256lights / zb

An experiment in hermetic, reproducible build systems
MIT License

Add sandboxing on Windows #31

Open zombiezen opened 2 months ago

zombiezen commented 2 months ago

Not exactly sure what this will look like yet, but Windows Sandbox looks promising.

I'm basically looking for:

Ericson2314 commented 2 months ago

I am porting Nix to Windows (upstream), btw, so I am curious what you will find.

puetzk commented 2 months ago

Note that Windows Sandbox is a full Hyper-V VM, running its own full OS instance. It doesn't have a full virtual disk image, but this seems much heavier than you'd want.

I think you'd fare better with AppContainer. But I've never found very much about the actual low-level APIs or really dug deeply into this (https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications- has some) - the main usage is things installed via MSIX, where the app packaging does the containerizing.

zombiezen commented 2 months ago

Nice, thanks for the pointers! I'll take a look. I am not super well-versed in low-level Windows stuff, so learning what's out there is helpful.

puetzk commented 2 months ago

Linkdumping a few more things I found in the past:

puetzk commented 2 months ago

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md and https://github.com/chromium/chromium/tree/main/sandbox/win are another reference - and this is built out of AppContainer - though not through the documented high-level API (CreateAppContainerProfile), but instead through undocumented lower-level pieces like CreateLowBoxObjectDirectory, NtCreateLowBoxToken (LowBox is an old name for AppContainer, combining the "Low" integrity level that you're restricted to with the "Box" aspect of having a separate namespace for most kernel objects).