Add option to evaluate sandbox rules in file order

Ideas for enhancements to the software
Post Reply
Binky
Posts: 129
Joined: Sun Nov 14, 2010 9:21 pm

Add option to evaluate sandbox rules in file order

Post by Binky » Thu Oct 20, 2011 11:02 am

After researching Windows security for 11 years, I have relied for the last year on Sandboxie for my primary security. Really great software!

There is something I have been wishing for over the last year. Other security software (HIPS I used to use, firewall I still use) achieves surgical precision and simplicity by evaluating rules in the order they appear in file. According to tzuk (see http://www.sandboxie.com/phpbb/viewtopic.php?t=9427), Sandboxie evaluates all ClosedFilePath rules, then all ReadFilePath rules and then all OpenFilePath rules. If none of these *FilePath rules apply to a file I/O, then a read is allowed and a write is sandboxed. Thus, the order of these rules doesn't matter.

I would like a new Sandboxie.ini setting that tells Sandboxie to evaluate these rules in the order they appear in file. Without the new setting, Sandboxie would work as today for backwards compatibility. I propose that this new evaluation mode would speed up execution because 1) only one pass through is needed for the three *FilePath rules compared to three passes today, and 2) I can reduce the number of rules to achieve the same effect. More importantly, the new setting provides more surgical precision in achieving security. Here is a good example: http://www.sandboxie.com/phpbb/viewtopic.php?t=11714

I further propose adding a new rule/setting, maybe called NormalFilePath, that specifies that file I/O matching the path is allowed to read, but writes are sandboxed. Today, this behavior applies if file I/O doesn't match any *FilePath rules. This new setting, which would only when rules are evaluated in file order, could be inserted between *FilePath rules to provide more flexibility in file I/O rules. I suggest that NormalFilePath behavior would still apply if no *FilePath rules match a given file I/O.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Thu Oct 20, 2011 2:17 pm

Since I've had this discussion too many times already, you'll have to forgive me for being brief this time. The answer is no.
tzuk

gnasirator
Posts: 1
Joined: Wed Nov 02, 2011 10:29 am

Alternative

Post by gnasirator » Wed Nov 02, 2011 10:37 am

I might suggest a simpler alternative here:

Sandboxie - as it works right now - prefers denying rules over allowing ones.
Thus it is impossible to block acces to whole drives while still allowing acces to some handpicked important files.

Suggestion: Change the priority the other way round - or better: Include a checkbox that let's the user decide wether he wants to priorize the block or the allow rules.

By the way - that's a feature I really miss.
I just found sandboxie very handy to block the Origin spyware from scanning my private files (Origin - Battlefield 3). But Blocking every single sub folder and file in a specific directory just to allow the one which is necceary to run the game is VERY complicated.
This would be an (i guess) easily programmable solution which offers a BIG extra in usability.

Greetings

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests