microsoft / win32-app-isolation

Tools and documentation for Win32 app isolation
MIT License
1.26k stars 33 forks

[Feature]: Default run in AppSilo, but allow to show `run as administrator` in context menu #34

Open AndromedaMelody opened 1 year ago

AndromedaMelody commented 1 year ago

Summary

We want our application to run in AppContainer by default, but some features only work under high privileges. Users should have the right to choose.

Pitch

In most cases, for example, isolatedWin32-promptForAccess, isolatedWin32-volumeRootMinimal and isolatedWin32-shellExtensionContextMenu are enough for NanaZip, but NanaZip needs administrator privileges to read ext4/apfs... volumes by accessing physical drives directly (\\.\PhysicalDrive0\...).

MouriNaruto commented 1 year ago

NanaZip original author here.

First, I want to clarify that AndromedaMelody is a co-author of NanaZip. So, it is OK for AndromedaMelody to also represent NanaZip.

I think NanaZip is a file manager which users may want to use in non-AppSilo mode. For example, people want to do some CRUD (a.k.a. create, read, update and delete) for managing some files to resolve their issues.

But I also love the idea of the Principle of Least Privilege. So, I also hope NanaZip can support AppSilo mode. (I am also the original author of NSudo. I hope people can respect the Windows security mechanism with that tool, because people don't need to break the Windows ACL settings for the file system and registry. But actually, many, many, many people abuse NSudo.)

I think AndromedaMelody's request for AppSilo is necessary for NanaZip to support AppSilo mode. But I also have some requests for AppSilo mode.

Kenji Mouri

tiangao-ms commented 1 year ago

We'll discuss the elevation part and see if it's possible. Managing files is not only supported but prioritized by App Silo. Could you elaborate on why doing that would require non-AppSilo mode?

I don't believe that we can support Win32 app isolation on older Windows because it requires OS support and by definition that won't work on older Windows.

MouriNaruto commented 1 year ago

@tiangao-ms

Thank you for replying.

Could you elaborate on why doing that would require non-AppSilo mode?

For example, with the file manager, users may want to do some CRUD (a.k.a. create, read, update and delete) for managing some files to resolve their issues.

Here are the issues users may meet which need non-AppSilo mode, even Administrator or SYSTEM:

Kenji Mouri

tiangao-ms commented 1 year ago

@tiangao-ms

Thank you for replying.

Could you elaborate on why doing that would require non-AppSilo mode?

For example, with the file manager, users may want to do some CRUD (a.k.a. create, read, update and delete) for managing some files to resolve their issues.

Here are the issues users may meet which need non-AppSilo mode, even Administrator or SYSTEM:

  • Remove malicious software or other things which are not recognized by current-day security software manually.
  • Read a physical partition whose file system is not supported by Windows to extract files from it easily.
  • Back up other Windows image instances or other partitions which need the Volume Shadow Service.

Kenji Mouri

Seems like a very powerful tool :). I believe the general rule here is - what if it's trying to do something malicious? I know you are not going to write malicious code in your program, but even a trusted app can have potential vulnerabilities which could be exploited.

From our point of view, it's about end users' security. We are trying to provide a platform where the users can be confident that it's very difficult to get their data.

So, I don't think it's feasible to have an isolated app that can read everything on the disk in the background - that's against the isolation purpose. It is possible to grant the access explicitly by the users - if they have the access, of course. We will have to discuss the elevation to admin; not sure if that's something we are pursuing, as that also gives unlimited access to many things.

With more security comes more constraint; we are trying to get a good balance between them.

MouriNaruto commented 1 year ago

@tiangao-ms

I know you are not going to write malicious code in your program, but even a trusted app can have potential vulnerabilities which could be exploited.

This is why I hope we can introduce AppSilo mode to NanaZip for users who care about security and privacy. (Also, non-AppSilo mode is necessary for professional users who need more power.)

Kenji Mouri

AndromedaMelody commented 1 year ago

Could you elaborate on why doing that would require non-AppSilo mode?

Not only NanaZip, most applications need this. Provide basic features to most users by default, and provide full features to users who need restricted capabilities when they choose to run as administrator. For example, Microsoft PowerToys runs as a standard user by default, but some advanced features can't work. If we need to use these features, we can run it as administrator. Secondly, since Vista, Windows has provided the choice to users, and users can decide to run an application as a standard user or as an administrator. I think AppSilo can learn from this design. We use AppSilo to reduce the potential attack surface. But it doesn't mean that we must abandon all features which need high permissions. Last, UWP has been allowed to use Desktop Bridge (Full Trust) to extend features which need high permissions since Win10 Version 1607, and Full Trust applications can use XAML Islands from Win10 Version 1809/1903. If AppContainer can do everything, why do we need Desktop Bridge (to extend UWP) & XAML Islands?
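The "standard user by default, elevate only on explicit user choice" pattern described in this comment, shown as an added PowerShell example (this is not NanaZip, PowerToys or win32-app-isolation project code). It assumes a hypothetical feature script path passed by the caller; the AppContainer check relies on the ALL APPLICATION PACKAGES group SID (S-1-15-2-1) being present in an AppContainer token, and the elevation check uses the built-in Administrators role of the current token.

```powershell
# Added example: gate privileged features behind an explicit, per-feature elevation
# instead of running the whole application elevated. Not project code.

function Test-IsElevated {
    # True when the current process token is a member of the Administrators role
    # (i.e. already elevated; a filtered admin token under UAC returns false).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsAppContainer {
    # AppContainer (AppSilo) tokens carry the ALL APPLICATION PACKAGES group, S-1-15-2-1.
    # Assumption: checking for that group is a sufficient signal for this demo.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-15-2-1' })
}

function Invoke-PrivilegedFeature {
    # $FeatureScriptPath is a hypothetical script implementing one privileged feature
    # (for example, a raw-volume read). Only that feature runs elevated, not the app.
    param([Parameter(Mandatory)][string]$FeatureScriptPath)

    if (Test-IsAppContainer) {
        # Inside the sandbox there is no in-process path to elevation; the host
        # application would have to broker the request instead of silently escalating.
        Write-Warning "Running in an AppContainer; this feature must be brokered by the host."
        return
    }

    if (Test-IsElevated) {
        & $FeatureScriptPath
        return
    }

    # Not elevated: relaunch just this feature with the UAC consent prompt (-Verb RunAs),
    # so the user makes the choice the thread is asking for.
    $proc = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-File', $FeatureScriptPath) `
        -Verb RunAs -Wait -PassThru
    Write-Host "Privileged feature exited with code $($proc.ExitCode)"
}

# Usage (assumed path): Invoke-PrivilegedFeature -FeatureScriptPath 'C:\app\features\read-raw-volume.ps1'
```

The design point is that the default session never holds the elevated token; the user sees a consent prompt only for the one feature that needs it, and the rest of the application keeps running with least privilege.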

AndromedaMelody commented 1 year ago

I also hope AppSilo mode can support older Windows. (>= 25357 is too new.)

I don't believe that we can support Win32 app isolation on older Windows because it requires OS support and by definition that won't work on older Windows.

This has been mentioned in #31; maybe it is a good solution to allow developers to work around this in AppxManifest. Developers can choose Windows.PartialTrustApplication or Windows.FullTrustApplication for older systems. On supported operating systems, it would use AppSilo.