256lights/zb

Add sandboxing on Windows

zombiezen opened this issue · 5 comments

Not exactly sure what this will look like yet, but Windows Sandbox looks promising.

I'm basically looking for:

  • Ability to run arbitrary programs inside the sandbox, read stdout/stderr, and know when they exit (and if it was successful)
  • Not messing up the system registry while providing packages
  • Ability to shut off network access
  • Shared folders (would be nice to have read-only mounts, but not as necessary)

I am porting Nix to Windows (upstream), btw, so I am curious what you will find.

Note that Windows Sandbox is a full Hyper-V VM, running its own full OS instance. It doesn't have a full virtual disk image, but this seems much heavier than you'd want.

I think you'd fare better with AppContainer. But I've never found very much about the actual low-level APIs or really dug deeply into this (https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications- has some) - the main usage is things installed via MSIX, where the app packaging does the containerizing.

Nice, thanks for the pointers! I'll take a look. I am not super well-versed in low-level Windows stuff, so learning what's out there is helpful.

https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md and https://github.com/chromium/chromium/tree/main/sandbox/win are another reference - and this is built out of AppContainer - though not through the documented high-level API (CreateAppContainerProfile), but instead through undocumented lower-level pieces like CreateLowBoxObjectDirectory and NtCreateLowBoxToken (LowBox is an old name for AppContainer, combining the "Low" integrity level that you're restricted to with the "Box" aspect of having a separate namespace for most kernel objects).