[Bug]: Application in AppSilo can get the whole contents list of %LocalAppData%/%AppData%

[AndromedaMelody]

Version

Windows Version: 10.0.25370.1
Win32 app isolation release version: 0.1.0

Repro Steps

Tested Application: NanaZip

1. Modify the AppX Manifest
   • Modify about AppSilo ... (omit)
   • Delete virtualization:FileSystemWriteVirtualization to enable MSIX File System Virtualization.
   • Delete all rescap:Capability, especially isolatedWin32-promptForAccess and broadFileSystemAccess
2. Run NanaZip and directly navigate to "C:\Users\$(user_name)\AppData\Local" by address bar.

Unexpected Results

I find Application in AppSilo can get the whole contents list of %LocalAppData%/%AppData%(including files/folders don't located in $(LocalCache)) without isolatedWin32-promptForAccess and broadFileSystemAccess. According to MSIX Doc, is it the feature of MSIX File System Virtualization in order to compatibility? Although the files and sub-folders which aren't in LocalCache can't be accessed. If this is a feature for compatibility, maybe it is better for MSIX to support declaring specific folders that the developer want to be virtualized (#36).

[tiangao-ms]

Can you share your full manifest file so it's easier for us to reproduce this issue? Our packaged NanaZip can't access %LocalAppData%/%AppData% without explicit consent. We probably need to take a look at the modifications for the virtualization part.

[AndromedaMelody]

Hi @tiangao-ms , I recorded a video to show steps. (due to the limits of GitHub, the video is coded by HEVC, some browser may not play.)

Recording.2023-06-14.mp4

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10"
  xmlns:previewsecurity2="http://schemas.microsoft.com/appx/manifest/preview/windows10/security/2"
  IgnorableNamespaces="uap uap10 previewsecurity2">
  <Identity
    Name="40174MouriNaruto.NanaZipPreview"
    Publisher="CN=E310A153-74A9-4D81-800B-857A8D58408A"
    Version="2.1.451.0"
    ProcessorArchitecture="x64" />
  <Properties>
    <DisplayName>NanaZip Preview</DisplayName>
    <PublisherDisplayName>Kenji Mouri</PublisherDisplayName>
    <Logo>Assets\StoreLogo.png</Logo>
  </Properties>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.25229.0" MaxVersionTested="10.0.25387.0" />
  </Dependencies>
  <Applications>
    <Application Id="NanaZip" Executable="NanaZip.exe" uap10:TrustLevel="appContainer" previewsecurity2:RuntimeBehavior="appSilo">
      <uap:VisualElements DisplayName="NanaZip Preview" Description="NanaZip" BackgroundColor="transparent" Square150x150Logo="Assets\Square150x150Logo.png" Square44x44Logo="Assets\Square44x44Logo.png">
        <uap:DefaultTile Wide310x150Logo="Assets\Wide310x150Logo.png" Square310x310Logo="Assets\LargeTile.png" Square71x71Logo="Assets\SmallTile.png">
          <uap:ShowNameOnTiles>
            <uap:ShowOn Tile="wide310x150Logo" />
            <uap:ShowOn Tile="square150x150Logo" />
            <uap:ShowOn Tile="square310x310Logo" />
          </uap:ShowNameOnTiles>
        </uap:DefaultTile>
      </uap:VisualElements>
    </Application>
  </Applications>
</Package>

[tiangao-ms]

Okay I've done some experiments in this. I think this is the expected behavior.

Yes, as AppSilo is built on AppContainer, it inherits some of the AppContainer behaviors. For example, it will by default virtualize AppData and LocalAppData directory (but not subdirectories if the app does not have access to them). Therefore, with the full virtualization, the app can access AppData and LocalAppData, but no their subdirectories.

The way that virtualization works is to combine the virtualized directories and the real ones together - when you created the directory D3DSCache in the localcache folder in your app profile (which the app has access to), the combined folder mentioned above will use that folder when you try to access.

(Not sure if I explained it well, it's how current virtualization system work)

So which piece of the behavior did you think was a bug or unexpected?

MSIX does not support virtualizing an arbitrary directory now - all the virtualizations happen in directories like AppData. Is there a specific usage for the feature?

[starchturrets]

@AndromedaMelody I'm trying to repackage NanaZip following the docs, but I keep running into corrupted manifest errors. The one you shared works, but ofc I can't access files. Could you share how you did it?

[tiangao-ms]

@AndromedaMelody I'm trying to repackage NanaZip following the docs, but I keep running into corrupted manifest errors. The one you shared works, but ofc I can't access files. Could you share how you did it?

Can you share your corrupted manifest so we can take a look at it? It might be that you did not include the headers you need?

[starchturrets]

Of course, here's a pastebin: https://pastebin.com/YCLf73xu

I am running it in a Hyper V VM on Windows Pro, on the latest insider canary build as of this writing (2591.1010).

I downloaded NanaZip from https://github.com/M2Team/NanaZip/releases, then unzipped the msixbundle so I could edit the x64 msix directly.

Changes made:

• Add , OID.2.25.311729368913984317654407730594956997722=1 to the publisher field, as I am only testing so I am not signing this package.
• xmlns:previewsecurity2="http://schemas.microsoft.com/appx/manifest/preview/windows10/security/2" added to the Package element
• previewsecurity2 added to IgnorableNamespaces
• TargetDeviceFamily changed to <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.25357.0" MaxVersionTested="10.0.25357.0" />
• All EntryPoints replaced with uap10:TrustLevel="appContainer" previewsecurity2:RuntimeBehavior="appSilo"
• Add the isolatedWin32-promptForAccess capability

On saving the manifest, I get the following error:

[lilybarkley-msft]

Of course, here's a pastebin: https://pastebin.com/YCLf73xu

We're currently tracking this issue. It's a bug in some extension handlers, appExecutionAlias in your case, where if you specify the executable as a parameter for it, it doesn't accept previewsecurity2:RuntimeBehavior.

The current work around is to not specify RTB/TL/Executable and let it inherit everything from the application element, but this prevents you from using multiple binaries.