It would be nice if programs started outside of the sandbox environment could be forced to run in the current sandbox, rather than always having to run in a specific sandbox.
Could this be done by allowing ForceProcess to be specified as either a Sandbox Setting or as a Global Setting?
If specified as a Global Setting, a program could be forced to run in the current sandbox. If specified as a Sandbox Setting, it would be forced to run in the named sandbox, as now. This would make ForceProcess more flexible.
Regards
Peter
Option to force programs to run in current sandbox
-
Unknown_User_684
- Posts: 0
- Joined: Wed Dec 31, 1969 7:00 pm
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
I thought you already could? if you add a ForceProcess under a particular sandbox in the ini, then that process will be forced in that particular sandbox you placed the "ForceProcess" under.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
Unknown_User_684
- Posts: 0
- Joined: Wed Dec 31, 1969 7:00 pm
Hi SnDPhoenix,
Thanks for your reply. I think that you've misunderstood what I was trying to say - my fault for not being clear enough in the first place. I'm afraid I'm now going to have to provide a more detailed explanation to clarify my original post, so please bear with me.
As currently implemented, my understanding is that ForceProcess exhibits the following behaviour: -
(1) If ForceProcess is not specified for a program anywhere within the INI file, the program will load outside of any sandbox when started from outside of the sandbox environment.
(2) If a single ForceProcess entry is specified for a program within the INI file as a Sandbox Setting, the program will be forced to load into the specified sandbox when started from outside of the sandbox environment.
(3) If multiple ForceProcess entries are specified for a program within the INI as Sandbox Settings under different sandboxes, the program will be loaded into the first sandbox that has an entry specified when started from outside of the sandbox environment. This is therefore dependent on the order in which the sandboxes are defined within the INI file, which is usually, but not necessarily, DefaultBox. This is perfectly acceptable, as the user has created an ambiguity which Sandboxie must resolve.
(4) If a program is started from within the sandbox environment using the "Run Sandboxed" command from within Sandboxie Control, all ForceProcess entries are bypassed and the program will load in the sandbox designated as current in the "Switch to Sandbox" list.
Now whilst it is clearly pointless to explicitly specify more than one ForceProcess entry for the same program in the INI file under different sandboxes, the behaviour described in (3) above does become relevant if ForceProcess is specified as a generic Global Setting.
When specified as a Global Setting - which along with other INI file settings is a perfectly valid thing to do - the generic Global Setting is inherited by every sandbox that does not override the Global Setting explicitly with a specific Sandbox Setting. This is correct but the issue arises in the interpretation that Sandboxie places on this when deciding which sandbox to force the program to be loaded into when applying the ForceProcess setting.
I suggest that the only logical reason to want to specify ForceProcess as a generic Global Setting, rather than using a Sandbox Setting to associate it with a specific sandbox, is to enable the decision as to which sandbox to force the program to be loaded into to be made dynamically at run time, using the sandbox designated as current in the "Switch to Sandbox" list within Sandboxie Control.
What you actually get is the behaviour as described in (3) above. This is a valid interpretation of inheritance, but to me (3) is sub-optimal in this situation. IMHO there is a difference between how Global Settings should be applied to a program already running in a sandbox and how they should be applied when choosing a sandbox to start a program in, where the context needs to be considered. If I wanted to force a program to start in the first sandbox defined in the INI file, I would define ForceProcess as a specific Sandbox Setting, not a generic Global Setting.
Personally, I would like to be able to configure Sandboxie so that a program I always want to run sandboxed starts within the sandbox designated as current in the "Switch to Sandbox" list within Sandboxie Control, no matter how it has been launched. Unless I am mistaken, in order to accomplish this I think that the behaviour of ForceProcess when specified as a Global Setting would need to change.
Sorry to be so long-winded but I hope I've managed to make myself clear this time.
Regards
Peter
Thanks for your reply. I think that you've misunderstood what I was trying to say - my fault for not being clear enough in the first place. I'm afraid I'm now going to have to provide a more detailed explanation to clarify my original post, so please bear with me.
As currently implemented, my understanding is that ForceProcess exhibits the following behaviour: -
(1) If ForceProcess is not specified for a program anywhere within the INI file, the program will load outside of any sandbox when started from outside of the sandbox environment.
(2) If a single ForceProcess entry is specified for a program within the INI file as a Sandbox Setting, the program will be forced to load into the specified sandbox when started from outside of the sandbox environment.
(3) If multiple ForceProcess entries are specified for a program within the INI as Sandbox Settings under different sandboxes, the program will be loaded into the first sandbox that has an entry specified when started from outside of the sandbox environment. This is therefore dependent on the order in which the sandboxes are defined within the INI file, which is usually, but not necessarily, DefaultBox. This is perfectly acceptable, as the user has created an ambiguity which Sandboxie must resolve.
(4) If a program is started from within the sandbox environment using the "Run Sandboxed" command from within Sandboxie Control, all ForceProcess entries are bypassed and the program will load in the sandbox designated as current in the "Switch to Sandbox" list.
Now whilst it is clearly pointless to explicitly specify more than one ForceProcess entry for the same program in the INI file under different sandboxes, the behaviour described in (3) above does become relevant if ForceProcess is specified as a generic Global Setting.
When specified as a Global Setting - which along with other INI file settings is a perfectly valid thing to do - the generic Global Setting is inherited by every sandbox that does not override the Global Setting explicitly with a specific Sandbox Setting. This is correct but the issue arises in the interpretation that Sandboxie places on this when deciding which sandbox to force the program to be loaded into when applying the ForceProcess setting.
I suggest that the only logical reason to want to specify ForceProcess as a generic Global Setting, rather than using a Sandbox Setting to associate it with a specific sandbox, is to enable the decision as to which sandbox to force the program to be loaded into to be made dynamically at run time, using the sandbox designated as current in the "Switch to Sandbox" list within Sandboxie Control.
What you actually get is the behaviour as described in (3) above. This is a valid interpretation of inheritance, but to me (3) is sub-optimal in this situation. IMHO there is a difference between how Global Settings should be applied to a program already running in a sandbox and how they should be applied when choosing a sandbox to start a program in, where the context needs to be considered. If I wanted to force a program to start in the first sandbox defined in the INI file, I would define ForceProcess as a specific Sandbox Setting, not a generic Global Setting.
Personally, I would like to be able to configure Sandboxie so that a program I always want to run sandboxed starts within the sandbox designated as current in the "Switch to Sandbox" list within Sandboxie Control, no matter how it has been launched. Unless I am mistaken, in order to accomplish this I think that the behaviour of ForceProcess when specified as a Global Setting would need to change.
Sorry to be so long-winded but I hope I've managed to make myself clear this time.
Regards
Peter
-
SnDPhoenix
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Hahaha, ok, i see what you mean now. Currently, ForceProcess only works as a Sandbox Setting, so the specified process will only be forced into whatever Sandboxed you have specified the "force" under in the ini. What you would like is the ability to have ForceProcess act as an Sandbox Setting and as an Global Setting. That way if you only want for example, Opera, to be forced into the "DefaultBox" then you'd just put the ForceProcess under the "DefaultBox" section of the ini, but, if you'd prefer to have Opera forced in any sandbox then you'd specify the ForceProcess as an global setting instead, and by setting the ForceProcess as an global setting, that would mean that, ( in this case), Opera would be forced into whatever your current sandbox is, and if you switch to another sandbox during your "session" then Opera would be forced into that sandbox and so on, so do i understand correctly now? Well, if so, then i think its a good idea, as a matter fact i wonder why it hasnt been there since the beggining? Is it to hard to make one Parameter act as 2 different settings, if not, can this be done?
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
Unknown_User_684
- Posts: 0
- Joined: Wed Dec 31, 1969 7:00 pm
Hi SnDPhoenix,
Yes, you've understood me correctly; that's exactly what I'm saying.
In fact all parameters, including ForceProcess, already function in two ways, because each can be specified in the [GlobalSettings] section of the INI file, as well as in the separate sections that define the sandboxes.
I think that the issue is to do with the way inheritance has been implemented within Sandboxie. For all parameters that control the behaviour of a program AFTER it has been started inside a sandbox, inheritance works as expected. For ForceProcess, which applies to the loading of a program BEFORE it has been started inside a sandbox, the context of where in the INI file the ForceProcess entry has been placed should be taken into account explicitly.
I would have thought that it shouldn't be too hard to change the code to make the inheritance feature of ForceProcess behave differently to take into account the context when defined in [GlobalSettings]. If the search of the INI file to find a sandbox with the ForceProcess parameter were changed to always check the current sandbox first, it would become the default in this situation. No doubt Ronen will comment on this in due course.
I'm glad you think it's a good idea.
Regards
Peter
Yes, you've understood me correctly; that's exactly what I'm saying.
In fact all parameters, including ForceProcess, already function in two ways, because each can be specified in the [GlobalSettings] section of the INI file, as well as in the separate sections that define the sandboxes.
I think that the issue is to do with the way inheritance has been implemented within Sandboxie. For all parameters that control the behaviour of a program AFTER it has been started inside a sandbox, inheritance works as expected. For ForceProcess, which applies to the loading of a program BEFORE it has been started inside a sandbox, the context of where in the INI file the ForceProcess entry has been placed should be taken into account explicitly.
I would have thought that it shouldn't be too hard to change the code to make the inheritance feature of ForceProcess behave differently to take into account the context when defined in [GlobalSettings]. If the search of the INI file to find a sandbox with the ForceProcess parameter were changed to always check the current sandbox first, it would become the default in this situation. No doubt Ronen will comment on this in due course.
I'm glad you think it's a good idea.
Regards
Peter
-
Unknown_User_684
- Posts: 0
- Joined: Wed Dec 31, 1969 7:00 pm
-
Rasheed187
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Btw, I haven´t really read the whole topic in detail, so I might be going a bit off topic, but what I would like is that you could run certain tools that you want to protect from drive by attacks (let´s say your browser) in a certain sandbox, and all other tools that you install would show up in the defaultbox, so when sandboxing these tools they can´t make any changes to your browser (for example they can´t install a BHO).
This way you can have a "safe sandbox" which you will use to browse, and the plan is to not get infected, something that a good HIPS must be able to prevent. The other sandbox(es) are used to check out software, and you wouldn´t mind clearing this sandbox if you´d install some malicous tool.
This way you can have a "safe sandbox" which you will use to browse, and the plan is to not get infected, something that a good HIPS must be able to prevent. The other sandbox(es) are used to check out software, and you wouldn´t mind clearing this sandbox if you´d install some malicous tool.
Re: Option to force programs to run in current sandbox
Actually, you can get a process which is forced to run in a particular sandbox to run in the default box instead. If you right click on an otherwise 'forced' program (the actual executable or a shortcut to it) and select 'Run Sandboxed', it will always run in the default box, rather than the designated box.peterg wrote:It would be nice if programs started outside of the sandbox environment could be forced to run in the current sandbox, rather than always having to run in a specific sandbox.
While you can not get it to run in the 'current box', you can alter the normal 'forced' behavior by invoking it with the right click context menu. The fact that Sandboxie does not respect the 'ForcedProcess' setting when a program is started via the right click context menu might be considered a flaw by some (me for instance), but for your purposes, it may prove to be an undocumented feature.
Dan
-
Rasheed187
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
About my post, is this possible or not, and do you all understand what I´m saying? I´ve been thinking, running your browser sandboxed with protection from your HIPS is basically almost bulletproof PC protection, because first hackers must find a way to bypass your HIPS, and after that they can´t even modify the real file system and registry.
But I do need a separate sandbox for my browser (and other vulnerable tools) and other sandboxes just for testing tools, they may of course not make any modifications to my browser sandbox which must stay clean. I thought that this was already possible (with the exception of forcing processes to run in a specific sandbox) but the feature doesn´t work as expected.
http://www.sandboxie.com/phpbb/viewtopic.php?t=1731
But I do need a separate sandbox for my browser (and other vulnerable tools) and other sandboxes just for testing tools, they may of course not make any modifications to my browser sandbox which must stay clean. I thought that this was already possible (with the exception of forcing processes to run in a specific sandbox) but the feature doesn´t work as expected.
http://www.sandboxie.com/phpbb/viewtopic.php?t=1731
-
Unknown_User_807
- Posts: 0
- Joined: Wed Dec 31, 1969 7:00 pm
-
Rasheed187
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
I´ve just looked it up and I now see that the ability to run apps from different sandboxes at the same time, is indeed a feature that is only available to registered users. However, the problem I have isn´t exactly the same. I really hope tzuk will improve this, it would make a great selling point. 
Who is online
Users browsing this forum: No registered users and 1 guest
