Commit bcb5e51

Clean up (#82)
* Intro update
* Intro2
* intro v3
* intro4
* Intro5
* Intro6
* pushing readme for risky-capabilities
* risky capabilities v2
* cleanUp
* cleanUpv2
1 parent e667556 commit bcb5e51

43 files changed: +44 -1237 lines changed

README.md

Lines changed: 2 additions & 15 deletions
@@ -3,21 +3,7 @@ Win32 app isolation is a new security feature on Windows that helps contain the
33
application compromise.
44
Win32 app isolation is built on the foundation of [AppContainers](https://learn.microsoft.com/en-us/windows/win32/secauthz/implementing-an-appcontainer), which offer a security boundary,
55
and components that virtualize resources and provide brokered access to other resources.
6-
This repo contains the documentation and tools to help you isolate your applications.
7-
8-
## Getting started
9-
* The first step to isolating your application is to package it to run isolated by following the instructions
10-
11-
* [using the MSIX packaing tool](docs/packaging/msix-packaging-tool.md)
12-
* or [using Visual Studio](docs/packaging/packaging-with-visual-studio.md)
13-
14-
* Once you have your application packaged, use [Application Capability Profiler](docs/profiler/application-capability-profiler.md) to update the application to grant it access to additional resources.
15-
* We also have additional documentation about the [fundamentals](docs/fundamentals) including file access consent.
16-
* You're now ready to deploy and run your application on Windows.
17-
18-
Binaries for the tools used to package applications to run isolated are shared under the [releases](https://github.com/microsoft/win32-app-isolation/releases) section of the repo.
19-
20-
Release notes for supported Windows builds and tools can be found [here](relnotes/windows-release-notes.md).
6+
This repo should be used only to file bugs or feature requests, and to ask questions. To learn more about the feature and how to enable it for your app, visit the main Win32 app isolation page at [MS Learn](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview).
217

228
## Communicating with the team
239
We'd love to hear your feedback and answer your questions!
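Review bot: the replacement sentence at new line 6 drops the pointers to the releases section and to relnotes/windows-release-notes.md without saying where the tool binaries and release notes now live. If the releases section still hosts the packaging tool binaries, keep a one-line link to it; otherwise say that they moved. The removed relative links (docs/packaging/..., docs/profiler/..., docs/fundamentals) were the only in-repo entry points to the packaging and capability-profiler steps, so if those files are deleted in this commit, a short stub at each path pointing to the MS Learn page would keep existing bookmarks from landing on a 404.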
@@ -27,6 +13,7 @@ Please search for similar discussions and issues before creating new ones.
2713

2814
## Resources
2915
You can find additional information about Win32 app isolation using the following resources:
16+
* [MS Learn](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview)
3017
* [Win32 app isolation Build session](https://www.youtube.com/watch?v=w6VwHGPz12w&pp=ygUTd2luMzIgYXBwIGlzb2xhdGlvbg%3D%3D&ab_channel=MicrosoftDeveloper)
3118
* [Win32 app isolation blog](https://blogs.windows.com/windowsdeveloper/2023/06/14/public-preview-improve-win32-app-security-via-app-isolation/)
3219
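Review bot: the MS Learn URL added at new line 16 hard-codes the `en-us` locale segment; dropping it (https://learn.microsoft.com/windows/win32/secauthz/app-isolation-overview) lets the site redirect readers to their own language. The same link is also added at new line 6 in the previous hunk, so the README now carries it twice; keeping it once under Resources and referring to that section from line 6 would leave a single place to update.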

Lines changed: 42 additions & 42 deletions
@@ -1,42 +1,42 @@
1-
# Consent for Isolated Win32 Apps
2-
3-
## How file access consent is granted
4-
5-
Consent is granted for Isolated Win32 Apps in three ways.
6-
7-
1. Implicit-Consent: Apps are implicitly granted access to files and folders through the flows
8-
listed below.
9-
10-
* File Dialog: Files and folders that are selected or created through Window's file dialog
11-
created from an isolated app.
12-
13-
* File Type Assocition: Apps that register FTA in the manifest will show up under the open-with
14-
context menu and can be set as the default app.
15-
* Apps that do this through a COM extension will need the
16-
`isolatedWin32-shellExtensionContextMenu` capability.
17-
18-
* Drag and Drop: Apps that register drag and drop handlers will have access to any files and
19-
folders dragged onto them.
20-
* There is currently no support for dragging between different Isolated Win32 Apps.
21-
22-
2. Publisher Directory: If the application has the `isolatedWin32-accessToPublisherDirectory`
23-
capability, then the app will have full access to:
24-
25-
* Network shares whose share name ends with the publisher ID of the app.
26-
27-
* Directories with names ending with the publisher ID of the app located in
28-
`\Device\BootDevice\ProgramData`.
29-
30-
3. Prompting: If the application has the `isolatedWin32-promptForAccess` capability, the first time
31-
the app attempts to access a file or directory, a prompt will be generated for the user to accept
32-
or decline. The choice will be saved until the consent is revoked
33-
34-
## How consent is revoked
35-
36-
Consent can currently be revoked in two ways.
37-
38-
1. Settings: Through the settings, navigate to "Reset file permissions on isolated Win32
39-
applications". On this page you can fully reset the consent granted to specific isolated apps. This
40-
will reset both prompted and implicit consent, but won't affect the publisher directory.
41-
42-
2. Uninstall: During uninstall, all consent will be revoked.
1+
# Consent for Isolated Win32 Apps
2+
3+
## How file access consent is granted
4+
5+
Consent is granted for Isolated Win32 Apps in three ways.
6+
7+
1. Implicit-Consent: Apps are implicitly granted access to files and folders through the flows
8+
listed below.
9+
10+
* File Dialog: Files and folders that are selected or created through Window's file dialog
11+
created from an isolated app.
12+
13+
* File Type Assocition: Apps that register FTA in the manifest will show up under the open-with
14+
context menu and can be set as the default app.
15+
* Apps that do this through a COM extension will need the
16+
`isolatedWin32-shellExtensionContextMenu` capability.
17+
18+
* Drag and Drop: Apps that register drag and drop handlers will have access to any files and
19+
folders dragged onto them.
20+
* There is currently no support for dragging between different Isolated Win32 Apps.
21+
22+
2. Publisher Directory: If the application has the `isolatedWin32-accessToPublisherDirectory`
23+
capability, then the app will have full access to:
24+
25+
* Network shares whose share name ends with the publisher ID of the app.
26+
27+
* Directories with names ending with the publisher ID of the app located in
28+
`\Device\BootDevice\ProgramData`.
29+
30+
3. Prompting: If the application has the `isolatedWin32-promptForAccess` capability, the first time
31+
the app attempts to access a file or directory, a prompt will be generated for the user to accept
32+
or decline. The choice will be saved until the consent is revoked
33+
34+
## How consent is revoked
35+
36+
Consent can currently be revoked in two ways.
37+
38+
1. Settings: Through the settings, navigate to "Reset file permissions on isolated Win32
39+
applications". On this page you can fully reset the consent granted to specific isolated apps. This
40+
will reset both prompted and implicit consent, but won't affect the publisher directory.
41+
42+
2. Uninstall: During uninstall, all consent will be revoked.
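Review bot: all 42 lines are removed and re-added with no visible text difference, which points to a line-ending or whitespace-only rewrite; that inflates the diff and hides any real edit, so it would be better split into its own commit or handled with a `.gitattributes` rule. Since every line is touched anyway, fix the remaining typos: "Assocition" on line 13, "Window's file dialog" on line 10, and the missing period after "until the consent is revoked" on line 32. The Publisher Directory item (lines 22 to 28) grants full access by name suffix but does not say who is allowed to create those directories or shares; one sentence on that would help readers judge what the `isolatedWin32-accessToPublisherDirectory` capability exposes.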

docs/README.md

Lines changed: 0 additions & 25 deletions
This file was deleted.
-27.5 KB
Binary file not shown.
-60.5 KB
Binary file not shown.
-55.1 KB
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
-162 KB
Binary file not shown.
