Accessing named objects from an AppContainer

  • Question

  • We have a regular Win32 application that creates a sandbox which runs at low integrity, and I would like to run the sandbox in an AppContainer. Problem is, I get an access denied when I try to access the broker's named objects from the sandbox. The objects are created with the SACL "(ML;;NW;;;LW)" in the local namespace, and the sandbox runs fine under low integrity.

    How do I need to set up the security descriptor so that the objects can be accessed from within the AppContainer?

    Thanks for any help.

    • Moved by Rob Caplan [MSFT] (Microsoft employee) Tuesday, April 3, 2012 8:40 PM: desktop app question, not about writing a Metro style app (From: Building Metro style apps with C++)
    Tuesday, April 3, 2012 8:04 PM

Answers

  • Hi Marius, I don't know the exact SDDL syntax, but there are a couple of options:

    1) Figure out the packageSid (see AppContainerDeriveSidFromMoniker) and grant access to that.

    2) Grant access to "ALL APPLICATION PACKAGES", although this will give all AppContainers access.

    3) Invent a new SID (capability), grant access to it, and include it in the list of Capabilities when creating the AppContainer.

    (pseudo-code)
    // Custom capability SID S-1-15-3-<X>-<Y>: app package authority, capability base RID, then two app-chosen RIDs X and Y
    SID_IDENTIFIER_AUTHORITY appPackageAuthority = SECURITY_APP_PACKAGE_AUTHORITY;
    PSID myCustomSid = NULL;   // release with FreeSid when done
    AllocateAndInitializeSid(&appPackageAuthority, 3, SECURITY_CAPABILITY_BASE_RID, X, Y, 0, 0, 0, 0, 0, &myCustomSid);

    -tusk

    • Marked as answer by MariusAtWork Wednesday, April 4, 2012 9:58 PM
    Wednesday, April 4, 2012 3:56 PM
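Working out the bits behind options 2 and 3 of the answer above (and the same broker/AppContainer IPC problem raised later in the thread), as an added example that is not from the thread or from Microsoft: it encodes a custom capability SID S-1-15-3-X-Y in the binary layout Windows uses, renders it back to its string form, and builds the SDDL for a broker-side named object that keeps the asker's low-integrity label (ML;;NW;;;LW) and adds the DACL allow entry an AppContainer token needs. The label only settles the integrity check; an AppContainer process is additionally denied unless the DACL grants access to its package SID, one of its capability SIDs, or ALL APPLICATION PACKAGES ("AC" in SDDL). The two RIDs 0x12345678/0x9abcdef0, the "BA" placeholder for the broker's own account and the SID layout constants are constructed here so the code compiles without windows.h; on Windows the same values would be produced with AllocateAndInitializeSid and consumed through ConvertStringSecurityDescriptorToSecurityDescriptorW, and the package SID of option 1 (from AppContainerDeriveSidFromMoniker) can be passed to broker_object_sddl as a string the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Binary SID layout as Windows stores it, spelled out so this compiles without windows.h:
 *   Revision (1 byte) | SubAuthorityCount (1 byte) | IdentifierAuthority (6 bytes, big-endian)
 *   | SubAuthority[count] (4 bytes each, little-endian)
 * S-1-15-3-X-Y is the custom capability shape from option 3: authority 15 (app package),
 * first RID 3 (capability base), then two RIDs the broker picks and keeps fixed. */
enum {
    SID_REV = 1,
    APP_PACKAGE_AUTHORITY = 15,
    CAPABILITY_BASE_RID = 3,
    MAX_SUB_AUTHORITIES = 15,
    MAX_SID_BYTES = 8 + 4 * MAX_SUB_AUTHORITIES
};

/* Encode S-1-15-3-<rid1>-<rid2>; returns the byte length (20 for this shape). */
size_t encode_capability_sid(uint32_t rid1, uint32_t rid2, uint8_t out[MAX_SID_BYTES]) {
    const uint32_t subs[3] = { CAPABILITY_BASE_RID, rid1, rid2 };
    memset(out, 0, MAX_SID_BYTES);
    out[0] = SID_REV;
    out[1] = 3;                     /* three sub-authorities */
    out[7] = APP_PACKAGE_AUTHORITY; /* low byte of the 48-bit big-endian authority */
    for (size_t i = 0; i < 3; i++)
        for (size_t b = 0; b < 4; b++)
            out[8 + 4 * i + b] = (uint8_t)(subs[i] >> (8 * b));
    return 8 + 4 * 3;
}

/* Decode a binary SID to "S-1-<authority>-<sub>-...". Returns chars written, 0 if malformed
 * or if the buffer is too small. */
size_t sid_to_string(const uint8_t *sid, size_t len, char *buf, size_t buflen) {
    if (len < 8 || sid[0] != SID_REV || sid[1] > MAX_SUB_AUTHORITIES || len < 8 + 4u * sid[1])
        return 0;
    uint64_t authority = 0;
    for (size_t i = 2; i < 8; i++) authority = (authority << 8) | sid[i];
    int n = snprintf(buf, buflen, "S-1-%llu", (unsigned long long)authority);
    if (n < 0) return 0;
    for (size_t i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(buf + n, (size_t)n < buflen ? buflen - (size_t)n : 0, "-%u", (unsigned)v);
        if (m < 0) return 0;
        n += m;
    }
    return (size_t)n < buflen ? (size_t)n : 0;
}

/* SDDL for a broker-side named object: the broker's own account keeps full access, the
 * AppContainer principal (package SID, custom capability SID, or "AC" = ALL APPLICATION
 * PACKAGES) gets an allow ACE, and the asker's low-integrity label stays as the SACL.
 * Returns 1 on success, 0 if the buffer is too small. */
int broker_object_sddl(const char *broker_sid, const char *appcontainer_sid, char *buf, size_t buflen) {
    int n = snprintf(buf, buflen, "D:(A;;GA;;;%s)(A;;GA;;;%s)S:(ML;;NW;;;LW)", broker_sid, appcontainer_sid);
    return n > 0 && (size_t)n < buflen;
}

int main(void) {
    uint8_t sid[MAX_SID_BYTES];
    char cap[96], sddl[256];
    /* constructed RIDs and "BA" (Builtin Administrators) as a stand-in for the broker account */
    size_t len = encode_capability_sid(0x12345678u, 0x9abcdef0u, sid);
    sid_to_string(sid, len, cap, sizeof cap);
    broker_object_sddl("BA", cap, sddl, sizeof sddl);   /* option 3: custom capability SID */
    printf("capability SID: %s\nSDDL (option 3): %s\n", cap, sddl);
    broker_object_sddl("BA", "AC", sddl, sizeof sddl);  /* option 2: every AppContainer */
    printf("SDDL (option 2): %s\n", sddl);
    return 0;
}
```

The option 3 string is what the broker applies to its objects and what the same RID pair, wrapped in the capability SID, is listed under when the sandbox's AppContainer is created; option 2 is the one-line fallback when any AppContainer may open the objects.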

All replies

  • That works, thanks a bunch!

    Wednesday, April 4, 2012 9:58 PM
  • Hi,

    I have an IE BHO on Win8 64-bit with EPM enabled. I have registered it as EPM compatible and it loads fine. I have a broker process which runs at medium integrity level and creates named events, mutexes and shared objects and sets their label to low integrity, but my BHO is not able to access those because now the BHO runs in an AppContainer and creates the same objects, as it doesn't find them in Session\xx\AppContainerNamedObjects\<some SID>\myobj ...

    i.e. it creates them in its own namespace.

    So what should I do to access my events, etc. of my broker running in the local namespace? How should I do IPC?

    This is important. Please reply back.

    Wednesday, July 31, 2013 11:53 AM