[Bug]: Application in AppSilo can get the whole contents list of %LocalAppData%/%AppData% #40

Open
AndromedaMelody opened this issue Jun 9, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@AndromedaMelody

AndromedaMelody commented Jun 9, 2023

Version

Windows Version: 10.0.25370.1
Win32 app isolation release version: 0.1.0

Repro Steps

Tested Application: NanaZip

  1. Modify the AppX Manifest
    • Modify about AppSilo ... (omit)
    • Delete virtualization:FileSystemWriteVirtualization to enable MSIX File System Virtualization.
    • Delete all rescap:Capability, especially isolatedWin32-promptForAccess and broadFileSystemAccess
  2. Run NanaZip and directly navigate to "C:\Users\$(user_name)\AppData\Local" by address bar.

Unexpected Results

I find that an application in AppSilo can get the whole contents list of %LocalAppData%/%AppData% (including files/folders that aren't located in $(LocalCache)) without isolatedWin32-promptForAccess and broadFileSystemAccess. According to the MSIX docs, is this a feature of MSIX File System Virtualization for compatibility? The files and sub-folders which aren't in LocalCache can't be accessed, though. If this is a feature for compatibility, maybe it is better for MSIX to support declaring specific folders that the developer wants to be virtualized (#36).

@AndromedaMelody AndromedaMelody added the bug Something isn't working label Jun 9, 2023
@tiangao-ms
Contributor

Can you share your full manifest file so it's easier for us to reproduce this issue? Our packaged NanaZip can't access %LocalAppData%/%AppData% without explicit consent. We probably need to take a look at the modifications for the virtualization part.

@AndromedaMelody
Author

AndromedaMelody commented Jun 14, 2023

Hi @tiangao-ms, I recorded a video to show the steps. (Due to the limits of GitHub, the video is encoded with HEVC; some browsers may not play it.)

Recording.2023-06-14.mp4
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10"
  xmlns:previewsecurity2="http://schemas.microsoft.com/appx/manifest/preview/windows10/security/2"
  IgnorableNamespaces="uap uap10 previewsecurity2">
  <Identity
    Name="40174MouriNaruto.NanaZipPreview"
    Publisher="CN=E310A153-74A9-4D81-800B-857A8D58408A"
    Version="2.1.451.0"
    ProcessorArchitecture="x64" />
  <Properties>
    <DisplayName>NanaZip Preview</DisplayName>
    <PublisherDisplayName>Kenji Mouri</PublisherDisplayName>
    <Logo>Assets\StoreLogo.png</Logo>
  </Properties>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.25229.0" MaxVersionTested="10.0.25387.0" />
  </Dependencies>
  <Applications>
    <Application Id="NanaZip" Executable="NanaZip.exe" uap10:TrustLevel="appContainer" previewsecurity2:RuntimeBehavior="appSilo">
      <uap:VisualElements DisplayName="NanaZip Preview" Description="NanaZip" BackgroundColor="transparent" Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png">
        <uap:DefaultTile Wide310x150Logo="Assets\Wide310x150Logo.png" Square310x310Logo="Assets\LargeTile.png" Square71x71Logo="Assets\SmallTile.png">
          <uap:ShowNameOnTiles>
            <uap:ShowOn Tile="wide310x150Logo" />
            <uap:ShowOn Tile="square150x150Logo" />
            <uap:ShowOn Tile="square310x310Logo" />
          </uap:ShowNameOnTiles>
        </uap:DefaultTile>
      </uap:VisualElements>
    </Application>
  </Applications>
</Package>

@tiangao-ms
Contributor

Okay I've done some experiments in this. I think this is the expected behavior.

Yes, as AppSilo is built on AppContainer, it inherits some of the AppContainer behaviors. For example, it will by default virtualize the AppData and LocalAppData directories (but not subdirectories if the app does not have access to them). Therefore, with the full virtualization, the app can access AppData and LocalAppData, but not their subdirectories.

The way that virtualization works is to combine the virtualized directories and the real ones together - when you created the directory D3DSCache in the localcache folder in your app profile (which the app has access to), the combined folder mentioned above will use that folder when you try to access.

(Not sure if I explained it well; it's how the current virtualization system works.)

So which piece of the behavior did you think was a bug or unexpected?

MSIX does not support virtualizing an arbitrary directory now - all the virtualizations happen in directories like AppData. Is there a specific usage for the feature?

@starchturrets

@AndromedaMelody I'm trying to repackage NanaZip following the docs, but I keep running into corrupted manifest errors. The one you shared works, but ofc I can't access files. Could you share how you did it?

@tiangao-ms
Contributor

> @AndromedaMelody I'm trying to repackage NanaZip following the docs, but I keep running into corrupted manifest errors. The one you shared works, but ofc I can't access files. Could you share how you did it?

Can you share your corrupted manifest so we can take a look at it? It might be that you did not include the headers you need?

@starchturrets

Of course, here's a pastebin: https://pastebin.com/YCLf73xu

I am running it in a Hyper-V VM on Windows Pro, on the latest insider canary build as of this writing (2591.1010).

I downloaded NanaZip from https://github.com/M2Team/NanaZip/releases, then unzipped the msixbundle so I could edit the x64 msix directly.

Changes made:

  • Add , OID.2.25.311729368913984317654407730594956997722=1 to the publisher field, as I am only testing so I am not signing this package.
  • xmlns:previewsecurity2="http://schemas.microsoft.com/appx/manifest/preview/windows10/security/2" added to the Package element
  • previewsecurity2 added to IgnorableNamespaces
  • TargetDeviceFamily changed to <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.25357.0" MaxVersionTested="10.0.25357.0" />
  • All EntryPoints replaced with uap10:TrustLevel="appContainer" previewsecurity2:RuntimeBehavior="appSilo"
  • Add the isolatedWin32-promptForAccess capability

On saving the manifest, I get the following error:

image

@lilybarkley-msft
Contributor

> Of course, here's a pastebin: https://pastebin.com/YCLf73xu

We're currently tracking this issue. It's a bug in some extension handlers, appExecutionAlias in your case, where if you specify the executable as a parameter for it, it doesn't accept previewsecurity2:RuntimeBehavior.

The current workaround is to not specify RTB/TL/Executable and let it inherit everything from the application element, but this prevents you from using multiple binaries.
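
An added example, not code from this thread or from the project: a Python audit of an AppxManifest for the settings discussed above (each Application's TrustLevel/RuntimeBehavior, the two file-access capabilities, FileSystemWriteVirtualization, and extensions that set their own Executable rather than inheriting from the Application element). Elements are matched by local name; the sample manifest and the name Helper.exe are constructed, and the "disabled" element text is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on this thread's manifest; Helper.exe is made up.
SAMPLE = """<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap3="http://schemas.microsoft.com/appx/manifest/uap/windows10/3"
  xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  xmlns:previewsecurity2="http://schemas.microsoft.com/appx/manifest/preview/windows10/security/2">
  <Applications>
    <Application Id="NanaZip" Executable="NanaZip.exe"
        uap10:TrustLevel="appContainer" previewsecurity2:RuntimeBehavior="appSilo">
      <Extensions>
        <uap3:Extension Category="windows.appExecutionAlias" Executable="Helper.exe" />
        <uap3:Extension Category="windows.fileTypeAssociation" />
      </Extensions>
    </Application>
  </Applications>
  <Capabilities>
    <rescap:Capability Name="isolatedWin32-promptForAccess" />
  </Capabilities>
</Package>"""

FILE_ACCESS_CAPS = {"isolatedWin32-promptForAccess", "broadFileSystemAccess"}

def local(name):
    # ElementTree renders qualified names as "{namespace-uri}local"
    return name.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    report = {"apps": {}, "file_access_caps": [],
              "write_virtualization_disabled": False, "extension_overrides": []}
    for el in ET.fromstring(xml_text).iter():
        tag = local(el.tag)
        attrs = {local(k): v for k, v in el.attrib.items()}
        if tag == "Application":
            # True only when both isolation attributes from the thread are set
            report["apps"][attrs.get("Id")] = (
                attrs.get("TrustLevel") == "appContainer"
                and attrs.get("RuntimeBehavior") == "appSilo")
        elif tag == "Capability" and attrs.get("Name") in FILE_ACCESS_CAPS:
            report["file_access_caps"].append(attrs["Name"])
        elif tag == "FileSystemWriteVirtualization":
            # Assumption: the element's text is "disabled" when it opts out
            report["write_virtualization_disabled"] = (
                (el.text or "").strip().lower() == "disabled")
        elif tag == "Extension" and "Executable" in attrs:
            # Extension names its own binary instead of inheriting the app's
            report["extension_overrides"].append(attrs.get("Category"))
    return report
```

An empty `file_access_caps` list together with `write_virtualization_disabled` being false corresponds to the repro configuration in the first comment.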
