DavidXanatos 2023-02-11 18:48:17 +01:00
parent 2d48c05421
commit b176e88063
4 changed files with 116 additions and 92 deletions


@ -18,16 +18,17 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- 'OpenProtectedStorage=y' has been replaced with a template
- moved all built in access rules to a set of default templates
- moved WinInetCache control to a template OpenWinInetCache, 'CloseWinInetCache=y' is now obsolete
- added hook for CreateAppContainerToken, should also improve compatibility with other apps
- added hook for CreateAppContainerToken, should also improve compatibility with other apps [#1926](https://github.com/sandboxie-plus/Sandboxie/issues/1926)
-- note: Template_Edge_Fix is no longer required
- replaced a few icons
- moved the "Support" settings page the above "Advance Options" page and renamed it to "Support & Updates"
- when dragging and dropping a file on to the sandman UI to run it the currently selected box will be pre-selected in the box picker dialog
- improved access rule handling [#2633](https://github.com/sandboxie-plus/Sandboxie/discussions/2633)
### Fixed
- added AppContainer support for Compartment type boxes
- FIXED SECURITY ISSUE ID-22 NtCreateSectionEx was not filtered by the driver
- fixed issue starting services without a system token


@ -1064,6 +1064,14 @@ int Program_Start(void)
expanded = MyHeapAlloc(8192 * sizeof(WCHAR));
ExpandEnvironmentStrings(cmdline, expanded, 8192);
//
// When the service proces has a manifest which requires elevated privileges,
// CreateProcess will fail if we did not start with a elevated token.
// To fix this issue we always fake being elevated when starting a service.
//
SbieDll_SetFakeAdmin(TRUE);
//
// If the command contains a space but no ", try to fix it
//
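Review bot: `SbieDll_SetFakeAdmin(TRUE);` is switched on here and nothing in the hunk switches it back. The setter added elsewhere in this commit only assigns the global `Secure_FakeAdmin`, so the faked elevation presumably stays in effect for the rest of the process rather than just for the service's CreateProcess call. If that is intended the comment should say so; if not, a matching `SbieDll_SetFakeAdmin(FALSE);` once the service process has been created would keep the window narrow. The comment also has typos; suggested wording: `// When the service process has a manifest that requires elevated privileges, CreateProcess fails unless we appear to hold an elevated token, so fake elevation (process-wide) before starting a service.` The rest of Program_Start is outside the hunk.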


@ -189,6 +189,8 @@ SBIEDLL_EXPORT BOOL SbieDll_StartBoxedService(
SBIEDLL_EXPORT BOOL SbieDll_CheckProcessLocalSystem(HANDLE ProcessHandle);
SBIEDLL_EXPORT VOID SbieDll_SetFakeAdmin(BOOLEAN FakeAdmin);
SBIEDLL_EXPORT HANDLE SbieDll_OpenProcess(ACCESS_MASK DesiredAccess, HANDLE idProcess);
SBIEDLL_EXPORT HRESULT SbieDll_ComCreateProxy(
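Review bot: The new export `SbieDll_SetFakeAdmin` is declared without a comment, although it changes behaviour for the whole process. Going by the definition in this commit it only assigns the global `Secure_FakeAdmin`, which hooks such as `Secure_RtlQueryElevationFlags` then read, so callers need the contract stated on the declaration. Something like `// Process-wide switch: when TRUE, SbieDll's elevation-query hooks report the process as elevated. Not reset automatically.` would do. The comment should also say whether the call is expected before or after the hooks are installed, which is not clear from the visible hunks.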


@ -226,6 +226,7 @@ PSECURITY_DESCRIPTOR Secure_NormalSD = NULL;
PSECURITY_DESCRIPTOR Secure_EveryoneSD = NULL;
BOOLEAN Secure_ShouldFakeRunningAsAdmin = FALSE;
BOOLEAN Secure_IsInternetExplorerTabProcess = FALSE;
BOOLEAN Secure_Is_IE_NtQueryInformationToken = FALSE;
@ -404,21 +405,17 @@ _FX BOOLEAN Secure_Init(void)
&& (_wcsicmp(Dll_ImageName, L"msedge.exe") != 0); // never for msedge.exe
if (Secure_FakeAdmin || Dll_OsBuild >= 9600) {
void* NtAccessCheckByType = GetProcAddress(Dll_Ntdll, "NtAccessCheckByType");
void* NtAccessCheck = GetProcAddress(Dll_Ntdll, "NtAccessCheck");
void* NtQuerySecurityAttributesToken = GetProcAddress(Dll_Ntdll, "NtQuerySecurityAttributesToken");
void* NtQueryInformationToken = GetProcAddress(Dll_Ntdll, "NtQueryInformationToken");
void* NtAccessCheckByTypeResultList = GetProcAddress(Dll_Ntdll, "NtAccessCheckByTypeResultList");
SBIEDLL_HOOK(Ldr_, NtQuerySecurityAttributesToken);
SBIEDLL_HOOK(Ldr_, NtAccessCheckByType);
SBIEDLL_HOOK(Ldr_, NtAccessCheck);
SBIEDLL_HOOK(Ldr_, NtAccessCheckByTypeResultList);
SBIEDLL_HOOK(Ldr_, NtQueryInformationToken);
}
if (Dll_OsBuild >= 9600) { // Windows 8.1 and later
if (DLL_IMAGE_GOOGLE_CHROME == Dll_ImageType) {
@ -444,16 +441,17 @@ _FX BOOLEAN Secure_Init(void)
if (RtlQueryElevationFlags) {
BOOLEAN ShouldFakeRunningAsAdmin = Secure_FakeAdmin
|| Dll_ImageType == DLL_IMAGE_SANDBOXIE_SBIESVC
SBIEDLL_HOOK(Secure_,RtlQueryElevationFlags);
// $Workaround$ - 3rd party fix
Secure_ShouldFakeRunningAsAdmin =
Dll_ImageType == DLL_IMAGE_SANDBOXIE_SBIESVC
|| Dll_ImageType == DLL_IMAGE_SANDBOXIE_RPCSS
|| Dll_ImageType == DLL_IMAGE_INTERNET_EXPLORER
|| (_wcsicmp(Dll_ImageName, L"SynTPEnh.exe") == 0)
|| (_wcsicmp(Dll_ImageName, L"SynTPHelper.exe") == 0);
if (ShouldFakeRunningAsAdmin) {
SBIEDLL_HOOK(Secure_,RtlQueryElevationFlags);
if (Secure_ShouldFakeRunningAsAdmin) {
//
// if this is an Internet Explorer tab process then we always
@ -489,20 +487,25 @@ _FX BOOLEAN Secure_Init(void)
RtlCheckTokenMembershipEx =
GetProcAddress(Dll_Ntdll, "RtlCheckTokenMembershipEx");
if (RtlCheckTokenMembershipEx) {
if (Secure_FakeAdmin) {
SBIEDLL_HOOK(Secure_, RtlCheckTokenMembershipEx);
}
}
return TRUE;
}
//---------------------------------------------------------------------------
// SbieDll_SetFakeAdmin
//---------------------------------------------------------------------------
_FX VOID SbieDll_SetFakeAdmin(BOOLEAN FakeAdmin)
{
Secure_FakeAdmin = FakeAdmin;
}
//---------------------------------------------------------------------------
// SbieDll_OpenProcess
//---------------------------------------------------------------------------
@ -1108,6 +1111,7 @@ NTSTATUS Ldr_NtAccessCheckByType(PSECURITY_DESCRIPTOR SecurityDescriptor, PSID P
NTSTATUS rc;
HANDLE hTokenReal = NULL;
if (Dll_OsBuild >= 9600) {
// todo: is that right? It seems wrong
if (Dll_ImageType == DLL_IMAGE_SANDBOXIE_BITS ||
Dll_ImageType == DLL_IMAGE_SANDBOXIE_WUAU ||
@ -1117,6 +1121,7 @@ NTSTATUS Ldr_NtAccessCheckByType(PSECURITY_DESCRIPTOR SecurityDescriptor, PSID P
SetLastError(0);
return TRUE;
}
}
Ldr_TestToken(ClientToken, &hTokenReal, TRUE);
@ -1332,7 +1337,13 @@ _FX NTSTATUS Secure_RtlQueryElevationFlags(ULONG *Flags)
// - InstallerDetectEnabled (0x04) - Detection of installers
//
BOOLEAN fake = Secure_FakeAdmin; // FALSE;
BOOLEAN fake = FALSE;
if (Secure_FakeAdmin)
{
fake = TRUE;
}
else if (Secure_ShouldFakeRunningAsAdmin) {
if (Dll_ImageType == DLL_IMAGE_INTERNET_EXPLORER) {
@ -1392,6 +1403,8 @@ _FX NTSTATUS Secure_RtlQueryElevationFlags(ULONG *Flags)
fake = TRUE;
}
}
//
//
//
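Review bot: In `Ldr_NtAccessCheckByType` the early exit that the `Dll_OsBuild >= 9600` test appears to wrap now still ends in `return TRUE;` from a function declared to return `NTSTATUS`, and the `// todo: is that right? It seems wrong` comment is left unresolved. `TRUE` is 1, which passes `NT_SUCCESS()` but is not `STATUS_SUCCESS`. Nothing visible in the two hunks writes the granted-access and access-status outputs before returning, so a caller could read stale values for the listed image types. If the bypass is meant to stay, `return STATUS_SUCCESS;` with the outputs set explicitly and a comment explaining why these images skip the real check would make it reviewable. The lines between the two hunks are not shown, so the outputs may already be set there.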