sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

No support for UWP / Modern / Store Apps #19

Open Tragen opened 4 years ago

Tragen commented 4 years ago

What is the reason that Sandboxie isn't working with apps from the Microsoft Store? Is it possible to improve Sandboxie so that it also works with Store apps?

DavidXanatos commented 4 years ago

I haven't looked into it yet, but I would assume that Windows's own file/registry virtualization used for UWP Apps may be an issue.

To be honest, the entire modern side of Windows 10 is something I try to avoid as much as possible, hence it kinda has negative priority. And we have enough Windows 10 bugs not related to UWP.

But that said, it surely can be added, just idk when there will be free time to spend on that.

ghost commented 3 years ago

> But that said, it surely can be added, just idk when there will be free time to spend on that.

Could you please add a feature to apply to every UWP app without repeatedly adding ForceProcess or ForceFolder?

isaak654 commented 2 years ago

Sandboxie Plus 1.0.6 added the ability to run Win32 store apps in App Compartment mode, but it doesn't cover UWP apps yet.

DaneXtream commented 2 years ago

@DavidXanatos do you have an estimation when we will have this feature?

DavidXanatos commented 2 years ago

There is no ETA on this; it's not high priority.

isaak654 commented 1 year ago

A contributor certificate in exchange for a pull request to provide initial UWP compatibility would definitely be helpful.

lmou523 commented 1 year ago

Right-click options in Windows 11 are missing.

Waffled-II commented 1 year ago

Any updates on this? I saw somewhere that you could possibly install through PowerShell but I can’t find it now. Would be incredibly helpful to install or run UWP apps in this.

maribox commented 1 year ago

I wonder why this is low priority, as more and more programs are moving to Microsoft Store Apps. This is especially frustrating for more and more programs that can't be installed without the Store and therefore cannot be sandboxed at all (pretty famous example: Xodo PDF Reader, running the .exe in a Sandbox gets me a SharedLibrary.dll Error).

e-t-l commented 1 year ago

I'm surprised this hasn't been explored in more depth already, seeing as how much overlap there is in both goal and execution of Sandboxie and UWPs. The reason UWPs don't work sandboxed is because they are built around the AppContainer format, which itself is a Windows sandbox (https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation). I'm guessing there's something about the AppContainer sandbox that doesn't like to run inside another software sandbox like SBIE.

On a related note, Adobe Acrobat has a setting under Preferences > Security (Enhanced) > Sandbox Protection > Run in AppContainer. If you enable this setting, then try to open a PDF in Protected View in Sandboxie, you should get an error. Opening it outside of Sandboxie should not throw an error.

It would be cool if AppContainers/UWPs were supported, especially since Microsoft is pushing for this to be the standard format for executables moving forward. Older Win32 apps can be recompiled to operate inside AppContainers with relatively little effort, so I expect them to become more and more ubiquitous as time goes on.

EDIT: I know Sandboxie has configs like dropAppContainerToken and fakeAppContainerToken, but it was unclear to me from the documentation whether the term was actually referring to MS AppContainers, or whether it was being used as an alias for SBIE App Compartments...

tharlab commented 9 months ago

Does it fully support Store apps?? I wanna clone WhatsApp / a game from the Windows Store.

kokofixcomputers commented 9 months ago

Wait... UWP apps are mostly sandboxed by Windows already.

e-t-l commented 3 months ago

> A contributor certificate in exchange for a pull request to provide initial UWP compatibility would definitely be helpful.

I don't know if it's worth a contributor cert, but I think I required a workaround for MSIX Store apps, a workaround which doesn't necessarily require a PR or any code changes...

I definitely think UWP apps fail due to some conflict with MS AppContainers, but not all programs that are packaged with MSIX are containerized. However, many of them will still fail. This is because the MSIX package installer installs programs in the WindowsApps directory, which only privileged system processes can access; not even local admin accounts can access it (admins can forcibly grant themselves access permission, but changing the ICACLS permissions for WindowsApps can cause major system instability).

Since Sandboxie can't access WindowsApps, it returns System error code: Access is denied. (5)

The simple solution is to run Sandboxie with system-user privileges. (I believe this is different than running it in the system-user context like a scheduled task could do. In that scenario, the program would not be visible or interactable!)

The easiest way to do this is to download PSEXEC and run:

psexec -i -s "C:\Program Files\Sandboxie-Plus\SandMan.exe"

Voila, system-privileged Sandman! (I tested this on Zenbreak, but it should work for any Windows Store app that can't be sandboxed due to an Access Denied error.)

@DavidXanatos @offhub Here's the thing, though. I have NO idea what the unintended consequences might be of running Sandboxie with system privileges instead of admin or standard user. I think every user here trusts Sandboxie to be safe, otherwise we wouldn't be using it, but I don't have a clue whether these elevated privileges might make Sandboxie a vector for some sort of attack. If it's safe, then I think my workaround could be recommended. (If it isn't, well, I offer it as inspiration - idk maybe you senior folks can figure out how to make a "system privileged sandbox token" or something that doesn't require elevating the entire app.)

Anyway, what do you think?
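A defender's view of the workaround in the comment above, as an added example that is not part of the thread or of Sandboxie: with `psexec -s`, the PsExec service (PSEXESVC.exe) becomes the parent of SandMan.exe, and everything SandMan starts inherits SYSTEM on the user's desktop. The sketch flags that pattern in process-creation records; it assumes Sysmon Event ID 1 field names, and the records, PIDs, user name and `ExampleApp.exe` are constructed.

```python
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"
SBIE = r"C:\Program Files\Sandboxie-Plus\SandMan.exe"

def ev(pid, ppid, user, session, image, parent_image):
    """Build one constructed record using Sysmon Event ID 1 field names."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "User": user,
            "TerminalSessionId": session, "Image": image,
            "ParentImage": parent_image}

# Constructed sample data in creation order; PIDs, user and ExampleApp.exe are made up.
EVENTS = [
    ev(4100, 900, r"DESKTOP\alice", 1, r"C:\Tools\PsExec.exe",
       r"C:\Windows\System32\cmd.exe"),
    ev(5200, 5100, SYSTEM, 1, SBIE, r"C:\Windows\PSEXESVC.exe"),
    ev(5300, 5200, SYSTEM, 1, r"C:\Apps\ExampleApp.exe", SBIE),
    ev(6000, 800, r"DESKTOP\alice", 1, SBIE, r"C:\Windows\explorer.exe"),
    ev(700, 600, SYSTEM, 0, r"C:\Windows\System32\svchost.exe",
       r"C:\Windows\System32\services.exe"),
]

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def flag_interactive_system(events):
    """Return (pid, image, reason) for SYSTEM processes in an interactive
    session that the PsExec service started, plus their descendants.
    Assumes events are in creation order and ignores PID reuse."""
    roots = {}      # pid -> image of the PsExec-launched ancestor
    findings = []
    for e in events:
        # Session 0 is the services session; SYSTEM there is normal.
        if e["User"].upper() != SYSTEM or e["TerminalSessionId"] == 0:
            continue
        pid, ppid = e["ProcessId"], e["ParentProcessId"]
        if base(e["ParentImage"]) == "psexesvc.exe":
            roots[pid] = e["Image"]
            findings.append((pid, e["Image"], "started by PsExec service"))
        elif ppid in roots:
            roots[pid] = roots[ppid]
            findings.append((pid, e["Image"],
                             "descendant of " + base(roots[ppid])))
    return findings

if __name__ == "__main__":
    for finding in flag_interactive_system(EVENTS):
        print(finding)
```

The ordinary, user-level SandMan.exe (PID 6000) and the session 0 service are not reported; only the PsExec-launched instance and its child are.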

isaak654 commented 3 months ago

> I don't know if it's worth a contributor cert, but I think I required a workaround for MSIX Store apps, a workaround which doesn't necessarily require a PR or any code changes...

I would like to clarify one thing once and for all: I'm not interested, nor will I be in the future, in any of your requests, as you tend to use personal mentions more often than I would prefer (and for which I have modified your comment accordingly).

e-t-l commented 3 months ago

> once and for all: I'm not interested, nor will I be in the future, in any of your requests

Really sorry man, I didn't know it bugged you. Just trying to help out a community project..

xuanswe commented 3 months ago

Really need this feature, especially for communication apps like WhatsApp, Facebook, Messenger, etc.

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 3 months ago

> Really need this feature, especially for communication apps like WhatsApp, Facebook, Messenger, etc.

Kinda offtopic: all those can be run in a web browser, and I'd recommend doing so to minimize the access they have to your computer (even with Sandboxie, they still have access to all your files). I recommend a different browser profile for Meta apps so that they don't track you cross-site, or at least block 3rd-party cookies with a combination of extensions: uBlock + Privacy Badger or even NoScript/uMatrix. Browsers nowadays have this option as well in their settings.

xuanswe commented 3 months ago

> those can run in web browser and it's recommended to run them so

I consider this a workaround, not an actual solution. This is also not a universal solution and only works for some apps. I have some communication apps; they don't support web browsers. This is also quite inconvenient: now I need to manage many browser profiles, and it's confusing which account is on which profile. The dual app and second space features on Android are so cool. I cannot live without it. If an Android device were as powerful as a PC/laptop, I would even want to remove the limitation of "dual app" to "unlimited app".

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented 3 months ago

> > those can run in web browser and it's recommended to run them so
>
> I consider this a workaround, not an actual solution. This is also not a universal solution and only works for some apps. I have some communication apps; they don't support web browsers. This is also quite inconvenient: now I need to manage many browser profiles, and it's confusing which account is on which profile. The dual app and second space features on Android are so cool. I cannot live without it. If an Android device were as powerful as a PC/laptop, I would even want to remove the limitation of "dual app" to "unlimited app".

You can name the profiles and set colors (e.g. in Brave). You can even pin the profiles to the task bar to quickly open them (e.g. one profile for all Meta related apps). On Android there are no multiple profiles currently (only the work profile as set by the OS). There is a workaround https://gist.github.com/Akianonymus/1fb3c040080f79e7a015c7948e874499 and a tracking issue https://github.com/oasisfeng/island/issues/107

I can give you a hint if you want on how to pin the profiles to the task bar like a pro in Brave.

xuanswe commented 3 months ago

> You can name the profiles and set colors (e.g. in Brave). You can even pin the profiles to the task bar to quickly open them (e.g. one profile for all Meta related apps).

Thank you for the offer of help. I know how to do all of this with browser profiles. But as I wrote, I have some apps which don't work with browsers, so this workaround will not work anyway.

On Android, I have the dual app and second space features natively, so I don't need a workaround with browser profiles either.

joeyoropesa-dev commented 3 months ago

What's the current development of UWP support?

Is it planned?

Remember, if you successfully implement UWP support, potentially we could achieve cross-platform UWP support on any OS since Wine could also be updated to install and use Sandboxie to execute modern Windows Apps ✨

It's like a dream come true

And discontinued versions of Windows could also execute appx in that case ✨

e-t-l commented 2 months ago

> Since Sandboxie can't access WindowsApps, it returns System error code: Access is denied. (5)
>
> The simple solution is to run Sandboxie with system-user privileges. (I believe this is different than running it in the system-user context like a scheduled task could do. In that scenario, the program would not be visible or interactable!)
>
> The easiest way to do this is to download PSEXEC and run psexec -i -s "C:\Program Files\Sandboxie-Plus\SandMan.exe"
>
> ...
>
> I don't have a clue whether these elevated privileges might make Sandboxie a vector for some sort of attack. If it's safe, then I think my workaround could be recommended. (If it isn't, well, I offer it as inspiration - idk maybe you senior folks can figure out how to make a "system privileged sandbox token" or something that doesn't require elevating the entire app.)

Can anyone clarify if running Sandboxie with System privileges is a safe/viable option here?

isaak654 commented 2 months ago

> What's the current development of UWP support?
>
> Is it planned?

A link to the roadmap is available in the project history.

More specifically:

  1. Proper UWP support is planned, but it is not known when.
  2. The public roadmap should be updated more often. For example, another feature is planned, but it is not included.