microsoft / win32-app-isolation

Tools and documentation for Win32 app isolation
MIT License

[Bug]: Capability Access Parser doesn't seem to find anything useful for our app #30

Closed riverar closed 1 year ago

riverar commented 1 year ago

Version

Windows vNext: 25375.1
Win32 App Isolation: 0.1.0
Developer mode enabled

Repro Steps

  1. Install EarTrumpet (dev)
  2. Start-Profiling -PackageFullName 40459File-New-Project.EarTrumpet_2.2.2.38_x86__725pr5jq8wr8a
  3. Launch EarTrumpet app
  4. Left click the EarTrumpet icon in the notification area to show the flyout, adjust some volume sliders (interacts with Windows Audio APIs)
  5. Right click the icon and go to Windows Legacy > Volume mixer (shells out to Windows)
  6. Right click the icon and go to Settings > General > Mouse settings and toggle something on/off (this writes to Windows.Storage or in some cases to the system registry)
  7. Right click the icon and go to Settings > General > About and click Collect troubleshooting data (this writes to a file on disk and shell executes the resultant file)
  8. Stop-Profiling -TracePath eartrumpet.etl
  9. Get-ProfilingResults -ETLFilePaths eartrumpet.etl -ManifestPath "C:\Program Files\WindowsApps\40459File-New-Project.EarTrumpet_2.2.2.38_x86__725pr5jq8wr8a\AppxManifest.xml"
  10. Observe no AccessAttemptRecords.csv generated
  11. Observe no errors in console output
  12. Observe summary.txt generated and looks like copy included below

Expected to see capabilities around system tray access and perhaps writing to the disk/registry + shelling out to launch control panel applets/windows processes.

Unexpected Results

5/26/2023 1:26:59 PM
Microsoft.Windows.Win32Isolation.CapabilityAccessParser

Output Summary

Input parsed: C:\Users\Rafael\desktop\eartrumpet.etl
Target(s):  40459File-New-Project.EarTrumpet_2.2.2.38_x86__725pr5jq8wr8a

Capabilities identified for 40459File-New-Project.EarTrumpet_2.2.2.38_x86__725pr5jq8wr8a
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10" xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest" xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10" xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities" xmlns:desktop="http://schemas.microsoft.com/appx/manifest/desktop/windows10" xmlns:build="http://schemas.microsoft.com/developer/appx/2015/build" IgnorableNamespaces="uap mp rescap desktop build">
  <Identity Name="40459File-New-Project.EarTrumpet" ProcessorArchitecture="x86" Publisher="CN=File-New-Project, O=File-New-Project, L=Purcellville, S=Virginia, C=US" Version="2.2.2.38" />
  <Properties>
    <DisplayName>EarTrumpet (dev)</DisplayName>
    <PublisherDisplayName>File-New-Project</PublisherDisplayName>
    <Logo>Assets\StoreLogo.png</Logo>
  </Properties>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.14393.0" MaxVersionTested="10.0.14393.0" />
    <PackageDependency Name="Microsoft.VCLibs.140.00" MinVersion="14.0.24123.0" Publisher="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" />
  </Dependencies>
  <Resources>
    <Resource Language="EN-US" />
    <Resource uap:Scale="200" />
  </Resources>
  <Applications>
    <Application Id="EarTrumpet" Executable="EarTrumpet\EarTrumpet.exe" EntryPoint="Windows.FullTrustApplication">
      <uap:VisualElements DisplayName="EarTrumpet (dev)" Description="EarTrumpet" BackgroundColor="transparent" Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png">
        <uap:DefaultTile Wide310x150Logo="Assets\Wide310x150Logo.png" Square71x71Logo="Assets\SmallTile.png" Square310x310Logo="Assets\LargeTile.png">
          <uap:ShowNameOnTiles>
            <uap:ShowOn Tile="square150x150Logo" />
            <uap:ShowOn Tile="wide310x150Logo" />
            <uap:ShowOn Tile="square310x310Logo" />
          </uap:ShowNameOnTiles>
        </uap:DefaultTile>
        <uap:SplashScreen Image="Assets\SplashScreen.png" />
      </uap:VisualElements>
      <Extensions>
        <desktop:Extension Category="windows.startupTask" Executable="EarTrumpet\EarTrumpet.exe" EntryPoint="Windows.FullTrustApplication">
          <desktop:StartupTask TaskId="EarTrumpet" Enabled="true" DisplayName="EarTrumpet" />
        </desktop:Extension>
      </Extensions>
    </Application>
  </Applications>
  <build:Metadata>
    <build:Item Name="Microsoft.Build.DesktopBridge.Tasks.dll" Version="4.6.30319.200" />
    <build:Item Name="TargetFrameworkMoniker" Value=".NETFramework,Version=v4.5.1" />
    <build:Item Name="VisualStudio" Version="16.0" />
    <build:Item Name="OperatingSystem" Version="10.0.17763.1 (WinBuild.160101.0800)" />
    <build:Item Name="Microsoft.Build.AppxPackage.dll" Version="16.0.33328.57" />
    <build:Item Name="ProjectGUID" Value="ea5510ed-f014-4587-a505-64c59d5b2627" />
    <build:Item Name="MakePri.exe" Version="10.0.14393.795 (rs1_release_sec.170105-1850)" />
  </build:Metadata>
  <!--40459File-New-Project.EarTrumpet_2.2.2.38_x86__725pr5jq8wr8a-->
  <Capabilities>
    <!--The capability below is privacy-sensitive. Access to resources under this capability are gated by user privacy consent.-->
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>

tiangao-ms commented 1 year ago

Just to confirm, between your step 1 (start-profiling) and step 2 (stop-profiling), did you use your application? What action did you try? For example, you said maybe some file is accessed, what file did you access during your app execution?

riverar commented 1 year ago

@tiangao-ms Good catch. I updated the repro steps above with the activities I performed. Source code is also available if needed.

tiangao-ms commented 1 year ago

Another thing to confirm, sorry if it was obvious. Did you package your app according to the instructions? For the app you executed, did you change the manifest? Do you mind sharing the manifest after your change?

riverar commented 1 year ago

Oh I did not make any changes. That part of the documentation was unclear to me and read like I just needed to generally have an MSIX packaged app.

I'll re-read it more carefully, sounds like I missed something :(

tiangao-ms commented 1 year ago

> Oh I did not make any changes. That part of the documentation was unclear to me and read like I just needed to generally have an MSIX packaged app.
>
> I'll re-read it more carefully, sounds like I missed something :(

LOL that's fine. Let us know if there are specific parts that are confusing to you, we can make improvements. In order to isolate your app, you need to edit your manifest (not only "package it to MSIX") so your app can run at low privilege. Only with these changes can you profile your app and check the accesses from your app.

riverar commented 1 year ago

OK sounds like I have to modify the app as listed here: https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/msix-packaging-tool.md#msix---isolated-win32

It's very strange that I have to silo my app, before knowing what capabilities I need, to profile my app, to then get a list of capabilities I need.

tiangao-ms commented 1 year ago

> OK sounds like I have to modify the app as listed here: https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/msix-packaging-tool.md#msix---isolated-win32
>
> It's very strange that I have to silo my app, before knowing what capabilities I need, to profile my app, to then get a list of capabilities I need.

Yes, we are aware that it is probably not the most intuitive process, but without isolating your app first, we can't intercept the "unordinary accesses" from your app (because it has access to everything) so we can't profile what capabilities the app needs. It's permissive learning mode.
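
A pre-flight check for the point made in this reply, as an added example that is not part of the thread or of the project's tooling: it reports whether each Application in an AppxManifest.xml is marked for isolation before Start-Profiling is run. The function name Test-IsolationManifest is hypothetical, and the marker values (TrustLevel="appContainer", RuntimeBehavior="appSilo") are assumed from the project's packaging guide linked above, not taken from this thread.

```powershell
# Added example. Assumption: the isolation markers checked here
# (TrustLevel="appContainer", RuntimeBehavior="appSilo") come from the
# project's packaging guide; they do not appear in this thread.
function Test-IsolationManifest {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ManifestPath)

    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $ManifestPath).ProviderPath)

    # Match on local names so the check does not depend on the namespace
    # prefix the manifest happens to use for these attributes.
    foreach ($app in $doc.SelectNodes("//*[local-name()='Application']")) {
        $trust = $null
        $runtime = $null
        foreach ($attr in $app.Attributes) {
            switch ($attr.LocalName) {
                'TrustLevel'      { $trust = $attr.Value }
                'RuntimeBehavior' { $runtime = $attr.Value }
            }
        }
        $isolated = ($trust -eq 'appContainer') -and ($runtime -eq 'appSilo')
        if (-not $isolated) {
            # Per the thread: a non-isolated app has access to everything,
            # so the profiler cannot intercept its accesses.
            Write-Warning "Application '$($app.GetAttribute('Id'))' is not isolated; profiling it will not yield access records."
        }
        [pscustomobject]@{
            ApplicationId   = $app.GetAttribute('Id')
            TrustLevel      = $trust
            RuntimeBehavior = $runtime
            Isolated        = $isolated
        }
    }
}

# Constructed sample: the Application element from the manifest in this
# issue, trimmed to the attributes the check reads.
$sample = @'
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Applications>
    <Application Id="EarTrumpet" Executable="EarTrumpet\EarTrumpet.exe" EntryPoint="Windows.FullTrustApplication" />
  </Applications>
</Package>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'AppxManifest.sample.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-IsolationManifest -ManifestPath $tmp | Format-List
```

Run against the sample, the check reports Isolated as False with both markers empty, which matches the unmodified manifest in the summary output posted above.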

riverar commented 1 year ago

Manifesting our app is not compatible with our dev workflow (https://github.com/microsoft/win32-app-isolation/issues/31) but I was able to get it working. Closing this issue as resolved.