Request: Option to Retain AppContainer Profile
Closed this issue · 2 comments
Would you please be able to make it so that there is an option to retain the AppContainer profile?
There are a few examples of how to do this if the AppContainer profile exists:
RunAppContainer from zodiacon: https://github.com/zodiacon/RunAppContainer/blob/master/RunAppContainer/RunAppContainerDlg.cpp#L214-L217
LaunchAppContainer from Microsoft: https://github.com/microsoft/SandboxSecurityTools/blob/main/LaunchAppContainer/LaunchAppContainer/LaunchAppContainer.cpp#L222-L227
Also, Pavel (zodiacon) talks about containerName failing due to existing AC profile and how to use DeriveAppContainerSidFromAppContainerName to extract existing AC profile SID here (https://scorpiosoftware.net/2019/01/15/fun-with-appcontainers/).
If possible, it would be great if wsudo could have a command line flag (e.g. -r) to retain AppContainer profile.
Thank you for your time.
I added an experimental flag, but it wasn't tested. If you can, please help me verify it.
branch: master commit: e123494
The GitHub Actions build was failing. So I just added the changes for wsudo.cc, wsudo.hpp, appcontainer.cc and exec.hpp to my local build for testing and that compiled properly. So I think it was the bela changes causing builds to fail.
I tested to make sure all previous AppContainer profile behavior is working well and there are no regressions.
I tested with the new --retain flag to make sure the AC profile is kept and that is working well too.
So from all of my testing, this new change is working 100% with no regressions. I will close this issue now. Thank you so much.
Reminder: The README also needs to be updated to add the --retain flag under the wsudo options.