search

microsoft / win32-app-isolation

Tools and documentation for Win32 app isolation
MIT License
1.27k stars 33 forks source link

[Docs]: Win11(Build22621) has supported AppSilo #38

Closed AndromedaMelody closed 1 year ago

AndromedaMelody commented 1 year ago

Links

https://github.com/microsoft/win32-app-isolation/blob/3e53df6e49e0086a43905ae56331636e78cd2af2/docs/packaging/msix-packaging-tool.md?plain=1#L72

Description

There is a error in the document. I tried to use AppSilo in Win11 (Build22621), I find 22621 has supported AppSilo.

  1. TrustLevel="appSilo" can work in 22621, I perfer use TrustLevel="appSilo" instead of RuntimeBehavior="appSilo". I think the document should introduce more detailed. For example: tell developers that

    AppSilo can work in 22621 and application can access file with broadFileSystemAccess but compatibility is not good. If You want to make compatibility better, you can declare isolatedWin32-promptForAccess but it needs Win11 (Build 25357).

  2. What's different between previewsecurity:TrustLevel="appSilo" and previewsecurity2:RuntimeBehavior="appSilo"?
  3. If a application target 25357, Can we write the following manifest? Is it better? 
    ……
<Application Id="…" Executable="…" previewsecurity:TrustLevel="appSilo" previewsecurity2:RuntimeBehavior="appSilo">
……

Test

Windows Version: 10.0.22631.1830 SDK Version: 10.0.22621.755 Application: NanaZip Nightly

AndromedaMelody commented 1 year ago

I think this may be a good way to solve #15 created by @JasonWei512 . We really hope AppSilo better, and older system can use it or have a perfect workaround.

lilybarkley-msft commented 1 year ago

Hey @AndromedaMelody we require 10.0.25229.0 as the minimum build for AppSilos. We're still looking into solutions for older version of windows, but using previewsecurity:TrustLevel="appSilo" can lead to system instability during updates so we strongly recommend not using it.

If the DPI scaling issue exists on 10.0.25229.0 min build packages, can you file another issue for that?

AndromedaMelody commented 1 year ago

Hi @lilybarkley-msft

We're still looking into solutions for older version of windows, using previewsecurity:TrustLevel="appSilo" can lead to system instability during updates so we strongly recommend not using it.

Thanks for your reply. Look forward to the solutions and a detailed document.

If the DPI scaling issue exists on 10.0.25229.0 min build packages, can you file another issue for that?

OK, I have submitted a new issue.

dongle-the-gadget commented 1 year ago

@AndromedaMelody can you link how you used TrustLevel="appSilo". When I tried it on 23536, it just fails with:

error 0xC00CE169: App manifest validation error: The app manifest must be valid as per schema: Line xx, Column xx, Reason: 'appSilo' violates enumeration constraint of 'appContainer mediumIL'. The attribute '{http://schemas.microsoft.com/appx/manifest/uap/windows10/10}TrustLevel' with value 'appSilo' failed to parse.