Closed menaquinoneK2 closed 11 months ago
I have looked into this issue and IMHO there is no safe way wound it. to make it work the process's primary token must have the original user SID and have a non 0 integrity level
AnonymousLogon=n
KeepTokenIntegrity=y
This pretty much already breaks most of the security isolation, so at this point its best to use the box in app compartment mode, there at least one gets additionally improved compatibility
NoSecurityIsolation=y
The access denied comes from the NtCreateFile call directly, while it is impersonating the original user token through the sbie driver. Meaning if that is not enough nothing will be, at this point the kernel is checking the primary process token and that must remain for security reasons heavily restricted.
There would be a workaround using a broker process that runs as the user and handing out handles to encrypted files to other process, but that's quite a lot of work for IMHO little benefit.
there is a fix for that in the insider build: https://github.com/sandboxie-plus/Sandboxie/issues/1980 in due time it wil find its way to the public build
examples from within firefox:
One more example encountered in this comment seen in the log(expand the
Details
by clicking on it) asfailed(5)
(ie.5 (ERROR_ACCESS_DENIED 5 (0x5) Access is denied.
)Note: encrypted means they show up as green in explorer.exe (win7 x64) or seen as having
e
attribute in total commander.