static void WritePermissionSet(string file)
{
WMDDetectorPermission perm =
new WMDDetectorPermission(WMDDetectorPermissions.Read);
NamedPermissionSet pset =
new NamedPermissionSet("ReadWMDDetector");
pset.Description = "WMD Detector Permission Set";
pset.SetPermission(perm);
StreamWriter sw = new StreamWriter(file);
sw.Write(pset.ToXml());
sw.Close();
}
}// NewPermissions
protected override int WizFinish(IntPtr hwnd)
{
if (isImportXMLFile)
{
// We're importing a permission set
try
{
SecurityElement se = SecurityXMLStuff.GetSecurityElementFromXMLFile(XMLFilename);
if (se == null)
{
throw new Exception("Invalid XML");
}
m_ps = new NamedPermissionSet("Hi");
m_ps.FromXml(se);
if (m_ps.Name == null || m_ps.Name.Length == 0)
{
m_ps.Name = Security.FindAGoodPermissionSetName(m_pl, "CustomPermissionSet");
}
return(0);
}
catch (Exception)
{
MessageBox(CResourceStore.GetString("XMLNoPermSet"),
CResourceStore.GetString("XMLNoPermSetTitle"),
MB.ICONEXCLAMATION);
SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)0, (IntPtr)(-1));
return(-1);
}
}
// Ok, let's create our permission set
NamedPermissionSet nps = new NamedPermissionSet(NewPermissionSetName, PermissionState.None);
nps.Description = NewPermissionSetDescription;
IPermission[] perms = NewPermissions;
for (int i = 0; i < perms.Length; i++)
{
nps.SetPermission(perms[i]);
}
// Ok, now that we have this permission set, let's add it to
// our other ones....
m_ps = nps;
return(0);
}// WizFinish
public void ShouldWorkEvenWithLowestPossiblePermissions()
{
// based on: https://msdn.microsoft.com/en-us/library/bb384237(v=vs.110).aspx
Evidence evidence = new Evidence();
evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
PermissionSet permissionSet = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(evidence));
permissionSet.SetPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess));
AppDomainSetup appDomainSetup = new AppDomainSetup
{
ApplicationBase = "."
};
AppDomain sandbox = AppDomain.CreateDomain("Sandbox", evidence, appDomainSetup, permissionSet, null);
CrossDomain crossDomain = (CrossDomain)sandbox.CreateInstanceAndUnwrap(typeof(CrossDomain).Assembly.FullName, typeof(CrossDomain).FullName);
Assert.AreEqual(3, crossDomain.RunArrayProvider());
}
// The entry point for the code example.
static void Main()
{
// Get the display name of the executing assembly, to use when
// creating objects to run code in application domains.
//<Snippet14>
String asmName = typeof(Worker).Assembly.FullName;
//</Snippet14>
// Create the permission set to grant to other assemblies. In this
// case they are the permissions found in the Internet zone.
//<Snippet2>
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(SecurityZone.Internet));
PermissionSet pset = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(ev));
//</Snippet2>
// For simplicity, set up the application domain to use the
// current path as the application folder, so the same executable
// can be used in both trusted and untrusted scenarios. Normally
// you would not do this with real untrusted code.
//<Snippet3>
AppDomainSetup adSetup = new AppDomainSetup();
adSetup.ApplicationBase = ".";
//</Snippet3>
// Create an application domain in which all code that executes is
// granted the permissions of an application run from the Internet.
//<Snippet5>
AppDomain ad = AppDomain.CreateDomain("Sandbox", ev, adSetup, pset, null);
//</Snippet5>
// Create an instance of the Worker class in the partially trusted
// domain. Note: If you build this code example in Visual Studio,
// you must change the name of the class to include the default
// namespace, which is the project name. For example, if the project
// is "AnonymouslyHosted", the class is "AnonymouslyHosted.Worker".
//<Snippet12>
Worker w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker");
//</Snippet12>
// Emit a simple dynamic method that prints "Hello, World!"
//<Snippet13>
w.SimpleEmitDemo();
//</Snippet13>
// Emit and invoke a dynamic method that calls a private method
// of Worker, with JIT visibility checks enforced. The call fails
// when the delegate is invoked.
w.AccessPrivateMethod(false);
// Emit and invoke a dynamic method that calls a private method
// of Worker, skipping JIT visibility checks. The call fails when
// the method is invoked.
w.AccessPrivateMethod(true);
// Unload the application domain. Add RestrictedMemberAccess to the
// grant set, and use it to create an application domain in which
// partially trusted code can call private members, as long as the
// trust level of those members is equal to or lower than the trust
// level of the partially trusted code.
AppDomain.Unload(ad);
//<Snippet7>
pset.SetPermission(
new ReflectionPermission(
ReflectionPermissionFlag.RestrictedMemberAccess));
//</Snippet7>
//<Snippet8>
ad = AppDomain.CreateDomain("Sandbox2", ev, adSetup, pset, null);
//</Snippet8>
// Create an instance of the Worker class in the partially trusted
// domain.
w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker");
// Again, emit and invoke a dynamic method that calls a private method
// of Worker, skipping JIT visibility checks. This time compilation
// succeeds because of the grant for RestrictedMemberAccess.
w.AccessPrivateMethod(true);
// Finally, emit and invoke a dynamic method that calls an internal
// method of the String class. The call fails, because the trust level
// of the assembly that contains String is higher than the trust level
// of the assembly that emits the dynamic method.
w.AccessPrivateMethod();
}
}// ImportPermissionSet
protected override int WizFinish(IntPtr hwnd)
{
// Let's see if we're importing the codegroup from a file
if (CodeGroupFilename != null)
{
m_cg = ImportCodegroup();
if (m_cg != null)
{
return(0);
}
// Else, we had problems
SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)0, (IntPtr)(-1));
return(-1);
}
// This is the case where we need to create a code group from scratch
// Ok, let's get our permission set
if (PermissionSet == null)
{
NamedPermissionSet nps = null;
if (PermissionSetFilename != null && PermissionSetFilename.Length > 0)
{
nps = ImportPermissionSet();
if (nps == null)
{
SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)3, (IntPtr)(-1));
return(-1);
}
}
else // They built a new permission set
{
nps = new NamedPermissionSet(NewPermissionSetName);
nps.Description = NewPermissionSetDescription;
IPermission[] perms = NewPermissions;
for (int i = 0; i < perms.Length; i++)
{
nps.SetPermission(perms[i]);
}
}
// Ok, now that we have this permission set, let's make it available
// so it can be added it to our other ones....
m_fNewPermissionSet = true;
m_ps = nps;
}
else
{
m_fNewPermissionSet = false;
m_ps = PermissionSet;
}
// Now create our codegroup
PolicyStatement pols = new PolicyStatement(m_ps);
pols.Attributes = PolicyStatementAttribute.Nothing;
if (IsLevelFinal)
{
pols.Attributes |= PolicyStatementAttribute.LevelFinal;
}
if (IsExclusive)
{
pols.Attributes |= PolicyStatementAttribute.Exclusive;
}
UnionCodeGroup ucg = new UnionCodeGroup(NewMembershipCondition, pols);
ucg.Name = NewCodeGroupName;
ucg.Description = NewCodeGroupDescription;
m_cg = ucg;
return(0);
}// WizFinish
