cleanup
This commit is contained in:
parent
970b22a6df
commit
e7ddd1dadd
24
CHANGELOG.md
24
CHANGELOG.md
|
@ -2,21 +2,6 @@
|
|||
All notable changes to this project will be documented in this file.
|
||||
This project adheres to [Semantic Versioning](http://semver.org/).
|
||||
|
||||
## [1.14.2 / 5.69.2] - 2024-??-??
|
||||
|
||||
### Added
|
||||
- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes.
|
||||
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
|
||||
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
|
||||
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
|
||||
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
|
||||
- Add new box type "Maximize Isolation Sandbox".
|
||||
- Add new option "AllowCoverTaskbar" for #3975.
|
||||
|
||||
### Changed
|
||||
- Extend "Temp Template" to make it could delete local template section.
|
||||
|
||||
|
||||
|
||||
## [1.14.2 / 5.69.2] - 2024-06-??
|
||||
|
||||
|
@ -25,6 +10,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|||
- usage: set|append|insert|delete [/passwd:********] <section> <setting> <value>
|
||||
- note: use /passwd without the password to have SbieIni prompot for the password on the console, this hides the password from view and from bing captured with the command line
|
||||
- added checkbox for PromptForInternetAccess option to the New Box Wizard
|
||||
- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes.
|
||||
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
|
||||
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
|
||||
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
|
||||
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
|
||||
- Add new option "AllowCoverTaskbar" for #3975.
|
||||
|
||||
### Changed
|
||||
- Extend "Temp Template" to make it could delete local template section.
|
||||
|
||||
### Fixed
|
||||
- fixed security issue with the newly introduced experimental "UseCreateToken=y" machanism
|
||||
|
|
|
@ -3516,11 +3516,7 @@ ReparseLoop:
|
|||
// open, for a CopyPath that does not exist, must also include
|
||||
// write access, or else it would have been handled earlier already)
|
||||
//
|
||||
|
||||
if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE))
|
||||
status = File_MigrateFile(
|
||||
TruePath, CopyPath, IsWritePath, TRUE);
|
||||
|
||||
|
||||
if (FileType & TYPE_REPARSE_POINT) {
|
||||
|
||||
status = File_MigrateJunction(
|
||||
|
|
|
@ -208,7 +208,8 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
|
|||
}
|
||||
|
||||
|
||||
if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) {
|
||||
if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) {
|
||||
|
||||
HKEY hKey=NULL;
|
||||
PVOID lpData=NULL;
|
||||
DWORD dwLen = 0;
|
||||
|
@ -245,9 +246,11 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
|
|||
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
// SysInfo_DiscardProcesses
|
||||
// Sysinfo_IsTokenAnySid
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken);
|
||||
|
||||
_FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
@ -289,6 +292,13 @@ _FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare)
|
|||
|
||||
return return_value;
|
||||
}
|
||||
|
||||
|
||||
//---------------------------------------------------------------------------
|
||||
// SysInfo_DiscardProcesses
|
||||
//---------------------------------------------------------------------------
|
||||
|
||||
|
||||
_FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
|
||||
{
|
||||
SYSTEM_PROCESS_INFORMATION *curr = buf;
|
||||
|
@ -336,26 +346,23 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
|
|||
next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset);
|
||||
if (next == curr)
|
||||
break;
|
||||
|
||||
WCHAR* imageFileName = NULL;
|
||||
SbieApi_QueryProcess(next->UniqueProcessId, boxname,imageFileName, tempSid, &tempSession);
|
||||
SbieApi_QueryProcess(next->UniqueProcessId, boxname, imageFileName, tempSid, &tempSession);
|
||||
BOOL hideProcess = FALSE;
|
||||
if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) {
|
||||
hideProcess = TRUE;
|
||||
}
|
||||
else
|
||||
if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) {
|
||||
hideProcess = TRUE;
|
||||
} else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) {
|
||||
hideProcess = TRUE;
|
||||
}
|
||||
else
|
||||
if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) {
|
||||
|
||||
else if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) {
|
||||
hideProcess = TRUE;
|
||||
}
|
||||
else if(hiddenProcesses && next->ImageName.Buffer) {
|
||||
WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\');
|
||||
if (imagename) imagename += 1; // skip L'\\'
|
||||
else imagename = next->ImageName.Buffer;
|
||||
if ( !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) {
|
||||
if (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) {
|
||||
for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) {
|
||||
if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) {
|
||||
hideProcess = TRUE;
|
||||
|
|
|
@ -247,7 +247,6 @@ CSandMan::CSandMan(QWidget *parent)
|
|||
SetupHotKeys();
|
||||
|
||||
m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
|
||||
m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139);
|
||||
m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
|
||||
m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
|
||||
m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
|
||||
|
@ -1551,9 +1550,6 @@ QString CSandMan::GetBoxDescription(int boxType)
|
|||
QString Info;
|
||||
|
||||
switch (boxType) {
|
||||
case CSandBoxPlus::eIsoationMax:
|
||||
Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later.");
|
||||
break;
|
||||
case CSandBoxPlus::eHardenedPlus:
|
||||
case CSandBoxPlus::eHardened:
|
||||
Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
|
||||
|
@ -1571,7 +1567,7 @@ QString CSandMan::GetBoxDescription(int boxType)
|
|||
break;
|
||||
}
|
||||
|
||||
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax)
|
||||
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus)
|
||||
Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
|
||||
|
||||
return Info;
|
||||
|
|
|
@ -815,21 +815,6 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const
|
|||
if (m_iUnsecureDebugging != 0)
|
||||
return eInsecure;
|
||||
|
||||
BOOL isMAX = GetBool("HideNonSystemProcesses") &&
|
||||
GetBool("HideOtherBoxes",true) &&
|
||||
GetBool("ClosePrintSpooler") &&
|
||||
!GetBool("OpenClipboard") &&
|
||||
GetBool("BlockInterferePower") &&
|
||||
GetBool("BlockInterferenceControl") &&
|
||||
GetBool("BlockScreenCapture") &&
|
||||
GetBool("UseSandboxDesktop") &&
|
||||
GetBool("ConfidentialBox") &&
|
||||
GetBool("CoverBoxedWindows") &&
|
||||
GetBool("AlertBeforeStart") &&
|
||||
GetBool("ForceProtectionOnMount") &&
|
||||
GetBool("ProtectHostImages");
|
||||
if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced)
|
||||
return eIsoationMax;
|
||||
if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
|
||||
return eHardenedPlus;
|
||||
if (m_bSecurityEnhanced)
|
||||
|
|
|
@ -146,7 +146,6 @@ public:
|
|||
{
|
||||
eHardenedPlus,
|
||||
eHardened,
|
||||
eIsoationMax,
|
||||
eDefaultPlus,
|
||||
eDefault,
|
||||
eAppBoxPlus,
|
||||
|
|
|
@ -61,7 +61,6 @@ void COptionsWindow::CreateGeneral()
|
|||
|
||||
|
||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
|
||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax);
|
||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
|
||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
|
||||
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
|
||||
|
@ -1068,24 +1067,8 @@ void COptionsWindow::UpdateBoxType()
|
|||
bool bPrivacyMode = ui.chkPrivacy->isChecked();
|
||||
bool bSecurityMode = ui.chkSecurityMode->isChecked();
|
||||
bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
|
||||
bool bIsoationMax = ui.chkHideHostProcesses->isChecked()
|
||||
&& ui.chkBlockWMI->isChecked()
|
||||
&& ui.chkHideOtherBoxes->isChecked()
|
||||
&& ui.chkBlockSpooler->isChecked()
|
||||
&& ui.chkProtectPower->isChecked()
|
||||
&& ui.chkCloseClipBoard->isChecked()
|
||||
&& ui.chkUserOperation->isChecked()
|
||||
&& ui.chkBlockCapture->isChecked()
|
||||
&& ui.chkConfidential->isChecked()
|
||||
&& ui.chkProtectWindow->isChecked()
|
||||
&& ui.chkAlertBeforeStart->isChecked()
|
||||
&& ui.chkForceProtection->isChecked()
|
||||
&& bSecurityMode && bPrivacyMode && !bAppBox;
|
||||
|
||||
int BoxType;
|
||||
if (bIsoationMax)
|
||||
BoxType = (int)CSandBoxPlus::eIsoationMax;
|
||||
else
|
||||
if (bAppBox)
|
||||
BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
|
||||
else if (bSecurityMode)
|
||||
|
@ -1111,51 +1094,13 @@ void COptionsWindow::OnBoxTypChanged()
|
|||
int BoxType = ui.cmbBoxType->currentData().toInt();
|
||||
|
||||
switch (BoxType) {
|
||||
case CSandBoxPlus::eIsoationMax:
|
||||
/*pBox->SetBool("HideNonSystemProcess", true);
|
||||
pBox->InsertText("Template", "BlockAccessWMI");
|
||||
pBox->InsertText("Template", "BlockDNS");
|
||||
pBox->SetBool("HideOtherBoxes", true);
|
||||
pBox->SetBool("ClosePrintSpooler", true);
|
||||
pBox->SetBool("OpenClipboard", false);
|
||||
pBox->SetBool("BlockInterferePower", true);
|
||||
pBox->SetBool("BlockInterferenceControl", true);
|
||||
pBox->SetBool("BlockScreenCapture", true);
|
||||
pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any");
|
||||
pBox->SetBool("UseSandboxDesktop", true);
|
||||
pBox->SetBool("ConfidentialBox", true);
|
||||
pBox->SetBool("CoverBoxedWindows", true);
|
||||
pBox->SetBool("AlertBeforeStart", true);
|
||||
pBox->SetBool("ForceProtectionOnMount", true);
|
||||
pBox->SetNum64("ProcessMemoryLimit", 80000000);
|
||||
pBox->SetNum("ProcessNumberLimit", 20);
|
||||
pBox->SetBool("ProtectHostImages", true);*/
|
||||
ui.chkBlockWMI->setChecked(true);
|
||||
ui.chkBlockDns->setChecked(true);
|
||||
ui.chkHideOtherBoxes->setChecked(true);
|
||||
ui.chkCloseClipBoard->setChecked(true);
|
||||
ui.chkBlockSpooler->setChecked(true);
|
||||
ui.chkBlockCapture->setChecked(true);
|
||||
ui.chkAddToJob->setChecked(true);
|
||||
ui.chkAlertBeforeStart->setChecked(true);
|
||||
ui.chkConfidential->setChecked(true);
|
||||
ui.chkProtectPower->setChecked(true);
|
||||
ui.chkUserOperation->setChecked(true);
|
||||
ui.chkProtectWindow->setChecked(true);
|
||||
ui.chkProtectSCM->setChecked(true);
|
||||
ui.chkProtectSystem->setChecked(true);
|
||||
ui.chkRestrictServices->setChecked(true);
|
||||
ui.chkSbieLogon->setChecked(true);
|
||||
ui.chkDropPrivileges->setChecked(true);
|
||||
ui.chkHideOtherBoxes->setChecked(true);
|
||||
ui.chkHostProtect->setChecked(true);
|
||||
case CSandBoxPlus::eHardenedPlus:
|
||||
case CSandBoxPlus::eHardened:
|
||||
ui.chkNoSecurityIsolation->setChecked(false);
|
||||
ui.chkNoSecurityFiltering->setChecked(false);
|
||||
ui.chkSecurityMode->setChecked(true);
|
||||
//ui.chkRestrictServices->setChecked(true);
|
||||
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax);
|
||||
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus);
|
||||
//SetTemplate("NoUACProxy", false);
|
||||
SetTemplate("RpcPortBindingsExt", false);
|
||||
break;
|
||||
|
|
|
@ -182,25 +182,6 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
|
|||
if (!disableWizardSettings || sharedTemplateMode == 0) {
|
||||
switch (BoxType)
|
||||
{
|
||||
case CSandBoxPlus::eIsoationMax:
|
||||
pBox->SetBool("HideNonSystemProcesses", true);
|
||||
pBox->InsertText("Template", "BlockAccessWMI");
|
||||
pBox->InsertText("Template", "BlockDNS");
|
||||
pBox->SetBool("HideOtherBoxes", true);
|
||||
pBox->SetBool("ClosePrintSpooler", true);
|
||||
pBox->SetBool("OpenClipboard", false);
|
||||
pBox->SetBool("BlockInterferePower", true);
|
||||
pBox->SetBool("BlockInterferenceControl", true);
|
||||
pBox->SetBool("BlockScreenCapture", true);
|
||||
pBox->InsertText("Template","BlockLocalConnect");
|
||||
pBox->SetBool("UseSandboxDesktop", true);
|
||||
pBox->SetBool("ConfidentialBox", true);
|
||||
pBox->SetBool("CoverBoxedWindows", true);
|
||||
pBox->SetBool("AlertBeforeStart", true);
|
||||
pBox->SetBool("ForceProtectionOnMount", true);
|
||||
pBox->SetNum64("ProcessMemoryLimit", 80000000);
|
||||
pBox->SetNum("ProcessNumberLimit", 20);
|
||||
pBox->SetBool("ProtectHostImages", true);
|
||||
case CSandBoxPlus::eHardenedPlus:
|
||||
pBox->SetBool("UsePrivacyMode", true);
|
||||
case CSandBoxPlus::eHardened:
|
||||
|
@ -266,16 +247,12 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
|
|||
}
|
||||
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
|
||||
|
||||
|
||||
|
||||
|
||||
bool bAllowNetwork = field("blockNetwork").toInt() == 0;
|
||||
if (field("promptAccess").toBool() && !bAllowNetwork)
|
||||
pBox->SetBool("PromptForInternetAccess", true);
|
||||
|
||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax);
|
||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
|
||||
bool bAppBox = (BoxType == CSandBoxPlus::eAppBoxPlus || BoxType == CSandBoxPlus::eAppBox);
|
||||
|
||||
bool bDropAdmin = field("dropAdmin").toBool();
|
||||
if (field("dropAdmin").toBool() && !bHardened)
|
||||
pBox->SetBool("DropAdminRights", true);
|
||||
|
@ -413,10 +390,7 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent)
|
|||
//return qMakePair(pW, pIcon);
|
||||
return pC;
|
||||
};
|
||||
AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax,
|
||||
tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n"
|
||||
"In addition, there are other configurations that facilitate isolation,\n"
|
||||
"such as processes and image access control, and so on."));
|
||||
|
||||
AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus,
|
||||
tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
|
||||
"It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
|
||||
|
@ -827,7 +801,7 @@ void CIsolationPage::initializePage()
|
|||
{
|
||||
int BoxType = wizard()->field("boxType").toInt();
|
||||
|
||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax);
|
||||
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
|
||||
bool bDropAdmin = field("dropAdmin").toBool();
|
||||
m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
|
||||
m_pShareAccess->setEnabled(!bHardened);
|
||||
|
|
Loading…
Reference in New Issue