New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Templates.ini (feedback requested) #294
Conversation
This introduces a new template for PDF24 Creator that should prevent this issue: https://www.wilderssecurity.com/threads/released-sandboxie-plus-sbie-fork-versions-with-signed-driver.434924/page-11#post-2976559 It should be applied manually before installing PDF24 Creator.
|
Is it done yet? Github says: |
It's done, but I'd like to find a better way to edit this new PDF24 Creator template I've added in order to be automatically recognized at Sandboxie startup. |
mmh.... I think it may be best to consider enhancing the template system with a exe name based detection, so I think of a condition that is triggered when a process with a pre defined name gets started. |
Basically this new template is meant to be applied in advance in order to work properly and it should put a band-aid on an issue in Sandboxie, because PDF24 Creator installs some keys (even if sandboxed) on the real system in different locations:
While for the first one you can execute a At the very end, I have preferred some process exclusion in the template to get the job done. But other programs out there could behave like this one. Anyway, if there is no existing method to improve the template for a better real-time detection, I'll mark this commit as ready. |
I think the way this leak works is that in order for printing from the sandbox to work at all some IPC is open that results in a sandboxed program asking an unsandboxed windows component to set up the printer and said component creates the registry entries outside. |
It would be great if you could trace & fix it without the need of a template, anyway it's up to you whether you want to merge or change something in the commit. P.S. Happy new year! |
is blocking ClosedFilePath=pdf24.exe,* required isn't ClosedFilePath=pdf24-PrinterInstall.exe,* enough? |
Both rules are needed in order to block This is the full resource log that I obtain when I only apply the ClosedFilePath to pdf24-PrinterInstall.exe and multiple ClosedClsid/ClosedIpcPath in the template. FaxPrint and PDFPrint are still exposed:
Unless you find a way to block these, my two-rules approach is the best one currently available. The problem is that I don't think many people will apply the template preventively. |
mmh... but are they open though? I'm analyzing what's happening with this PDF24 situation and well, it kind of works as designed, when doing printing related stuff sandboxed processes are allowed to talk to the real unsandboxed printer spooler which apparently for some commands creates registry entries on its own. For example a call to When the port is set up a sandboxes call to The proper fix here is
|
Thank you for the technical explanation and for giving me the full picture. |
Sync sandboxie-plus fork
I created a slack channel for sandboxie-plus, if you send me an email address than I can send you an invite. |
This introduces a new template for PDF24 Creator that should prevent this issue: https://www.wilderssecurity.com/threads/released-sandboxie-plus-sbie-fork-versions-with-signed-driver.434924/page-11#post-2976559
Right now it should be applied manually in Sandboxie.ini (most of the times) before installing PDF24 Creator, so before merging I'd like to find a way to apply this template automatically at Sandboxie startup. Otherwise for me this commit is ready to be pushed.
P.S: I've removed some obsolete templates, this is why the file is slightly smaller than before.