: isaak654 Date: Sat, 22 Jun 2024 17:45:32 +0200 Subject: [PATCH 03/20] Update .editorconfig --- .editorconfig | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.editorconfig b/.editorconfig index aa6dd550..3c4b7702 100644 --- a/.editorconfig +++ b/.editorconfig @@ -13,6 +13,9 @@ indent_size = 4 [my_version.h] charset = utf-8-bom +[SandboxiePlus/SandMan/Troubleshooting/lang_*.json] +charset = utf-8-bom + [*.{c,h,cpp}] indent_style = tab indent_size = unset From 3079d58e1ef1612b185f7e2e774d0c826402f166 Mon Sep 17 00:00:00 2001 From: nkh0472 <67589323+nkh0472@users.noreply.github.com> Date: Sun, 23 Jun 2024 10:15:08 +0800 Subject: [PATCH 04/20] Update sandman_zh_CN.ts --- SandboxiePlus/SandMan/sandman_zh_CN.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index 90813ad8..ac6e07ca 100644 --- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -1317,7 +1317,7 @@ You can use %USER% to save each users sandbox to an own fodler. Prompt user whether to allow an exemption from the blockade - + 提示用户是否允许豁免封锁 @@ -7733,7 +7733,7 @@ If you are a great patreaon supporter already, sandboxie can check online for an Allow sandboxed windows to cover the taskbar Allow sandboxed windows to cover taskbar - 允许沙盒内窗口遮盖任务栏 + 允许沙盒内窗口遮盖任务栏 
@@ -7807,13 +7807,13 @@ If you are a great patreaon supporter already, sandboxie can check online for an Prevent sandboxed processes from accessing system details through WMI Prevent sandboxed processes from accessing system deatils through WMI - 防止沙盒内的进程通过 WMI 访问系统信息 + 防止沙盒内的进程通过 WMI 访问系统信息 Some programs retrieve system details via WMI (Windows Management Instrumentation), a built-in Windows database, rather than using conventional methods. For instance, 'tasklist.exe' can access a complete list of processes even if 'HideOtherBoxes' is enabled. Enable this option to prevent such behavior. Some programs read system deatils through WMI(A Windows built-in database) instead of normal ways. For example,"tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop these heavior. - 一些程序通过 WMI(一个Windows内置数据库) 读取系统信息,而不是通过正常方式。例如,尽管已经打开 "隐藏其它沙盒" ,"tasklist.exe" 仍然可以通过访问 WMI 获取全部进程列表。开启此选项来阻止这些行为。 + 一些程序通过 WMI(一个Windows内置数据库) 读取系统信息,而不是通过正常方式。例如,尽管已经打开 "隐藏其它沙盒" ,"tasklist.exe" 仍然可以通过访问 WMI 获取全部进程列表。开启此选项来阻止这些行为。 From 6ecdef1c09a5707cae95776dc9f5484ac80ca453 Mon Sep 17 00:00:00 2001 From: offhub <6871698+offhub@users.noreply.github.com> Date: Sun, 23 Jun 2024 21:29:24 +0300 Subject: [PATCH 05/20] CodeQL fix? [skip ci] --- Installer/get_openssl.cmd | 4 ++-- SandboxiePlus/install_qt.cmd | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Installer/get_openssl.cmd b/Installer/get_openssl.cmd index 5ed47076..f8a17fd9 100644 --- a/Installer/get_openssl.cmd +++ b/Installer/get_openssl.cmd 
@@ -1,6 +1,6 @@ echo %* -IF "%~3" == "" ( set "ghSsl_repo=openssl" ) ELSE ( set "ghSsl_repo=%~3" ) -IF "%~2" == "" ( set "ghSsl_user=DavidXanatos" ) ELSE ( set "ghSsl_user=%~2" ) +IF "%~3" == "" ( set "ghSsl_repo=openssl-builds" ) ELSE ( set "ghSsl_repo=%~3" ) +IF "%~2" == "" ( set "ghSsl_user=xanasoft" ) ELSE ( set "ghSsl_user=%~2" ) IF "%~1" == "" ( set "openssl_version=3.3.1" ) ELSE ( set "openssl_version=%~1" ) set "openssl_version_underscore=%openssl_version:.=_%" diff --git a/SandboxiePlus/install_qt.cmd b/SandboxiePlus/install_qt.cmd index d325c678..993ea4e5 100644 --- a/SandboxiePlus/install_qt.cmd +++ b/SandboxiePlus/install_qt.cmd @@ -1,6 +1,6 @@ echo %* -IF "%~7" == "" ( set "ghQtBuilds_hash_x64=f9029e02badd6a79d9bb092f9fb0772214dbcf8cd0122422514291d755860c37" ) ELSE ( set "ghQtBuilds_hash_x64=%~7" ) -IF "%~6" == "" ( set "ghQtBuilds_hash_x86=79755f2bf95d0ca305096fc33582cd557345a79aa63f9821002fdddefdc0fd94" ) ELSE ( set "ghQtBuilds_hash_x86=%~6" ) +IF "%~7" == "" ( set "ghQtBuilds_hash_x64=30290d82a02bfaa24c1bf37bcb9c074aba18a673a7176628fccdf71197cee898" ) ELSE ( set "ghQtBuilds_hash_x64=%~7" ) +IF "%~6" == "" ( set "ghQtBuilds_hash_x86=bf4124046cc50ccbbeb3f786c041e884fd4205cd6e616070a75c850105cbf1db" ) ELSE ( set "ghQtBuilds_hash_x86=%~6" ) IF "%~5" == "" ( set "ghQtBuilds_repo=qt-builds" ) ELSE ( set "ghQtBuilds_repo=%~5" ) IF "%~4" == "" ( set "ghQtBuilds_user=xanasoft" ) ELSE ( set "ghQtBuilds_user=%~4" ) IF "%~3" == "" ( set "qt6_version=6.3.1" ) ELSE ( set "qt6_version=%~3" ) From c2df90b2fd1018f8be8ce9ef103dd9cd5c0ba6a7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 01:31:15 +0000 Subject: [PATCH 06/20] Sync SBIE Plus language files (lupdate) --- SandboxiePlus/SandMan/sandman_zh_CN.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index 3ae924e3..ea62ae91 100644 
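Review bot: The default download source in get_openssl.cmd moves to `xanasoft/openssl-builds`, but the visible lines define no expected digest for the archive, whereas install_qt.cmd in the same commit pins `ghQtBuilds_hash_x64` and `ghQtBuilds_hash_x86`. If the rest of the script (outside this hunk) does not already verify the download, add a pinned digest argument in the same style, for example `IF "%~4" == "" ( set "ghSsl_hash=<EXPECTED_SHA256>" ) ELSE ( set "ghSsl_hash=%~4" )`, and fail the build on a mismatch. User and repository stay overridable from the command line, so a digest is the only thing that would tie the build to a known artifact.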
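Review bot: The two replaced `ghQtBuilds_hash_*` defaults in install_qt.cmd are opaque 64-hex-digit values with no record of which release asset they belong to, and the `qt6_version` default in the context lines is unchanged. A comment above them such as `rem digests of the qt-builds archives for the default versions below; update together with the version defaults` would let a reviewer check them against the published release. The lines for arguments 1 and 2 are outside the hunk, so the version these digests track may be set there.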
--- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -263,7 +263,6 @@ 该功能可能对兼容性造成影响,因为它阻止了沙盒内的进程向主机进程写入数据,以及启动它们。 - Prevents the sandboxed window from being captured. 阻止沙盒化窗口被捕获图像。 From 0239e66827675fb967de16b34bd16c961db02dc6 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Mon, 24 Jun 2024 14:57:04 +0200 Subject: [PATCH 07/20] ipc.c rolback to 1.14.0 https://github.com/sandboxie-plus/Sandboxie/issues/4012 --- Sandboxie/core/drv/ipc.c | 70 ++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 38 deletions(-) diff --git a/Sandboxie/core/drv/ipc.c b/Sandboxie/core/drv/ipc.c index d6bd0d22..642da0f6 100644 --- a/Sandboxie/core/drv/ipc.c +++ b/Sandboxie/core/drv/ipc.c 
@@ -1402,30 +1402,34 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms) } else if (IS_ARG_CURRENT_PROCESS(TargetProcessHandle)) { + // + // we duplicate the handle into kernel space such that that user + // won't be able to grab it while we are evaluaiting it + // + HANDLE SourceProcessKernelHandle; status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle); if (NT_SUCCESS(status)) { HANDLE TargetProcessKernelHandle = ZwCurrentProcess(); // TargetProcessHandle == NtCurrentProcess(); - HANDLE SourceKernelHandle; - status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle); + // + // driver verifier wants us to provide a kernel handle as process handles + // but the source handle must be a user handle and the ZwDuplicateObject + // function creates another user handle hence NtClose + // + + status = ZwDuplicateObject( + SourceProcessKernelHandle, SourceHandle, + TargetProcessKernelHandle, &DuplicatedHandle, + DesiredAccess, HandleAttributes, + Options & ~DUPLICATE_CLOSE_SOURCE); + if (NT_SUCCESS(status)) { - status = ZwDuplicateObject( - SourceProcessKernelHandle, SourceHandle, - TargetProcessKernelHandle, &DuplicatedHandle, - DesiredAccess, HandleAttributes, - Options & ~DUPLICATE_CLOSE_SOURCE); + status = Ipc_CheckObjectName(DuplicatedHandle, UserMode); - if (NT_SUCCESS(status)) { - - status = Ipc_CheckObjectName(DuplicatedHandle, UserMode); - - NtClose(DuplicatedHandle); - } - - ZwClose(SourceKernelHandle); + NtClose(DuplicatedHandle); } ZwClose(SourceProcessKernelHandle); 
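Review bot: With the `SourceKernelHandle` pinning removed, `Ipc_CheckObjectName` in this branch vets a duplicate of whatever `SourceHandle` refers to at that moment, while the final `ZwDuplicateObject` in the next hunk appears to resolve the same caller-supplied handle value again later. If the source process's handle table changes in between, the object that was checked and the object that is handed out need not be the same. Since this is a deliberate rollback for issue 4012, record the gap at the check, e.g. `// NOTE: SourceHandle is re-resolved by the final ZwDuplicateObject below; this name check is not atomic with it`. The restored first comment also says the handle is duplicated "into kernel space", which contradicts the second comment and the `NtClose`/`UserMode` usage, and should be reworded. The function body begins and ends outside this hunk.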
@@ -1440,40 +1444,30 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms) if (NT_SUCCESS(status)) { - HANDLE SourceProcessKernelHandle = ZwCurrentProcess(); + HANDLE SourceProcessKernelHandle = (HANDLE)-1; + HANDLE TargetProcessKernelHandle = (HANDLE)-1; + if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle)) status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle); if (NT_SUCCESS(status)) { - HANDLE TargetProcessKernelHandle = ZwCurrentProcess(); if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle)) status = Thread_GetKernelHandleForUserHandle(&TargetProcessKernelHandle, TargetProcessHandle); if (NT_SUCCESS(status)) { - HANDLE SourceKernelHandle; - status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle); - if (NT_SUCCESS(status)) { + status = ZwDuplicateObject( + SourceProcessKernelHandle, SourceHandle, + TargetProcessKernelHandle, &DuplicatedHandle, + DesiredAccess, HandleAttributes, Options); - status = ZwDuplicateObject( - SourceProcessKernelHandle, SourceKernelHandle, - TargetProcessKernelHandle, &DuplicatedHandle, - DesiredAccess, HandleAttributes, Options & ~DUPLICATE_CLOSE_SOURCE); - - if (Options & DUPLICATE_CLOSE_SOURCE) - NtClose(SourceHandle); - - *TargetHandle = DuplicatedHandle; - - ZwClose(SourceKernelHandle); - } - - if (!IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle)) - ZwClose(TargetProcessKernelHandle); + *TargetHandle = DuplicatedHandle; } - - if (!IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle)) - ZwClose(SourceProcessKernelHandle); } + + if (SourceProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle)) + ZwClose(SourceProcessKernelHandle); + if (TargetProcessKernelHandle && !IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle)) + ZwClose(TargetProcessKernelHandle); } // From c1ac16f30576ce9a11f4d2be55a1ceb9466d59ee Mon Sep 17 00:00:00 2001 
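Review bot: `*TargetHandle = DuplicatedHandle;` runs without testing the status returned by the `ZwDuplicateObject` call just above it, so on failure the caller's output receives whatever `DuplicatedHandle` held before, possibly the value that the check branch in the previous hunk already closed. Guard the store with `if (NT_SUCCESS(status)) *TargetHandle = DuplicatedHandle;`. Separately, the cleanup tests `SourceProcessKernelHandle &&` although both handles are now initialised to `(HANDLE)-1`, so the non-null test only matters if `Thread_GetKernelHandleForUserHandle` zeroes its output on failure; a one-line comment stating that assumption would help. The function continues outside the hunk.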
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Mon, 24 Jun 2024 15:22:32 +0200 Subject: [PATCH 08/20] 1.14.3 --- CHANGELOG.md | 2 +- SandboxiePlus/SandMan/Views/SbieView.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41700508..f1db9b60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [1.14.x / 5.69.x] - 2024-xx-xx +## [1.14.3 / 5.69.3] - 2024-06-?? ### Changed - changed Qt 5 version to Qt 5.15.14 with OpenSSL 3.3.1 [#3994](https://github.com/sandboxie-plus/Sandboxie/pull/3994) (thanks offhub) diff --git a/SandboxiePlus/SandMan/Views/SbieView.cpp b/SandboxiePlus/SandMan/Views/SbieView.cpp index 02391219..289586d5 100644 --- a/SandboxiePlus/SandMan/Views/SbieView.cpp +++ b/SandboxiePlus/SandMan/Views/SbieView.cpp @@ -1786,7 +1786,7 @@ void CSbieView::OnDoubleClicked(const CSandBoxPtr &pBox) if (!pBox->IsEnabled()) { - if (QMessageBox("Sandboxie-Plus", tr("This sandbox is disabled, do you want to enable it?"), QMessageBox::Question, QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape, QMessageBox::NoButton, this).exec() != QMessageBox::Yes) + if (QMessageBox("Sandboxie-Plus", tr("This sandbox is disabled or restricted to a group/user, do you want to edit it?"), QMessageBox::Question, QMessageBox::Yes, QMessageBox::No | QMessageBox::Default | QMessageBox::Escape, QMessageBox::NoButton, this).exec() != QMessageBox::Yes) return; pBox->SetText("Enabled", "y"); return; From 481ddf723b95211116f426610975b90d18ea15ea Mon Sep 17 00:00:00 2001 
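Review bot: The prompt in SbieView.cpp now covers boxes "restricted to a group/user" and asks whether to "edit" them, but the Yes path still executes `pBox->SetText("Enabled", "y");`, which replaces the setting with a plain `y`. For a box whose `Enabled` value carries an account restriction, confirming the dialog would presumably drop that restriction rather than open anything for editing. Either make the text say so, e.g. `tr("This sandbox is disabled or restricted to a group/user. Enable it for all users?")`, or overwrite the value only when the box is plainly disabled. `OnDoubleClicked` continues outside the hunk.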
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 13:32:20 +0000 Subject: [PATCH 09/20] Sync SBIE Plus language files (lupdate) --- SandboxiePlus/SandMan/sandman_de.ts | 5 +++-- SandboxiePlus/SandMan/sandman_en.ts | 5 +++-- SandboxiePlus/SandMan/sandman_es.ts | 5 +++-- SandboxiePlus/SandMan/sandman_fr.ts | 5 +++-- SandboxiePlus/SandMan/sandman_hu.ts | 5 +++-- SandboxiePlus/SandMan/sandman_it.ts | 5 +++-- SandboxiePlus/SandMan/sandman_ja.ts | 3 ++- SandboxiePlus/SandMan/sandman_ko.ts | 5 +++-- SandboxiePlus/SandMan/sandman_nl.ts | 5 +++-- SandboxiePlus/SandMan/sandman_pl.ts | 5 +++-- SandboxiePlus/SandMan/sandman_pt_BR.ts | 5 +++-- SandboxiePlus/SandMan/sandman_pt_PT.ts | 5 +++-- SandboxiePlus/SandMan/sandman_ru.ts | 5 +++-- SandboxiePlus/SandMan/sandman_sv_SE.ts | 5 +++-- SandboxiePlus/SandMan/sandman_tr.ts | 5 +++-- SandboxiePlus/SandMan/sandman_uk.ts | 5 +++-- SandboxiePlus/SandMan/sandman_vi.ts | 5 +++-- SandboxiePlus/SandMan/sandman_zh_CN.ts | 5 +++-- SandboxiePlus/SandMan/sandman_zh_TW.ts | 5 +++-- 19 files changed, 56 insertions(+), 37 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_de.ts b/SandboxiePlus/SandMan/sandman_de.ts index 90e3bbd3..bdcdbd0e 100644 --- a/SandboxiePlus/SandMan/sandman_de.ts +++ b/SandboxiePlus/SandMan/sandman_de.ts @@ -4966,8 +4966,9 @@ This file is part of Sandboxie and all change done to it will be reverted next t - This sandbox is disabled, do you want to enable it? - Diese Sandbox ist deaktiviert. Möchten Sie diese aktivieren? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Diese Sandbox ist deaktiviert. Möchten Sie diese aktivieren? diff --git a/SandboxiePlus/SandMan/sandman_en.ts b/SandboxiePlus/SandMan/sandman_en.ts index 2de15373..fd0d45f8 100644 --- a/SandboxiePlus/SandMan/sandman_en.ts +++ b/SandboxiePlus/SandMan/sandman_en.ts 
@@ -5107,8 +5107,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + diff --git a/SandboxiePlus/SandMan/sandman_es.ts b/SandboxiePlus/SandMan/sandman_es.ts index 61c98d33..59d41693 100644 --- a/SandboxiePlus/SandMan/sandman_es.ts +++ b/SandboxiePlus/SandMan/sandman_es.ts @@ -5694,8 +5694,9 @@ NO seleccionará: %2 - This sandbox is disabled, do you want to enable it? - Esta sandbox esta deshabilitada, ¿desea habilitarla? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Esta sandbox esta deshabilitada, ¿desea habilitarla? diff --git a/SandboxiePlus/SandMan/sandman_fr.ts b/SandboxiePlus/SandMan/sandman_fr.ts index bb98d16c..37d0a112 100644 --- a/SandboxiePlus/SandMan/sandman_fr.ts +++ b/SandboxiePlus/SandMan/sandman_fr.ts @@ -5787,8 +5787,9 @@ Remarque : La recherche de mise à jour est souvent en retard par rapport à la - This sandbox is disabled, do you want to enable it? - Ce bac à sable est désactivé, voulez-vous l'activer ? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Ce bac à sable est désactivé, voulez-vous l'activer ? diff --git a/SandboxiePlus/SandMan/sandman_hu.ts b/SandboxiePlus/SandMan/sandman_hu.ts index 6aa0c9be..69b2fba0 100644 --- a/SandboxiePlus/SandMan/sandman_hu.ts +++ b/SandboxiePlus/SandMan/sandman_hu.ts 
@@ -5323,8 +5323,9 @@ Ez a fájl a Sandboxie része, és minden rajta végzett módosítás vissza les - This sandbox is disabled, do you want to enable it? - Ez a homokozó le van tiltva. Bekapcsolja? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Ez a homokozó le van tiltva. Bekapcsolja? diff --git a/SandboxiePlus/SandMan/sandman_it.ts b/SandboxiePlus/SandMan/sandman_it.ts index c5586390..e1382815 100644 --- a/SandboxiePlus/SandMan/sandman_it.ts +++ b/SandboxiePlus/SandMan/sandman_it.ts @@ -5379,8 +5379,9 @@ Questo file fa parte di Sandboxie e tutte le modifiche apportate ad esso saranno - This sandbox is disabled, do you want to enable it? - Quest'area virtuale è disattivata, vuoi attivarla? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Quest'area virtuale è disattivata, vuoi attivarla? diff --git a/SandboxiePlus/SandMan/sandman_ja.ts b/SandboxiePlus/SandMan/sandman_ja.ts index fa1f438e..60bbf592 100644 --- a/SandboxiePlus/SandMan/sandman_ja.ts +++ b/SandboxiePlus/SandMan/sandman_ja.ts @@ -5041,7 +5041,8 @@ This file is part of Sandboxie and all change done to it will be reverted next t - This sandbox is disabled, do you want to enable it? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? diff --git a/SandboxiePlus/SandMan/sandman_ko.ts b/SandboxiePlus/SandMan/sandman_ko.ts index 0788271f..07b765fc 100644 --- a/SandboxiePlus/SandMan/sandman_ko.ts +++ b/SandboxiePlus/SandMan/sandman_ko.ts 
@@ -5552,8 +5552,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - 이 샌드박스를 사용할 수 없습니다. 사용하시겠습니까? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + 이 샌드박스를 사용할 수 없습니다. 사용하시겠습니까? diff --git a/SandboxiePlus/SandMan/sandman_nl.ts b/SandboxiePlus/SandMan/sandman_nl.ts index d6dee044..3eda6e03 100644 --- a/SandboxiePlus/SandMan/sandman_nl.ts +++ b/SandboxiePlus/SandMan/sandman_nl.ts @@ -5438,8 +5438,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - Deze sandbox is uitgeschakeld. Wilt u hem inschakelen? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Deze sandbox is uitgeschakeld. Wilt u hem inschakelen? diff --git a/SandboxiePlus/SandMan/sandman_pl.ts b/SandboxiePlus/SandMan/sandman_pl.ts index 822b3124..1ea1a2b8 100644 --- a/SandboxiePlus/SandMan/sandman_pl.ts +++ b/SandboxiePlus/SandMan/sandman_pl.ts @@ -5653,8 +5653,9 @@ Uwaga: Sprawdzanie aktualizacji często pomija najnowsze wydania GitHub, aby zap - This sandbox is disabled, do you want to enable it? - Ta piaskownica jest wyłączona, czy chcesz ją teraz włączyć? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Ta piaskownica jest wyłączona, czy chcesz ją teraz włączyć? diff --git a/SandboxiePlus/SandMan/sandman_pt_BR.ts b/SandboxiePlus/SandMan/sandman_pt_BR.ts index 3cc45d31..db9e17ee 100644 --- a/SandboxiePlus/SandMan/sandman_pt_BR.ts +++ b/SandboxiePlus/SandMan/sandman_pt_BR.ts 
@@ -5655,8 +5655,9 @@ Não vou escolher: %2 - This sandbox is disabled, do you want to enable it? - Essa caixa está desativada, deseja ativá-la? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Essa caixa está desativada, deseja ativá-la? diff --git a/SandboxiePlus/SandMan/sandman_pt_PT.ts b/SandboxiePlus/SandMan/sandman_pt_PT.ts index 94786e93..582dfec3 100644 --- a/SandboxiePlus/SandMan/sandman_pt_PT.ts +++ b/SandboxiePlus/SandMan/sandman_pt_PT.ts @@ -5659,8 +5659,9 @@ Não vou definir: %2 - This sandbox is disabled, do you want to enable it? - Esta caixa está desativada, deseja ativá-la? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Esta caixa está desativada, deseja ativá-la? diff --git a/SandboxiePlus/SandMan/sandman_ru.ts b/SandboxiePlus/SandMan/sandman_ru.ts index decd5592..094a73ab 100644 --- a/SandboxiePlus/SandMan/sandman_ru.ts +++ b/SandboxiePlus/SandMan/sandman_ru.ts @@ -5098,8 +5098,9 @@ This file is part of Sandboxie and all change done to it will be reverted next t - This sandbox is disabled, do you want to enable it? - Эта песочница отключена, вы хотите ее включить? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Эта песочница отключена, вы хотите ее включить? diff --git a/SandboxiePlus/SandMan/sandman_sv_SE.ts b/SandboxiePlus/SandMan/sandman_sv_SE.ts index 6309f9bf..e110c1dc 100644 --- a/SandboxiePlus/SandMan/sandman_sv_SE.ts +++ b/SandboxiePlus/SandMan/sandman_sv_SE.ts 
@@ -5700,8 +5700,9 @@ Notera: Uppdateringskollen är ofta bakom senaste GitHub-utgivningen för att s - This sandbox is disabled, do you want to enable it? - Denna sandlåda är inaktiverad, vill du aktivera den? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Denna sandlåda är inaktiverad, vill du aktivera den? diff --git a/SandboxiePlus/SandMan/sandman_tr.ts b/SandboxiePlus/SandMan/sandman_tr.ts index 268dccf3..54ad4506 100644 --- a/SandboxiePlus/SandMan/sandman_tr.ts +++ b/SandboxiePlus/SandMan/sandman_tr.ts @@ -4724,8 +4724,9 @@ Lütfen Sandboxie için bir güncelleme olup olmadığını kontrol edin. - This sandbox is disabled, do you want to enable it? - Bu alan devre dışı, etkinleştirmek istiyor musunuz? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Bu alan devre dışı, etkinleştirmek istiyor musunuz? diff --git a/SandboxiePlus/SandMan/sandman_uk.ts b/SandboxiePlus/SandMan/sandman_uk.ts index 58ec41df..30358d85 100644 --- a/SandboxiePlus/SandMan/sandman_uk.ts +++ b/SandboxiePlus/SandMan/sandman_uk.ts @@ -5402,8 +5402,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - Ця пісочниця вимкнена, ви хочете її увімкнути? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Ця пісочниця вимкнена, ви хочете її увімкнути? diff --git a/SandboxiePlus/SandMan/sandman_vi.ts b/SandboxiePlus/SandMan/sandman_vi.ts index 986db64d..5be5b3ef 100644 --- a/SandboxiePlus/SandMan/sandman_vi.ts +++ b/SandboxiePlus/SandMan/sandman_vi.ts 
@@ -5312,8 +5312,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - Sandbox này bị vô hiệu hóa, bạn có muốn bật nó không? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + Sandbox này bị vô hiệu hóa, bạn có muốn bật nó không? diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index ea62ae91..b1142a22 100644 --- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -5482,8 +5482,9 @@ Error: %1 - This sandbox is disabled, do you want to enable it? - 此沙盒已禁用,确定启用吗? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + 此沙盒已禁用,确定启用吗? diff --git a/SandboxiePlus/SandMan/sandman_zh_TW.ts b/SandboxiePlus/SandMan/sandman_zh_TW.ts index 163dde58..1724b578 100644 --- a/SandboxiePlus/SandMan/sandman_zh_TW.ts +++ b/SandboxiePlus/SandMan/sandman_zh_TW.ts @@ -5456,8 +5456,9 @@ This file is part of Sandboxie and all changed done to it will be reverted next - This sandbox is disabled, do you want to enable it? - 此沙箱已停用,是否啟用? + This sandbox is disabled or restricted to a group/user, do you want to edit it? + This sandbox is disabled, do you want to enable it? + 此沙箱已停用,是否啟用? From a5803c128a335cc9e563de3daf0120d3efb14288 Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Mon, 24 Jun 2024 17:08:22 +0200 Subject: [PATCH 10/20] Update sandman_de.ts - Checked translation with modified source. - Removed line. --- SandboxiePlus/SandMan/sandman_de.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_de.ts b/SandboxiePlus/SandMan/sandman_de.ts index bdcdbd0e..2cad00f9 100644 --- a/SandboxiePlus/SandMan/sandman_de.ts +++ b/SandboxiePlus/SandMan/sandman_de.ts 
@@ -4967,8 +4967,7 @@ This file is part of Sandboxie and all change done to it will be reverted next t This sandbox is disabled or restricted to a group/user, do you want to edit it? - This sandbox is disabled, do you want to enable it? - Diese Sandbox ist deaktiviert. Möchten Sie diese aktivieren? + Diese Sandbox ist deaktiviert oder auf andere Gruppen/Benutzer beschränkt. Möchten Sie die Sandbox bearbeiten? From b6b97a88aa396ac7f6a20432ae94a3b4dcfdbf95 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Mon, 24 Jun 2024 17:08:56 +0200 Subject: [PATCH 11/20] Update token.c --- Sandboxie/core/drv/token.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c index a45f239c..95ddc8d2 100644 --- a/Sandboxie/core/drv/token.c +++ b/Sandboxie/core/drv/token.c @@ -2193,6 +2193,12 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) OBJECT_ATTRIBUTES ObjectAttributes; SECURITY_QUALITY_OF_SERVICE SecurityQos; + TOKEN_PRIVILEGES AllowedPrivilege; + AllowedPrivilege.PrivilegeCount = 1; + AllowedPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT; + AllowedPrivilege.Privileges[0].Luid.HighPart = 0; + AllowedPrivilege.Privileges[0].Luid.LowPart = SE_CHANGE_NOTIFY_PRIVILEGE; + // // Gather information from the original token // 
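Review bot: `AllowedPrivilege` in token.c is declared without a comment on its purpose, and only a later hunk shows that it replaces the whole privilege list passed on for the new token. Add above the declaration something like `// replacement privilege set for the created token: only SE_CHANGE_NOTIFY_PRIVILEGE is kept`. The initialisation also relies on `TOKEN_PRIVILEGES` holding exactly one inline entry, which is worth stating next to `PrivilegeCount = 1`. `Token_CreateToken` starts and ends outside the hunk.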
@@ -2290,6 +2296,15 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) RtlCopyMemory(&LocalGroups->Groups[1], OldLocalGroups->Groups, OldLocalGroups->GroupCount * sizeof(SID_AND_ATTRIBUTES)); LocalGroups->GroupCount = NewGroupCount; } + + /*for (ULONG i = 0; i < LocalPrivileges->PrivilegeCount; ++i) { + LUID_AND_ATTRIBUTES *entry_i = &LocalPrivileges->Privileges[i]; + + DbgPrint("Priv: %d-%d (0x%x)\n", entry_i->Luid.HighPart, entry_i->Luid.LowPart, entry_i->Attributes); + }*/ + + if (LocalPrivileges) ExFreePool((PVOID)LocalPrivileges); + LocalPrivileges = &AllowedPrivilege; } // @@ -2494,7 +2509,7 @@ finish: if (LocalUser) ExFreePool((PVOID)LocalUser); if (LocalGroups) ExFreePool((PVOID)LocalGroups); if (OldLocalGroups) ExFreePool((PVOID)OldLocalGroups); - if (LocalPrivileges) ExFreePool((PVOID)LocalPrivileges); + if (LocalPrivileges && LocalPrivileges != &AllowedPrivilege) ExFreePool((PVOID)LocalPrivileges); //if (UserAttributes) ExFreePool((PVOID)UserAttributes); //if (DeviceAttributes) ExFreePool((PVOID)DeviceAttributes); From 1373fa4e6534719bfd08f4d366241ea3bea989bd Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Mon, 24 Jun 2024 18:24:42 +0200 Subject: [PATCH 12/20] 1.14.3 --- CHANGELOG.md | 3 + Sandboxie/core/drv/token.c | 140 ++++++++++++++++--------------------- 2 files changed, 62 insertions(+), 81 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1db9b60..680ea8e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Changed - changed Qt 5 version to Qt 5.15.14 with OpenSSL 3.3.1 [#3994](https://github.com/sandboxie-plus/Sandboxie/pull/3994) (thanks offhub) +### Fixed +- fixed Applications cannot be launched as admin in a sandbox with "UseCreateToken/SandboxieAllGroup" enabled when using an MSFT account [#4022](https://github.com/sandboxie-plus/Sandboxie/issues/4022) + ## [1.14.2 / 5.69.2] - 2024-06-19 
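Review bot: The replacement `LocalPrivileges = &AllowedPrivilege;` in the `@@ -2290` hunk carries no comment saying that the created token deliberately keeps only SeChangeNotifyPrivilege and discards every privilege gathered from the original token. That is a security-relevant decision, and the branch condition that enables it lies outside the hunk, so I would add above the free: `// Least privilege: the new token keeps only SeChangeNotifyPrivilege; all privileges copied from the original token are dropped.` Because `LocalPrivileges` may now point at a stack object, the comment should also say that the `finish:` cleanup must not free it, which the guard in the `@@ -2494` hunk does. The commented-out `DbgPrint` loop would be better removed or placed behind a debug-only macro than left as a `/* */` block.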
diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c index 95ddc8d2..6988165f 100644 --- a/Sandboxie/core/drv/token.c +++ b/Sandboxie/core/drv/token.c @@ -2333,13 +2333,7 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) memcpy(LocalUser->User.Sid, proc->SandboxieLogonSid, RtlLengthSid(proc->SandboxieLogonSid)); } - //UNICODE_STRING unicodeString; - //status = RtlConvertSidToUnicodeString(&unicodeString, LocalUser->User.Sid, TRUE); - //if (NT_SUCCESS(status)) { - // DbgPrint("SID: %wZ\n", &unicodeString); - // RtlFreeUnicodeString(&unicodeString); - //} - +retry: status = SbieCreateToken( &TokenHandle, TOKEN_ALL_ACCESS, @@ -2350,7 +2344,7 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) LocalUser, LocalGroups, LocalPrivileges, - + 0, //UserAttributes, 0, //DeviceAttributes, 0, //DeviceGroups, 
@@ -2362,58 +2356,28 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) LocalSource ); - // - // For online accounts we must change the primary group - // - - if (proc->SandboxieLogonSid && status == STATUS_INVALID_PRIMARY_GROUP) + if (proc->SandboxieLogonSid && status == STATUS_INVALID_PRIMARY_GROUP && LocalPrimaryGroup->PrimaryGroup != LocalUser->User.Sid) { + // + // For online accounts we must change the primary group + // + ExFreePool((PVOID)LocalPrimaryGroup); LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)ExAllocatePoolWithTag(PagedPool, sizeof(PTOKEN_PRIMARY_GROUP), tzuk); LocalPrimaryGroup->PrimaryGroup = LocalUser->User.Sid; - status = SbieCreateToken( - &TokenHandle, - TOKEN_ALL_ACCESS, - &ObjectAttributes, - TokenType, - &AuthenticationId, - &ExpirationTime, - LocalUser, - LocalGroups, - LocalPrivileges, - - 0, //UserAttributes, - 0, //DeviceAttributes, - 0, //DeviceGroups, - MandatoryPolicy, - - LocalOwner, - LocalPrimaryGroup, - NewDefaultDacl, - LocalSource - ); + goto retry; } - - if (NT_SUCCESS(status)) - status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle); - - // - // Retry with new DACLs on error - // - - if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER) + else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && !NewDacl) { + // + // Retry with new DACLs on error + // + DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize; - + // Construct a new ACL NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk); - if (NULL == NewDefaultDacl) - { - Log_Status_Ex_Process(MSG_1222, 0xA2, status, NULL, proc->box->session_id, proc->pid); - goto finish; - } - memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length); NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL)); 
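Review bot: The allocation of `NewDefaultDacl` in the STATUS_INVALID_OWNER branch is no longer checked, because this hunk deletes the `if (NULL == NewDefaultDacl)` block while the next line still does `memcpy(NewDefaultDacl, ...)`; in a kernel driver an allocation failure then becomes a NULL write instead of a clean error. I would keep the guard together with the removed `Log_Status_Ex_Process(MSG_1222, 0xA2, ...)` call and give it a definite status, `if (!NewDefaultDacl) { status = STATUS_INSUFFICIENT_RESOURCES; goto finish; }`. The `LocalPrimaryGroup` allocation in the branch above is dereferenced unchecked in the same way, and it is sized with `sizeof(PTOKEN_PRIMARY_GROUP)` (a pointer size) where `sizeof(TOKEN_PRIMARY_GROUP)` is meant. The branch body continues past the end of the hunk.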
@@ -2425,51 +2389,38 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner); - status = SbieCreateToken( - &TokenHandle, - TOKEN_ALL_ACCESS, - &ObjectAttributes, - TokenType, - &AuthenticationId, - &ExpirationTime, - LocalUser, - LocalGroups, - LocalPrivileges, + goto retry; + } - 0, //UserAttributes, - 0, //DeviceAttributes, - 0, //DeviceGroups, - MandatoryPolicy, - LocalOwner, - LocalPrimaryGroup, - NewDefaultDacl, - LocalSource - ); + if (!NT_SUCCESS(status)) + { + Log_Status_Ex_Process(MSG_1222, 0xA3, status, NULL, proc->box->session_id, proc->pid); + goto finish; + } - if (NT_SUCCESS(status)) - status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle); - - if (!NT_SUCCESS(status)) - { - Log_Status_Ex_Process(MSG_1222, 0xA3, status, NULL, proc->box->session_id, proc->pid); - goto finish; - } + if (NT_SUCCESS(status)) + status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle); + if (NT_SUCCESS(status) && NewDacl) + { Token_SetHandleDacl(NtCurrentProcess(), NewDacl); Token_SetHandleDacl(NtCurrentThread(), NewDacl); Token_SetHandleDacl(KernelTokenHandle, NewDacl); } - + + if (NT_SUCCESS(status)) + { + ULONG virtualizationAllowed = 1; + status = ZwSetInformationToken(KernelTokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG)); + } + if (!NT_SUCCESS(status)) { Log_Status_Ex_Process(MSG_1222, 0xA4, status, NULL, proc->box->session_id, proc->pid); goto finish; } - ULONG virtualizationAllowed = 1; - status = ZwSetInformationToken(KernelTokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG)); - if (Conf_Get_Boolean(proc->box->name, L"CopyTokenAttributes", 0, FALSE)) { HANDLE OldTokenHandle; 
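Review bot: A failing `ZwSetInformationToken(..., TokenVirtualizationAllowed, ...)` now aborts token creation through the 0xA4 path, whereas the removed lines stored its status without checking it in the visible code. If the call is meant to be best-effort, keep its result out of `status`, e.g. `(void)ZwSetInformationToken(KernelTokenHandle, TokenVirtualizationAllowed, &virtualizationAllowed, sizeof(ULONG));`; if the failure is meant to be fatal, a comment saying so and a log sub-code distinct from the kernel-handle failure would keep MSG_1222 reports unambiguous. The `if (NT_SUCCESS(status))` before `Thread_GetKernelHandleForUserHandle` is also redundant, since the 0xA3 guard directly above has already left the function on failure. The function continues outside the hunk.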
@@ -2505,6 +2456,33 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) finish: if (KernelTokenHandle) ZwClose(KernelTokenHandle); + //UNICODE_STRING unicodeString; + + //DbgPrint("Create Token: 0x%08x\n", status); + //if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalUser->User.Sid, TRUE))) { + // DbgPrint("LocalUser: %wZ (0x%x)\n", &unicodeString, LocalUser->User.Attributes); + // RtlFreeUnicodeString(&unicodeString); + //} + + //for (ULONG i = 0; i < LocalGroups->GroupCount; i++) { + // if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalGroups->Groups[i].Sid, TRUE))) { + // DbgPrint("LocalGroups[%d]: %wZ (0x%x)\n", i, &unicodeString, LocalGroups->Groups[i].Attributes); + // RtlFreeUnicodeString(&unicodeString); + // } + //} + + //if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalOwner->Owner, TRUE))) { + // DbgPrint("LocalOwner: %wZ\n", &unicodeString); + // RtlFreeUnicodeString(&unicodeString); + //} + + //if (NT_SUCCESS(RtlConvertSidToUnicodeString(&unicodeString, LocalPrimaryGroup->PrimaryGroup, TRUE))) { + // DbgPrint("LocalPrimaryGroup: %wZ\n", &unicodeString); + // RtlFreeUnicodeString(&unicodeString); + //} + //DbgPrint("+++\n"); + + if (LocalStatistics) ExFreePool((PVOID)LocalStatistics); if (LocalUser) ExFreePool((PVOID)LocalUser); if (LocalGroups) ExFreePool((PVOID)LocalGroups); From a722ef353e74b92b3d91b0124fbec805c2247a21 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Mon, 24 Jun 2024 21:19:48 +0200 Subject: [PATCH 13/20] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 680ea8e0..8a74277e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
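Review bot: The commented-out dump block added after `finish:` dereferences `LocalUser`, `LocalGroups`, `LocalOwner` and `LocalPrimaryGroup` unconditionally, although the frees right below treat these pointers as possibly NULL (`if (LocalUser) ...`, `if (LocalGroups) ...`), presumably because `finish:` is reached from early failure paths. Anyone who uncomments it for debugging risks a NULL dereference in the driver on exactly the paths being diagnosed. I would either delete the block or compile it only in debug builds (for example behind `#if DBG`) with the same NULL guards, and avoid a long `//` block in the cleanup path. The rest of the cleanup continues outside the hunk.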
@@ -9,6 +9,9 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Fixed - fixed Applications cannot be launched as admin in a sandbox with "UseCreateToken/SandboxieAllGroup" enabled when using an MSFT account [#4022](https://github.com/sandboxie-plus/Sandboxie/issues/4022) +- fixed Firefox issue with Sbie 1.14.1 and 1.14.2 [#4012](https://github.com/sandboxie-plus/Sandboxie/issues/4012) + - rolled back the driver verifier fix added in 1.14.1 + From c1cdaba8e48dda104690119aadcaf157e3946ce0 Mon Sep 17 00:00:00 2001 From: isaak654 Date: Tue, 25 Jun 2024 13:18:36 +0200 Subject: [PATCH 14/20] Update winget-releaser references --- .github/workflows/winget.yml | 4 ++-- README.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml index d86109de..cc0f6b8c 100644 --- a/.github/workflows/winget.yml +++ b/.github/workflows/winget.yml @@ -7,7 +7,7 @@ jobs: runs-on: windows-latest # action can only be run on Windows steps: - name: Publish Sandboxie-Plus - uses: vedantmgoyal2009/winget-releaser@v2 + uses: vedantmgoyal9/winget-releaser@main with: identifier: Sandboxie.Plus installers-regex: "Sandboxie-Plus.*.exe$" @@ -23,7 +23,7 @@ jobs: "CLASSIC_VER=$VERSION" >> $env:GITHUB_OUTPUT shell: pwsh - name: Publish Sandboxie-Classic - uses: vedantmgoyal2009/winget-releaser@v2 + uses: vedantmgoyal9/winget-releaser@main with: version: ${{ steps.get_version.outputs.CLASSIC_VER }} identifier: Sandboxie.Classic diff --git a/README.md b/README.md index c1e0eb99..c5df999e 100644 --- a/README.md +++ b/README.md 
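Review bot: Both `uses:` lines (the `@@ -7,7` hunk and the `@@ -23,7` hunk of winget.yml) now reference `vedantmgoyal9/winget-releaser@main`, a branch that can change at any time, where the removed lines used the `@v2` tag; a release workflow that publishes installers would then run whatever is on that branch at the time of the run. Pin the action to a full commit SHA and keep the version as a trailing comment, `uses: vedantmgoyal9/winget-releaser@<full-commit-sha> # <release tag>` (placeholders; take the values from the action's repository). The rest of each step, including any token passed in `with:`, is outside the hunks, so the token's scope should be checked against least privilege separately.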
@@ -100,7 +100,7 @@ If you find Sandboxie useful, then feel free to contribute through our [Contribu - DavidBerdik - Maintainer of [Sandboxie Website Archive](https://github.com/Sandboxie-Website-Archive/sandboxie-website-archive.github.io) - Jackenmen - Maintainer of Chocolatey packages for Sandboxie ([support](https://github.com/Jackenmen/choco-auto/issues?q=is%3Aissue+Sandboxie)) -- vedantmgoyal2009 - Maintainer of Winget Releaser for Sandboxie ([support](https://github.com/vedantmgoyal2009/winget-releaser/issues?q=is%3Aissue+Sandboxie)) +- vedantmgoyal9 - Maintainer of Winget Releaser for Sandboxie ([support](https://github.com/vedantmgoyal9/winget-releaser/issues?q=is%3Aissue+Sandboxie)) - blap - Maintainer of [SandboxToys2](https://github.com/blap/SandboxToys2) addon - diversenok - Security analysis & PoCs / Security fixes - TechLord - Team-IRA / Reversing From 9c2547c99246e687ed49f4fff0992f0888d919cd Mon Sep 17 00:00:00 2001 From: Michael <33252157+APMichael@users.noreply.github.com> Date: Tue, 25 Jun 2024 21:28:39 +0200 Subject: [PATCH 15/20] Update lang_de.json - Added new translations. - Minor changes to translations. --- .../SandMan/Troubleshooting/lang_de.json | 96 +++++++++---------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/SandboxiePlus/SandMan/Troubleshooting/lang_de.json b/SandboxiePlus/SandMan/Troubleshooting/lang_de.json index 78af360a..16a6c90e 100644 --- a/SandboxiePlus/SandMan/Troubleshooting/lang_de.json +++ b/SandboxiePlus/SandMan/Troubleshooting/lang_de.json 
@@ -2,10 +2,10 @@ "Description Text...": "Beschreibungstext...", "Fix current issues": "Aktuelle Probleme beheben", "Fix issues with sandboxing": "Sandboxprobleme beheben", -"An Application does not work properly when sandboxed": "Eine Anwendung funktioniert nicht richtig", -"Issues with a web browser": "Probleme mit einem Webbrowser beheben", +"An Application does not work properly when sandboxed": "Eine Anwendung funktioniert in der Sandbox nicht richtig", +"Issues with a web browser": "Probleme mit einem Webbrowser", "Perform Sandbox maintenance": "Sandboxwartung durchführen", -"Fix issues with the UI or Shell": "Problemen mit der Benutzeroberfläche beheben", +"Fix issues with the UI or Shell": "Problemen mit der Benutzeroberfläche oder Menüintegration beheben", "Yes": "Ja", "No": "Nein", @@ -16,7 +16,7 @@ "Loaded %1 templates": "%1 Vorlagen geladen", "Browser shortcut is missing from the desktop": "Browser-Verknüpfung fehlt auf dem Desktop", -"This procedure will add a browser shortcut to the desktop": "Dieser Vorgang wird eine Browser-Verknüpfung zum Desktop hinzufügen", +"This procedure will add a browser shortcut to the desktop": "Dieser Vorgang wird eine Browser-Verknüpfung auf dem Desktop hinzufügen", "Default Browser": "Standardbrowser", "Another": "Ein anderer", "Select Browser": "Browser auswählen", 
@@ -31,84 +31,84 @@ "Install legacy shell extensions": "Legacy-Menüerweiterungen installieren", "Select which shell options should be reinstalled": "Wählen Sie aus, welche Menüoptionen neu installiert werden sollen", -"Low FPS in sandboxed games": "Low FPS in sandboxed games", -"This procedure will optimize the box settings for gaming": "This procedure will optimize the box settings for gaming", -"Select which box to optimize.": "Select which box to optimize.", -"To apply recommended settings press NEXT. \n": "To apply recommended settings press NEXT. \n", -"The options has been applied please tryout your game in %1 and indicate if the issue has been resolved.": "The options has been applied please tryout your game in %1 and indicate if the issue has been resolved.", -"FPS optimization not successful": "FPS optimization not successful", +"Low FPS in sandboxed games": "Niedrige Bildrate (FPS) in sandgeboxten Spielen", +"This procedure will optimize the box settings for gaming": "Dieser Vorgang wird die Boxeinstellungen für Spiele optimieren", +"Select which box to optimize.": "Wählen Sie aus, welche Box optimiert werden soll.", +"To apply recommended settings press NEXT. \n": "Um die empfohlenen Einstellungen anzuwenden, drücken Sie auf WEITER. \n", +"The options has been applied please tryout your game in %1 and indicate if the issue has been resolved.": "Die Optionen wurden angewendet. 
Bitte probieren Sie Ihr Spiel in %1 aus und geben Sie an, ob das Problem behoben wurde.", +"FPS optimization not successful": "Optimierung der Bildrate (FPS) war nicht erfolgreich", -"Failed to install application into a sandbox": "Fehler beim Installieren der Anwendung in einer Sandbox", -"It helps troubleshoot issues related to installing applications in the sandbox": "It helps troubleshoot issues related to installing applications in the sandbox", +"Failed to install application into a sandbox": "Fehler beim Installieren einer Anwendung in eine Sandbox", +"It helps troubleshoot issues related to installing applications in the sandbox": "Es hilft bei der Behebung von Problemen im Zusammenhang mit dem Installieren von Anwendungen in der Sandbox", "Enter Installer Path": "Installerpfad eingeben", "Select a sandbox to install into": "Wählen Sie eine Sandbox zur Installation aus", -"This box has DropAdminRights enabled, preventing execution of installers. Do you want to disable this restriction, that will reduce the security level.": "In dieser Box ist Adminrechte abgeben aktiviert, was die Ausführung von Installern verhindert. Möchten Sie diese Einschränkung deaktivieren, was das Sicherheitsniveau senken wird?", +"This box has DropAdminRights enabled, preventing execution of installers. Do you want to disable this restriction, that will reduce the security level.": "In dieser Box ist Adminrechte abgeben aktiviert, was die Ausführung von Installern verhindert. 
Möchten Sie diese Einschränkung deaktivieren, was den Sicherheitslevel reduziert wird?", "Disable DropAdminRights": "Adminrechte abgeben deaktivieren", "Enable FakeAdminRights": "Adminrechte abgeben aktivieren", -"running installer, pid: %1 press NEXT once it finishes to continue": "Installer wird ausgeführt, PID: %1 drücken Sie auf WEITER, sobald dieser fertig ist, um fortzufahren", +"running installer, pid: %1 press NEXT once it finishes to continue": "Installer wird ausgeführt, PID: %1, drücken Sie auf WEITER, sobald dieser fertig ist, um fortzufahren", "Was the issue resolved?": "Wurde das Problem behoben?", -"no mitigation worked": "no mitigation worked", +"no mitigation worked": "Keine Problementschärfung hat funktioniert", "Webcam or Sound does not work when sandboxed": "Webcam oder Ton funktioniert nicht in einer Sandbox", -"It helps troubleshoot webcam and audio issues in the sandbox": "It helps troubleshoot webcam and audio issues in the sandbox", -"To enable webcam support on Windows 11, the isolation level must be reduced. \nIf you want to proceed, please press NEXT and select a sandbox to modify. \n": "Um die Webcam-Unterstützung unter Windows 11 zu aktivieren, muss das Isolationsniveau reduziert werden. \nWenn Sie fortfahren möchten, drücken Sie bitte auf WEITER und wählen eine Sandbox zur Modifikation aus. 
\n", -"Select which box to turn into a reduced isolation app compartment box.": "Wählen Sie, welche Box in eine Applikationsunterteilungsbox mit reduzierter Isolation umgewandelt werden soll.", -"The mitigation has been applied please try out the web cam in %1 and indicate if the issue has been resolved.": "Die Umwandlung wurde durchgeführt, bitte testen Sie die Webcam in %1 und geben Sie an, ob das Problem behoben wurde.", -"Webcam mitigation not successful": "Webcam mitigation not successful", +"It helps troubleshoot webcam and audio issues in the sandbox": "Es hilft bei der Behebung von Webcam- und Audioproblemen in der Sandbox", +"To enable webcam support on Windows 11, the isolation level must be reduced. \nIf you want to proceed, please press NEXT and select a sandbox to modify. \n": "Um die Webcam-Unterstützung unter Windows 11 zu aktivieren, muss der Isolationslevel reduziert werden. \nWenn Sie fortfahren möchten, drücken Sie bitte auf WEITER und wählen eine Sandbox zur Modifikation aus. 
\n", +"Select which box to turn into a reduced isolation app compartment box.": "Wählen Sie aus, welche Box in eine Applikationsunterteilungsbox mit reduzierter Isolation umgewandelt werden soll.", +"The mitigation has been applied please try out the web cam in %1 and indicate if the issue has been resolved.": "Die Problementschärfung wurde angewandt, bitte probieren Sie die Webcam in %1 aus und geben Sie an, ob das Problem behoben wurde.", +"Webcam mitigation not successful": "Problementschärfung für Webcam war nicht erfolgreich", "Select affected sandbox": "Betroffene Sandbox auswählen", "Enter Process Name": "Prozessname eingeben", -"SBIE1307: Program cannot access the Internet due to restrictions": "SBIE1307: Program cannot access the Internet due to restrictions", -"Program cannot access the Internet due to restrictions": "Program cannot access the Internet due to restrictions", +"SBIE1307: Program cannot access the Internet due to restrictions": "SBIE1307: Programm kann aufgrund von Beschränkungen nicht auf das Internet zugreifen", +"Program cannot access the Internet due to restrictions": "Programm kann aufgrund von Beschränkungen nicht auf das Internet zugreifen", "Internet Access restrictions are in effect for the sandbox in which the program is running. The program is prohibited from accessing the Internet.": "Für die Sandbox, in der das Programm ausgeführt wird, gelten Internetzugriffsbeschränkungen. 
Dem Programm ist der Zugriff auf das Internet untersagt.", -"SBIE1308: Program cannot start due to restrictions": "SBIE1308: Program cannot start due to restrictions", -"Program cannot start due to restrictions": "Program cannot start due to restrictions", +"SBIE1308: Program cannot start due to restrictions": "SBIE1308: Programm kann aufgrund von Beschränkungen nicht gestartet werden", +"Program cannot start due to restrictions": "Programm kann aufgrund von Beschränkungen nicht gestartet werden", "Start/Run restrictions are in effect for the sandbox in which the program is running. The program is prohibited from starting or running.": "Für die Sandbox, in der das Programm ausgeführt wird, gelten Start-/Ausführungsbeschränkungen. Das Programm darf nicht gestartet oder ausgeführt werden.", -"SBIE2102: File is too large to copy into sandbox": "SBIE2102: File is too large to copy into sandbox", -"File is too large to copy into sandbox": "File is too large to copy into sandbox", +"SBIE2102: File is too large to copy into sandbox": "SBIE2102: Die Datei ist zu groß, um sie in die Sandbox zu kopieren", +"File is too large to copy into sandbox": "Die Datei ist zu groß, um sie in die Sandbox zu kopieren", -"SBIE2113: File is too large to copy into sandbox, creating empty file": "SBIE2113: File is too large to copy into sandbox, creating empty file", -"File is too large to copy into sandbox, creating empty file": "File is too large to copy into sandbox, creating empty file", +"SBIE2113: File is too large to copy into sandbox, creating empty file": "SBIE2113: Die Datei ist zu groß, um sie in die Sandbox zu kopieren, erzeuge leere Datei", +"File is too large to copy into sandbox, creating empty file": "Die Datei ist zu groß, um sie in die Sandbox zu kopieren, erzeuge leere Datei", -"SBIE2114: File is too large to copy into sandbox, denying access": "SBIE2114: File is too large to copy into sandbox, denying access", -"File is too large to copy into sandbox, denying access": 
"File is too large to copy into sandbox, denying access", +"SBIE2114: File is too large to copy into sandbox, denying access": "SBIE2114: Die Datei ist zu groß, um sie in die Sandbox zu kopieren, verweigere Zugriff", +"File is too large to copy into sandbox, denying access": "Die Datei ist zu groß, um sie in die Sandbox zu kopieren, verweigere Zugriff", -"SBIE2115: File is too large to copy into sandbox, opening in read only": "SBIE2115: File is too large to copy into sandbox, opening in read only", -"File is too large to copy into sandbox, opening in read only": "File is too large to copy into sandbox, opening in read only", +"SBIE2115: File is too large to copy into sandbox, opening in read only": "SBIE2115: Die Datei ist zu groß, um sie in die Sandbox zu kopieren, öffne Datei nur schreibgeschützt", +"File is too large to copy into sandbox, opening in read only": "Die Datei ist zu groß, um sie in die Sandbox zu kopieren, öffne Datei nur schreibgeschützt", -"SBIE2181: Failed to load SbieDll.dll": "SBIE2181: Failed to load SbieDll.dll", -"Fix the DACLs of Sandboxie's home folder": "Fix the DACLs of Sandboxie's home folder", -"Failures to load SbieDll.dll when encountered by Chrome, or another software employing app containers, it is often caused by invalid DACL entries for the Sandboxie home directory. This mitigation measure will fix them, for this reason it will prompt for admin privileges which need to be granted for kmdutil.exe.": "Wenn Chrome oder eine andere Software, die App-Container verwendet, die Datei SbieDll.dll nicht laden kann, wird dies häufig durch ungültige DACL-Einträge für das Sandboxie-Verzeichnis verursacht. Diese Maßnahme wird die DACL-Einträge beheben. 
Aus diesem Grund wird sie Adminrechte anfordern, die für kmdutil.exe gewährt werden müssen.", +"SBIE2181: Failed to load SbieDll.dll": "SBIE2181: SbieDll.dll konnte nicht geladen werden", +"Fix the DACLs of Sandboxie's home folder": "Reparieren der DACLs des Sandboxie-Ordners", +"Failures to load SbieDll.dll when encountered by Chrome, or another software employing app containers, it is often caused by invalid DACL entries for the Sandboxie home directory. This mitigation measure will fix them, for this reason it will prompt for admin privileges which need to be granted for kmdutil.exe.": "Wenn Chrome oder eine andere Software, die App-Container verwendet, die Datei SbieDll.dll nicht laden kann, wird dies häufig durch ungültige DACL-Einträge für das Sandboxie-Verzeichnis verursacht. Diese Problementschärfungsmaßnahme wird die DACL-Einträge reparieren. Aus diesem Grund wird sie Adminrechte anfordern, die für kmdutil.exe gewährt werden müssen.", "The DACLs have been adjusted, please try to run your application again and indicate if the issue has been resolved.": "Die DACLs wurden angepasst. Bitte versuchen Sie, Ihre Anwendung erneut auszuführen und geben Sie an, ob das Problem behoben wurde.", -"DACLs fix did not resolve the issue": "Korrektur der DACLs hat das Problem nicht behoben", +"DACLs fix did not resolve the issue": "Reparatur der DACLs hat das Problem nicht behoben", -"SBIE2204: Cannot start a specific sandboxed service": "SBIE2204: Cannot start a specific sandboxed service", -"Sandboxie failed to start a service in the sandbox": "Sandboxie failed to start a service in the sandbox", +"SBIE2204: Cannot start a specific sandboxed service": "SBIE2204: Kann einen bestimmten sandgeboxten Dienst nicht starten", +"Sandboxie failed to start a service in the sandbox": "Sandboxie konnte einen Dienst in der Sandbox nicht starten", "The message indicates that Sandboxie was unable to start one of the helper programs SandboxieRpcSs or SandboxieDcomLaunch. 
The name noted in the message can be rpcss or dcomlaunch.\n\nYou can submit an issue report on the next page to help us to analyze the issue.": "Die Nachricht zeigt an, dass Sandboxie nicht in der Lage war, eines der Hilfsprogramme SandboxieRpcSs oder SandboxieDcomLaunch zu starten. Der in der Nachricht angegebene Name kann rpcss oder dcomlaunch sein.\n\nAuf der nächsten Seite können Sie einen Problembericht einreichen, um uns bei der Analyse des Problems zu helfen.", -"SBIE2313: Could not execute specific process": "SBIE2313: Could not execute specific process", -"Sandboxie failed to start a process in the sandbox": "Sandboxie failed to start a process in the sandbox", +"SBIE2313: Could not execute specific process": "SBIE2313: Konnte bestimmten Prozess nicht ausführen", +"Sandboxie failed to start a process in the sandbox": "Sandboxie konnte einen Prozess in der Sandbox nicht starten", "Sandboxie was not able to execute one of its own programs. Check access permissions to the Sandboxie installation folder and/or reinstall Sandboxie.\n\nPossible Causes:\n1. Sandboxie was configured to block access to the folder containing its program files.\n2. A third-party (HIPS) security software was configured to block the execution of the program mentioned in the message.\n\nYou can submit an issue report on the next page to help us to analyze the issue.": "Sandboxie war nicht in der Lage, eines seiner eigenen Programme auszuführen. Überprüfen Sie die Zugriffsrechte auf den Sandboxie-Installationsordner und/oder installieren Sie Sandboxie neu.\n\nMögliche Ursachen:\n1. Sandboxie wurde so konfiguriert, dass der Zugriff auf den Ordner mit seinen Programmdateien blockiert wird.\n2. 
Eine Sicherheitssoftware eines Drittanbieters (HIPS) wurde so konfiguriert, dass sie die Ausführung des in der Nachricht genannten Programms blockiert.\n\nAuf der nächsten Seite können Sie einen Problembericht einreichen, um uns bei der Analyse des Problems zu helfen.", -"open config": "open config", -"opens box config on a given page": "opens box config on a given page", -"Do you want to open the box option dialog to change this preset?": "Möchten Sie das Dialogfeld mit den Boxoptionen öffnen, um diese Voreinstellung zu ändern?", +"open config": "Konfiguration öffnen", +"opens box config on a given page": "Öffnet die Boxkonfiguration auf einer bestimmten Seite", +"Do you want to open the box option dialog to change this preset?": "Möchten Sie den Boxoptionendialog öffnen, um diese Voreinstellung zu ändern?", "No, it is fine as it is": "Nein, es ist gut so, wie es ist", "No, but I want to report a bug": "Nein, aber ich möchte einen Fehler melden", "SBIE 2113/2114/2115 and 2102": "SBIE 2113/2114/2115 and 2102", -"handle migration error messages": "handle migration error messages", +"handle migration error messages": "Migrationsfehlernachrichten behandeln", "The message %1 is caused by the file migration limit being reached.": "Die Nachricht %1 wird dadurch verursacht, dass das Limit für die Dateimigration erreicht wurde.", -"fix parental controls breaking sandboxie": "fix parental controls breaking sandboxie", -"stops AppId driver and AppIdSvc service and disables the offending policy file": "stops AppId driver and AppIdSvc service and disables the offending policy file", +"fix parental controls breaking sandboxie": "Kindersicherungsprobleme von Sandboxie beheben", +"stops AppId driver and AppIdSvc service and disables the offending policy file": "Stoppt den AppId-Treiber und den AppIdSvc-Dienst und deaktiviert die problemverursachende Richtliniendatei", "It seems you are using a non-administrative user account on a system with enabled parental controls, this is 
known to be incompatible with Sandboxie.\nYou have the following options to resolve the issue.": "Es scheint, dass Sie ein nicht-administratives Benutzerkonto auf einem System mit aktivierter Kindersicherung verwenden, das bekanntermaßen nicht mit Sandboxie kompatibel ist.\nSie haben folgende Möglichkeiten, das Problem zu lösen.", -"SBIEMSG, I'm getting a cryptic SBIExxxx message": "SBIEMSG, I'm getting a cryptic SBIExxxx message", -"Handle all sbie messages...": "Handle all sbie messages...", +"SBIEMSG, I'm getting a cryptic SBIExxxx message": "SBIEMSG, ich erhalte eine kryptische SBIExxxx Nachricht", +"Handle all sbie messages...": "Alle SBIE Nachrichten behandeln...", "Sbie Message Code": "SBIE Nachrichten-Code", "Name affected process": "Name des betroffenen Prozesses", "Please enter the SBIEMSG ID you have encountered.": "Bitte geben Sie die SBIE Nachrichten-ID ein, auf die Sie gestoßen sind.", From bf087d236929c58639fee9e41d74a6fc3c2997de Mon Sep 17 00:00:00 2001 From: nkh0472 <67589323+nkh0472@users.noreply.github.com> Date: Thu, 27 Jun 2024 11:41:31 +0800 Subject: [PATCH 16/20] Update sandman_zh_CN.ts --- SandboxiePlus/SandMan/sandman_zh_CN.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_CN.ts b/SandboxiePlus/SandMan/sandman_zh_CN.ts index b1142a22..a7927244 100644 --- a/SandboxiePlus/SandMan/sandman_zh_CN.ts +++ b/SandboxiePlus/SandMan/sandman_zh_CN.ts @@ -5483,8 +5483,7 @@ Error: %1 This sandbox is disabled or restricted to a group/user, do you want to edit it? - This sandbox is disabled, do you want to enable it? - 此沙盒已禁用,确定启用吗? + 此沙盒已禁用或仅限于特定组/用户,确定要编辑它吗? From 9c25730336cea68985ec7e0f009895fb7a567b2d Mon Sep 17 00:00:00 2001 
From: Tragic Life Date: Thu, 27 Jun 2024 20:29:11 +0800 Subject: [PATCH 17/20] Update sandman_zh_TW.ts Update Traditional Chinese translation - Unify descriptions and terms - Fix a confusion between Process & Thread - Update newly added strings --- SandboxiePlus/SandMan/sandman_zh_TW.ts | 142 ++++++++++++------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_TW.ts b/SandboxiePlus/SandMan/sandman_zh_TW.ts index 1724b578..6273374c 100644 --- a/SandboxiePlus/SandMan/sandman_zh_TW.ts +++ b/SandboxiePlus/SandMan/sandman_zh_TW.ts @@ -57,7 +57,7 @@ Lock the box when all processes stop. - 當全部執行緒停止後鎖定沙箱。 + 當全部處理程序停止後鎖定沙箱。 @@ -256,7 +256,7 @@ Prevent sandboxed programs on the host from loading sandboxed DLLs Prevent sandboxed programs installed on the host from loading DLLs from the sandbox "應用程式擴充" is the actual translation showed in Windows for TradChinese - 防止主機上安裝的沙箱化程式從沙箱載入應用程式擴充 (DLL) 檔案 + 防止主機上被沙箱化的程式載入被沙箱化的應用程式擴充 (DLL) 檔案 
@@ -1271,83 +1271,83 @@ You can use %USER% to save each users sandbox to an own fodler. Sandbox Isolation options - + 沙箱隔離選項 On this page sandbox isolation options can be configured. - + 在此頁面可以調整沙箱隔離選項的組態。 Network Access - 區域網路存取 + 區域網路存取 Allow network/internet access - 允許區域網路/網際網路存取 + 允許區域網路/網際網路存取 Block network/internet by denying access to Network devices - 透過拒絕存取區域網路裝置來阻止區域網路/網際網路 + 透過拒絕存取區域網路裝置,以阻止區域網路/網際網路存取 Block network/internet using Windows Filtering Platform - 使用 Windows 篩選平台阻止區域網路/網際網路 + 使用 Windows 篩選平台阻止區域網路/網際網路存取 Allow access to network files and folders - 允許存取區域網路檔案和資料夾 + 允許存取區域網路檔案和資料夾 This option is not recommended for Hardened boxes - 不建議將此選項用於加固型沙箱 + 不推薦將此選項用於加固型沙箱 Prompt user whether to allow an exemption from the blockade - + 提示使用者是否允許豁免封鎖 Admin Options - 管理員選項 + 管理員選項 Drop rights from Administrators and Power Users groups - 廢棄來自管理員和 Power Users 使用者組的許可 + 廢棄來自管理員和 Power Users (高權限使用者) 群組的許可 Make applications think they are running elevated - 使應用程式認為其已在權限提升狀態下執行 + 使應用程式認為其已在權限提升狀態下運作 Allow MSIServer to run with a sandboxed system token - 允許 MSIServer 使用沙箱化系統權杖執行 + 允許 MSIServer 使用沙箱化系統權杖運作 Box Options - 沙箱選項 + 沙箱選項 Use a Sandboxie login instead of an anonymous token - 使用 Sandboxie 登入程序替代匿名權杖 + 使用 Sandboxie 登入程序替代匿名權杖 Using a custom Sandboxie Token allows to isolate individual sandboxes from each other better, and it shows in the user column of task managers the name of the box a process belongs to. Some 3rd party security solutions may however have problems with custom tokens. - 使用自訂 Sandboxie 權杖可以更好地將各個沙箱相互隔離,同時可以實現在工作管理員的使用者欄位中顯示處理程序所屬的沙箱。但是,某些第三方安全性解決方案可能會與自訂權杖產生相容性問題。 + 使用自訂 Sandboxie 權杖可以更好地將各個沙箱相互隔離,同時可以實現在工作管理員的使用者欄位中顯示處理程序所屬的沙箱。但是,某些第三方安全性解決方案可能會與自訂權杖產生相容性問題。 @@ -2331,27 +2331,27 @@ Note: The update check is often behind the latest GitHub release to ensure that Please enter a domain to be filtered - + 請輸入將要被過濾的域名 Yes - + No - + Please enter IP and Port. - + 請輸入 IP 位址和連接埠。 entry: IP or Port cannot be empty - + 輸入: IP 位址或連接埠不能為空 
@@ -4130,7 +4130,7 @@ No will choose: %2 Suspend All Processes - 暫停全部執行緒 + 暫停全部處理程序 @@ -5458,7 +5458,7 @@ This file is part of Sandboxie and all changed done to it will be reverted next This sandbox is disabled or restricted to a group/user, do you want to edit it? This sandbox is disabled, do you want to enable it? - 此沙箱已停用,是否啟用? + 此沙箱已停用或被限制到特定群組/使用者,是否啟用? @@ -7513,18 +7513,18 @@ If you are a great patreaon supporter already, sandboxie can check online for an Prevent sandboxed processes from interfering with power operations Prevents processes in the sandbox from interfering with power operation - 防止沙箱中的執行緒幹擾電源作業 + 防止沙箱中的處理程序幹擾電源作業 Prevent processes from capturing window images from sandboxed windows Prevents getting an image of the window in the sandbox. - 防止執行緒從沙箱化視窗擷取視窗之影像 + 防止處理程序從沙箱化視窗擷取視窗之影像 Allow useful Windows processes access to protected processes - 允許實用 Windows 執行緒存取受保護的執行緒 + 允許實用 Windows 處理程序存取受保護的處理程序 @@ -7564,7 +7564,7 @@ If you are a great patreaon supporter already, sandboxie can check online for an Don't stop lingering processes with windows - 不停止 Windows 的延遲執行緒 + 不停止 Windows 的延遲處理程序 
@@ -7763,7 +7763,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam Sandboxie's functionality can be enhanced by using optional DLLs which can be loaded into each sandboxed process on start by the SbieDll.dll file, the add-on manager in the global settings offers a couple of useful extensions, once installed they can be enabled here for the current box. Sandboxies functionality can be enhanced using optional dll’s which can be loaded into each sandboxed process on start by the SbieDll.dll, the add-on manager in the global settings offers a couple useful extensions, once installed they can be enabled here for the current box. - Sandboxie 的功能可以透過使用可選 DLL 加以增強,這些 DLL 可在啟動時透過 SbieDll.dll 檔案載入到每個沙箱執行緒中,全域設定中的附加元件管理員提供了一些實用擴充套件,安裝後可以在此處對目前沙箱啟用。 + Sandboxie 的功能可以透過使用可選 DLL 加以增強,這些 DLL 可在啟動時透過 SbieDll.dll 檔案載入到每個沙箱處理程序中,全域設定中的附加元件管理員提供了一些實用擴充套件,安裝後可以在此處對目前沙箱啟用。 
@@ -7830,39 +7830,39 @@ This is done to prevent rogue processes inside the sandbox from creating a renam This feature does not block all means of obtaining a screen capture, only some common ones. This feature does not block all means of optaining a screen capture only some common once. - 此功能不會阻止所有能夠取得螢幕擷取內容的方法,僅阻止某些常見行為一次。 + 此功能不會阻止所有能夠取得螢幕擷取內容的方法,僅阻止某些常見行為。 Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games. Prevent move mouse, bring in front, and simmilar operations, this is likely to cause issues with games. - 防止移動滑鼠、移動視窗至前景、以及類似的作業,這可能對遊戲造成問題。 + 防止移動滑鼠、移動視窗至前景、以及類似的作業,這可能對遊戲造成問題。 Allow sandboxed windows to cover the taskbar Allow sandboxed windows to cover taskbar - + 允許沙箱化視窗覆蓋工作列 Isolation - + 隔離 Only Administrator user accounts can make changes to this sandbox - + 僅管理員使用者帳戶可以對此沙箱進行變更 Job Object - + 工作物件 <b><font color='red'>SECURITY ADVISORY</font>:</b> Using <a href="sbie://docs/breakoutfolder">BreakoutFolder</a> and/or <a href="sbie://docs/breakoutprocess">BreakoutProcess</a> in combination with Open[File/Pipe]Path directives can compromise security. Please review the security section for each option in the documentation before use. - + <b><font color='red'>安全性建議</font>:</b> 使用 <a href="sbie://docs/breakoutfolder">BreakoutFolder</a> 和/或 <a href=" sbie://docs/breakoutprocess">BreakoutProcess</a> 與 Open[File/Pipe]Path 指令結合使用可能會損害安全性。使用前請檢查說明文件中每個選項的安全性章節。 
@@ -7888,13 +7888,13 @@ This is done to prevent rogue processes inside the sandbox from creating a renam This setting can be used to prevent programs from running in the sandbox without the user's knowledge or consent. This can be used to prevent a host malicious program from breaking through by launching a pre-designed malicious program into an unlocked encrypted sandbox. - + 此設定可用於防止程式在使用者不知情或未經使用者同意的情況下在沙箱中運作。 Display a pop-up warning before starting a process in the sandbox from an external source A pop-up warning before launching a process into the sandbox from an external source. - + 在從外部來源的沙箱中開始執行處理程序前,顯示一則跳出式警告 @@ -8104,17 +8104,17 @@ To specify a process use '$:program.exe' as path. Prevent sandboxed processes from interfering with power operations (Experimental) - 防止沙箱化執行緒干預電源作業 (試驗性) + 防止沙箱化處理程序干預電源作業 (實驗性) Prevent interference with the user interface (Experimental) - 防止干預使用者介面 (試驗性) + 防止干預使用者介面 (實驗性) Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches) - 防止沙箱化執行緒擷取視窗影像 (試驗性,可能造成 UI 故障) + 防止沙箱化處理程序擷取視窗影像 (實驗性,可能造成 UI 故障) @@ -8139,62 +8139,62 @@ To specify a process use '$:program.exe' as path. DNS Filter - + DNS 過濾器 Add Filter - + 新增過濾器 With the DNS filter individual domains can be blocked, on a per process basis. Leave the IP column empty to block or enter an ip to redirect. - + 使用 DNS 過濾器,可以按處理程序阻止各個網域。將 IP 位址列留空以將其阻止,或輸入 IP 位址以進行重新導向。 Domain - + 域名 Internet Proxy - + 網際網路 Proxy Add Proxy - + 新增 Proxy Test Proxy - 測試代理 + 測試 Proxy Auth - + 憑據 Login - + 登入 Password - + 密碼 Sandboxed programs can be forced to use a preset SOCKS5 proxy. - + 可以強制沙箱化程式使用預定義的 SOCKS5 Proxy。 Resolve hostnames via proxy - + 透過 Proxy 解析主機名稱 @@ -8486,7 +8486,7 @@ The process match level has a higher priority than the specificity and describes This command runs after all processes in the sandbox have finished. - 此命令在沙箱中所有執行緒完成後執行。 + 此命令在沙箱中所有處理程序完成後執行。 
@@ -8546,12 +8546,12 @@ The process match level has a higher priority than the specificity and describes Exclude this sandbox from being terminated when "Terminate All Processes" is invoked. - 當呼叫「終止所有執行緒」時,排除此沙箱。 + 當呼叫「終止所有處理程序」時,排除此沙箱。 These commands are run UNBOXED after all processes in the sandbox have finished. - 這些指令將在沙箱內全部執行緒完成後以「未沙箱化」狀態執行。 + 這些指令將在沙箱內全部處理程序完成後以「未沙箱化」狀態執行。 @@ -8810,50 +8810,50 @@ Please note that this values are currently user specific and saved globally for Limit restrictions - + 上限限制 Leave it blank to disable the setting(Unit:KB) - + 留空以停用設定 (單位: KB) Leave it blank to disable the setting - + 留空以停用設定 Total Processes Number Limit: - + 總計處理程序數量限制: Total Processes Memory Limit: - + 總計處理程序記憶體限制: Single Process Memory Limit: - + 單一處理程序記憶體限制: Don't allow sandboxed processes to see processes running outside any boxes - + 不允許沙箱化處理程序發現在任何沙箱外執行的處理程序 Prevent sandboxed processes from accessing system details through WMI Prevent sandboxed processes from accessing system deatils through WMI - + 阻止沙箱化處理程序透過 WMI 存取系統詳細資訊 Some programs retrieve system details via WMI (Windows Management Instrumentation), a built-in Windows database, rather than using conventional methods. For instance, 'tasklist.exe' can access a complete list of processes even if 'HideOtherBoxes' is enabled. Enable this option to prevent such behavior. Some programs read system deatils through WMI(A Windows built-in database) instead of normal ways. For example,"tasklist.exe" could get full processes list even if "HideOtherBoxes" is opened through accessing WMI. Enable this option to stop these heavior. - + 某些程式透過 WMI (Windows 管理規範),一個內建的 Windows 資料庫,檢索作業系統詳細資訊,而不是使用通常方法。例如,即使啟用了「HideOtherBoxes」(隱藏其他沙箱),「tasklist.exe」也可以存取完整的處理程序清單。啟用此選項可以防止此類行為。 
@@ -9026,7 +9026,7 @@ Please note that this values are currently user specific and saved globally for Force direct child to be sandboxed, but does not include indirect child processes that are opened through the DCOM and IPC interface. - + 強制直接的子處理程序被沙箱化,但不包括非直接的由 DCOM 和 IPC 介面開啟的子處理程序。 @@ -9041,7 +9041,7 @@ Please note that this values are currently user specific and saved globally for Force Children - + 強制子處理程序 @@ -9312,13 +9312,13 @@ Please note that this values are currently user specific and saved globally for Hotkey for suspending process/folder forcing: - 用於暫停 強制執行緒/資料夾 的快速鍵: + 用於暫停 強制處理程序/資料夾 的快速鍵: Hotkey for suspending all processes: Hotkey for suspending all process - 用於暫停全部執行緒的快速鍵 + 用於暫停全部處理程序的快速鍵: @@ -9893,7 +9893,7 @@ Unlike the preview channel, it does not include untested, potentially breaking, Add "Sandboxie\All Sandboxes" group to the sandboxed token (experimental) - + 將「Sandboxie\All Sandboxes (全部沙箱)」群組新增至沙箱化權杖 (實驗性) From 7ef685629c0c6444fa43fbad19fbea4fe215d77c Mon Sep 17 00:00:00 2001 From: Tragic Life Date: Thu, 27 Jun 2024 20:33:32 +0800 Subject: [PATCH 18/20] Update sandman_zh_TW.ts Catch a miss --- SandboxiePlus/SandMan/sandman_zh_TW.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SandboxiePlus/SandMan/sandman_zh_TW.ts b/SandboxiePlus/SandMan/sandman_zh_TW.ts index 6273374c..70cc8d99 100644 --- a/SandboxiePlus/SandMan/sandman_zh_TW.ts +++ b/SandboxiePlus/SandMan/sandman_zh_TW.ts @@ -5458,7 +5458,7 @@ This file is part of Sandboxie and all changed done to it will be reverted next This sandbox is disabled or restricted to a group/user, do you want to edit it? This sandbox is disabled, do you want to enable it? - 此沙箱已停用或被限制到特定群組/使用者,是否啟用? + 此沙箱已停用或被限制到特定群組/使用者,是否編輯? From 1b0bda4e4073ea6ecb621edc0b83aa8d01bdee61 Mon Sep 17 00:00:00 2001 
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Thu, 27 Jun 2024 15:11:41 +0200 Subject: [PATCH 19/20] 1.14.3 --- CHANGELOG.md | 2 +- Sandboxie/core/dll/kernel.c | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a74277e..75b20e84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). - fixed Applications cannot be launched as admin in a sandbox with "UseCreateToken/SandboxieAllGroup" enabled when using an MSFT account [#4022](https://github.com/sandboxie-plus/Sandboxie/issues/4022) - fixed Firefox issue with Sbie 1.14.1 and 1.14.2 [#4012](https://github.com/sandboxie-plus/Sandboxie/issues/4012) - rolled back the driver verifier fix added in 1.14.1 - +- fixed CustomChromiumFlags and --single-argument issue [#4033](https://github.com/sandboxie-plus/Sandboxie/issues/4033) diff --git a/Sandboxie/core/dll/kernel.c b/Sandboxie/core/dll/kernel.c index 62f4390b..867c4cbb 100644 --- a/Sandboxie/core/dll/kernel.c +++ b/Sandboxie/core/dll/kernel.c 
@@ -112,12 +112,27 @@ _FX BOOLEAN Kernel_Init() status = SbieApi_QueryConfAsIs(NULL, L"CustomChromiumFlags", 0, CustomChromiumFlags, ARRAYSIZE(CustomChromiumFlags)); if (NT_SUCCESS(status)) { + const WCHAR* lpCommandLine = ProcessParms->CommandLine.Buffer; + const WCHAR* lpArguments = SbieDll_FindArgumentEnd(lpCommandLine); + if (lpArguments == NULL) + lpArguments = wcsrchr(lpCommandLine, L'\0'); + Kernel_CommandLineW.MaximumLength = ProcessParms->CommandLine.MaximumLength + (CONF_LINE_LEN + 8) * sizeof(WCHAR); Kernel_CommandLineW.Buffer = LocalAlloc(LMEM_FIXED,Kernel_CommandLineW.MaximumLength); - wcscpy(Kernel_CommandLineW.Buffer, ProcessParms->CommandLine.Buffer); - if(Kernel_CommandLineW.Buffer[ProcessParms->CommandLine.Length/sizeof(WCHAR) - 1] != L' ') + + // copy argument 0 + wmemcpy(Kernel_CommandLineW.Buffer, lpCommandLine, lpArguments - lpCommandLine); + Kernel_CommandLineW.Buffer[lpArguments - lpCommandLine] = 0; + + // add custom arguments + if(Kernel_CommandLineW.Buffer[lpArguments - lpCommandLine - 1] != L' ') wcscat(Kernel_CommandLineW.Buffer, L" "); wcscat(Kernel_CommandLineW.Buffer, CustomChromiumFlags); + + // add remaining arguments + wcscat(Kernel_CommandLineW.Buffer, lpArguments); + + Kernel_CommandLineW.Length = wcslen(Kernel_CommandLineW.Buffer) * sizeof(WCHAR); RtlUnicodeStringToAnsiString(&Kernel_CommandLineA, &Kernel_CommandLineW, TRUE); From 330211c3d7ffcca9e2374e1dee697b4a5f848e89 Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Thu, 27 Jun 2024 15:45:13 +0200 Subject: [PATCH 20/20] 1.14.3 --- CHANGELOG.md | 2 ++ Sandboxie/core/drv/token.c | 43 +++++++++++++++++++------------------- 2 files changed, 24 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75b20e84..84756f21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
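Review bot: The separator check `Kernel_CommandLineW.Buffer[lpArguments - lpCommandLine - 1]` reads one element before the buffer whenever `lpArguments == lpCommandLine`. That happens for an empty command line through the `wcsrchr` fallback, and possibly when SbieDll_FindArgumentEnd returns the start of the string (its contract is not visible here). Guard the index, for example `if (lpArguments == lpCommandLine || Kernel_CommandLineW.Buffer[lpArguments - lpCommandLine - 1] != L' ')`. The `LocalAlloc` result is also passed to `wmemcpy` without a NULL check, so the rewrite should be skipped when `Kernel_CommandLineW.Buffer == NULL`. Kernel_Init starts before and continues after this hunk, so both points rest on the visible lines only.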
@@ -12,6 +12,8 @@ This project adheres to [Semantic Versioning](http://semver.org/). - fixed Firefox issue with Sbie 1.14.1 and 1.14.2 [#4012](https://github.com/sandboxie-plus/Sandboxie/issues/4012) - rolled back the driver verifier fix added in 1.14.1 - fixed CustomChromiumFlags and --single-argument issue [#4033](https://github.com/sandboxie-plus/Sandboxie/issues/4033) +- fixed Sandboxie programs do not terminate after closing programs that run as admin with UseCreateToken/SandboxieAllGroup enabled [#4030](https://github.com/sandboxie-plus/Sandboxie/issues/4030) + diff --git a/Sandboxie/core/drv/token.c b/Sandboxie/core/drv/token.c index 6988165f..93822db9 100644 --- a/Sandboxie/core/drv/token.c +++ b/Sandboxie/core/drv/token.c @@ -2181,9 +2181,9 @@ _FX void* Token_CreateToken(void* TokenObject, PROCESS* proc) PTOKEN_DEFAULT_DACL LocalDefaultDacl = NULL; PTOKEN_SOURCE LocalSource = NULL; - PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL; - ULONG DefaultDacl_Length = 0; - PACL NewDacl = NULL; + //PTOKEN_DEFAULT_DACL NewDefaultDacl = NULL; + //ULONG DefaultDacl_Length = 0; + //PACL NewDacl = NULL; TOKEN_TYPE TokenType = TokenPrimary; 
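Review bot: In Token_CreateToken the three DACL locals are commented out rather than deleted. The later hunks of this file do the same to the ACL construction in the `STATUS_INVALID_OWNER` retry branch, the `Token_SetHandleDacl` calls and the `NewDefaultDacl` free under `finish:`. In a token-creation path, parked access-control code makes it hard to tell which behaviour is intended. Remove the lines and let version control keep the history, or add one comment stating why they are disabled, e.g. `// default DACL rewrite disabled; the retry now only replaces the token owner`. The function body extends beyond these hunks.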
@@ -2368,26 +2368,27 @@ retry: goto retry; } - else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && !NewDacl) + else if (proc->SandboxieLogonSid && status == STATUS_INVALID_OWNER && LocalOwner->Owner != LocalUser->User.Sid) { // // Retry with new DACLs on error // - DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize; - - // Construct a new ACL - NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk); - memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length); - - NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL)); - NewDefaultDacl->DefaultDacl->AclSize += 128; - ExFreePool((PVOID)LocalOwner); LocalOwner = (PTOKEN_OWNER)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_OWNER), tzuk); LocalOwner->Owner = LocalUser->User.Sid; - RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner); + + //DefaultDacl_Length = LocalDefaultDacl->DefaultDacl->AclSize; + + //// Construct a new ACL + //NewDefaultDacl = (PTOKEN_DEFAULT_DACL)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_DEFAULT_DACL) + 8 + DefaultDacl_Length + 128, tzuk); + //memcpy(NewDefaultDacl, LocalDefaultDacl, DefaultDacl_Length); + + //NewDefaultDacl->DefaultDacl = NewDacl = (PACL)((ULONG_PTR)NewDefaultDacl + sizeof(TOKEN_DEFAULT_DACL)); + //NewDefaultDacl->DefaultDacl->AclSize += 128; + + //RtlAddAccessAllowedAce(NewDacl, ACL_REVISION2, GENERIC_ALL, LocalOwner->Owner); goto retry; } 
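Review bot: `LocalOwner = (PTOKEN_OWNER)ExAllocatePoolWithTag(PagedPool, sizeof(TOKEN_OWNER), tzuk);` is dereferenced on the next line without a NULL check, so a failed pool allocation in this retry branch becomes a NULL write in kernel mode. Add `if (!LocalOwner) { status = STATUS_INSUFFICIENT_RESOURCES; goto finish; }` before the `LocalOwner->Owner` assignment, assuming the cleanup at `finish:` tolerates a NULL LocalOwner as it does for the other buffers. The comment above the branch still says `Retry with new DACLs on error` although the branch now only replaces the owner; `Retry with the user SID as owner` would match the code. The new guard `LocalOwner->Owner != LocalUser->User.Sid` compares pointers, which works as a retry-once latch only because the branch assigns that exact pointer, and a one-line comment should say so. The `retry:` label and the rest of Token_CreateToken lie outside this hunk.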
@@ -2402,12 +2403,12 @@ retry: if (NT_SUCCESS(status)) status = Thread_GetKernelHandleForUserHandle(&KernelTokenHandle, TokenHandle); - if (NT_SUCCESS(status) && NewDacl) - { - Token_SetHandleDacl(NtCurrentProcess(), NewDacl); - Token_SetHandleDacl(NtCurrentThread(), NewDacl); - Token_SetHandleDacl(KernelTokenHandle, NewDacl); - } + //if (NT_SUCCESS(status) && NewDacl) + //{ + // Token_SetHandleDacl(NtCurrentProcess(), NewDacl); + // Token_SetHandleDacl(NtCurrentThread(), NewDacl); + // Token_SetHandleDacl(KernelTokenHandle, NewDacl); + //} if (NT_SUCCESS(status)) { @@ -2499,7 +2500,7 @@ finish: if (LocalDefaultDacl) ExFreePool((PVOID)LocalDefaultDacl); if (LocalSource) ExFreePool((PVOID)LocalSource); - if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl); + //if (NewDefaultDacl) ExFreePool((PVOID)NewDefaultDacl); // // get the actual token object from the handle