예제 #1
        // Returns the fixed sandbox grant set that corresponds to the Zone found in the
        // host-supplied evidence:
        //   MyComputer           -> unrestricted
        //   Intranet             -> LocalIntranet, unioned with what NetCodeGroup and a
        //                           FileCodeGroup (Read | PathDiscovery) resolve for the evidence
        //   Internet / Trusted   -> Internet, unioned with what NetCodeGroup resolves
        //   no Zone / any other  -> empty permission set
        // Throws ArgumentNullException when evidence is null.
        public static PermissionSet GetStandardSandbox(Evidence evidence)
        {
            if (evidence == null)
            {
                throw new ArgumentNullException("evidence");
            }

            // Only Zone evidence supplied by the host is consulted; without it nothing is granted.
            Zone zoneEvidence = evidence.GetHostEvidence<Zone>();
            if (zoneEvidence == null)
            {
                return new PermissionSet(PermissionState.None);
            }

            switch (zoneEvidence.SecurityZone)
            {
                case SecurityZone.MyComputer:
                    // The zone alone decides full trust here, so the result is only as
                    // trustworthy as the Zone evidence the caller passes in.
                    return new PermissionSet(PermissionState.Unrestricted);

                case SecurityZone.Intranet:
                {
                    // NOTE(review): InplaceUnion below mutates this object; confirm that
                    // BuiltInPermissionSets.LocalIntranet hands out a fresh copy, not a shared instance.
                    PermissionSet intranetSet = BuiltInPermissionSets.LocalIntranet;
                    PolicyStatement netPolicy = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
                    PolicyStatement filePolicy = new FileCodeGroup(
                        new AllMembershipCondition(),
                        FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read).Resolve(evidence);

                    if (netPolicy != null)
                    {
                        intranetSet.InplaceUnion(netPolicy.PermissionSet);
                    }
                    if (filePolicy != null)
                    {
                        intranetSet.InplaceUnion(filePolicy.PermissionSet);
                    }
                    return intranetSet;
                }

                case SecurityZone.Internet:
                case SecurityZone.Trusted:
                {
                    // Trusted is deliberately given no more than the Internet set.
                    // NOTE(review): same aliasing question as above for BuiltInPermissionSets.Internet.
                    PermissionSet internetSet = BuiltInPermissionSets.Internet;
                    PolicyStatement netPolicy = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);

                    if (netPolicy != null)
                    {
                        internetSet.InplaceUnion(netPolicy.PermissionSet);
                    }
                    return internetSet;
                }

                default:
                    // Fail closed: every zone value not listed above gets the empty set.
                    return new PermissionSet(PermissionState.None);
            }
        }
예제 #2
        // Folds an asserted permission set into this triple.
        //
        // in_a: the permission set being asserted; null is a no-op.
        //
        // Returns null when in_a is null, when in_a is already a subset of AssertSet, or when
        // the assert could be merged into this triple. Otherwise returns a new
        // PermissionSetTriple constructed from this one before it was reset.
        internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
        {
            if (in_a == null)
            {
                return null;
            }

            Debug.Assert((!in_a.IsUnrestricted() || RefusedSet == null), "Cannot be unrestricted or refused must be null");

            // Already asserting everything in in_a: nothing to record.
            if (in_a.IsSubsetOf(AssertSet))
            {
                return null;
            }

            // An assert never exceeds the grant. With no GrantSet recorded yet the grant is
            // treated as unrestricted, so the whole assert set is kept.
            PermissionSet effectiveAssert;
            if (GrantSet == null)
            {
                GrantSet = new PermissionSet(true);
                effectiveAssert = in_a.Copy();
            }
            else
            {
                effectiveAssert = in_a.Intersect(GrantSet);
            }

            // Refused permissions are stripped from the assert so that an assert cannot
            // re-enable something that was already refused.
            bool cannotCompress = false;
            if (RefusedSet != null)
            {
                effectiveAssert = PermissionSet.RemoveRefusedPermissionSet(effectiveAssert, RefusedSet, out cannotCompress);
            }

            // The intersection check is skipped once the refused-set removal has reported failure.
            cannotCompress = cannotCompress || PermissionSet.IsIntersectingAssertedPermissions(effectiveAssert, AssertSet);

            PermissionSetTriple previousState = null;
            if (cannotCompress)
            {
                // Hand the current state back to the caller and start over, carrying only a
                // copy of the grant set forward.
                // NOTE(review): Reset() is not visible here; presumably it clears the sets on this triple — confirm.
                previousState = new PermissionSetTriple(this);
                this.Reset();
                this.GrantSet = previousState.GrantSet.Copy();
            }

            if (AssertSet != null)
            {
                AssertSet.InplaceUnion(effectiveAssert);
            }
            else
            {
                AssertSet = effectiveAssert;
            }

            return previousState;
        }
예제 #3
 // Adds in_r to the refused set tracked by this triple; a null in_r is ignored.
 internal void UpdateRefused(PermissionSet in_r)
 {
     if (in_r == null)
     {
         return;
     }

     if (RefusedSet != null)
     {
         // Refusals accumulate: the existing set is widened in place.
         RefusedSet.InplaceUnion(in_r);
         return;
     }

     // First refusal: store a copy (presumably so later in-place unions do not
     // modify the caller's set — confirm against callers).
     RefusedSet = in_r.Copy();
 }
예제 #4
        // Get a sandbox permission set that the CLR considers safe to grant an application with the given
        // evidence.  Note that this API is not a policy API, but rather a host helper API so that a host can
        // determine if an application's requested permission set is reasonable.  This is essentially just a
        // hard-coded mapping of Zone -> Sandbox and is not configurable in any way.
        public static PermissionSet GetStandardSandbox(Evidence evidence)
        {
            if (evidence == null)
            {
                throw new ArgumentNullException("evidence");
            }
            Contract.EndContractBlock();

            //
            // The grant set is chosen purely from the Zone host evidence:
            //   MyComputer -> FullTrust
            //   Intranet   -> LocalIntranet
            //   Trusted    -> Internet
            //   Internet   -> Internet
            //   All else   -> Nothing
            //
            //   The Internet and LocalIntranet sets are additionally unioned with whatever the
            //   NetCodeGroup (and, for Intranet, FileCodeGroup) resolves for this evidence.
            //
            //   When FEATURE_CAS_POLICY is not defined, none of the zone branches are compiled
            //   and every non-null zone falls through to the empty set.
            //

            Zone zone = evidence.GetHostEvidence<Zone>();

            // No Zone evidence from the host: grant nothing.
            if (zone == null)
            {
                return new PermissionSet(PermissionState.None);
            }

#if FEATURE_CAS_POLICY
            SecurityZone securityZone = zone.SecurityZone;

            if (securityZone == SecurityZone.MyComputer)
            {
                return new PermissionSet(PermissionState.Unrestricted);
            }

            if (securityZone == SecurityZone.Intranet)
            {
                // NOTE(review): the unions below mutate this object; confirm that
                // BuiltInPermissionSets.LocalIntranet returns a fresh copy, not a shared instance.
                PermissionSet intranetGrantSet = BuiltInPermissionSets.LocalIntranet;

                // Same-site web access and read / path-discovery file IO are added on top.
                PolicyStatement webPolicy =
                    new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
                PolicyStatement filePolicy =
                    new FileCodeGroup(
                        new AllMembershipCondition(),
                        FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery).Resolve(evidence);

                if (webPolicy != null)
                {
                    intranetGrantSet.InplaceUnion(webPolicy.PermissionSet);
                }
                if (filePolicy != null)
                {
                    intranetGrantSet.InplaceUnion(filePolicy.PermissionSet);
                }

                return intranetGrantSet;
            }

            if (securityZone == SecurityZone.Internet || securityZone == SecurityZone.Trusted)
            {
                // NOTE(review): same aliasing question as above for BuiltInPermissionSets.Internet.
                PermissionSet internetGrantSet = BuiltInPermissionSets.Internet;

                // Same-site web access is added on top.
                PolicyStatement webPolicy =
                    new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);

                if (webPolicy != null)
                {
                    internetGrantSet.InplaceUnion(webPolicy.PermissionSet);
                }

                return internetGrantSet;
            }
#endif // FEATURE_CAS_POLICY

            // Fail closed for every zone not handled above.
            return new PermissionSet(PermissionState.None);
        }