Hi,

I'm having trouble running untrusted code inside a sandboxed AppDomain, and
I was hoping that someone could help me!

The code is user-supplied, and so I want my Winform application to run the
code in a seperate AppDomain without any more permissions than given in the
Internet permission set.

This seems to work okay, except for when the code contains Winform code -
such as MessageBox.Show. The following exception is thrown when
UntrustedMethod is called in my sandboxed appdomain:

System.Security.Policy.PolicyException: Required permissions cannot be
acquired.

I've tried adding UIPermissionWindow.AllWindows, but that doesn't seem to
help.

Thanks in advance for your help,

Kirk

using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

namespace Sandbox
{

interface ISandbox {
void UntrustedMethod();
}

[Serializable]
class Sandbox : MarshalByRefObject, ISandbox
{
[STAThread]
static void Main(string[] args) {
AppDomainSetup setup = new AppDomainSetup();
setup.ApplicationName = "Sandbox secure appdomain";
setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

AppDomain sandboxAppDomain = AppDomain.CreateDomain("Sandbox secure
appdomain", null, setup);

// Load the internet permission set, and add UIPermission.AllWindows
NamedPermissionSet permSet = FindNamedPermissionSet("Internet");

permSet.AddPermission(new UIPermission(UIPermissionWindow.AllWindows));

PolicyStatement polState = new PolicyStatement(permSet);
PolicyLevel domainPolicy = PolicyLevel.CreateAppDomainLevel();
AllMembershipCondition allCodeMC = new AllMembershipCondition();
CodeGroup allCodeCG = new UnionCodeGroup(allCodeMC,polState);
domainPolicy.RootCodeGroup = allCodeCG;
sandboxAppDomain.SetAppDomainPolicy(domainPolicy);

// Try running MessageBox.Show in the appdomain
try {
Sandbox sandboxObject =
(Sandbox)sandboxAppDomain.CreateInstanceAndUnwrap(
Assembly.GetExecutingAssembly().FullName,
"Sandbox.Sandbox");

sandboxObject.UntrustedMethod();
} catch (Exception ex) {
Console.WriteLine(ex.ToString());
}

Console.ReadLine();
}

private static NamedPermissionSet FindNamedPermissionSet(string name) {
IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();

while (policyEnumerator.MoveNext()) {
PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;

if (currentLevel.Label == "Machine") {
IList namedPermissions = currentLevel.NamedPermissionSets;
IEnumerator namedPermission = namedPermissions.GetEnumerator();

while (namedPermission.MoveNext()) {
if (((NamedPermissionSet)namedPermission.Current).Name == name) {
return ((NamedPermissionSet)namedPermission.Current);
}
}
}
}
return null;
}

/// This is an untrusted method executed seperately from the rest of the
application
public void UntrustedMethod() {
System.Windows.Forms.MessageBox.Show(AppDomain.CurrentDomain.FriendlyName);
}
}
}

Unfortunately loading *UI* code into a separate AppDomain is not a supported scenario in Windows Forms

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

Hi,

I'm having trouble running untrusted code inside a sandboxed AppDomain, and
I was hoping that someone could help me!

The code is user-supplied, and so I want my Winform application to run the
code in a seperate AppDomain without any more permissions than given in the
Internet permission set.

This seems to work okay, except for when the code contains Winform code -
such as MessageBox.Show. The following exception is thrown when
UntrustedMethod is called in my sandboxed appdomain:

System.Security.Policy.PolicyException: Required permissions cannot be
acquired.

I've tried adding UIPermissionWindow.AllWindows, but that doesn't seem to
help.

Thanks in advance for your help,

Kirk

In that using AppDomains to isolate UI code can't be done reliably because the message pump is visible across AppDomains.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

Not sure what you mean by this. I run code that displays UI in separate
appdomains all the time. Under what conditions is it not supported?

Not sure what you mean by this. I run code that displays UI in separate
appdomains all the time. Under what conditions is it not supported?

"Richard Blewett [DevelopMentor]" <richardb@NOSPAMdevelop.com> wrote in
message news:uTITdG41EHA.4004@tk2msftngp13.phx.gbl...
[quoted text, click to view]

[quoted text, click to view]

What do you mean by "realiably"? Full trust means that is has all possible
permissions.

[quoted text, click to view]

Yes, there ways of doing this. For example, you can package this code in a
separate assembly, and then when the assembly is loaded you can supply
evidence that will make it run at a reduced security level. I suggest
reading one of the books on Code Access Security - there are several.

[quoted text, click to view]

Ask your questions on the security newsgroup @
microsoft.public.dotnet.security

Hmmm, it's still not clear to me why that makes the isolation less reliable.
Also, have you tried using an ApplicationContext to coordinate the winforms?

"Richard Blewett [DevelopMentor]" <richardb@NOSPAMdevelop.com> wrote in
message news:%23vEQIQG2EHA.3500@TK2MSFTNGP09.phx.gbl...
[quoted text, click to view]

[quoted text, click to view]

Thanks Richard, I appreciate your help.

Do you (or anyone else) know the answers to these questions?

- Can Winform code be *reliably* run in an AppDomain at full trust? It seems
to work for me - can I rely on it?

- Is there any other way to reduce the permissions of code that contains UI
code, so that it can't access files / network etc?

- Will it be possible in future versions of the framework?

It'd be great if someone can point me to docs or a web page outlining this -
I'd like to have something to show to others about why my current approach
won't work.

Kirk