winws2: harden sandbox

Author: bol-van

docs/changes.txt

@@ -107,9 +107,10 @@ v0.7.2
 * nfqws2: clean lua cutoff on profile change
 * zapret-auto: separate hostkey function
 
-v0.7.3
+v0.7.4
 
 * nfqws2, zapret-lib : check tcp sequence range overflow
 * zapret-lib : seq compare functions
 * nfqws2: add l3_len, l4_len to dissect
 * nfqws2: fix broken l7proto profile rediscovery
+* winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change

nfq2/darkmagic.c

@@ -718,6 +718,29 @@ bool prepare_low_appdata()
 	return b;
 }
 
+BOOL JobSandbox()
+{
+	BOOL bRes = FALSE;
+	HANDLE hJob;
+	JOBOBJECT_BASIC_LIMIT_INFORMATION basic_limit;
+	JOBOBJECT_BASIC_UI_RESTRICTIONS basic_ui;
+
+	if (hJob = CreateJobObjectW(NULL, NULL))
+	{
+		basic_limit.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
+		// prevent child process creation
+		basic_limit.ActiveProcessLimit = 1;
+		// prevent some UI interaction and settings change
+		basic_ui.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_GLOBALATOMS | JOB_OBJECT_UILIMIT_HANDLES | JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
+		bRes = SetInformationJobObject(hJob, JobObjectBasicLimitInformation, &basic_limit, sizeof(basic_limit)) &&
+			SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &basic_ui, sizeof(basic_ui)) &&
+			AssignProcessToJobObject(hJob, GetCurrentProcess());
+		w_win32_error = GetLastError();
+		CloseHandle(hJob);
+	}
+	return bRes;
+}
+
 
 #define WINDIVERT_DEVICE_NAME "WinDivert"
 static bool b_isandbox_set = false;
@@ -734,6 +757,8 @@ bool win_sandbox(void)
 			return FALSE;
 		if (!LowMandatoryLevel())
 			return false;
+		if (!JobSandbox())
+			return false;
 		// for LUA code to find where to store files
 		b_isandbox_set = true;
 	}

nfq2/desync.c

@@ -1321,8 +1321,8 @@ static uint8_t dpi_desync_tcp_packet_play(
 		bool bDiscoveredL7;
 		if (ctrack_replay)
 		{
-			bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN;
-			ctrack_replay->l7proto_discovered = true;
+			if (bDiscoveredL7 = !ctrack_replay->l7proto_discovered && ctrack_replay->l7proto != L7_UNKNOWN)
+				ctrack_replay->l7proto_discovered = true;
 		}
 		else
 			bDiscoveredL7 = l7proto != L7_UNKNOWN;
@@ -1766,8 +1766,8 @@ static uint8_t dpi_desync_udp_packet_play(
 			bool bDiscoveredL7;
 			if (ctrack_replay)
 			{
-				bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN;
-				ctrack_replay->l7proto_discovered = true;
+				if ((bDiscoveredL7 = !ctrack_replay->l7proto_discovered && l7proto != L7_UNKNOWN))
+					ctrack_replay->l7proto_discovered = true;
 			}
 			else
 				bDiscoveredL7 = l7proto != L7_UNKNOWN;

nfq2/nfqws.c

@@ -630,14 +630,14 @@ static int win_main()
 		{
 			res=w_win32_error; goto ex;
 		}
+
 		if (!win_sandbox())
 		{
 			res=w_win32_error;
 			DLOG_ERR("Cannot init Windows sandbox\n");
 			goto ex;
 		}
 
-
 		// init LUA only here because of possible sandbox. no LUA code with high privs
 		if (!params.L && !lua_init())
 		{