parent
fc2a93ba90
commit
add64d53e5
|
@ -33,7 +33,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
-- Note: a process must have administrative privileges to be able to use this API
|
||||
- added a UI option to switch "MsiInstallerExemptions=y" on and off
|
||||
-- just in case a future windows build breaks something for the systemless mode
|
||||
|
||||
- added sample code for ObRegisterCallbacks to the driver
|
||||
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" allowing to disable file and registry filtering
|
||||
-- Note: this options are for testing only and disable core parts of the sandbox isolation
|
||||
- added a few CommandLone options to sandman.exe
|
||||
|
||||
### Changed
|
||||
- greately improved the performanceof the trace log, but its no longer possible to log to booth sandman and sbiectrl at the same time
|
||||
|
|
|
@ -983,13 +983,13 @@ _FX NTSTATUS File_Generic_MyParseProc(
|
|||
// skip requests dealing with devices we don't care about
|
||||
//
|
||||
|
||||
if (device_type != FILE_DEVICE_DISK &&
|
||||
if ((device_type != FILE_DEVICE_DISK &&
|
||||
device_type != FILE_DEVICE_NAMED_PIPE &&
|
||||
device_type != FILE_DEVICE_MAILSLOT &&
|
||||
device_type != FILE_DEVICE_NETWORK &&
|
||||
device_type != FILE_DEVICE_MULTI_UNC_PROVIDER &&
|
||||
device_type != FILE_DEVICE_NETWORK_FILE_SYSTEM &&
|
||||
device_type != FILE_DEVICE_DFS)
|
||||
device_type != FILE_DEVICE_DFS) || proc->disable_file_flt)
|
||||
{
|
||||
if ((proc->file_trace & TRACE_IGNORE) || Session_MonitorCount) {
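Review bot: The comment above this condition still says "skip requests dealing with devices we don't care about", but with `|| proc->disable_file_flt` appended the branch is also taken for every request from a process whose box sets DisableFileFilter. I would extend the comment, e.g. `// also taken for all devices when the DisableFileFilter debug option is set (no file isolation for this process)`. The same applies to the `proc->disable_file_flt` clause in File_PreOperation and the `proc->disable_key_flt` clause in Key_Callback, where the flag is joined to the `bHostInject` check without a comment. When file tracing is on, the trace under `TRACE_IGNORE` would presumably record these requests as ignored devices, which can mislead someone reading the log; the rest of the branch is outside the hunk.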
|
||||
|
||||
|
|
|
@ -432,7 +432,7 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation(
|
|||
status = STATUS_PROCESS_IS_TERMINATING;
|
||||
goto finish;
|
||||
}
|
||||
if (!proc || proc->bHostInject)
|
||||
if (!proc || proc->bHostInject || proc->disable_file_flt)
|
||||
goto finish;
|
||||
|
||||
//
|
||||
|
|
|
@ -228,7 +228,7 @@ _FX NTSTATUS Key_Callback(void *Context, void *Arg1, void *Arg2)
|
|||
if (status != STATUS_SUCCESS)
|
||||
return status;
|
||||
|
||||
if (!proc || proc->bHostInject)
|
||||
if (!proc || proc->bHostInject || proc->disable_key_flt)
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
//
|
||||
|
|
|
@ -726,6 +726,13 @@ _FX PROCESS *Process_Create(
|
|||
|
||||
proc->disable_monitor = Conf_Get_Boolean(proc->box->name, L"DisableResourceMonitor", 0, FALSE);
|
||||
|
||||
//
|
||||
// initialize debug options
|
||||
//
|
||||
|
||||
proc->disable_file_flt = Conf_Get_Boolean(proc->box->name, L"DisableFileFilter", 0, FALSE);
|
||||
proc->disable_key_flt = Conf_Get_Boolean(proc->box->name, L"DisableKeyFilter", 0, FALSE);
|
||||
|
||||
//
|
||||
// initialize trace flags
|
||||
//
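Review bot: `DisableFileFilter` and `DisableKeyFilter` are read from the box configuration in Process_Create with no build-time or runtime gate visible in this hunk, so a single configuration line turns off file or registry filtering for every process started in that box. Since the changelog describes them as testing-only, I would either compile the two reads under a debug define or emit a log message whenever one of them is TRUE, so a box running without isolation is visible outside the UI. The comment should also state the effect, e.g. `// debug options: each of these disables a core part of the sandbox isolation, testing only`. Process_Create continues outside the hunk.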
|
||||
|
|
|
@ -145,6 +145,7 @@ struct _PROCESS {
|
|||
LIST blocked_dlls;
|
||||
ULONG file_trace;
|
||||
ULONG pipe_trace;
|
||||
BOOLEAN disable_file_flt;
|
||||
BOOLEAN file_warn_internet;
|
||||
BOOLEAN file_warn_direct_access;
|
||||
BOOLEAN AllowInternetAccess;
|
||||
|
@ -159,6 +160,7 @@ struct _PROCESS {
|
|||
LIST read_key_paths; // PATTERN elements
|
||||
LIST write_key_paths; // PATTERN elements
|
||||
ULONG key_trace;
|
||||
BOOLEAN disable_key_flt;
|
||||
|
||||
// ipc-related
|
||||
|
||||
|
|
|
@ -152,7 +152,7 @@ QStringList CSbieIni::GetTextListTmpl(const QString &Setting, const QString& Tem
|
|||
|
||||
for (int index = 0; ; index++)
|
||||
{
|
||||
QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL);
|
||||
QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL | CONF_GET_NO_EXPAND);
|
||||
if (Value.isNull())
|
||||
break;
|
||||
TextList.append(Value);
|
||||
|
|
|
@ -562,7 +562,7 @@ void CSandMan::OnMessage(const QString& Message)
|
|||
setWindowState(Qt::WindowActive);
|
||||
SetForegroundWindow(MainWndHandle);
|
||||
}
|
||||
else if (Message.left(3) == "Run")
|
||||
else if (Message.left(4) == "Run:")
|
||||
{
|
||||
QString CmdLine = Message.mid(4);
|
||||
|
||||
|
@ -572,6 +572,23 @@ void CSandMan::OnMessage(const QString& Message)
|
|||
else
|
||||
RunSandboxed(QStringList(CmdLine));
|
||||
}
|
||||
else if (Message.left(3) == "Op:")
|
||||
{
|
||||
QString Op = Message.mid(3);
|
||||
|
||||
SB_STATUS Status;
|
||||
if (Op == "Connect")
|
||||
Status = ConnectSbie();
|
||||
else if (Op == "Disconnect")
|
||||
Status = DisconnectSbie();
|
||||
else if (Op == "Shutdown")
|
||||
Status = StopSbie();
|
||||
else if (Op == "EmptyAll")
|
||||
Status = theAPI->TerminateAll();
|
||||
else
|
||||
Status = SB_ERR(SB_Message, QVariantList () << (tr("Unknown operation '%1' requested via command line").arg(Op)));
|
||||
CheckResults(QList<SB_STATUS>() << Status);
|
||||
}
|
||||
else if (Message.left(6) == "Status")
|
||||
{
|
||||
QString Status = Message.mid(7);
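Review bot: The new `Op:` branch carries out `Shutdown`, `Disconnect` and `EmptyAll` for any message delivered to OnMessage, and nothing in this hunk confirms the request or checks who sent it. These messages arrive over the single-instance channel connected in main(), so whether another process in the session can post them depends on how that channel is secured, which is not visible here. A comment stating the assumption would help, e.g. `// Op: messages are trusted; the single-instance channel must only accept senders from the same user`. Separately, the context branch `Message.left(6) == "Status"` followed by `Message.mid(7)` is now the only prefix test without its separator; presumably it should get the same treatment as the `Run:` fix made here. OnMessage starts and ends outside the hunk.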
|
||||
|
|
|
@ -122,7 +122,7 @@ void CSandBoxPlus::UpdateDetails()
|
|||
|
||||
m_bDropRights = GetBool("DropAdminRights", false);
|
||||
|
||||
if (CheckOpenToken() || GetBool("StripSystemPrivileges", false))
|
||||
if (CheckUnsecureConfig())
|
||||
m_iUnsecureDebugging = 1;
|
||||
else if(GetBool("ExposeBoxedSystem", false) || GetBool("UnrestrictedSCM", false) /*|| GetBool("RunServicesAsSystem", false)*/)
|
||||
m_iUnsecureDebugging = 2;
|
||||
|
@ -174,7 +174,7 @@ QString CSandBoxPlus::GetStatusStr() const
|
|||
return Status.join(", ");
|
||||
}
|
||||
|
||||
bool CSandBoxPlus::CheckOpenToken() const
|
||||
bool CSandBoxPlus::CheckUnsecureConfig() const
|
||||
{
|
||||
if (GetBool("OriginalToken", false)) return true;
|
||||
if (GetBool("OpenToken", false)) return true;
|
||||
|
@ -182,6 +182,9 @@ bool CSandBoxPlus::CheckOpenToken() const
|
|||
if (!GetBool("AnonymousLogon", true)) return true;
|
||||
if (GetBool("KeepTokenIntegrity", false)) return true;
|
||||
if(GetBool("UnfilteredToken", false)) return true;
|
||||
if (GetBool("DisableFileFilter", false)) return true;
|
||||
if (GetBool("DisableKeyFilter", false)) return true;
|
||||
if (GetBool("StripSystemPrivileges", false)) return true;
|
||||
return false;
|
||||
}
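Review bot: CheckUnsecureConfig now returns true for token options, the two filter-disabling debug options and StripSystemPrivileges, but it has no comment saying what qualifies a setting for the list. I would add one above the definition, e.g. `// true if any setting is enabled that weakens or disables the isolation of this box; extend when adding such options to the driver`. On style, the context line `if(GetBool("UnfilteredToken", false))` has no space after `if` while the added lines do; the added spacing is the one to keep. Part of the function body lies between the two hunks and is not shown.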
|
||||
|
||||
|
|
|
@ -87,7 +87,7 @@ public:
|
|||
|
||||
protected:
|
||||
friend class CSbiePlusAPI;
|
||||
virtual bool CheckOpenToken() const;
|
||||
virtual bool CheckUnsecureConfig() const;
|
||||
|
||||
virtual bool TestProgramGroup(const QString& Group, const QString& ProgName);
|
||||
virtual void EditProgramGroup(const QString& Group, const QString& ProgName, bool bSet);
|
||||
|
|
|
@ -31,15 +31,29 @@ int main(int argc, char *argv[])
|
|||
return 0;
|
||||
}
|
||||
|
||||
QString CommandLine;
|
||||
QString PendingMessage;
|
||||
|
||||
QStringList Args = QCoreApplication::arguments();
|
||||
int BoxPos = Args.indexOf("/box:__ask__");
|
||||
if (BoxPos != -1) {
|
||||
for (int i = BoxPos + 1; i < Args.count(); i++)
|
||||
CommandLine += "\"" + Args[i] + "\" ";
|
||||
if(app.sendMessage("Run:" + CommandLine.trimmed()))
|
||||
return 0;
|
||||
int CmdPos = Args.indexOf("-op");
|
||||
if (CmdPos != -1) {
|
||||
QString Op;
|
||||
if (Args.count() > CmdPos)
|
||||
Op = Args.at(CmdPos + 1);
|
||||
PendingMessage = "Op:" + Op;
|
||||
}
|
||||
|
||||
CmdPos = Args.indexOf("/box:__ask__");
|
||||
if (CmdPos != -1) {
|
||||
QString CommandLine;
|
||||
for (int i = CmdPos + 1; i < Args.count(); i++)
|
||||
CommandLine += "\"" + Args[i] + "\" ";
|
||||
PendingMessage = "Run:" + CommandLine.trimmed();
|
||||
}
|
||||
|
||||
if (!PendingMessage.isEmpty()) {
|
||||
if(app.sendMessage(PendingMessage))
|
||||
return 0;
|
||||
}
|
||||
else if (app.sendMessage("ShowWnd"))
|
||||
return 0;
|
||||
|
||||
|
@ -50,8 +64,8 @@ int main(int argc, char *argv[])
|
|||
CSandMan* pWnd = new CSandMan();
|
||||
|
||||
QObject::connect(&app, SIGNAL(messageReceived(const QString&)), pWnd, SLOT(OnMessage(const QString&)));
|
||||
if (!CommandLine.isEmpty())
|
||||
QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, "Run:" + CommandLine));
|
||||
if (!PendingMessage.isEmpty())
|
||||
QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, PendingMessage));
|
||||
|
||||
int ret = app.exec();
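Review bot: In the `-op` handling, `if (Args.count() > CmdPos)` is always true once `indexOf` has found the switch, so when `-op` is the last argument `Args.at(CmdPos + 1)` indexes past the end of the list. The guard should be `if (Args.count() > CmdPos + 1)`. With that fix a missing operation still produces the message `Op:`, which OnMessage would report as an unknown operation, so skipping the send when `Op` is empty may be cleaner. Also, when both `-op` and `/box:__ask__` are given, the second block overwrites `PendingMessage` and the requested operation is dropped without notice.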
|
||||
|
||||
|
|