From c30fd024939e19b5084993eebf949d571226f392 Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Sat, 24 Feb 2024 10:25:31 +0100
Subject: [PATCH] 1.13.1
---
 CHANGELOG.md                              | 1 +
 Sandboxie/core/drv/process.c              | 3 +++
 Sandboxie/core/svc/DriverAssistInject.cpp | 9 ++++++---
 Sandboxie/core/svc/ProcessServer.cpp      | 17 ++++++++++-------
 Sandboxie/core/svc/ProcessServer.h        | 2 +-
 Sandboxie/core/svc/main.cpp               | 1 +
 Sandboxie/core/svc/serviceserver2.cpp     | 11 +++++++----
 Sandboxie/core/svc/terminalserver.cpp     | 5 ++++-
 8 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e21a865..291bd149 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - fixed incompatibility with Windows ARM64 Insider build 26052 and later
 - fixed [1.12.6] Symlink and open path issue [#3537](https://github.com/sandboxie-plus/Sandboxie/issues/3537)
 - In Application Compartment Box,There is a bug in file redirection,CreateDirectory Fail [#3637](https://github.com/sandboxie-plus/Sandboxie/issues/3637)
+- fixed issues with appcompartment mode compatybility fallback
 ### Changed
 - changed DynData format to add flags
diff --git a/Sandboxie/core/drv/process.c b/Sandboxie/core/drv/process.c
index 936b2b85..047b6f12 100644
--- a/Sandboxie/core/drv/process.c
+++ b/Sandboxie/core/drv/process.c
@@ -813,6 +813,9 @@ _FX PROCESS *Process_Create(
     if (!Dyndata_Active && !proc->bAppCompartment) {
         proc->bAppCompartment = TRUE;
+        proc->always_close_for_boxed = FALSE;
+        proc->dont_open_for_boxed = FALSE;
+        proc->protect_host_images = FALSE;
         WCHAR info[12];
         RtlStringCbPrintfW(info, sizeof(info), L"%d", Driver_OsBuild);
diff --git a/Sandboxie/core/svc/DriverAssistInject.cpp b/Sandboxie/core/svc/DriverAssistInject.cpp
index e76cac4d..ca854a70 100644
--- a/Sandboxie/core/svc/DriverAssistInject.cpp
+++ b/Sandboxie/core/svc/DriverAssistInject.cpp
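Review bot: The three flags cleared on the new lines of the `Process_Create` hunk in `Sandboxie/core/drv/process.c` carry no comment saying why a fallback into compartment mode has to discard them, so whoever adds the next isolation-only flag gets no hint that it belongs in this list as well. Suggest a comment above the first new line, `// fallback to compartment mode: these restrictions assume an isolated box and must not survive the downgrade`. If the same three fields are also assigned from the box configuration later in the function, that assignment would silently undo this reset; the hunk does not show the rest of the function, so the ordering is worth confirming. Process_Create starts and ends outside the hunk.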
@@ -94,6 +94,9 @@ void DriverAssist::InjectLow(void *_msg)
         goto finish;
     }
+    ULONG64 ProcessFlags = SbieApi_QueryProcessInfo((HANDLE)msg->process_id, 0);
+    BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
+
     //
     // notify the box manager about a new process
     //
@@ -114,10 +117,10 @@ void DriverAssist::InjectLow(void *_msg)
 #endif
     sbieLow.bHostInject = msg->bHostInject;
     // NoSysCallHooks BEGIN
-    sbieLow.bNoSysHooks = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
+    sbieLow.bNoSysHooks = CompartmentMode || SbieApi_QueryConfBool(boxname, L"NoSysCallHooks", FALSE);
     // NoSysCallHooks END
     // NoSbieCons BEGIN
-    sbieLow.bNoConsole = SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"NoSandboxieConsole", FALSE);
+    sbieLow.bNoConsole = CompartmentMode || SbieApi_QueryConfBool(boxname, L"NoSandboxieConsole", FALSE);
     // NoSbieCons END
     //sbieLow.bIsFirst = IsFirst;
@@ -130,7 +133,7 @@ void DriverAssist::InjectLow(void *_msg)
     //
     // NoSbieDesk BEGIN
-    if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE))
+    if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"NoSandboxieDesktop", FALSE))
     // NoSbieDesk END
     if (!msg->bHostInject) {
diff --git a/Sandboxie/core/svc/ProcessServer.cpp b/Sandboxie/core/svc/ProcessServer.cpp
index 774c696b..c3887538 100644
--- a/Sandboxie/core/svc/ProcessServer.cpp
+++ b/Sandboxie/core/svc/ProcessServer.cpp
@@ -634,7 +634,7 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
 #endif
     HANDLE PrimaryTokenHandle = RunSandboxedGetToken(
-        CallerProcessHandle, CallerInSandbox, boxname, cmd);
+        CallerProcessHandle, CallerInSandbox, boxname, cmd, (HANDLE)(ULONG_PTR)CallerPid);
     if (PrimaryTokenHandle) {
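Review bot: The new `ULONG64 ProcessFlags = SbieApi_QueryProcessInfo((HANDLE)msg->process_id, 0);` in the `@@ -94` hunk of `DriverAssistInject.cpp` is consumed without any check that the query succeeded, and its bit test now decides `bNoSysHooks`, `bNoConsole` and the `NoSandboxieDesktop` path for the process being injected. If the API reports failure as 0 the process keeps the isolated (hooked, console, desktop) defaults, which is the safe direction; if failure is signalled any other way, a lookup that fails for a process the driver has not yet registered would switch hooks and console off. The failure contract is not visible in this diff, so either confirm it and record it next to the declaration, `// 0 (not sandboxed or query failed) keeps the isolated defaults`, or test the flag only after a successful query. The same unchecked pattern recurs in `ProcessServer::RunSandboxedGetToken` (`@@ -846`), `ServiceServer::CanAccessSCM` (`@@ -113`), `ServiceServer::RunHandler2` (`@@ -328`) and `TerminalServer::GetUserToken` (`@@ -543`); InjectLow starts and ends outside these hunks.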
@@ -808,12 +808,12 @@ WCHAR *ProcessServer::RunSandboxedCopyString(
 //---------------------------------------------------------------------------
-bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname)
+bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname, BOOLEAN CompartmentMode)
 {
     if (SbieApi_QueryConfBool(boxname, L"RunRpcssAsSystem", FALSE)) return true;
     // OriginalToken BEGIN
-    if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
+    if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
     // OriginalToken END
         //
@@ -833,7 +833,7 @@ bool ProcessServer__RunRpcssAsSystem(const WCHAR* boxname)
 HANDLE ProcessServer::RunSandboxedGetToken(
-    HANDLE CallerProcessHandle, bool CallerInSandbox, const WCHAR *boxname, const WCHAR* cmd)
+    HANDLE CallerProcessHandle, bool CallerInSandbox, const WCHAR *boxname, const WCHAR* cmd, HANDLE CallerPid)
 {
     const ULONG TOKEN_RIGHTS = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID
@@ -846,10 +846,13 @@ HANDLE ProcessServer::RunSandboxedGetToken(
     bool ShouldAdjustSessionId = true;
     bool ShouldAdjustDacl = false;
+    ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(CallerPid, 0);
+    BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
+
     if (CallerInSandbox) {
         if ((wcscmp(cmd, L"*RPCSS*") == 0 /* || wcscmp(cmd, L"*DCOM*") == 0 */)
-            && ProcessServer__RunRpcssAsSystem(boxname)) {
+            && ProcessServer__RunRpcssAsSystem(boxname, CompartmentMode)) {
             //
             // use our system token
@@ -865,7 +868,7 @@ HANDLE ProcessServer::RunSandboxedGetToken(
         } else
         // OriginalToken BEGIN
-        if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
+        if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
         // OriginalToken END
         {
             //
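Review bot: In `RunSandboxedGetToken` (`@@ -846`) the `SbieApi_QueryProcessInfo(CallerPid, 0)` lookup is issued before `if (CallerInSandbox)`, yet every consumer of `CompartmentMode` visible in these hunks — the `ProcessServer__RunRpcssAsSystem` call and the `OriginalToken` branch at `@@ -865` — sits on the sandboxed-caller path, so for an unsandboxed caller the query is made for a process the driver does not track. If the `@@ -967` use is on that path as well, the two declarations can move inside the `if (CallerInSandbox) {` block so the lookup happens only where it is meaningful; this needs checking against the full function, which the hunks do not show. Separately, the new `BOOLEAN CompartmentMode` parameter of `ProcessServer__RunRpcssAsSystem` now feeds a privilege decision (a true result selects the system token for RPCSS, per the `// use our system token` comment) and deserves a comment on the declaration, e.g. `// CompartmentMode: caller carries SBIE_FLAG_APP_COMPARTMENT, i.e. runs without security isolation`. RunSandboxedGetToken continues outside these hunks.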
@@ -967,7 +970,7 @@ HANDLE ProcessServer::RunSandboxedGetToken(
             ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_ALL, TRUE);
         else if (SbieApi_QueryConfBool(boxname, L"AdjustBoxedSystem", TRUE))
         // OriginalToken BEGIN
-            if(!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
+            if(!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
         // OriginalToken END
             ok = RunSandboxedSetDacl(CallerProcessHandle, NewTokenHandle, GENERIC_READ, FALSE);
diff --git a/Sandboxie/core/svc/ProcessServer.h b/Sandboxie/core/svc/ProcessServer.h
index f55a2a40..2ed87872 100644
--- a/Sandboxie/core/svc/ProcessServer.h
+++ b/Sandboxie/core/svc/ProcessServer.h
@@ -65,7 +65,7 @@ protected:
     WCHAR *RunSandboxedCopyString(MSG_HEADER *msg, ULONG ofs, ULONG len);
     HANDLE RunSandboxedGetToken(
         HANDLE CallerProcessHandle, bool CallerInSandbox,
-        const WCHAR *BoxName, const WCHAR* cmd);
+        const WCHAR *BoxName, const WCHAR* cmd, HANDLE CallerPid);
     BOOL RunSandboxedStartProcess(
         HANDLE PrimaryTokenHandle, LONG_PTR BoxNameOrModelPid,
         WCHAR *cmd, const WCHAR *dir, WCHAR *env,
diff --git a/Sandboxie/core/svc/main.cpp b/Sandboxie/core/svc/main.cpp
index 88ba9184..9fecc714 100644
--- a/Sandboxie/core/svc/main.cpp
+++ b/Sandboxie/core/svc/main.cpp
@@ -520,6 +520,7 @@ finish:
 bool CheckDropRights(const WCHAR *BoxName, const WCHAR *ExeName)
 {
     // Allow setting of DropAdminRights to suppress UAC prompts / elevation from the sandboxed realm
+    // NOTE: use the SBIE_FLAG_APP_COMPARTMENT !!!!
     //if (SbieApi_QueryConfBool(BoxName, L"NoSecurityIsolation", FALSE))
     //    return false; // if we are not swapping the token we can not drop admin rights so keep this consistent
     if (SbieApi_QueryConfBool(BoxName, L"UseSecurityMode", FALSE))
diff --git a/Sandboxie/core/svc/serviceserver2.cpp b/Sandboxie/core/svc/serviceserver2.cpp
index 79fc0d47..2a2ca22f 100644
--- a/Sandboxie/core/svc/serviceserver2.cpp
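Review bot: The new `HANDLE CallerPid` parameter in the `RunSandboxedGetToken` declaration in `ProcessServer.h` carries a process id rather than a handle — the call site in `RunSandboxedHandler` (`@@ -634`) builds it with `(HANDLE)(ULONG_PTR)CallerPid` and the definition hands it straight to `SbieApi_QueryProcessInfo`. A reader of the header cannot tell that, and a real handle passed in this slot would be silently misinterpreted. Suggest a trailing comment on the declaration, `const WCHAR *BoxName, const WCHAR* cmd, HANDLE CallerPid); // CallerPid: caller's process id, cast to HANDLE for SbieApi_QueryProcessInfo`.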
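Review bot: The added `// NOTE: use the SBIE_FLAG_APP_COMPARTMENT !!!!` in `CheckDropRights` (`main.cpp`, `@@ -520`) records that this function still has no compartment-mode check while every other `NoSecurityIsolation` test in the commit was switched to the process flag, so the DropAdminRights decision remains keyed on configuration alone. As written the note has no owner and no reason, which makes it easy to lose; if the blocker is that the function receives only `BoxName` and `ExeName` and no pid, say so: `// TODO(DavidXanatos): no pid available here, so SBIE_FLAG_APP_COMPARTMENT cannot be read yet; the dyndata fallback into compartment mode therefore does not affect admin-rights dropping`. The signature in the hunk supports that reading, but the function continues outside the hunk.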
+++ b/Sandboxie/core/svc/serviceserver2.cpp
@@ -113,6 +113,8 @@ bool ServiceServer::CanAccessSCM(HANDLE idProcess)
     SbieApi_QueryProcess(idProcess, boxname, exename, NULL, NULL); // if this fail we take the global config if present
     if (SbieApi_QueryConfBool(boxname, L"UnrestrictedSCM", FALSE)) return true;
+    ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
+    BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
     //
     // DcomLaunch runs as user but needs to be able to access the SCM
@@ -134,7 +136,7 @@ bool ServiceServer::CanAccessSCM(HANDLE idProcess)
     HANDLE hToken = NULL;
     // OriginalToken BEGIN
-    if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
+    if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
         HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)(UINT_PTR)idProcess);
         if (hProcess != NULL) {
             OpenProcessToken(hProcess, TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_DUPLICATE | STANDARD_RIGHTS_READ, &hToken);
@@ -328,8 +330,9 @@ ULONG ServiceServer::RunHandler2(
     BOOL asSys;
     WCHAR boxname[BOXNAME_COUNT] = { 0 };
-    SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL);
+    ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
+    BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
     if (ok) {
         errlvl = 0x21;
@@ -351,7 +354,7 @@ ULONG ServiceServer::RunHandler2(
         ok = OpenProcessToken(GetCurrentProcess(), TOKEN_RIGHTS, &hOldToken);
     }
     // OriginalToken BEGIN
-    else if (SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
+    else if (CompartmentMode || SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)) {
         HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (ULONG)(ULONG_PTR)idProcess);
         if (!hProcess) ok = FALSE;
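Review bot: In `RunHandler2` (`@@ -328`) the removed `SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL);` was the only visible write to `boxname`, which is declared two lines above as `WCHAR boxname[BOXNAME_COUNT] = { 0 };`, yet `boxname` is still read by the `OriginalToken` check at `@@ -351` and by the `AdjustBoxedSystem` / `OriginalToken` checks at `@@ -393`. Unless something between the hunks fills it in, those settings are now queried with an empty box name, so the per-box `OriginalToken` and `AdjustBoxedSystem` values no longer apply on this path and only the defaults or global values are honoured. The flag lookup should sit next to the existing call rather than replace it: `SbieApi_QueryProcess(idProcess, boxname, NULL, NULL, NULL);` followed by `ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);` and `BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;`. RunHandler2 starts and ends outside these hunks.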
@@ -393,7 +396,7 @@ ULONG ServiceServer::RunHandler2(
             ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_ALL, TRUE, idProcess);
         else if (SbieApi_QueryConfBool(boxname, L"AdjustBoxedSystem", TRUE))
         // OriginalToken BEGIN
-            if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
+            if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE))
         // OriginalToken END
             ok = ProcessServer::RunSandboxedSetDacl(hProcess, hNewToken, GENERIC_READ, FALSE);
diff --git a/Sandboxie/core/svc/terminalserver.cpp b/Sandboxie/core/svc/terminalserver.cpp
index 32c93712..f3896288 100644
--- a/Sandboxie/core/svc/terminalserver.cpp
+++ b/Sandboxie/core/svc/terminalserver.cpp
@@ -543,8 +543,11 @@ MSG_HEADER *TerminalServer::GetUserToken(MSG_HEADER *msg)
     HANDLE hFilteredToken = NULL;
+    ULONG64 ProcessFlags = SbieApi_QueryProcessInfo(idProcess, 0);
+    BOOLEAN CompartmentMode = (ProcessFlags & SBIE_FLAG_APP_COMPARTMENT) != 0;
+
     // OriginalToken BEGIN
-    if (!SbieApi_QueryConfBool(boxname, L"NoSecurityIsolation", FALSE) && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)
+    if (!CompartmentMode && !SbieApi_QueryConfBool(boxname, L"OriginalToken", FALSE)
     // OriginalToken END
     // UnfilteredToken BEGIN
         && !SbieApi_QueryConfBool(boxname, L"UnfilteredToken", FALSE))
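Review bot: The `// OriginalToken BEGIN` / `// OriginalToken END` markers in `GetUserToken` (`terminalserver.cpp`, `@@ -543`) and in the `@@ -393` hunk of `RunHandler2` now bracket a condition whose first operand is `CompartmentMode`, not an `OriginalToken` query, so the markers no longer describe what they delimit; the same applies to the `NoSysCallHooks`, `NoSbieCons` and `NoSbieDesk` markers in `DriverAssistInject.cpp`. Since a token-filtering decision is what these lines gate, a reader following the markers to audit the `OriginalToken` feature would now miss the compartment-mode input. If the markers are kept as navigation anchors, extend them to name both inputs, e.g. `// OriginalToken BEGIN (also honours SBIE_FLAG_APP_COMPARTMENT)`. GetUserToken starts and ends outside the hunk.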