feat: add restricted token sandbox for Windows#206

Merged
domcyrus merged 5 commits into
mainfrom
feat/windows-restricted-token-sandbox
Apr 9, 2026

Conversation

@domcyrus domcyrus (Owner) commented Mar 26, 2026

Summary

  • Remove dangerous privileges (SeDebugPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, etc.) from the process token after initialization using SE_PRIVILEGE_REMOVED (permanent, cannot be re-enabled)
  • Apply Job Object with JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 1 to block child process creation (reverse shells, exec-based exfiltration)
  • Add sandbox status to TUI security panel with warning colors for partial/unenforced states
  • Reuse existing --no-sandbox / --sandbox-strict CLI flags

Limitations

Windows sandboxing is weaker than Linux/macOS/FreeBSD — no filesystem or network restriction available at the process level. This is a best-effort defense-in-depth measure.

Test plan

  • Verify Windows build compiles via CI
  • Run on Windows with Npcap — packet capture must still work
  • Verify privilege removal shows in TUI security panel
  • Verify --no-sandbox disables cleanly
  • Verify --sandbox-strict exits if enforcement fails
  • Confirm macOS and Linux builds unaffected (CI matrix)
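
The two steps the PR description lists, written out as an added Rust example (this is not the project's own code): each listed privilege is removed from the process token with SE_PRIVILEGE_REMOVED via AdjustTokenPrivileges, then the process is placed in a Job Object whose active-process cap is 1. It uses raw Win32 FFI declarations instead of a bindings crate so it builds with no dependencies; everything Windows-specific sits behind `#[cfg(windows)]`, and on other targets it simply reports Unenforced. The function names, the `SandboxStatus` enum, and the two privilege names beyond the four the PR mentions are assumptions, not the project's layout.

```rust
/// Outcome of the two steps, as the TUI security panel reports it.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SandboxStatus { FullyEnforced, Partial, Unenforced }
pub fn classify(privileges_removed: bool, job_applied: bool) -> SandboxStatus {
    match (privileges_removed, job_applied) {
        (true, true) => SandboxStatus::FullyEnforced,
        (false, false) => SandboxStatus::Unenforced,
        _ => SandboxStatus::Partial,
    }
}
/// The PR names the first four; the last two are an assumed extension.
pub const DANGEROUS_PRIVILEGES: &[&str] = &[
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeImpersonatePrivilege",
];

#[cfg(windows)] #[allow(non_snake_case)] mod win {
    use super::{classify, SandboxStatus, DANGEROUS_PRIVILEGES};
    use std::{ffi::c_void, ptr};
    type HANDLE = *mut c_void; type BOOL = i32; type DWORD = u32;
    const TOKEN_ADJUST_PRIVILEGES: DWORD = 0x0020;
    const SE_PRIVILEGE_REMOVED: DWORD = 0x0004; // permanent, unlike merely disabling
    const ERROR_NOT_ALL_ASSIGNED: DWORD = 1300;
    const JOB_OBJECT_LIMIT_ACTIVE_PROCESS: DWORD = 0x0008;
    const JOB_OBJECT_BASIC_LIMIT_CLASS: i32 = 2; // JobObjectBasicLimitInformation
    #[repr(C)] #[derive(Clone, Copy, Default)] struct Luid { low: u32, high: i32 }
    #[repr(C)] struct LuidAndAttributes { luid: Luid, attributes: DWORD }
    #[repr(C)] struct TokenPrivileges { count: DWORD, privs: [LuidAndAttributes; 1] }
    #[repr(C)] #[derive(Default)] struct JobBasicLimit { // JOBOBJECT_BASIC_LIMIT_INFORMATION
        per_process_user_time: i64, per_job_user_time: i64, limit_flags: DWORD,
        min_working_set: usize, max_working_set: usize, active_process_limit: DWORD,
        affinity: usize, priority_class: DWORD, scheduling_class: DWORD,
    }
    #[link(name = "kernel32")] #[link(name = "advapi32")]
    extern "system" {
        fn GetCurrentProcess() -> HANDLE;
        fn GetLastError() -> DWORD;
        fn CloseHandle(h: HANDLE) -> BOOL;
        fn CreateJobObjectW(attrs: *const c_void, name: *const u16) -> HANDLE;
        fn SetInformationJobObject(job: HANDLE, class: i32, info: *const c_void, len: DWORD) -> BOOL;
        fn AssignProcessToJobObject(job: HANDLE, process: HANDLE) -> BOOL;
        fn OpenProcessToken(process: HANDLE, access: DWORD, token: *mut HANDLE) -> BOOL;
        fn LookupPrivilegeValueW(system: *const u16, name: *const u16, luid: *mut Luid) -> BOOL;
        fn AdjustTokenPrivileges(token: HANDLE, disable_all: BOOL, new: *const TokenPrivileges,
                                 len: DWORD, prev: *mut TokenPrivileges, ret_len: *mut DWORD) -> BOOL;
    }
    fn wide(s: &str) -> Vec<u16> { s.encode_utf16().chain(std::iter::once(0)).collect() }
    /// AdjustTokenPrivileges returns TRUE even when it changed nothing, so GetLastError is
    /// checked too; ERROR_NOT_ALL_ASSIGNED only means the token never held that privilege.
    pub fn remove_dangerous_privileges() -> Result<(), String> { unsafe {
        let mut token: HANDLE = ptr::null_mut();
        if OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token) == 0 {
            return Err(format!("OpenProcessToken: error {}", GetLastError()));
        }
        let mut outcome = Ok(());
        for name in DANGEROUS_PRIVILEGES {
            let (wname, mut luid) = (wide(name), Luid::default());
            if LookupPrivilegeValueW(ptr::null(), wname.as_ptr(), &mut luid) == 0 {
                outcome = Err(format!("LookupPrivilegeValueW({name}): error {}", GetLastError())); break;
            }
            let tp = TokenPrivileges { count: 1, privs: [LuidAndAttributes { luid, attributes: SE_PRIVILEGE_REMOVED }] };
            let (ok, err) = (AdjustTokenPrivileges(token, 0, &tp, 0, ptr::null_mut(), ptr::null_mut()), GetLastError());
            if ok == 0 || (err != 0 && err != ERROR_NOT_ALL_ASSIGNED) {
                outcome = Err(format!("AdjustTokenPrivileges({name}): error {err}")); break;
            }
        }
        CloseHandle(token);
        outcome
    } }
    /// A cap of 1 counts this process itself, so any CreateProcess from it fails. Windows 8+
    /// nests the job inside one the process is already in; Windows 7 rejects that (Partial).
    pub fn block_child_processes() -> Result<(), String> { unsafe {
        let job = CreateJobObjectW(ptr::null(), ptr::null());
        if job.is_null() { return Err(format!("CreateJobObjectW: error {}", GetLastError())); }
        let limit = JobBasicLimit { limit_flags: JOB_OBJECT_LIMIT_ACTIVE_PROCESS, active_process_limit: 1, ..Default::default() };
        let (info, size) = (&limit as *const JobBasicLimit as *const c_void, std::mem::size_of::<JobBasicLimit>() as DWORD);
        if SetInformationJobObject(job, JOB_OBJECT_BASIC_LIMIT_CLASS, info, size) == 0
            || AssignProcessToJobObject(job, GetCurrentProcess()) == 0 {
            let err = GetLastError(); CloseHandle(job);
            return Err(format!("job object setup: error {err}"));
        }
        Ok(()) // the job handle is deliberately left open for the life of the process
    } }
    pub fn apply() -> SandboxStatus {
        let privs = remove_dangerous_privileges().map_err(|e| eprintln!("{e}")).is_ok();
        let job = block_child_processes().map_err(|e| eprintln!("{e}")).is_ok();
        classify(privs, job)
    }
}

#[cfg(windows)] pub fn apply_sandbox() -> SandboxStatus { win::apply() }
#[cfg(not(windows))] pub fn apply_sandbox() -> SandboxStatus { SandboxStatus::Unenforced }

/// Run after initialization, once the Npcap handle is already open.
fn main() {
    let strict = std::env::args().any(|a| a == "--sandbox-strict");
    let status = apply_sandbox();
    println!("Windows sandbox: {status:?}");
    if strict && status != SandboxStatus::FullyEnforced { std::process::exit(1); }
}
```

Ordering matters: the removal is permanent, so it has to run after the capture handle is open, which is why the PR applies it "after initialization". To confirm the result on a running process, look at it in Process Explorer rather than at the shell (`whoami /priv` reports the shell's own token, not the sandboxed process's): the Security tab should no longer list the stripped privileges, and a Job tab should appear with the active process limit of 1. Note that this leaves the open capture handle and all network access intact, which is exactly the limitation the PR description spells out.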

@domcyrus domcyrus force-pushed the feat/windows-restricted-token-sandbox branch from e01832d to 1d15c33 on April 9, 2026 06:47
@domcyrus domcyrus merged commit 14b305b into main Apr 9, 2026
21 checks passed
domcyrus added 5 commits April 9, 2026 09:02

Remove dangerous privileges (SeDebugPrivilege, SeBackupPrivilege, etc.)
and apply Job Object to block child process creation after initialization.

…ict mode

Replace magic number 1300 with ERROR_NOT_ALL_ASSIGNED constant. Document
nested Job Object behavior on Windows 8+. Strict mode now requires
FullyEnforced (both privileges removed and job applied).

The sandbox module was declared in windows/mod.rs but not re-exported
from the platform module, causing build failures on Windows.

domcyrus added a commit that referenced this pull request Apr 9, 2026
- Windows restricted token sandbox (#206)
- macOS Seatbelt sandboxing, later tightened (#196, #203)
- Linux sandbox hardening: drop capabilities and clear ambient set (#208)
- UI: process privilege shown in security section (#197)
- Filter: exact port matching and regex support (#195)
- VLAN support in PKTAP/SLL parsers and L3 extraction (#202, #199)
- IGMP protocol parsing (#209)
- Process name for wildcard /proc/net entries (#218)
- CPU efficiency improvements in sort/snapshot/rate/timeout paths (#213, #220, #212, #222) — thanks @deepakpjose
- FreeBSD platform cleanup (#205)
- Fix default interface selection (#194), root detection on Unix (#192)
- Dependency updates