[1.12.6] Symlink and open path issue

[offhub]

Describe what you noticed and did

If a path without a drive letter is used as a symlink target and this path is defined as an open path, file access problems occur. (e.g. file duplication)

Firefox profile folder <=(symlink)=> Mounted VHD (no drive letter) and OpenFilePath will result in file duplication.

1. Install Firefox
2. Run Firefox once and close it
3. Create VHDX
4. Mount the VHDX to any folder (TestFolder) [do not assing any drive letter]
5. Move the Firefox Profiles folder to the mounted VHDX.
6. Create a symlink to the moved folder (Admin required)
   mklink /D "%AppData%\Mozilla\Firefox\Profiles" "C:\TestFolder\Profiles"
7. Add the OpenFilePath for the Profiles folder
   OpenFilePath=*\Profiles\*
8. Run Firefox as sandboxed
9. Some files will be duplicated (e.g. prefs.js)

sbie3537sym01.mp4

How often did you encounter it so far?

Every time

Affected program

msedge, firefox, etc.

Download link

https://www.mozilla.org/en-US/firefox/download/thanks/

Where is the program located?

The program is installed only outside the sandbox.

Expected behavior

Files in the open path must be accessible properly.

What is your Windows edition and version?

Windows 11 Pro 22H2 64-bit (22621.2861)

In which Windows account you have this problem?

A local account (Administrator).

Please mention any installed security software

Microsoft Windows Defender

What version of Sandboxie are you running?

Sandboxie-Plus 1.12.6 64-bit

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

Sandboxie-Plus 1.12.5 worked fine

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

OpenFilePath=*\Profiles\*

[DavidXanatos]

this is not so easy to fix, as we need to be able to generate a valid copy path,
and for devices without a drive letter wen kind of can not
We can't use paths like \Device\HarddiskVolume4... as these may be subject to change
I will have to think about how to fix this properly we could use the volume serial number but it being only 32 bit is a slightly bit risky

[DavidXanatos]

please try the SbieDll.dll from the latest CI build it should fix the issue

[offhub]

I've been using it for a while and haven't had any problems.

[offhub]

Some browser add-ons do not seem to work properly. (with OpenFilePath)

[isaak654]

Some browser add-ons do not seem to work properly. (with OpenFilePath)

Is there anything to improve with the fix?

[offhub]

The same problem occurs even without OpenFilePath. (without a drive letter)

1. Run Firefox sandboxed
2. Install the following addons
   • Offline QR Code Generator
   • Containers Helper
3. Open extensions from the Extensions menu (puzzle icon)

sbie3537ff01.mp4

[DavidXanatos]

is the issue symlink related or a general firefox addon problem?

[offhub]

Once the drive letter is assigned, it works properly.

[offhub]

is the issue symlink

Probably not. I tried using the mounted folder directly as the profile path, without the symbolic link, and had the same problem.

general firefox addon problem?

Some extensions do not seem to work properly because the storage-sync-v2.sqlite(-shm|wal) database files cannot be accessed when the drive letter is not assigned.

Two videos:
https://drive.proton.me/urls/G1PN618HDC#KAONsqNPIg9P

[DavidXanatos]

please try the latest CI build: it should fix the issue: https://github.com/sandboxie-plus/Sandboxie/actions/runs/7467567960

[offhub]

I tried the latest CI (c9bd260) version on the virtual machine, it fixed the problem in Firefox. Now I've installed it on the host, I'll let you know if I run into any more problems.

[profucius]

I think I've found a regression with this regarding symbolic links within Windows. It may be more directly related to #3181 although that ticket is closed and this one is still open.

My testing is done on 1.12.3 vs 1.12.7. I had a fully working system on .3 which was broken by upgrading directly to .7

On 1.12.3, having a symbolic linked folder within a sandbox properly allows any apps run within that sandbox to access those files, even when they exist outside of the sandbox.

After updating to 1.12.7, these same existing symbolic links now no longer provide file access to apps run within that sandbox. The apps report that no files can be found.

I have confirmed that nothing else has changed. The symbolic links are accessible fine within the host OS. The issue is directly related to updating to 1.12.7 (or perhaps 1.12.6, which .7 is reported to fix)

If I can do any testing or provide any logs, let me know.

[DavidXanatos]

can you make a guide how to reproduce it so what to link where where to put which files and what where try to access which file,

[profucius]

Apologies I may have erroneously attributed the issue to this ticket. After deeper testing, it seems that the regression occurs in 1.12.4. I believe this may be related to #3481 instead. I will update my findings over on that ticket. You can probably revert the status of this ticket. Thanks

[offhub]

@DavidXanatos

This problem (#3537 (comment)) reappeared after version 1.2.7. (path without a drive letter is used as a symlink target)

Some plugins do not work properly because storage-sync-v2.sqlite, storage-sync-v2.sqlite-shm, storage-sync-v2.sqlite-wal files cannot be sandboxed.

Normal	Open
Fail	Ok

1. Install Firefox
2. Run Firefox once and close it
3. Create VHDX
4. Mount the VHDX to any folder (TestFolder) [do not assing any drive letter]
5. Move the Firefox Profiles folder to the mounted VHDX.
6. Create a symlink to the moved folder (Admin required)

mklink /D "%AppData%\Mozilla\Firefox\Profiles" "C:\TestFolder\Profiles"

7. Run Firefox as sandboxed
8. Install the following addon
   • Offline QR Code Generator
9. Open the extension from the Extensions menu (puzzle icon)
10. If the QR code is visible, close and reopen the browser.
11. This time the QR code field should be empty. (Fail)

[DavidXanatos]

please try the sbiedll from the latest ci build: https://github.com/sandboxie-plus/Sandboxie/actions/runs/7979739815

[DavidXanatos]

ps i'm not sure if this chaneg gig not break somethign else so please check other symlinc cases to be sure

[offhub]

I have not encountered any problems in my testing.

Windows 11 23H2 22631.3155
Firefox 123.0
Sandboxie-Plus v1.13.0 with CI DLLs

Box/Access	NormalFile (Outside/Inside)	OpenFile (Outside)	OpenPipe (Inside)
Standard	OK/OK	OK	OK
Privacy	OK/OK*	OK	OK
Std+Conf	OK/OK	OK	OK
Prv+Conf	OK/OK*	OK	OK
Std+Ram	OK/OK	OK	OK
Prv+Ram	OK/OK*	OK	OK

* NormalFilePath=*\Profiles\*
* xcopy /e "C:\Program Files\Mozilla Firefox\" "C:\Program Files\Mozilla Firefox 2\"
* C:\Program Files\Mozilla Firefox 2\firefox.exe