UseRuleSpecificity should be available for everyone

[Ashesh3]

Hello,

I was looking for a safer way to run applications in an isolated secured environment and Sandboxie caught my eye. It seem be have all the features required to run an executable application without worry, if the box is configured correctly.

However, after going extensively though the documentation and the feature comparison page, I noticed that, unfortunately, the UseRuleSpecificity flag is behind a paywall. I understand that other features such as "Privacy Mode", "Security Enhancements", "Encryption", "Ram Disk" are for very specific user cases and it seems fair to have them behind a paywall considering the immerse development effort with these features. I am not the one to judge the development effort for the UseRuleSpecificity feature, but it seems like a very basic and fundamental requirement for any sandbox application, and should be, (in my opinion) enabled and availale for all edition.

The reason being very simple, most users prefer 1 whitelist over 10 blacklist entries. In my case, I want to restrict (box only) access to D:\ but keep normal access to D:\Downloads\* and D:\Sandbox\* , So I went ahead and added these rules, just to realize that this will not work as D:\ (box only) takes precedence over everything! This is totally counter intuitive, as in any path config, the more specific paths take precedence over more general ones. I believe this should be the default behavior for Sandboxie as it makes the most sense. The same way it works for most antiviruses - If you include D:\ but then exclude D:\unsafe, it should not ignore the more specific rule for the broader rule.

I love this program and would definitely support it on Patreon, and I also understand it takes a lot of time and effort to maintain this, but I wanted to present my views here, as when i felt deceived that, this fundamental rule priority feature is behind a paywall and disabled by default. I am totally okay with all other paid features - but this one seems just too important for most use cases.

[bastik-1001]

It's interesting that Sandboxie did not appear to have this feature before, so that it was not something originally thought about. It makes it easier to configure Sandboxie and in some way it is required for some fine-grained access control.

I don't know if the feature is what someone would spend money on. If it isn't an incentive to buy a certificate, then David could be convinced to make this freely available for anyone.

[DavidXanatos]

Well the thing is that UseRuleSpecificity + a set of default presets == privacy mode,
or 2/3 of the security enhanced box.
Hence this feature needs to remain premium, or there is no point in locking the others out.

[bastik-1001]

I understand that point. It would only work if most people would be lazy enough to configure access rules to block something in general, what the privacy mode does out of the box. Understandably, this is nothing to bet on.

[Ashesh3]

@DavidXanatos The issue is abstracting the basic functionality of a sandbox behind a fancy term "Privacy box". It makes sense if "Privacy box" / "Security Enhanced Box" are one click easy to set up boxes for people who want an easier way. But to be in a state where a normal free sandbox user does not have the ability to achieve "Privacy" / "Security" in any reasonable manner is what concerns me. I understand you could just block C:\ D:\ but then the executable itself won't run.. I tried for hours to get a configuration to work fine to somewhat get close to "Privacy"/"Security" but the app would not let me have it. Again, just my opinion here and I respect your work and decisions, but do you think allowing UseRuleSpecificity for the free editions would at least give them a capability to work towards the sandbox they want, they won't get the easy way out of selecting a button and getting everything set up for them. They would need to fine tune every resource - but at least in a sandboxing app they now have the capability of doing so.. Without this feature Sandboxie seems like a shadow premium app - more of a trial version. fine-grained access control should be a fundamental right of a sandbox i believe. Again, just having a discussion.

[DavidXanatos]

@Ashesh3 Well first of all for the first 16 years of sandboxies existence the total lack of Rule Specificity was not a big issue. Certainly some users complained about the inability to prioritize rules or create more complex configs, but for the most part sandboxie did its job good enough.
You can set up a reasonably private box by using WriteFilePath=D:\ and many WriteFilePath=C:[all your C directories except Windows and Program Files] that should be good enough just don't create new super secret folders at the root of C without setting up a new rule to protect them.
Sandboxie somewhat always was a trial version of sorts, as you may remember before going open source the free version did not support program forcing and only allowed to use one sandbox at a time, if you wanted more a license was required.
Now that its open source that very essential functionality remains free but new also somewhat essential functionality is in turn not and I think that's fair.
I don't intent to change this, currently only about 1% of all users have a supporter certificate, that leaves a lot of room for improvement, IMHO the goal should be at least 10%.

[Ashesh3]

@DavidXanatos That makes sense, fair enough. Thanks for the response.