Symbolic links created inside of sandbox don’t work properly

[JaGitU]

Describe what you noticed and did

Symbolic links created inside of sandbox don’t work properly.
A simple batch file for testing is given below. Just create the batch file (e.g. test.bat), put it in any empty folder, launch inside/outside of sandbox and compare the results. The message “Test passed” should appear if junction can be created and accessed normally.

@echo off & cls
if not "%~1"=="" echo %~1 & exit
mklink /j "%~dp0SymLinkDir" "%~dp0"
cmd /s /c ""%~dp0SymLinkDir\%~nx0" "Test passed""
rmdir /s /q "%~dp0SymLinkDir"
pause

Notes: The batch file creates SymLinkDir junction inside of working directory, runs the test and then removes the junction. NTFS is required (FAT32 doesn’t support symbolic links)

Result: The test fails inside of sandbox (with file system isolation inside of working directory), the junction can be created but is not accessible

How often did you encounter it so far?

Every time

Affected program

NTFS File System

Download link

Not required

Where is the program located?

The program is installed both inside and outside the sandbox.

Expected behavior

“Test passed” should appear if junction can be created and accessed normally

What is your Windows edition and version?

Windows 10 Pro 22H2 64-bit

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Microsoft Defender Antivirus

What version of Sandboxie are you running?

Release v1.10.3 / 5.65.3

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

[isaak654]

0d7f76a

Sandboxie/CHANGELOG.md

Lines 18 to 19 in 0d7f76a

	### Fixed
	- fixed Symbolic links created inside of sandbox don’t work properly [#3181](https://github.com/sandboxie-plus/Sandboxie/issues/3181)

I don't think the fix is public, but the changelog says otherwise.

[DavidXanatos]

yes the fix will be included in the 11.x build line

[DavidXanatos]

you can try the CI build as soon as it finishes: https://github.com/sandboxie-plus/Sandboxie/actions/runs/5905194197
the driver part of that fix is already included in 1.10.2g: cc471f2#diff-e1185369246c126b72fdedfaf846c95c2204354bcb0395905b804adf0c1441ea
the change in the driver is incremental and safe,
the change to the sbiedll.dll may break some edge case hence it was not included in 1.10.x
in the first 1.11.0 pre release we can properly test the fix to see if it works without breaking any edge cases

[JaGitU]

The issue still persists in Release v1.11.0/5.66.0, while in changelog it's indicated as fixed

[DavidXanatos]

hmm wired... as I deployed that in steps perhaps I missed a line some ware I'll check it asap

[DavidXanatos]

au crimidy... I forgot to enable it by default,
you need to set UseNewSymlinkResolver=y for the fix to take effect will set it as default in the next build

[offhub]

I cannot run any programs under the sandbox when I set UseNewSymlinkResolver=y.

[DavidXanatos]

does that happen on windows 7 or also on 10?

[offhub]

Windows 10/11 (did not test Win 7)

[DavidXanatos]

for me that works fine could you please try around with verioue option,s like staritn giwht a empty sandboxie.ini with only that option set and see if one of your settings is conflicting

[offhub]

This issue occurs when the UseNewSymlinkResolver and AutoRecover settings are enabled at the same time.

UseNewSymlinkResolver=y
AutoRecover=y

[DavidXanatos]

indeed... I'll debug this asap

[DavidXanatos]

will be fixed in 1.11.0a

[offhub]

I tried again with versions 1.11.0 and 1.11.0a/b. The latest version fixed the problem with AutoRecover=y for systems in the virtual machine. However, on my host system (both versions), programs will not open if UseNewSymlinkResolver=y is set, regardless of AutoRecover=n/y. (All tests were done with the default configuration)

Operating System	Sandboxie Version	AutoRecover	UseNewSymlinkResolver	Result
Windows 10 (HOST)	1.11.0	N	N	OK
Windows 10 (HOST)	1.11.0	N	Y	FAIL
Windows 10 (HOST)	1.11.0	Y	Y	FAIL
Windows 10 (HOST)	1.11.0a	N	N	OK
Windows 10 (HOST)	1.11.0a	N	Y	FAIL
Windows 10 (HOST)	1.11.0a	Y	Y	FAIL
---	---	---	---	---
Windows 10 (Hyper-V)	1.11.0	N	N	OK
Windows 10 (Hyper-V)	1.11.0	N	Y	OK
Windows 10 (Hyper-V)	1.11.0	Y	Y	FAIL
Windows 10 (Hyper-V)	1.11.0a	N	N	OK
Windows 10 (Hyper-V)	1.11.0a	N	Y	OK
Windows 10 (Hyper-V)	1.11.0a	Y	Y	OK
---	---	---	---	---
Windows 11 (Hyper-V)	1.11.0	N	N	OK
Windows 11 (Hyper-V)	1.11.0	N	Y	OK
Windows 11 (Hyper-V)	1.11.0	Y	Y	FAIL
Windows 11 (Hyper-V)	1.11.0a	N	N	OK
Windows 11 (Hyper-V)	1.11.0a	N	Y	OK
Windows 11 (Hyper-V)	1.11.0a	Y	Y	OK

[offhub]

@DavidXanatos This issue occurs when a virtual disk (VHDX) mounted to any folder without a drive letter is active in the system.

sbieUseNewSymlinkResolver.mp4

[DavidXanatos]

great find will debug this scenario asap, i could already reproduce it and it seams to be a conditional dead lock

[DavidXanatos]

I have uploaded build 1.11.0e which should fix the issue with mounted vhd's
please test if now everything works as it should

PS: in this build UseNewSymlinkResolver=y is the default

[offhub]

Thanks, version 1.11.0e fixed the issue.

[offhub]

There is a problem with relative paths.

@echo off & cls

:: Set UseNewSymlinkResolver=Y
:: Open Sandboxed CMD (as Admin)

cd /d "%TEMP%"

mkdir "TEST"
mkdir "TEST2\ABSOLUTE"
mkdir "TEST2\RELATIVE"

cd /d "TEST"

mklink /D "RELATIVE" "..\TEST2\RELATIVE"
mklink /D "ABSOLUTE" "%TEMP%\TEST2\ABSOLUTE"

:: fail
echo.>"%TEMP%\TEST\RELATIVE\file.txt"
if exist "%TEMP%\TEST\RELATIVE\file.txt" ( echo RELATIVE file exists ) else ( echo RELATIVE file doesn't exist )

:: success
echo.>"%TEMP%\TEST\ABSOLUTE\file.txt"
if exist "%TEMP%\TEST\ABSOLUTE\file.txt" ( echo ABSOLUTE file exists ) else ( echo ABSOLUTE file doesn't exist )

pause

[DavidXanatos]

@offhub please test this with thelatest CI build 6c440ee for me it looks as its fixed now

[offhub]

I haven't done extensive testing but it seems to be fixed.