Add sandboxing on Windows

[zombiezen]

Not exactly sure what this will look like yet, but Windows Sandbox looks promising.

I'm basically looking for:

• Ability to run arbitrary programs inside the sandbox, read stdout/stderr, and know when they exit (and if it was successful)
• Not messing up the system registry while providing packages
• Ability to shut off network access
• Shared folders (would be nice to have read-only mounts, but not as necessary)

[Ericson2314]

I am porting Nix to Windows (upstream), btw, so I am curious what you will find.

[puetzk]

Note that windows sandbox is a full Hyper-V VM, running its own full OS instance. It doesn't have a full virtual disk image, but this seems much heavier than you'd want.

I think you'd fare better with AppContainer. But I've never found very much about the actual low-level APIs or really dug deeply into this.(https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications- has some) - the main usage is things installed via MSIX, where the app packaging does the containerizing.

[zombiezen]

Nice, thanks for the pointers! I'll take a look. I am not super well-versed in low-level Windows stuff, so learning what's out there is helpful.

[puetzk]

Linkdumping a few more things I found in the past:

• https://scorpiosoftware.net/2019/01/15/fun-with-appcontainers/

• https://github.com/zodiacon/RunAppContainer have some more more info Maybe this can even summon @zodiacon to say whether I'm crazy

• https://medium.com/that-feeling-when-it-is-compiler-fault/appcontainers-for-windows-8-what-are-they-and-how-can-you-create-them-e5970a28eea4

• https://github.com/forderud/RunInSandbox

• https://github.com/microsoft/SandboxSecurityTools/tree/main/LaunchAppContainer

• https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html

• https://blahcat.github.io/2020-12-29-cheap-sandboxing-with-appcontainers/

[puetzk]

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md and https://github.com/chromium/chromium/tree/main/sandbox/win are another reference -and this is built out of AppContainer - though not through the documented high-level API (CreateAppContainerProfile), but instead through undocumented lower-level pieces like CreateLowBoxObjectDirectory, NtCreateLowBoxToken (LowBox is an old name for AppContainer, combining the "Low" integrity level that you're restricted to with the "Box" aspect of having a separate namespace for most kernel objects.