1.7.0c

2023-01-28 22:38:14 +01:00 · 2023-01-28 22:38:14 +01:00 · abb905bb09
parent effaaea8f6
commit abb905bb09
9 changed files with 37 additions and 23 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,6 +14,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - added ability to open all com classes [#2448](https://github.com/sandboxie-plus/Sandboxie/issues/2448)
 -- use OpenClsid={00000000-0000-0000-0000-000000000000} to open all
 - the SandMan UI now indicates if a sandboxed process has a Elevated(Admin) or System token
+- DropAdminRights can now be configured per process [#2293](https://github.com/sandboxie-plus/Sandboxie/issues/2293)

 ### Changed
 - refactored network blocking code in driver
@ -62,7 +63,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).

 ### Fixed
 - fixed issue with Hebrew language (Classic UI) [#2608](https://github.com/sandboxie-plus/Sandboxie/issues/2608)
- fixed issue with start menu integration and snapshots
+- fixed issue with start menu integration and snapshots [#2589](https://github.com/sandboxie-plus/Sandboxie/issues/2589)



--- a/Sandboxie/core/dll/config.c
+++ b/Sandboxie/core/dll/config.c
@ -216,6 +216,14 @@ _FX WCHAR* Config_MatchImageAndGetValue(WCHAR* value, const WCHAR* ImageName, UL

        BOOLEAN inv, match;

+        //
+        // ignore all process specific presets when no image name was provided
+        // keep searching for a global default
+        //
+
+        if (!ImageName)
+            return NULL;
+
        //
        // exclamation marks negates the matching
        //
--- a/Sandboxie/core/drv/process_low.c
+++ b/Sandboxie/core/drv/process_low.c
@ -262,6 +262,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)

        if (proc) {

+            //
+            // the service synamically allocates a per box SID to be used,
+            // if no SID is provided thsi feature is eider disabled or failed
+            // then we fall back to using the default anonymous SID
+            //
+
            __try {

                PSID pSID = (PSID)(ULONG_PTR)parms[2];
@ -279,6 +285,13 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
                status = GetExceptionCode();
            }

+            //
+            // the service tells us if we should drop admin rights for this process, 
+            // howeever if security mode is enabled we always drop admin rights
+            //
+
+            proc->drop_rights = proc->use_security_mode || parms[3] != FALSE;
+
            KeSetEvent(Process_Low_Event, 0, FALSE);
            status = STATUS_SUCCESS;

--- a/Sandboxie/core/drv/token.c
+++ b/Sandboxie/core/drv/token.c
@ -519,19 +519,8 @@ _FX void *Token_FilterPrimary(PROCESS *proc, void *ProcessObject)

    // DbgPrint("   Process Token %08X - %d <%S>\n", PrimaryToken, proc->pid, proc->image_name);

-    proc->drop_rights = proc->use_security_mode || Conf_Get_Boolean(proc->box->name, L"DropAdminRights", 0, FALSE);
-
    DropRights = (proc->drop_rights ? -1 : 0);

-    //
-    // special allowance for MSIServer - it does not seem to be needed with the CreateWaitableTimerW hook
-    //
-    //if (DropRights && !proc->image_from_box && _wcsicmp(proc->image_name, L"msiexec.exe") == 0
-    //    && Conf_Get_Boolean(proc->box->name, L"MsiInstallerExemptions", 0, FALSE)) 
-    //{
-    //    DropRights = 0;
-    //}
-
    // DbgPrint("   Drop rights %d - %d <%S>\n", proc->drop_rights, proc->pid, proc->image_name);

    ReturnToken = Token_Filter(
--- a/Sandboxie/core/svc/DriverAssistInject.cpp
+++ b/Sandboxie/core/svc/DriverAssistInject.cpp
@ -69,8 +69,9 @@ void DriverAssist::InjectLow(void *_msg)
 		goto finish;
 	}

-	WCHAR boxname[48];
-	errlvl = SbieApi_QueryProcessEx2((HANDLE)msg->process_id, 0, boxname, NULL, NULL, NULL, NULL);
+	WCHAR boxname[BOXNAME_COUNT_48];
+    WCHAR exename[99];
+	errlvl = SbieApi_QueryProcessEx2((HANDLE)msg->process_id, 96, boxname, exename, NULL, NULL, NULL);
 	if (errlvl != 0)
 		goto finish;

@ -117,10 +118,12 @@ void DriverAssist::InjectLow(void *_msg)
    // notify driver that we successfully injected the lowlevel code
    //

+    BOOL drop_rights = SbieDll_GetSettingsForName_bool(boxname, exename, L"DropAdminRights", FALSE);
+
    if (GetSandboxieSID(boxname, SandboxieLogonSid, sizeof(SandboxieLogonSid)))
-        status = SbieApi_Call(API_INJECT_COMPLETE, 2, (ULONG_PTR)msg->process_id, SandboxieLogonSid);
+        status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, SandboxieLogonSid, drop_rights);
    else // if that fails or is not enabled we fall back to using the anonymous logon token
-        status = SbieApi_Call(API_INJECT_COMPLETE, 1, (ULONG_PTR)msg->process_id);
+        status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, drop_rights);

    if (status == 0)
        errlvl = 0;
--- a/Sandboxie/core/svc/comserver.cpp
+++ b/Sandboxie/core/svc/comserver.cpp
@ -275,7 +275,7 @@ MSG_HEADER *ComServer::GetClassObjectHandler(
        exc = 0;
        pMap->ProcNum = 0;
        if (req->elevate) {
-            if (CheckDropRights(slave->BoxName))
+            if (CheckDropRights(slave->BoxName, NULL))
                exc = ERROR_ELEVATION_REQUIRED;
            else
                pMap->ProcNum = 1;
--- a/Sandboxie/core/svc/main.cpp
+++ b/Sandboxie/core/svc/main.cpp
@ -513,21 +513,21 @@ finish:
 //---------------------------------------------------------------------------


-bool CheckDropRights(const WCHAR *BoxName)
+bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName)
 {
    // Allow setting of DropAdminRights to supress UAC prompts / elevation from the sandboxed realm
    //if (SbieApi_QueryConfBool(BoxName, L"NoSecurityIsolation", FALSE))
    //    return false; // if we are not swapping the token we can not drop admin rights so keep this consistent
    if (SbieApi_QueryConfBool(BoxName, L"UseSecurityMode", FALSE))
        return true;
-    if (SbieApi_QueryConfBool(BoxName, L"DropAdminRights", FALSE))
+    if (SbieDll_GetSettingsForName_bool(BoxName, ExeName, L"DropAdminRights", FALSE))
        return true;
    return false;
 }


 //---------------------------------------------------------------------------
-// CheckDropRights
+// IsProcessWoW64
 //---------------------------------------------------------------------------


--- a/Sandboxie/core/svc/misc.h
+++ b/Sandboxie/core/svc/misc.h
@ -23,7 +23,7 @@
 void LogEvent(ULONG msgid, ULONG level, ULONG detail);
 void AbortServer(void);
 bool RestrictToken(void);
-bool CheckDropRights(const WCHAR *BoxName);
+bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName);

 bool IsProcessWoW64(HANDLE pid);
 bool IsHostPath(HANDLE idProcess, WCHAR* dos_path);
--- a/Sandboxie/core/svc/serviceserver2.cpp
+++ b/Sandboxie/core/svc/serviceserver2.cpp
@ -50,7 +50,7 @@ bool ServiceServer::CanCallerDoElevation(
    if (0 != SbieApi_QueryProcess(idProcess, boxname, exename, NULL, pSessionId))
        return false;

-    bool DropRights = CheckDropRights(boxname);
+    bool DropRights = CheckDropRights(boxname, exename);

    if (ServiceName) {

@ -72,7 +72,7 @@ bool ServiceServer::CanCallerDoElevation(
            // not be started with a system token allow it to be start
            //

-            if (DropRights && SbieApi_QueryConfBool(boxname, L"FakeAdminRights", FALSE))
+            if (DropRights && SbieDll_GetSettingsForName_bool(boxname, exename, L"FakeAdminRights", FALSE))
                DropRights = false;

            //