
System lockdown / WDAC: Use of new audit-only mode prevents use of [pscustomobject] literals, behaves as if ConstrainedLanguage mode were in effect #20768

Closed
mklement0 opened this issue Nov 23, 2023 · 2 comments · Fixed by #20913
Labels
In-PR Indicates that a PR is out for the issue Issue-Bug Issue has been identified as a bug in the product WG-NeedsReview Needs a review by the labeled Working Group WG-Security security related areas such as JEA

Comments


mklement0 commented Nov 23, 2023

Steps to reproduce

If I understand correctly, the new audit-only mode - despite technically reporting ConstrainedLanguage via $ExecutionContext.SessionState.LanguageMode - is meant to be a what-if constrained mode:

  • In effect behave like FullLanguageMode, but log operations that would be prevented if ConstrainedLanguage mode were actually enforced.

However, with respect to [pscustomobject] literals that isn't the case: Their use fails quietly:

#requires -RunAsAdministrator

# Simulate entering audit-only system lockdown
[Environment]::SetEnvironmentVariable("__PSLockdownPolicy", "0x80000008", 'Machine')

# Launch a new process that tries to use a [pscustomobject] literal
Start-Process -Wait pwsh '-NoProfile -C [pscustomobject] @{ foo = 1 } | Out-Host; pause'

# Turn lockdown back off
[Environment]::SetEnvironmentVariable("__PSLockdownPolicy", $null, 'Machine')

The workaround is to simply execute $ExecutionContext.SessionState.LanguageMode = 'FullLanguage' in a session that was started in audit mode. (Is the ability to do so by design?)
However, even that doesn't work in other use cases: see

As an aside:

Expected behavior

A [pscustomobject] instance should be constructed and output.

Actual behavior

No output, i.e. the expression fails quietly (but may be logged - haven't verified that).

Error details

No response

Environment data

PowerShell 7.4.0 on W11 22H2

Visuals

No response
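An added diagnostic in PowerShell, not code from this issue or from the PowerShell project: dot-source it inside a session launched under the audit-only lockdown from the repro above and call it, and it reports whether the [pscustomobject] literal silently yields nothing while LanguageMode still reports ConstrainedLanguage. The function name is hypothetical; the only lockdown value it knows is the 0x80000008 audit-only value used in the repro, and it returns a hashtable rather than a [pscustomobject] so the result does not depend on the very conversion being probed.

```powershell
# Hypothetical diagnostic; reads only values already used in the report above.
function Test-AuditModeBehavior {
    [CmdletBinding()]
    param()

    # Machine-level lockdown variable from the repro. Per the report, 0x80000008
    # is the audit-only value; no other values are interpreted here (assumption).
    $policy = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    $mode   = $ExecutionContext.SessionState.LanguageMode

    # Probe: does the literal from the report actually produce an object?
    $probe      = $null
    $probeError = $null
    try {
        $probe = [pscustomobject] @{ foo = 1 }
    } catch {
        $probeError = $_.Exception.Message
    }

    $literalWorks = ($null -ne $probe -and $probe.foo -eq 1)

    # The reported symptom: mode says ConstrainedLanguage, the literal yields
    # nothing, and no error is raised (quiet failure).
    $exhibitsIssue = ($mode -eq 'ConstrainedLanguage' -and
                      -not $literalWorks -and
                      $null -eq $probeError)

    # Hashtable output on purpose: it does not rely on [pscustomobject] conversion.
    return @{
        LockdownPolicy       = $policy
        AuditOnlyValueSet    = ($policy -eq '0x80000008')
        ReportedLanguageMode = [string] $mode
        LiteralProduced      = $literalWorks
        ProbeError           = $probeError
        ExhibitsIssue        = $exhibitsIssue
    }
}
```

A result with ReportedLanguageMode = ConstrainedLanguage and LiteralProduced = $false on a fixed build would indicate the regression is back; on an unaffected build, LiteralProduced is $true in both FullLanguage and audit sessions.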

@mklement0 mklement0 added the Needs-Triage The issue is new and needs to be triaged by a work group. label Nov 23, 2023
@mklement0 mklement0 changed the title System lockdown: Use of Audit mode prevents use of [pscustomobject] literals System lockdown: Use of Audit ConstrainedLanguage mode prevents use of [pscustomobject] literals Nov 27, 2023
@mklement0 mklement0 changed the title System lockdown: Use of Audit ConstrainedLanguage mode prevents use of [pscustomobject] literals System lockdown / WDAC: Use of new audit-only mode prevents use of [pscustomobject] literals, behaves as if ConstrainedLanguage mode were in effect Nov 27, 2023
@SteveL-MSFT SteveL-MSFT added Issue-Bug Issue has been identified as a bug in the product WG-Security security related areas such as JEA WG-NeedsReview Needs a review by the labeled Working Group and removed Needs-Triage The issue is new and needs to be triaged by a work group. labels Nov 27, 2023

JrndD commented Dec 12, 2023

Thanks. My session defaulted to ConstrainedLanguage after update.


@microsoft-github-policy-service microsoft-github-policy-service bot added the In-PR Indicates that a PR is out for the issue label Dec 13, 2023

microsoft-github-policy-service bot commented Dec 13, 2023

📣 Hey @mklement0, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback
