This commit is contained in:
DavidXanatos 2021-07-23 09:44:35 +02:00
parent fc2a93ba90
commit add64d53e5
11 changed files with 65 additions and 19 deletions

View File

@ -33,7 +33,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
-- Note: a process must have administrative privileges to be able to use this API
- added a UI option to switch "MsiInstallerExemptions=y" on and off
-- just in case a future windows build breaks something for the systemless mode
- added sample code for ObRegisterCallbacks to the driver
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" allowing to disable file and registry filtering
-- Note: this options are for testing only and disable core parts of the sandbox isolation
- added a few CommandLone options to sandman.exe
### Changed
- greately improved the performanceof the trace log, but its no longer possible to log to booth sandman and sbiectrl at the same time

View File

@ -983,13 +983,13 @@ _FX NTSTATUS File_Generic_MyParseProc(
// skip requests dealing with devices we don't care about
//
if (device_type != FILE_DEVICE_DISK &&
if ((device_type != FILE_DEVICE_DISK &&
device_type != FILE_DEVICE_NAMED_PIPE &&
device_type != FILE_DEVICE_MAILSLOT &&
device_type != FILE_DEVICE_NETWORK &&
device_type != FILE_DEVICE_MULTI_UNC_PROVIDER &&
device_type != FILE_DEVICE_NETWORK_FILE_SYSTEM &&
device_type != FILE_DEVICE_DFS)
device_type != FILE_DEVICE_DFS) || proc->disable_file_flt)
{
if ((proc->file_trace & TRACE_IGNORE) || Session_MonitorCount) {

View File

@ -432,7 +432,7 @@ _FX FLT_PREOP_CALLBACK_STATUS File_PreOperation(
status = STATUS_PROCESS_IS_TERMINATING;
goto finish;
}
if (!proc || proc->bHostInject)
if (!proc || proc->bHostInject || proc->disable_file_flt)
goto finish;
//

View File

@ -228,7 +228,7 @@ _FX NTSTATUS Key_Callback(void *Context, void *Arg1, void *Arg2)
if (status != STATUS_SUCCESS)
return status;
if (!proc || proc->bHostInject)
if (!proc || proc->bHostInject || proc->disable_key_flt)
return STATUS_SUCCESS;
//

View File

@ -726,6 +726,13 @@ _FX PROCESS *Process_Create(
proc->disable_monitor = Conf_Get_Boolean(proc->box->name, L"DisableResourceMonitor", 0, FALSE);
//
// initialize debug options
//
proc->disable_file_flt = Conf_Get_Boolean(proc->box->name, L"DisableFileFilter", 0, FALSE);
proc->disable_key_flt = Conf_Get_Boolean(proc->box->name, L"DisableKeyFilter", 0, FALSE);
//
// initialize trace flags
//

View File

@ -145,6 +145,7 @@ struct _PROCESS {
LIST blocked_dlls;
ULONG file_trace;
ULONG pipe_trace;
BOOLEAN disable_file_flt;
BOOLEAN file_warn_internet;
BOOLEAN file_warn_direct_access;
BOOLEAN AllowInternetAccess;
@ -159,6 +160,7 @@ struct _PROCESS {
LIST read_key_paths; // PATTERN elements
LIST write_key_paths; // PATTERN elements
ULONG key_trace;
BOOLEAN disable_key_flt;
// ipc-related

View File

@ -152,7 +152,7 @@ QStringList CSbieIni::GetTextListTmpl(const QString &Setting, const QString& Tem
for (int index = 0; ; index++)
{
QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL);
QString Value = m_pAPI->SbieIniGet("Template_" + Template, Setting, index | CONF_GET_NO_GLOBAL | CONF_GET_NO_EXPAND);
if (Value.isNull())
break;
TextList.append(Value);

View File

@ -562,7 +562,7 @@ void CSandMan::OnMessage(const QString& Message)
setWindowState(Qt::WindowActive);
SetForegroundWindow(MainWndHandle);
}
else if (Message.left(3) == "Run")
else if (Message.left(4) == "Run:")
{
QString CmdLine = Message.mid(4);
@ -572,6 +572,23 @@ void CSandMan::OnMessage(const QString& Message)
else
RunSandboxed(QStringList(CmdLine));
}
else if (Message.left(3) == "Op:")
{
QString Op = Message.mid(3);
SB_STATUS Status;
if (Op == "Connect")
Status = ConnectSbie();
else if (Op == "Disconnect")
Status = DisconnectSbie();
else if (Op == "Shutdown")
Status = StopSbie();
else if (Op == "EmptyAll")
Status = theAPI->TerminateAll();
else
Status = SB_ERR(SB_Message, QVariantList () << (tr("Unknown operation '%1' requested via command line").arg(Op)));
CheckResults(QList<SB_STATUS>() << Status);
}
else if (Message.left(6) == "Status")
{
QString Status = Message.mid(7);

View File

@ -122,7 +122,7 @@ void CSandBoxPlus::UpdateDetails()
m_bDropRights = GetBool("DropAdminRights", false);
if (CheckOpenToken() || GetBool("StripSystemPrivileges", false))
if (CheckUnsecureConfig())
m_iUnsecureDebugging = 1;
else if(GetBool("ExposeBoxedSystem", false) || GetBool("UnrestrictedSCM", false) /*|| GetBool("RunServicesAsSystem", false)*/)
m_iUnsecureDebugging = 2;
@ -174,7 +174,7 @@ QString CSandBoxPlus::GetStatusStr() const
return Status.join(", ");
}
bool CSandBoxPlus::CheckOpenToken() const
bool CSandBoxPlus::CheckUnsecureConfig() const
{
if (GetBool("OriginalToken", false)) return true;
if (GetBool("OpenToken", false)) return true;
@ -182,6 +182,9 @@ bool CSandBoxPlus::CheckOpenToken() const
if (!GetBool("AnonymousLogon", true)) return true;
if (GetBool("KeepTokenIntegrity", false)) return true;
if(GetBool("UnfilteredToken", false)) return true;
if (GetBool("DisableFileFilter", false)) return true;
if (GetBool("DisableKeyFilter", false)) return true;
if (GetBool("StripSystemPrivileges", false)) return true;
return false;
}

View File

@ -87,7 +87,7 @@ public:
protected:
friend class CSbiePlusAPI;
virtual bool CheckOpenToken() const;
virtual bool CheckUnsecureConfig() const;
virtual bool TestProgramGroup(const QString& Group, const QString& ProgName);
virtual void EditProgramGroup(const QString& Group, const QString& ProgName, bool bSet);

View File

@ -31,15 +31,29 @@ int main(int argc, char *argv[])
return 0;
}
QString CommandLine;
QString PendingMessage;
QStringList Args = QCoreApplication::arguments();
int BoxPos = Args.indexOf("/box:__ask__");
if (BoxPos != -1) {
for (int i = BoxPos + 1; i < Args.count(); i++)
CommandLine += "\"" + Args[i] + "\" ";
if(app.sendMessage("Run:" + CommandLine.trimmed()))
return 0;
int CmdPos = Args.indexOf("-op");
if (CmdPos != -1) {
QString Op;
if (Args.count() > CmdPos)
Op = Args.at(CmdPos + 1);
PendingMessage = "Op:" + Op;
}
CmdPos = Args.indexOf("/box:__ask__");
if (CmdPos != -1) {
QString CommandLine;
for (int i = CmdPos + 1; i < Args.count(); i++)
CommandLine += "\"" + Args[i] + "\" ";
PendingMessage = "Run:" + CommandLine.trimmed();
}
if (!PendingMessage.isEmpty()) {
if(app.sendMessage(PendingMessage))
return 0;
}
else if (app.sendMessage("ShowWnd"))
return 0;
@ -50,8 +64,8 @@ int main(int argc, char *argv[])
CSandMan* pWnd = new CSandMan();
QObject::connect(&app, SIGNAL(messageReceived(const QString&)), pWnd, SLOT(OnMessage(const QString&)));
if (!CommandLine.isEmpty())
QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, "Run:" + CommandLine));
if (!PendingMessage.isEmpty())
QMetaObject::invokeMethod(pWnd, "OnMessage", Qt::QueuedConnection, Q_ARG(QString, PendingMessage));
int ret = app.exec();