Feature Request: AppContainer "Capabilities" Selection #2

Closed
WildByDesign opened this Issue Sep 10, 2018 · 16 comments

WildByDesign commented Sep 10, 2018

Thank you for your great program.

The AppContainer launching works well and is successful, but I think that it can be improved by adding the ability to choose/select from a list of different AppContainer "Capabilities" to give more power and flexibility to your AppContainer launching functionality.

It would be good to have a button which brings up a dialog to choose different AppContainer "Capabilities".

Some example concepts:

Blog link: https://www.andrea-allievi.com/blog/first-week-of-june/

Relevant source code: https://github.com/AaLl86/retroware/tree/master/AppContainers

Image example (AppContainer Capabilities list: Select):

That "Select" button would bring up a multi-list of capabilities to choose from and select prior to launching an app within an AppContainer.

Thank you for your time.

Collaborator

fcharlie commented Sep 11, 2018

Good idea. If I have time, I might consider this feature.

WildByDesign commented Nov 11, 2018

@fcharlie I see that you have done some recent development on AppContainer capabilities. Everything looks great visually. I also like how you have added support for parsing of appxmanifest files to pull in capabilities as well. Excellent work! Thank you.

AppContainer creation still seems to be working but it seems that I cannot see the capabilities within Process Hacker nightly build. I assume this must be related to the Windows 10 AppContainer bug which you mentioned in recent commits.

Can you share some brief details on this Windows 10 AppContainer bug and how this bug may affect Privexec?

MouriNaruto commented Nov 11, 2018

@WildByDesign

Can you share some brief details on this Windows 10 AppContainer bug and how this bug may affect Privexec?

I don't know, but if that bug is from the AppContainer APIs, it will affect this tool. I can't believe the bug is from the AppContainer APIs because these APIs have seldom changed after Windows 10 Build 10240, but this is the Windows 10 era's Microsoft, everything is possible, lol.
(PS: There is a bug which can replace the access token in the normal Administrator token (Normally, only the System token can do it) in Windows 10 Insider Preview Build 10162, fixed in build 10166. It had misdirected me in the development of NSudo.)

Mouri

Collaborator

fcharlie commented Nov 12, 2018

@WildByDesign @MouriNaruto Yes. https://github.com/M2Team/Privexec/blob/master/Privexec.Core/AppContainers.cpp#L161 The AppContainer is created successfully but the capabilities cannot be set. But in Windows 8, this is OK.

MouriNaruto commented Nov 12, 2018

@WildByDesign @fcharlie You can read something about the AppContainer which I have discovered in https://github.com/M2Team/M2-SDK/blob/master/M2.NSudo.h

There is a creation implementation of the AppContainer, which is reversed from Windows 8's CreateProcessInternal API, at line 1022. And I can set capabilities and it works well in Windows 10 Build 10586 and 14393.

I hope I can help you.

Mouri.

Collaborator

fcharlie commented Nov 12, 2018

@WildByDesign @MouriNaruto Sorry, the Create AppContainer API is OK; I fixed it. A member value overrode the local value.

WildByDesign commented Nov 12, 2018

@fcharlie @MouriNaruto Excellent, thank you. I have used the latest Process Hacker Nightly Build under Token - Token Properties - Capabilities and everything is showing correctly now with regard to capabilities. Great work!

Question: If I create a sample Package.appxmanifest file and add additional capabilities which are not included in the UI checkboxes, will Privexec add these capabilities after parsing that file?

Example section from Package.appxmanifest file:

```xml
<Capabilities>
  <Capability Name="internetClient" />
  <rescap:Capability Name="broadFileSystemAccess" />
</Capabilities>
```

I added the "broadFileSystemAccess" capability just for testing purposes. As I learn more, I would like to add more capabilities to my own custom Package.appxmanifest file. But I am just wondering if Privexec will enforce these capabilities as well.

Thank you! :)

@fcharlie fcharlie closed this Nov 14, 2018

Collaborator

fcharlie commented Nov 25, 2018

@WildByDesign wsudo also supports AppContainer Capabilities from AppManifest.

WildByDesign commented Nov 25, 2018

@fcharlie Thank you so much. This is excellent with wsudo now also supporting AppContainer Capabilities from AppManifest because a user can, for example, create a shortcut that contains wsudo command opening an app within AppContainer sandbox. This is great news.

You have done amazing work and I see that you have been working at this with many code commits each day. I am thankful for your time and for sharing this great open source work. Your time and work is greatly appreciated.

One remaining question:

In the code, it appears to parse rescap:Capability (Restricted Capabilities) but I have not been able to get it to show anything more than the default 12 Well Known SID type capabilities.

For example, here is my testing configuration which I always add to Privexec when testing the AppContainer development:

```xml
<Capabilities>
  <Capability Name="internetClient" />
  <Capability Name="internetClientServer" />
  <Capability Name="privateNetworkClientServer" />
  <Capability Name="documentsLibrary" />
  <Capability Name="picturesLibrary" />
  <Capability Name="videosLibrary" />
  <Capability Name="musicLibrary" />
  <Capability Name="enterpriseAuthentication" />
  <Capability Name="sharedUserCertificates" />
  <Capability Name="removableStorage" />
  <Capability Name="appointments" />
  <Capability Name="contacts" />
  <rescap:Capability Name="broadFileSystemAccess" />
  <rescap:Capability Name="inputInjectionBrokered" />
  <rescap:Capability Name="enterpriseDataPolicy"/>
  <rescap:Capability Name="locationHistory"/>
  <rescap:Capability Name="runFullTrust" />
</Capabilities>
```

This is all really just for testing purposes at the moment. It always adds the first 12 basic capabilities, but does not seem to add the restricted capabilities (rescap:Capability).

Are these restricted capabilities supposed to be working? Or is this something that would require future development in the code base?

Thank you.

Collaborator

fcharlie commented Nov 26, 2018

@WildByDesign Currently I don't know the additional details of the restricted feature, so I can't create a SID for it. If you know these details, you can share them with me, thank you.

WildByDesign commented Nov 26, 2018

@fcharlie Thank you. You might find some of the most complete information on Capabilities and SIDs in the research work of Google Project Zero's James Forshaw:

Particularly
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/Sid.cs

- You might have to copy/paste those links since GitHub links never seem to work for me.

Much of his work is impressive.

Collaborator

fcharlie commented Nov 27, 2018

@WildByDesign Thanks. Github URL style is

[text](url)
#so -->
[https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs)

We should use RtlDeriveCapabilitySidsFromName to create the SIDs.

Need to know the details of DeriveCapabilitySidsFromName

```cpp
// https://github.com/nta/immersive-host/blob/master/host/src/ActivationClient.cpp
// https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/3ad55c9452d469a507286968985c264dc7e2c7c1/NtApiDotNet/NtSecurity.cs#L2677
// https://github.com/Microsoft/Windows-universal-samples/blob/fe8567faf2efdea3672c2ba642ba7b925ff6467e/Samples/CustomCapability/Service/Server/RpcServer.cpp#L54

#include <windows.h>
#include <winternl.h>

// Undocumented ntdll export: derives the group SID (ntSid) and the capability SID (appPackageSid)
// from a capability name; both output buffers are caller-provided (SECURITY_MAX_SID_SIZE is enough).
typedef NTSTATUS(NTAPI *PRtlDeriveCapabilitySidsFromName)(PUNICODE_STRING capabilityName, PSID ntSid, PSID appPackageSid);

// Resolve at runtime; a typedef is used so the variable is declared only once.
auto _RtlDeriveCapabilitySidsFromName = reinterpret_cast<PRtlDeriveCapabilitySidsFromName>(
    GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlDeriveCapabilitySidsFromName"));
```

P4086.pptx
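To make the derivation concrete, here is an added Python example (not code from Privexec, this thread or the linked projects) that builds the SIDs a manifest capability name resolves to: the 12 legacy names map to the fixed RIDs S-1-15-3-1 to S-1-15-3-12 from winnt.h, while any other name (the rescap ones, lpac* names, custom capabilities) gets the hash-derived pair that RtlDeriveCapabilitySidsFromName returns. It assumes, from my reading of the NtApiDotNet code linked above, that the derivation is SHA-256 over the lower-cased UTF-16LE name split into eight little-endian DWORDs, placed under S-1-15-3 for the capability SID and S-1-5-32 for the group SID.

```python
import hashlib
import struct

# The 12 legacy capabilities have fixed RIDs under S-1-15-3 (winnt.h
# SECURITY_CAPABILITY_* constants); keys are lower-cased for lookup.
WELL_KNOWN_CAPABILITIES = {name.lower(): rid for name, rid in [
    ("internetClient", 1), ("internetClientServer", 2),
    ("privateNetworkClientServer", 3), ("picturesLibrary", 4),
    ("videosLibrary", 5), ("musicLibrary", 6), ("documentsLibrary", 7),
    ("enterpriseAuthentication", 8), ("sharedUserCertificates", 9),
    ("removableStorage", 10), ("appointments", 11), ("contacts", 12),
]}


def _hash_rids(name):
    # Assumed derivation: SHA-256 of the lower-cased UTF-16LE name,
    # split into eight little-endian 32-bit sub-authorities.
    digest = hashlib.sha256(name.lower().encode("utf-16-le")).digest()
    return list(struct.unpack("<8I", digest))


def derive_capability_sids(name):
    """(capability SID, group SID) for a named capability, modelled on
    what RtlDeriveCapabilitySidsFromName returns for that name."""
    rids = "-".join(str(r) for r in _hash_rids(name))
    return "S-1-15-3-" + rids, "S-1-5-32-" + rids


def capability_sid(name):
    """SID that a <Capability> or <rescap:Capability> Name resolves to."""
    rid = WELL_KNOWN_CAPABILITIES.get(name.lower())
    if rid is not None:
        return "S-1-15-3-%d" % rid
    return derive_capability_sids(name)[0]


def sid_to_bytes(sddl):
    """Encode 'S-1-<authority>-<sub>...' as a binary SID (revision 1,
    sub-authority count, 48-bit big-endian authority, LE sub-authorities)."""
    parts = sddl.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: " + sddl)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


if __name__ == "__main__":
    for n in ("internetClient", "broadFileSystemAccess", "lpacAppExperience"):
        print(n, capability_sid(n))
```

The binary form from sid_to_bytes is what would be placed in a SID_AND_ATTRIBUTES entry when passing capabilities to CreateAppContainerProfile or the process attribute list.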

WildByDesign commented Nov 27, 2018

@fcharlie You're welcome. Thank you for those details and slides as well. Excellent stuff. I will try to do some more research on these.

FWIW, the capabilities that start with 'lpac' such as lpacAppExperience, lpacClipboard, etc. are related to Low Privilege AppContainer (LPAC). I was speaking with James Forshaw recently because he is the one who designed Google Chrome's AppContainer sandbox architecture on Windows and more recently, he created the AppContainer for the Chrome GPU process which is LPAC specifically. He told me that LPAC is not much more difficult to implement compared to regular AppContainer.

Anyway, in the PDF below that James released just recently, some pages cover the specifics on LPAC details:

The Inner Workings of the Windows Runtime.pdf (by James Forshaw)

See pages 34, 35, 44, 45, 67 for excellent Low Privilege AppContainer (LPAC) details and more.

Also, some of James' open source tools are beneficial in confirming much of the recent AppContainer work that you have been doing. Notably, oleviewdotnet and TokenViewer which is part of his sandbox analysis tools. Both of these help me when testing and verifying token details such as AppContainer and more.

WildByDesign commented Dec 12, 2018

I found some more details today on AppContainer SID calculation. I don't know if this is relevant or not, but thought I would share anyway just in case it may be helpful.

Link: https://twitter.com/FlowerCode_/status/1072783212097691648

One interesting bit of Child AC is how the SIDs are calculated. Here is a Python version if you don't want to call DeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedName. It beats RtlWriteDecodedUcsDataIntoSmartLBlobUcsWritingContext BTW. https://gist.github.com/FlowerCode/b655e8e256862e384a0bcc2be4e41bd1

Link: https://gist.github.com/FlowerCode/b655e8e256862e384a0bcc2be4e41bd1

Collaborator

fcharlie commented Dec 13, 2018

@WildByDesign Thanks.
