Feature Request: AppContainer "Capabilities" Selection #2
Thank you for your great program.
The AppContainer launching works well and is successful, but I think that it can be improved by adding the ability to choose/select from a list of different AppContainer "Capabilities" to give more power and flexibility to your AppContainer launching functionality.
It would be good to have a button which brings up a dialog to choose different AppContainer "Capabilities".
Some example concepts:
Relevant source code: https://github.com/AaLl86/retroware/tree/master/AppContainers
Image example (AppContainer Capabilities list: Select):
That "Select" button would bring up a multi-list of capabilities to choose from and select prior to launching an app within an AppContainer.
Thank you for your time.
@fcharlie I see that you have done some recent development on AppContainer capabilities. Everything looks great visually. I also like how you have added support for parsing of appxmanifest files to pull in capabilities as well. Excellent work! Thank you.
AppContainer creation still seems to be working but it seems that I cannot see the capabilities within Process Hacker nightly build. I assume this must be related to the Windows 10 AppContainer bug which you mentioned in recent commits.
Can you share some brief details on this Windows 10 AppContainer bug and how this bug may affect Privexec?
I don't know, but if that bug is from AppContainer APIs, it will affect this tool. I can't believe the bug is from the AppContainer APIs because these APIs seldom changed after Windows 10 Build 10240. But this is the Windows 10 era's Microsoft, everything is possible, lol.
@WildByDesign @fcharlie You can read something about the AppContainer which I have discovered in https://github.com/M2Team/M2-SDK/blob/master/M2.NSudo.h
There is a creation implementation of the AppContainer which is reversed from Windows 8's CreateProcessInternal API in the line 1022. And I can set capabilities and work well in Windows 10 Build 10586 and 14393.
I hope I can help you.
@fcharlie @MouriNaruto Excellent, thank you. I have used the latest Process Hacker Nightly Build under Token - Token Properties - Capabilities and everything is showing correctly now with regard to capabilities. Great work!
Question: If I create a sample Package.appxmanifest file and add additional capabilities which are not included in the UI checkboxes, will Privexec add these capabilities after parsing that file?
Example section from Package.appxmanifest file:
I added the "broadFileSystemAccess" capability just for testing purposes. As I learn more, I would like to add more capabilities to my own custom Package.appxmanifest file. But I am just wondering if Privexec will enforce these capabilities as well.
Thank you! :)
@fcharlie Thank you so much. This is excellent with wsudo now also supporting AppContainer Capabilities from AppManifest because a user can, for example, create a shortcut that contains wsudo command opening an app within AppContainer sandbox. This is great news.
You have done amazing work and I see that you have been working at this with many code commits each day. I am thankful for your time and for sharing this great open source work. Your time and work is greatly appreciated.
One remaining question:
In the code, it appears to parse rescap:Capability (Restricted Capabilities) but I have not been able to get it to show anything more than the default 12 Well Known SID type capabilities.
For example, here is my testing configuration which I always add to Privexec when testing the AppContainer development:
This is all really just for testing purposes at the moment. It always adds the first 12 basic capabilities, but does not seem to add the restricted capabilities (rescap:Capability).
Are these restricted capabilities supposed to be working? Or is this something that would require future development in the code base?
@fcharlie Thank you. You might find some of the most complete information on Capabilities and SIDs in the research work of Google Project Zero's James Forshaw:
Much of his work is impressive.
@WildByDesign Thanks. Github URL style is
[text](url) #so --> [https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/master/NtApiDotNet/SecurityCapabilities.cs)
We should use
Need to know the details of
```cpp
// https://github.com/nta/immersive-host/blob/master/host/src/ActivationClient.cpp
// https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/3ad55c9452d469a507286968985c264dc7e2c7c1/NtApiDotNet/NtSecurity.cs#L2677
// https://github.com/Microsoft/Windows-universal-samples/blob/fe8567faf2efdea3672c2ba642ba7b925ff6467e/Samples/CustomCapability/Service/Server/RpcServer.cpp#L54

// Needs <windows.h> and <winternl.h> (NTSTATUS, PUNICODE_STRING).
// Function pointer for the ntdll export.
NTSTATUS(NTAPI* _RtlDeriveCapabilitySidsFromName)(
    PUNICODE_STRING capabilityName, PSID ntSid, PSID appPackageSid);

// Resolve the export at run time from the already-loaded ntdll.dll.
// Assigning to the pointer declared above avoids redeclaring the same name with `auto`.
_RtlDeriveCapabilitySidsFromName =
    (decltype(_RtlDeriveCapabilitySidsFromName))GetProcAddress(
        GetModuleHandle(L"ntdll.dll"), "RtlDeriveCapabilitySidsFromName");
```
@fcharlie You're welcome. Thank you for those details and slides as well. Excellent stuff. I will try to do some more research on these.
FWIW, the capabilities that start with 'lpac' such as lpacAppExperience, lpacClipboard, etc. are related to Low Privilege AppContainer (LPAC). I was speaking with James Forshaw recently because he is the one who designed Google Chrome's AppContainer sandbox architecture on Windows and more recently, he created the AppContainer for the Chrome GPU process which is LPAC specifically. He told me that LPAC is not much more difficult to implement compared to regular AppContainer.
Anyway, in the PDF below that James released just recently, some pages cover the specifics on LPAC details:
See pages 34, 35, 44, 45, 67 for excellent Low Privilege AppContainer (LPAC) details and more.
Also, some of James' open source tools are beneficial in confirming much of the recent AppContainer work that you have been doing. Notably, oleviewdotnet and TokenViewer which is part of his sandbox analysis tools. Both of these help me when testing and verifying token details such as AppContainer and more.
I found some more details today on AppContainer SID calculation. I don't know if this is relevant or not, but thought I would share anyway just in case it may be helpful.
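Added example, not part of the thread or of Privexec's code: an offline way to work out which capability SIDs a token should carry for the `rescap:Capability` entries in a manifest, so they can be compared with what Process Hacker or TokenViewer shows. It assumes the name-based derivation is SHA-256 over the upper-cased UTF-16LE capability name, with the capability SID under `S-1-15-3-1024` and the group SID under `S-1-5-32`; the manifest and the function names are constructed for illustration.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET

RESCAP_NS = ("http://schemas.microsoft.com/appx/manifests/foundation/"
             "windows10/restrictedcapabilities")

# Constructed sample manifest (not the one posted in the thread).
SAMPLE_MANIFEST = f"""<Package
  xmlns="http://schemas.microsoft.com/appx/manifests/foundation/windows10"
  xmlns:rescap="{RESCAP_NS}">
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="broadFileSystemAccess" />
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>"""


def derive_capability_sids(name):
    """Return (capability_sid, group_sid) strings for a named capability."""
    # Assumption: the digest of the upper-cased UTF-16LE name is read as
    # eight little-endian 32-bit sub-authorities shared by both SIDs.
    digest = hashlib.sha256(name.upper().encode("utf-16-le")).digest()
    tail = "-".join(str(v) for v in struct.unpack("<8I", digest))
    return f"S-1-15-3-1024-{tail}", f"S-1-5-32-{tail}"


def restricted_capabilities(manifest_xml):
    """List rescap:Capability names declared in an appxmanifest string."""
    root = ET.fromstring(manifest_xml)
    tag = "{%s}Capability" % RESCAP_NS
    return [el.get("Name") for el in root.iter(tag) if el.get("Name")]


def expected_token_sids(manifest_xml):
    """Map each restricted capability name to the SID to look for in the token."""
    return {name: derive_capability_sids(name)[0]
            for name in restricted_capabilities(manifest_xml)}


if __name__ == "__main__":
    for name, sid in expected_token_sids(SAMPLE_MANIFEST).items():
        print(f"{name:24} {sid}")
```

A restricted capability that was parsed but never added to the token will be missing from the Capabilities list even though its SID appears in this output.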