// Returns the fixed sandbox permission set that corresponds to the Zone found in the
// supplied host evidence. The mapping is hard coded:
//
//   no Zone evidence   -> empty set
//   MyComputer         -> unrestricted
//   Intranet           -> built-in LocalIntranet set, extended with whatever NetCodeGroup and a
//                         Read | PathDiscovery FileCodeGroup resolve for this evidence
//   Internet, Trusted  -> built-in Internet set, extended with whatever NetCodeGroup resolves
//   any other zone     -> empty set
//
// Throws ArgumentNullException when evidence is null.
//
// The result depends entirely on the Zone object the host placed in the evidence; nothing in
// this method validates where that Zone came from.
public static PermissionSet GetStandardSandbox(Evidence evidence)
{
    if (evidence == null)
    {
        throw new ArgumentNullException("evidence");
    }

    Zone hostZone = evidence.GetHostEvidence<Zone>();
    if (hostZone == null)
    {
        // Fail closed: without a Zone there is nothing to base a grant on.
        return new PermissionSet(PermissionState.None);
    }

    switch (hostZone.SecurityZone)
    {
        case SecurityZone.MyComputer:
            return new PermissionSet(PermissionState.Unrestricted);

        case SecurityZone.Intranet:
        {
            // NOTE(review): InplaceUnion below mutates the object returned by
            // BuiltInPermissionSets.LocalIntranet. That is only safe if the property hands out
            // a fresh instance on every call; confirm against its definition.
            PermissionSet intranetGrant = BuiltInPermissionSets.LocalIntranet;

            PolicyStatement netPolicy = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
            PolicyStatement filePolicy = new FileCodeGroup(
                new AllMembershipCondition(),
                FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read).Resolve(evidence);

            if (netPolicy != null)
            {
                intranetGrant.InplaceUnion(netPolicy.PermissionSet);
            }

            if (filePolicy != null)
            {
                intranetGrant.InplaceUnion(filePolicy.PermissionSet);
            }

            return intranetGrant;
        }

        case SecurityZone.Internet:
        case SecurityZone.Trusted:
        {
            // Trusted deliberately receives the same grant as Internet, not a wider one.
            // NOTE(review): same aliasing question as for LocalIntranet applies to
            // BuiltInPermissionSets.Internet; confirm it returns a fresh instance.
            PermissionSet internetGrant = BuiltInPermissionSets.Internet;

            PolicyStatement netPolicy = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
            if (netPolicy != null)
            {
                internetGrant.InplaceUnion(netPolicy.PermissionSet);
            }

            return internetGrant;
        }

        default:
            // Any zone value not listed above gets no permissions.
            return new PermissionSet(PermissionState.None);
    }
}
// Folds the asserted permission set in_a into this triple's AssertSet.
//
// Returns null when in_a is null, when in_a is already a subset of AssertSet, or when the
// assert could be merged into the current state. Returns a non-null PermissionSetTriple, built
// from this object before it is reset, when the merge could not be "compressed": either
// RemoveRefusedPermissionSet reported a failure or IsIntersectingAssertedPermissions returned
// true. In that case this object is Reset(), keeps a copy of the previous GrantSet, and then
// receives the new assert.
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
    if (in_a == null)
    {
        return null;
    }

    // Debug.Assert is compiled out of non-DEBUG builds, so this precondition (an unrestricted
    // assert must not be combined with a non-null RefusedSet) is not enforced in release code.
    Debug.Assert((!in_a.IsUnrestricted() || RefusedSet == null), "Cannot be unrestricted or refused must be null");

    // Nothing to do when everything in in_a is already being asserted.
    if (in_a.IsSubsetOf(AssertSet))
    {
        return null;
    }

    PermissionSet effectiveAssert;
    if (GrantSet == null)
    {
        // A null GrantSet is treated as an unrestricted grant: make that explicit and assert
        // the whole of in_a (as a copy, so the caller's object is not shared).
        GrantSet = new PermissionSet(true);
        effectiveAssert = in_a.Copy();
    }
    else
    {
        // An assert can never exceed what has already been granted.
        // NOTE(review): PermissionSet.Intersect can return null for an empty intersection; the
        // helpers and InplaceUnion below are assumed to tolerate a null argument. Confirm.
        effectiveAssert = in_a.Intersect(GrantSet);
    }

    bool mustSplit = false;

    // Strip anything that is already refused out of the set about to be asserted.
    if (RefusedSet != null)
    {
        effectiveAssert = PermissionSet.RemoveRefusedPermissionSet(effectiveAssert, RefusedSet, out mustSplit);
    }

    // Only consult the second check when the first one did not already force a split.
    mustSplit = mustSplit || PermissionSet.IsIntersectingAssertedPermissions(effectiveAssert, AssertSet);

    PermissionSetTriple previousState = null;
    if (mustSplit)
    {
        // Hand the pre-update state back to the caller and start over from its grant.
        // NOTE(review): presumably the PermissionSetTriple(this) constructor copies the current
        // sets; verify, since Reset() is called on this object immediately afterwards.
        previousState = new PermissionSetTriple(this);
        this.Reset();
        this.GrantSet = previousState.GrantSet.Copy();
    }

    if (AssertSet != null)
    {
        AssertSet.InplaceUnion(effectiveAssert);
    }
    else
    {
        AssertSet = effectiveAssert;
    }

    return previousState;
}
// Adds the refused permission set in_r to RefusedSet. A null in_r is ignored.
internal void UpdateRefused(PermissionSet in_r)
{
    if (in_r == null)
    {
        return;
    }

    if (RefusedSet != null)
    {
        // Refusals only ever accumulate: union the new set into the existing one.
        RefusedSet.InplaceUnion(in_r);
        return;
    }

    // First refusal: keep a copy instead of the caller's object, so that RefusedSet does not
    // alias in_r.
    RefusedSet = in_r.Copy();
}
// Get a sandbox permission set that the CLR considers safe to grant an application with the given
// evidence. Note that this API is not a policy API, but rather a host helper API so that a host can
// determine if an application's requested permission set is reasonable. This is essentially just a
// hard coded mapping of Zone -> Sandbox and is not configurable in any way.
//
// Throws ArgumentNullException when evidence is null.
public static PermissionSet GetStandardSandbox(Evidence evidence)
{
    if (evidence == null)
    {
        throw new ArgumentNullException("evidence");
    }

    Contract.EndContractBlock();

    //
    // The grant set is selected by Zone:
    //   MyComputer -> FullTrust
    //   Intranet   -> LocalIntranet
    //   Trusted    -> Internet
    //   Internet   -> Internet
    //   All else   -> Nothing
    //
    // Both the Internet and LocalIntranet zones can have permission set extensions applied to them
    // if there is Activation.
    //
    // When FEATURE_CAS_POLICY is not defined, none of the zone cases below are compiled and
    // every input yields the empty permission set.
    //

    Zone zone = evidence.GetHostEvidence<Zone>();
    if (zone == null)
    {
        // Fail closed: no Zone evidence means no permissions.
        return new PermissionSet(PermissionState.None);
    }

#if FEATURE_CAS_POLICY
    SecurityZone securityZone = zone.SecurityZone;

    if (securityZone == SecurityZone.MyComputer)
    {
        return new PermissionSet(PermissionState.Unrestricted);
    }

    if (securityZone == SecurityZone.Intranet)
    {
        // NOTE(review): InplaceUnion below mutates the object returned by
        // BuiltInPermissionSets.LocalIntranet; confirm the property returns a fresh instance
        // per call so the built-in set is not widened for later callers.
        PermissionSet grant = BuiltInPermissionSets.LocalIntranet;

        // Extend the built-in set with same site web and (read / path discovery) file IO permission.
        PolicyStatement sameSiteWeb = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
        PolicyStatement sameSiteFile = new FileCodeGroup(
            new AllMembershipCondition(),
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery).Resolve(evidence);

        if (sameSiteWeb != null)
        {
            grant.InplaceUnion(sameSiteWeb.PermissionSet);
        }

        if (sameSiteFile != null)
        {
            grant.InplaceUnion(sameSiteFile.PermissionSet);
        }

        return grant;
    }

    if (securityZone == SecurityZone.Internet || securityZone == SecurityZone.Trusted)
    {
        // NOTE(review): same aliasing question as above for BuiltInPermissionSets.Internet.
        PermissionSet grant = BuiltInPermissionSets.Internet;

        // Extend the built-in set with same site web permission.
        PolicyStatement sameSiteWeb = new NetCodeGroup(new AllMembershipCondition()).Resolve(evidence);
        if (sameSiteWeb != null)
        {
            grant.InplaceUnion(sameSiteWeb.PermissionSet);
        }

        return grant;
    }
#endif // FEATURE_CAS_POLICY

    // Any zone not handled above gets no permissions.
    return new PermissionSet(PermissionState.None);
}