AppDomain and SecurityPermission

From: Sekhmet den skammelige (s_at_lunarscape.dk)
Date: 07/13/03

  • Next message: Steve: "CAS, Hosting in Internet Explorer" 
    Date: Sun, 13 Jul 2003 15:37:23 +0200

    Hi

    I pretty sure I'm getting something wrong here.

    I want to make sure that an assembly I load into a AppDomain i create can't
    call assert to access fx. files it's not allowed to.

    If execute the following code which is supposed to give the AppDomain no
    access to d:\ and make sure it can't just assert that permission:

    FileIOPermission ioPerm = new
    FileIOPermission(FileIOPermissionAccess.AllAccess, @"d:\");
    SecurityPermission secPerm = new
    SecurityPermission(SecurityPermissionFlag.Assertion);

    NamedPermissionSet permSet = new NamedPermissionSet("permSet",
    PermissionState.None);
    permSet.AddPermission(secPerm);
    permSet.AddPermission(ioPerm);
    permSet.Deny();

    PolicyLevel lvl = PolicyLevel.CreateAppDomainLevel();
    lvl.AddNamedPermissionSet(permSet);

    AppDomain domain = AppDomain.CreateDomain("testApp");
    domain.SetAppDomainPolicy(lvl);

    Assembly ass = Assembly.GetAssembly(typeof(C.C));
    domain.CreateInstance(ass.FullName, "C.C");

    In the constructor for class C.C I have the following:

    try {
            new FileIOPermission(FileIOPermissionAccess.Read,
    @"d:\temp").Assert();
            Console.WriteLine(new StreamReader(File.Open(@"d:\temp\test.txt",
    FileMode.Open, FileAccess.Read)).ReadToEnd());
    } catch (Exception e) {
            Console.WriteLine(e.Message);
    }

    The problem is now that if I execute the code with the
    FileIOPermission.Assert statement in C I get the appropriate
    SecurityException telling me I don't have access to d:\temp\.

    But if I have the FileIOPermission.Assert statement the code runs and
    outputs the contents of the file.

    What I want is to make sure that under no circumstances can code running in
    the new AppDomain access ressources other than those I specify.

    Hope you can help me.

    /sekhmet

  • Next message: Steve: "CAS, Hosting in Internet Explorer"

    Relevant Pages

    • Re: AppDomain and SecurityPermission
      ... In practice, Deny just stops the stackwalk, but it does not change the assembly grant set [and assembly can assert everything that it was granted]. ... > I want to make sure that an assembly I load into a AppDomain i create can't ...
      (microsoft.public.dotnet.security)
    • Re: AppDomain and SecurityPermission
      ... In practice, Deny just stops the stackwalk, but it does not change the ... assembly grant set [and assembly can assert everything that it was granted]. ... So, if you want to create an AppDomain with restricted Security in it, you ... will need to create a permission set with all the permissions your ...
      (microsoft.public.dotnet.security)
    • Re: My own autoupdater - problem
      ... Next, however, while trying to install the new version, I run ... open an explorer and b) let wceload.exe execute the cab-file ... the autoupdate and the core app in two different appdomains. ... I mean, having the main appdomain which checks for updates, download them ...
      (microsoft.public.dotnet.framework.compactframework)
    • Re: Question on AppDomain and Thread
      ... When you invoke a method on the object it will be invoked on the current ... but a single thread will only execute in one AppDomain at a time. ... AppDomain as the caller. ...
      (microsoft.public.dotnet.framework)
    • Re: Preloading assemblies into an AppDomain I create
      ... application B (by using the AppDomain functionality). ... assemblies for an application and thus make that application start-up ... rather than just to execute application B directly. ... that AppDomain - but I'm still seeing slower performance. ...
      (microsoft.public.dotnet.languages.csharp)
    • Quantcast