跳转至

No Security Isolation

NoSecurityIsolation is a sandbox setting available since v1.0.0 / 5.55.0 that transforms Sandboxie from a secure isolation environment into an Application Compartment mode, prioritizing compatibility over security.

Usage

[DefaultBox]

NoSecurityIsolation=y

Syntax

NoSecurityIsolation=<y/n>

Where:

  • y enables compartment mode,
  • n (default) maintains security isolation.

How It Works

When enabled, the driver sets bAppCompartment = TRUE, fundamentally changing Sandboxie's operation by:

  • Bypassing token filtering: Both primary and impersonation tokens remain unmodified234
  • Excluding Job Objects: Processes avoid Windows Job Object restrictions5
  • Relaxing path controls: Default security-oriented path blocking is disabled1

Feature Matrix

Feature Standard Sandbox Application Compartment
File System Virtualization
Registry Virtualization
Object Namespace Isolation
Process Monitoring
Token-Based Security
Privilege Restrictions
Job Object Assignments
Security Path Blocking

Path Control Changes

In Application Compartment mode, three key path behaviors are automatically disabled1:

  • AlwaysCloseForBoxed: Boxed processes can access normally blocked paths6.
  • DontOpenForBoxed: Open path rules apply equally to all processes7.
  • ProtectHostImages: Host binary protection is relaxed8.

Compatibility & Integration

Automatic Activation

  • Unsupported Windows builds: Automatically enabled with warning MSG_12079.
  • Sandboxie Plus box types: Pre-configured in Application Compartment and Application Compartment with Data Protection.

Enhanced Compatibility

  • Processes interact freely with the host system.
  • Reduced conflicts with privilege-dependent applications.
  • Better support for complex software and development tools.

Security Implications

Important

Application Compartment mode significantly reduces security isolation:

  • Processes run with original security context and privileges.
  • No token-based protection or privilege dropping.
  • Sandbox provides virtualization but not security boundary.

Complementary

Job Object Limits (Disabled)

These settings become ineffective due to Job Object exclusion:

  • ProcessNumberLimit
  • ProcessMemoryLimit
  • TotalMemoryLimit

Use Cases & Troubleshooting

When to Enable:

  • Software testing and development environments.
  • Legacy applications requiring full system privileges.
  • Token restriction compatibility issues.
  • Virtualization-only scenarios (file/registry separation).

Common Triggers:

  • Applications failing to start due to token restrictions.
  • Administrative privilege requirements.
  • Complex software compatibility issues.

  1. Path Handling: Three behaviors disabled in process.c: always_close_for_boxed, dont_open_for_boxed, and protect_host_images

  2. Token Bypass: Token_ReplacePrimary returns TRUE when proc->bAppCompartment is set, bypassing all token filtering operations. 

  3. Primary Tokens: Left unmodified in token.c when Application Compartment mode is active. 

  4. Impersonation Tokens: Thread_CheckTokenForImpersonation returns STATUS_SUCCESS without restrictions when proc->bAppCompartment is enabled. 

  5. Job Object Exclusion: Condition new_proc->bAppCompartment in process.c excludes processes from Windows Job Objects. 

  6. AlwaysCloseForBoxed: proc->always_close_for_boxed = !proc->bAppCompartment && Conf_Get_Boolean(...) ensures boxed processes aren't blocked from normally closed paths. 

  7. DontOpenForBoxed: proc->dont_open_for_boxed = !proc->bAppCompartment && Conf_Get_Boolean(...) allows equal path rule application. 

  8. ProtectHostImages: proc->protect_host_images = !proc->bAppCompartment && Conf_Get_Boolean(...) disables host binary protection. 

  9. Auto Fallback: !Dyndata_Active && !proc->bAppCompartment triggers automatic compartment mode with Log_Msg1(MSG_1207, info)

  10. Security Filtering: no_filtering = proc->bAppCompartment && Conf_Get_Boolean(..., L"NoSecurityFiltering", ...) enables complete filtering bypass. 

  11. Template Paths: Process_GetPaths(proc, list, L"TemplateAppCPaths", setting_name, FALSE) applies compartment-specific template paths.