protected void SetupCompilerParams()
{
var p = new CompilerParameters();
p.ReferencedAssemblies.AddRange(CommonAssemblies);
p.CompilerOptions = "";
p.GenerateExecutable = false;
p.GenerateInMemory = true;
p.IncludeDebugInformation = true;
PolicyLevel policyLevel = PolicyLevel.CreateAppDomainLevel();
PermissionSet perms = new PermissionSet(PermissionState.None);
const SecurityPermissionFlag permissionFlags = SecurityPermissionFlag.ControlThread | SecurityPermissionFlag.RemotingConfiguration |
SecurityPermissionFlag.SerializationFormatter | SecurityPermissionFlag.SkipVerification |
SecurityPermissionFlag.UnmanagedCode | SecurityPermissionFlag.Execution;
perms.AddPermission(new SecurityPermission(permissionFlags));
perms.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.AllFlags));
PolicyStatement policy = new PolicyStatement(perms, PolicyStatementAttribute.Exclusive);
CodeGroup group = new UnionCodeGroup(new AllMembershipCondition(), policy);
policyLevel.RootCodeGroup = group;
AppDomain.CurrentDomain.SetAppDomainPolicy(policyLevel);
// All that work, and now we finally set the value =)
compilerParams = p;
}
private void ConfigureSecurityPolicy()
{
// Find the machine policy level
PolicyLevel machinePolicyLevel = GetMachinePolicyLevel();
// Get the install directory of the current installer
string assemblyPath = this.Context.Parameters["assemblypath"];
string installDirectory =
assemblyPath.Substring(0, assemblyPath.LastIndexOf("\\"));
if (!installDirectory.EndsWith(@"\"))
{
installDirectory += @"\";
}
installDirectory += "*";
// Create the code group
CodeGroup codeGroup = new UnionCodeGroup(
new UrlMembershipCondition(installDirectory),
new PolicyStatement(new NamedPermissionSet("FullTrust")));
codeGroup.Description = Properties.Resources.CasPolicyDescription;
codeGroup.Name = Properties.Resources.CasPolicyName;
// Add the code group
machinePolicyLevel.RootCodeGroup.AddChild(codeGroup);
// Save changes
SecurityManager.SavePolicy();
}
private static void RemovePolicy(string path, string name)
{
//Get a reference to the User level "All Code" group.
PolicyLevel polLevel = GetPolicy(_user);
if (polLevel != null)
{
UnionCodeGroup allCodeCG =
(UnionCodeGroup)polLevel.RootCodeGroup;
//Determine the resolved membership condition for the
//specified path.
string resolvedPath =
new UrlMembershipCondition(path).ToString();
//Locate a code group with the same name, the same resolved
//path, and FullTrust; if found, remove the child group.
IEnumerator cgs = allCodeCG.Children.GetEnumerator();
while (cgs.MoveNext())
{
CodeGroup cg = (CodeGroup)cgs.Current;
if (cg.Name == name)
{
if (cg.MembershipCondition.ToString() == resolvedPath &&
allCodeCG.PermissionSetName == _fullTrust)
{
allCodeCG.RemoveChild(cg);
SecurityManager.SavePolicy();
break;
}
}
}
}
}
// source: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
static AppDomain CreateRestrictedDomain(string filename)
{
PermissionSet emptySet = new PermissionSet(PermissionState.None);
PolicyStatement emptyPolicy = new PolicyStatement(emptySet);
UnionCodeGroup root = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
PermissionSet userSet = null;
if (filename [0] == '@')
{
userSet = GetNamedPermissionSet(filename.Substring(1));
}
else
{
userSet = LoadFromFile(filename);
}
PolicyStatement userPolicy = new PolicyStatement(userSet);
root.AddChild(new UnionCodeGroup(new AllMembershipCondition(), userPolicy));
PolicyLevel pl = PolicyLevel.CreateAppDomainLevel();
pl.RootCodeGroup = root;
AppDomain ad = AppDomain.CreateDomain("Restricted");
ad.SetAppDomainPolicy(pl);
return(ad);
}
private static AppDomain CreateRestrictedDomain(string domainName)
{
// Default to all code getting nothing
PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
// Grant all code the named permission set for the test
PermissionSet partialTrustPermissionSet = new PermissionSet(PermissionState.None);
partialTrustPermissionSet.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.AllFlags));
partialTrustPermissionSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution | SecurityPermissionFlag.ControlEvidence));
PolicyStatement permissions = new PolicyStatement(partialTrustPermissionSet);
policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
// Create an AppDomain policy level for the policy tree
PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
appDomainLevel.RootCodeGroup = policyRoot;
// Set the Application Base correctly in order to find the test assembly
AppDomainSetup ads = new AppDomainSetup();
ads.ApplicationBase = Environment.CurrentDirectory;
AppDomain restrictedDomain = AppDomain.CreateDomain(domainName, null, ads);
restrictedDomain.SetAppDomainPolicy(appDomainLevel);
return(restrictedDomain);
}
private void SetSandBoxPolicy()
{
if (!this.SandBox)
{
throw new InvalidOperationException("SandBox property is not set to true");
}
// http://www.dotnetthis.com/Articles/DynamicSandboxing.htm
// Now we need to set the appdomain policy,
// and to do that we will need to create a Policy Level.
// A Policy Level is a tree-like structure that has Code Groups as its nodes.
// Each code group consists of a Membership Condition (something that
// defines if an assembly in question belongs to the code group) and
// a Permission Set that is granted to the assembly if it does.
PolicyLevel domainPolicy = PolicyLevel.CreateAppDomainLevel();
// Let's create a code group that gives Internet permission set
// to all code.
// First, let's create a membership condition that accepts all code.
AllMembershipCondition allCodeMC = new AllMembershipCondition();
// If you were to build a more complex policy (giving different permissions
// to different assemblies) you could use other membership conditions,
// such as ZoneMembershipCondition, StrongNameMembershipCondition, etc.
// Now let's create a policy statement that represents Internet permissions.
// Here we just grab named permission set called "Internet" from the default policy,
// but you could also create your own permission set with whatever permissions
// you want in there.
PermissionSet internetPermissionSet = domainPolicy.GetNamedPermissionSet("Internet");
PolicyStatement internetPolicyStatement = new PolicyStatement(internetPermissionSet);
// We are ready to create a code group that maps all code to Internet permissions
CodeGroup allCodeInternetCG = new UnionCodeGroup(allCodeMC, internetPolicyStatement);
// We have used a UnionCodeGroup here. It does not make much difference for
// a simple policy like ours here, but if you were to set up a more complex one
// you would probably add some child code groups and then the type of the parent
// code group would matter. UnionCodeGroup unions all permissions granted by its
// child code groups (as opposed to FirstMatchCodeGroup that only takes one child
// code group into effect).
// Once we have the CodeGroup set up we can add it to our Policy Level.
domainPolicy.RootCodeGroup = allCodeInternetCG;
// If our root code group had any children the whole tree would be added
// to the appdomain security policy now.
// Imagine you wanted to modify our policy so that your strongname signed
// assemblies would get FullTrust and all other assemblies would get Internet
// permissions. Do accomplish that you would create a new UnionCodeGroup,
// whose membership condition would be a StrongNameMembershipCondition
// specifying your public key, and its permission set would be a "FullTrust"
// or just a "new PermissionSet(PermissionState.Unrestricted)".
// Then you would add that code group as a child to our allCodeInternetCG by
// calling its AddChild method. Whenever you then loaded a correct strong
// name signed assembly into your appdomain it would get Internet from the
// root code group and FullTrust from the child code group, and the effective
// permissions would be a union of the two, which is FullTrust.
// and our final policy related step is setting the AppDomain policy
this.Domain.SetAppDomainPolicy(domainPolicy);
}
public static void SetAppDomainPolicy(AppDomain appDomain)
{
// Create an AppDomain policy level.
PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();
// The root code group of the policy level combines all
// permissions of its children.
UnionCodeGroup rootCodeGroup;
PermissionSet ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
rootCodeGroup = new UnionCodeGroup(new AllMembershipCondition(),
new PolicyStatement(ps, PolicyStatementAttribute.Nothing));
NamedPermissionSet localIntranet = FindNamedPermissionSet("LocalIntranet");
// The following code limits all code on this machine to local intranet permissions
// when running in this application domain.
UnionCodeGroup virtualIntranet = new UnionCodeGroup(
new ZoneMembershipCondition(SecurityZone.MyComputer),
new PolicyStatement(localIntranet,
PolicyStatementAttribute.Nothing));
virtualIntranet.Name = "Virtual Intranet";
// Add the code groups to the policy level.
rootCodeGroup.AddChild(virtualIntranet);
pLevel.RootCodeGroup = rootCodeGroup;
appDomain.SetAppDomainPolicy(pLevel);
}
// -ag label|name membership psetname flag
// -addgroup label|name membership psetname flag
static bool AddCodeGroup(string[] args, ref int i)
{
string name = args [++i];
PolicyLevel pl = null;
CodeGroup parent = null;
CodeGroup cg = FindCodeGroup(name, ref parent, ref pl);
if ((pl == null) || (parent == null) || (cg == null))
{
return(false);
}
UnionCodeGroup child = new UnionCodeGroup(
new AllMembershipCondition(),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
if (!ProcessCodeGroup(child, args, ref i))
{
return(false);
}
cg.AddChild(child);
SecurityManager.SavePolicyLevel(pl);
Console.WriteLine("CodeGroup '{0}' added in {1} policy level.",
cg.Name, pl.Label);
return(true);
}
public override void Install(System.Collections.IDictionary stateSaver)
{
PolicyLevel ent;
PolicyLevel mach;
PolicyLevel user;
string sAssemblyPath = this.Context.Parameters["custassembly"];
System.Collections.IEnumerator policies = SecurityManager.PolicyHierarchy();
policies.MoveNext();
ent = (PolicyLevel)policies.Current;
policies.MoveNext();
mach = (PolicyLevel)policies.Current;
policies.MoveNext();
user = (PolicyLevel)policies.Current;
PermissionSet fullTrust = user.GetNamedPermissionSet("FullTrust");
PolicyStatement statement = new PolicyStatement(fullTrust, PolicyStatementAttribute.Nothing);
UrlMembershipCondition condition = new UrlMembershipCondition(sAssemblyPath);
CodeGroup group = new UnionCodeGroup(condition, statement);
group.Name = "DefineUFL";
user.RootCodeGroup.AddChild(group);
SecurityManager.SavePolicy();
base.Install(stateSaver);
}
// Grant all code signed with the Ecma private key full trust
// (all of the the .Net Framework and CLR assemblies)
private static UnionCodeGroup MakeEcmaCodeGroup()
{
var ecma = new UnionCodeGroup(
new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(s_ecmaPublicKey), null, null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
return(ecma);
}
public static void UnionCodeGroupCallMethods()
{
UnionCodeGroup ucg = new UnionCodeGroup(new GacMembershipCondition(), new PolicyStatement(new PermissionSet(new PermissionState())));
CodeGroup cg = ucg.Copy();
PolicyStatement ps = ucg.Resolve(new Evidence());
cg = ucg.ResolveMatchingCodeGroups(new Evidence());
}
// Grant all code signed with the Microsoft private key full trust
// (all of the the .Net Framework and CLR assemblies)
private static UnionCodeGroup MakeMSCodeGroup()
{
var ms = new UnionCodeGroup(
new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(s_microsoftPublicKey), null, null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
return(ms);
}
//----------------------------------------------------------------------------
// ConstructAppPolicy
//----------------------------------------------------------------------------
public PolicyLevel ConstructAppPolicy(Evidence securityEvidence)
{
Console.WriteLine("Constructing App Policy Level...");
// NOTENOTE: not effective if not both url and zone in evidence
// Populate the PolicyLevel with code groups that will do the following:
// 1) For all assemblies that come from this app's cache directory,
// give permissions from retrieved permission set from SecurityManager.
// 2) For all other assemblies, give FullTrust permission set. Remember,
// since the permissions will be intersected with other policy levels,
// just because we grant full trust to all other assemblies does not mean
// those assemblies will end up with full trust.
PolicyLevel AppPolicy = null;
// ResolvePolicy will return a System.Security.PermissionSet
PermissionSet AppPerms = SecurityManager.ResolvePolicy(securityEvidence);
// Create a new System.Security.Policy.PolicyStatement that does not contain any permissions.
PolicyStatement Nada = new PolicyStatement(new PermissionSet(PermissionState.None)); //PermissionSet());
// Create a PolicyStatement for the permissions that we want to grant to code from the app directory:
PolicyStatement AppStatement = new PolicyStatement(AppPerms);
// Create Full trust PolicyStatement so all other code gets full trust, by passing in an _unrestricted_ PermissionSet
PolicyStatement FullTrustStatement = new PolicyStatement(new PermissionSet(PermissionState.Unrestricted));
// Create a System.Security.Policy.FirstMatchCodeGroup as the root that matches all
// assemblies by supplying an AllMembershipCondition:
FirstMatchCodeGroup RootCG = new FirstMatchCodeGroup(new AllMembershipCondition(), Nada);
// Create a child UnionCodeGroup to handle the assemblies from the app cache. We do this
// by using a UrlMembershipCondition set to the app cache directory:
UnionCodeGroup AppCG = new UnionCodeGroup(new UrlMembershipCondition("file://" + _sAppBase + "*"), AppStatement);
// Add AppCG to RootCG as first child. This is important because we need it to be evaluated first
RootCG.AddChild(AppCG);
// Create a second child UnionCodeGroup to handle all other code, by using the AllMembershipCondition again
UnionCodeGroup AllCG = new UnionCodeGroup(new AllMembershipCondition(), FullTrustStatement);
// Add AllCG to RootCG after AppCG. If AppCG doesnt apply to the assembly, AllCG will.
RootCG.AddChild(AllCG);
// This will be the PolicyLevel that we will associate with the new AppDomain.
AppPolicy = PolicyLevel.CreateAppDomainLevel();
// Set the RootCG as the root code group on the new policy level
AppPolicy.RootCodeGroup = RootCG;
// NOTENOTE
// Code from the site that lives on the local machine will get the reduced permissions as expected.
// Dependencies of this app (not under app dir or maybe dependencies that live in the GAC) would still get full trust.
// If the full trust dependencies need to do something trusted, they carry the burden of asserting to overcome the stack walk.
return(AppPolicy);
}
public void ResolveMatchingCodeGroups_OneLevel()
{
UnionCodeGroup level1 = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
}
public override void Install(System.Collections.IDictionary stateSaver)
{
try
{
PolicyLevel enterprise;
PolicyLevel machine;
PolicyLevel user;
string assemblyLocation = this.Context.Parameters["assemblyLocation"];
string groupName = this.Context.Parameters["groupName"];
IEnumerator enumerator = SecurityManager.PolicyHierarchy();
// 1st one is enterprise
enumerator.MoveNext();
enterprise = (PolicyLevel)enumerator.Current;
// 2nd one is machine
enumerator.MoveNext();
machine = (PolicyLevel)enumerator.Current;
// 3rd one is user
enumerator.MoveNext();
user = (PolicyLevel)enumerator.Current;
PermissionSet permissionSet = user.GetNamedPermissionSet("FullTrust");
PolicyStatement statement = new PolicyStatement(permissionSet, PolicyStatementAttribute.Nothing);
UrlMembershipCondition condition = new UrlMembershipCondition(assemblyLocation);
CodeGroup codeGroup = new UnionCodeGroup(condition, statement);
codeGroup.Name = groupName;
// see if the code group already exists, and if so, remove it
CodeGroup existingCodeGroup = null;
foreach (CodeGroup group in user.RootCodeGroup.Children)
{
if (group.Name == codeGroup.Name)
{
existingCodeGroup = group;
break;
}
}
if (existingCodeGroup != null)
{
user.RootCodeGroup.RemoveChild(existingCodeGroup);
}
SecurityManager.SavePolicy();
// add the code group
user.RootCodeGroup.AddChild(codeGroup);
SecurityManager.SavePolicy();
}
catch (Exception ex)
{
throw new InstallException("Cannot set the security policy.", ex);
}
// Call the base implementation.
base.Install(stateSaver);
}
public void Resolve_AllMembershipCondition_Unrestricted()
{
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
PolicyStatement result = cg.Resolve(new Evidence());
Assert.AreEqual(PolicyStatementAttribute.Nothing, result.Attributes, "Attributes");
Assert.AreEqual(String.Empty, result.AttributeString, "AttributeString");
Assert.IsTrue(result.PermissionSet.IsUnrestricted(), "IsUnrestricted");
Assert.AreEqual(0, result.PermissionSet.Count, "Count");
}
public void CopyWithChildren()
{
UnionCodeGroup cgChild = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
cg.AddChild(cgChild);
UnionCodeGroup cg2 = (UnionCodeGroup)cg.Copy();
Assert.AreEqual(cg.Children.Count, cg2.Children.Count, "Children");
Assert.AreEqual(cg.ToXml().ToString(), cg2.ToXml().ToString(), "ToXml");
}
public void Constructor()
{
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
Assert.AreEqual(String.Empty, cg.AttributeString, "AttributeString");
Assert.IsNull(cg.Description, "Description");
Assert.IsNotNull(cg.MembershipCondition, "MembershipCondition");
Assert.IsNull(cg.Name, "Name");
Assert.IsNull(cg.PermissionSetName, "PermissionSetName");
Assert.IsNotNull(cg.PolicyStatement, "PolicyStatement");
}
private void SetSecurity()
{
levelOfAccess = PolicyLevel.CreateAppDomainLevel();
executeOnly = new PermissionSet(PermissionState.None);
executeOnly.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
//executeOnly.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, "C:\\Windows\\"));
PolicyStatement executeOnlyStatement = new PolicyStatement(executeOnly);
UnionCodeGroup applicablePolicy = new UnionCodeGroup(new AllMembershipCondition(), executeOnlyStatement);
levelOfAccess.RootCodeGroup = applicablePolicy;
}
public void Constructor_MembershipConditionPolicyStatementNull()
{
// legal
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), null);
Assert.IsNull(cg.AttributeString, "AttributeString");
Assert.IsNull(cg.Description, "Description");
Assert.IsNotNull(cg.MembershipCondition, "MembershipCondition");
Assert.IsNull(cg.Name, "Name");
Assert.IsNull(cg.PermissionSetName, "PermissionSetName");
Assert.IsNull(cg.PolicyStatement, "PolicyStatement");
}
/// <summary>
///
/// </summary>
///
public override void Install(System.Collections.IDictionary stateSaver)
{
base.Install(stateSaver);
try
{
// Find the machine policy level
PolicyLevel machinePolicyLevel = null;
System.Collections.IEnumerator policyHierarchy = SecurityManager.PolicyHierarchy();
while (policyHierarchy.MoveNext())
{
PolicyLevel level = (PolicyLevel)policyHierarchy.Current;
if (level.Label == "Machine")
{
machinePolicyLevel = level;
break;
}
}
if (machinePolicyLevel == null)
{
throw new ApplicationException(
"Could not find Machine Policy level. Code Access Security " +
"is not configured for this application."
);
}
// Get the installation directory of the current installer
string assemblyPath = this.Context.Parameters["assemblypath"];
string installDirectory = assemblyPath.Substring(0, assemblyPath.LastIndexOf("\\"));
if (!installDirectory.EndsWith(@"\"))
{
installDirectory += @"\";
}
installDirectory += "*";
//Create a code group with a new FullTrust permission set
PolicyStatement policyStatement = new PolicyStatement(new NamedPermissionSet("FullTrust"));
CodeGroup codeGroup = new UnionCodeGroup(new UrlMembershipCondition(installDirectory), policyStatement);
codeGroup.Description = "Permissions for Outlook Addin";
codeGroup.Name = "Outlook Addin";
machinePolicyLevel.RootCodeGroup.AddChild(codeGroup);
SecurityManager.SavePolicy();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
public void Copy()
{
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
UnionCodeGroup cg2 = (UnionCodeGroup)cg.Copy();
Assert.AreEqual(cg.AttributeString, cg2.AttributeString, "AttributeString");
Assert.AreEqual(cg.Children.Count, cg2.Children.Count, "Children");
Assert.AreEqual(cg.Description, cg2.Description, "Description");
Assert.AreEqual(cg.MergeLogic, cg2.MergeLogic, "MergeLogic");
Assert.AreEqual(cg.Name, cg2.Name, "Name");
Assert.AreEqual(cg.PermissionSetName, cg2.PermissionSetName, "PermissionSetName");
Assert.AreEqual(cg.ToXml().ToString(), cg2.ToXml().ToString(), "ToXml");
}
private void AddUrlCodeGroup(CodeGroup parentGroup, String groupName, String url, String permissionSetName)
{
RemoveGroupIfExists(parentGroup, groupName);
PermissionSet permSet = new NamedPermissionSet(permissionSetName);
IMembershipCondition membershipCondition = new UrlMembershipCondition(url);
PolicyStatement statement = new PolicyStatement(permSet);
CodeGroup group = new UnionCodeGroup(membershipCondition, statement);
group.Name = groupName;
parentGroup.AddChild(group);
}
// Create new code groups using the custom named permission sets previously created.
private static void CreateCodeGroups()
{
// Create instances of the named permission sets created earlier to establish the
// permissions for the new code groups.
NamedPermissionSet companyCodeSet = new NamedPermissionSet("MyCompany", PermissionState.Unrestricted);
NamedPermissionSet departmentCodeSet = new NamedPermissionSet("MyDepartment", PermissionState.Unrestricted);
// Create new code groups using the named permission sets.
PolicyStatement policyMyCompany = new PolicyStatement(companyCodeSet, PolicyStatementAttribute.LevelFinal);
PolicyStatement policyMyDepartment = new PolicyStatement(departmentCodeSet, PolicyStatementAttribute.Exclusive);
// Create new code groups using UnionCodeGroup.
CodeGroup myCompanyZone = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet), policyMyCompany);
myCompanyZone.Name = "MyCompanyCodeGroup";
byte[] b1 = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 237, 146, 145, 51, 34, 97, 123, 196, 90, 174, 41, 170, 173, 221, 41, 193, 175, 39, 7, 151, 178, 0, 230, 152, 218, 8, 206, 206, 170, 84, 111, 145, 26, 208, 158, 240, 246, 219, 228, 34, 31, 163, 11, 130, 16, 199, 111, 224, 4, 112, 46, 84, 0, 104, 229, 38, 39, 63, 53, 189, 0, 157, 32, 38, 34, 109, 0, 171, 114, 244, 34, 59, 9, 232, 150, 192, 247, 175, 104, 143, 171, 42, 219, 66, 66, 194, 191, 218, 121, 59, 92, 42, 37, 158, 13, 108, 210, 189, 9, 203, 204, 32, 48, 91, 212, 101, 193, 19, 227, 107, 25, 133, 70, 2, 220, 83, 206, 71, 102, 245, 104, 252, 87, 109, 190, 56, 34, 180 };
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(b1);
CodeGroup myDepartmentZone = new UnionCodeGroup(new StrongNameMembershipCondition(blob, null, null), policyMyDepartment);
myDepartmentZone.Name = "MyDepartmentCodeGroup";
// Move through the policy levels looking for the Machine policy level.
// Create two new code groups at that level.
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
while (policyEnumerator.MoveNext())
{
// At the Machine level delete already existing copies of the custom code groups,
// then create the new code groups.
PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
if (currentLevel.Label == "Machine")
{
// Remove old instances of the custom groups.
DeleteCustomCodeGroups();
// Add the new code groups.
//*******************************************************
// To add a child code group, add the child to the parent prior to adding
// the parent to the root.
myCompanyZone.AddChild(myDepartmentZone);
// Add the parent to the root code group.
currentLevel.RootCodeGroup.AddChild(myCompanyZone);
SecurityManager.SavePolicy();
}
}
// Save the security policy.
SecurityManager.SavePolicy();
Console.WriteLine("Security policy modified.");
Console.WriteLine("New code groups added at the Machine policy level.");
}
private static PolicyLevel GetPolicyForUrl(String strUrl, int iZone, String strAppPath)
{
if (strUrl == null || strAppPath == null || strUrl.Length < 1 || strAppPath.Length < 1)
{
return(null);
}
Evidence evidence = new Evidence();
PolicyLevel plReturn = PolicyLevel.CreateAppDomainLevel();
PermissionSet denyPS = null;
PermissionSet ps;
UnionCodeGroup allCG;
UnionCodeGroup snCG;
UnionCodeGroup cg;
evidence.AddAssembly(new Url(strUrl));
evidence.AddAssembly(new Zone((SecurityZone)iZone));
ps = SecurityManager.ResolvePolicy(evidence,
null, null, null, out denyPS);
ps.RemovePermission(typeof(UrlIdentityPermission));
ps.RemovePermission(typeof(ZoneIdentityPermission));
allCG = new UnionCodeGroup(new AllMembershipCondition(),
new PolicyStatement(new PermissionSet(PermissionState.None)));
snCG = new UnionCodeGroup(
new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(s_microsoftPublicKey), null, null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
if (!strAppPath.EndsWith("/"))
{
strAppPath += "/";
}
strAppPath += "*";
cg = new UnionCodeGroup(
new UrlMembershipCondition(strAppPath),
new PolicyStatement(ps));
allCG.AddChild(snCG);
allCG.AddChild(cg);
plReturn.RootCodeGroup.AddChild(allCG);
return(plReturn);
}
public void ResolveMatchingCodeGroups_ThreeLevel()
{
UnionCodeGroup level1 = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
CodeGroup level2 = level1.Copy();
level1.AddChild(level2);
UnionCodeGroup level3 = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
level2.AddChild(level3);
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
// Equals (true) isn't a deep compare (just one level)
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
}
internal CNewCodeGroupWiz2() : base(null)
{
// Since we're inheriting off of a property page and not a wizard
// page, we need to set our size ourselves....
CWizardPage wizPage = new CWizardPage();
PageSize = wizPage.PageSize;
m_sTitle = CResourceStore.GetString("CNewCodeGroupWiz2:Title");
m_sHeaderTitle = CResourceStore.GetString("CNewCodeGroupWiz2:HeaderTitle");
m_sHeaderSubTitle = CResourceStore.GetString("CNewCodeGroupWiz2:HeaderSubTitle");
m_cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
MyCodeGroup = m_cg;
System.Resources.ResourceManager resources = new System.Resources.ResourceManager(typeof(CNewCodeGroupWiz2));
m_point2ndPiece = ((System.Drawing.Point)(resources.GetObject("m_uc.Location")));
}// CNewCodeGroupWiz2
/// <summary>
/// Configures FullTrust for the entire installdirectory
/// </summary>
private void ConfigureCodeAccessSecurity()
{
PolicyLevel machinePolicyLevel = GetPolicyLevel();
if (null == GetCodeGroup(machinePolicyLevel))
{
// Create a new FullTrust permission set
PermissionSet permissionSet = new NamedPermissionSet(this.namedPermissionSet);
IMembershipCondition membershipCondition =
new UrlMembershipCondition(InstallDirectory);
// Create the code group
PolicyStatement policyStatement = new PolicyStatement(permissionSet);
CodeGroup codeGroup = new UnionCodeGroup(membershipCondition, policyStatement);
codeGroup.Description = this.codeGroupDescription;
codeGroup.Name = this.codeGroupName;
// Add the code group
machinePolicyLevel.RootCodeGroup.AddChild(codeGroup);
// Save changes
SecurityManager.SavePolicy();
}
}
private PolicyLevel DefineHostPolicy()
{
// Create the domain level policy
PolicyLevel pl = PolicyLevel.CreateAppDomainLevel();
//
// include a code group that gives permissions only to assemblies that
// that are strong named with s_somePublicKey
//
UnionCodeGroup snCG =
new UnionCodeGroup(
new StrongNameMembershipCondition(new
StrongNamePublicKeyBlob(s_somePublicKey), null, null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
pl.RootCodeGroup.AddChild(snCG);
Console.WriteLine("Domain security policy successfully created...");
return(pl);
}
public void ToFromXmlRoundtrip()
{
const string ps_Name = "TestName";
PolicyStatement ps = new PolicyStatement(new NamedPermissionSet(ps_Name));
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), ps);
cg.Name = "SomeName";
cg.Description = "Some Description";
Assert.IsTrue(cg.Equals(cg), "Equals (itself)");
SecurityElement se = cg.ToXml();
UnionCodeGroup cg2 = new UnionCodeGroup(new AllMembershipCondition(), ps);
cg2.Name = "SomeOtherName";
cg2.Description = "Some Other Description";
Assert.IsTrue(!cg.Equals(cg2), "Equals (another)");
cg2.FromXml(se);
Assert.IsTrue(cg.Equals(cg2), "Equals (FromXml)");
}
// source: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
static AppDomain CreateRestrictedDomain (string filename)
{
PermissionSet emptySet = new PermissionSet (PermissionState.None);
PolicyStatement emptyPolicy = new PolicyStatement (emptySet);
UnionCodeGroup root = new UnionCodeGroup (new AllMembershipCondition (), emptyPolicy);
PermissionSet userSet = null;
if (filename [0] == '@')
userSet = GetNamedPermissionSet (filename.Substring (1));
else
userSet = LoadFromFile (filename);
PolicyStatement userPolicy = new PolicyStatement (userSet);
root.AddChild (new UnionCodeGroup (new AllMembershipCondition (), userPolicy));
PolicyLevel pl = PolicyLevel.CreateAppDomainLevel ();
pl.RootCodeGroup = root;
AppDomain ad = AppDomain.CreateDomain ("Restricted");
ad.SetAppDomainPolicy (pl);
return ad;
}
// Create new code groups using the custom named permission sets previously created.
private static void CreateCodeGroups()
{
// Create instances of the named permission sets created earlier to establish the
// permissions for the new code groups.
NamedPermissionSet companyCodeSet = new NamedPermissionSet("MyCompany",PermissionState.Unrestricted);
NamedPermissionSet departmentCodeSet = new NamedPermissionSet("MyDepartment",PermissionState.Unrestricted);
// Create new code groups using the named permission sets.
PolicyStatement policyMyCompany = new PolicyStatement(companyCodeSet,PolicyStatementAttribute.LevelFinal);
PolicyStatement policyMyDepartment = new PolicyStatement(departmentCodeSet,PolicyStatementAttribute.Exclusive);
// Create new code groups using UnionCodeGroup.
CodeGroup myCompanyZone = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet), policyMyCompany);
myCompanyZone.Name = "MyCompanyCodeGroup";
byte[] b1 = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 237, 146, 145, 51, 34, 97, 123, 196, 90, 174, 41, 170, 173, 221, 41, 193, 175, 39, 7, 151, 178, 0, 230, 152, 218, 8, 206, 206, 170,84, 111, 145, 26, 208, 158, 240, 246, 219, 228, 34, 31, 163, 11, 130, 16, 199, 111, 224, 4, 112, 46, 84, 0, 104, 229, 38, 39, 63, 53, 189, 0, 157, 32, 38, 34, 109, 0, 171, 114, 244, 34, 59, 9, 232, 150, 192, 247, 175, 104, 143, 171, 42, 219, 66, 66, 194, 191, 218, 121, 59, 92, 42, 37, 158, 13, 108, 210, 189, 9, 203, 204, 32, 48, 91, 212, 101, 193, 19, 227, 107, 25, 133, 70, 2, 220, 83, 206, 71, 102, 245, 104, 252, 87, 109, 190, 56, 34, 180};
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(b1);
CodeGroup myDepartmentZone = new UnionCodeGroup(new StrongNameMembershipCondition(blob, null, null), policyMyDepartment);
myDepartmentZone.Name = "MyDepartmentCodeGroup";
// Move through the policy levels looking for the Machine policy level.
// Create two new code groups at that level.
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
while(policyEnumerator.MoveNext())
{
// At the Machine level delete already existing copies of the custom code groups,
// then create the new code groups.
PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
if (currentLevel.Label == "Machine")
{
// Remove old instances of the custom groups.
DeleteCustomCodeGroups();
// Add the new code groups.
//*******************************************************
// To add a child code group, add the child to the parent prior to adding
// the parent to the root.
myCompanyZone.AddChild(myDepartmentZone);
// Add the parent to the root code group.
currentLevel.RootCodeGroup.AddChild(myCompanyZone);
SecurityManager.SavePolicy();
}
}
// Save the security policy.
SecurityManager.SavePolicy();
Console.WriteLine("Security policy modified.");
Console.WriteLine("New code groups added at the Machine policy level.");
}
