This commit is contained in:
DavidXanatos 2023-01-28 22:38:14 +01:00
parent effaaea8f6
commit abb905bb09
9 changed files with 37 additions and 23 deletions


@ -14,6 +14,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- added ability to open all com classes [#2448](https://github.com/sandboxie-plus/Sandboxie/issues/2448)
-- use OpenClsid={00000000-0000-0000-0000-000000000000} to open all
- the SandMan UI now indicates if a sandboxed process has a Elevated(Admin) or System token
- DropAdminRights can now be configured per process [#2293](https://github.com/sandboxie-plus/Sandboxie/issues/2293)
### Changed
- refactored network blocking code in driver
@ -62,7 +63,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Fixed
- fixed issue with Hebrew language (Classic UI) [#2608](https://github.com/sandboxie-plus/Sandboxie/issues/2608)
- fixed issue with start menu integration and snapshots
- fixed issue with start menu integration and snapshots [#2589](https://github.com/sandboxie-plus/Sandboxie/issues/2589)


@ -216,6 +216,14 @@ _FX WCHAR* Config_MatchImageAndGetValue(WCHAR* value, const WCHAR* ImageName, UL
BOOLEAN inv, match;
//
// ignore all process specific presets when no image name was provided
// keep searching for a global default
//
if (!ImageName)
return NULL;
//
// exclamation marks negates the matching
//
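Review bot: The added comment says "keep searching for a global default", but the code at that point does `return NULL;`, so any continued search happens in the caller, not in this function, and a reader of this block alone cannot see that. Suggest wording the comment from this function's own point of view, e.g. `// no image name: treat every process-specific preset as non-matching (NULL) so the caller falls through to the global default`. Config_MatchImageAndGetValue starts before and ends after the hunk, so whether every caller really continues past a NULL return cannot be confirmed from here.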


@ -262,6 +262,12 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
if (proc) {
//
// the service synamically allocates a per box SID to be used,
// if no SID is provided thsi feature is eider disabled or failed
// then we fall back to using the default anonymous SID
//
__try {
PSID pSID = (PSID)(ULONG_PTR)parms[2];
@ -279,6 +285,13 @@ _FX NTSTATUS Process_Low_Api_InjectComplete(PROCESS *proc, ULONG64 *parms)
status = GetExceptionCode();
}
//
// the service tells us if we should drop admin rights for this process,
// howeever if security mode is enabled we always drop admin rights
//
proc->drop_rights = proc->use_security_mode || parms[3] != FALSE;
KeSetEvent(Process_Low_Event, 0, FALSE);
status = STATUS_SUCCESS;
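Review bot: `proc->drop_rights` is now taken from `parms[3]`, a value supplied by the user-mode caller of API_INJECT_COMPLETE, and nothing in the hunk shows the request being restricted to the service or `parms[3]` being validated; the caller check presumably lives in the API dispatcher outside the hunk, which is worth confirming since this flag decides whether the process keeps admin rights. The argument count matters for the same reason: DriverAssist now always passes 3 arguments, but whether `parms[3]` reads as zero when an older service still calls with 1 or 2 depends on how the dispatcher handles short argument lists, which is not visible here. The driver-side `Conf_Get_Boolean(..., L"DropAdminRights", ...)` in Token_FilterPrimary is removed in the same commit while that function still reads `proc->drop_rights`, so as far as this commit shows this assignment is the only producer of the flag; a comment such as `// Token_FilterPrimary reads proc->drop_rights; this must run before the primary token is filtered` would record that dependency (and the ordering assumption should be verified). The new comments also carry typos — `synamically`, `thsi`, `eider`, `howeever` — that should read `dynamically`, `this`, `either`, `however`.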


@ -519,19 +519,8 @@ _FX void *Token_FilterPrimary(PROCESS *proc, void *ProcessObject)
// DbgPrint(" Process Token %08X - %d <%S>\n", PrimaryToken, proc->pid, proc->image_name);
proc->drop_rights = proc->use_security_mode || Conf_Get_Boolean(proc->box->name, L"DropAdminRights", 0, FALSE);
DropRights = (proc->drop_rights ? -1 : 0);
//
// special allowance for MSIServer - it does not seem to be needed with the CreateWaitableTimerW hook
//
//if (DropRights && !proc->image_from_box && _wcsicmp(proc->image_name, L"msiexec.exe") == 0
// && Conf_Get_Boolean(proc->box->name, L"MsiInstallerExemptions", 0, FALSE))
//{
// DropRights = 0;
//}
// DbgPrint(" Drop rights %d - %d <%S>\n", proc->drop_rights, proc->pid, proc->image_name);
ReturnToken = Token_Filter(


@ -69,8 +69,9 @@ void DriverAssist::InjectLow(void *_msg)
goto finish;
}
WCHAR boxname[48];
errlvl = SbieApi_QueryProcessEx2((HANDLE)msg->process_id, 0, boxname, NULL, NULL, NULL, NULL);
WCHAR boxname[BOXNAME_COUNT_48];
WCHAR exename[99];
errlvl = SbieApi_QueryProcessEx2((HANDLE)msg->process_id, 96, boxname, exename, NULL, NULL, NULL);
if (errlvl != 0)
goto finish;
@ -117,10 +118,12 @@ void DriverAssist::InjectLow(void *_msg)
// notify driver that we successfully injected the lowlevel code
//
BOOL drop_rights = SbieDll_GetSettingsForName_bool(boxname, exename, L"DropAdminRights", FALSE);
if (GetSandboxieSID(boxname, SandboxieLogonSid, sizeof(SandboxieLogonSid)))
status = SbieApi_Call(API_INJECT_COMPLETE, 2, (ULONG_PTR)msg->process_id, SandboxieLogonSid);
status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, SandboxieLogonSid, drop_rights);
else // if that fails or is not enabled we fall back to using the anonymous logon token
status = SbieApi_Call(API_INJECT_COMPLETE, 1, (ULONG_PTR)msg->process_id);
status = SbieApi_Call(API_INJECT_COMPLETE, 3, (ULONG_PTR)msg->process_id, NULL, drop_rights);
if (status == 0)
errlvl = 0;
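Review bot: The `96` passed to SbieApi_QueryProcessEx2 and the `exename[99]` buffer it fills are related only by guesswork, whereas `boxname` in the same hunk now uses the named `BOXNAME_COUNT_48`; a named constant or a comment such as `WCHAR exename[99]; // 96 chars requested below, remainder is room for the terminator` would make the pairing explicit, assuming that is what the 96 means (the API's contract is outside the hunk). Computing `drop_rights` once and passing it in both the SID branch and the NULL-SID fallback keeps the two paths consistent, which is the right shape; whether the BOOL survives the varargs trip as a ULONG_PTR without sign issues is determined by SbieApi_Call, not visible here.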


@ -275,7 +275,7 @@ MSG_HEADER *ComServer::GetClassObjectHandler(
exc = 0;
pMap->ProcNum = 0;
if (req->elevate) {
if (CheckDropRights(slave->BoxName))
if (CheckDropRights(slave->BoxName, NULL))
exc = ERROR_ELEVATION_REQUIRED;
else
pMap->ProcNum = 1;
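Review bot: `CheckDropRights(slave->BoxName, NULL)` passes no image name, so a per-process DropAdminRights preset is not consulted on the COM elevation path, while ServiceServer::CanCallerDoElevation in the same commit does pass `exename`; a process configured per-process to drop rights could therefore still be handed an elevated class object here, unless SbieDll_GetSettingsForName_bool treats a NULL name differently from the driver-side matcher (Config_MatchImageAndGetValue returns NULL for process-specific presets when no image name is given). If the slave's image name is available at this point it should be passed; otherwise the fallback deserves a comment, e.g. `// no image name here: only the box-wide DropAdminRights setting is applied`. GetClassObjectHandler starts and ends outside the hunk.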


@ -513,21 +513,21 @@ finish:
//---------------------------------------------------------------------------
bool CheckDropRights(const WCHAR *BoxName)
bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName)
{
// Allow setting of DropAdminRights to supress UAC prompts / elevation from the sandboxed realm
//if (SbieApi_QueryConfBool(BoxName, L"NoSecurityIsolation", FALSE))
// return false; // if we are not swapping the token we can not drop admin rights so keep this consistent
if (SbieApi_QueryConfBool(BoxName, L"UseSecurityMode", FALSE))
return true;
if (SbieApi_QueryConfBool(BoxName, L"DropAdminRights", FALSE))
if (SbieDll_GetSettingsForName_bool(BoxName, ExeName, L"DropAdminRights", FALSE))
return true;
return false;
}
//---------------------------------------------------------------------------
// CheckDropRights
// IsProcessWoW64
//---------------------------------------------------------------------------
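Review bot: The new `ExeName` parameter of CheckDropRights is undocumented and at least one caller (ComServer::GetClassObjectHandler) passes NULL, so the contract for a missing name should be stated above the body, e.g. `// ExeName may be NULL (ComServer passes none); only box-wide settings are consulted then` — after confirming against SbieDll_GetSettingsForName_bool, which is outside the hunk, that NULL really means box-wide only. The commented-out `NoSecurityIsolation` block is carried over unchanged above the live checks; if it is a deliberate reminder, a one-line note on why it is disabled is more useful than dead code. Style: the two `if ... return true;` lines plus `return false;` could collapse to `return SbieApi_QueryConfBool(BoxName, L"UseSecurityMode", FALSE) || SbieDll_GetSettingsForName_bool(BoxName, ExeName, L"DropAdminRights", FALSE);`, which keeps the short-circuit order.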


@ -23,7 +23,7 @@
void LogEvent(ULONG msgid, ULONG level, ULONG detail);
void AbortServer(void);
bool RestrictToken(void);
bool CheckDropRights(const WCHAR *BoxName);
bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName);
bool IsProcessWoW64(HANDLE pid);
bool IsHostPath(HANDLE idProcess, WCHAR* dos_path);


@ -50,7 +50,7 @@ bool ServiceServer::CanCallerDoElevation(
if (0 != SbieApi_QueryProcess(idProcess, boxname, exename, NULL, pSessionId))
return false;
bool DropRights = CheckDropRights(boxname);
bool DropRights = CheckDropRights(boxname, exename);
if (ServiceName) {
@ -72,7 +72,7 @@ bool ServiceServer::CanCallerDoElevation(
// not be started with a system token allow it to be start
//
if (DropRights && SbieApi_QueryConfBool(boxname, L"FakeAdminRights", FALSE))
if (DropRights && SbieDll_GetSettingsForName_bool(boxname, exename, L"FakeAdminRights", FALSE))
DropRights = false;
//