Sandboxie Support

Support Forum for Sandboxie
https://forums.sandboxie.com/phpBB3/

[.01] Changes to OpenWinClass=*

https://forums.sandboxie.com/phpBB3/viewtopic.php?f=39&t=15837

Page 1 of 1

[.01] Changes to OpenWinClass=*

Posted: Tue Jun 25, 2013 5:34 am
by tzuk
As you may know, in version 4, the process in the sandbox is confined into a "job" concept which prevents interacting with window objects outside the sandbox.

This has two major implications:

- All interactions with window objects outside the sandbox have to go through a SbieSvc proxy process.

- Lower level requests such as simulating keyboard input, registering a hotkey or changing system parameters are not supported.

Version 4.03 revises this by treating the OpenWinClass=* case as a special case. In version 4.03, when the sandbox settings include OpenWinClass=*, the process is not put into a job, which means normal access to window objects, and the lower level requests are permitted.

This new special case is intended primarily at people who want to take advantage of filesystem/registry isolation when installing trusted programs into the sandbox.

To enable: Sandbox Settings > Resource Access > Window Access > Click Add, enter * (a single wildcard star), click OK.

Posted: Tue Jun 25, 2013 5:38 am
by tzuk
Some problems which should be fixed with the new OpenWinClass=* setting are discussed in these topics:

http://www.sandboxie.com/phpbb/viewtopic.php?t=15709

http://www.sandboxie.com/phpbb/viewtopic.php?t=15750

http://www.sandboxie.com/phpbb/viewtopic.php?t=15767

http://www.sandboxie.com/phpbb/viewtopic.php?t=15806

Posted: Fri Aug 02, 2013 5:13 am
by tzuk
Quoting BUCKAROO from another topic:
BUCKAROO wrote:Decreased security? Not that I've found. This setting is purported to allow "full communication with all windows outside the sandbox" but Sandboxie v4 processes can't so much as (directly) show/hide an existing window outside... I don't know if that's a bug.
Not really a bug, more like an oversight. The process in the sandbox is still running at untrusted integrity level even when OpenWinClass=* so the UAC/UIPI mechanism prevents it from accessing window objects that have a higher integrity level. And most window objects outside the sandbox should have at least medium integrity level.

This means that on systems where UAC is enabled, OpenWinClass=* doesn't really mean the process in the sandbox has more access to window objects. However it can "see" and "read" window objects outside the sandbox directly without going through SbieSvc. Whereas without OpenWinClass=*, it cannot see or read window objects outside the sandbox directly, and has to go through the SbieSvc helper process.

If UAC is disabled, and on Windows XP, integrity levels don't come into play for window objects, and OpenWinClass=* does give the process in the sandbox full access to window objects outside the sandbox.
All times are UTC-04:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/