I'm trying to use CreateAppContainerProfile to run a .NET 6 application.
Based on the documentation that api is used to set up the same kind of sandbox used by UWP applications.
Now this works correctly if the application is installed below c:\program files but if it's installed elsewhere the process fails with "Failed to resolve full path of the current executable [path to the executable]" (code 0x80008085)
If the user account has the WRITE_DAC access right to the application folder I can allow the sandbox read/list_directory access and it works again, but if the user account itself only haves read/list/execute rights there I can't do that.
The documentation for UWP sandboxes say that they implicitly give the sandbox read access to the application directory (which makes sense) and considering the application works in c:\program files without granting any permissions, that seems to somewhat also apply here but I don't understand why it doesn't work the same elsewhere. Is there some security settings on the folders outside the user rights that would be relevant here?
There is so little documentation on this functionality I'm not entirely sure where else to look for information.
Answering my own question here: I did really overthink this by assuming that the app container was supposed to magically give read/execute permission to the application directory.
In reality, c:\program files simply has an ACL for the special user "ALL RESTRICTED APPLICATION PACKAGES" that grants all app containers read/execute access to the entire directory tree.
Unfortunately this means there isn't really a nice solution for what I'm looking for apparently. At some point my main process has to be elevated to change ACLs to the application directory so that the app container can read it, there is no way afaict to just "inherit" rights the host process has to the containerized one.
"Capabilities" can be used when creating the appcontainer to allow access to certain predefined functionality (libraries, devices, ...) or you can basically set up custom capabilities, like a set of directories a container should be able to access but that then again requires the right to change ACLs on those directories when setting up the capability.