sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Clipboard separation #2385

Open Derk92 opened 1 year ago

Derk92 commented 1 year ago

Is your feature request related to a problem or use case?

I want to use Sandboxie for passwords - to have a sandbox with my password manager and a browser, then to copy-paste passwords from the password manager to the browser and the other way around, but to keep the clipboard just within the sandbox so it does not leak outside. I would like for the other programs outside of the sandbox to not be able to capture that clipboard (nor keystrokes). Can this be achieved at this point? I can see a setting that disables clipboard within the sandbox (OpenClipboard=n), this is not what I am looking for. I would like to protect what's inside the sandbox against the surrounding system, not vice versa.

This is possible in Windows Sandbox with the Group Policy, by setting the property "Computer Configuration\Administrative Templates\Windows Components\Windows Sandbox\Allow clipboard sharing with Windows Sandbox" to Disable. Then it basically creates two different clipboards - one for Windows and one for the sandbox that do not interfere with each other.

Just an additional question - currently when I interfere with a sandboxed app, can programs outside of that sandbox capture the keystrokes? If yes, can this be restricted?

Describe the solution you'd like

Two separate clipboards, one for the sandbox, second for the surrounding system. Ability to enable and disable this behavior at any time (to separate the two clipboards and to join them again) (as is possible in a typical virtualization like VirtualBox). When clipboards are separated, ability to run a one-time action to copy the clipboard from Windows to a sandbox and from a sandbox to Windows.

Describe alternatives you've considered

Windows Sandbox, but it does not have persistence.

DavidXanatos commented 1 year ago

> Then it basically creates two different clipboards - one for Windows and one for the sandbox that do not interfere with each other.

No, it always has two clipboards, one on the host and one in the guest VM acting as a sandbox; this policy only disables the synchronization of clipboard content.

As Sandboxie does not run a full-blown VM, which would consume 4+ GB of memory, creating a fully isolated clipboard is not that easy. We could try to emulate all clipboard functionality in userspace, but that would be a lot of work. If you want this feature, become a Patreon on the legendary tier and I'll look into it.

> Just an additional question - currently when I interfere with a sandboxed app, can programs outside of that sandbox capture the keystrokes? If yes, can this be restricted?

Currently they could; preventing keylogging on the host is currently outside the scope of Sandboxie. This could be added, though, based on this sample: https://github.com/Microsoft/Windows-driver-samples/tree/main/input/kbfiltr