RE: Enabling App Domain Policy to run an executable
From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 08/30/04
- In reply to: Jason Collum: "Enabling App Domain Policy to run an executable"
Date: Mon, 30 Aug 2004 20:52:58 GMT
Hi Jason,
The code you posted below looks correct to me. One thing that you might be running into is that the permission grants at each policy level are calculated separately, and then intersected together to get the final grant. This means that you cannot use AppDomain policy to elevate an assembly's permissions above and beyond what the machine policy would have given anyway. My first guess is that this is your problem.
-Shawn
http://blogs.msdn.com/shawnfa
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they
originated.
--------------------
>From: "Jason Collum" <jcollum@bear.com>
>Subject: Enabling App Domain Policy to run an executable
>Date: Mon, 30 Aug 2004 12:51:26 -0500
>Newsgroups: microsoft.public.dotnet.security
>
>I have looked over the internet and found some code to create an application
>domain policy, create a permission set based on "LocalIntranet", add
>additional permissions, union membership conditions with the permission set,
>and try to execute another application. My code can be found below. Even
>after giving the FileIOPermission unrestricted access to the app domain
>policy, the other application is still throwing the securityexception
>because the FileIOPermission failed. Can someone please shed some light on
>why this is happening and maybe help me figure out how to get it to work?
>
>Code Example:
>namespace ApplicationLauncher
>{
> class Launch
> {
> static void Main (string[] args)
> {
> if (args.Length < 1)
> {
> System.Console.WriteLine("Usage: Launch <assembly>");
> return;
> }
>
> string fileName = args[0];
>
> System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch");
>
> System.Security.Policy.PolicyLevel domainPolicy =
>System.Security.Policy.PolicyLevel.CreateAppDomainLevel();
>
> System.Security.Policy.AllMembershipCondition allCodeMC = new
>System.Security.Policy.AllMembershipCondition();
> System.Security.PermissionSet internetPermissionSet =
>domainPolicy.GetNamedPermissionSet("LocalIntranet");
> System.Security.Policy.PolicyStatement internetPolicyStatement = new
>System.Security.Policy.PolicyStatement(internetPermissionSet);
>
> System.Security.Policy.CodeGroup allCodeInternetCG = new
>System.Security.Policy.UnionCodeGroup(allCodeMC, internetPolicyStatement);
> domainPolicy.RootCodeGroup = allCodeInternetCG;
> ad.SetAppDomainPolicy(domainPolicy);
>
> string[] newArgs = new string[args.Length-1];
> System.Array.Copy(args, 1, newArgs, 0, args.Length-1);
> ad.ExecuteAssembly(fileName, null, newArgs);
> }
> }
>}
>
>
>
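The per-level intersection described in the reply can be inspected directly. The following is an added example, not code from either poster: it resolves the target assembly's evidence against each policy level the runtime reports and prints where FileIOPermission is lost. It assumes a .NET Framework runtime with CAS policy enabled, and the class name `PolicyLevelReport` is hypothetical.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical diagnostic: run it as the same user and from the same
// location as the launcher so that the evidence matches.
class PolicyLevelReport
{
    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("Usage: PolicyLevelReport <assembly>");
            return;
        }

        // Evidence (zone, URL, strong name, ...) that policy is evaluated against.
        Evidence evidence = Assembly.LoadFrom(args[0]).Evidence;

        // Start from an unrestricted set and narrow it by each level's grant.
        PermissionSet combined = new PermissionSet(PermissionState.Unrestricted);

        // Levels reported by the runtime (enterprise, machine, user by default).
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PermissionSet grant = level.Resolve(evidence).PermissionSet;
            Report(level.Label, grant);

            // Intersect returns null when nothing is left in common.
            combined = combined.Intersect(grant);
            if (combined == null)
                combined = new PermissionSet(PermissionState.None);
        }

        // This is the ceiling: a grant at another level cannot add to it.
        Report("Intersection", combined);
    }

    static void Report(string label, PermissionSet grant)
    {
        bool full = grant.IsUnrestricted();
        IPermission fileIo = grant.GetPermission(typeof(FileIOPermission));
        string shown = full ? "unrestricted" : (fileIo == null ? "none" : fileIo.ToString());
        Console.WriteLine("{0,-12} FullTrust={1} FileIOPermission={2}", label, full, shown);
    }
}
```

If a level prints `none` for FileIOPermission, that level is the one removing it, and the fix belongs in that level's policy rather than in the AppDomain policy.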