mirrors/Sandboxie
mirrors
/
Sandboxie
mirror of https://github.com/sandboxie-plus/Sandboxie.git
1
0
Fork 0
Code Releases Activity

cleanup

This commit is contained in:
DavidXanatos 2024-06-16 14:08:16 +02:00
parent 970b22a6df
commit e7ddd1dadd
8 changed files with 33 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
CHANGELOG.md
View File

@ -2,21 +2,6 @@
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/). This project adheres to [Semantic Versioning](http://semver.org/).
## [1.14.2 / 5.69.2] - 2024-??-??
### Added
- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes.
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
- Add new box type "Maximize Isolation Sandbox".
- Add new option "AllowCoverTaskbar" for #3975.
### Changed
- Extend "Temp Template" to make it could delete local template section.
## [1.14.2 / 5.69.2] - 2024-06-?? ## [1.14.2 / 5.69.2] - 2024-06-??
@ -25,6 +10,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
- usage: set|append|insert|delete [/passwd:********] <section> <setting> <value> - usage: set|append|insert|delete [/passwd:********] <section> <setting> <value>
- note: use /passwd without the password to have SbieIni prompot for the password on the console, this hides the password from view and from bing captured with the command line - note: use /passwd without the password to have SbieIni prompot for the password on the console, this hides the password from view and from bing captured with the command line
- added checkbox for PromptForInternetAccess option to the New Box Wizard - added checkbox for PromptForInternetAccess option to the New Box Wizard
- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes.
- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
- Add new option "AllowCoverTaskbar" for #3975.
### Changed
- Extend "Temp Template" to make it could delete local template section.
### Fixed ### Fixed
- fixed security issue with the newly introduced experimental "UseCreateToken=y" machanism - fixed security issue with the newly introduced experimental "UseCreateToken=y" machanism

6
Sandboxie/core/dll/file.c
View File

@ -3516,11 +3516,7 @@ ReparseLoop:
// open, for a CopyPath that does not exist, must also include // open, for a CopyPath that does not exist, must also include
// write access, or else it would have been handled earlier already) // write access, or else it would have been handled earlier already)
// //
if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE))
status = File_MigrateFile(
TruePath, CopyPath, IsWritePath, TRUE);
if (FileType & TYPE_REPARSE_POINT) { if (FileType & TYPE_REPARSE_POINT) {
status = File_MigrateJunction( status = File_MigrateJunction(

29
Sandboxie/core/dll/sysinfo.c
View File

@ -208,7 +208,8 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
} }
if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) { if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) {
HKEY hKey=NULL; HKEY hKey=NULL;
PVOID lpData=NULL; PVOID lpData=NULL;
DWORD dwLen = 0; DWORD dwLen = 0;
@ -245,9 +246,11 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
// SysInfo_DiscardProcesses // Sysinfo_IsTokenAnySid
//--------------------------------------------------------------------------- //---------------------------------------------------------------------------
BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken); BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken);
_FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare) _FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare)
{ {
NTSTATUS status; NTSTATUS status;
@ -289,6 +292,13 @@ _FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare)
return return_value; return return_value;
} }
//---------------------------------------------------------------------------
// SysInfo_DiscardProcesses
//---------------------------------------------------------------------------
_FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf) _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
{ {
SYSTEM_PROCESS_INFORMATION *curr = buf; SYSTEM_PROCESS_INFORMATION *curr = buf;
@ -336,26 +346,23 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset); next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset);
if (next == curr) if (next == curr)
break; break;
WCHAR* imageFileName = NULL; WCHAR* imageFileName = NULL;
SbieApi_QueryProcess(next->UniqueProcessId, boxname,imageFileName, tempSid, &tempSession); SbieApi_QueryProcess(next->UniqueProcessId, boxname, imageFileName, tempSid, &tempSession);
BOOL hideProcess = FALSE; BOOL hideProcess = FALSE;
if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) { if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0 && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) {
hideProcess = TRUE; hideProcess = TRUE;
} } else if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) {
else
if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) {
hideProcess = TRUE; hideProcess = TRUE;
} }
else else if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) {
if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) {
hideProcess = TRUE; hideProcess = TRUE;
} }
else if(hiddenProcesses && next->ImageName.Buffer) { else if(hiddenProcesses && next->ImageName.Buffer) {
WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\'); WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\');
if (imagename) imagename += 1; // skip L'\\' if (imagename) imagename += 1; // skip L'\\'
else imagename = next->ImageName.Buffer; else imagename = next->ImageName.Buffer;
if ( !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) { if (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) {
for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) { for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) {
if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) { if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) {
hideProcess = TRUE; hideProcess = TRUE;

6
SandboxiePlus/SandMan/SandMan.cpp
View File

@ -247,7 +247,6 @@ CSandMan::CSandMan(QWidget *parent)
SetupHotKeys(); SetupHotKeys();
m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4); m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139);
m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2); m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248); m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2); m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
@ -1551,9 +1550,6 @@ QString CSandMan::GetBoxDescription(int boxType)
QString Info; QString Info;
switch (boxType) { switch (boxType) {
case CSandBoxPlus::eIsoationMax:
Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later.");
break;
case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardenedPlus:
case CSandBoxPlus::eHardened: case CSandBoxPlus::eHardened:
Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software."); Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
@ -1571,7 +1567,7 @@ QString CSandMan::GetBoxDescription(int boxType)
break; break;
} }
if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax) if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus)
Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options.")); Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
return Info; return Info;

15
SandboxiePlus/SandMan/SbiePlusAPI.cpp
View File

@ -815,21 +815,6 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const
if (m_iUnsecureDebugging != 0) if (m_iUnsecureDebugging != 0)
return eInsecure; return eInsecure;
BOOL isMAX = GetBool("HideNonSystemProcesses") &&
GetBool("HideOtherBoxes",true) &&
GetBool("ClosePrintSpooler") &&
!GetBool("OpenClipboard") &&
GetBool("BlockInterferePower") &&
GetBool("BlockInterferenceControl") &&
GetBool("BlockScreenCapture") &&
GetBool("UseSandboxDesktop") &&
GetBool("ConfidentialBox") &&
GetBool("CoverBoxedWindows") &&
GetBool("AlertBeforeStart") &&
GetBool("ForceProtectionOnMount") &&
GetBool("ProtectHostImages");
if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced)
return eIsoationMax;
if (m_bSecurityEnhanced && m_bPrivacyEnhanced) if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
return eHardenedPlus; return eHardenedPlus;
if (m_bSecurityEnhanced) if (m_bSecurityEnhanced)

1
SandboxiePlus/SandMan/SbiePlusAPI.h
View File

@ -146,7 +146,6 @@ public:
{ {
eHardenedPlus, eHardenedPlus,
eHardened, eHardened,
eIsoationMax,
eDefaultPlus, eDefaultPlus,
eDefault, eDefault,
eAppBoxPlus, eAppBoxPlus,

57
SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp
View File

@ -61,7 +61,6 @@ void COptionsWindow::CreateGeneral()
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault); ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
@ -1068,24 +1067,8 @@ void COptionsWindow::UpdateBoxType()
bool bPrivacyMode = ui.chkPrivacy->isChecked(); bool bPrivacyMode = ui.chkPrivacy->isChecked();
bool bSecurityMode = ui.chkSecurityMode->isChecked(); bool bSecurityMode = ui.chkSecurityMode->isChecked();
bool bAppBox = ui.chkNoSecurityIsolation->isChecked(); bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
bool bIsoationMax = ui.chkHideHostProcesses->isChecked()
&& ui.chkBlockWMI->isChecked()
&& ui.chkHideOtherBoxes->isChecked()
&& ui.chkBlockSpooler->isChecked()
&& ui.chkProtectPower->isChecked()
&& ui.chkCloseClipBoard->isChecked()
&& ui.chkUserOperation->isChecked()
&& ui.chkBlockCapture->isChecked()
&& ui.chkConfidential->isChecked()
&& ui.chkProtectWindow->isChecked()
&& ui.chkAlertBeforeStart->isChecked()
&& ui.chkForceProtection->isChecked()
&& bSecurityMode && bPrivacyMode && !bAppBox;
int BoxType; int BoxType;
if (bIsoationMax)
BoxType = (int)CSandBoxPlus::eIsoationMax;
else
if (bAppBox) if (bAppBox)
BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox; BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
else if (bSecurityMode) else if (bSecurityMode)
@ -1111,51 +1094,13 @@ void COptionsWindow::OnBoxTypChanged()
int BoxType = ui.cmbBoxType->currentData().toInt(); int BoxType = ui.cmbBoxType->currentData().toInt();
switch (BoxType) { switch (BoxType) {
case CSandBoxPlus::eIsoationMax:
/*pBox->SetBool("HideNonSystemProcess", true);
pBox->InsertText("Template", "BlockAccessWMI");
pBox->InsertText("Template", "BlockDNS");
pBox->SetBool("HideOtherBoxes", true);
pBox->SetBool("ClosePrintSpooler", true);
pBox->SetBool("OpenClipboard", false);
pBox->SetBool("BlockInterferePower", true);
pBox->SetBool("BlockInterferenceControl", true);
pBox->SetBool("BlockScreenCapture", true);
pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any");
pBox->SetBool("UseSandboxDesktop", true);
pBox->SetBool("ConfidentialBox", true);
pBox->SetBool("CoverBoxedWindows", true);
pBox->SetBool("AlertBeforeStart", true);
pBox->SetBool("ForceProtectionOnMount", true);
pBox->SetNum64("ProcessMemoryLimit", 80000000);
pBox->SetNum("ProcessNumberLimit", 20);
pBox->SetBool("ProtectHostImages", true);*/
ui.chkBlockWMI->setChecked(true);
ui.chkBlockDns->setChecked(true);
ui.chkHideOtherBoxes->setChecked(true);
ui.chkCloseClipBoard->setChecked(true);
ui.chkBlockSpooler->setChecked(true);
ui.chkBlockCapture->setChecked(true);
ui.chkAddToJob->setChecked(true);
ui.chkAlertBeforeStart->setChecked(true);
ui.chkConfidential->setChecked(true);
ui.chkProtectPower->setChecked(true);
ui.chkUserOperation->setChecked(true);
ui.chkProtectWindow->setChecked(true);
ui.chkProtectSCM->setChecked(true);
ui.chkProtectSystem->setChecked(true);
ui.chkRestrictServices->setChecked(true);
ui.chkSbieLogon->setChecked(true);
ui.chkDropPrivileges->setChecked(true);
ui.chkHideOtherBoxes->setChecked(true);
ui.chkHostProtect->setChecked(true);
case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardenedPlus:
case CSandBoxPlus::eHardened: case CSandBoxPlus::eHardened:
ui.chkNoSecurityIsolation->setChecked(false); ui.chkNoSecurityIsolation->setChecked(false);
ui.chkNoSecurityFiltering->setChecked(false); ui.chkNoSecurityFiltering->setChecked(false);
ui.chkSecurityMode->setChecked(true); ui.chkSecurityMode->setChecked(true);
//ui.chkRestrictServices->setChecked(true); //ui.chkRestrictServices->setChecked(true);
ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax); ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus);
//SetTemplate("NoUACProxy", false); //SetTemplate("NoUACProxy", false);
SetTemplate("RpcPortBindingsExt", false); SetTemplate("RpcPortBindingsExt", false);
break; break;

32
SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp
View File

@ -182,25 +182,6 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
if (!disableWizardSettings || sharedTemplateMode == 0) { if (!disableWizardSettings || sharedTemplateMode == 0) {
switch (BoxType) switch (BoxType)
{ {
case CSandBoxPlus::eIsoationMax:
pBox->SetBool("HideNonSystemProcesses", true);
pBox->InsertText("Template", "BlockAccessWMI");
pBox->InsertText("Template", "BlockDNS");
pBox->SetBool("HideOtherBoxes", true);
pBox->SetBool("ClosePrintSpooler", true);
pBox->SetBool("OpenClipboard", false);
pBox->SetBool("BlockInterferePower", true);
pBox->SetBool("BlockInterferenceControl", true);
pBox->SetBool("BlockScreenCapture", true);
pBox->InsertText("Template","BlockLocalConnect");
pBox->SetBool("UseSandboxDesktop", true);
pBox->SetBool("ConfidentialBox", true);
pBox->SetBool("CoverBoxedWindows", true);
pBox->SetBool("AlertBeforeStart", true);
pBox->SetBool("ForceProtectionOnMount", true);
pBox->SetNum64("ProcessMemoryLimit", 80000000);
pBox->SetNum("ProcessNumberLimit", 20);
pBox->SetBool("ProtectHostImages", true);
case CSandBoxPlus::eHardenedPlus: case CSandBoxPlus::eHardenedPlus:
pBox->SetBool("UsePrivacyMode", true); pBox->SetBool("UsePrivacyMode", true);
case CSandBoxPlus::eHardened: case CSandBoxPlus::eHardened:
@ -266,16 +247,12 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
} }
pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool()); pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
bool bAllowNetwork = field("blockNetwork").toInt() == 0; bool bAllowNetwork = field("blockNetwork").toInt() == 0;
if (field("promptAccess").toBool() && !bAllowNetwork) if (field("promptAccess").toBool() && !bAllowNetwork)
pBox->SetBool("PromptForInternetAccess", true); pBox->SetBool("PromptForInternetAccess", true);
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax); bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
bool bAppBox = (BoxType == CSandBoxPlus::eAppBoxPlus || BoxType == CSandBoxPlus::eAppBox); bool bAppBox = (BoxType == CSandBoxPlus::eAppBoxPlus || BoxType == CSandBoxPlus::eAppBox);
bool bDropAdmin = field("dropAdmin").toBool(); bool bDropAdmin = field("dropAdmin").toBool();
if (field("dropAdmin").toBool() && !bHardened) if (field("dropAdmin").toBool() && !bHardened)
pBox->SetBool("DropAdminRights", true); pBox->SetBool("DropAdminRights", true);
@ -413,10 +390,7 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent)
//return qMakePair(pW, pIcon); //return qMakePair(pW, pIcon);
return pC; return pC;
}; };
AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax,
tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n"
"In addition, there are other configurations that facilitate isolation,\n"
"such as processes and image access control, and so on."));
AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus, AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus,
tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n" tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
"It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n" "It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
@ -827,7 +801,7 @@ void CIsolationPage::initializePage()
{ {
int BoxType = wizard()->field("boxType").toInt(); int BoxType = wizard()->field("boxType").toInt();
bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax); bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
bool bDropAdmin = field("dropAdmin").toBool(); bool bDropAdmin = field("dropAdmin").toBool();
m_pMSIServer->setEnabled(!bHardened && !bDropAdmin); m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
m_pShareAccess->setEnabled(!bHardened); m_pShareAccess->setEnabled(!bHardened);