Add sandboxing on Windows
zombiezen opened this issue · 5 comments
Not exactly sure what this will look like yet, but Windows Sandbox looks promising.
I'm basically looking for:
- Ability to run arbitrary programs inside the sandbox, read stdout/stderr, and know when they exit (and if it was successful)
- Not messing up the system registry while providing packages
- Ability to shut off network access
- Shared folders (would be nice to have read-only mounts, but not as necessary)
I am porting Nix to Windows (upstream), btw, so I am curious what you will find.
Note that windows sandbox is a full Hyper-V VM, running its own full OS instance. It doesn't have a full virtual disk image, but this seems much heavier than you'd want.
I think you'd fare better with AppContainer. But I've never found very much about the actual low-level APIs or really dug deeply into this.(https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-for-legacy-applications- has some) - the main usage is things installed via MSIX, where the app packaging does the containerizing.
Nice, thanks for the pointers! I'll take a look. I am not super well-versed in low-level Windows stuff, so learning what's out there is helpful.
Linkdumping a few more things I found in the past:
-
https://scorpiosoftware.net/2019/01/15/fun-with-appcontainers/
-
https://github.com/zodiacon/RunAppContainer have some more more info
Maybe this can even summon @zodiacon to say whether I'm crazy -
https://github.com/microsoft/SandboxSecurityTools/tree/main/LaunchAppContainer
-
https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
-
https://blahcat.github.io/2020-12-29-cheap-sandboxing-with-appcontainers/
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/design/sandbox.md and https://github.com/chromium/chromium/tree/main/sandbox/win are another reference -and this is built out of AppContainer - though not through the documented high-level API (CreateAppContainerProfile), but instead through undocumented lower-level pieces like CreateLowBoxObjectDirectory, NtCreateLowBoxToken (LowBox is an old name for AppContainer, combining the "Low" integrity level that you're restricted to with the "Box" aspect of having a separate namespace for most kernel objects.