DavidXanatos 2024-02-24 10:25:31 +01:00
parent c64fa1c147
commit c30fd02493
8 changed files with 33 additions and 16 deletions


@ -12,6 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- fixed incompatibility with Windows ARM64 Insider build 26052 and later
- fixed [1.12.6] Symlink and open path issue [#3537](https://github.com/sandboxie-plus/Sandboxie/issues/3537)
- In Application Compartment Box,There is a bug in file redirection,CreateDirectory Fail [#3637](https://github.com/sandboxie-plus/Sandboxie/issues/3637)
- fixed issues with appcompartment mode compatybility fallback
### Changed
- changed DynData format to add flags


@ -813,6 +813,9 @@ _FX PROCESS *Process_Create(
if (!Dyndata_Active && !proc->bAppCompartment) {
proc->bAppCompartment = TRUE;
proc->always_close_for_boxed = FALSE;
proc->dont_open_for_boxed = FALSE;
proc->protect_host_images = FALSE;
WCHAR info[12];
RtlStringCbPrintfW(info, sizeof(info), L"%d", Driver_OsBuild);
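Review bot: The fallback that forces `bAppCompartment` when `Dyndata_Active` is false now also clears `always_close_for_boxed`, `dont_open_for_boxed` and `protect_host_images`, but nothing at the site says why those three have to be reset here, so the next isolation-only option added to PROCESS can easily be missed in this branch. A why-comment above the assignments would carry that, e.g. `// No DynData for this OS build: fall back to app-compartment mode and clear the isolation-only options that do not apply to it (they may already have been set from the box config)`. If the regular path that applies `bAppCompartment` from the box setting clears the same fields, putting both behind one helper would keep them from drifting; that path is not visible in this hunk. The body of Process_Create starts before and continues after the hunk.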


@ -94,6 +94,9 @@ void DriverAssist::InjectLow(void *_msg)
goto finish;
}
ULONG64 ProcessFlags = SbieApi_QueryProcessInfo((HANDLE)msg->process_id, 0);
BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
//
// notify the box manager about a new process
//
@ -114,10 +117,10 @@ void DriverAssist::InjectLow(void *_msg)
#endif
sbieLow.bHostInject = msg->bHostInject;
// NoSysCallHooks BEGIN
sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
sbieLow.bNoSysHooks = CompartmentMode || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
// NoSysCallHooks END
// NoSbieCons BEGIN
sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieConsole", FALSE);
sbieLow.bNoConsole = CompartmentMode || SbieApi_QueryConfBool(boxname, L"NoSandboxieConsole", FALSE);
// NoSbieCons END
//sbieLow.bIsFirst = IsFirst;
@ -130,7 +133,7 @@ void DriverAssist::InjectLow(void *_msg)
//
// NoSbieDesk BEGIN
if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE))
if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE))
// NoSbieDesk END
if (!msg->bHostInject)
{
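Review bot: The two-line test added before the box-manager notification (`SbieApi_QueryProcessInfo` on the pid, then masking `SBIE_FLAG_APP_COMPARTMENT`) is repeated verbatim in ProcessServer::RunSandboxedGetToken, ServiceServer::CanAccessSCM, ServiceServer::RunHandler2 and TerminalServer::GetUserToken; one helper would keep the five sites from drifting, e.g. `static inline BOOLEAN IsAppCompartment(HANDLE pid) { return (SbieApi_QueryProcessInfo(pid, 0) & SBIE_FLAG_APP_COMPARTMENT) != 0; }`. The replaced `NoSecurityIsolation` lookups were box-wide configuration, whereas the new test is the driver's per-process view, which (per the Process_Create hunk in this commit) also covers the no-DynData fallback; a short comment at the query, `// effective mode as decided by the driver (includes the no-DynData fallback), not the box setting`, would explain why the config is no longer consulted. What `SbieApi_QueryProcessInfo` returns for an unknown pid is not visible here; if it is 0, CompartmentMode becomes FALSE and syscall hooks, console and desktop isolation stay enabled, which is the restrictive default and worth stating in that comment. InjectLow's body continues outside the hunk.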


@ -634,7 +634,7 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
#endif
HANDLE PrimaryTokenHandle = RunSandboxedGetToken(
CallerProcessHandle, CallerInSandbox, boxname, cmd);
CallerProcessHandle, CallerInSandbox, boxname, cmd, (HANDLE)(ULONG_PTR)CallerPid);
if (PrimaryTokenHandle) {
@ -808,12 +808,12 @@ WCHAR *ProcessServer::RunSandboxedCopyString(
//---------------------------------------------------------------------------
bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname)
bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname, BOOLEAN CompartmentMode)
{
if (SbieApi_QueryConfBool(boxname, L"RunRpcssAsSystem", FALSE))
return true;
// OriginalToken BEGIN
if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
// OriginalToken END
//
@ -833,7 +833,7 @@ bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname)
HANDLE ProcessServer::RunSandboxedGetToken(
HANDLE CallerProcessHandle, bool CallerInSandbox, const WCHAR *boxname, const WCHAR* cmd)
HANDLE CallerProcessHandle, bool CallerInSandbox, const WCHAR *boxname, const WCHAR* cmd, HANDLE CallerPid)
{
const ULONG TOKEN_RIGHTS = TOKEN_QUERY | TOKEN_DUPLICATE
| TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID
@ -846,10 +846,13 @@ HANDLE ProcessServer::RunSandboxedGetToken(
bool ShouldAdjustSessionId = true;
bool ShouldAdjustDacl = false;
ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(CallerPid, 0);
BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
if (CallerInSandbox) {
if ((wcscmp(cmd, L"*RPCSS*") == 0 /* || wcscmp(cmd, L"*DCOM*") == 0 */)
&& ProcessServer__RunRpcssAsSystem(boxname)) {
&& ProcessServer__RunRpcssAsSystem(boxname, CompartmentMode)) {
//
// use our system token
@ -865,7 +868,7 @@ HANDLE ProcessServer::RunSandboxedGetToken(
}
else
// OriginalToken BEGIN
if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
// OriginalToken END
{
//
@ -967,7 +970,7 @@ HANDLE ProcessServer::RunSandboxedGetToken(
ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_ALL, TRUE);
else if (SbieApi_QueryConfBool(boxname, L"AdjustBoxedSystem", TRUE))
// OriginalToken BEGIN
if(!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
if(!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
// OriginalToken END
ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_READ, FALSE);
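Review bot: In RunSandboxedGetToken the flag query on `CallerPid` runs unconditionally, before the `if (CallerInSandbox)` branch, so it is also issued for callers that are not sandboxed; the two uses visible in the first hunks (`ProcessServer__RunRpcssAsSystem(boxname, CompartmentMode)` and the `!CompartmentMode && !OriginalToken` test) sit inside that branch, while it is not visible whether the `AdjustBoxedSystem` use later in the function does. If all uses are inside the branch, the two lines can move under `if (CallerInSandbox) {`; otherwise a comment should say what a non-sandboxed or unknown pid yields, e.g. `// CompartmentMode reflects the driver's flag for the caller; a pid the driver does not know yields no flags, so the filtered-token path is taken`, since this value decides whether the caller's original token is handed out instead of a restricted one. The `(HANDLE)(ULONG_PTR)CallerPid` cast at the call site exists only to feed this query, which the helper suggested for DriverAssist::InjectLow would absorb. The function's body continues between and after the hunks.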


@ -65,7 +65,7 @@ protected:
WCHAR *RunSandboxedCopyString(MSG_HEADER *msg, ULONG ofs, ULONG len);
HANDLE RunSandboxedGetToken(
HANDLE CallerProcessHandle, bool CallerInSandbox,
const WCHAR *BoxName, const WCHAR* cmd);
const WCHAR *BoxName, const WCHAR* cmd, HANDLE CallerPid);
BOOL RunSandboxedStartProcess(
HANDLE PrimaryTokenHandle, LONG_PTR BoxNameOrModelPid,
WCHAR *cmd, const WCHAR *dir, WCHAR *env,


@ -520,6 +520,7 @@ finish:
bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName)
{
// Allow setting of DropAdminRights to suppress UAC prompts / elevation from the sandboxed realm
// NOTE: use the SBIE_FLAG_APP_COMPARTMENT !!!!
//if (SbieApi_QueryConfBool(BoxName, L"NoSecurityIsolation", FALSE))
// return false; // if we are not swapping the token we can not drop admin rights so keep this consistent
if (SbieApi_QueryConfBool(BoxName, L"UseSecurityMode", FALSE))
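Review bot: The added `// NOTE: use the SBIE_FLAG_APP_COMPARTMENT !!!!` marks CheckDropRights as the one site in this commit where the compartment check was not converted, but it does not say why; the likely blocker, that `CheckDropRights(BoxName, ExeName)` receives no process id to pass to `SbieApi_QueryProcessInfo`, belongs in the note. Until that is resolved, the rationale preserved in the commented-out line ("if we are not swapping the token we can not drop admin rights") presumably still applies to the compartment fallback, so the inconsistency the comment describes remains. A tracked TODO is more useful than the bare note, e.g. `// TODO: no caller pid is available here; once CheckDropRights receives one, return false when (SbieApi_QueryProcessInfo(pid, 0) & SBIE_FLAG_APP_COMPARTMENT) is set, matching the other token sites`. The function continues past the hunk.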


@ -113,6 +113,8 @@ bool ServiceServer::CanAccessSCM(HANDLE idProcess)
SbieApi_QueryProcess(idProcess, boxname, exename, NULL, NULL); // if this fail we take the global config if present
if (SbieApi_QueryConfBool(boxname, L"UnrestrictedSCM", FALSE))
return true;
ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
//
// DcomLaunch runs as user but needs to be able to access the SCM
@ -134,7 +136,7 @@ bool ServiceServer::CanAccessSCM(HANDLE idProcess)
HANDLE hToken = NULL;
// OriginalToken BEGIN
if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)(UINT_PTR)idProcess);
if (hProcess != NULL) {
OpenProcessToken(hProcess, TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE | STANDARD_RIGHTS_READ, &hToken);
@ -328,8 +330,9 @@ ULONG ServiceServer::RunHandler2(
BOOL asSys;
WCHAR boxname[BOXNAME_COUNT] = { 0 };
SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL);
ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
if (ok) {
errlvl = 0x21;
@ -351,7 +354,7 @@ ULONG ServiceServer::RunHandler2(
ok = OpenProcessToken(GetCurrentProcess(), TOKEN_RIGHTS, &hOldToken);
}
// OriginalToken BEGIN
else if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
else if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (ULONG)(ULONG_PTR)idProcess);
if (!hProcess)
ok = FALSE;
@ -393,7 +396,7 @@ ULONG ServiceServer::RunHandler2(
ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_ALL, TRUE, idProcess);
else if (SbieApi_QueryConfBool(boxname, L"AdjustBoxedSystem", TRUE))
// OriginalToken BEGIN
if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
// OriginalToken END
ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_READ, FALSE);


@ -543,8 +543,11 @@ MSG_HEADER *TerminalServer::GetUserToken(MSG_HEADER *msg)
HANDLE hFilteredToken = NULL;
ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
// OriginalToken BEGIN
if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)
if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)
// OriginalToken END
// UnfilteredToken BEGIN
&& !SbieApi_QueryConfBool(boxname, L"UnfilteredToken", FALSE))