mirrors/Sandboxie
mirrors
/
Sandboxie
mirror of https://github.com/sandboxie-plus/Sandboxie.git
1
0
Fork 0
Code Releases Activity

Merge

This commit is contained in:
love-code-yeyixiao 2024-06-02 17:43:39 +08:00
parent cce9a87e1b 23737b55d8
commit aa612fde33
8 changed files with 290 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGELOG.md
View File

@ -14,14 +14,17 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- Add UI option to start unsandboxed process but force child processes in SelectBoxWindow.
- Add option "AlertBeforeStart".When it is set,a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself,if it is not, a warning pops up.
- Add option for EditAdminOnly in SetupWizard.
- Add option "HideNonSystemProcess" to hide processes other than some system services from processes lists for sandboxed processes.
- Add option "HideSbieProcess" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
- When "HideFirmWareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirewareValue
- Add option "HideNonSystemProcesses" to hide processes other than some system services from processes lists for sandboxed processes.
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
- Add new box type "Maximize Isolation Sandbox".
### Changed
- split the advanced new box wizard page in two
- reorganized box options a bit
- Extend "Temp Template" to make it could delete local template section.
### Fixed
- fixed issue with proxy authentication setting

8
Sandboxie/core/dll/sysinfo.c
View File

@ -206,7 +206,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
SysInfo_DiscardProcesses(Buffer);
}
if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, "HideFirmWareInfo", FALSE)) {
if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) {
HKEY hKey=NULL;
PVOID lpData=NULL;
DWORD dwLen = 0;
@ -231,7 +231,7 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW");
DWORD type;
if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey))
RegQueryValueExW(hKey, "FalseFirewareValue", 0, &type, lpData, &dwLen);
RegQueryValueExW(hKey, L"FalseFirmwareValue", 0, &type, lpData, &dwLen);
if (dwLen != 0) {
Buffer = lpData;
*ReturnLength = dwLen;
@ -336,7 +336,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
break;
SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, tempSid, &tempSession);
BOOL hideProcess = FALSE;
if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcess", FALSE)) {
if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 /* && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 */ && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE)) {
hideProcess = TRUE;
}
else
@ -357,7 +357,7 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
}
if (!hideProcess) {
if (_wcsnicmp(imagename, L"Sandboxie", 9) == 0 || _wcsnicmp(imagename, L"Sbie", 4) == 0) {
if (SbieApi_QueryConfBool(NULL, L"HideSbieProcess", FALSE))
if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE))
hideProcess = TRUE;
}
}

251
SandboxiePlus/SandMan/Forms/OptionsWindow.ui
View File

@ -6,7 +6,7 @@
<rect>
<x>0</x>
<y>0</y>
<width>787</width>
<width>835</width>
<height>588</height>
</rect>
</property>
@ -31,8 +31,8 @@
<property name="windowTitle">
<string>SandboxiePlus Options</string>
</property>
<layout class="QVBoxLayout" name="verticalLayout_2">
<item>
<layout class="QGridLayout" name="gridLayout_93">
<item row="0" column="0">
<layout class="QVBoxLayout" name="verticalLayout">
<item>
<widget class="QTabWidget" name="tabs">
@ -45,7 +45,7 @@
<enum>QTabWidget::North</enum>
</property>
<property name="currentIndex">
<number>1</number>
<number>0</number>
</property>
<widget class="QWidget" name="tabGeneral">
<attribute name="title">
@ -55,7 +55,7 @@
<item row="0" column="0">
<widget class="QTabWidget" name="tabsGeneral">
<property name="currentIndex">
<number>0</number>
<number>3</number>
</property>
<widget class="QWidget" name="tabOptions">
<attribute name="title">
@ -672,8 +672,8 @@
<attribute name="title">
<string>Restrictions</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_36">
<item row="3" column="0" colspan="2">
<layout class="QGridLayout" name="gridLayout_92">
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="lblPrinting">
<property name="font">
<font>
@ -690,14 +690,93 @@
</property>
</widget>
</item>
<item row="9" column="2">
<widget class="QCheckBox" name="chkOpenCredentials">
<item row="1" column="1" colspan="3">
<widget class="QCheckBox" name="chkBlockSpooler">
<property name="text">
<string>Open Windows Credentials Store (user mode)</string>
<string>Block access to the printer spooler</string>
</property>
</widget>
</item>
<item row="7" column="0">
<item row="2" column="2" colspan="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="3" column="2" colspan="2">
<widget class="QCheckBox" name="chkPrintToFile">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Allow the print spooler to print to files outside the sandbox</string>
</property>
</widget>
</item>
<item row="4" column="0" colspan="2">
<widget class="QLabel" name="lblLimit">
<property name="font">
<font>
<weight>75</weight>
<bold>true</bold>
<kerning>true</kerning>
</font>
</property>
<property name="toolTip">
<string>Protect the system from sandboxed processes</string>
</property>
<property name="text">
<string>Limit restrictions</string>
</property>
</widget>
</item>
<item row="5" column="1" colspan="2">
<widget class="QLabel" name="label_53">
<property name="text">
<string>Single Process Memory Limit:</string>
</property>
</widget>
</item>
<item row="5" column="3">
<widget class="QLineEdit" name="lineSingleMemory">
<property name="placeholderText">
<string>Leave it blank to disable the setting(Unit:KB)</string>
</property>
</widget>
</item>
<item row="6" column="1" colspan="2">
<widget class="QLabel" name="label_56">
<property name="text">
<string>Total Processes Memory Limit:</string>
</property>
</widget>
</item>
<item row="6" column="3">
<widget class="QLineEdit" name="lineTotalMemory">
<property name="placeholderText">
<string>Leave it blank to disable the setting(Unit:KB)</string>
</property>
</widget>
</item>
<item row="7" column="1" colspan="2">
<widget class="QLabel" name="label_86">
<property name="text">
<string>Total Processes Number Limit:</string>
</property>
</widget>
</item>
<item row="7" column="3">
<widget class="QLineEdit" name="lineTotalNumber">
<property name="placeholderText">
<string>Leave it blank to disable the setting</string>
</property>
</widget>
</item>
<item row="8" column="0">
<widget class="QLabel" name="lblOther">
<property name="font">
<font>
@ -714,85 +793,14 @@
</property>
</widget>
</item>
<item row="11" column="1" colspan="2">
<widget class="QCheckBox" name="chkVmRead">
<property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string>
</property>
</widget>
</item>
<item row="17" column="2">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>556</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="15" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockCapture">
<property name="toolTip">
<string>This feature does not block all means of obtaining a screen capture, only some common ones.</string>
</property>
<property name="text">
<string>Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches)</string>
</property>
</widget>
</item>
<item row="8" column="1" colspan="2">
<item row="9" column="1" colspan="3">
<widget class="QCheckBox" name="chkOpenProtectedStorage">
<property name="text">
<string>Open System Protected Storage</string>
</property>
</widget>
</item>
<item row="6" column="2">
<widget class="QCheckBox" name="chkPrintToFile">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Fixed">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Allow the print spooler to print to files outside the sandbox</string>
</property>
</widget>
</item>
<item row="4" column="1" colspan="2">
<widget class="QCheckBox" name="chkBlockSpooler">
<property name="text">
<string>Block access to the printer spooler</string>
</property>
</widget>
</item>
<item row="5" column="2">
<widget class="QCheckBox" name="chkOpenSpooler">
<property name="text">
<string>Remove spooler restriction, printers can be installed outside the sandbox</string>
</property>
</widget>
</item>
<item row="10" column="1" colspan="2">
<widget class="QCheckBox" name="chkCloseClipBoard">
<property name="text">
<string>Block read access to the clipboard</string>
</property>
</widget>
</item>
<item row="12" column="2">
<widget class="QCheckBox" name="chkVmReadNotify">
<property name="text">
<string>Issue message 2111 when a process access is denied</string>
</property>
</widget>
</item>
<item row="9" column="1">
<item row="10" column="1">
<widget class="QLabel" name="label_39">
<property name="minimumSize">
<size>
@ -811,14 +819,62 @@
</property>
</widget>
</item>
<item row="13" column="1" colspan="2">
<item row="10" column="2" colspan="2">
<widget class="QCheckBox" name="chkOpenCredentials">
<property name="text">
<string>Open Windows Credentials Store (user mode)</string>
</property>
</widget>
</item>
<item row="11" column="1" colspan="3">
<widget class="QCheckBox" name="chkCloseClipBoard">
<property name="text">
<string>Block read access to the clipboard</string>
</property>
</widget>
</item>
<item row="12" column="1" colspan="3">
<widget class="QCheckBox" name="chkVmRead">
<property name="text">
<string>Allow to read memory of unsandboxed processes (not recommended)</string>
</property>
</widget>
</item>
<item row="13" column="2" colspan="2">
<widget class="QCheckBox" name="chkVmReadNotify">
<property name="text">
<string>Issue message 2111 when a process access is denied</string>
</property>
</widget>
</item>
<item row="14" column="1" colspan="3">
<widget class="QCheckBox" name="chkProtectPower">
<property name="text">
<string>Prevent sandboxed processes from interfering with power operations (Experimental)</string>
</property>
</widget>
</item>
<item row="16" column="1">
<item row="15" column="1" colspan="3">
<widget class="QCheckBox" name="chkUserOperation">
<property name="toolTip">
<string>Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games.</string>
</property>
<property name="text">
<string>Prevent interference with the user interface (Experimental)</string>
</property>
</widget>
</item>
<item row="16" column="1" colspan="3">
<widget class="QCheckBox" name="chkBlockCapture">
<property name="toolTip">
<string>This feature does not block all means of obtaining a screen capture, only some common ones.</string>
</property>
<property name="text">
<string>Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches)</string>
</property>
</widget>
</item>
<item row="17" column="1">
<spacer name="verticalSpacer_12">
<property name="orientation">
<enum>Qt::Vertical</enum>
@ -831,15 +887,18 @@
</property>
</spacer>
</item>
<item row="14" column="1" colspan="2">
<widget class="QCheckBox" name="chkUserOperation">
<property name="toolTip">
<string>Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games.</string>
<item row="18" column="2" colspan="2">
<spacer name="horizontalSpacer_5">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="text">
<string>Prevent interference with the user interface (Experimental)</string>
<property name="sizeHint" stdset="0">
<size>
<width>556</width>
<height>20</height>
</size>
</property>
</widget>
</spacer>
</item>
</layout>
</widget>
@ -1088,7 +1147,7 @@
<item row="0" column="0">
<widget class="QTabWidget" name="tabsSecurity">
<property name="currentIndex">
<number>0</number>
<number>1</number>
</property>
<widget class="QWidget" name="tabHarden">
<attribute name="title">
@ -4967,8 +5026,8 @@ instead of &quot;*&quot;.</string>
<rect>
<x>0</x>
<y>0</y>
<width>98</width>
<height>28</height>
<width>75</width>
<height>16</height>
</rect>
</property>
<layout class="QGridLayout" name="dbgLayout">

14
SandboxiePlus/SandMan/SandMan.cpp
View File

@ -247,6 +247,7 @@ CSandMan::CSandMan(QWidget *parent)
SetupHotKeys();
m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139);
m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
@ -1550,6 +1551,9 @@ QString CSandMan::GetBoxDescription(int boxType)
QString Info;
switch (boxType) {
case CSandBoxPlus::eIsoationMax:
Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later.");
break;
case CSandBoxPlus::eHardenedPlus:
case CSandBoxPlus::eHardened:
Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
@ -1567,7 +1571,7 @@ QString CSandMan::GetBoxDescription(int boxType)
break;
}
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus)
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax)
Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
return Info;
@ -2308,15 +2312,21 @@ void CSandMan::OnBoxClosed(const CSandBoxPtr& pBox)
}
QString tempValPrefix = "Temp_";
QString tempValLocalPrefix = "Local_Temp_";
QStringList to_delete;
QStringList list = pBox->GetTextList("Template", FALSE);
foreach(const QString& Value, list) {
if (tempValPrefix.compare(Value.left(5)) == 0)
to_delete.append(Value);
else if (tempValLocalPrefix.compare(Value.left(11)) == 0)
to_delete.append(Value);
}
if (!to_delete.isEmpty()) {
foreach(const QString & Value, to_delete)
foreach(const QString& Value, to_delete) {
if (tempValLocalPrefix.compare(Value.left(11)) == 0)
theAPI->SbieIniSet("Template_" + tempValLocalPrefix, "*", "", CSbieAPI::eIniUpdate);
list.removeAt(list.indexOf(Value));
}
pBox->UpdateTextList("Template", list, FALSE);
}

15
SandboxiePlus/SandMan/SbiePlusAPI.cpp
View File

@ -813,6 +813,21 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const
if (m_iUnsecureDebugging != 0)
return eInsecure;
BOOL isMAX = GetBool("HideNonSystemProcess") &&
GetBool("HideOtherBoxes") &&
GetBool("ClosePrintSpooler") &&
!GetBool("OpenClipboard") &&
GetBool("BlockInterferePower") &&
GetBool("BlockInterferenceControl") &&
GetBool("BlockScreenCapture") &&
GetBool("UseSandboxDesktop") &&
GetBool("ConfidentialBox") &&
GetBool("CoverBoxedWindows") &&
GetBool("AlertBeforeStart") &&
GetBool("ForceProtectionOnMount") &&
GetBool("ProtectHostImages");
if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced)
return eIsoationMax;
if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
return eHardenedPlus;
if (m_bSecurityEnhanced)

1
SandboxiePlus/SandMan/SbiePlusAPI.h
View File

@ -146,6 +146,7 @@ public:
{
eHardenedPlus,
eHardened,
eIsoationMax,
eDefaultPlus,
eDefault,
eAppBoxPlus,

74
SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp
View File

@ -61,6 +61,7 @@ void COptionsWindow::CreateGeneral()
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
@ -281,6 +282,10 @@ void COptionsWindow::LoadGeneral()
ui.chkOpenSpooler->setChecked(m_pBox->GetBool("OpenPrintSpooler", false));
ui.chkPrintToFile->setChecked(m_pBox->GetBool("AllowSpoolerPrintToFile", false));
ui.lineSingleMemory->setText(m_pBox->GetText("ProcessMemoryLimit", ""));
ui.lineTotalMemory->setText(m_pBox->GetText("TotalMemoryLimit", ""));
ui.lineTotalNumber->setText(m_pBox->GetText("TotalNumberLimit", ""));
//ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false));
ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage"));
ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false));
@ -420,6 +425,13 @@ void COptionsWindow::SaveGeneral()
WriteAdvancedCheck(ui.chkOpenSpooler, "OpenPrintSpooler", "y", "");
WriteAdvancedCheck(ui.chkPrintToFile, "AllowSpoolerPrintToFile", "y", "");
if (!ui.lineSingleMemory->text().isEmpty())
WriteText("ProcessMemoryLimit", ui.lineSingleMemory->text());
if (!ui.lineTotalMemory->text().isEmpty())
WriteText("TotalMemoryLimit", ui.lineTotalMemory->text());
if (!ui.lineTotalNumber->text().isEmpty())
WriteText("ProcessNumberLimit", ui.lineTotalNumber->text());
//WriteAdvancedCheck(ui.chkOpenProtectedStorage, "OpenProtectedStorage", "y", "");
SetTemplate("OpenProtectedStorage", ui.chkOpenProtectedStorage->isChecked());
if (ui.chkOpenCredentials->isEnabled())
@ -797,7 +809,11 @@ void COptionsWindow::OnGeneralChanged()
ui.chkOpenSpooler->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityIsolation->isChecked());
ui.chkPrintToFile->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityFiltering->isChecked());
ui.lineSingleMemory->setEnabled(ui.chkAddToJob->isChecked());
ui.lineTotalMemory->setEnabled(ui.chkAddToJob->isChecked());
ui.lineTotalNumber->setEnabled(ui.chkAddToJob->isChecked());
ui.chkOpenCredentials->setEnabled(!ui.chkOpenProtectedStorage->isChecked());
if (!ui.chkOpenCredentials->isEnabled()) ui.chkOpenCredentials->setChecked(true);
@ -1044,8 +1060,24 @@ void COptionsWindow::UpdateBoxType()
bool bPrivacyMode = ui.chkPrivacy->isChecked();
bool bSecurityMode = ui.chkSecurityMode->isChecked();
bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
bool bIsoationMax = m_pBox->GetBool("HideNonSystemProcess")
&& m_pBox->GetBool("HideNonSystemProcess")
&& m_pBox->GetBool("HideOtherBoxes")
&& m_pBox->GetBool("ClosePrintSpooler")
&& m_pBox->GetBool("BlockInterferePower")
&& !m_pBox->GetBool("OpenClipboard")
&& m_pBox->GetBool("BlockInterferenceControl")
&& m_pBox->GetBool("BlockScreenCapture")
&& m_pBox->GetBool("ConfidentialBox")
&& m_pBox->GetBool("CoverBoxedWindows")
&& m_pBox->GetBool("AlertBeforeStart")
&& m_pBox->GetBool("ForceProtectionOnMount")
&& bSecurityMode && bPrivacyMode && !bAppBox;
int BoxType;
if (bIsoationMax)
BoxType = (int)CSandBoxPlus::eIsoationMax;
else
if (bAppBox)
BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
else if (bSecurityMode)
@ -1071,13 +1103,51 @@ void COptionsWindow::OnBoxTypChanged()
int BoxType = ui.cmbBoxType->currentData().toInt();
switch (BoxType) {
case CSandBoxPlus::eIsoationMax:
/*pBox->SetBool("HideNonSystemProcess", true);
pBox->InsertText("Template", "BlockAccessWMI");
pBox->InsertText("Template", "BlockDNS");
pBox->SetBool("HideOtherBoxes", true);
pBox->SetBool("ClosePrintSpooler", true);
pBox->SetBool("OpenClipboard", false);
pBox->SetBool("BlockInterferePower", true);
pBox->SetBool("BlockInterferenceControl", true);
pBox->SetBool("BlockScreenCapture", true);
pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any");
pBox->SetBool("UseSandboxDesktop", true);
pBox->SetBool("ConfidentialBox", true);
pBox->SetBool("CoverBoxedWindows", true);
pBox->SetBool("AlertBeforeStart", true);
pBox->SetBool("ForceProtectionOnMount", true);
pBox->SetNum64("ProcessMemoryLimit", 80000000);
pBox->SetNum("ProcessNumberLimit", 20);
pBox->SetBool("ProtectHostImages", true);*/
SetTemplate("BlockAccessWMI", true);
ui.chkBlockDns->setChecked(true);
ui.chkHideOtherBoxes->setChecked(true);
ui.chkCloseClipBoard->setChecked(true);
ui.chkBlockSpooler->setChecked(true);
ui.chkBlockCapture->setChecked(true);
ui.chkAddToJob->setChecked(true);
ui.chkAlertBeforeStart->setChecked(true);
ui.chkConfidential->setChecked(true);
ui.chkProtectPower->setChecked(true);
ui.chkUserOperation->setChecked(true);
ui.chkProtectWindow->setChecked(true);
ui.chkProtectSCM->setChecked(true);
ui.chkProtectSystem->setChecked(true);
ui.chkRestrictServices->setChecked(true);
ui.chkSbieLogon->setChecked(true);
ui.chkDropPrivileges->setChecked(true);
ui.chkHideOtherBoxes->setChecked(true);
ui.chkHostProtect->setChecked(true);
case CSandBoxPlus::eHardenedPlus:
case CSandBoxPlus::eHardened:
ui.chkNoSecurityIsolation->setChecked(false);
ui.chkNoSecurityFiltering->setChecked(false);
ui.chkSecurityMode->setChecked(true);
//ui.chkRestrictServices->setChecked(true);
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus);
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax);
//SetTemplate("NoUACProxy", false);
SetTemplate("RpcPortBindingsExt", false);
break;

28
SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp
View File

@ -182,6 +182,25 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
if (!disableWizardSettings || sharedTemplateMode == 0) {
switch (BoxType)
{
case CSandBoxPlus::eIsoationMax:
pBox->SetBool("HideNonSystemProcess", true);
pBox->InsertText("Template", "BlockAccessWMI");
pBox->InsertText("Template", "BlockDNS");
pBox->SetBool("HideOtherBoxes", true);
pBox->SetBool("ClosePrintSpooler", true);
pBox->SetBool("OpenClipboard", false);
pBox->SetBool("BlockInterferePower", true);
pBox->SetBool("BlockInterferenceControl", true);
pBox->SetBool("BlockScreenCapture", true);
pBox->InsertText("Template","BlockLocalConnect");
pBox->SetBool("UseSandboxDesktop", true);
pBox->SetBool("ConfidentialBox", true);
pBox->SetBool("CoverBoxedWindows", true);
pBox->SetBool("AlertBeforeStart", true);
pBox->SetBool("ForceProtectionOnMount", true);
pBox->SetNum64("ProcessMemoryLimit", 80000000);
pBox->SetNum("ProcessNumberLimit", 20);
pBox->SetBool("ProtectHostImages", true);
case CSandBoxPlus::eHardenedPlus:
pBox->SetBool("UsePrivacyMode", true);
case CSandBoxPlus::eHardened:
@ -247,7 +266,7 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
}
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax);
bool bDropAdmin = field("dropAdmin").toBool();
if (field("dropAdmin").toBool() && !bHardened)
pBox->SetBool("DropAdminRights", true);
@ -385,7 +404,10 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent)
//return qMakePair(pW, pIcon);
return pC;
};
AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax,
tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n"
"In addition, there are other configurations that facilitate isolation,\n"
"such as processes and image access control, and so on."));
AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus,
tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
"It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
@ -790,7 +812,7 @@ void CIsolationPage::initializePage()
{
int BoxType = wizard()->field("boxType").toInt();
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax);
bool bDropAdmin = field("dropAdmin").toBool();
m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
m_pShareAccess->setEnabled(!bHardened);