|
|
You're in the
dotnet security
group:Enabling App Domain Policy to run an executable
dotnet security:
I have looked over the internet and found some code to create an application
domain policy, create a permission set based on "LocalIntranet", add additional permissions, union membership conditions with the permission set, and try to execute another application. My code can be found below. Even after giving the FileIOPermission unrestricted access to the app domain policy, the other application is still throwing the securityexception because the FileIOPermission failed. Can someone please shed some light on why this is happenning and maybe help me figure out how to get it to work? Code Example: namespace ApplicationLauncher { class Launch { static void Main (string[] args) { if (args.Length < 1) { System.Console.WriteLine("Usage: Launch <assembly>"); return; } string fileName = args[0]; System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch"); System.Security.Policy.PolicyLevel domainPolicy = System.Security.Policy.PolicyLevel.CreateAppDomainLevel(); System.Security.Policy.AllMembershipCondition allCodeMC = new System.Security.Policy.AllMembershipCondition(); System.Security.PermissionSet internetPermissionSet = domainPolicy.GetNamedPermissionSet("LocalIntranet"); System.Security.Policy.PolicyStatement internetPolicyStatement = new System.Security.Policy.PolicyStatement(internetPermissionSet); System.Security.Policy.CodeGroup allCodeInternetCG = new System.Security.Policy.UnionCodeGroup(allCodeMC, internetPolicyStatement); domainPolicy.RootCodeGroup = allCodeInternetCG; ad.SetAppDomainPolicy(domainPolicy); string[] newArgs = new string[args.Length-1]; System.Array.Copy(args, 1, newArgs, 0, args.Length-1); ad.ExecuteAssembly(fileName, null, newArgs); } } }
What if I changed the line of code to look like the following?
System.Security.Policy.PolicyStatement internetPolicyStatement = new System.Security.Policy.PolicyStatement(internetPermissionSet); System.Security.Policy.PolicyStatement internetPolicyStatement = new System.Security.Policy.PolicyStatement(internetPermissionSet, System.Security.Policy.PolicyStatementAttribute.All); Thank you for your time. [quoted text, click to view] ""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message cpmsftngxa10.phx.gbl!TK2MSFTNGXA06.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08news:JezecNtjEHA.2020@cpmsftngxa10.phx.gbl... > Hi Jason, > > The code you posted below looks correct to me. One thing that you might be running into is that the permission grant at each policy level > are calculated seperately, and then intersected together to get the final grant. This means that you cannot use AppDomain policy to elevate an > assembly's permissions above and beyond what the machine policy would have given anyway. My first guess is that this is your problem. > > -Shawn > http://blogs.msdn.com/shawnfa > > -- > > This posting is provided "AS IS" with no warranties, and confers no rights. > Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they > originated. > -------------------- > >From: "Jason Collum" <jcollum@bear.com> > >Subject: Enabling App Domain Policy to run an executable > >Date: Mon, 30 Aug 2004 12:51:26 -0500 > >Lines: 49 > >X-Priority: 3 > >X-MSMail-Priority: Normal > >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 > >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 > >Message-ID: <uOy9cjrjEHA.2500@TK2MSFTNGP09.phx.gbl> > >Newsgroups: microsoft.public.dotnet.security > >NNTP-Posting-Host: wafw-pi.bear.com 207.162.228.1 > >Path: ..phx.gbl!TK2MSFTNGP09.phx.gbl [quoted text, click to view] > >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7283 > >X-Tomcat-NG: microsoft.public.dotnet.security > > > >I have looked over the internet and found some code to create an application > >domain policy, create a permission set based on "LocalIntranet", add > >additional permissions, union membership conditions with the permission set, > >and try to execute another application. My code can be found below. Even > >after giving the FileIOPermission unrestricted access to the app domain > >policy, the other application is still throwing the securityexception > >because the FileIOPermission failed. Can someone please shed some light on > >why this is happenning and maybe help me figure out how to get it to work? > > > >Code Example: > >namespace ApplicationLauncher > >{ > > class Launch > > { > > static void Main (string[] args) > > { > > if (args.Length < 1) > > { > > System.Console.WriteLine("Usage: Launch <assembly>"); > > return; > > } > > > > string fileName = args[0]; > > > > System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch"); > > > > System.Security.Policy.PolicyLevel domainPolicy = > >System.Security.Policy.PolicyLevel.CreateAppDomainLevel(); > > > > System.Security.Policy.AllMembershipCondition allCodeMC = new > >System.Security.Policy.AllMembershipCondition(); > > System.Security.PermissionSet internetPermissionSet = > >domainPolicy.GetNamedPermissionSet("LocalIntranet"); > > System.Security.Policy.PolicyStatement internetPolicyStatement = new > >System.Security.Policy.PolicyStatement(internetPermissionSet); > > > > System.Security.Policy.CodeGroup allCodeInternetCG = new > >System.Security.Policy.UnionCodeGroup(allCodeMC, internetPolicyStatement); > > domainPolicy.RootCodeGroup = allCodeInternetCG; > > ad.SetAppDomainPolicy(domainPolicy); > > > > string[] newArgs = new string[args.Length-1]; > > System.Array.Copy(args, 1, newArgs, 0, args.Length-1); > > ad.ExecuteAssembly(fileName, null, newArgs); > > } > > } > >} > > > > > > > >
Hi Jason,
The code you posted below looks correct to me. One thing that you might be running into is that the permission grant at each policy level are calculated seperately, and then intersected together to get the final grant. This means that you cannot use AppDomain policy to elevate an assembly's permissions above and beyond what the machine policy would have given anyway. My first guess is that this is your problem. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] >From: "Jason Collum" <jcollum@bear.com> >Subject: Enabling App Domain Policy to run an executable >Date: Mon, 30 Aug 2004 12:51:26 -0500 >Lines: 49 >X-Priority: 3 >X-MSMail-Priority: Normal >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 >Message-ID: <uOy9cjrjEHA.2500@TK2MSFTNGP09.phx.gbl> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: wafw-pi.bear.com 207.162.228.1 >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA06.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7283 >X-Tomcat-NG: microsoft.public.dotnet.security > >I have looked over the internet and found some code to create an application >domain policy, create a permission set based on "LocalIntranet", add >additional permissions, union membership conditions with the permission set, >and try to execute another application. My code can be found below. Even >after giving the FileIOPermission unrestricted access to the app domain >policy, the other application is still throwing the securityexception >because the FileIOPermission failed. Can someone please shed some light on >why this is happenning and maybe help me figure out how to get it to work? > >Code Example: >namespace ApplicationLauncher >{ > class Launch > { > static void Main (string[] args) > { > if (args.Length < 1) > { > System.Console.WriteLine("Usage: Launch <assembly>"); > return; > } > > string fileName = args[0]; > > System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch"); > > System.Security.Policy.PolicyLevel domainPolicy = >System.Security.Policy.PolicyLevel.CreateAppDomainLevel(); > > System.Security.Policy.AllMembershipCondition allCodeMC = new >System.Security.Policy.AllMembershipCondition(); > System.Security.PermissionSet internetPermissionSet = >domainPolicy.GetNamedPermissionSet("LocalIntranet"); > System.Security.Policy.PolicyStatement internetPolicyStatement = new >System.Security.Policy.PolicyStatement(internetPermissionSet); > > System.Security.Policy.CodeGroup allCodeInternetCG = new >System.Security.Policy.UnionCodeGroup(allCodeMC, internetPolicyStatement); > domainPolicy.RootCodeGroup = allCodeInternetCG; > ad.SetAppDomainPolicy(domainPolicy); > > string[] newArgs = new string[args.Length-1]; > System.Array.Copy(args, 1, newArgs, 0, args.Length-1); > ad.ExecuteAssembly(fileName, null, newArgs); > } > } >} > > >
If I was correct in my guess in the last post, then you'll still run into the same problem. There's no way to use a policy level to elevate permissions
beyond what other levels allow. AppDomain policy is best use to sandbox assemblies into a permission set lower than what the machine permission set is currently allowing them. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] >From: "Jason Collum" <jcollum@bear.com> >References: <uOy9cjrjEHA.2500@TK2MSFTNGP09.phx.gbl> <JezecNtjEHA.2020@cpmsftngxa10.phx.gbl> >Subject: Re: Enabling App Domain Policy to run an executable >Date: Mon, 30 Aug 2004 16:32:33 -0500 >Lines: 112 >X-Priority: 3 >X-MSMail-Priority: Normal >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 >Message-ID: <uU$SCftjEHA.2692@TK2MSFTNGP12.phx.gbl> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: wafw-pi.bear.com 207.162.228.1 >Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7288 >X-Tomcat-NG: microsoft.public.dotnet.security > >What if I changed the line of code to look like the following? > >System.Security.Policy.PolicyStatement internetPolicyStatement = new >System.Security.Policy.PolicyStatement(internetPermissionSet); > > >System.Security.Policy.PolicyStatement internetPolicyStatement = new >System.Security.Policy.PolicyStatement(internetPermissionSet, >System.Security.Policy.PolicyStatementAttribute.All); > >Thank you for your time. > > >""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message >news:JezecNtjEHA.2020@cpmsftngxa10.phx.gbl... >> Hi Jason, >> >> The code you posted below looks correct to me. One thing that you might >be running into is that the permission grant at each policy level >> are calculated seperately, and then intersected together to get the final >grant. This means that you cannot use AppDomain policy to elevate an >> assembly's permissions above and beyond what the machine policy would have >given anyway. My first guess is that this is your problem. >> >> -Shawn >> http://blogs.msdn.com/shawnfa >> >> -- >> >> This posting is provided "AS IS" with no warranties, and confers no >rights. >> Note: For the benefit of the community-at-large, all responses to this >message are best directed to the newsgroup/thread from which they >> originated. >> -------------------- >> >From: "Jason Collum" <jcollum@bear.com> >> >Subject: Enabling App Domain Policy to run an executable >> >Date: Mon, 30 Aug 2004 12:51:26 -0500 >> >Lines: 49 >> >X-Priority: 3 >> >X-MSMail-Priority: Normal >> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 >> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 >> >Message-ID: <uOy9cjrjEHA.2500@TK2MSFTNGP09.phx.gbl> >> >Newsgroups: microsoft.public.dotnet.security >> >NNTP-Posting-Host: wafw-pi.bear.com 207.162.228.1 >> >Path: >cpmsftngxa10.phx.gbl!TK2MSFTNGXA06.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08 >.phx.gbl!TK2MSFTNGP09.phx.gbl >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7283 >> >X-Tomcat-NG: microsoft.public.dotnet.security >> > >> >I have looked over the internet and found some code to create an >application >> >domain policy, create a permission set based on "LocalIntranet", add >> >additional permissions, union membership conditions with the permission >set, >> >and try to execute another application. My code can be found below. >Even >> >after giving the FileIOPermission unrestricted access to the app domain >> >policy, the other application is still throwing the securityexception >> >because the FileIOPermission failed. Can someone please shed some light >on >> >why this is happenning and maybe help me figure out how to get it to >work? >> > >> >Code Example: >> >namespace ApplicationLauncher >> >{ >> > class Launch >> > { >> > static void Main (string[] args) >> > { >> > if (args.Length < 1) >> > { >> > System.Console.WriteLine("Usage: Launch <assembly>"); >> > return; >> > } >> > >> > string fileName = args[0]; >> > >> > System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch"); >> > >> > System.Security.Policy.PolicyLevel domainPolicy = >> >System.Security.Policy.PolicyLevel.CreateAppDomainLevel(); >> > >> > System.Security.Policy.AllMembershipCondition allCodeMC = new >> >System.Security.Policy.AllMembershipCondition(); >> > System.Security.PermissionSet internetPermissionSet = >> >domainPolicy.GetNamedPermissionSet("LocalIntranet"); >> > System.Security.Policy.PolicyStatement internetPolicyStatement = new >> >System.Security.Policy.PolicyStatement(internetPermissionSet); >> > >> > System.Security.Policy.CodeGroup allCodeInternetCG = new >> >System.Security.Policy.UnionCodeGroup(allCodeMC, >internetPolicyStatement); >> > domainPolicy.RootCodeGroup = allCodeInternetCG; >> > ad.SetAppDomainPolicy(domainPolicy); >> > >> > string[] newArgs = new string[args.Length-1]; >> > System.Array.Copy(args, 1, newArgs, 0, args.Length-1); >> > ad.ExecuteAssembly(fileName, null, newArgs); >> > } >> > } >> >} >> > >> > >> > >> >> > > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |