Windows Sandbox configuration

Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.

A configuration file enables the user to control the following aspects of Windows Sandbox:

  • vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
  • Networking: Enable or disable network access within the sandbox.
  • Mapped folders: Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
  • Logon command: A command that's executed when Windows Sandbox starts.
  • Audio input: Shares the host's microphone input into the sandbox.
  • Video input: Shares the host's webcam input into the sandbox.
  • Protected client: Places increased security settings on the RDP session to the sandbox.
  • Printer redirection: Shares printers from the host into the sandbox.
  • Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
  • Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.

Creating a configuration file

To create a simple configuration file:

  1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.)

  2. Insert the following lines:

    <Configuration>
    </Configuration>
    
  3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below.

  4. Save the file with the desired name, but make sure its filename extension is .wsb. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. "My config file.wsb".

Using a configuration file

To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:

C:\Temp> MyConfigFile.wsb 

Keywords, values, and limits

vGPU

Enables or disables GPU sharing.

<vGPU>value</vGPU>

Supported values:

  • Enable: Enables vGPU support in the sandbox.
  • Disable: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
  • Default: This is the default value for vGPU support. Currently this means vGPU is disabled.

Note

Enabling virtualized GPU can potentially increase the attack surface of the sandbox.

Networking

Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.

<Networking>value</Networking>

Supported values:

  • Disable: Disables networking in the sandbox.
  • Default: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connecting the sandbox to it via a virtual NIC.

Note

Enabling networking can expose untrusted applications to the internal network.

Mapped folders

An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.

<MappedFolders>
  <MappedFolder> 
    <HostFolder>absolute path to the host folder</HostFolder> 
    <SandboxFolder>absolute path to the sandbox folder</SandboxFolder> 
    <ReadOnly>value</ReadOnly> 
  </MappedFolder>
  <MappedFolder>  
    ...
  </MappedFolder>
</MappedFolders>

HostFolder: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start.

SandboxFolder: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.

ReadOnly: If true, enforces read-only access to the shared folder from within the container. Supported values: true/false. Defaults to false.

Note

Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.

Logon command

Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.

<LogonCommand>
  <Command>command to be invoked</Command>
</LogonCommand>

Command: A path to an executable or script inside the container that will be executed after login.

Note

Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the LogonCommand directive.

Audio input

Enables or disables audio input to the sandbox.

<AudioInput>value</AudioInput>

Supported values:

  • Enable: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
  • Disable: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
  • Default: This is the default value for audio input support. Currently this means audio input is enabled.

Note

There may be security implications of exposing host audio input to the container.

Video input

Enables or disables video input to the sandbox.

<VideoInput>value</VideoInput>

Supported values:

  • Enable: Enables video input in the sandbox.
  • Disable: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
  • Default: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.

Note

There may be security implications of exposing host video input to the container.

Protected client

Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.

<ProtectedClient>value</ProtectedClient>

Supported values:

  • Enable: Runs Windows Sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
  • Disable: Runs the sandbox in standard mode without extra security mitigations.
  • Default: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.

Note

This setting may restrict the user's ability to copy/paste files in and out of the sandbox.

Printer redirection

Enables or disables printer sharing from the host into the sandbox.

<PrinterRedirection>value</PrinterRedirection>

Supported values:

  • Enable: Enables sharing of host printers into the sandbox.
  • Disable: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
  • Default: This is the default value for printer redirection support. Currently this means printer redirection is disabled.

Clipboard redirection

Enables or disables sharing of the host clipboard with the sandbox.

<ClipboardRedirection>value</ClipboardRedirection>

Supported values:

  • Disable: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
  • Default: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox is permitted under Default.

Memory in MB

Specifies the amount of memory that the sandbox can use in megabytes (MB).

<MemoryInMB>value</MemoryInMB>

If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.

Example 1

The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.

Downloads.wsb

<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\Downloads</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
  </LogonCommand>
</Configuration>

Example 2

The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.

Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.

With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.

VSCodeInstall.cmd

REM Download Visual Studio Code
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe

REM Install and run Visual Studio Code
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes

VSCode.wsb

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\SandboxScripts</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\CodingProjects</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
  </LogonCommand>
</Configuration>
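
An added example (not part of the original page and not Microsoft's code): a Python audit that reads a .wsb file and lists which host resources it exposes, using the defaults and notes stated above, run here on Example 2's configuration. The function name, the finding strings, the case-insensitive tag matching and the DOCTYPE rejection are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Effective state when an element is absent or set to Default, as stated on this page.
DEFAULT_ENABLED = {
    "networking": True, "audioinput": True, "clipboardredirection": True,
    "vgpu": False, "videoinput": False, "printerredirection": False,
}

def _child(node, name):
    # Assumption: tags are compared case-insensitively (the page writes vGPU and VGpu).
    return next((c for c in node if c.tag.lower() == name), None)

def _text(node):
    return (node.text or "").strip() if node is not None else ""

def audit_wsb(xml_text):
    """Return findings for host resources this .wsb exposes to the sandbox."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("a .wsb file has no reason to carry a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    findings = []
    for name, default_on in DEFAULT_ENABLED.items():
        value = _text(_child(root, name)).lower()
        if value == "enable" or (value != "disable" and default_on):
            how = "explicitly" if value == "enable" else "by default"
            findings.append(f"{name} enabled {how}")
    if _text(_child(root, "protectedclient")).lower() != "enable":
        findings.append("protectedclient not enabled")
    folders = _child(root, "mappedfolders")
    for folder in (folders if folders is not None else []):
        host = _text(_child(folder, "hostfolder"))
        # ReadOnly defaults to false, so only an explicit "true" protects the host copy.
        if _text(_child(folder, "readonly")).lower() != "true":
            findings.append(f"writable host folder: {host}")
    return findings

# Example 2 (VSCode.wsb) from this page, reflowed onto fewer lines as sample input.
VSCODE_WSB = r"""<Configuration><MappedFolders>
  <MappedFolder><HostFolder>C:\SandboxScripts</HostFolder><ReadOnly>true</ReadOnly></MappedFolder>
  <MappedFolder><HostFolder>C:\CodingProjects</HostFolder><ReadOnly>false</ReadOnly></MappedFolder>
</MappedFolders><LogonCommand>
  <Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
</LogonCommand></Configuration>"""

if __name__ == "__main__":
    for finding in audit_wsb(VSCODE_WSB):
        print(finding)
```

Settings the file never mentions still appear in the findings, because the page's Default for networking, audio input and clipboard redirection is enabled.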