Trust No Program
Is there a way to use "ClosedFilePath" with an exc
SandboxieFan
Guest

Example:

[DefaultBox]

ClosedFilePath=D:\
OpenFilePath=D:\MyFolder





Where basically you are blocking [DefaultBox] from viewing everything in D: Drive except for D:\MyFolder


Is this possible?
Guest10


Joined: 27 Apr 2008
Posts: 4342
Location: Ohio, USA
You can create a ClosedFilePath that only applies to certain programs from:
Sandbox Settings > Resource Access > File Access > Blocked Access
by putting the program's .exe name in the "The list above ..." box, and then click on "Add".
You can repeat that process with another .exe name, as many times as you want.
Examples:
ClosedFilePath=firefox.exe,%Personal%\
ClosedFilePath=iexplore.exe,%Personal%\
where %Personal% is the "My Documents" folder, on XP. Or the "C:\Users\(user)\Documents" folder on Vista.

All other sandboxed programs using that sandbox will still have access to the folder.

Or, as in your example, you can block access to a folder for all programs using that sandbox.
What you cannot do is to block access to a folder, and also unblock a sub-folder that's under it.
A ClosedFilePath setting will over-ride an OpenFilePath setting.

_________________
Paul
XP Pro SP3 (Admin rights), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 21, Thunderbird 17
SandboxieFan
Guest

Guest10 wrote:
You can create a ClosedFilePath that only applies to certain programs from:
Sandbox Settings > Resource Access > File Access > Blocked Access
by putting the program's .exe name in the "The list above ..." box, and then click on "Add".
You can repeat that process with another .exe name, as many times as you want.
Examples:
ClosedFilePath=firefox.exe,%Personal%\
ClosedFilePath=iexplore.exe,%Personal%\
where %Personal% is the "My Documents" folder, on XP. Or the "C:\Users\(user)\Documents" folder on Vista.

All other sandboxed programs using that sandbox will still have access to the folder.

Or, as in your example, you can block access to a folder for all programs using that sandbox.
What you cannot do is to block access to a folder, and also unblock a sub-folder that's under it.
A ClosedFilePath setting will over-ride an OpenFilePath setting.



Interesting. That makes complete sense that ClosedFilePath > OpenFilePath.

Okay so you said that I can create a ClosedFilePath that only applies to certain programs from:

Now, what about using ClosedFilePath Blocking all programs EXCEPT for a particular program?

Is that possible?
Ruhe


Joined: 03 Jul 2008
Posts: 803
Location: Germany
The examples on http://www.sandboxie.com/index.php?ClosedFilePath should answer your question.
SandboxieFan
Guest

Ruhe wrote:
The examples on http://www.sandboxie.com/index.php?ClosedFilePath should answer your question.


Great, thanks Ruhe

So it is possible to Close a file path for all programs except for designated exception program/s.

Now the question is, is Roboform running on Firefox a part of firefox.exe process or is it separate? I am finding robotaskbaricon.exe on my Windows Task Manager, so I don't know if Robotaskbaricon.exe is the exception program that can view the closed path which will be closed to all other programs.

The thing is, I want firefox to not be able to view Roboform's password information directory/files, while I still want Roboform to be able to view and use them so I can continue to use Roboform while blocking firefox from viewing that information...
Mike


Joined: 16 Nov 2009
Posts: 592
Guest10 wrote:
What you cannot do is to block access to a folder, and also unblock a sub-folder that's under it.

To all, wouldn't the ability to add exceptions to blocked paths be useful? In addition to the OP's case, this could be helpful when:
    * Blocking access to all user folders (not just %Personal%), except specific folders under AppData.
    * Blocking access to all drives except C:\.
A default policy of denying, rather than allowing, access to folders seems more secure. However, Sandboxie lacks an easy way to allow one folder while blocking its 50 siblings. The ability to block a parent folder and add exceptions for sub-folders would not only make it easier to define blocks, but would also offer better protection because folders created in the future would automatically be blocked.
Wiz
Guest

While I do think that could be a good addition that provides more flexibility, I'm wondering about what scenarios would this be useful in? Most people do tend to keep all docs in the My Documents folder. Also (@ Mike) by the word secure do you mean it in terms of privacy or actual system protection from modification by malware?
RSecure
Guest

Adding exceptions would make much sense since it is already possible to implement it for internet access, it probably is possible to do them for other folders too. It would be easier to have it supported by the GUI.
RSecure
Guest

On second thought it would be similar to a white listing policy, just like specifying what programs can run, one could also specify what programs have access to the blocked folder.
RSecure
Guest

Okay I just observed something when editing the ini file for exceptions; the list in the GUI displays the exception program with a ! next to it. Maybe specifying that as a note about making exceptions on the blockedaccess settings tab could be helpful?
RSecure
Guest

I did some further testing with setting exceptions; the problem with exceptions is that you can't enable more than one program to access a blocked folder at a time. Doing so will cause both programs not being able to access the folder.
For example:

ClosedFilePath=!winword.exe,\Device\Mup\
ClosedFilePath=!winword.exe,%Personal%\

enables access to my docs for word while file explorer and anything else could not access it. However enabling both exceptions for the same sandbox stops both of them from accessing the designated exception.
So is this a bug, or is it set up so that there can be only one exception at a time (or else they conflict)? The thing is though, you could block off net access, with exceptions for multiple programs at a time... which still utilizes exceptions to accomplish this. This feature could probably be polished.

ClosedFilePath=!winword.exe,\Device\Mup\
ClosedFilePath=!winword.exe,%Personal%\
ClosedFilePath=!explorer.exe,\Device\Mup\
ClosedFilePath=!explorer.exe,%Personal%\

Also a separate question... is it technically possible to enable access to a subfolder while blocking the parent directory?
Mike


Joined: 16 Nov 2009
Posts: 592
Wiz wrote:
(@ Mike) by the word secure do you mean it in terms of privacy or actual system protection from modification by malware?

More secure in the privacy sense, particularly for sandboxes with internet access.

Wiz wrote:
I'm wondering about what scenarios would this be useful in? Most people do tend to keep all docs in the My Documents folder ...

Right, and that's exactly why exceptions would be useful. For an internet browsing sandbox, one could block off all user folders (C:\Users\), but make specific exceptions for My Documents and the current Firefox profile.

Sandboxie's motto is "Trust No Program." Thus, it would be nice to have a straightforward way to block programs from accessing personal data (contacts, emails, photos) stored not just under My Documents, but in Contacts, My Pictures, %LocalAppData%, and myriad other locations.
Mike


Joined: 16 Nov 2009
Posts: 592
RSecure wrote:
The problem with exceptions is that you cant enable more than one program to access a blocked folder at a time.

If I understand you correctly, you should be able to do this by defining a ProcessGroup...

Code:
[GlobalSettings]
ProcessGroup=<Group1_Sandbox1>,winword.exe,explorer.exe

[Sandbox1]
ClosedFilePath=!<Group1_Sandbox1>,%Personal%
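Why RSecure's two separate "!" rules lock out both programs while Mike's ProcessGroup version works, shown as an added example that is not part of the thread and is not Sandboxie's own code. It is a simplified Python model in which a file is blocked as soon as any one ClosedFilePath rule applies to the program; the C:\Users\me\Documents\ path (standing in for %Personal%), the helper names, the plain prefix matching and the ignored section scoping are assumptions.

```python
import ntpath

# Constructed samples; C:\Users\me\Documents\ stands in for %Personal%.
TWO_RULES = r"""
[Sandbox1]
ClosedFilePath=!winword.exe,C:\Users\me\Documents\
ClosedFilePath=!explorer.exe,C:\Users\me\Documents\
"""
GROUPED = r"""
[GlobalSettings]
ProcessGroup=<Group1_Sandbox1>,winword.exe,explorer.exe
[Sandbox1]
ClosedFilePath=!<Group1_Sandbox1>,C:\Users\me\Documents\
"""

def parse_rules(ini_text):
    """Collect ProcessGroup members and ClosedFilePath rules (sections ignored)."""
    groups, rules = {}, []
    for line in ini_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "ProcessGroup":
            name, *members = value.lower().split(",")
            groups[name.strip()] = {m.strip() for m in members}
        elif key == "ClosedFilePath":
            spec, sep, path = value.partition(",")
            if not sep:              # no program prefix: rule covers every program
                spec, path = "", value
            rules.append((spec.strip().lower(), path.strip()))
    return groups, rules

def rule_applies(spec, exe, groups):
    """'prog' targets prog; '!prog' targets every program except prog."""
    if not spec:
        return True
    name = spec.lstrip("!")
    members = groups.get(name, {name})
    return (exe.lower() in members) != spec.startswith("!")

def blocked_programs(ini_text, target, programs):
    """Programs denied access to target: any single matching rule is enough."""
    groups, rules = parse_rules(ini_text)
    t = ntpath.normcase(target)
    return sorted(p for p in programs
                  if any(t.startswith(ntpath.normcase(path))
                         and rule_applies(spec, p, groups) for spec, path in rules))

if __name__ == "__main__":
    progs = ["winword.exe", "explorer.exe", "firefox.exe"]
    doc = r"C:\Users\me\Documents\letter.docx"
    print(blocked_programs(TWO_RULES, doc, progs))  # all three programs
    print(blocked_programs(GROUPED, doc, progs))    # firefox.exe only
```

With two separate rules, the "!explorer.exe" line still applies to winword.exe and the "!winword.exe" line still applies to explorer.exe, so each program is caught by the other's rule; a single negated group is the only form in which both are exempt at once.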
RSecure
Guest

Thanks for that Mike. It did what I wanted it to do. I would still think having GUI support exceptions as a global setting would definitely be a plus for usability function.

Quote:
"For a straightforward way to block programs from accessing personal data (contacts, emails, photos) stored not just under My Documents, but in Contacts, My Pictures, %LocalAppData%, and myriad other locations."


Now doing that could be confusing for some people that have different needs for a sandbox. In my case I have personal docs on a usb stick, and I tend to download files in the documents folder. Now considering that the above proposal was put into effect;

should Tzuk make it so it blocks off all folders in just the User profile by default?

should he extend this to other folders on the C/drive?
What about the different versions of windows that use different paths for user profile folders?

You see it can be very hard for Tzuk to guess everyone's needs for them and what they want closed access to. That's why the defaultbox has nothing blocked, to ensure ease of use for most people. And Tzuk provides us with the ability to make exceptions. However I think the ability to have a specific folder blocked while having access to a subfolder could be useful. Maybe Tzuk can explain the technical limitations if any, or his opinion on the subject...
Mike


Joined: 16 Nov 2009
Posts: 592
RSecure wrote:
You see it can be very hard for Tzuk to guess everyone's needs for them and what they want closed access to

Sorry I wasn't clear - I only meant to emphasize that exceptions would be useful. I wasn't suggesting that anything be blocked by default.
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.