From e7ddd1dadd30f06cb92304fc4091efe192eaa7fd Mon Sep 17 00:00:00 2001 From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com> Date: Sun, 16 Jun 2024 14:08:16 +0200 Subject: [PATCH] cleanup --- CHANGELOG.md | 24 +++----- Sandboxie/core/dll/file.c | 6 +- Sandboxie/core/dll/sysinfo.c | 29 ++++++---- SandboxiePlus/SandMan/SandMan.cpp | 6 +- SandboxiePlus/SandMan/SbiePlusAPI.cpp | 15 ----- SandboxiePlus/SandMan/SbiePlusAPI.h | 1 - .../SandMan/Windows/OptionsGeneral.cpp | 57 +------------------ .../SandMan/Wizards/NewBoxWizard.cpp | 32 +---------- 8 files changed, 33 insertions(+), 137 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0783b8a5..6404585d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,21 +2,6 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [1.14.2 / 5.69.2] - 2024-??-?? - -### Added -- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes. -- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). -- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue -- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. -- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox. -- Add new box type "Maximize Isolation Sandbox". -- Add new option "AllowCoverTaskbar" for #3975. - -### Changed -- Extend "Temp Template" to make it could delete local template section. - - ## [1.14.2 / 5.69.2] - 2024-06-?? @@ -25,6 +10,15 @@ This project adheres to [Semantic Versioning](http://semver.org/). - usage: set|append|insert|delete [/passwd:********]
- note: use /passwd without the password to have SbieIni prompot for the password on the console, this hides the password from view and from bing captured with the command line - added checkbox for PromptForInternetAccess option to the New Box Wizard +- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes. +- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.). +- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue +- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI. +- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox. +- Add new option "AllowCoverTaskbar" for #3975. + +### Changed +- Extend "Temp Template" to make it could delete local template section. ### Fixed - fixed security issue with the newly introduced experimental "UseCreateToken=y" machanism diff --git a/Sandboxie/core/dll/file.c b/Sandboxie/core/dll/file.c index a604b60a..9709d07f 100644 --- a/Sandboxie/core/dll/file.c +++ b/Sandboxie/core/dll/file.c @@ -3516,11 +3516,7 @@ ReparseLoop: // open, for a CopyPath that does not exist, must also include // write access, or else it would have been handled earlier already) // - - if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE)) - status = File_MigrateFile( - TruePath, CopyPath, IsWritePath, TRUE); - + if (FileType & TYPE_REPARSE_POINT) { status = File_MigrateJunction( diff --git a/Sandboxie/core/dll/sysinfo.c b/Sandboxie/core/dll/sysinfo.c index 16ec7a0f..de863710 100644 --- a/Sandboxie/core/dll/sysinfo.c +++ b/Sandboxie/core/dll/sysinfo.c 
@@ -208,7 +208,8 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( } - if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { + if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { + HKEY hKey=NULL; PVOID lpData=NULL; DWORD dwLen = 0; @@ -245,9 +246,11 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation( //--------------------------------------------------------------------------- -// SysInfo_DiscardProcesses +// Sysinfo_IsTokenAnySid //--------------------------------------------------------------------------- + BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken); + _FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare) { NTSTATUS status; @@ -289,6 +292,13 @@ _FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare) return return_value; } + + +//--------------------------------------------------------------------------- +// SysInfo_DiscardProcesses +//--------------------------------------------------------------------------- + + _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) { SYSTEM_PROCESS_INFORMATION *curr = buf; 
@@ -336,26 +346,23 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset); if (next == curr) break; + WCHAR* imageFileName = NULL; - SbieApi_QueryProcess(next->UniqueProcessId, boxname,imageFileName, tempSid, &tempSession); + SbieApi_QueryProcess(next->UniqueProcessId, boxname, imageFileName, tempSid, &tempSession); BOOL hideProcess = FALSE; if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) { - hideProcess = TRUE; - } - else - if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { + hideProcess = TRUE; + } else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) { hideProcess = TRUE; } - else - if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) { - + else if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) { hideProcess = TRUE; } else if(hiddenProcesses && next->ImageName.Buffer) { WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\'); if (imagename) imagename += 1; // skip L'\\' else imagename = next->ImageName.Buffer; - if ( !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { + if (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) { if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) { hideProcess = TRUE; diff --git a/SandboxiePlus/SandMan/SandMan.cpp b/SandboxiePlus/SandMan/SandMan.cpp index 6257674e..31f242d5 100644 --- a/SandboxiePlus/SandMan/SandMan.cpp 
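Review bot: `imageFileName` is set to `NULL` and passed to `SbieApi_QueryProcess` by value, so it is still `NULL` when the `HideSbieProcesses` branch evaluates `*imageFileName`. With that option enabled, any entry that falls through the first two branches dereferences a null pointer in this loop. Give the name real storage before the call, e.g. `WCHAR imageFileName[IMAGE_NAME_LEN] = { 0 };` (`IMAGE_NAME_LEN` is a placeholder; use the size `SbieApi_QueryProcess` expects for that argument), or test `next->ImageName.Buffer` the way the `hiddenProcesses` branch below already does. The return value of `SbieApi_QueryProcess` is also ignored, so if `boxname` and `tempSid` are not reset on each iteration (their declarations are outside this hunk), a failed query would presumably reuse the previous process's values when deciding what to hide. The function body starts and ends outside the hunk.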
+++ b/SandboxiePlus/SandMan/SandMan.cpp @@ -247,7 +247,6 @@ CSandMan::CSandMan(QWidget *parent) SetupHotKeys(); m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4); - m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139); m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2); m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248); m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2); @@ -1551,9 +1550,6 @@ QString CSandMan::GetBoxDescription(int boxType) QString Info; switch (boxType) { - case CSandBoxPlus::eIsoationMax: - Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later."); - break; case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardened: Info = tr("This box provides enhanced security isolation, it is suitable to test untrusted software."); @@ -1571,7 +1567,7 @@ QString CSandMan::GetBoxDescription(int boxType) break; } - if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax) + if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus) Info.append(tr("

This box prevents access to all user data locations, except explicitly granted in the Resource Access options.")); return Info; diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.cpp b/SandboxiePlus/SandMan/SbiePlusAPI.cpp index 1c3ec384..89d6340a 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.cpp +++ b/SandboxiePlus/SandMan/SbiePlusAPI.cpp @@ -815,21 +815,6 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const if (m_iUnsecureDebugging != 0) return eInsecure; - BOOL isMAX = GetBool("HideNonSystemProcesses") && - GetBool("HideOtherBoxes",true) && - GetBool("ClosePrintSpooler") && - !GetBool("OpenClipboard") && - GetBool("BlockInterferePower") && - GetBool("BlockInterferenceControl") && - GetBool("BlockScreenCapture") && - GetBool("UseSandboxDesktop") && - GetBool("ConfidentialBox") && - GetBool("CoverBoxedWindows") && - GetBool("AlertBeforeStart") && - GetBool("ForceProtectionOnMount") && - GetBool("ProtectHostImages"); - if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced) - return eIsoationMax; if (m_bSecurityEnhanced && m_bPrivacyEnhanced) return eHardenedPlus; if (m_bSecurityEnhanced) diff --git a/SandboxiePlus/SandMan/SbiePlusAPI.h b/SandboxiePlus/SandMan/SbiePlusAPI.h index 788221c3..da3dc4f6 100644 --- a/SandboxiePlus/SandMan/SbiePlusAPI.h +++ b/SandboxiePlus/SandMan/SbiePlusAPI.h @@ -146,7 +146,6 @@ public: { eHardenedPlus, eHardened, - eIsoationMax, eDefaultPlus, eDefault, eAppBoxPlus, diff --git a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp index e2853c8b..68d656be 100644 --- a/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp +++ b/SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp 
@@ -61,7 +61,6 @@ void COptionsWindow::CreateGeneral() ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus); - ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault); @@ -1068,24 +1067,8 @@ void COptionsWindow::UpdateBoxType() bool bPrivacyMode = ui.chkPrivacy->isChecked(); bool bSecurityMode = ui.chkSecurityMode->isChecked(); bool bAppBox = ui.chkNoSecurityIsolation->isChecked(); - bool bIsoationMax = ui.chkHideHostProcesses->isChecked() - && ui.chkBlockWMI->isChecked() - && ui.chkHideOtherBoxes->isChecked() - && ui.chkBlockSpooler->isChecked() - && ui.chkProtectPower->isChecked() - && ui.chkCloseClipBoard->isChecked() - && ui.chkUserOperation->isChecked() - && ui.chkBlockCapture->isChecked() - && ui.chkConfidential->isChecked() - && ui.chkProtectWindow->isChecked() - && ui.chkAlertBeforeStart->isChecked() - && ui.chkForceProtection->isChecked() - && bSecurityMode && bPrivacyMode && !bAppBox; int BoxType; - if (bIsoationMax) - BoxType = (int)CSandBoxPlus::eIsoationMax; - else if (bAppBox) BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox; else if (bSecurityMode) 
@@ -1111,51 +1094,13 @@ void COptionsWindow::OnBoxTypChanged() int BoxType = ui.cmbBoxType->currentData().toInt(); switch (BoxType) { - case CSandBoxPlus::eIsoationMax: - /*pBox->SetBool("HideNonSystemProcess", true); - pBox->InsertText("Template", "BlockAccessWMI"); - pBox->InsertText("Template", "BlockDNS"); - pBox->SetBool("HideOtherBoxes", true); - pBox->SetBool("ClosePrintSpooler", true); - pBox->SetBool("OpenClipboard", false); - pBox->SetBool("BlockInterferePower", true); - pBox->SetBool("BlockInterferenceControl", true); - pBox->SetBool("BlockScreenCapture", true); - pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any"); - pBox->SetBool("UseSandboxDesktop", true); - pBox->SetBool("ConfidentialBox", true); - pBox->SetBool("CoverBoxedWindows", true); - pBox->SetBool("AlertBeforeStart", true); - pBox->SetBool("ForceProtectionOnMount", true); - pBox->SetNum64("ProcessMemoryLimit", 80000000); - pBox->SetNum("ProcessNumberLimit", 20); - pBox->SetBool("ProtectHostImages", true);*/ - ui.chkBlockWMI->setChecked(true); - ui.chkBlockDns->setChecked(true); - ui.chkHideOtherBoxes->setChecked(true); - ui.chkCloseClipBoard->setChecked(true); - ui.chkBlockSpooler->setChecked(true); - ui.chkBlockCapture->setChecked(true); - ui.chkAddToJob->setChecked(true); - ui.chkAlertBeforeStart->setChecked(true); - ui.chkConfidential->setChecked(true); - ui.chkProtectPower->setChecked(true); - ui.chkUserOperation->setChecked(true); - ui.chkProtectWindow->setChecked(true); - ui.chkProtectSCM->setChecked(true); - ui.chkProtectSystem->setChecked(true); - ui.chkRestrictServices->setChecked(true); - ui.chkSbieLogon->setChecked(true); - ui.chkDropPrivileges->setChecked(true); - ui.chkHideOtherBoxes->setChecked(true); - ui.chkHostProtect->setChecked(true); case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardened: ui.chkNoSecurityIsolation->setChecked(false); ui.chkNoSecurityFiltering->setChecked(false); ui.chkSecurityMode->setChecked(true); 
//ui.chkRestrictServices->setChecked(true); - ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax); + ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus); //SetTemplate("NoUACProxy", false); SetTemplate("RpcPortBindingsExt", false); break; diff --git a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp index 2be675f8..5542a1b3 100644 --- a/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp +++ b/SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp @@ -182,25 +182,6 @@ SB_STATUS CNewBoxWizard::TryToCreateBox() if (!disableWizardSettings || sharedTemplateMode == 0) { switch (BoxType) { - case CSandBoxPlus::eIsoationMax: - pBox->SetBool("HideNonSystemProcesses", true); - pBox->InsertText("Template", "BlockAccessWMI"); - pBox->InsertText("Template", "BlockDNS"); - pBox->SetBool("HideOtherBoxes", true); - pBox->SetBool("ClosePrintSpooler", true); - pBox->SetBool("OpenClipboard", false); - pBox->SetBool("BlockInterferePower", true); - pBox->SetBool("BlockInterferenceControl", true); - pBox->SetBool("BlockScreenCapture", true); - pBox->InsertText("Template","BlockLocalConnect"); - pBox->SetBool("UseSandboxDesktop", true); - pBox->SetBool("ConfidentialBox", true); - pBox->SetBool("CoverBoxedWindows", true); - pBox->SetBool("AlertBeforeStart", true); - pBox->SetBool("ForceProtectionOnMount", true); - pBox->SetNum64("ProcessMemoryLimit", 80000000); - pBox->SetNum("ProcessNumberLimit", 20); - pBox->SetBool("ProtectHostImages", true); case CSandBoxPlus::eHardenedPlus: pBox->SetBool("UsePrivacyMode", true); case CSandBoxPlus::eHardened: 
@@ -266,16 +247,12 @@ SB_STATUS CNewBoxWizard::TryToCreateBox() } pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool()); - - - bool bAllowNetwork = field("blockNetwork").toInt() == 0; if (field("promptAccess").toBool() && !bAllowNetwork) pBox->SetBool("PromptForInternetAccess", true); - bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax); + bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened); bool bAppBox = (BoxType == CSandBoxPlus::eAppBoxPlus || BoxType == CSandBoxPlus::eAppBox); - bool bDropAdmin = field("dropAdmin").toBool(); if (field("dropAdmin").toBool() && !bHardened) pBox->SetBool("DropAdminRights", true); @@ -413,10 +390,7 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent) //return qMakePair(pW, pIcon); return pC; }; - AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax, - tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n" - "In addition, there are other configurations that facilitate isolation,\n" - "such as processes and image access control, and so on.")); + AddBoxType(tr("Security Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus, tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n" "It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n" 
@@ -827,7 +801,7 @@ void CIsolationPage::initializePage() { int BoxType = wizard()->field("boxType").toInt(); - bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax); + bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened); bool bDropAdmin = field("dropAdmin").toBool(); m_pMSIServer->setEnabled(!bHardened && !bDropAdmin); m_pShareAccess->setEnabled(!bHardened);