I'm currently trying to understand the mechanics behind the AppContainer that is used to sandbox WinRT applications. I've understood that AppContainers have their own integrity level, which blocks any read and write attempts to assets with a higher integrity level. But why then can't those apps access the data of other apps running within the same integrity level?

And how does the access to objects work when the app has the corresponding capability? I assume, for example, that the camera is not tagged with the "appcontainer" integrity level. Therefore any access to it by an app running in an AppContainer should be blocked directly. But it's possible to declare the camera capability and the app will be able to access the camera. How is this possible? Can the capabilities that are denoted in the SID somehow "extend" the integrity level of an app?

Thanks in advance!

Fabian

1 Answer

But it's possible to declare the camera capability and the app will be able to access the camera. How is this possible? Can the capabilities that are denoted in the SID somehow "extend" the integrity level of an app?

According to the blog post Windows 8 App Container Security Notes - Part 1, there are 2 sets of SID constants: App Container SID Constants and Capability SID Constants. These define whether the resulting SID will have capabilities such as being an Internet Client, Server (or both), or access to Pictures, Music, Documents, Shared Certificates or Removable Storage.

Jeffrey Chen
  • Thanks for your answer! I'm aware of those two capabilities, but even if the app has the appropriate capability, it is still running on an integrity level where it shouldn't be able to access anything on a higher integrity level. AFAIK, the integrity checks are done before the SID checks. I came up with the following thought: the broker process through which the app gets all "higher integrity stuff" is running on at least medium integrity, so everything the app gets is given to it by the broker. – Fabian Apr 17 '15 at 06:55
  • I agree with you. Most of the calls from the process to the kernel are direct, but some of them, like reading a file or accessing the webcam, need special permission. These calls are proxied through a broker that might ask the user for consent. Most resources that an app requires need to be specified as "capabilities" in a manifest file that is bundled with the binaries. [link](https://wiki.mozilla.org/Windows_8_Integration) – Jeffrey Chen Apr 17 '15 at 09:15
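As an added example (not code from the question, the answer or the linked blog), a Python model of the order in which Windows evaluates an AppContainer token against an object: the mandatory integrity check first (the default label policy blocks only write-up, not read-up), then the DACL, which an AppContainer token has to pass a second time using only its package SID, its capability SIDs and ALL APPLICATION PACKAGES. The user SID and the two package SIDs are constructed placeholders; the capability SIDs are the well-known internetClient and picturesLibrary ones.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
LOW, MEDIUM = 0x1000, 0x2000          # SECURITY_MANDATORY_LOW_RID / _MEDIUM_RID
ALL_APP_PACKAGES = "S-1-15-2-1"       # group present in every AppContainer token
CAP_INTERNET_CLIENT = "S-1-15-3-1"    # well-known capability SIDs
CAP_PICTURES_LIBRARY = "S-1-15-3-4"
READ, WRITE = "read", "write"
@dataclass
class Token:
    user: str
    integrity: int
    package_sid: Optional[str] = None   # None: ordinary (non-AppContainer) process
    capabilities: Set[str] = field(default_factory=set)

@dataclass
class SecuredObject:
    integrity: int                      # mandatory label; Medium when none is set
    dacl: Dict[str, Set[str]]           # SID -> rights granted by allow ACEs
    no_read_up: bool = False            # default label policy is NoWriteUp only

def access_check(tok: Token, obj: SecuredObject, right: str) -> bool:
    # 1. Mandatory integrity check: no write-up; no read-up only if the label says so.
    if tok.integrity < obj.integrity and (right == WRITE or obj.no_read_up):
        return False
    def granted(sids: Set[str]) -> bool:
        return any(right in obj.dacl.get(s, set()) for s in sids)
    # 2. Normal DACL pass over the user's own SID (group SIDs omitted for brevity).
    if not granted({tok.user}):
        return False
    # 3. AppContainer tokens pass the DACL a second time using only the package SID,
    #    the capability SIDs and ALL APPLICATION PACKAGES; both passes must grant.
    if tok.package_sid is not None:
        return granted({tok.package_sid, ALL_APP_PACKAGES} | tok.capabilities)
    return True

def scenario() -> Dict[str, bool]:
    user = "S-1-5-21-0-0-0-1001"                     # constructed user SID
    pkg_a, pkg_b = "S-1-15-2-1111", "S-1-15-2-2222"  # constructed package SIDs
    app_a = Token(user, LOW, pkg_a, {CAP_PICTURES_LIBRARY})
    app_b = Token(user, LOW, pkg_b, {CAP_INTERNET_CLIENT})
    desktop = Token(user, MEDIUM)                    # classic, non-sandboxed process
    rw = {READ, WRITE}
    a_data = SecuredObject(LOW, {user: rw, pkg_a: rw})   # app A's private store
    pictures = SecuredObject(MEDIUM, {user: rw, CAP_PICTURES_LIBRARY: rw})
    return {
        "a_reads_own_data": access_check(app_a, a_data, READ),
        "b_reads_a_data": access_check(app_b, a_data, READ),        # same IL, no ACE for B
        "a_reads_pictures": access_check(app_a, pictures, READ),    # capability ACE matches
        "a_writes_pictures": access_check(app_a, pictures, WRITE),  # NoWriteUp: needs the broker
        "desktop_writes_pictures": access_check(desktop, pictures, WRITE),
    }
```

The model shows why two apps at the same (Low) integrity level still cannot read each other's stores: the second DACL pass only matches ACEs for that app's own package SID, a capability it declared, or ALL APPLICATION PACKAGES.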