From d780bdfd174f10228b0672ddf35ffed2944a0894 Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Wed, 13 Sep 2023 16:54:30 -0400 Subject: [PATCH 1/8] Intro update --- docs/README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/README.md diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..0462749 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,19 @@ +# Welcome to Win32 App Isolation Introduction + +### Target Applications + +* Win32 +* Centennial apps. + +### Minimum requirements: + +* Windows insider version >= 25357 +* [MPT v1.2023.517.0] (https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) +* If is needed to know which capabilities are required, one will use ACP (check the MPT link) and [WPR] (https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) + +### Creating a Silo App: + +[Detailed instructions] (https://github.com/microsoft/win32-app-isolation/blob/v0.1.1/docs/packaging/msix-packaging-tool.md) +1. Create an MSIX package from Win32 installer (if the app is not already MSIX) +2. Turning the MSIX Package to Win32 App Isolation +3. Identifying the Required Capabilities Using [ACP] (https://github.com/microsoft/win32-app-isolation/blob/v0.1.1/docs/profiler/application-capability-profiler.md) From a84ee3cc43d263bad4e3e85f862186e4f4a01b3c Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Wed, 11 Oct 2023 14:48:44 -0400 Subject: [PATCH 2/8] Intro2 --- docs/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/README.md b/docs/README.md index 0462749..267e8a4 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -1,19 +1,19 @@ -# Welcome to Win32 App Isolation Introduction +# Win32 App Isolation Introduction ### Target Applications * Win32 -* Centennial apps. +* Centennial ### Minimum requirements: * Windows insider version >= 25357 -* [MPT v1.2023.517.0] (https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) -* If is needed to know which capabilities are required, one will use ACP (check the MPT link) and [WPR] (https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) +* [Customized MSIX Packaging Tool](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) This version is required to build a Win32 App Isolation application +* If is needed to know which capabilities are required, one can use [ACP](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) and [WPR](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) ### Creating a Silo App: -[Detailed instructions] (https://github.com/microsoft/win32-app-isolation/blob/v0.1.1/docs/packaging/msix-packaging-tool.md) -1. Create an MSIX package from Win32 installer (if the app is not already MSIX) -2. Turning the MSIX Package to Win32 App Isolation -3. Identifying the Required Capabilities Using [ACP] (https://github.com/microsoft/win32-app-isolation/blob/v0.1.1/docs/profiler/application-capability-profiler.md) +1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](docs/packaging/msix-packaging-tool.md#win32---msix)) +2. Turn the MSIX Package to Win32 App Isolation ([step 2](docs/packaging/msix-packaging-tool.md#msix---isolated-win32)) +3. Identify the Required Capabilities Using [ACP](docs/profiler/application-capability-profiler.md) +4. Repackage the app with the capabilities just found From 22435659de33cf7a1b9efa9a40dd87b9e26d6d80 Mon Sep 17 00:00:00 2001 
From: Christian Chavez Date: Thu, 2 Nov 2023 13:33:42 -0400 Subject: [PATCH 3/8] intro v3 --- docs/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/README.md b/docs/README.md index 267e8a4..51837ab 100644 --- a/docs/README.md +++ b/docs/README.md @@ -5,15 +5,15 @@ * Win32 * Centennial -### Minimum requirements: +### Minimum Requirements: * Windows insider version >= 25357 * [Customized MSIX Packaging Tool](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) This version is required to build a Win32 App Isolation application * If is needed to know which capabilities are required, one can use [ACP](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) and [WPR](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) -### Creating a Silo App: +### Creating a Win32 App Isolation App: -1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](docs/packaging/msix-packaging-tool.md#win32---msix)) -2. Turn the MSIX Package to Win32 App Isolation ([step 2](docs/packaging/msix-packaging-tool.md#msix---isolated-win32)) -3. Identify the Required Capabilities Using [ACP](docs/profiler/application-capability-profiler.md) +1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](/docs/packaging/msix-packaging-tool.md#win32---msix)) +2. Turn the MSIX Package to Win32 App Isolation ([step 2](/docs/packaging/msix-packaging-tool.md#msix---isolated-win32)) +3. Identify the required capabilities using [ACP](/docs/profiler/application-capability-profiler.md) 4. Repackage the app with the capabilities just found From 395330fedfa9c599b1fe1764f68bf15137d627f8 Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Thu, 2 Nov 2023 14:09:18 -0400 Subject: [PATCH 4/8] intro4 --- docs/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/README.md b/docs/README.md index 51837ab..85d6452 100644 --- a/docs/README.md +++ b/docs/README.md @@ -13,7 +13,7 @@ ### Creating a Win32 App Isolation App: -1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](/docs/packaging/msix-packaging-tool.md#win32---msix)) -2. Turn the MSIX Package to Win32 App Isolation ([step 2](/docs/packaging/msix-packaging-tool.md#msix---isolated-win32)) -3. Identify the required capabilities using [ACP](/docs/profiler/application-capability-profiler.md) +1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](packaging/msix-packaging-tool.md#win32---msix)) +2. Turn the MSIX Package to Win32 App Isolation ([step 2](packaging/msix-packaging-tool.md#msix---isolated-win32)) +3. Identify the required capabilities using [ACP](profiler/application-capability-profiler.md) 4. Repackage the app with the capabilities just found From b23cc1795afa4f1157970cb3a8226eafe4f7ffd0 Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Thu, 2 Nov 2023 14:23:37 -0400 Subject: [PATCH 5/8] Intro5 --- docs/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index 85d6452..cc090da 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -8,12 +8,12 @@ ### Minimum Requirements: * Windows insider version >= 25357 -* [Customized MSIX Packaging Tool](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) This version is required to build a Win32 App Isolation application +* [Customized MSIX Packaging Tool](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) This version is required to build a Win32 app isolation application * If is needed to know which capabilities are required, one can use [ACP](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) and [WPR](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) ### Creating a Win32 App Isolation App: 1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](packaging/msix-packaging-tool.md#win32---msix)) -2. Turn the MSIX Package to Win32 App Isolation ([step 2](packaging/msix-packaging-tool.md#msix---isolated-win32)) +2. Turn the MSIX Package to Win32 app isolation ([step 2](packaging/msix-packaging-tool.md#msix---isolated-win32)) 3. Identify the required capabilities using [ACP](profiler/application-capability-profiler.md) 4. Repackage the app with the capabilities just found From 86c2d1120ec567b5feaface4b0aa1627abfb5db3 Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Tue, 7 Nov 2023 10:14:53 -0500 Subject: [PATCH 6/8] Intro6 --- docs/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/README.md b/docs/README.md index cc090da..b2ea838 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -3,17 +3,17 @@ ### Target Applications * Win32 -* Centennial +* Desktop Bridge (Centennial) ### Minimum Requirements: -* Windows insider version >= 25357 +* Windows insider version >= 25357 (Canary channel only) * [Customized MSIX Packaging Tool](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) This version is required to build a Win32 app isolation application * If is needed to know which capabilities are required, one can use [ACP](https://github.com/microsoft/win32-app-isolation/releases/tag/v0.1.1) and [WPR](https://learn.microsoft.com/en-us/windows-hardware/test/wpt/windows-performance-recorder) ### Creating a Win32 App Isolation App: 1. Create an MSIX package from Win32 installer *if the app is not already MSIX* ([step 1](packaging/msix-packaging-tool.md#win32---msix)) -2. Turn the MSIX Package to Win32 app isolation ([step 2](packaging/msix-packaging-tool.md#msix---isolated-win32)) +2. Turn the MSIX Package to isolated Win32 app ([step 2](packaging/msix-packaging-tool.md#msix---isolated-win32)) 3. Identify the required capabilities using [ACP](profiler/application-capability-profiler.md) 4. Repackage the app with the capabilities just found From 52c0e4385582cbc372e737a05ab18ee72e65621e Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Thu, 20 Jun 2024 16:58:43 -0400 Subject: [PATCH 7/8] pushing readme for risky-capabilities --- docs/packaging/Risky-capabilities.md | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 docs/packaging/Risky-capabilities.md diff --git a/docs/packaging/Risky-capabilities.md b/docs/packaging/Risky-capabilities.md new file mode 100644 index 0000000..1bf9ef1 --- /dev/null +++ b/docs/packaging/Risky-capabilities.md 
@@ -0,0 +1,30 @@ +# Risky Capabilities + +This page specifically focuses on capabilities that are incompatible with win 32 app isolation. The following capabilities can lower the security offered by win32 app isolation and application developers should refrain from using them when onboarding to win32 app isolation. + +* "uiAccess" +* "allowElevation" +* "inputInjectionBrokered" +* "oemDeployment" +* "packagedServices" +* "localSystemServices" +* "enterpriseAuthentication" + +The following capabilities are not compatible with Win32 app isoltaion. They may cause the application not to work + +* "packageManagement" +* "cortanaPermissions" +* "backgroundVoIP" +* "broadFileSystemAccess" +* "deviceEncryptionManagement" +* "deviceLockManagement" +* "deviceManagementAdministrator" +* "deviceManagementDeclaredConfiguration" +* "deviceManagementDeviceLockPolicies" +* "deviceManagementDmAccount" +* "deviceManagementEmailAccount" +* "deviceManagementFoundation" +* "deviceManagementRegistration" +* "deviceManagementWapSecurityPolicies" +* "devicePortalProvider" +* "deviceUnlock" \ No newline at end of file From 06a85e5dcd0c1e19e96e14741cf7a68cacbcaaf3 Mon Sep 17 00:00:00 2001 From: Christian Chavez Date: Wed, 7 Aug 2024 14:56:08 -0400 Subject: [PATCH 8/8] risky capabilities v2 --- docs/packaging/Risky-capabilities.md | 50 +++++++++++++++------------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/docs/packaging/Risky-capabilities.md b/docs/packaging/Risky-capabilities.md index 1bf9ef1..b78ea33 100644 --- a/docs/packaging/Risky-capabilities.md +++ b/docs/packaging/Risky-capabilities.md 
@@ -1,30 +1,32 @@ # Risky Capabilities -This page specifically focuses on capabilities that are incompatible with win 32 app isolation. The following capabilities can lower the security offered by win32 app isolation and application developers should refrain from using them when onboarding to win32 app isolation. +This page specifically focuses on capabilities that are incompatible with Win 32 app isolation. The following +capabilities can lower the security offered by win32 app isolation and application developers should refrain from +using them when onboarding to win32 app isolation. -* "uiAccess" -* "allowElevation" -* "inputInjectionBrokered" -* "oemDeployment" -* "packagedServices" -* "localSystemServices" -* "enterpriseAuthentication" +* 'uiAccess' +* 'allowElevation' +* 'inputInjectionBrokered' +* 'oemDeployment' +* 'packagedServices' +* 'localSystemServices' +* 'enterpriseAuthentication' The following capabilities are not compatible with Win32 app isoltaion. They may cause the application not to work -* "packageManagement" -* "cortanaPermissions" -* "backgroundVoIP" -* "broadFileSystemAccess" -* "deviceEncryptionManagement" -* "deviceLockManagement" -* "deviceManagementAdministrator" -* "deviceManagementDeclaredConfiguration" -* "deviceManagementDeviceLockPolicies" -* "deviceManagementDmAccount" -* "deviceManagementEmailAccount" -* "deviceManagementFoundation" -* "deviceManagementRegistration" -* "deviceManagementWapSecurityPolicies" -* "devicePortalProvider" -* "deviceUnlock" \ No newline at end of file +* 'packageManagement' +* 'cortanaPermissions' +* 'backgroundVoIP' +* 'broadFileSystemAccess' +* 'deviceEncryptionManagement' +* 'deviceLockManagement' +* 'deviceManagementAdministrator' +* 'deviceManagementDeclaredConfiguration' +* 'deviceManagementDeviceLockPolicies' +* 'deviceManagementDmAccount' +* 'deviceManagementEmailAccount' +* 'deviceManagementFoundation' +* 'deviceManagementRegistration' +* 'deviceManagementWapSecurityPolicies' +* 
'devicePortalProvider' +* 'deviceUnlock' \ No newline at end of file
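
Review bot: In PATCH 1/8, every link in the new docs/README.md has a space between the closing bracket and the opening parenthesis, for example `[WPR] (https://learn.microsoft.com/...)`, so Markdown renders them as literal text rather than links. PATCH 2/8 removes the space; squashing the two would avoid committing a README with no working links. The link text `MPT v1.2023.517.0` also points at release tag `v0.1.1`, so the reader sees two different version labels for one requirement; say which of the two they should check against.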
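
Review bot: In PATCH 2/8, the step links added under "Creating a Silo App" use paths such as `docs/packaging/msix-packaging-tool.md#win32---msix`, but the file itself lives in docs/, so a relative link resolves to docs/docs/packaging/... and breaks. PATCH 3/8 and 4/8 then change the same three lines twice more to reach `packaging/...`; use that form here and drop the two follow-up commits. The bullet "If is needed to know which capabilities are required, one can use ..." is still ungrammatical and survives unchanged through 6/8; something like "To find out which capabilities the app requires, use ACP and WPR" reads better.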
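
Review bot: In PATCH 5/8, the changed bullet `[Customized MSIX Packaging Tool](...) This version is required to build a Win32 app isolation application` runs the link straight into a sentence with no separator, and "This version" has no antecedent because the link text stopped naming a version in 2/8. Put the release in the link text (the URL points at tag `v0.1.1`) and separate the sentence with a colon or period, so the requirement states which tool release is needed.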
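
Review bot: In PATCH 7/8, the opening sentence of Risky-capabilities.md says the page covers capabilities that are "incompatible" with app isolation, but the first list is then introduced as capabilities that "can lower the security offered", and only the second list is described as "not compatible". State both categories in the intro, or give each list its own heading, so a developer can tell which entries weaken the sandbox and which break the app. The line introducing the second list misspells "isoltaion" and lacks a final period, the file ends without a newline, and the capitalised file name differs from the lowercase names of the other docs (`msix-packaging-tool.md`). Since the page asks developers to refrain from the first seven capabilities, one line per capability on why it weakens isolation would make that advice easier to act on.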
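
Review bot: In PATCH 8/8, the rewrapped intro paragraph now spells the feature three ways within four lines ("Win 32 app isolation", "win32 app isolation", and "Win32 app isoltaion" on the untouched context line), and the "isoltaion" typo from 7/8 is still there; pick "Win32 app isolation" throughout and fix the typo in this commit. Swapping double quotes for single quotes on the capability names leaves them as quoted prose; backticks (for example `uiAccess`) would mark them as identifiers that can be copied verbatim and compared against a package manifest. The file still ends with "\ No newline at end of file".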