Sandboxie Forum - Whitelist sandbox (9640)
http://www.sandboxie.com/phpbb/viewtopic.php?t=9640
Last post: Tue Dec 28, 2010 5:38 pm

Guest10 - Tue Dec 28, 2010 5:38 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62318#62318

Concerning the wildcard exclusion lines that you have in the Firefox sandbox section - make sure you do not use "Run Sandboxed" for an installer program, like the Firefox installer, because your install will take place unsandboxed.

----

I was planning to check what settings might be needed for a program that I was installing in a sandbox, and I added the wildcard exclusions to the sandbox settings before I installed the program. I should have waited to use the wildcard settings until after the install. Anyway, the installer program was happy to make use of the wildcard settings, and I wound up with the program installed outside of the sandbox, even though I had used "Run Sandboxed".

Ruhe - Tue Dec 28, 2010 5:26 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62317#62317

InternetAccessDevices and ProcessGroup are done. All my sandboxes are adjusted with the new settings.

Mike - Tue Dec 28, 2010 5:20 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62316#62316

Quoting Ruhe:
> 1. Where can I find information in the board regarding InternetAccessDevices?
> 2. In the past there were problems with long file names, like Foxit Reader.exe. Therefore the recommendation was to include the short name too.

1. InternetAccessDevices was introduced in the 3.49 betas, I think. I mentioned this setting (http://sandboxie.com/phpbb/viewtopic.php?p=58329#58329) but there was never any discussion. Anyway, if you create a new sandbox and block all internet access, this is the setting that Sandboxie Control adds.

2. Ah, I remember now. I thought that issue was specific to Foxit, but perhaps not.

Quoting Guest10:
> The latest versions create their "ProcessGroup=..." lines underneath the sandbox heading, not under [GlobalSettings]

Very true. But when process groups are used by multiple sandboxes, it can be convenient to leave them under [GlobalSettings]. Does anyone know if this is now deprecated? If it is, I suppose templates would be the obvious answer.

Ruhe - Re: Whitelist sandbox - Tue Dec 28, 2010 5:03 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62315#62315

Quoting Guest10:
> I hope that the following lines are only there for some test you were planning on making, because they will allow everything to escape from the sandbox

These are intentional settings. The sandbox should only control what apps may run.

Guest10 - Re: Whitelist sandbox - Tue Dec 28, 2010 4:57 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62314#62314

Quoting Ruhe:
> Is this the correct way for a "Whitelist sandbox"?

My first question back to you would be: what version of Sandboxie are you using? The latest versions create their "ProcessGroup=..." lines underneath the sandbox heading, not under [GlobalSettings]:

[code]
[Firefox]
ProcessGroup=<InternetAccess_Firefox>,firefox.exe,java.exe,plugin-container.exe,plugin~1.exe,...
[/code]

Sandboxie will create them in the individual sandbox section, if you are using a recent version. Also, there's a new section in the GUI called "Program Groups", in which you can create your own Program Group for a particular sandbox.

I hope that the following lines are only there for some test you were planning on making, because they will allow everything to escape from the sandbox:

Quoting Ruhe:
> OpenFilePath=*
> OpenPipePath=*
> OpenKeyPath=*
> OpenIpcPath=*
> OpenWinClass=*
> OpenClsid=*

Plus, the latest Sandboxie versions will create a simplified line for Internet Access:

[code]
ProcessGroup=<InternetAccess>,firefox.exe,plugin-container.exe,.... and so on
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
[/code]

The "InternetAccessDevices" grouping of lines is a recent development, and may not be documented yet. It's automatically used for you, if you use the latest Sandboxie beta versions. I imagine that you need to be using one of the latest versions in order to use this, or the setting won't make any sense to the earlier Sandboxie versions.

Ruhe - Tue Dec 28, 2010 4:31 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62313#62313

Thanks.

1. Where can I find information in the board regarding InternetAccessDevices?
2. In the past there were problems with long file names, like Foxit Reader.exe. Therefore the recommendation was to include the short name too.

Mike - Tue Dec 28, 2010 3:58 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62309#62309

Hi Ruhe,

I haven't tried whitelisting like that so I can't comment, but a couple of very minor points:

1. You might want to use ClosedFilePath=!<InternetAccess_Firefox>,InternetAccessDevices to replace those 11 lines from ...Http\* to ...Afd*.
2. You probably don't need both the long- and short-format process names. For example, for plugin-container.exe I've never used the 8.3 form, plugin~1.exe. Tzuk explained it here: http://www.sandboxie.com/phpbb/viewtopic.php?t=9407

Ruhe - Whitelist sandbox - Tue Dec 28, 2010 2:18 pm
http://www.sandboxie.com/phpbb/viewtopic.php?p=62301#62301

Is this the correct way for a "Whitelist sandbox"? Only allow the specified apps to run (ProcessGroup=<StartRunAccess_Firefox>), and allow Internet access to the ones in ProcessGroup=<InternetAccess_Firefox>. There should be no further restrictions to the apps allowed to run.

[code]
[GlobalSettings]
ProcessGroup=<InternetAccess_Firefox>,firefox.exe,java.exe,plugin-container.exe,plugin~1.exe
ProcessGroup=<StartRunAccess_Firefox>,firefox.exe,jp2launcher.exe,jp2lau~1.exe,java.exe,plugin-container.exe,plugin~1.exe,dllhost.exe,foxit reader.exe,foxitr~1.exe

[Firefox]
ConfigLevel=7
Enabled=y
BoxNameTitle=y
BorderColor=#8000FF
AutoDelete=y
NeverDelete=n
NotifyInternetAccessDenied=y
DropAdminRights=y
NotifyStartRunAccessDenied=y
Template=BlockPorts
Template=Firefox_Force
OpenFilePath=*
OpenPipePath=*
OpenKeyPath=*
OpenIpcPath=*
OpenWinClass=*
OpenClsid=*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Http\*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Nsi
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Afd*
ClosedIpcPath=!<StartRunAccess_Firefox>,*
[/code]
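As an added example, not code from the forum thread or from Sandboxie itself, the following Python script parses a Sandboxie.ini fragment and reports the points raised in the thread: wildcard Open* settings that let every program in the box write to the real host (Guest10's warning, and the reason the installer escaped), the eleven per-device ClosedFilePath lines that the newer InternetAccessDevices keyword replaces (Mike's point), ProcessGroup lines still under [GlobalSettings] rather than the sandbox section, and a rule that references a group no ProcessGroup line defines. The embedded sample is Ruhe's posted configuration trimmed to the relevant lines; the function names, severity labels and the device-path regular expression are my own assumptions, not part of Sandboxie.

```python
"""Audit a Sandboxie.ini fragment for whitelist-sandbox mistakes.
Added example, not code from the forum thread or from Sandboxie itself;
SAMPLE_INI is the configuration Ruhe posted, trimmed to the relevant lines."""
import re
from collections import defaultdict

SAMPLE_INI = r"""
[GlobalSettings]
ProcessGroup=<InternetAccess_Firefox>,firefox.exe,java.exe,plugin-container.exe,plugin~1.exe
ProcessGroup=<StartRunAccess_Firefox>,firefox.exe,jp2launcher.exe,jp2lau~1.exe,java.exe,plugin-container.exe,plugin~1.exe,dllhost.exe,foxit reader.exe,foxitr~1.exe
[Firefox]
OpenFilePath=*
OpenPipePath=*
OpenKeyPath=*
OpenIpcPath=*
OpenWinClass=*
OpenClsid=*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Http\*
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Nsi
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip6
ClosedFilePath=!<InternetAccess_Firefox>,\Device\RawIp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Udp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Tcp
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Ip
ClosedFilePath=!<InternetAccess_Firefox>,\Device\Afd*
ClosedIpcPath=!<StartRunAccess_Firefox>,*
"""

# Open* settings whose "*" value hands the whole namespace to the box, so writes land on the host.
OPEN_SETTINGS = {"OpenFilePath", "OpenPipePath", "OpenKeyPath",
                 "OpenIpcPath", "OpenWinClass", "OpenClsid"}
# Per-device network paths that the InternetAccessDevices keyword replaces (assumed list,
# taken from the 11 lines in the posted configuration).
NETWORK_DEVICE_RE = re.compile(
    r"^\\Device\\(Http\\\*|Nsi|RawIp6?|Udp6?|Tcp6?|Ip6?|Afd\*)$", re.IGNORECASE)


def parse_ini(text):
    """Parse into {section: [(key, value), ...]}; repeated keys are kept in order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def process_groups(sections, box):
    """Groups a sandbox can reference: its own section plus [GlobalSettings]."""
    groups = {}
    for sec in ("GlobalSettings", box):
        for key, value in sections.get(sec, []):
            if key == "ProcessGroup":
                name, _, members = value.partition(",")
                groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def audit_sandbox(sections, box):
    """Return (severity, message) findings for one sandbox section."""
    findings = []
    groups = process_groups(sections, box)
    legacy_device_lines = defaultdict(int)
    for key, value in sections.get(box, []):
        # 1. Wildcard Open* lines: nothing is contained any more.
        if key in OPEN_SETTINGS and value == "*":
            findings.append(("HIGH", f"{key}=* lets every program in [{box}] write to the real host"))
        # 2. A <Group> used in a rule but never defined silently matches nothing.
        for name in re.findall(r"<[^>]+>", value):
            if name not in groups:
                findings.append(("MEDIUM", f"{key} references undefined group {name}"))
        # 3. Count legacy per-device network blocks per group prefix.
        if key == "ClosedFilePath":
            prefix, _, path = value.partition(",")
            if NETWORK_DEVICE_RE.match(path):
                legacy_device_lines[prefix] += 1
    for prefix, count in legacy_device_lines.items():
        findings.append(("LOW", f"{count} ClosedFilePath device lines can be replaced "
                                f"by ClosedFilePath={prefix},InternetAccessDevices"))
    # 4. Recent versions put ProcessGroup in the sandbox section, not globally.
    for key, value in sections.get("GlobalSettings", []):
        if key == "ProcessGroup":
            findings.append(("INFO", f"{value.partition(',')[0]} is defined under "
                                     "[GlobalSettings]; recent versions put it in the sandbox section"))
    return findings


def audit_sample():
    return audit_sandbox(parse_ini(SAMPLE_INI), "Firefox")


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"{severity:6} {message}")
```

Run against the posted configuration it reports six HIGH findings (one per wildcard Open* line), one LOW finding suggesting the single InternetAccessDevices line, and two INFO findings for the global ProcessGroup definitions; the check for undefined groups stays quiet because both groups referenced by the Closed* rules are defined.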