sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0
13.69k stars, 1.52k forks

encrypted files on the host cannot be read or deleted from within sandboxie (ie. Access Denied) #77

Closed. menaquinoneK2 closed this issue 11 months ago.

menaquinoneK2 commented 4 years ago

Examples from within Firefox:

Win error 5 during operation open on file C:\Users\John\AppData\Local\Mozilla\Firefox\Profiles\dosekefd.default-beta\startupCache\webext.sc.lz4 (Access is denied.

) ExtensionParent.jsm:1745
    _readData resource://gre/modules/ExtensionParent.jsm:1745
    AsyncFunctionThrow self-hosted:688
Win error 5 during operation delete on file C:\Users\John\AppData\Local\Mozilla\Firefox\Profiles\dosekefd.default-beta\settings\main\ms-language-packs\asrouter.ftl (Access is denied.

) ASRouter.jsm:124
    reportError resource://activity-stream/lib/ASRouter.jsm:124
    _remoteSettingsLoader resource://activity-stream/lib/ASRouter.jsm:339
    InterpretGeneratorResume self-hosted:1142
    AsyncFunctionThrow self-hosted:688
Win error 5 during operation delete on file C:\Users\John\AppData\Local\Mozilla\Firefox\Profiles\dosekefd.default-beta\startupCache\webext.sc.lz4 (Access is denied.

) DeferredTask.jsm:335
    _runTask resource://gre/modules/DeferredTask.jsm:335
    InterpretGeneratorResume self-hosted:1142
    AsyncFunctionThrow self-hosted:688

One more example, encountered in this comment and seen in the log (expand the Details by clicking on it) as failed(5) (i.e. ERROR_ACCESS_DENIED 5 (0x5): Access is denied.).

Note: "encrypted" means they show up as green in explorer.exe (Win7 x64) or are seen as having the "e" attribute in Total Commander.
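Added example (not from this issue or the Sandboxie project): a PowerShell inventory of the EFS-encrypted files under a Firefox profile, i.e. the files Explorer shows in green and Total Commander marks with the "e" attribute. Running it on the host tells you exactly which files a sandboxed Firefox will get error 5 on. The default profile location is an assumption; pass your own path with -ProfileRoot.

```powershell
# Added example: list EFS-encrypted files and directories under a Firefox profile.
# Not from the issue or from Sandboxie; the default path below is an assumption.
param(
    [string]$ProfileRoot = "$env:LOCALAPPDATA\Mozilla\Firefox\Profiles"
)

function Get-EfsEncryptedItem {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        throw "Path not found: $Root"
    }
    # -Force includes hidden/system items; directories are included because an
    # EFS-encrypted directory makes every new file created inside it encrypted too.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = if ($_.PSIsContainer) { 'Dir' } else { 'File' }
                Length = if ($_.PSIsContainer) { $null } else { $_.Length }
                Path   = $_.FullName
            }
        }
}

$items = @(Get-EfsEncryptedItem -Root $ProfileRoot)
if ($items.Count -eq 0) {
    "No EFS-encrypted items under $ProfileRoot"
} else {
    "$($items.Count) EFS-encrypted item(s) under $ProfileRoot (a sandboxed process gets error 5 on these):"
    $items | Sort-Object Type, Path | Format-Table Type, Length, Path -AutoSize
}
```

`cipher.exe /c <file>` shows which EFS certificate(s) can open a listed file, and `cipher.exe /d <file>` (or `/d /s:<dir>` for a whole tree) clears the attribute, which is the usual way to get such a profile working again inside a box without touching the sandbox's token settings.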

DavidXanatos commented 2 years ago

I have looked into this issue and IMHO there is no safe way around it. To make it work, the process's primary token must have the original user SID and have a non-0 integrity level:

AnonymousLogon=n
KeepTokenIntegrity=y

This pretty much already breaks most of the security isolation, so at this point it's best to use the box in app compartment mode, where at least one gets additionally improved compatibility:

NoSecurityIsolation=y

The access denied comes from the NtCreateFile call directly, while it is impersonating the original user token through the sbie driver. Meaning if that is not enough, nothing will be; at this point the kernel is checking the primary process token, and that must remain heavily restricted for security reasons.

There would be a workaround using a broker process that runs as the user and hands out handles to encrypted files to other processes, but that's quite a lot of work for IMHO little benefit.
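Added example (not from this issue or the Sandboxie project): a PowerShell check to run inside the box (e.g. a sandboxed powershell.exe) that reports what the comment above is about, the process token's user SID and its integrity level. The pass/fail condition is taken from the comment (original user SID, integrity level above 0); the expectation that a default box shows the well-known ANONYMOUS LOGON SID S-1-5-7 follows from the AnonymousLogon=n setting named above and is an assumption about your configuration.

```powershell
# Added example: summarise the current process token as seen from inside the sandbox.
# Not from the issue or from Sandboxie. Uses whoami.exe output rather than
# [Security.Principal.WindowsIdentity] because WindowsIdentity.Groups does not
# expose the integrity label SID (S-1-16-<level>).
function Get-TokenSummary {
    $user   = whoami.exe /user   /fo csv | ConvertFrom-Csv   # columns: "User Name","SID"
    $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv   # columns include "Group Name","SID"
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # Integrity level is the last RID of S-1-16-<level>; 0 is "Untrusted",
    # 4096 Low, 8192 Medium, 12288 High. -1 means no label was reported.
    $level = if ($label) { [int](($label.SID -split '-')[-1]) } else { -1 }

    [pscustomobject]@{
        UserName        = $user.'User Name'
        UserSid         = $user.SID
        IsAnonymousSid  = ($user.SID -eq 'S-1-5-7')   # well-known ANONYMOUS LOGON SID
        IntegrityLabel  = if ($label) { $label.'Group Name' } else { '(none reported)' }
        IntegrityLevel  = $level
        # Condition stated in the comment: original (non-anonymous) user SID
        # and a non-0 integrity level, otherwise NtCreateFile on an EFS file fails.
        MeetsEfsTokenCondition = (($user.SID -ne 'S-1-5-7') -and ($level -gt 0))
    }
}

$summary = Get-TokenSummary
$summary | Format-List
if (-not $summary.MeetsEfsTokenCondition) {
    'Token is restricted (anonymous SID and/or integrity 0): opening EFS-encrypted files will fail with error 5.'
}
```

Running it once in a default box and once after adding the AnonymousLogon=n / KeepTokenIntegrity=y lines (or NoSecurityIsolation=y) to the box section makes the trade-off visible: the settings that make MeetsEfsTokenCondition true are the same ones that hand the sandboxed process a token the comment describes as breaking most of the isolation.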

DavidXanatos commented 11 months ago

There is a fix for that in the insider build: https://github.com/sandboxie-plus/Sandboxie/issues/1980. In due time it will find its way to the public build.