As you may know, in version 4, the process in the sandbox is confined into a "job" concept which prevents interacting with window objects outside the sandbox.
This has two major implications:
- All interactions with window objects outside the sandbox have to go through a SbieSvc proxy process.
- Lower level requests such as simulating keyboard input, registering a hotkey or changing system parameters are not supported.
Version 4.03 revises this by treating the OpenWinClass=* case as a special case. In version 4.03, when the sandbox settings include OpenWinClass=*, the process is not put into a job, which means normal access to window objects, and the lower level requests are permitted.
This new special case is intended primarily for people who want to take advantage of filesystem/registry isolation when installing trusted programs into the sandbox.
To enable: Sandbox Settings > Resource Access > Window Access > Click Add, enter * (a single wildcard star), click OK.
[.01] Changes to OpenWinClass=*
Some problems which should be fixed with the new OpenWinClass=* setting are discussed in these topics:
http://www.sandboxie.com/phpbb/viewtopic.php?t=15709
http://www.sandboxie.com/phpbb/viewtopic.php?t=15750
http://www.sandboxie.com/phpbb/viewtopic.php?t=15767
http://www.sandboxie.com/phpbb/viewtopic.php?t=15806
tzuk
Quoting BUCKAROO from another topic:
BUCKAROO wrote: Decreased security? Not that I've found. This setting is purported to allow "full communication with all windows outside the sandbox" but Sandboxie v4 processes can't so much as (directly) show/hide an existing window outside... I don't know if that's a bug.
Not really a bug, more like an oversight. The process in the sandbox is still running at untrusted integrity level even when OpenWinClass=* so the UAC/UIPI mechanism prevents it from accessing window objects that have a higher integrity level. And most window objects outside the sandbox should have at least medium integrity level.
This means that on systems where UAC is enabled, OpenWinClass=* doesn't really mean the process in the sandbox has more access to window objects. However it can "see" and "read" window objects outside the sandbox directly without going through SbieSvc. Whereas without OpenWinClass=*, it cannot see or read window objects outside the sandbox directly, and has to go through the SbieSvc helper process.
If UAC is disabled, and on Windows XP, integrity levels don't come into play for window objects, and OpenWinClass=* does give the process in the sandbox full access to window objects outside the sandbox.
tzuk
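Added example (not part of the forum thread and not Sandboxie's own code): a Python check that lists which sandbox sections in a Sandboxie.ini text set OpenWinClass=*, the case the posts above say is not put into a job in version 4.03. The [BoxName] section layout, the '#' and ';' comment markers and the box names in the sample are assumptions, and the sample text is constructed.

```python
# Constructed sample input; box names are made up for illustration.
SAMPLE_INI = """\
[DefaultBox]
Enabled=y
OpenWinClass=Shell_TrayWnd

[InstallBox]
Enabled=y
OpenWinClass=Shell_TrayWnd
OpenWinClass = *

[BrowserBox]
Enabled=y
# OpenWinClass=*
"""


def parse_settings(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in "#;":
            continue  # blank line or comment (assumed comment markers)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def boxes_without_job(text):
    """Sections whose OpenWinClass entries include the bare wildcard '*'."""
    return sorted(
        name for name, items in parse_settings(text).items()
        if any(k.lower() == "openwinclass" and v == "*" for k, v in items)
    )


if __name__ == "__main__":
    for box in boxes_without_job(SAMPLE_INI):
        print(f"{box}: OpenWinClass=* set, process not placed in a job (4.03)")
```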