/// <summary>
/// Creates an AppDomain whose AppDomain-level policy grants every assembly
/// reflection (all flags) plus the Execution, ControlEvidence and ControlPolicy
/// security permissions, and nothing else.
/// </summary>
/// <param name="domainName">Friendly name passed to AppDomain.CreateDomain.</param>
/// <returns>The new domain, with the policy level already applied.</returns>
private static AppDomain CreateRestrictedDomain(string domainName)
        {
            // Root of the policy tree: matches every assembly and grants nothing by itself.
            UnionCodeGroup rootGroup = new UnionCodeGroup(
                new AllMembershipCondition(),
                new PolicyStatement(new PermissionSet(PermissionState.None)));

            // Grant set the test hands to all code in the new domain.
            // NOTE(review): ControlPolicy and ControlEvidence let the granted code change
            // security policy and supply its own evidence, and ReflectionPermission with
            // AllFlags covers non-public members. This set fits a test harness; it should
            // not be reused as an isolation boundary for untrusted code.
            PermissionSet testGrant = new PermissionSet(PermissionState.None);
            testGrant.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.AllFlags));
            testGrant.AddPermission(new SecurityPermission(
                SecurityPermissionFlag.Execution | SecurityPermissionFlag.ControlEvidence | SecurityPermissionFlag.ControlPolicy));
            rootGroup.AddChild(new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(testGrant)));

            // The tree becomes the root code group of a fresh AppDomain policy level.
            PolicyLevel domainLevel = PolicyLevel.CreateAppDomainLevel();
            domainLevel.RootCodeGroup = rootGroup;

            // ApplicationBase is the current directory so the test assembly can be found.
            AppDomainSetup setup = new AppDomainSetup();
            setup.ApplicationBase = Environment.CurrentDirectory;

            // The policy is applied after the domain exists, before any code is loaded into it here.
            AppDomain sandbox = AppDomain.CreateDomain(domainName, null, setup);
            sandbox.SetAppDomainPolicy(domainLevel);
            return sandbox;
        }
Example #2
		// Builds a new UnionCodeGroup from this group's membership condition and
		// policy statement and carries over Name and Description. When 'childs' is
		// true, every child is duplicated through its own Copy () before being
		// attached; when false the result has no children.
		// NOTE(review): whether MembershipCondition and PolicyStatement are cloned
		// or shared with the original depends on the constructor and accessors,
		// which are not visible here.
		internal CodeGroup Copy (bool childs) 
		{
			UnionCodeGroup clone = new UnionCodeGroup (MembershipCondition, PolicyStatement);
			clone.Name = Name;
			clone.Description = Description;
			if (!childs)
				return clone;

			foreach (CodeGroup nested in Children)
				clone.AddChild (nested.Copy ());
			return clone;
		}
        /// <summary>Makes a copy of the current code group.</summary>
        /// <returns>A new <see cref="UnionCodeGroup"/> with the same membership condition, policy statement, name, description and children.</returns>
        /// <remarks>
        /// The children are handed to AddChild as they come out of the Children list.
        /// NOTE(review): how deep the copy is depends on the property accessors and on
        /// AddChild, neither of which is visible here; confirm before relying on the
        /// copy being independent of the original policy objects.
        /// </remarks>
        // Token: 0x06002A5C RID: 10844 RVA: 0x0009D9A8 File Offset: 0x0009BBA8
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup();

            duplicate.MembershipCondition = base.MembershipCondition;
            duplicate.PolicyStatement     = base.PolicyStatement;
            duplicate.Name        = base.Name;
            duplicate.Description = base.Description;

            // The typed loop variable performs the same cast the original spelled out.
            foreach (CodeGroup child in base.Children)
            {
                duplicate.AddChild(child);
            }
            return duplicate;
        }
Example #4
        /// <summary>Makes a deep copy of the current code group.</summary>
        /// <returns>An equivalent copy of the current code group, including its membership conditions and child code groups.</returns>
        /// <remarks>
        /// NOTE(review): the body passes each child straight to AddChild; the "deep" part
        /// of the contract therefore rests on AddChild and the property accessors, which
        /// are not shown here.
        /// </remarks>
        /// <PermissionSet>
        ///   <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="UnmanagedCode" />
        /// </PermissionSet>
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup();

            duplicate.MembershipCondition = this.MembershipCondition;
            duplicate.PolicyStatement     = this.PolicyStatement;
            duplicate.Name        = this.Name;
            duplicate.Description = this.Description;

            // Walk the child list by hand; each element is cast to CodeGroup as before.
            IEnumerator walker = ((IEnumerable)this.Children).GetEnumerator();
            while (walker.MoveNext())
            {
                duplicate.AddChild((CodeGroup)walker.Current);
            }
            return duplicate;
        }
Example #5
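        /// <summary>
        /// Builds an AppDomain policy level whose root grants Execution to all code and
        /// whose single child grants an unrestricted permission set to assemblies signed
        /// with this assembly's strong-name key, then prints the result to the console.
        /// </summary>
        /// <remarks>
        /// Failures are reported on the console instead of being dropped: an exception
        /// while assembling security policy should not pass unnoticed.
        /// </remarks>
        private static void CreateAPolicyLevel()
        {
            try
            {
                // Create an AppDomain policy level.
                PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();

                // The root code group of the policy level combines all permissions of its children.
                PermissionSet ps = new PermissionSet(PermissionState.None);
                ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

                UnionCodeGroup rootCodeGroup = new UnionCodeGroup(
                    new AllMembershipCondition(),
                    new PolicyStatement(ps, PolicyStatementAttribute.Nothing));

                // This code group grants an unrestricted permission set to assemblies with the
                // strong name key from this assembly. Name and version are null, so the key
                // alone decides membership: anything signed with it receives the full grant.
                UnionCodeGroup myCodeGroup = new UnionCodeGroup(
                    new StrongNameMembershipCondition(
                        new StrongNamePublicKeyBlob(GetKey()),
                        null,
                        null),
                    new PolicyStatement(new PermissionSet(PermissionState.Unrestricted),
                        PolicyStatementAttribute.Nothing)
                    );
                myCodeGroup.Name = "My CodeGroup";

                // Add the code groups to the policy level.
                rootCodeGroup.AddChild(myCodeGroup);
                pLevel.RootCodeGroup = rootCodeGroup;
                Console.WriteLine("Permissions granted to all code running in this AppDomain level: ");
                Console.WriteLine(rootCodeGroup.ToXml());
                Console.WriteLine("Child code groups in RootCodeGroup: ");
                foreach (CodeGroup childGroup in pLevel.RootCodeGroup.Children)
                {
                    Console.WriteLine("\t" + childGroup.Name);
                }
                Console.WriteLine("Demonstrate adding and removing named permission sets.");
                Console.WriteLine("Original named permissions sets:");
                ListPermissionSets(pLevel);
            }
            catch (Exception e)
            {
                // Still best-effort (nothing is rethrown), but the failure is now visible.
                Console.WriteLine("CreateAPolicyLevel failed: " + e.Message);
            }
        }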
Example #6
        // Builds a new UnionCodeGroup from this group's membership condition and
        // policy statement, carrying over Name and Description. Children are
        // duplicated (each through its own Copy()) only when 'childs' is true.
        internal CodeGroup Copy(bool childs)
        {
            UnionCodeGroup clone = new UnionCodeGroup(MembershipCondition, PolicyStatement);

            clone.Name        = Name;
            clone.Description = Description;
            if (!childs)
            {
                return clone;
            }

            foreach (CodeGroup nested in Children)
            {
                clone.AddChild(nested.Copy());
            }
            return clone;
        }
 // Returns a new UnionCodeGroup with this group's membership condition, policy
 // statement, name and description, and with every child attached via AddChild.
 // NOTE(review): the children are passed on as returned by Children; whether the
 // copy ends up independent of the original depends on AddChild and the accessors,
 // which are not visible here.
 public override CodeGroup Copy()
 {
     UnionCodeGroup duplicate = new UnionCodeGroup();
     duplicate.MembershipCondition = base.MembershipCondition;
     duplicate.PolicyStatement = base.PolicyStatement;
     duplicate.Name = base.Name;
     duplicate.Description = base.Description;

     foreach (CodeGroup child in base.Children)
     {
         duplicate.AddChild(child);
     }
     return duplicate;
 }
Example #8
        // Returns a new UnionCodeGroup that carries this group's membership
        // condition, policy statement, name and description; each entry of
        // Children is cast to CodeGroup and attached through AddChild.
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup();

            duplicate.MembershipCondition = base.MembershipCondition;
            duplicate.PolicyStatement     = base.PolicyStatement;
            duplicate.Name        = base.Name;
            duplicate.Description = base.Description;

            foreach (CodeGroup child in base.Children)
            {
                duplicate.AddChild(child);
            }
            return duplicate;
        }
        // Builds a new UnionCodeGroup from the base membership condition and policy
        // statement, then copies Name and Description. With 'childs' set, each child
        // is duplicated through its own Copy() and attached; otherwise the result
        // has no children.
        internal CodeGroup Copy(bool childs)
        {
            UnionCodeGroup clone = new UnionCodeGroup(base.MembershipCondition, base.PolicyStatement);

            clone.Name        = base.Name;
            clone.Description = base.Description;
            if (!childs)
            {
                return clone;
            }

            foreach (CodeGroup nested in base.Children)
            {
                clone.AddChild(nested.Copy());
            }
            return clone;
        }
	// Make a copy of this code group: same membership condition, policy
	// statement, name and description, plus every child when a child list
	// exists. Children are attached as returned by Children; any cloning is
	// left to AddChild, which is not visible here.
	public override CodeGroup Copy()
			{
				UnionCodeGroup duplicate = new UnionCodeGroup
					(MembershipCondition, PolicyStatement);
				duplicate.Name = Name;
				duplicate.Description = Description;

				// A null child list is treated as "no children".
				IList kids = Children;
				if(kids == null)
				{
					return duplicate;
				}
				foreach(CodeGroup kid in kids)
				{
					duplicate.AddChild(kid);
				}
				return duplicate;
			}
Example #11
        /// <include file='doc\UnionCodeGroup.uex' path='docs/doc[@for="UnionCodeGroup.Copy"]/*' />
        // Returns a new UnionCodeGroup populated from this group's membership
        // condition, policy statement, name and description, with every child
        // attached through AddChild.
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup();

            duplicate.MembershipCondition = this.MembershipCondition;
            duplicate.PolicyStatement     = this.PolicyStatement;
            duplicate.Name        = this.Name;
            duplicate.Description = this.Description;

            // The typed loop variable performs the cast to CodeGroup.
            foreach (CodeGroup child in this.Children)
            {
                duplicate.AddChild(child);
            }

            return duplicate;
        }
Example #12
        // Make a copy of this code group: same membership condition, policy
        // statement, name and description, plus every child when a child list
        // exists. Children are attached as returned by Children; any cloning is
        // left to AddChild, which is not visible here.
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup
                        (MembershipCondition, PolicyStatement);

            duplicate.Name        = Name;
            duplicate.Description = Description;

            // A null child list is treated as "no children".
            IList kids = Children;
            if (kids == null)
            {
                return duplicate;
            }
            foreach (CodeGroup kid in kids)
            {
                duplicate.AddChild(kid);
            }
            return duplicate;
        }
        /// From MRMModule.cs by Adam Frisby
        /// <summary>
        ///   Create an AppDomain whose grant set is derived from a named permission set
        ///   and then widened with unrestricted socket, web and security permissions
        /// </summary>
        /// <param name = "permissionSetName">name of the permission set to restrict to</param>
        /// <param name = "appDomainName">'friendly' name of the appdomain to be created</param>
        /// <param name = "ads">setup information passed to AppDomain.CreateDomain</param>
        /// <exception cref = "ArgumentNullException">
        ///   if <paramref name = "permissionSetName" /> is null
        /// </exception>
        /// <exception cref = "ArgumentOutOfRangeException">
        ///   if <paramref name = "permissionSetName" /> is empty
        /// </exception>
        /// <returns>AppDomain with the security policy described above</returns>
        /// <remarks>
        ///   Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
        ///   Valid permissionSetName values are:
        ///   * FullTrust
        ///   * SkipVerification
        ///   * Execution
        ///   * Nothing
        ///   * LocalIntranet
        ///   * Internet
        ///   * Everything
        ///   The list above applies to the NET_3_5 build, which looks the name up in each
        ///   policy level. In the other build the name is parsed as a SecurityZone member
        ///   instead, and a name that does not parse falls back to SecurityZone.MyComputer.
        ///   NOTE(review): both builds add an unrestricted SecurityPermission to the final
        ///   grant set, so the resulting domain should not be treated as a sandbox for
        ///   untrusted code without reviewing that grant.
        /// </remarks>
        public AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName, AppDomainSetup ads)
        {
            if (permissionSetName == null)
                throw new ArgumentNullException("permissionSetName");
            if (permissionSetName.Length == 0)
                throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
                                                      "Cannot have an empty permission set name");

            // Start from the unrestricted set so that the first Intersect() below
            // yields the first level's own named set
            PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
            AppDomain restrictedDomain = null;

#if NET_3_5

            // Root of the policy tree: matches all code and grants nothing by itself
            PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
            UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);

            bool foundName = false;
            // iterate over each policy level
            IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
            while (levelEnumerator.MoveNext())
            {
                PolicyLevel level = levelEnumerator.Current as PolicyLevel;

                // if this level has defined a named permission set with the
                // given name, then intersect it with what we've retrieved
                // from all the previous levels
                if (level != null)
                {
                    PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
                    if (levelSet != null)
                    {
                        foundName = true;
                        if (setIntersection != null)
                            setIntersection = setIntersection.Intersect(levelSet);
                    }
                }
            }

            // Intersect() can return null for an empty set, so convert that
            // to an empty set object. Also return an empty set if we didn't find
            // the named permission set we were looking for
            if (setIntersection == null || !foundName)
                setIntersection = new PermissionSet(PermissionState.None);
            else
                setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);

            // Widen the grant: unrestricted socket, web and security permissions are
            // added on top of whatever the named set allowed, including the empty set
            // chosen above when the name was not found.
            // NOTE(review): an unrestricted SecurityPermission carries every
            // SecurityPermissionFlag (ControlPolicy, ControlEvidence, UnmanagedCode, ...),
            // which largely cancels the restriction computed above - confirm this is intended
            setIntersection.AddPermission(new SocketPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new WebPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new SecurityPermission(PermissionState.Unrestricted));

            PolicyStatement permissions = new PolicyStatement(setIntersection);
            policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));

            // create an AppDomain policy level for the policy tree
            PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
            appDomainLevel.RootCodeGroup = policyRoot;

            // create an AppDomain where this policy will be in effect
            restrictedDomain = AppDomain.CreateDomain(appDomainName, null, ads);
            restrictedDomain.SetAppDomainPolicy(appDomainLevel);
#else
            // Here the name is read as a SecurityZone member, not as a named permission set.
            // NOTE(review): the bare catch turns every parse failure into MyComputer, so an
            // unknown or mistyped name silently selects the local-machine zone instead of
            // being rejected; most of the names listed in the remarks are not SecurityZone
            // members and would take this path. Presumably MyComputer yields the most
            // permissive standard sandbox - verify, and consider failing closed
            SecurityZone zone = SecurityZone.MyComputer;
            try
            {
                zone = (SecurityZone)Enum.Parse(typeof(SecurityZone), permissionSetName);
            }
            catch
            {
                zone = SecurityZone.MyComputer;
            }

            // The zone evidence selects the standard sandbox grant set
            Evidence ev = new Evidence();
            ev.AddHostEvidence(new Zone(zone));
            setIntersection = SecurityManager.GetStandardSandbox(ev);
            // Same widening as the NET_3_5 build: unrestricted socket, web and security
            // permissions are added to the sandbox grant (see the NOTE(review) in remarks)
            setIntersection.AddPermission(new System.Net.SocketPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new System.Net.WebPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new System.Security.Permissions.SecurityPermission(PermissionState.Unrestricted));

            // create an AppDomain where this policy will be in effect
            restrictedDomain = AppDomain.CreateDomain(appDomainName, ev, ads, setIntersection, null);
#endif

            return restrictedDomain;
        }
Example #14
		// Builds a three-level tree (an all-code group granting nothing, a copy of
		// it as its child, and an Untrusted-zone group granting an unrestricted set
		// added to that copy) and checks what ResolveMatchingCodeGroups returns for
		// empty evidence.
		public void ResolveMatchingCodeGroups_ThreeLevel ()
		{
			PolicyStatement grantsNothing = new PolicyStatement (new PermissionSet (PermissionState.None));
			UnionCodeGroup top = new UnionCodeGroup (new AllMembershipCondition (), grantsNothing);

			// The middle level is attached to the top before the third level is added to it.
			CodeGroup middle = top.Copy ();
			top.AddChild (middle);

			PolicyStatement grantsEverything = new PolicyStatement (new PermissionSet (PermissionState.Unrestricted));
			UnionCodeGroup bottom = new UnionCodeGroup (new ZoneMembershipCondition (SecurityZone.Untrusted), grantsEverything);
			middle.AddChild (bottom);

			CodeGroup resolved = top.ResolveMatchingCodeGroups (new Evidence ());
			Assert.IsNotNull (resolved, "Match");
			Assert.IsTrue (resolved.Equals (top, false), "Equals(false)");
			// Equals (true) isn't a deep compare (just one level)
			Assert.IsTrue (resolved.Equals (top, true), "Equals(true)");
		}
Example #15
        // Installs an AppDomain policy level on the current domain: all code gets the
        // "Execution" named set, while assemblies matching the Microsoft key, the ECMA
        // key or the GAC membership condition get the "FullTrust" named set.
        [System.Security.SecurityCritical]  // auto-generated
        private static void SetupSecurity()
        {
            PolicyLevel domainLevel = PolicyLevel.CreateAppDomainLevel();

            // Baseline for every assembly.
            CodeGroup root = new UnionCodeGroup( new AllMembershipCondition(), domainLevel.GetNamedPermissionSet( "Execution" ) );

            // Name and version are null in both strong-name conditions, so the public
            // key alone decides membership in the FullTrust groups.
            root.AddChild( new UnionCodeGroup(
                new StrongNameMembershipCondition( new StrongNamePublicKeyBlob( AssemblyRef.MicrosoftPublicKeyFull ), null, null ),
                domainLevel.GetNamedPermissionSet( "FullTrust" ) ) );
            root.AddChild( new UnionCodeGroup(
                new StrongNameMembershipCondition( new StrongNamePublicKeyBlob( AssemblyRef.EcmaPublicKeyFull ), null, null ),
                domainLevel.GetNamedPermissionSet( "FullTrust" ) ) );
            root.AddChild( new UnionCodeGroup( new GacMembershipCondition(), domainLevel.GetNamedPermissionSet( "FullTrust" ) ) );

            domainLevel.RootCodeGroup = root;

            try
            {
                AppDomain.CurrentDomain.SetAppDomainPolicy( domainLevel );
            }
            catch (PolicyException)
            {
                // Ignored on purpose by the original code.
                // NOTE(review): when this is thrown the policy above is not in effect and
                // nothing records that; confirm callers do not assume the restriction holds.
            }
        }
Example #16
		// Resolves a code-group tree against empty evidence and checks which
		// permissions come back. Each group grants exactly one unrestricted
		// permission. The test expects the grants of the root, of the two all-code
		// children and of the second one's own child; the Internet-zone child and
		// the group below it are expected to contribute nothing.
		public void ResolveWithChildren ()
		{
			IPermission[] perms = new IPermission[] {
				new UIPermission (PermissionState.Unrestricted),
				new EnvironmentPermission (PermissionState.Unrestricted),
				new FileDialogPermission (PermissionState.Unrestricted),
				new ReflectionPermission (PermissionState.Unrestricted),
				new RegistryPermission (PermissionState.Unrestricted),
				new FileIOPermission (PermissionState.Unrestricted)
			};

			// One single-permission policy statement per entry above.
			PolicyStatement[] policies = new PolicyStatement [perms.Length];
			for (int i = 0; i < perms.Length; i++) {
				PermissionSet single = new PermissionSet (PermissionState.None);
				single.AddPermission (perms [i]);
				policies [i] = new PolicyStatement (single);
			}

			UnionCodeGroup root = new UnionCodeGroup (new AllMembershipCondition (), policies [0]);

			UnionCodeGroup internetOnly = new UnionCodeGroup (new ZoneMembershipCondition (SecurityZone.Internet), policies [1]);
			UnionCodeGroup allCodeA = new UnionCodeGroup (new AllMembershipCondition (), policies [2]);
			UnionCodeGroup allCodeB = new UnionCodeGroup (new AllMembershipCondition (), policies [3]);
			UnionCodeGroup underInternetOnly = new UnionCodeGroup (new AllMembershipCondition (), policies [4]);
			UnionCodeGroup underAllCodeB = new UnionCodeGroup (new AllMembershipCondition (), policies [5]);

			// Grandchildren are attached before their parents join the root.
			internetOnly.AddChild (underInternetOnly);
			allCodeB.AddChild (underAllCodeB);

			root.AddChild (internetOnly);
			root.AddChild (allCodeA);
			root.AddChild (allCodeB);

			PolicyStatement resolved = root.Resolve (new Evidence ());

			PermissionSet expected = new PermissionSet (PermissionState.None);
			foreach (int index in new int[] { 0, 2, 3, 5 }) {
				expected.AddPermission (perms [index]);
			}

			Assert.AreEqual (expected.Count, resolved.PermissionSet.Count, "PermissionSet.Count");
			foreach (IPermission wanted in expected) {
				IPermission found = resolved.PermissionSet.GetPermission (wanted.GetType ());
				Assert.IsNotNull (found, "PermissionSet.GetPermission");
			}
		}		
Example #17
		// Copies a code group that has one child and checks that the copy reports
		// the same number of children and serialises to the same XML as the original.
		public void CopyWithChildren () 
		{
			PolicyStatement grantsEverything = new PolicyStatement (new PermissionSet (PermissionState.Unrestricted));
			UnionCodeGroup child = new UnionCodeGroup (new AllMembershipCondition (), grantsEverything);

			PolicyStatement grantsNothing = new PolicyStatement (new PermissionSet (PermissionState.None));
			UnionCodeGroup parent = new UnionCodeGroup (new AllMembershipCondition (), grantsNothing);
			parent.AddChild (child);

			UnionCodeGroup duplicate = (UnionCodeGroup) parent.Copy ();
			Assert.AreEqual (parent.Children.Count, duplicate.Children.Count, "Children");
			Assert.AreEqual (parent.ToXml ().ToString (), duplicate.ToXml ().ToString (), "ToXml");
		}
 // Installs an AppDomain policy level on the current domain: all code gets the
 // "Execution" named set, while assemblies matching either hard-coded strong-name
 // key or the GAC membership condition get the "FullTrust" named set.
 private static void SetupSecurity()
 {
     PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
     CodeGroup root = new UnionCodeGroup(new AllMembershipCondition(), level.GetNamedPermissionSet("Execution"));

     // Name and version are null in both strong-name conditions, so the public key
     // alone decides membership in the FullTrust groups.
     StrongNamePublicKeyBlob longKey = new StrongNamePublicKeyBlob("002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293");
     CodeGroup longKeyGroup = new UnionCodeGroup(new StrongNameMembershipCondition(longKey, null, null), level.GetNamedPermissionSet("FullTrust"));
     StrongNamePublicKeyBlob shortKey = new StrongNamePublicKeyBlob("00000000000000000400000000000000");
     CodeGroup shortKeyGroup = new UnionCodeGroup(new StrongNameMembershipCondition(shortKey, null, null), level.GetNamedPermissionSet("FullTrust"));
     CodeGroup gacGroup = new UnionCodeGroup(new GacMembershipCondition(), level.GetNamedPermissionSet("FullTrust"));

     root.AddChild(longKeyGroup);
     root.AddChild(shortKeyGroup);
     root.AddChild(gacGroup);
     level.RootCodeGroup = root;

     try
     {
         AppDomain.CurrentDomain.SetAppDomainPolicy(level);
     }
     catch (PolicyException)
     {
         // Ignored on purpose by the original code.
         // NOTE(review): when this is thrown the policy above is not in effect and
         // nothing records that; confirm callers do not assume the restriction holds.
     }
 }
Example #19
		// Creates the "test" AppDomain and applies an AppDomain policy level in which
		// the root grants nothing and a MyComputer-zone child grants, with the
		// Exclusive attribute, the security flags and unrestricted permissions below.
		// NOTE(review): the grant includes Assertion, ControlPolicy, ControlEvidence
		// and SerializationFormatter along with unrestricted file, registry and
		// reflection access; it is a broad test fixture, not a restrictive sandbox.
		static AppDomain NewDomain () {
			CodeGroup root = new UnionCodeGroup(new AllMembershipCondition(),
				new PolicyStatement(new PermissionSet(PermissionState.None),PolicyStatementAttribute.Nothing));

			PermissionSet grant = new PermissionSet(PermissionState.None);

			// Each flag is added as its own SecurityPermission, in this order.
			SecurityPermissionFlag[] securityFlags = {
				SecurityPermissionFlag.Execution,
				SecurityPermissionFlag.Assertion,
				SecurityPermissionFlag.ControlAppDomain,
				SecurityPermissionFlag.ControlDomainPolicy,
				SecurityPermissionFlag.ControlEvidence,
				SecurityPermissionFlag.ControlPolicy,
				SecurityPermissionFlag.ControlPrincipal,
				SecurityPermissionFlag.ControlThread,
				SecurityPermissionFlag.Infrastructure,
				SecurityPermissionFlag.RemotingConfiguration,
				SecurityPermissionFlag.SerializationFormatter
			};
			foreach (SecurityPermissionFlag flag in securityFlags)
				grant.AddPermission(new SecurityPermission(flag));

			// Resource permissions, all unrestricted.
			IPermission[] unrestricted = {
				new FileIOPermission(PermissionState.Unrestricted),
				new EnvironmentPermission(PermissionState.Unrestricted),
				new ReflectionPermission(PermissionState.Unrestricted),
				new RegistryPermission(PermissionState.Unrestricted),
				new IsolatedStorageFilePermission(PermissionState.Unrestricted),
				new EventLogPermission(PermissionState.Unrestricted),
				new PerformanceCounterPermission(PermissionState.Unrestricted),
				new DnsPermission(PermissionState.Unrestricted),
				new UIPermission(PermissionState.Unrestricted)
			};
			foreach (IPermission permission in unrestricted)
				grant.AddPermission(permission);

			root.AddChild(new UnionCodeGroup(
				new ZoneMembershipCondition(SecurityZone.MyComputer),
				new PolicyStatement(grant,PolicyStatementAttribute.Exclusive)));

			PolicyLevel domainLevel = PolicyLevel.CreateAppDomainLevel();
			domainLevel.RootCodeGroup = root;

			AppDomain created = AppDomain.CreateDomain ("test");
			created.SetAppDomainPolicy(domainLevel);
			return created;
		}
        // Returns a new UnionCodeGroup populated from this group's membership
        // condition, policy statement, name and description, with every child
        // attached through AddChild.
        // NOTE(review): children are passed on as returned by Children; whether the
        // copy is independent of the original depends on AddChild and the accessors,
        // which are not visible here.
        public override CodeGroup Copy()
        {
            UnionCodeGroup duplicate = new UnionCodeGroup();

            duplicate.MembershipCondition = this.MembershipCondition;
            duplicate.PolicyStatement = this.PolicyStatement;
            duplicate.Name = this.Name;
            duplicate.Description = this.Description;

            // The typed loop variable performs the cast to CodeGroup.
            foreach (CodeGroup child in this.Children)
            {
                duplicate.AddChild( child );
            }

            return duplicate;
        }