Re: Enabling App Domain Policy to run an executable

From: Jason Collum (jcollum_at_bear.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 16:32:33 -0500

What if I changed the line of code to look like the following?

System.Security.Policy.PolicyStatement internetPolicyStatement = new
System.Security.Policy.PolicyStatement(internetPermissionSet);

System.Security.Policy.PolicyStatement internetPolicyStatement = new
System.Security.Policy.PolicyStatement(internetPermissionSet,
System.Security.Policy.PolicyStatementAttribute.All);

Thank you for your time.

"Shawn Farkas" <shawnfa@online.microsoft.com> wrote in message
news:JezecNtjEHA.2020@cpmsftngxa10.phx.gbl...
> Hi Jason,
>
> The code you posted below looks correct to me. One thing that you might
> be running into is that the permission grants at each policy level
> are calculated separately, and then intersected together to get the final
> grant. This means that you cannot use AppDomain policy to elevate an
> assembly's permissions above and beyond what the machine policy would have
> given anyway. My first guess is that this is your problem.
>
> -Shawn
> http://blogs.msdn.com/shawnfa
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Note: For the benefit of the community-at-large, all responses to this
> message are best directed to the newsgroup/thread from which they
> originated.
> --------------------
> >From: "Jason Collum" <jcollum@bear.com>
> >Subject: Enabling App Domain Policy to run an executable
> >Date: Mon, 30 Aug 2004 12:51:26 -0500
> >Message-ID: <uOy9cjrjEHA.2500@TK2MSFTNGP09.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.security
> >
> >I have looked over the internet and found some code to create an
> >application domain policy, create a permission set based on
> >"LocalIntranet", add additional permissions, union membership conditions
> >with the permission set, and try to execute another application. My code
> >can be found below. Even after giving the FileIOPermission unrestricted
> >access to the app domain policy, the other application is still throwing
> >the SecurityException because the FileIOPermission failed. Can someone
> >please shed some light on why this is happening and maybe help me figure
> >out how to get it to work?
> >
> >Code Example:
> >namespace ApplicationLauncher
> >{
> >    class Launch
> >    {
> >        static void Main (string[] args)
> >        {
> >            if (args.Length < 1)
> >            {
> >                System.Console.WriteLine("Usage: Launch <assembly>");
> >                return;
> >            }
> >
> >            string fileName = args[0];
> >
> >            System.AppDomain ad = System.AppDomain.CreateDomain("AppLaunch");
> >
> >            System.Security.Policy.PolicyLevel domainPolicy =
> >                System.Security.Policy.PolicyLevel.CreateAppDomainLevel();
> >
> >            System.Security.Policy.AllMembershipCondition allCodeMC =
> >                new System.Security.Policy.AllMembershipCondition();
> >            System.Security.PermissionSet internetPermissionSet =
> >                domainPolicy.GetNamedPermissionSet("LocalIntranet");
> >            System.Security.Policy.PolicyStatement internetPolicyStatement =
> >                new System.Security.Policy.PolicyStatement(internetPermissionSet);
> >
> >            System.Security.Policy.CodeGroup allCodeInternetCG =
> >                new System.Security.Policy.UnionCodeGroup(allCodeMC, internetPolicyStatement);
> >            domainPolicy.RootCodeGroup = allCodeInternetCG;
> >            ad.SetAppDomainPolicy(domainPolicy);
> >
> >            string[] newArgs = new string[args.Length-1];
> >            System.Array.Copy(args, 1, newArgs, 0, args.Length-1);
> >            ad.ExecuteAssembly(fileName, null, newArgs);
> >        }
> >    }
> >}
> >
> >
> >
>
>
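
The per-level intersection described in the quoted reply, as an added example that is not code from the thread. It assumes the .NET Framework 1.x/2.0 CAS policy APIs used in the post, with CAS policy enabled, and uses constructed intranet-zone evidence; the class and method names are hypothetical.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class PolicyIntersectionDemo
{
    // True if the grant includes unrestricted FileIOPermission.
    static bool AllowsFileIO(PermissionSet grant)
    {
        PermissionSet wanted = new PermissionSet(PermissionState.None);
        wanted.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
        return wanted.IsSubsetOf(grant);
    }

    // Narrow the running grant by one level's grant and report that level.
    static PermissionSet Narrow(PermissionSet soFar, PolicyLevel level, Evidence ev)
    {
        PermissionSet grant = level.Resolve(ev).PermissionSet;
        Console.WriteLine("{0,-10} FileIO: {1}", level.Label, AllowsFileIO(grant));
        PermissionSet result = soFar.Intersect(grant);   // null when nothing is left
        return result != null ? result : new PermissionSet(PermissionState.None);
    }

    static void Main()
    {
        // Constructed evidence (assumption): an assembly from the intranet zone.
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.Intranet));

        // AppDomain level like the post's, with unrestricted FileIOPermission added.
        PolicyLevel domainPolicy = PolicyLevel.CreateAppDomainLevel();
        PermissionSet domainSet = domainPolicy.GetNamedPermissionSet("LocalIntranet").Copy();
        domainSet.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
        domainPolicy.RootCodeGroup = new UnionCodeGroup(
            new AllMembershipCondition(), new PolicyStatement(domainSet));

        // Enterprise, Machine and User come from the installed policy; the
        // AppDomain level is applied last. Level attributes such as LevelFinal
        // are not modelled here.
        PermissionSet final = new PermissionSet(PermissionState.Unrestricted);
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
            final = Narrow(final, (PolicyLevel)levels.Current, ev);
        final = Narrow(final, domainPolicy, ev);

        Console.WriteLine("Final      FileIO: {0}", AllowsFileIO(final));
    }
}
```

Any level that reports False for FileIO keeps the final grant at False, whatever the AppDomain level grants.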


