From 9f57abf9c3de539a2b6f0acf0dd9d4260006b377 Mon Sep 17 00:00:00 2001
From: love-code-yeyixiao <188240888@qq.com>
Date: Sat, 22 Jun 2024 19:37:41 +0800
Subject: [PATCH] UI
---
SandboxiePlus/SandMan/Forms/OptionsWindow.ui | 481 +++++++++---------
.../SandMan/Windows/OptionsAdvanced.cpp | 15 +-
2 files changed, 261 insertions(+), 235 deletions(-)
diff --git a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui
index 64f7a61f..36e00a35 100644
--- a/SandboxiePlus/SandMan/Forms/OptionsWindow.ui
+++ b/SandboxiePlus/SandMan/Forms/OptionsWindow.ui
@@ -7,7 +7,7 @@
0
0
835
- 475
+ 575
@@ -45,7 +45,7 @@
QTabWidget::North
- 1
+ 9
@@ -1095,7 +1095,7 @@
-
- 3
+ 4
@@ -1597,6 +1597,7 @@
+ 75
true
true
@@ -1700,6 +1701,7 @@
+ 75
true
true
@@ -1719,6 +1721,7 @@
+ 50
false
true
@@ -1726,146 +1729,153 @@
Advanced Security
-
-
-
-
-
-
-
-
- Drop critical privileges from processes running with a SYSTEM token
-
-
-
- -
-
-
- Qt::Horizontal
-
-
-
- 40
- 20
-
-
-
-
- -
-
-
- Allow only privileged processes to access the Service Control Manager
-
-
-
- -
-
-
- Using a custom Sandboxie Token allows to isolate individual sandboxes from each other better, and it shows in the user column of task managers the name of the box a process belongs to. Some 3rd party security solutions may however have problems with custom tokens.
-
-
- true
-
-
-
- -
-
-
-
- true
- true
-
-
-
- (Security Critical)
-
-
-
- -
-
-
-
- true
- true
-
-
-
- Protect the sandbox integrity itself
-
-
- Privilege isolation
-
-
-
- -
-
-
- Do not start sandboxed services using a system token (recommended)
-
-
-
- -
-
-
- Use a Sandboxie login instead of an anonymous token
-
-
-
- -
-
-
- Qt::Vertical
-
-
-
- 20
- 5
-
-
-
-
- -
-
-
- Start the sandboxed RpcSs as a SYSTEM process (not recommended)
-
-
-
- -
-
-
- Protect sandboxed SYSTEM processes from unprivileged processes
-
-
-
- -
-
-
-
- true
- true
-
-
-
- (Security Critical)
-
-
-
- -
-
-
-
- true
- true
-
-
-
- Protect the sandbox integrity itself
-
-
- Sandboxie token
-
-
-
-
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ Protect the sandbox integrity itself
+
+
+ Privilege isolation
+
+
+
+ -
+
+
+ Allow only privileged processes to access the Service Control Manager
+
+
+
+ -
+
+
+ Do not start sandboxed services using a system token (recommended)
+
+
+
+ -
+
+
+ Start the sandboxed RpcSs as a SYSTEM process (not recommended)
+
+
+
+ -
+
+
+ Protect sandboxed SYSTEM processes from unprivileged processes
+
+
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ (Security Critical)
+
+
+
+ -
+
+
+ Drop critical privileges from processes running with a SYSTEM token
+
+
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ (Security Critical)
+
+
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ Protect the sandbox integrity itself
+
+
+ Sandboxie token
+
+
+
+ -
+
+
+ Use a Sandboxie login instead of an anonymous token
+
+
+
+ -
+
+
+ Using a custom Sandboxie Token allows to isolate individual sandboxes from each other better, and it shows in the user column of task managers the name of the box a process belongs to. Some 3rd party security solutions may however have problems with custom tokens.
+
+
+ true
+
+
+
+ -
+
+
+ Create a new sandboxed token instead of setting down default token
+
+
+
+ -
+
+
+ Qt::Vertical
+
+
+
+ 20
+ 185
+
+
+
+
+ -
+
+
+ Qt::Horizontal
+
+
+
+ 457
+ 20
+
+
+
@@ -4042,6 +4052,7 @@ The process match level has a higher priority than the specificity and describes
+ 50
false
true
@@ -4053,94 +4064,98 @@ The process match level has a higher priority than the specificity and describes
Compatibility
-
- -
-
-
-
-
-
- Apply ElevateCreateProcess Workaround (legacy behaviour)
-
-
-
- -
-
-
- When the global hotkey is pressed 3 times in short succession this exception will be ignored.
-
-
- Exclude this sandbox from being terminated when "Terminate All Processes" is invoked.
-
-
-
- -
-
-
- Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues)
-
-
-
- -
-
-
- Use desktop object workaround for all processes
-
-
-
- -
-
-
- Qt::Vertical
-
-
-
- 20
- 40
-
-
-
-
- -
-
-
-
- true
- true
-
-
-
- Compatibility
-
-
-
- -
-
-
- Force usage of custom dummy Manifest files (legacy behaviour)
-
-
-
- -
-
-
- Emulate sandboxed window station for all processes
-
-
-
- -
-
-
- Qt::Horizontal
-
-
-
- 40
- 20
-
-
-
-
-
+
+ -
+
+
+ When the global hotkey is pressed 3 times in short succession this exception will be ignored.
+
+
+ Exclude this sandbox from being terminated when "Terminate All Processes" is invoked.
+
+
+
+ -
+
+
+
+ 75
+ true
+ true
+
+
+
+ Compatibility
+
+
+
+ -
+
+
+ Force usage of custom dummy Manifest files (legacy behaviour)
+
+
+
+ -
+
+
+ Apply ElevateCreateProcess Workaround (legacy behaviour)
+
+
+
+ -
+
+
+ Use desktop object workaround for all processes
+
+
+
+ -
+
+
+ Emulate sandboxed window station for all processes
+
+
+
+ -
+
+
+ Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues)
+
+
+
+ -
+
+
+ Restart force process before they begin to execute
+
+
+
+ -
+
+
+ Qt::Vertical
+
+
+
+ 20
+ 263
+
+
+
+
+ -
+
+
+ Qt::Horizontal
+
+
+
+ 667
+ 20
+
+
+
@@ -5076,8 +5091,8 @@ instead of "*".
0
0
- 98
- 28
+ 75
+ 16
diff --git a/SandboxiePlus/SandMan/Windows/OptionsAdvanced.cpp b/SandboxiePlus/SandMan/Windows/OptionsAdvanced.cpp
index a726d435..c1488674 100644
--- a/SandboxiePlus/SandMan/Windows/OptionsAdvanced.cpp
+++ b/SandboxiePlus/SandMan/Windows/OptionsAdvanced.cpp
@@ -30,6 +30,8 @@ void COptionsWindow::CreateAdvanced()
connect(ui.chkOpenCOM, SIGNAL(clicked(bool)), this, SLOT(OnOpenCOM()));
connect(ui.chkComTimeout, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
+ connect(ui.chkForceRestart, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
+
connect(ui.chkNoSecurityIsolation, SIGNAL(clicked(bool)), this, SLOT(OnIsolationChanged()));
connect(ui.chkNoSecurityFiltering, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
@@ -39,7 +41,7 @@ void COptionsWindow::CreateAdvanced()
connect(ui.chkOpenLsaEndpoint, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
connect(ui.chkSbieLogon, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
-
+ connect(ui.chkCreateToken, SIGNAL(clicked(bool)), this, SLOT(OnAdvancedChanged()));
m_AdvOptions.insert("UseWin32kHooks", SAdvOption{eSpec, QStringList() << "y" << "n", tr("Enable the use of win32 hooks for selected processes. Note: You need to enable win32k syscall hook support globally first.")});
m_AdvOptions.insert("EnableMiniDump", SAdvOption{eSpec, QStringList() << "y" << "n", tr("Enable crash dump creation in the sandbox folder")});
@@ -142,6 +144,8 @@ void COptionsWindow::LoadAdvanced()
ui.chkProtectSystem->setChecked(!m_pBox->GetBool("ExposeBoxedSystem", false));
ui.chkDropPrivileges->setChecked(m_pBox->GetBool("StripSystemPrivileges", true));
+ ui.chkForceRestart->setChecked(m_pBox->GetBool("ForceRestartAll", false));
+
CheckOpenCOM();
ui.chkComTimeout->setChecked(!m_pBox->GetBool("RpcMgmtSetComTimeout", true));
@@ -373,6 +377,8 @@ void COptionsWindow::SaveAdvanced()
WriteAdvancedCheck(ui.chkComTimeout, "RpcMgmtSetComTimeout", "n", "");
+ WriteAdvancedCheck(ui.chkForceRestart, "ForceRestartAll", "y", "");
+
WriteAdvancedCheck(ui.chkNoSecurityIsolation, "NoSecurityIsolation", "y", "");
WriteAdvancedCheck(ui.chkNoSecurityFiltering, "NoSecurityFiltering", "y", "");
@@ -426,6 +432,9 @@ void COptionsWindow::SaveAdvanced()
bool bGlobalSbieLogon = m_pBox->GetAPI()->GetGlobalSettings()->GetBool("SandboxieLogon", false);
WriteAdvancedCheck(ui.chkSbieLogon, "SandboxieLogon", bGlobalSbieLogon ? "" : "y", bGlobalSbieLogon ? "n" : "");
+ bool bGlobalSandboxGroup = m_pBox->GetAPI()->GetGlobalSettings()->GetBool("SandboxieAllGroup", false);
+ WriteAdvancedCheck(ui.chkCreateToken, "UseCreateToken", bGlobalSandboxGroup ? "" : "y", "");
+
SaveOptionList();
bool bGlobalNoMon = m_pBox->GetAPI()->GetGlobalSettings()->GetBool("DisableResourceMonitor", false);
@@ -595,14 +604,16 @@ void COptionsWindow::UpdateBoxIsolation()
ui.chkNoOpenForBox->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
ui.chkSbieLogon->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
-
+ ui.chkCreateToken->setEnabled(!ui.chkNoSecurityIsolation->isChecked());
if (ui.chkNoSecurityIsolation->isChecked()) {
ui.chkCloseForBox->setChecked(false);
ui.chkNoOpenForBox->setChecked(false);
ui.chkSbieLogon->setChecked(false);
+ ui.chkCreateToken->setChecked(false)
}
else {
ReadGlobalCheck(ui.chkSbieLogon, "SandboxieLogon", false);
+ ReadGlobalCheck(ui.chkCreateToken, "UseCreateToken", false);
}
}