From c3b7306ed18fa92331fceff7516032dc733f3334 Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Sun, 12 Mar 2023 19:30:28 +0100
Subject: [PATCH] 1.8.1
---
 CHANGELOG.md | 1 +
 Sandboxie/core/drv/api_defs.h | 2 ++
 Sandboxie/core/drv/conf_user.c | 15 +++++++++++++--
 Sandboxie/core/svc/ProcessServer.cpp | 10 +++++++---
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7015511f..560f6e0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - fixed issue with NT namespace virtualization [#2701](https://github.com/sandboxie-plus/Sandboxie/issues/2701)
 - fixed issue with run unsandboxed [#2710](https://github.com/sandboxie-plus/Sandboxie/issues/2710)
 - fixed issue with new box wizard [#2729](https://github.com/sandboxie-plus/Sandboxie/issues/2729)
+- fixed issue with break out processes and user restricted sandboxes [#2732](https://github.com/sandboxie-plus/Sandboxie/issues/2732)
diff --git a/Sandboxie/core/drv/api_defs.h b/Sandboxie/core/drv/api_defs.h
index 261d6bad..6d341f04 100644
--- a/Sandboxie/core/drv/api_defs.h
+++ b/Sandboxie/core/drv/api_defs.h
@@ -409,6 +409,8 @@ API_ARGS_CLOSE(API_SESSION_LEADER_ARGS)
 API_ARGS_BEGIN(API_IS_BOX_ENABLED_ARGS)
 API_ARGS_FIELD(WCHAR *,box_name)
+API_ARGS_FIELD(WCHAR *,sid_string)
+API_ARGS_FIELD(ULONG, session_id)
 API_ARGS_CLOSE(API_IS_BOX_ENABLED_ARGS)
diff --git a/Sandboxie/core/drv/conf_user.c b/Sandboxie/core/drv/conf_user.c
index 89dbd3fa..95fffa02 100644
--- a/Sandboxie/core/drv/conf_user.c
+++ b/Sandboxie/core/drv/conf_user.c
@@ -565,19 +565,30 @@ _FX NTSTATUS Conf_Api_IsBoxEnabled(PROCESS *proc, ULONG64 *parms)
 NTSTATUS status;
 ULONG SessionId;
 UNICODE_STRING SidString;
+ const WCHAR* sid;
 WCHAR boxname[34];
 if (! Api_CopyBoxNameFromUser(boxname, (WCHAR *)args->box_name.val)) return STATUS_INVALID_PARAMETER;
- status = Process_GetSidStringAndSessionId(
+ if (args->sid_string.val != NULL) {
+ sid = args->sid_string.val;
+ SessionId = args->session_id.val;
+ SidString.Buffer = NULL;
+ status = STATUS_SUCCESS;
+ }
+ else {
+ status = Process_GetSidStringAndSessionId(
 NtCurrentProcess(), NULL, &SidString, &SessionId);
+ sid = SidString.Buffer;
+ }
+
 if (NT_SUCCESS(status)) {
 status = Conf_IsValidBox(boxname);
 if (NT_SUCCESS(status)) {
- if (! Conf_IsBoxEnabled(boxname, SidString.Buffer, SessionId))
+ if (! Conf_IsBoxEnabled(boxname, sid, SessionId))
 status = STATUS_ACCOUNT_RESTRICTION;
 }
diff --git a/Sandboxie/core/svc/ProcessServer.cpp b/Sandboxie/core/svc/ProcessServer.cpp
index 33e587aa..d9735615 100644
--- a/Sandboxie/core/svc/ProcessServer.cpp
+++ b/Sandboxie/core/svc/ProcessServer.cpp
@@ -512,11 +512,13 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
 LONG_PTR BoxNameOrModelPid;
 bool CallerInSandbox;
 WCHAR boxname[48] = { 0 };
+ WCHAR sid[96];
+ ULONG session_id;
 BOOL FilterHandles = FALSE;
 if (SbieApi_QueryProcessInfo((HANDLE)(ULONG_PTR)CallerPid, 0)) {
 CallerInSandbox = true;
- SbieApi_QueryProcess((HANDLE)(ULONG_PTR)CallerPid, boxname, NULL, NULL, NULL);
+ SbieApi_QueryProcess((HANDLE)(ULONG_PTR)CallerPid, boxname, NULL, sid, &session_id);
 BoxNameOrModelPid = -(LONG_PTR)(LONG)CallerPid;
 if ((req->si_flags & 0x80000000) != 0) { // bsession0 - this is only allowed for unsandboxed processes
 lvl = 0xFF;
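Review bot: The caller-supplied `sid_string` pointer is used by the driver without being copied or probed: in Conf_Api_IsBoxEnabled (conf_user.c) the new branch assigns `sid = args->sid_string.val` and passes it to Conf_IsBoxEnabled as is, while box_name from the same argument block is first copied with Api_CopyBoxNameFromUser. If this API is reachable from user mode, the driver then reads a caller-controlled address with no length bound and no protection against the buffer changing or being unmapped during the check; the sketch below copies the string into a bounded kernel buffer under `__try`/`__except` first. Because the branch is taken whenever the field is non-NULL, callers that still pass only box_name must zero the two fields added in api_defs.h, and the caller now chooses the SID and session that are evaluated, which deserves a comment naming the intended caller. The function continues outside the hunk, so how the later cleanup treats `SidString.Buffer = NULL` cannot be checked here.

```c
    WCHAR sid_copy[96];     /* same capacity as the caller's buffer in ProcessServer.cpp */
    ULONG i;

    // … unchanged: box name copy …

    if (args->sid_string.val != NULL) {
        const WCHAR *user_sid = (const WCHAR *)args->sid_string.val;
        status = STATUS_INVALID_PARAMETER;  /* stays set if no terminator is found in bounds */
        __try {
            ProbeForRead((void *)user_sid, sizeof(sid_copy), sizeof(WCHAR));
            for (i = 0; i < sizeof(sid_copy) / sizeof(WCHAR); ++i) {
                sid_copy[i] = user_sid[i];
                if (sid_copy[i] == L'\0') {
                    status = STATUS_SUCCESS;
                    break;
                }
            }
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            status = GetExceptionCode();
        }
        sid = sid_copy;
        SessionId = args->session_id.val;
        SidString.Buffer = NULL;
    }
    // … unchanged: else branch querying the current process …
```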
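Review bot: `sid` and `session_id` in RunSandboxedHandler (ProcessServer.cpp) are declared without initializers and filled only by SbieApi_QueryProcess, whose return value is ignored both in this hunk and in the `@@ -527,7 +529,7 @@` hunk, so a failed query leaves indeterminate stack contents in them. They are later passed to API_IS_BOX_ENABLED, and because the `sid` pointer is never NULL the driver takes its caller-supplied branch and evaluates whatever the buffer holds. The `else` branch that sets `BoxNameOrModelPid = (LONG_PTR)req->boxname` does not set them at all; whether the box loop can be reached from there is not visible in these hunks. Initialize them next to `boxname`, e.g. `WCHAR sid[96] = { 0 };` and `ULONG session_id = 0;`, and treat a failed SbieApi_QueryProcess as an error instead of continuing. RunSandboxedHandler starts and ends outside the hunk.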
@@ -527,7 +529,7 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
 CallerInSandbox = false;
 if (*req->boxname == L'-') {
 int Pid = _wtoi(req->boxname + 1);
- SbieApi_QueryProcess((HANDLE)(ULONG_PTR)Pid, boxname, NULL, NULL, NULL);
+ SbieApi_QueryProcess((HANDLE)(ULONG_PTR)Pid, boxname, NULL, sid, &session_id);
 BoxNameOrModelPid = -Pid;
 } else {
 BoxNameOrModelPid = (LONG_PTR)req->boxname;
@@ -577,9 +579,11 @@ MSG_HEADER *ProcessServer::RunSandboxedHandler(MSG_HEADER *msg)
 WCHAR BoxName[34];
 int index = -1;
 while (1) {
- index = SbieApi_EnumBoxes(index, BoxName);
+ index = SbieApi_EnumBoxesEx(index, BoxName, TRUE);
 if (index == -1) break;
+ if (!NT_SUCCESS(SbieApi_Call(API_IS_BOX_ENABLED, 3, (ULONG_PTR)BoxName, (ULONG_PTR)sid, (ULONG_PTR)session_id)))
+ continue;
 if (SbieDll_CheckStringInList(lpProgram + 1, BoxName, L"ForceProcess") || SbieDll_CheckPatternInList(lpApplicationName, (ULONG)(lpProgram - lpApplicationName), BoxName, L"ForceFolder")) {
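Review bot: The added check in the box loop skips a box on any failure status from API_IS_BOX_ENABLED, not only on the account-restriction result, so an invalid `sid` or any other driver error is indistinguishable from "this user may not use the box". What happens to a program that matches no box is decided outside the hunk, so it is worth confirming that skipping is the more restrictive outcome there, or else comparing against `STATUS_ACCOUNT_RESTRICTION` explicitly and failing the request on other errors. A short comment above the check would also help, for example `// evaluate box access for the queried process's user (sid/session_id), not for the service's own account`; that reading, and the meaning of the `TRUE` passed to SbieApi_EnumBoxesEx, are inferred from the call and should be confirmed.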