// source: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
static AppDomain CreateRestrictedDomain(string filename)
{
PermissionSet emptySet = new PermissionSet(PermissionState.None);
PolicyStatement emptyPolicy = new PolicyStatement(emptySet);
UnionCodeGroup root = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
PermissionSet userSet = null;
if (filename [0] == '@')
{
userSet = GetNamedPermissionSet(filename.Substring(1));
}
else
{
userSet = LoadFromFile(filename);
}
PolicyStatement userPolicy = new PolicyStatement(userSet);
root.AddChild(new UnionCodeGroup(new AllMembershipCondition(), userPolicy));
PolicyLevel pl = PolicyLevel.CreateAppDomainLevel();
pl.RootCodeGroup = root;
AppDomain ad = AppDomain.CreateDomain("Restricted");
ad.SetAppDomainPolicy(pl);
return(ad);
}
public static void SetAppDomainPolicy(AppDomain appDomain)
{
// Create an AppDomain policy level.
PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();
// The root code group of the policy level combines all
// permissions of its children.
UnionCodeGroup rootCodeGroup;
PermissionSet ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
rootCodeGroup = new UnionCodeGroup(new AllMembershipCondition(),
new PolicyStatement(ps, PolicyStatementAttribute.Nothing));
NamedPermissionSet localIntranet = FindNamedPermissionSet("LocalIntranet");
// The following code limits all code on this machine to local intranet permissions
// when running in this application domain.
UnionCodeGroup virtualIntranet = new UnionCodeGroup(
new ZoneMembershipCondition(SecurityZone.MyComputer),
new PolicyStatement(localIntranet,
PolicyStatementAttribute.Nothing));
virtualIntranet.Name = "Virtual Intranet";
// Add the code groups to the policy level.
rootCodeGroup.AddChild(virtualIntranet);
pLevel.RootCodeGroup = rootCodeGroup;
appDomain.SetAppDomainPolicy(pLevel);
}
private static AppDomain CreateRestrictedDomain(string domainName)
{
// Default to all code getting nothing
PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
// Grant all code the named permission set for the test
PermissionSet partialTrustPermissionSet = new PermissionSet(PermissionState.None);
partialTrustPermissionSet.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.AllFlags));
partialTrustPermissionSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution | SecurityPermissionFlag.ControlEvidence));
PolicyStatement permissions = new PolicyStatement(partialTrustPermissionSet);
policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
// Create an AppDomain policy level for the policy tree
PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
appDomainLevel.RootCodeGroup = policyRoot;
// Set the Application Base correctly in order to find the test assembly
AppDomainSetup ads = new AppDomainSetup();
ads.ApplicationBase = Environment.CurrentDirectory;
AppDomain restrictedDomain = AppDomain.CreateDomain(domainName, null, ads);
restrictedDomain.SetAppDomainPolicy(appDomainLevel);
return(restrictedDomain);
}
private static PolicyLevel GetPolicyForUrl(String strUrl, int iZone, String strAppPath)
{
if (strUrl == null || strAppPath == null || strUrl.Length < 1 || strAppPath.Length < 1)
{
return(null);
}
Evidence evidence = new Evidence();
PolicyLevel plReturn = PolicyLevel.CreateAppDomainLevel();
PermissionSet denyPS = null;
PermissionSet ps;
UnionCodeGroup allCG;
UnionCodeGroup snCG;
UnionCodeGroup cg;
evidence.AddAssembly(new Url(strUrl));
evidence.AddAssembly(new Zone((SecurityZone)iZone));
ps = SecurityManager.ResolvePolicy(evidence,
null, null, null, out denyPS);
ps.RemovePermission(typeof(UrlIdentityPermission));
ps.RemovePermission(typeof(ZoneIdentityPermission));
allCG = new UnionCodeGroup(new AllMembershipCondition(),
new PolicyStatement(new PermissionSet(PermissionState.None)));
snCG = new UnionCodeGroup(
new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(s_microsoftPublicKey), null, null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
if (!strAppPath.EndsWith("/"))
{
strAppPath += "/";
}
strAppPath += "*";
cg = new UnionCodeGroup(
new UrlMembershipCondition(strAppPath),
new PolicyStatement(ps));
allCG.AddChild(snCG);
allCG.AddChild(cg);
plReturn.RootCodeGroup.AddChild(allCG);
return(plReturn);
}
public void CopyWithChildren()
{
UnionCodeGroup cgChild = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
UnionCodeGroup cg = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
cg.AddChild(cgChild);
UnionCodeGroup cg2 = (UnionCodeGroup)cg.Copy();
Assert.AreEqual(cg.Children.Count, cg2.Children.Count, "Children");
Assert.AreEqual(cg.ToXml().ToString(), cg2.ToXml().ToString(), "ToXml");
}
public void ResolveMatchingCodeGroups_TwoLevel()
{
UnionCodeGroup level1 = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(new PermissionSet(PermissionState.None)));
CodeGroup level2 = level1.Copy();
level1.AddChild(level2);
CodeGroup match = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match, "Match");
Assert.IsTrue(match.Equals(level1, false), "Equals(false)");
Assert.IsTrue(match.Equals(level1, true), "Equals(true)");
UnionCodeGroup level2b = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Untrusted), new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)));
level1.AddChild(level2b);
CodeGroup match2 = level1.ResolveMatchingCodeGroups(new Evidence());
Assert.IsNotNull(match2, "Match2");
Assert.IsTrue(match2.Equals(level1, false), "Equals(false)");
Assert.IsTrue(!match2.Equals(level1, true), "Equals(true)");
}
// Create new code groups using the custom named permission sets previously created.
private static void CreateCodeGroups()
{
// Create instances of the named permission sets created earlier to establish the
// permissions for the new code groups.
NamedPermissionSet companyCodeSet = new NamedPermissionSet("MyCompany", PermissionState.Unrestricted);
NamedPermissionSet departmentCodeSet = new NamedPermissionSet("MyDepartment", PermissionState.Unrestricted);
// Create new code groups using the named permission sets.
PolicyStatement policyMyCompany = new PolicyStatement(companyCodeSet, PolicyStatementAttribute.LevelFinal);
PolicyStatement policyMyDepartment = new PolicyStatement(departmentCodeSet, PolicyStatementAttribute.Exclusive);
// Create new code groups using UnionCodeGroup.
CodeGroup myCompanyZone = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet), policyMyCompany);
myCompanyZone.Name = "MyCompanyCodeGroup";
byte[] b1 = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 237, 146, 145, 51, 34, 97, 123, 196, 90, 174, 41, 170, 173, 221, 41, 193, 175, 39, 7, 151, 178, 0, 230, 152, 218, 8, 206, 206, 170, 84, 111, 145, 26, 208, 158, 240, 246, 219, 228, 34, 31, 163, 11, 130, 16, 199, 111, 224, 4, 112, 46, 84, 0, 104, 229, 38, 39, 63, 53, 189, 0, 157, 32, 38, 34, 109, 0, 171, 114, 244, 34, 59, 9, 232, 150, 192, 247, 175, 104, 143, 171, 42, 219, 66, 66, 194, 191, 218, 121, 59, 92, 42, 37, 158, 13, 108, 210, 189, 9, 203, 204, 32, 48, 91, 212, 101, 193, 19, 227, 107, 25, 133, 70, 2, 220, 83, 206, 71, 102, 245, 104, 252, 87, 109, 190, 56, 34, 180 };
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(b1);
CodeGroup myDepartmentZone = new UnionCodeGroup(new StrongNameMembershipCondition(blob, null, null), policyMyDepartment);
myDepartmentZone.Name = "MyDepartmentCodeGroup";
// Move through the policy levels looking for the Machine policy level.
// Create two new code groups at that level.
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
while (policyEnumerator.MoveNext())
{
// At the Machine level delete already existing copies of the custom code groups,
// then create the new code groups.
PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
if (currentLevel.Label == "Machine")
{
// Remove old instances of the custom groups.
DeleteCustomCodeGroups();
// Add the new code groups.
//*******************************************************
// To add a child code group, add the child to the parent prior to adding
// the parent to the root.
myCompanyZone.AddChild(myDepartmentZone);
// Add the parent to the root code group.
currentLevel.RootCodeGroup.AddChild(myCompanyZone);
SecurityManager.SavePolicy();
}
}
// Save the security policy.
SecurityManager.SavePolicy();
Console.WriteLine("Security policy modified.");
Console.WriteLine("New code groups added at the Machine policy level.");
}
static AppDomain NewDomain()
{
PolicyStatement statement = new PolicyStatement(new PermissionSet(PermissionState.None), PolicyStatementAttribute.Nothing);
PermissionSet ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Assertion));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlAppDomain));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlDomainPolicy));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlEvidence));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlPolicy));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlPrincipal));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlThread));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Infrastructure));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.RemotingConfiguration));
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.SerializationFormatter));
ps.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
ps.AddPermission(new EnvironmentPermission(PermissionState.Unrestricted));
ps.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
ps.AddPermission(new RegistryPermission(PermissionState.Unrestricted));
ps.AddPermission(new IsolatedStorageFilePermission(PermissionState.Unrestricted));
ps.AddPermission(new EventLogPermission(PermissionState.Unrestricted));
ps.AddPermission(new PerformanceCounterPermission(PermissionState.Unrestricted));
ps.AddPermission(new DnsPermission(PermissionState.Unrestricted));
ps.AddPermission(new UIPermission(PermissionState.Unrestricted));
PolicyStatement statement1 = new PolicyStatement(ps, PolicyStatementAttribute.Exclusive);
CodeGroup group;
group = new UnionCodeGroup(new AllMembershipCondition(), statement);
group.AddChild(new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.MyComputer), statement1));
PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
level.RootCodeGroup = group;
AppDomain domain = AppDomain.CreateDomain("test");
domain.SetAppDomainPolicy(level);
return(domain);
}
/// <summary>
/// 设置程序域的权限
/// </summary>
/// <param name="pAppDomain">指定的程序域</param>
private void SetAppDomainPolicy(AppDomain pAppDomain)
{
PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();
PermissionSet pPermission = new PermissionSet(PermissionState.None);
pPermission.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
UnionCodeGroup pRootGroup = new UnionCodeGroup(new AllMembershipCondition(),
new PolicyStatement(pPermission, PolicyStatementAttribute.Nothing));
NamedPermissionSet pPermissionSet = FindNamedPermissionSet("Machine", "Everything");
UnionCodeGroup pChileGroup = new UnionCodeGroup(
new ZoneMembershipCondition(SecurityZone.MyComputer),
new PolicyStatement(pPermissionSet, PolicyStatementAttribute.Nothing));
pChileGroup.Name = "Virtual Intranet";
pRootGroup.AddChild(pChileGroup);
pLevel.RootCodeGroup = pRootGroup;
pAppDomain.SetAppDomainPolicy(pLevel);
}
// source: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
static AppDomain CreateRestrictedDomain (string filename)
{
PermissionSet emptySet = new PermissionSet (PermissionState.None);
PolicyStatement emptyPolicy = new PolicyStatement (emptySet);
UnionCodeGroup root = new UnionCodeGroup (new AllMembershipCondition (), emptyPolicy);
PermissionSet userSet = null;
if (filename [0] == '@')
userSet = GetNamedPermissionSet (filename.Substring (1));
else
userSet = LoadFromFile (filename);
PolicyStatement userPolicy = new PolicyStatement (userSet);
root.AddChild (new UnionCodeGroup (new AllMembershipCondition (), userPolicy));
PolicyLevel pl = PolicyLevel.CreateAppDomainLevel ();
pl.RootCodeGroup = root;
AppDomain ad = AppDomain.CreateDomain ("Restricted");
ad.SetAppDomainPolicy (pl);
return ad;
}
private static void SetupPolicy(string path, string name)
{
//Get a reference to the User level "All Code" group.
PolicyLevel polLevel = GetPolicy(_user);
if (polLevel != null)
{
UnionCodeGroup allCodeCG =
(UnionCodeGroup)polLevel.RootCodeGroup;
//Create a new code group with the FullTrust permission
//set and a URL as evidence of membership.
PermissionSet permSet = polLevel.GetNamedPermissionSet(_fullTrust);
UrlMembershipCondition urlMemCond = new UrlMembershipCondition(path);
UnionCodeGroup cg =
new UnionCodeGroup(urlMemCond, new PolicyStatement(permSet));
cg.Name = name;
allCodeCG.AddChild(cg);
//Save the policy
SecurityManager.SavePolicy();
}
}
public static void CreateAPolicyLevel()
{
try
{
//<Snippet2>
// Create an AppDomain policy level.
PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();
//</Snippet2>
// The root code group of the policy level combines all
// permissions of its children.
UnionCodeGroup rootCodeGroup;
PermissionSet ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
rootCodeGroup = new UnionCodeGroup(
new AllMembershipCondition(),
new PolicyStatement(ps, PolicyStatementAttribute.Nothing));
// This code group grants FullTrust to assemblies with the strong
// name key from this assembly.
UnionCodeGroup myCodeGroup = new UnionCodeGroup(
new StrongNameMembershipCondition(
new StrongNamePublicKeyBlob(GetKey()),
null,
null),
new PolicyStatement(new PermissionSet(PermissionState.Unrestricted),
PolicyStatementAttribute.Nothing)
);
myCodeGroup.Name = "My CodeGroup";
//<Snippet4>
// Add the code groups to the policy level.
rootCodeGroup.AddChild(myCodeGroup);
pLevel.RootCodeGroup = rootCodeGroup;
Console.WriteLine("Permissions granted to all code running in this AppDomain level: ");
Console.WriteLine(rootCodeGroup.ToXml());
Console.WriteLine("Child code groups in RootCodeGroup:");
IList codeGroups = pLevel.RootCodeGroup.Children;
IEnumerator codeGroup = codeGroups.GetEnumerator();
while (codeGroup.MoveNext())
{
Console.WriteLine("\t" + ((CodeGroup)codeGroup.Current).Name);
}
//</Snippet4>
//<Snippet5>
Console.WriteLine("Demonstrate adding and removing named permission sets.");
Console.WriteLine("Original named permission sets:");
ListPermissionSets(pLevel);
NamedPermissionSet myInternet = pLevel.GetNamedPermissionSet("Internet");
//</Snippet5>
myInternet.Name = "MyInternet";
//<Snippet6>
pLevel.AddNamedPermissionSet(myInternet);
//</Snippet6>
Console.WriteLine("\nNew named permission sets:");
ListPermissionSets(pLevel);
myInternet.RemovePermission(typeof(System.Security.Permissions.FileDialogPermission));
//<Snippet7>
pLevel.ChangeNamedPermissionSet("MyInternet", myInternet);
//</Snippet7>
//<Snippet8>
pLevel.RemoveNamedPermissionSet("MyInternet");
//</Snippet8>
Console.WriteLine("\nCurrent permission sets:");
ListPermissionSets(pLevel);
pLevel.AddNamedPermissionSet(myInternet);
Console.WriteLine("\nUpdated named permission sets:");
ListPermissionSets(pLevel);
//<Snippet9>
pLevel.Reset();
//</Snippet9>
Console.WriteLine("\nReset named permission sets:");
ListPermissionSets(pLevel);
//<Snippet10>
Console.WriteLine("\nType property = " + pLevel.Type.ToString());
//</Snippet10>
//<Snippet11>
Console.WriteLine("The result of GetHashCode is " + pLevel.GetHashCode().ToString());
//</Snippet11>
Console.WriteLine("StoreLocation property for the AppDomain level is empty, since AppDomain policy " +
"cannot be saved to a file.");
Console.WriteLine("StoreLocation property = " + pLevel.StoreLocation);
//<Snippet12>
PolicyLevel pLevelCopy = PolicyLevel.CreateAppDomainLevel();
// Create a copy of the PolicyLevel using ToXml/FromXml.
pLevelCopy.FromXml(pLevel.ToXml());
if (ComparePolicyLevels(pLevel, pLevelCopy))
{
Console.WriteLine("The ToXml/FromXml roundtrip was successful.");
}
else
{
Console.WriteLine("ToXml/FromXml roundtrip failed.");
}
//</Snippet12>
Console.WriteLine("Show the result of resolving policy for evidence unique to the AppDomain policy level.");
Evidence myEvidence = new Evidence(new object[] { myCodeGroup }, null);
CheckEvidence(pLevel, myEvidence);
return;
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return;
}
}
/// <summary>
/// Create an AppDomain that contains policy restricting code to execute
/// with only the permissions granted by a named permission set
/// </summary>
/// <param name="permissionSetName">name of the permission set to restrict to</param>
/// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="permissionSetName"/> is null
/// </exception>
/// <exception cref="ArgumentOutOfRangeException">
/// if <paramref name="permissionSetName"/> is empty
/// </exception>
/// <returns>AppDomain with a restricted security policy</returns>
/// <remarks>Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
/// Valid permissionSetName values are:
/// * FullTrust
/// * SkipVerification
/// * Execution
/// * Nothing
/// * LocalIntranet
/// * Internet
/// * Everything
/// </remarks>
#pragma warning disable 0618
public static AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName)
{
if (permissionSetName == null)
{
throw new ArgumentNullException("permissionSetName");
}
if (permissionSetName.Length == 0)
{
throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
"Cannot have an empty permission set name");
}
// Default to all code getting nothing
PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
bool foundName = false;
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
// iterate over each policy level
IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
while (levelEnumerator.MoveNext())
{
PolicyLevel level = levelEnumerator.Current as PolicyLevel;
// if this level has defined a named permission set with the
// given name, then intersect it with what we've retrieved
// from all the previous levels
if (level != null)
{
PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
if (levelSet != null)
{
foundName = true;
if (setIntersection != null)
{
setIntersection = setIntersection.Intersect(levelSet);
}
}
}
}
// Intersect() can return null for an empty set, so convert that
// to an empty set object. Also return an empty set if we didn't find
// the named permission set we were looking for
if (setIntersection == null || !foundName)
{
setIntersection = new PermissionSet(PermissionState.None);
}
else
{
setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);
}
// if no named permission sets were found, return an empty set,
// otherwise return the set that was found
PolicyStatement permissions = new PolicyStatement(setIntersection);
policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
// create an AppDomain policy level for the policy tree
PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
appDomainLevel.RootCodeGroup = policyRoot;
// create an AppDomain where this policy will be in effect
string domainName = appDomainName;
AppDomain restrictedDomain = AppDomain.CreateDomain(domainName);
restrictedDomain.SetAppDomainPolicy(appDomainLevel);
return(restrictedDomain);
}
/// From MRMModule.cs by Adam Frisby
/// <summary>
/// Create an AppDomain that contains policy restricting code to execute
/// with only the permissions granted by a named permission set
/// </summary>
/// <param name="permissionSetName">name of the permission set to restrict to</param>
/// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
/// <param name="ads"></param>
/// <exception cref="ArgumentNullException">
/// if <paramref name="permissionSetName" /> is null
/// </exception>
/// <exception cref="ArgumentOutOfRangeException">
/// if <paramref name="permissionSetName" /> is empty
/// </exception>
/// <returns>AppDomain with a restricted security policy</returns>
/// <remarks>
/// Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
/// Valid permissionSetName values are:
/// * FullTrust
/// * SkipVerification
/// * Execution
/// * Nothing
/// * LocalIntranet
/// * Internet
/// * Everything
/// </remarks>
public AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName, AppDomainSetup ads)
{
if (permissionSetName == null)
{
throw new ArgumentNullException("permissionSetName");
}
if (permissionSetName.Length == 0)
{
throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
"Cannot have an empty permission set name");
}
// Default to all code getting everything
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
AppDomain restrictedDomain = null;
#if LINUX
#pragma warning disable 612, 618
PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
bool foundName = false;
// iterate over each policy level
IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
while (levelEnumerator.MoveNext())
{
PolicyLevel level = levelEnumerator.Current as PolicyLevel;
// if this level has defined a named permission set with the
// given name, then intersect it with what we've retrieved
// from all the previous levels
if (level != null)
{
PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
if (levelSet != null)
{
foundName = true;
if (setIntersection != null)
{
setIntersection = setIntersection.Intersect(levelSet);
}
}
}
}
// Intersect() can return null for an empty set, so convert that
// to an empty set object. Also return an empty set if we didn't find
// the named permission set we were looking for
if (setIntersection == null || !foundName)
{
setIntersection = new PermissionSet(PermissionState.None);
}
else
{
setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);
}
// if no named permission sets were found, return an empty set,
// otherwise return the set that was found
setIntersection.AddPermission(new SocketPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new WebPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new SecurityPermission(PermissionState.Unrestricted));
PolicyStatement permissions = new PolicyStatement(setIntersection);
policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
// create an AppDomain policy level for the policy tree
PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
appDomainLevel.RootCodeGroup = policyRoot;
// create an AppDomain where this policy will be in effect
restrictedDomain = AppDomain.CreateDomain(appDomainName, null, ads);
restrictedDomain.SetAppDomainPolicy(appDomainLevel);
#pragma warning restore 612, 618
#else
SecurityZone zone = SecurityZone.MyComputer;
try
{
zone = (SecurityZone)Enum.Parse(typeof(SecurityZone), permissionSetName);
}
catch
{
zone = SecurityZone.MyComputer;
}
Evidence ev = new Evidence();
ev.AddHostEvidence(new Zone(zone));
setIntersection = SecurityManager.GetStandardSandbox(ev);
setIntersection.AddPermission(new System.Net.SocketPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(new System.Net.WebPermission(PermissionState.Unrestricted));
setIntersection.AddPermission(
new System.Security.Permissions.SecurityPermission(PermissionState.Unrestricted));
// create an AppDomain where this policy will be in effect
restrictedDomain = AppDomain.CreateDomain(appDomainName, ev, ads, setIntersection, null);
#endif
return(restrictedDomain);
}
// Create new code groups using the custom named permission sets previously created.
private static void CreateCodeGroups()
{
// Create instances of the named permission sets created earlier to establish the
// permissions for the new code groups.
NamedPermissionSet companyCodeSet = new NamedPermissionSet("MyCompany",PermissionState.Unrestricted);
NamedPermissionSet departmentCodeSet = new NamedPermissionSet("MyDepartment",PermissionState.Unrestricted);
// Create new code groups using the named permission sets.
PolicyStatement policyMyCompany = new PolicyStatement(companyCodeSet,PolicyStatementAttribute.LevelFinal);
PolicyStatement policyMyDepartment = new PolicyStatement(departmentCodeSet,PolicyStatementAttribute.Exclusive);
// Create new code groups using UnionCodeGroup.
CodeGroup myCompanyZone = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Intranet), policyMyCompany);
myCompanyZone.Name = "MyCompanyCodeGroup";
byte[] b1 = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 0, 1, 0, 1, 0, 237, 146, 145, 51, 34, 97, 123, 196, 90, 174, 41, 170, 173, 221, 41, 193, 175, 39, 7, 151, 178, 0, 230, 152, 218, 8, 206, 206, 170,84, 111, 145, 26, 208, 158, 240, 246, 219, 228, 34, 31, 163, 11, 130, 16, 199, 111, 224, 4, 112, 46, 84, 0, 104, 229, 38, 39, 63, 53, 189, 0, 157, 32, 38, 34, 109, 0, 171, 114, 244, 34, 59, 9, 232, 150, 192, 247, 175, 104, 143, 171, 42, 219, 66, 66, 194, 191, 218, 121, 59, 92, 42, 37, 158, 13, 108, 210, 189, 9, 203, 204, 32, 48, 91, 212, 101, 193, 19, 227, 107, 25, 133, 70, 2, 220, 83, 206, 71, 102, 245, 104, 252, 87, 109, 190, 56, 34, 180};
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(b1);
CodeGroup myDepartmentZone = new UnionCodeGroup(new StrongNameMembershipCondition(blob, null, null), policyMyDepartment);
myDepartmentZone.Name = "MyDepartmentCodeGroup";
// Move through the policy levels looking for the Machine policy level.
// Create two new code groups at that level.
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();
while(policyEnumerator.MoveNext())
{
// At the Machine level delete already existing copies of the custom code groups,
// then create the new code groups.
PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;
if (currentLevel.Label == "Machine")
{
// Remove old instances of the custom groups.
DeleteCustomCodeGroups();
// Add the new code groups.
//*******************************************************
// To add a child code group, add the child to the parent prior to adding
// the parent to the root.
myCompanyZone.AddChild(myDepartmentZone);
// Add the parent to the root code group.
currentLevel.RootCodeGroup.AddChild(myCompanyZone);
SecurityManager.SavePolicy();
}
}
// Save the security policy.
SecurityManager.SavePolicy();
Console.WriteLine("Security policy modified.");
Console.WriteLine("New code groups added at the Machine policy level.");
}
public void ResolveWithChildren()
{
PermissionSet pset1 = new PermissionSet(PermissionState.None);
PermissionSet pset2 = new PermissionSet(PermissionState.None);
PermissionSet pset3 = new PermissionSet(PermissionState.None);
PermissionSet pset4 = new PermissionSet(PermissionState.None);
PermissionSet pset5 = new PermissionSet(PermissionState.None);
PermissionSet pset6 = new PermissionSet(PermissionState.None);
IPermission perm1 = new UIPermission(PermissionState.Unrestricted);
IPermission perm2 = new EnvironmentPermission(PermissionState.Unrestricted);
IPermission perm3 = new FileDialogPermission(PermissionState.Unrestricted);
IPermission perm4 = new ReflectionPermission(PermissionState.Unrestricted);
IPermission perm5 = new RegistryPermission(PermissionState.Unrestricted);
IPermission perm6 = new FileIOPermission(PermissionState.Unrestricted);
pset1.AddPermission(perm1);
PolicyStatement policy1 = new PolicyStatement(pset1);
pset2.AddPermission(perm2);
PolicyStatement policy2 = new PolicyStatement(pset2);
pset3.AddPermission(perm3);
PolicyStatement policy3 = new PolicyStatement(pset3);
pset4.AddPermission(perm4);
PolicyStatement policy4 = new PolicyStatement(pset4);
pset5.AddPermission(perm5);
PolicyStatement policy5 = new PolicyStatement(pset5);
pset6.AddPermission(perm6);
PolicyStatement policy6 = new PolicyStatement(pset6);
UnionCodeGroup root = new UnionCodeGroup(new AllMembershipCondition(), policy1);
UnionCodeGroup child1 = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Internet), policy2);
UnionCodeGroup child2 = new UnionCodeGroup(new AllMembershipCondition(), policy3);
UnionCodeGroup child3 = new UnionCodeGroup(new AllMembershipCondition(), policy4);
UnionCodeGroup childofchild1 = new UnionCodeGroup(new AllMembershipCondition(), policy5);
UnionCodeGroup childofchild3 = new UnionCodeGroup(new AllMembershipCondition(), policy6);
child1.AddChild(childofchild1);
child3.AddChild(childofchild3);
root.AddChild(child1);
root.AddChild(child2);
root.AddChild(child3);
PolicyStatement result = root.Resolve(new Evidence());
PermissionSet correctset = new PermissionSet(PermissionState.None);
correctset.AddPermission(perm1);
correctset.AddPermission(perm3);
correctset.AddPermission(perm4);
correctset.AddPermission(perm6);
Assert.AreEqual(correctset.Count, result.PermissionSet.Count, "PermissionSet.Count");
foreach (IPermission p in correctset)
{
IPermission r = result.PermissionSet.GetPermission(p.GetType());
Assert.IsNotNull(r, "PermissionSet.GetPermission");
}
}
