DavidXanatos 2023-03-25 19:49:21 +01:00
parent 1b9940d1ae
commit 97bf5dc492
5 changed files with 92 additions and 22 deletions


@ -6,6 +6,21 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [1.8.2 / 5.63.2] - 2023-03-12
### Added
- reworked CreateAppContainerToken hook to return a restricted token instead to fix [#2762](https://github.com/sandboxie-plus/Sandboxie/issues/2762)
-- Note: this behaviour can be disabled with 'FakeAppContainerToken=program.exe,n'
### Changed
- renamed 'DropAppContainerTokens=program.exe,n' to 'DropAppContainerToken=program.exe,n'
### Fixed
- issue with global ini section editing
## [1.8.1 / 5.63.1] - 2023-03-12
### Added


@ -21,8 +21,8 @@
#ifndef _MY_VERSION_H
#define _MY_VERSION_H
#define MY_VERSION_BINARY 5,63,1
#define MY_VERSION_STRING "5.63.1"
#define MY_VERSION_BINARY 5,63,2
#define MY_VERSION_STRING "5.63.2"
#define MY_ABI_VERSION 0x56000
// These #defines are used by either Resource Compiler or NSIS installer


@ -448,7 +448,8 @@ _FX BOOLEAN Proc_Init(void)
// \Sessions\*\AppContainerNamedObjects\* is not open
//
if (!Dll_CompartmentMode)
//if (!Dll_CompartmentMode)
if(Config_GetSettingsForImageName_bool(L"FakeAppContainerToken", TRUE))
if (Dll_OsBuild >= 9600) // Windows 8.1 and later
{
void* CreateAppContainerToken = NULL;
@ -674,6 +675,55 @@ _FX BOOL Proc_CreateAppContainerToken(
PHANDLE OutToken)
{
#if 1
BOOL ret = FALSE;
//
// App containers pose problems even in app compartment mode,
// eg. msedge.exe fails to load SbieDll.dll during initialization
// hence we return a restricted token instead.
//
/*SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
SID_AND_ATTRIBUTES Sids[3];
typedef BOOL (WINAPI *P_AllocateAndInitializeSid)(
_In_ PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
_In_ BYTE nSubAuthorityCount,
_In_ DWORD nSubAuthority0,
_In_ DWORD nSubAuthority1,
_In_ DWORD nSubAuthority2,
_In_ DWORD nSubAuthority3,
_In_ DWORD nSubAuthority4,
_In_ DWORD nSubAuthority5,
_In_ DWORD nSubAuthority6,
_In_ DWORD nSubAuthority7,
_Outptr_ PSID* pSid
);
HMODULE advapi_dll = LoadLibrary(L"advapi32.dll");
P_AllocateAndInitializeSid __sys_AllocateAndInitializeSid = (P_AllocateAndInitializeSid)GetProcAddress(advapi_dll, "AllocateAndInitializeSid");
__sys_AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &dropSids[0].Sid)
*/
HANDLE hTokenReal;
if (NT_SUCCESS(NtOpenProcessToken(NtCurrentProcess(), MAXIMUM_ALLOWED, &hTokenReal))) {
if (!__sys_CreateRestrictedToken) {
*OutToken = hTokenReal;
return TRUE;
}
ULONG returnLength = 0;
BYTE Buffer[0x400]; // we need less than 0x200 in pracis
if (NT_SUCCESS(NtQueryInformationToken(hTokenReal, TokenGroups, Buffer, sizeof(Buffer), &returnLength))) {
PTOKEN_GROUPS Groups = (PTOKEN_GROUPS)Buffer;
ret = __sys_CreateRestrictedToken(hTokenReal, DISABLE_MAX_PRIVILEGE, Groups->GroupCount, Groups->Groups, 0, NULL, 0, NULL, OutToken);
}
NtClose(hTokenReal);
}
return ret;
#elif 0
OBJECT_ATTRIBUTES objattrs;
SECURITY_QUALITY_OF_SERVICE QoS;
@ -1258,6 +1308,21 @@ _FX BOOL Proc_CreateProcessInternalW(
}
#endif
//
// don't let the caller specify a app container token
//
if (Config_GetSettingsForImageName_bool(L"DropAppContainerToken", Dll_CompartmentMode ? FALSE : TRUE)) {
ULONG returnLength = 0;
BYTE appContainerBuffer[0x80];
if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) {
PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer;
if (appContainerInfo->TokenAppContainer != NULL) {
hToken = NULL;
SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token");
}
}
}
//
// in compartment mode we don't mess around just create the process
@ -1349,22 +1414,6 @@ _FX BOOL Proc_CreateProcessInternalW(
}
}
//
// don't let the caller specify a app container token
//
if (Config_GetSettingsForImageName_bool(L"DropAppContainerTokens", TRUE)) {
ULONG returnLength = 0;
BYTE appContainerBuffer[0x80];
if (NT_SUCCESS(NtQueryInformationToken(hToken, (TOKEN_INFORMATION_CLASS)TokenAppContainerSid, appContainerBuffer, sizeof(appContainerBuffer), &returnLength))) {
PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = (PTOKEN_APPCONTAINER_INFORMATION)appContainerBuffer;
if (appContainerInfo->TokenAppContainer != NULL) {
hToken = NULL;
SbieApi_MonitorPutMsg(MONITOR_OTHER | MONITOR_TRACE, L"Dropped AppContainer Token");
}
}
}
ok = __sys_CreateProcessInternalW(
NULL, lpApplicationName, lpCommandLine,
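Review bot: In Proc_CreateAppContainerToken the TokenGroups query uses a fixed 0x400-byte stack buffer, so for an account whose group list exceeds it the query fails, `ret` stays FALSE and the caller sees a failure with no last-error set. Retrying with the length reported in `returnLength` and calling SetLastError on the failure path would make that case predictable; a sketch follows, using the process heap where the project's own allocator may be preferable. Separately, the `!__sys_CreateRestrictedToken` branch fails open by returning the unrestricted process token, which probably deserves a trace message like the one emitted for the dropped AppContainer token. The function's signature and its `#elif 0` remainder lie outside the hunk.

```c
    // … unchanged: NtOpenProcessToken, __sys_CreateRestrictedToken fallback …
        ULONG returnLength = 0;
        BYTE Buffer[0x400];
        PTOKEN_GROUPS Groups = (PTOKEN_GROUPS)Buffer;
        NTSTATUS status = NtQueryInformationToken(hTokenReal, TokenGroups, Groups, sizeof(Buffer), &returnLength);
        if (status == STATUS_BUFFER_TOO_SMALL) {
            // large group lists do not fit the stack buffer; retry with the reported size
            Groups = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(), 0, returnLength);
            status = Groups
                ? NtQueryInformationToken(hTokenReal, TokenGroups, Groups, returnLength, &returnLength)
                : STATUS_INSUFFICIENT_RESOURCES;
        }
        if (NT_SUCCESS(status))
            ret = __sys_CreateRestrictedToken(hTokenReal, DISABLE_MAX_PRIVILEGE, Groups->GroupCount, Groups->Groups, 0, NULL, 0, NULL, OutToken);
        else
            SetLastError(RtlNtStatusToDosError(status));
        if (Groups && (PVOID)Groups != (PVOID)Buffer)
            HeapFree(GetProcessHeap(), 0, Groups);
    // … unchanged: NtClose(hTokenReal), return ret …
```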


@ -108,10 +108,16 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
if(field("autoRecover").toBool())
pBox->SetBool("AutoRecover", true);
if (field("blockNetwork").toInt() == 1) // old style
if (field("blockNetwork").toInt() == 1) { // device based
//pBox->InsertText("AllowNetworkAccess", "<BlockNetAccess>,n");
pBox->InsertText("ClosedFilePath", "!<InternetAccess>,InternetAccessDevices");
else if (field("blockNetwork").toInt() == 2) // WFP
//pBox->InsertText("ClosedFilePath", "<BlockNetDevices>,InternetAccessDevices");
}
else if (field("blockNetwork").toInt() == 2) { // using WFP
pBox->InsertText("AllowNetworkAccess", "!<InternetAccess>,n");
//pBox->InsertText("AllowNetworkAccess", "<BlockNetAccess>,n");
//pBox->InsertText("ClosedFilePath", "<BlockNetDevices>,InternetAccessDevices");
}
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
if(field("fakeAdmin").toBool())
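Review bot: The two network-blocking branches in TryToCreateBox compare `field("blockNetwork").toInt()` against bare 1 and 2 and now carry three commented-out `InsertText` variants with nothing saying why they are kept. Because this choice decides whether a new box gets network blocking at all, reading the value once, e.g. `const int netMode = field("blockNetwork").toInt();`, and naming the two modes would make it easier to see that any other value leaves the box unblocked. The commented-out `<BlockNetAccess>` / `<BlockNetDevices>` lines should either get a one-line comment such as `// alternative template form, not used yet` or be removed. The function starts before and continues after this hunk.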


@ -2,7 +2,7 @@
#define VERSION_MJR 1
#define VERSION_MIN 8
#define VERSION_REV 1
#define VERSION_REV 2
#define VERSION_UPD 0
#ifndef STR