Re: code access security, local application
From: Michel Gallant (MVP) (neutron_at_istar.ca)
Date: Tue, 6 May 2003 11:53:54 -0400
First off, remember that if you add a child code-group, the resultant
permission set is a *union* of all permissions granted by code-groups
that match the membership condition for that level (Machine in your case).
Since the Machine/All Code by default has full permissions, if you
want to restrict permissions for a local machine file sandbox, you need
to make it exclusive. Here is one way to do it:
- create child group under Machine/All Code (as you have done)
I call it netSandbox
- set the Membership Condition for this new code group to "URL"
and assign the sandboxed folder as a wildcarded file URL, e.g.
- under Permission Set, assign the restricting permissions (e.g. Internet if
you wish to simulate code originating from the Internet)
- most importantly, in the General tab, check the box:
"This policy level will only have the permissions from the permission set
associated with this code group"
The last step makes this matching condition mask out the Machine/All Code group
permissions, which as I said are full.
- Michel Gallant
"Wiktor Zychla" <ieUser@microsoft.com.no.spam> wrote in message
> [also posted to donet.framework]
> Hi there,
> I've read several docs about .net security. I am interested in code
> access security. I've experimented with .NET framework Configuration tool.
> However, there's one thing I do not understand (or I do not know how to
> do). Suppose I get an application from someone, I put it in C:\000 but I do
> not trust this application. I would like to "sandbox" it, i.e. give it only
> a fixed set of permissions.
> So, I bring .NET Framework Configuration tool, I add new code group
> under "Machine/All Code", I associate the group with new permission set and
> I set the membership condition to Application Directory (is it ok?). I call
> my new code group "XYZ".
> Then I wish the application, C:\000\myApplication.exe, to be in the group
> XYZ to force my custom permission set. But I do not know how to do this! I
> have no idea how to add particular application, located on my hard disk, to
> my own code group with my own permissions.
> Is it possible? Do I miss something? I suppose this should be possible
> but at the moment I have no idea how to do it. Remember that my primary goal
> is to "sandbox" a local application, i.e. define my own permission set and
> run my application against the set. Maybe there are other ways to accomplish
> this goal.
> Big thanks for help,
> Wiktor Zychla
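
The resolution rule described in the reply, as an added Python model that is not part of either message and not the .NET Framework's own code: it resolves a single policy level (Machine) and shows why the netSandbox group restricts nothing until the exclusive box is checked. The permission names, the `file://C:/000/*` pattern (built from the folder in the question) and all function names are assumptions made for the illustration.

```python
# Simplified model of how ONE policy level (Machine) resolves a grant set.
from dataclasses import dataclass, field

# Stand-in permission sets; the permission names are simplified placeholders.
FULL_TRUST = frozenset({"Execution", "UI", "IsolatedStorage", "FileIO",
                        "Registry", "Network", "UnmanagedCode"})
INTERNET = frozenset({"Execution", "UI", "IsolatedStorage"})

@dataclass
class CodeGroup:
    name: str
    url_pattern: str           # "*" = All Code; a trailing "*" is a prefix wildcard
    permissions: frozenset
    exclusive: bool = False    # the checkbox on the General tab
    children: list = field(default_factory=list)

    def matches(self, url):
        pat, url = self.url_pattern.lower(), url.lower()
        return url.startswith(pat[:-1]) if pat.endswith("*") else url == pat

def matching_groups(group, url):
    """Yield each group whose membership condition matches the code's URL.
    Children are examined only when their parent matched."""
    if group.matches(url):
        yield group
        for child in group.children:
            yield from matching_groups(child, url)

def resolve_level(root, url):
    """Union of all matching groups, unless an exclusive group matched."""
    matched = list(matching_groups(root, url))
    exclusive = [g for g in matched if g.exclusive]
    if len(exclusive) > 1:
        # The real runtime treats this as a policy error as well.
        raise ValueError("more than one exclusive code group matched")
    if exclusive:
        return exclusive[0].permissions
    return frozenset().union(*(g.permissions for g in matched))

def machine_policy(sandbox_exclusive):
    """Machine/All Code (full trust) with the netSandbox child group."""
    sandbox = CodeGroup("netSandbox", "file://C:/000/*", INTERNET, sandbox_exclusive)
    return CodeGroup("All Code", "*", FULL_TRUST, children=[sandbox])

APP = "file://C:/000/myApplication.exe"      # constructed sample URL
OTHER = "file://C:/Program Files/tool.exe"   # constructed sample URL

if __name__ == "__main__":
    for flag in (False, True):
        grant = resolve_level(machine_policy(flag), APP)
        print(f"exclusive={flag}: {sorted(grant)}")
```

With the box unchecked the application in C:\000 still resolves to the full set, because the union with All Code swallows the smaller set; with it checked, only the sandbox set is granted, and code outside the folder is unaffected.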