M2Team / Privexec

Run the program with the specified permission level (C++20 required)
MIT License

Feature Request: AppContainer "Capabilities" Selection #2

Closed WildByDesign closed 5 years ago

WildByDesign commented 6 years ago

Thank you for your great program.

The AppContainer launching works well and is successful, but I think that it can be improved by adding the ability to choose/select from a list of different AppContainer "Capabilities" to give more power and flexibility to your AppContainer launching functionality.

It would be good to have a button which brings up a dialog to choose different AppContainer "Capabilities".

Some example concepts:

Blog link: https://www.andrea-allievi.com/blog/first-week-of-june/

Relevant source code: https://github.com/AaLl86/retroware/tree/master/AppContainers

Image example (AppContainer Capabilities list: Select):


That "Select" button would bring up a multi-list of capabilities to choose from and select prior to launching an app within an AppContainer.

Thank you for your time.

fcharlie commented 6 years ago

Good idea. If I have time, I might consider this feature.

WildByDesign commented 5 years ago

@fcharlie I see that you have done some recent development on AppContainer capabilities. Everything looks great visually. I also like how you have added support for parsing of appxmanifest files to pull in capabilities as well. Excellent work! Thank you.

AppContainer creation still seems to be working but it seems that I cannot see the capabilities within Process Hacker nightly build. I assume this must be related to the Windows 10 AppContainer bug which you mentioned in recent commits.

Can you share some brief details on this Windows 10 AppContainer bug and how this bug may affect Privexec?

MouriNaruto commented 5 years ago

@WildByDesign

> Can you share some brief details on this Windows 10 AppContainer bug and how this bug may affect Privexec?

I don't know, but if that bug is from the AppContainer APIs, it will affect this tool. I can't believe the bug is from the AppContainer APIs because these APIs have seldom changed after Windows 10 Build 10240. But this is the Windows 10 era's Microsoft, everything is possible, lol. (PS: There is a bug which can replace the access token in the normal Administrator token (normally, only the System token can do it) in Windows 10 Insider Preview Build 10162, fixed in build 10166. It had misdirected me in the development of NSudo.)

Mouri

fcharlie commented 5 years ago

@WildByDesign @MouriNaruto Yes. https://github.com/M2Team/Privexec/blob/master/Privexec.Core/AppContainers.cpp#L161 AppContainer creation succeeds but it cannot set capabilities. But in Windows 8, this is OK.

MouriNaruto commented 5 years ago

@WildByDesign @fcharlie You can read something about the AppContainer which I have discovered in https://github.com/M2Team/M2-SDK/blob/master/M2.NSudo.h

There is a creation implementation of the AppContainer which is reversed from Windows 8's CreateProcessInternal API at line 1022. And I can set capabilities and it works well in Windows 10 Build 10586 and 14393.

I hope I can help you.

Mouri.

fcharlie commented 5 years ago

@WildByDesign @MouriNaruto Sorry, the Create AppContainer API is OK; fixed it. A member value overrode the local value.


WildByDesign commented 5 years ago

@fcharlie @MouriNaruto Excellent, thank you. I have used the latest Process Hacker Nightly Build under Token - Token Properties - Capabilities and everything is showing correctly now with regard to capabilities. Great work!

Question: If I create a sample Package.appxmanifest file and add additional capabilities which are not included in the UI checkboxes, will Privexec add these capabilities after parsing that file?

Example section from Package.appxmanifest file:

```xml
<rescap:Capability Name="broadFileSystemAccess" />
```

I added the "broadFileSystemAccess" capability just for testing purposes. As I learn more, I would like to add more capabilities to my own custom Package.appxmanifest file. But I am just wondering if Privexec will enforce these capabilities as well.

Thank you! :)

fcharlie commented 5 years ago

See: https://docs.microsoft.com/en-us/uwp/schemas/appxpackage/appxmanifestschema/element-capability

https://github.com/M2Team/Privexec/blob/master/Privexec.Core/AppContainers.cpp#L30

fcharlie commented 5 years ago

@WildByDesign wsudo also supports AppContainer Capabilities from AppManifest.

WildByDesign commented 5 years ago

@fcharlie Thank you so much. This is excellent with wsudo now also supporting AppContainer Capabilities from AppManifest because a user can, for example, create a shortcut that contains wsudo command opening an app within AppContainer sandbox. This is great news.

You have done amazing work and I see that you have been working at this with many code commits each day. I am thankful for your time and for sharing this great open source work. Your time and work is greatly appreciated.

One remaining question:

In the code, it appears to parse rescap:Capability (Restricted Capabilities) but I have not been able to get it to show anything more than the default 12 Well Known SID type capabilities.

For example, here is my testing configuration which I always add to Privexec when testing the AppContainer development:

```xml
<Capabilities>
  <Capability Name="internetClient" />
  <Capability Name="internetClientServer" />
  <Capability Name="privateNetworkClientServer" />
  <Capability Name="documentsLibrary" />
  <Capability Name="picturesLibrary" />
  <Capability Name="videosLibrary" />
  <Capability Name="musicLibrary" />
  <Capability Name="enterpriseAuthentication" />
  <Capability Name="sharedUserCertificates" />
  <Capability Name="removableStorage" />
  <Capability Name="appointments" />
  <Capability Name="contacts" />
  <rescap:Capability Name="broadFileSystemAccess" />
  <rescap:Capability Name="inputInjectionBrokered" />
  <rescap:Capability Name="enterpriseDataPolicy" />
  <rescap:Capability Name="locationHistory" />
  <rescap:Capability Name="runFullTrust" />
</Capabilities>
```

This is all really just for testing purposes at the moment. It always adds the first 12 basic capabilities, but does not seem to add the restricted capabilities (rescap:Capability).

Are these restricted capabilities supposed to be working? Or is this something that would require future development in the code base?

Thank you.

fcharlie commented 5 years ago

@WildByDesign Currently I don't know the additional details of the restricted capabilities feature, so I can't create a SID for it. If you know these details, you can share them with me, thank you.

WildByDesign commented 5 years ago

@fcharlie Thank you. You might find some of the most complete information on Capabilities and SIDs in the research work of Google Project Zero's James Forshaw:

Particularly:

- https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs
- https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/Sid.cs

Much of his work is impressive.

fcharlie commented 5 years ago

@WildByDesign Thanks. GitHub URL style is

[text](url)
#so -->
[https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs)

We should use RtlDeriveCapabilitySidsFromName to create the SIDs.

We need to know the details of DeriveCapabilitySidsFromName.

```cpp
// Reference material on how capability SIDs are derived:
// https://github.com/nta/immersive-host/blob/master/host/src/ActivationClient.cpp
// https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/3ad55c9452d469a507286968985c264dc7e2c7c1/NtApiDotNet/NtSecurity.cs#L2677
// https://github.com/Microsoft/Windows-universal-samples/blob/fe8567faf2efdea3672c2ba642ba7b925ff6467e/Samples/CustomCapability/Service/Server/RpcServer.cpp#L54
#include <windows.h>
#include <winternl.h>

// Function-pointer type for the undocumented ntdll export (declared separately so the
// variable below can carry a different name from the type).
typedef NTSTATUS(NTAPI* PRtlDeriveCapabilitySidsFromName)(PUNICODE_STRING capabilityName, PSID ntSid, PSID appPackageSid);

// Resolve the export at runtime; check for nullptr before calling it.
auto _RtlDeriveCapabilitySidsFromName = reinterpret_cast<PRtlDeriveCapabilitySidsFromName>(
    GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlDeriveCapabilitySidsFromName"));
```

P4086.pptx
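As an added example (not Privexec's or NSudo's code) that ties together the unparsed rescap:Capability entries discussed above and the SID derivation fcharlie points at: a small Python script that pulls both Capability and rescap:Capability names out of a Package.appxmanifest, maps the 12 well-known names to their fixed S-1-15-3-N RIDs from winnt.h, and hash-derives the rest. The derivation in named_capability_sid is my understanding of what RtlDeriveCapabilitySidsFromName computes, not something stated on this page, so treat it as an assumption to confirm against the ntdll output; the sample manifest is constructed.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET

# Namespaces used in Package.appxmanifest: foundation elements and rescap:Capability.
NS = {
    "m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10",
    "rescap": "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities",
}
# The 12 well-known capabilities and their fixed RIDs (SECURITY_CAPABILITY_* in winnt.h),
# keyed in lower case because capability names are compared case-insensitively.
WELL_KNOWN_RIDS = {
    "internetclient": 1, "internetclientserver": 2, "privatenetworkclientserver": 3,
    "pictureslibrary": 4, "videoslibrary": 5, "musiclibrary": 6, "documentslibrary": 7,
    "enterpriseauthentication": 8, "sharedusercertificates": 9, "removablestorage": 10,
    "appointments": 11, "contacts": 12,
}

def named_capability_sid(name: str) -> str:
    """Derive S-1-15-3-1024-<8 DWORDs> for a named (e.g. restricted) capability.
    ASSUMPTION: my understanding of RtlDeriveCapabilitySidsFromName (SHA-256 of the
    upper-cased UTF-16LE name as eight little-endian DWORD sub-authorities after
    SECURITY_CAPABILITY_APP_RID = 1024); check against the ntdll export before use."""
    digest = hashlib.sha256(name.upper().encode("utf-16-le")).digest()
    return "S-1-15-3-1024-" + "-".join(str(rid) for rid in struct.unpack("<8I", digest))

def capability_sid(name: str) -> str:
    """Well-known names get their fixed RID; everything else is hash-derived."""
    rid = WELL_KNOWN_RIDS.get(name.lower())
    return f"S-1-15-3-{rid}" if rid is not None else named_capability_sid(name)

def capabilities_from_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (name, sid) for each Capability and rescap:Capability, in document order."""
    wanted = {"{%s}Capability" % NS["m"], "{%s}Capability" % NS["rescap"]}
    caps = ET.fromstring(xml_text).find("m:Capabilities", NS)
    if caps is None:
        return []
    return [(el.get("Name"), capability_sid(el.get("Name"))) for el in caps if el.tag in wanted]

# Constructed sample, modelled on the test manifest quoted earlier in this thread.
SAMPLE_MANIFEST = f"""<Package xmlns="{NS['m']}" xmlns:rescap="{NS['rescap']}">
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="documentsLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>"""
```

Running capabilities_from_manifest(SAMPLE_MANIFEST) yields the two well-known SIDs plus two hash-derived ones, which is the list Privexec would need to pass as SID_AND_ATTRIBUTES when it creates the container.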

WildByDesign commented 5 years ago

@fcharlie You're welcome. Thank you for those details and slides as well. Excellent stuff. I will try to do some more research on these.

FWIW, the capabilities that start with 'lpac' such as lpacAppExperience, lpacClipboard, etc. are related to Low Privilege AppContainer (LPAC). I was speaking with James Forshaw recently because he is the one who designed Google Chrome's AppContainer sandbox architecture on Windows and more recently, he created the AppContainer for the Chrome GPU process which is LPAC specifically. He told me that LPAC is not much more difficult to implement compared to regular AppContainer.

Anyway, in the PDF below that James released just recently, some pages cover the specifics on LPAC details:

The Inner Workings of the Windows Runtime.pdf (by James Forshaw)

See pages 34, 35, 44, 45, 67 for excellent Low Privilege AppContainer (LPAC) details and more.

Also, some of James' open source tools are beneficial in confirming much of the recent AppContainer work that you have been doing. Notably, oleviewdotnet and TokenViewer which is part of his sandbox analysis tools. Both of these help me when testing and verifying token details such as AppContainer and more.

WildByDesign commented 5 years ago

I found some more details today on AppContainer SID calculation. I don't know if this is relevant or not, but thought I would share anyway just in case it may be helpful.

Link: https://twitter.com/FlowerCode_/status/1072783212097691648

> One interesting bit of Child AC is how the SIDs are calculated. Here is a Python version if you don't want to call DeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedName. It beats RtlWriteDecodedUcsDataIntoSmartLBlobUcsWritingContext BTW. https://gist.github.com/FlowerCode/b655e8e256862e384a0bcc2be4e41bd1

Link: https://gist.github.com/FlowerCode/b655e8e256862e384a0bcc2be4e41bd1

fcharlie commented 5 years ago

@WildByDesign Thanks.