mirrors/Sandboxie
mirrors
/
Sandboxie
mirror of https://github.com/sandboxie-plus/Sandboxie.git
1
0
Fork 0
Code Releases Activity

Update CHANGELOG.md 

Co-Authored-By: NewKidOnTheBlock <NewKidOnTheBlock@users.noreply.github.com>
This commit is contained in:
isaak654 2021-07-24 10:24:19 +02:00
parent 5b6d543404
commit e8616fa039
1 changed files with 29 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
CHANGELOG.md
View File

@ -8,60 +8,59 @@ This project adheres to [Semantic Versioning](http://semver.org/).
## [0.9.0 / 5.51.0] - 2021-07-?? ## [0.9.0 / 5.51.0] - 2021-07-??
### Added ### Added
- added support for Windows Filtering Platform (WFP) to be used instead of the device based network blocking scheme - added support for Windows Filtering Platform (WFP) to be used instead of the device-based network blocking scheme
-- to enable this support add 'NetworkEnableWFP=y' to the global section and reload the driver, or reboot -- to enable this support, add 'NetworkEnableWFP=y' to the global section and reboot or reload the driver
-- to use WFP for a specified sandbox add 'AllowNetworkAccess=n' to said box -- to use WFP for a specified sandbox, add 'AllowNetworkAccess=n' to said box
-- you can excempt certain processes from a block by using 'AllowNetworkAccess=program.exe,y' -- you can exempt certain processes from blocking by using 'AllowNetworkAccess=program.exe,y'
-- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section -- you can also enable this policy globally by adding 'AllowNetworkAccess=n' to the global section
-- in which case you can excempt entire boxes by adding 'AllowNetworkAccess=n' to said box -- in this case you can exempt entire boxes by adding 'AllowNetworkAccess=n' to said boxes
-- specifying 'AllowNetworkAccess=program.exe,n' will block the access only for the named process -- specifying 'AllowNetworkAccess=program.exe,n' will block the access only for the named process
-- note: WFP is less absolute than the old approche, using WFP will filter only TCP/UDP communication -- Note: WFP is less absolute than the old approach, using WFP will filter only TCP/UDP communication
-- restricted boxed processes will still be able to resolve domain names using the system service -- restricted boxed processes will still be able to resolve domain names using the system service
-- thay will not be howeever able to send or receive data packets directly -- however, they will not be able to send or receive data packets directly
-- the advantages of WFP is that filter rules can be implemented restricting communication only to -- the advantages of WFP is that filter rules can be implemented by restricting communication only to specified addresses or selected ports using "NetworkAccess=..."
-- specified addresses or selected ports using "NetworkAccess=..." - added fully functional rule-based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
- added fully functional rule based packet filter in user mode for the case when "NetworkEnableWFP=y" is not set
-- the mechanism replaces the old "BlockPort=..." functionality -- the mechanism replaces the old "BlockPort=..." functionality
-- note: this filter applies only to outgoing connections/traffic for incomming eider the WFP mode or a 3rd party firewall is needed -- Note: this filter applies only to outgoing connections/traffic, for incoming traffic either the WFP mode or a third-party firewall is needed
-- like the old user mode based mechanism maliciouse applications can bypass it by unhooking certein functions -- like the old user mode based mechanism, malicious applications can bypass it by unhooking certain functions
-- hence its recomended to use kernel mode WFP based mechanism when reliable isolation is required -- hence it's recommended to use the kernel mode WFP-based mechanism when reliable isolation is required
-- note: the main reason this mechanism was added also in user mode is to make it easier to debug -- Note: the main reason this mechanism was added in user mode is to allow for easier debugging
- added new trace option "NetFwTrace=*" to trace the actions of the firewall components - added new trace option "NetFwTrace=*" to trace the actions of the firewall components
-- please note that the driver trace logs only to the kernel debug output, use DbgView.exe to log it -- please note that the driver only trace logs the kernel debug output, use DbgView.exe to log
- API_QUERY_PROCESS_INFO can be now used to get the impersonation token of sandboxed thread - API_QUERY_PROCESS_INFO can now be used to get the impersonation token of a sandboxed thread
-- Note: this capability is used by TaskExplorer to allow inspecting sandbox internal tokens -- Note: this capability is used by TaskExplorer to allow inspecting sandbox-internal tokens
-- Note: a process must have administrative privileges to be able to use this API -- Note: a process must have administrative privileges to be able to use this API
- added a UI option to switch "MsiInstallerExemptions=y" on and off - added a UI option to switch "MsiInstallerExemptions=y" on and off
-- just in case a future windows build breaks something for the systemless mode -- just in case, if a future Windows build breaks something in the systemless mode
- added sample code for ObRegisterCallbacks to the driver - added sample code for ObRegisterCallbacks to the driver
- added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" allowing to disable file and registry filtering - added new debug options "DisableFileFilter=y" and "DisableKeyFilter=y" that allow to disable file and registry filtering
-- Note: this options are for testing only and disable core parts of the sandbox isolation -- Note: these options are for testing only and disable core parts of the sandbox isolation
- added a few CommandLone options to sandman.exe - added a few command line options to SandMan.exe
### Changed ### Changed
- greately improved the performanceof the trace log, but its no longer possible to log to booth sandman and sbiectrl at the same time - greatly improved the performance of the trace log, but it's no longer possible to log both SandMan and SbieCtrl at the same time
- changed code integrity verification policies - changed code integrity verification policies
-- code signature validation of user mode components is disabled when windows is booted in test signing mode -- code signature validation of user mode components is disabled when Windows is booted in test-signing mode
- reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination - reworked process creation code to use PsSetCreateProcessNotifyRoutineEx and improved process termination
### Fixed ### Fixed
- added missing hook for ConnectEx - added missing hook for ConnectEx function
## [0.8.9 / 5.50.9] - 2021-07-22 ## [0.8.9 / 5.50.9] - 2021-07-??
### Changed ### Changed
- updated a few icons - updated a few icons
- updated github build action to use qt 5.15.2 - updated GitHub build action to use Qt 5.15.2
- improved full tray icon to be more distringuishable from the empty one - improved the "full" tray icon to be more distinguishable from the "empty" one
- changed code integrity verification policies - changed code integrity verification policies
-- code signature is no longer required to change config, to protect presets use the the existing "EditAdmin -- code signature is no longer required to change config, to protect presets use the existing "EditAdminOnly=y"
### Fixed ### Fixed
- fixed issue with systemless MSI mode introduced in the last build - fixed issue with systemless MSI mode introduced in the last build
- fixed MSI installer not being able to create action server on windows 11 - fixed MSI installer not being able to create the action server mechanism on Windows 11
- fixed MSI instalelr not workign in systemless mode on windows 11 - fixed MSI installer not working in systemless mode on Windows 11