[.01] Changes to OpenWinClass=*

Listing issues addressed in beta version 4.03
tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 5:57 pm

Post by tzuk » Tue Jun 25, 2013 10:34 am

As you may know, in version 4, the process in the sandbox is confined into a "job" concept which prevents interacting with window objects outside the sandbox.

This has two major implications:

- All interactions with window objects outside the sandbox have to go through a SbieSvc proxy process.

- Lower level requests such as simulating keyboard input, registering a hotkey or changing system parameters are not supported.

Version 4.03 revises this by treating the OpenWinClass=* case as a special case. In version 4.03, when the sandbox settings include OpenWinClass=*, the process is not put into a job, which means normal access to window objects, and the lower level requests are permitted.

This new special case is intended primarily for people who want to take advantage of filesystem/registry isolation when installing trusted programs into the sandbox.

To enable: Sandbox Settings > Resource Access > Window Access > Click Add, enter * (a single wildcard star), click OK.
tzuk

Post by tzuk » Tue Jun 25, 2013 10:38 am

tzuk

Post by tzuk » Fri Aug 02, 2013 10:13 am

Quoting BUCKAROO from another topic:
BUCKAROO wrote: Decreased security? Not that I've found. This setting is purported to allow "full communication with all windows outside the sandbox" but Sandboxie v4 processes can't so much as (directly) show/hide an existing window outside... I don't know if that's a bug.

Not really a bug, more like an oversight. The process in the sandbox is still running at untrusted integrity level even when OpenWinClass=* so the UAC/UIPI mechanism prevents it from accessing window objects that have a higher integrity level. And most window objects outside the sandbox should have at least medium integrity level.

This means that on systems where UAC is enabled, OpenWinClass=* doesn't really mean the process in the sandbox has more access to window objects. However, it can "see" and "read" window objects outside the sandbox directly without going through SbieSvc, whereas without OpenWinClass=*, it cannot see or read window objects outside the sandbox directly, and has to go through the SbieSvc helper process.

If UAC is disabled, and on Windows XP, integrity levels don't come into play for window objects, and OpenWinClass=* does give the process in the sandbox full access to window objects outside the sandbox.
tzuk
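
Added example, not part of the original thread and not Sandboxie code: a small audit that finds configuration sections setting OpenWinClass=* and reports the exposure the posts above describe for version 4.03, depending on whether UAC is enabled. The sample configuration text and the box name InstallBox are constructed; matching the setting name case-insensitively and tolerating spaces around "=" are assumptions of this sketch.

```python
# Constructed sample in the style of a Sandboxie.ini; box names are made up.
SAMPLE_INI = """\
[GlobalSettings]

[DefaultBox]
Enabled=y
OpenWinClass=Shell_TrayWnd

[InstallBox]
Enabled=y
OpenWinClass=ConsoleWindowClass
openwinclass = *
"""


def wildcard_window_sections(ini_text):
    """Return names of sections that contain OpenWinClass=* (repeated keys allowed)."""
    hits, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Only the bare wildcard is the special case named in the thread.
        # Assumption: setting names are compared case-insensitively.
        if key.lower() == "openwinclass" and value == "*" and section not in hits:
            hits.append(section)
    return hits


def assess(ini_text, uac_enabled):
    """Map each flagged section to the exposure the thread describes for 4.03."""
    if uac_enabled:
        note = ("no job object; windows outside the sandbox can be seen and read "
                "directly; UIPI still blocks access to higher-integrity windows")
    else:
        note = "no job object; full access to window objects outside the sandbox"
    return {name: note for name in wildcard_window_sections(ini_text)}


if __name__ == "__main__":
    for box, note in assess(SAMPLE_INI, uac_enabled=True).items():
        print(f"{box}: {note}")
```

To check a real configuration, read the file as text in the encoding it is stored in and pass the result to assess() together with the UAC state of the machine.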
