static void WritePermissionSet(string file) { WMDDetectorPermission perm = new WMDDetectorPermission(WMDDetectorPermissions.Read); NamedPermissionSet pset = new NamedPermissionSet("ReadWMDDetector"); pset.Description = "WMD Detector Permission Set"; pset.SetPermission(perm); StreamWriter sw = new StreamWriter(file); sw.Write(pset.ToXml()); sw.Close(); }
}// NewPermissions protected override int WizFinish(IntPtr hwnd) { if (isImportXMLFile) { // We're importing a permission set try { SecurityElement se = SecurityXMLStuff.GetSecurityElementFromXMLFile(XMLFilename); if (se == null) { throw new Exception("Invalid XML"); } m_ps = new NamedPermissionSet("Hi"); m_ps.FromXml(se); if (m_ps.Name == null || m_ps.Name.Length == 0) { m_ps.Name = Security.FindAGoodPermissionSetName(m_pl, "CustomPermissionSet"); } return(0); } catch (Exception) { MessageBox(CResourceStore.GetString("XMLNoPermSet"), CResourceStore.GetString("XMLNoPermSetTitle"), MB.ICONEXCLAMATION); SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)0, (IntPtr)(-1)); return(-1); } } // Ok, let's create our permission set NamedPermissionSet nps = new NamedPermissionSet(NewPermissionSetName, PermissionState.None); nps.Description = NewPermissionSetDescription; IPermission[] perms = NewPermissions; for (int i = 0; i < perms.Length; i++) { nps.SetPermission(perms[i]); } // Ok, now that we have this permission set, let's add it to // our other ones.... m_ps = nps; return(0); }// WizFinish
public void ShouldWorkEvenWithLowestPossiblePermissions() { // based on: https://msdn.microsoft.com/en-us/library/bb384237(v=vs.110).aspx Evidence evidence = new Evidence(); evidence.AddHostEvidence(new Zone(SecurityZone.Internet)); PermissionSet permissionSet = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(evidence)); permissionSet.SetPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess)); AppDomainSetup appDomainSetup = new AppDomainSetup { ApplicationBase = "." }; AppDomain sandbox = AppDomain.CreateDomain("Sandbox", evidence, appDomainSetup, permissionSet, null); CrossDomain crossDomain = (CrossDomain)sandbox.CreateInstanceAndUnwrap(typeof(CrossDomain).Assembly.FullName, typeof(CrossDomain).FullName); Assert.AreEqual(3, crossDomain.RunArrayProvider()); }
// The entry point for the code example. static void Main() { // Get the display name of the executing assembly, to use when // creating objects to run code in application domains. //<Snippet14> String asmName = typeof(Worker).Assembly.FullName; //</Snippet14> // Create the permission set to grant to other assemblies. In this // case they are the permissions found in the Internet zone. //<Snippet2> Evidence ev = new Evidence(); ev.AddHostEvidence(new Zone(SecurityZone.Internet)); PermissionSet pset = new NamedPermissionSet("Internet", SecurityManager.GetStandardSandbox(ev)); //</Snippet2> // For simplicity, set up the application domain to use the // current path as the application folder, so the same executable // can be used in both trusted and untrusted scenarios. Normally // you would not do this with real untrusted code. //<Snippet3> AppDomainSetup adSetup = new AppDomainSetup(); adSetup.ApplicationBase = "."; //</Snippet3> // Create an application domain in which all code that executes is // granted the permissions of an application run from the Internet. //<Snippet5> AppDomain ad = AppDomain.CreateDomain("Sandbox", ev, adSetup, pset, null); //</Snippet5> // Create an instance of the Worker class in the partially trusted // domain. Note: If you build this code example in Visual Studio, // you must change the name of the class to include the default // namespace, which is the project name. For example, if the project // is "AnonymouslyHosted", the class is "AnonymouslyHosted.Worker". //<Snippet12> Worker w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker"); //</Snippet12> // Emit a simple dynamic method that prints "Hello, World!" //<Snippet13> w.SimpleEmitDemo(); //</Snippet13> // Emit and invoke a dynamic method that calls a private method // of Worker, with JIT visibility checks enforced. The call fails // when the delegate is invoked. w.AccessPrivateMethod(false); // Emit and invoke a dynamic method that calls a private method // of Worker, skipping JIT visibility checks. The call fails when // the method is invoked. w.AccessPrivateMethod(true); // Unload the application domain. Add RestrictedMemberAccess to the // grant set, and use it to create an application domain in which // partially trusted code can call private members, as long as the // trust level of those members is equal to or lower than the trust // level of the partially trusted code. AppDomain.Unload(ad); //<Snippet7> pset.SetPermission( new ReflectionPermission( ReflectionPermissionFlag.RestrictedMemberAccess)); //</Snippet7> //<Snippet8> ad = AppDomain.CreateDomain("Sandbox2", ev, adSetup, pset, null); //</Snippet8> // Create an instance of the Worker class in the partially trusted // domain. w = (Worker)ad.CreateInstanceAndUnwrap(asmName, "Worker"); // Again, emit and invoke a dynamic method that calls a private method // of Worker, skipping JIT visibility checks. This time compilation // succeeds because of the grant for RestrictedMemberAccess. w.AccessPrivateMethod(true); // Finally, emit and invoke a dynamic method that calls an internal // method of the String class. The call fails, because the trust level // of the assembly that contains String is higher than the trust level // of the assembly that emits the dynamic method. w.AccessPrivateMethod(); }
}// ImportPermissionSet protected override int WizFinish(IntPtr hwnd) { // Let's see if we're importing the codegroup from a file if (CodeGroupFilename != null) { m_cg = ImportCodegroup(); if (m_cg != null) { return(0); } // Else, we had problems SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)0, (IntPtr)(-1)); return(-1); } // This is the case where we need to create a code group from scratch // Ok, let's get our permission set if (PermissionSet == null) { NamedPermissionSet nps = null; if (PermissionSetFilename != null && PermissionSetFilename.Length > 0) { nps = ImportPermissionSet(); if (nps == null) { SendMessage(GetParent(hwnd), PSM.SETCURSEL, (IntPtr)3, (IntPtr)(-1)); return(-1); } } else // They built a new permission set { nps = new NamedPermissionSet(NewPermissionSetName); nps.Description = NewPermissionSetDescription; IPermission[] perms = NewPermissions; for (int i = 0; i < perms.Length; i++) { nps.SetPermission(perms[i]); } } // Ok, now that we have this permission set, let's make it available // so it can be added it to our other ones.... m_fNewPermissionSet = true; m_ps = nps; } else { m_fNewPermissionSet = false; m_ps = PermissionSet; } // Now create our codegroup PolicyStatement pols = new PolicyStatement(m_ps); pols.Attributes = PolicyStatementAttribute.Nothing; if (IsLevelFinal) { pols.Attributes |= PolicyStatementAttribute.LevelFinal; } if (IsExclusive) { pols.Attributes |= PolicyStatementAttribute.Exclusive; } UnionCodeGroup ucg = new UnionCodeGroup(NewMembershipCondition, pols); ucg.Name = NewCodeGroupName; ucg.Description = NewCodeGroupDescription; m_cg = ucg; return(0); }// WizFinish