Closed LYingSiMon closed 1 year ago
Hello, you can inspect the permissions granted using a tool like TaskExplorer, SystemInformer, or ProcessExplorer. As you can then see, the access to processes in other boxes or outside the sandbox is reduced down from PROCESS_ALL_ACCESS to only a subset of read-only permissions; see the source here: https://github.com/sandboxie-plus/Sandboxie/blob/1fc9d1c716c1ae0faaa8a0285db1b1f0ff8874d1/Sandboxie/core/dll/secure.c#L588
The code was added before my time, so I don't know the exact reason for this behavior, but likely this was done to facilitate better compatibility in scenarios where more rights are requested than needed and the call would succeed normally. As any process with bad intentions could, after failing to get PROCESS_ALL_ACCESS, just retry with SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION anyway and get the same result, this does not pose a security risk. But it's not expected Windows behavior, so perhaps a compatibility option should be added here to enable/disable this behavior.
I see. Thank you for your answer.
Describe what you noticed and did
Test code:
screenshot:
Normally, I don't think processes in box2 should be able to get process handles in box1 or out of the sandbox, but now they can.
How often did you encounter it so far?
Every time
Affected program
Each program
Download link
null
Where is the program located?
Not relevant to my request.
Expected behavior
ProcCount is always 1
What is your Windows edition and version?
1909
In which Windows account you have this problem?
Not relevant to my request.
Please mention any installed security software
null
What version of Sandboxie are you running?
1.6.3
Is it a new installation of Sandboxie?
I recently did a new clean installation.
Is it a regression?
no
In which sandbox type you have this problem?
all types box
Can you reproduce this problem on a new empty sandbox?
I can confirm it also on a new empty sandbox.
Did you previously enable some security policy settings outside Sandboxie?
no
Crash dump
No response
Trace log
No response
Sandboxie.ini configuration