private static QuickCacheEntryType GenerateQuickCache(PolicyLevel level)
{
if (PolicyManager.FullTrustMap == null)
{
PolicyManager.FullTrustMap = new QuickCacheEntryType[5]
{
QuickCacheEntryType.FullTrustZoneMyComputer,
QuickCacheEntryType.FullTrustZoneIntranet,
QuickCacheEntryType.FullTrustZoneTrusted,
QuickCacheEntryType.FullTrustZoneInternet,
QuickCacheEntryType.FullTrustZoneUntrusted
}
}
;
QuickCacheEntryType quickCacheEntryType = (QuickCacheEntryType)0;
Evidence evidence1 = new Evidence();
try
{
if (level.Resolve(evidence1).PermissionSet.IsUnrestricted())
{
quickCacheEntryType |= QuickCacheEntryType.FullTrustAll;
}
}
catch (PolicyException ex)
{
}
foreach (SecurityZone zone in Enum.GetValues(typeof(SecurityZone)))
{
if (zone != SecurityZone.NoZone)
{
Evidence evidence2 = new Evidence();
evidence2.AddHostEvidence <Zone>(new Zone(zone));
try
{
if (level.Resolve(evidence2).PermissionSet.IsUnrestricted())
{
quickCacheEntryType |= PolicyManager.FullTrustMap[(int)zone];
}
}
catch (PolicyException ex)
{
}
}
}
return(quickCacheEntryType);
}
}
public AppDomain CreateSandboxDomain(Plugin plugin, SecurityZone zone = SecurityZone.Untrusted)
{
var setup = new AppDomainSetup
{
ApplicationName = plugin.Name,
ApplicationBase = Path.GetFullPath(Application.StartupPath),
DynamicBase = Path.GetFullPath((plugin.EntryType as Type).Assembly.Location)
};
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(zone));
var permissions = GetPermissions(plugin, SecurityManager.GetStandardSandbox(evidence));
var strongName = typeof(PluginSandbox).Assembly.Evidence.GetHostEvidence <StrongName>();
return(AppDomain.CreateDomain(plugin.Name, null, setup, permissions, strongName));
}
private static AppDomain CreateSandbox()
{
var e = new Evidence();
e.AddHostEvidence(new Zone(SecurityZone.Internet));
var ps = SecurityManager.GetStandardSandbox(e);
var security = new SecurityPermission(SecurityPermissionFlag.Execution);
ps.AddPermission(security);
var setup = new AppDomainSetup {
ApplicationBase = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)
};
return(AppDomain.CreateDomain("Sandbox", null, setup, ps));
}
private static AppDomain CreateDomain(string id, string assemblyPath)
{
var permSet = new PermissionSet(PermissionState.None);
permSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, assemblyPath));
permSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery, assemblyPath));
permSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery, Environment.CurrentDirectory));
permSet.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "InsideSandbox"));
/*
* Permissions for NUnit: see https://github.com/nunit/nunit/blob/master/src/NUnitFramework/tests/Assertions/LowTrustFixture.cs#L166
* and https://github.com/nunit/nunit/issues/2792 for details
*/
permSet.AddPermission(new ReflectionPermission(
ReflectionPermissionFlag.MemberAccess)); // Required to instantiate classes that contain test code and to get cross-appdomain communication to work.
permSet.AddPermission(new SecurityPermission(
SecurityPermissionFlag.Execution | // Required to execute test code
SecurityPermissionFlag.SerializationFormatter // Required to support cross-appdomain test result formatting by NUnit TestContext
));
/* In .NET <= 3.5 add following EnvironmentPermission:
* permSet.AddPermission(new EnvironmentPermission(PermissionState.Unrestricted)); // Required for NUnit.Framework.Assert.GetStackTrace()
*/
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Untrusted));
var fullyTrustAssemblies = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence <StrongName>();
var applicationBase = Path.GetDirectoryName(assemblyPath);
var adSetup = new AppDomainSetup
{
ApplicationBase = applicationBase,
};
/* Copy CsSandboxer.exe to destination folder, because it's needed them to set domain.UnhandledException handler below. */
var sandboxAssembly = typeof(Sandboxer).Assembly.Location;
File.Copy(sandboxAssembly, Path.Combine(applicationBase, Path.GetFileName(sandboxAssembly)), overwrite: true);
var domain = AppDomain.CreateDomain(id, evidence, adSetup, permSet, fullyTrustAssemblies);
domain.UnhandledException += HandleException;
return(domain);
}
internal void InitStore(IsolatedStorageScope scope, object domain, object assem, object app)
{
PermissionSet psAllowed = (PermissionSet)null;
PermissionSet psDenied = (PermissionSet)null;
Evidence domainEv = (Evidence)null;
Evidence assemEv = (Evidence)null;
Evidence appEv = (Evidence)null;
if (System.IO.IsolatedStorage.IsolatedStorage.IsApp(scope))
{
EvidenceBase evidence = app as EvidenceBase ?? (EvidenceBase) new LegacyEvidenceWrapper(app);
appEv = new Evidence();
appEv.AddHostEvidence <EvidenceBase>(evidence);
}
else
{
EvidenceBase evidence1 = assem as EvidenceBase ?? (EvidenceBase) new LegacyEvidenceWrapper(assem);
assemEv = new Evidence();
assemEv.AddHostEvidence <EvidenceBase>(evidence1);
if (System.IO.IsolatedStorage.IsolatedStorage.IsDomain(scope))
{
EvidenceBase evidence2 = domain as EvidenceBase ?? (EvidenceBase) new LegacyEvidenceWrapper(domain);
domainEv = new Evidence();
domainEv.AddHostEvidence <EvidenceBase>(evidence2);
}
}
this._InitStore(scope, domainEv, (Type)null, assemEv, (Type)null, appEv, (Type)null);
if (!System.IO.IsolatedStorage.IsolatedStorage.IsRoaming(scope))
{
RuntimeAssembly caller = System.IO.IsolatedStorage.IsolatedStorage.GetCaller();
System.IO.IsolatedStorage.IsolatedStorage.GetControlEvidencePermission().Assert();
// ISSUE: explicit reference operation
// ISSUE: variable of a reference type
PermissionSet& newGrant = @psAllowed;
// ISSUE: explicit reference operation
// ISSUE: variable of a reference type
PermissionSet& newDenied = @psDenied;
caller.GetGrantSet(newGrant, newDenied);
if (psAllowed == null)
{
throw new IsolatedStorageException(Environment.GetResourceString("IsolatedStorage_AssemblyGrantSet"));
}
}
this.SetQuota(psAllowed, psDenied);
}
static void Main(string[] args)
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
if (args.Length > 0 && args[0] == "startui")
{
Application.Run(new Form1());
}
else
{
PermissionSet permissions = new PermissionSet(PermissionState.Unrestricted);
string AppName = Assembly.GetEntryAssembly().GetName().Name;
string AppExe = $"{AppName}.exe";
string DebugSecurityZoneURL = $"{AppExe}.manifest";
string AppManifestPath = $"{AppName}.application";
string appType = "win32";
AssemblyIdentity ca = AssemblyIdentity.FromManifest(AppManifestPath);
string appIdentitySubString = $"Version={ca.Version}, Culture={ca.Culture}, PublicKeyToken={ca.PublicKeyToken}, ProcessorArchitecture={ca.ProcessorArchitecture}";
string assemblyIdentity = $"http://tempuri.org/{AppManifestPath}#{AppManifestPath}, {appIdentitySubString}/{AppExe}, {appIdentitySubString},Type={appType}";
System.ApplicationIdentity applicationIdentity = new System.ApplicationIdentity(assemblyIdentity);
ApplicationTrust appTrust = new ApplicationTrust();
appTrust.DefaultGrantSet = new PolicyStatement(permissions, PolicyStatementAttribute.Nothing);
appTrust.IsApplicationTrustedToRun = true;
appTrust.ApplicationIdentity = applicationIdentity;
AppDomainSetup adSetup = new AppDomainSetup
{
ApplicationBase = AppDomain.CurrentDomain.BaseDirectory,
ActivationArguments = new ActivationArguments(
ActivationContext.CreatePartialActivationContext(
applicationIdentity,
new string[] { AppManifestPath, DebugSecurityZoneURL })
),
ApplicationTrust = appTrust
};
Evidence e = new Evidence();
e.AddHostEvidence(appTrust);
AppDomain a = AppDomain.CreateDomain("Internet Security Zone AppDomain", e, adSetup, permissions);
a.ExecuteAssembly(AppExe, e, new string[] { "startui" });
}
}
public void ShouldWorkEvenWithLowestPossiblePermissions()
{
// based on: https://msdn.microsoft.com/en-us/library/bb384237(v=vs.110).aspx
Evidence evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
PermissionSet permissionSet = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(evidence));
permissionSet.SetPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess));
AppDomainSetup appDomainSetup = new AppDomainSetup
{
ApplicationBase = "."
};
AppDomain sandbox = AppDomain.CreateDomain("Sandbox", evidence, appDomainSetup, permissionSet, null);
CrossDomain crossDomain = (CrossDomain)sandbox.CreateInstanceAndUnwrap(typeof(CrossDomain).Assembly.FullName, typeof(CrossDomain).FullName);
Assert.AreEqual(3, crossDomain.RunArrayProvider());
}
private static AppDomain CreateDomain(string id, string assemblyPath)
{
var permSet = new PermissionSet(PermissionState.None);
permSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Untrusted));
var fullTrustAssembly = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence <StrongName>();
var adSetup = new AppDomainSetup
{
ApplicationBase = Path.GetDirectoryName(assemblyPath),
};
var domain = AppDomain.CreateDomain(id, evidence, adSetup, permSet, fullTrustAssembly);
return(domain);
}
/// <summary>
/// Creates a sandbox for testing.
/// </summary>
/// <param name="permissions">Additional permissions</param>
/// <returns></returns>
public static AppDomain SandboxCreator(IEnumerable <IPermission> permissions)
{
CheckMono();
#if RAZOR4
Assert.Ignore("IsolatedRazorEngineServiceTestFixture is not tested with razor 4 as it is not signed!");
#endif
#if MONO
// Mono has no AddHostEvidence or GetHostEvidence.
// We do not run the tests anyway.
return(null);
#else
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(SecurityZone.Internet));
PermissionSet permSet = SecurityManager.GetStandardSandbox(ev);
if (permissions != null)
{
foreach (IPermission permission in permissions)
{
permSet.AddPermission(permission);
}
}
// We have to load ourself with full trust
StrongName razorEngineAssembly = typeof(RazorEngineService).Assembly.Evidence.GetHostEvidence <StrongName>();
// We have to load Razor with full trust (so all methods are SecurityCritical)
// This is because we apply AllowPartiallyTrustedCallers to RazorEngine, because
// We need the untrusted (transparent) code to be able to inherit TemplateBase.
// Because in the normal environment/appdomain we run as full trust and the Razor assembly has no security attributes
// it will be completely SecurityCritical.
// This means we have to mark a lot of our members SecurityCritical (which is fine).
// However in the sandbox domain we have partial trust and because razor has no Security attributes that means the
// code will be transparent (this is where we get a lot of exceptions, because we now have different security attributes)
// To work around this we give Razor full trust in the sandbox as well.
StrongName razorAssembly = typeof(RazorTemplateEngine).Assembly.Evidence.GetHostEvidence <StrongName>();
// We trust ourself as well
StrongName testAssembly = typeof(IsolatedRazorEngineServiceTestFixture).Assembly.Evidence.GetHostEvidence <StrongName>();
AppDomainSetup adSetup = new AppDomainSetup();
adSetup.ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase;
AppDomain newDomain = AppDomain.CreateDomain("Sandbox", null, adSetup, permSet, razorEngineAssembly, razorAssembly, testAssembly);
return(newDomain);
#endif
}
static DotNetScriptHandler()
{
cParams = new CompilerParameters
{
GenerateExecutable = false,
GenerateInMemory = false,
IncludeDebugInformation = false,
OutputAssembly = ScriptOutputPath
};
cParams.ReferencedAssemblies.Add(Framework.DLLPath);
cParams.ReferencedAssemblies.Add("System.dll");
cParams.ReferencedAssemblies.Add("System.IO.dll");
cParams.ReferencedAssemblies.Add("System.Drawing.dll");
cParams.ReferencedAssemblies.Add("System.Windows.Forms.dll");
cParams.ReferencedAssemblies.Add("System.Xml.dll");
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
}
private static TResult ExecuteInPartialTrust <TResult>(
Func <MappingHelper, TResult> testFunc,
Action <PermissionSet> permissionsSetup = null)
{
AppDomain partialTrustDomain = null;
try
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permissions = new NamedPermissionSet(
"PartialTrust",
SecurityManager.GetStandardSandbox(evidence));
permissionsSetup?.Invoke(permissions);
partialTrustDomain = AppDomain.CreateDomain(
"PartialTrust",
evidence,
new AppDomainSetup {
ApplicationBase = "."
},
permissions);
var helperType = typeof(MappingHelper);
// ReSharper disable once AssignNullToNotNullAttribute
var helper = (MappingHelper)partialTrustDomain
.CreateInstanceAndUnwrap(helperType.Assembly.FullName, helperType.FullName);
return(testFunc.Invoke(helper));
}
finally
{
if (partialTrustDomain != null)
{
AppDomain.Unload(partialTrustDomain);
}
}
}
public void CannotGetThreadIdAndProcessidOnPartialTrustIfFullyTrusted()
{
var slabAssemblyName = typeof(EventEntry).Assembly.GetName();
if (slabAssemblyName.GetPublicKeyToken().Length == 0)
{
Assert.Inconclusive("Can only be run if assemblies are signed");
}
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Intranet));
var permissionSet = SecurityManager.GetStandardSandbox(evidence);
var appDomain =
AppDomain.CreateDomain(
"partial trust",
evidence,
new AppDomainSetup {
ApplicationBase = Environment.CurrentDirectory
},
permissionSet,
new StrongName(new StrongNamePublicKeyBlob(slabAssemblyName.GetPublicKey()), slabAssemblyName.Name, slabAssemblyName.Version));
try
{
var tester = (ProcessIdAndThreadIdTester)appDomain
.CreateInstanceAndUnwrap(
typeof(ProcessIdAndThreadIdTester).Assembly.GetName().Name,
typeof(ProcessIdAndThreadIdTester).FullName);
var result = tester.GetProcessIdAndThreadIdThoughEvent();
Assert.AreEqual(0, result.Item1);
Assert.AreEqual(0, result.Item2);
}
finally
{
AppDomain.Unload(appDomain);
}
}
private void DoTestWithPartialTrust(CrossAppDomainDelegate test)
{
var appDomainSetUp = new AppDomainSetup()
{
ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
};
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permisions = SecurityManager.GetStandardSandbox(evidence);
AppDomain workerDomain = AppDomain.CreateDomain("PartialTrust", evidence, appDomainSetUp, permisions, GetStrongName(this.GetType()));
try
{
workerDomain.DoCallBack(test);
}
finally
{
AppDomain.Unload(workerDomain);
}
}
static DotNetScriptHandler()
{
Params = new CompilerParameters
{
GenerateExecutable = false,
GenerateInMemory = false,
IncludeDebugInformation = false,
OutputAssembly = ScriptOutputPath,
ReferencedAssemblies =
{
Framework.Settings.DllPath,
"System.dll",
"System.Drawing.dll",
"System.Windows.Forms.dll",
"System.Xml.dll"
}
};
Evidence = new Evidence();
Evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
}
private void TestSerializationOnPartialTrust()
{
var appDomainSetUp = new AppDomainSetup()
{
ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
};
var evidence = new Evidence();
#if MONO || NETFX_35
#pragma warning disable 0612
// TODO: patching
// currently, Mono does not declare AddHostEvidence
evidence.AddHost(new Zone(SecurityZone.Internet));
#pragma warning restore 0612
var permisions = GetDefaultInternetZoneSandbox();
#else
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permisions = SecurityManager.GetStandardSandbox(evidence);
#endif
AppDomain workerDomain = AppDomain.CreateDomain("PartialTrust", evidence, appDomainSetUp, permisions, GetStrongName(this.GetType()));
try
{
var innerMessage = Guid.NewGuid().ToString();
var message = Guid.NewGuid().ToString();
workerDomain.SetData("MsgPack.GenericExceptionTester.InnerMessage", innerMessage);
workerDomain.SetData("MsgPack.GenericExceptionTester.Message", message);
workerDomain.SetData("MsgPack.GenericExceptionTester.Proxy", this);
workerDomain.DoCallBack(TestSerializationOnPartialTrustCore);
var target = workerDomain.GetData("MsgPack.GenericExceptionTester.Target") as T;
Assert.That(target, Is.Not.Null);
Assert.That(target.Message, Is.EqualTo(target.Message));
Assert.That(target.InnerException, Is.Not.Null.And.TypeOf(typeof(Exception)));
Assert.That(target.InnerException.Message, Is.EqualTo(target.InnerException.Message));
}
finally
{
AppDomain.Unload(workerDomain);
}
}
/// From MRMModule.cs by Adam Frisby
/// <summary>
/// Create an AppDomain that contains policy restricting code to execute
/// with only the permissions granted by a named permission set
/// </summary>
/// <param name="permissionSetName">name of the permission set to restrict to</param>
/// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="permissionSetName"/> is null
/// </exception>
/// <exception cref="ArgumentOutOfRangeException">
/// if <paramref name="permissionSetName"/> is empty
/// </exception>
/// <returns>AppDomain with a restricted security policy</returns>
/// <remarks>Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
/// Valid permissionSetName values are:
/// * FullTrust
/// * SkipVerification
/// * Execution
/// * Nothing
/// * LocalIntranet
/// * Internet
/// * Everything
/// </remarks>
public AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName, AppDomainSetup ads)
{
if (permissionSetName == null)
{
throw new ArgumentNullException("permissionSetName");
}
if (permissionSetName.Length == 0)
{
throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
"Cannot have an empty permission set name");
}
// Default to all code getting everything
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
AppDomain restrictedDomain = null;
SecurityZone zone = SecurityZone.MyComputer;
try
{
zone = (SecurityZone)Enum.Parse(typeof(SecurityZone), permissionSetName);
}
catch
{
zone = SecurityZone.MyComputer;
}
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(zone));
setIntersection = SecurityManager.GetStandardSandbox(ev);
setIntersection.AddPermission(new System.Net.SocketPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new System.Net.WebPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new System.Security.Permissions.SecurityPermission(PermissionState.Unrestricted));
// create an AppDomain where this policy will be in effect
restrictedDomain = AppDomain.CreateDomain(appDomainName, ev, ads, setIntersection, null);
return(restrictedDomain);
}
public Sandbox(string name = DefaultName)
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permissions = SecurityManager.GetStandardSandbox(evidence);
permissions.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
permissions.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess));
var setup = new AppDomainSetup
{
ApplicationBase = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location),
ApplicationName = name,
DisallowBindingRedirects = true,
DisallowCodeDownload = true,
DisallowPublisherPolicy = true
};
domain = AppDomain.CreateDomain(name, null, setup, permissions);
}
/// <summary>We have to create seperate domain shizzle to prevent hackers from beeing able abuse our templating power. I would like to understand better how this works, just doing as told by this page now: https://antaris.github.io/RazorEngine/Isolation.html </summary>
/// <returns>An AppDomain that you should use to execute the sandbox stuff.</returns>
private static AppDomain SandboxCreator()
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permissionSet = SecurityManager.GetStandardSandbox(evidence);
// You have to sign your assembly in order to get strong names (http://stackoverflow.com/questions/8349573/getting-null-from-gethostevidence)
// But doing this results in:
// Error 1 Assembly generation failed -- Referenced assembly 'RazorEngine' does not have a strong name D:\git\presence-engine\RazorExperiment\CSC RazorExperiment
// Error 2 Assembly generation failed -- Referenced assembly 'Microsoft.AspNet.Razor' does not have a strong name D:\git\presence-engine\RazorExperiment\CSC RazorExperiment
var razorEngineAssembly = typeof(RazorEngineService).Assembly.Evidence.GetHostEvidence <StrongName>();
var razorAssembly = typeof(RazorTemplateEngine).Assembly.Evidence.GetHostEvidence <StrongName>();
var appDomainSetup = new AppDomainSetup();
appDomainSetup.ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase;
var result = AppDomain.CreateDomain("Sandbox", null, appDomainSetup, permissionSet, razorEngineAssembly, razorAssembly);
return(result);
}
public void FlatFileListenerReplacedEnviromentVariablesWillFallBackIfNotPrivilegesToRead()
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var set = SecurityManager.GetStandardSandbox(evidence);
set.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.MemberAccess));
set.RemovePermission(typeof(EnvironmentPermission));
var domain = AppDomain.CreateDomain("partial trust", null, AppDomain.CurrentDomain.SetupInformation, set);
try
{
domain.DoCallBack(CheckListener);
}
catch
{
throw;
}
finally
{
AppDomain.Unload(domain);
}
}
private static AppDomain CreateAppDomain(string name)
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.MyComputer));
var securityManager = SecurityManager.GetStandardSandbox(evidence);
securityManager.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
securityManager.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.MemberAccess));
securityManager.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, @"C:\"));
var appDomainSetup = new AppDomainSetup()
{
ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
};
var fullTrustAssemblies = SurfaceArea
.GetAssemblies()
.Select(x => x.Evidence.GetHostEvidence <StrongName>())
.ToArray();
return(AppDomain.CreateDomain(name + ":" + Guid.NewGuid(), null, appDomainSetup, securityManager, fullTrustAssemblies));
}
private AppDomain CreateSandboxedAppDomain(SandboxSecurityParameters securityParameters, string sandboxName)
{
PermissionSet securityManager = null;
if (securityParameters.UseZoneSecurity)
{
var evidence = new Evidence();
evidence.AddHostEvidence(securityParameters.ZoneSecurityEvidence);
securityManager = SecurityManager.GetStandardSandbox(evidence);
}
else
{
//Use explicit permission security
securityManager = securityParameters.AppDomainPermissions;
}
var appDomainSetup = new AppDomainSetup()
{
ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
};
return(AppDomain.CreateDomain(sandboxName, null, appDomainSetup, securityManager, securityParameters.FullTrustAssemblies));
}
private AppDomain BuildSandbox()
{
//Setting the AppDomainSetup. It is very important to set the ApplicationBase to a folder
//other than the one in which the sandboxer resides.
AppDomainSetup adSetup = new AppDomainSetup();
adSetup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
adSetup.ApplicationName = "FrEee";
adSetup.DynamicBase = "ScriptEngine";
//Setting the permissions for the AppDomain. We give the permission to execute and to
//read/discover the location where the untrusted code is loaded.
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.MyComputer));
var permissions = SecurityManager.GetStandardSandbox(evidence);
var reflection = new ReflectionPermission(PermissionState.Unrestricted);
permissions.AddPermission(reflection);
//Now we have everything we need to create the AppDomain, so let's create it.
return(AppDomain.CreateDomain("Test", null, adSetup, permissions, AppDomain.CurrentDomain.GetAssemblies().Select(a => a.Evidence.GetHostEvidence <StrongName>()).Where(sn => sn != null).ToArray()));
}
private static void ExecuteInPartialTrust(Action <TranslationHelper> testAction)
{
AppDomain partialTrustDomain = null;
try
{
var evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permissions = new NamedPermissionSet(
"PartialTrust",
SecurityManager.GetStandardSandbox(evidence));
partialTrustDomain = AppDomain.CreateDomain(
"PartialTrust",
evidence,
new AppDomainSetup {
ApplicationBase = "."
},
permissions);
var helperType = typeof(TranslationHelper);
// ReSharper disable once AssignNullToNotNullAttribute
var helper = (TranslationHelper)partialTrustDomain
.CreateInstanceAndUnwrap(helperType.Assembly.FullName, helperType.FullName);
testAction.Invoke(helper);
}
finally
{
if (partialTrustDomain != null)
{
AppDomain.Unload(partialTrustDomain);
}
}
}
private static PermissionSet /*!*/ CreatePermissionSet()
{
#if CLR2
string name = "Internet";
bool foundName = false;
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
// iterate over each policy level
IEnumerator e = SecurityManager.PolicyHierarchy();
while (e.MoveNext())
{
PolicyLevel level = (PolicyLevel)e.Current;
PermissionSet levelSet = level.GetNamedPermissionSet(name);
if (levelSet != null)
{
foundName = true;
setIntersection = setIntersection.Intersect(levelSet);
}
}
if (setIntersection == null || !foundName)
{
setIntersection = new PermissionSet(PermissionState.None);
}
else
{
setIntersection = new NamedPermissionSet(name, setIntersection);
}
return(setIntersection);
#else
// this functionality is not available on Mono (AddHostEvidence is undefined), use dynamic to resolve it at runtime
dynamic e = new Evidence();
e.AddHostEvidence(new Zone(SecurityZone.Internet));
return(SecurityManager.GetStandardSandbox((Evidence)e));
#endif
}
public object executeAssembly(string assemblyName, Loader codeLoader, object param)
{
Evidence e = new Evidence();
e.AddHostEvidence(new Zone(SecurityZone.Intranet));
PermissionSet permSet = SecurityManager.GetStandardSandbox(e);
AppDomainSetup ads = new AppDomainSetup();
ads.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
AppDomain tempDomain = AppDomain.CreateDomain(assemblyName + new Random().NextDouble(), e, ads, permSet, null);
tempDomain.Load("CodeInterface");
ObjectHandle handle = Activator.CreateInstanceFrom(tempDomain, typeof(Sandboxer).Assembly.ManifestModule.FullyQualifiedName, typeof(Sandboxer).FullName);
Sandboxer newDomainInstance = (Sandboxer)handle.Unwrap();
byte[] assemblyBinary = codeLoader.codeDictionary.ReadAssembly(assemblyName);
object output = newDomainInstance.ExecuteNewAssembly(assemblyBinary, param);
return(output);
}
public HandlerDataEngine(GameHandlerMetadata metadata, string jsCode)
{
this.metadata = metadata;
this.jsCode = jsCode;
string tempPath = GameManager.GetTempFolder(metadata.GameID);
Assembly platform = Assembly.GetExecutingAssembly();
Evidence evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Untrusted));
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Write, tempPath));
permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, metadata.RootDirectory));
permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, AssemblyUtil.GetStartFolder()));
permissionSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
AppDomainSetup setup = new AppDomainSetup {
ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
};
domain = AppDomain.CreateDomain("JSENGINE", evidence, setup, permissionSet);
string enginePath = GetLibraryPath();
byte[] engineData = File.ReadAllBytes(enginePath);
domain.Load(engineData);
ObjectHandle jsobj = domain.CreateInstance("Nucleus.Gaming.Coop.Engine", "Nucleus.Gaming.Coop.Engine.AppDomainEngine");
jsEngine = jsobj.Unwrap();
// TODO: strong typing on dynamic object (cache the fields/use reflection)
}
public void TestEqualsPartialTrust()
{
var appDomainSetUp = new AppDomainSetup()
{
ApplicationBase = AppDomain.CurrentDomain.SetupInformation.ApplicationBase
};
var evidence = new Evidence();
#if MONO || NETFX_35
#pragma warning disable 0612
// TODO: patching
// currently, Mono does not declare AddHostEvidence
evidence.AddHost(new Zone(SecurityZone.Internet));
#pragma warning restore 0612
var permisions = GetDefaultInternetZoneSandbox();
#else
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
var permisions = SecurityManager.GetStandardSandbox(evidence);
#endif // if MONO || NETFX_35
AppDomain workerDomain = AppDomain.CreateDomain("PartialTrust", evidence, appDomainSetUp, permisions, GetStrongName(this.GetType()), GetStrongName(typeof(Assert)));
try
{
workerDomain.DoCallBack(TestEqualsWorker);
#if !MONO
// P/Invoke is not disabled on Mono even if in the InternetZone.
Assert.That(( bool )workerDomain.GetData("MessagePackString.IsFastEqualsDisabled"), Is.True);
#endif // if !MONO
Console.WriteLine("TestEqualsPartialTrust");
ShowResult(workerDomain.GetData("TestEqualsWorker.Performance") as Tuple <double, double, double, double>);
}
finally
{
AppDomain.Unload(workerDomain);
}
}
public static void ExecuteInMediumTrust(MethodInfo methodInfo, object parameter)
{
#if !MEDIUM_TRUST
Assert.Inconclusive("Medium trust is only valid for signed builds");
#endif
Type type = methodInfo.DeclaringType;
// Instance methods are not supported because in common use, caller is in full trust
if (!methodInfo.IsStatic)
{
throw new ArgumentException("The method " + type.Name + "." + methodInfo.Name + " must be static");
}
if (methodInfo.GetParameters().Length > 1)
{
throw new ArgumentException("The method " + type.Name + "." + methodInfo.Name + " accepts an unexpected number of parameters");
}
string methodName = methodInfo.Name;
string typeName = methodInfo.DeclaringType.FullName;
string assemblyName = methodInfo.DeclaringType.Assembly.FullName;
string pathToAssembly = methodInfo.DeclaringType.Assembly.Location;
// TODO (wilcob, roncain): Parse web_mediumtrust.config for a 100% correct sandboxed appdomain.
// Use Intranet permission because that is how our framework is run in ASP.NET
Evidence evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Intranet));
PermissionSet permSet = SecurityManager.GetStandardSandbox(evidence);
// We want the sandboxer assembly's strong name, so that we can add it to the full trust list
StrongName sandBoxAssembly = typeof(SandBoxer).Assembly.Evidence.GetHostEvidence <StrongName>();
AppDomainSetup adSetup = new AppDomainSetup();
adSetup.ApplicationBase = Path.GetFullPath(pathToAssembly);
// We need the following to be fully trusted:
// SandBoxer: does Reflection to invoke down to partial trust
StrongName[] fullTrustAssemblies = new StrongName[] {
sandBoxAssembly,
};
// DataAnnotations is in the GAC and will run full trust unless we ask otherwise
string[] partialTrustAssemblies = new string[] {
typeof(System.ComponentModel.DataAnnotations.ValidationAttribute).Assembly.FullName,
};
adSetup.PartialTrustVisibleAssemblies = partialTrustAssemblies;
AppDomain newDomain = AppDomain.CreateDomain("SandBox", null, adSetup, permSet, fullTrustAssemblies);
// Use CreateInstanceFrom to load an instance of the Sandboxer class into the new AppDomain.
ObjectHandle handle = Activator.CreateInstanceFrom(
newDomain, typeof(SandBoxer).Assembly.ManifestModule.FullyQualifiedName,
typeof(SandBoxer).FullName
);
// Unwrap the new domain instance into an reference in this domain and use it to
// execute the untrusted code
SandBoxer newDomainInstance = handle.Unwrap() as SandBoxer;
Exception exception = null;
try
{
newDomainInstance.ExecuteUntrustedCode(assemblyName, typeName, methodName, parameter);
}
catch (TargetInvocationException tie)
{
exception = tie.InnerException == null ? tie : tie.InnerException;
}
catch (Exception ex)
{
exception = ex;
}
if (exception != null)
{
throw (exception is AssertFailedException)
? exception
: new AssertFailedException(exception.Message, exception);
}
}
/// From MRMModule.cs by Adam Frisby
/// <summary>
/// Create an AppDomain that contains policy restricting code to execute
/// with only the permissions granted by a named permission set
/// </summary>
/// <param name="permissionSetName">name of the permission set to restrict to</param>
/// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
/// <param name="ads"></param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="permissionSetName" /> is null
/// </exception>
/// <exception cref="ArgumentOutOfRangeException">
/// if <paramref name="permissionSetName" /> is empty
/// </exception>
/// <returns>AppDomain with a restricted security policy</returns>
/// <remarks>
/// Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
/// Valid permissionSetName values are:
/// * FullTrust
/// * SkipVerification
/// * Execution
/// * Nothing
/// * LocalIntranet
/// * Internet
/// * Everything
/// </remarks>
public AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName, AppDomainSetup ads)
{
if (permissionSetName == null)
{
throw new ArgumentNullException("permissionSetName");
}
if (permissionSetName.Length == 0)
{
throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
"Cannot have an empty permission set name");
}
// Default to all code getting everything
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
AppDomain restrictedDomain = null;
#if LINUX
#pragma warning disable 612, 618
PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
bool foundName = false;
// iterate over each policy level
IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
while (levelEnumerator.MoveNext())
{
PolicyLevel level = levelEnumerator.Current as PolicyLevel;
// if this level has defined a named permission set with the
// given name, then intersect it with what we've retrieved
// from all the previous levels
if (level != null)
{
PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
if (levelSet != null)
{
foundName = true;
if (setIntersection != null)
{
setIntersection = setIntersection.Intersect(levelSet);
}
}
}
}
// Intersect() can return null for an empty set, so convert that
// to an empty set object. Also return an empty set if we didn't find
// the named permission set we were looking for
if (setIntersection == null || !foundName)
{
setIntersection = new PermissionSet(PermissionState.None);
}
else
{
setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);
}
// if no named permission sets were found, return an empty set,
// otherwise return the set that was found
setIntersection.AddPermission(new SocketPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new WebPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new SecurityPermission(PermissionState.Unrestricted));
PolicyStatement permissions = new PolicyStatement(setIntersection);
policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
// create an AppDomain policy level for the policy tree
PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
appDomainLevel.RootCodeGroup = policyRoot;
// create an AppDomain where this policy will be in effect
restrictedDomain = AppDomain.CreateDomain(appDomainName, null, ads);
restrictedDomain.SetAppDomainPolicy(appDomainLevel);
#pragma warning restore 612, 618
#else
SecurityZone zone = SecurityZone.MyComputer;
try
{
zone = (SecurityZone)Enum.Parse(typeof(SecurityZone), permissionSetName);
}
catch
{
zone = SecurityZone.MyComputer;
}
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(zone));
setIntersection = SecurityManager.GetStandardSandbox(ev);
setIntersection.AddPermission(new System.Net.SocketPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new System.Net.WebPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(
new System.Security.Permissions.SecurityPermission(PermissionState.Unrestricted));
// create an AppDomain where this policy will be in effect
restrictedDomain = AppDomain.CreateDomain(appDomainName, ev, ads, setIntersection, null);
#endif
return(restrictedDomain);
}
// The entry point for the code example.
static void Main()
{
// Get the display name of the executing assembly, to use when
// creating objects to run code in application domains.
//<Snippet14>
String asmName = typeof(Worker).Assembly.FullName;
//</Snippet14>
// Create the permission set to grant to other assemblies. In this
// case they are the permissions found in the Internet zone.
//<Snippet2>
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(SecurityZone.Internet));
PermissionSet pset = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(ev));
//</Snippet2>
// For simplicity, set up the application domain to use the
// current path as the application folder, so the same executable
// can be used in both trusted and untrusted scenarios. Normally
// you would not do this with real untrusted code.
//<Snippet3>
AppDomainSetup adSetup = new AppDomainSetup();
adSetup.ApplicationBase = ".";
//</Snippet3>
// Create an application domain in which all code that executes is
// granted the permissions of an application run from the Internet.
//<Snippet5>
AppDomain ad = AppDomain.CreateDomain("Sandbox", ev, adSetup, pset, null);
//</Snippet5>
// Create an instance of the Worker class in the partially trusted
// domain. Note: If you build this code example in Visual Studio,
// you must change the name of the class to include the default
// namespace, which is the project name. For example, if the project
// is "AnonymouslyHosted", the class is "AnonymouslyHosted.Worker".
//<Snippet12>
Worker w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker");
//</Snippet12>
// Emit a simple dynamic method that prints "Hello, World!"
//<Snippet13>
w.SimpleEmitDemo();
//</Snippet13>
// Emit and invoke a dynamic method that calls a private method
// of Worker, with JIT visibility checks enforced. The call fails
// when the delegate is invoked.
w.AccessPrivateMethod(false);
// Emit and invoke a dynamic method that calls a private method
// of Worker, skipping JIT visibility checks. The call fails when
// the method is invoked.
w.AccessPrivateMethod(true);
// Unload the application domain. Add RestrictedMemberAccess to the
// grant set, and use it to create an application domain in which
// partially trusted code can call private members, as long as the
// trust level of those members is equal to or lower than the trust
// level of the partially trusted code.
AppDomain.Unload(ad);
//<Snippet7>
pset.SetPermission(
new ReflectionPermission(
ReflectionPermissionFlag.RestrictedMemberAccess));
//</Snippet7>
//<Snippet8>
ad = AppDomain.CreateDomain("Sandbox2", ev, adSetup, pset, null);
//</Snippet8>
// Create an instance of the Worker class in the partially trusted
// domain.
w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker");
// Again, emit and invoke a dynamic method that calls a private method
// of Worker, skipping JIT visibility checks. This time compilation
// succeeds because of the grant for RestrictedMemberAccess.
w.AccessPrivateMethod(true);
// Finally, emit and invoke a dynamic method that calls an internal
// method of the String class. The call fails, because the trust level
// of the assembly that contains String is higher than the trust level
// of the assembly that emits the dynamic method.
w.AccessPrivateMethod();
}
