stm_app icon indicating copy to clipboard operation
stm_app copied to clipboard

Published 20 hours ago verified publisher icon stackmuncher

Move from full trust to partial trust win app

Open rimutaka opened this issue 3 years ago • 0 comments

File access

The current version of the windows app is packaged to run at full trust when all it needs is:

  1. access to the working directory to read .git folder with the repo
  2. internet client access to submit reports
  3. access to *AppData...\stackmuncher* folder to cache the reports locally, which is granted to all apps by default

The rules are stored in the application folder under *C:\Program Files\WindowsApps\stackmuncher....* as part of the package. The app has access to that by default.

According to https://docs.microsoft.com/en-us/archive/msdn-magazine/2018/may/universal-windows-platform-closing-uwp-win32-gaps#console-uwp-apps it is possible to declare the app as a console app which grants it access to the current working directory - the directory it was launched from.

I tried to follow the example, but it didn't work - the app installed, ran and tripped over access to the project dir - the current dir.

    <Application Id="stackmuncher" Executable="stackmuncher.exe" EntryPoint="Windows.PartialTrustApplication" desktop4:SupportsMultipleInstances="true" desktop4:Subsystem="console">
      <uap:VisualElements DisplayName="stackmuncher" Description="stackmuncher app" Square150x150Logo="150.png" Square44x44Logo="44.png" BackgroundColor="#999999" />
      <Extensions>
        <uap5:Extension Category="windows.appExecutionAlias" Executable="stackmuncher.exe" EntryPoint="Windows.PartialTrustApplication">
          <uap5:AppExecutionAlias desktop4:Subsystem="console">
            <uap5:ExecutionAlias Alias="stackmuncher.exe"/>
          </uap5:AppExecutionAlias>
        </uap5:Extension>
      </Extensions>
    </Application>

It is not clear if this applies to Win32 apps, but is worth trying.

Related:

  • https://docs.microsoft.com/en-us/windows/uwp/files/file-access-permissions#locations-that-all-apps-can-access
  • https://docs.microsoft.com/en-us/uwp/schemas/appxpackage/uapmanifestschema/element-uap5-appexecutionalias
  • https://stackoverflow.com/questions/33082835/windows-10-universal-app-file-directory-access
  • https://support.microsoft.com/en-us/windows/-windows-10-file-system-access-and-privacy-a7d90b20-b252-0e7b-6a29-a3a688e5c7be
  • https://github.com/microsoft/ProjectReunion/issues/219

Git access

Partially-trusted apps trip over git access because WinApps cannot launch another process. We'd need to bundle mingit with it: https://github.com/git-for-windows/git/releases and launch it from the app's folder, which is apparently allowed. A better alternative is to use GitOxide as per #15

rimutaka avatar May 12 '21 03:05 rimutaka