Re: Creating code groups | Setup project

Thanks a ton Dominick!
I finally got the entire bit working.

However, was just wondering if you do not mind sharing the code for the
_removeCodeGroupsByName method too! Guess you missed it in the initial
response.

Cheers!
Nick

"Dominick Baier [DevelopMentor]" wrote:

hi,

add a class lib to the installer project - and include its primary output

add a class to that project:

[RunInstaller(true)]
public class MyInstaller : System.Configuration.Install.Installer

and override the install/unistall methods.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hey Dominick,

I did indeed get this code running and was able to create the desired
code
groups and perm sets. Thanks a ton!
However, I couldn't quite figure out exactly where to get this Install
method that is overridden. All that I have worked with Setup projects,
I have
purely done with the GUI. I'm not sure where I can fit this code in
the
project. I believe I'll have to create an exe for this and put it in
as a
custom action during install, and put the code for removing it in a
similar
action during uninstall. Am I correct in this assumption?
"Dominick Baier [DevelopMentor]" wrote:

hi,

this is part of an msi installer project - and should get you
started...don't forget the uninstall action :)

// this code will run when the MSI file is installed public override
void Install(IDictionary stateSaver) {

// first need to find the machine policy,
// which is where we'll make our changes
PolicyLevel machinePolicy = _findPolicyLevel("Machine");
if (null == machinePolicy) {
// sanity check - this should never happen
throw new ApplicationException("Failed to find the machine policy
in the PolicyHierarchy");
}
// we need to add a named permission set
// that includes whatever permissions we're granting
NamedPermissionSet nps = new NamedPermissionSet(permissionSetName,
PermissionState.None);
nps.Description = permissionSetDesc;
// TODO: add the permissions AcmeExpense needs
nps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read,
@"c:\acme\expenses"));
nps.AddPermission(new
EnvironmentPermission(EnvironmentPermissionAccess.Read,
"EXPENSE"));
nps.AddPermission(new
SqlClientPermission(PermissionState.Unrestricted));
nps.AddPermission(new
DataProtectionPermission(PermissionState.Unrestricted));
// add our named permission set to the machine policy level
// note that nothing is saved yet (we'll save at the end)
try {
machinePolicy.AddNamedPermissionSet(nps);
}
catch {
// duplicate name - update the existing one with the same name
machinePolicy.ChangeNamedPermissionSet(nps.Name, nps);
}
// now we need to create a code group that matches all assemblies
// that we ship with AcmeExpense - one way of doing this is to
// match the strong name we assign to that application (although
// depending on how you manage strong names, this might cover
// a wider set of assemblies)
CodeGroup cg = new UnionCodeGroup(
new StrongNameMembershipCondition(
new StrongNamePublicKeyBlob(acmePublicKey),
null, // match regardless of assembly's simple name
null), // match regardless of assembly's version
new PolicyStatement(nps,
PolicyStatementAttribute.Nothing) // no LevelFinal or Exclusive
attribute on this code group
);
cg.Name = codeGroupName;
cg.Description = codeGroupDesc;
// code groups with duplicate names are legal, but messy and
confusing,
// so we make sure to first remove any existing code groups with
our name
_removeCodeGroupsByName(machinePolicy.RootCodeGroup, cg.Name);
// add our new code group (note we've not saved yet).
machinePolicy.RootCodeGroup.AddChild(cg);

// finally, save all changes atomically.
SecurityManager.SavePolicyLevel(machinePolicy);
}
PolicyLevel _findPolicyLevel(string labelWeWant) {
IEnumerator policyLevelEnumerator =
SecurityManager.PolicyHierarchy();
PolicyLevel found = null;
while (policyLevelEnumerator.MoveNext()) {
PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
if (labelWeWant == lvl.Label) {
found = lvl;
}
}
return found;
}
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hey,

I'm not sure if this can be done, but here's what I require:

I have a windows application that needs to be secured in a code
group with limited permissions to write to a log folder, and to
download certain files before startup. Issue is that this happens to
be running on a restricted user login. And also, i need to prevent
malicious files from accessing this application.

The solution for the first issue is the cacls exe that I've managed
to use and put together certain code that does the trick for me. Is
there any other/better way to do it? I basically need write
permission on a folder in the Program Files application directory to
write some logs, and write permission on another folder to download
some files through the application.

The second issue needs to be addressed using CAS. I know we can use
the configuration manager of the framework in administrative tools
to create the desired permission set and code group and then import
the application assemblies/components into it to sign it.

My queries:

1. How can I do the same that I manage to achieve with the config
manager through some framework classes? I would be required to do
this as a custom action while installation of the application
through a setup project that I have.

2. Which would be the best condition on the basis of which I should
create my code group? There are 7 of them, and I do intend to strong
name the app anyway. Would the strong name be a sufficient enought
condition for the code group? Or would some other condition serve
the purpose better and more smartly?

Any pointers are gladly appreciated.
Cheers!
Nick



.

Relevant Pages

  • Re: CAS Policy issue
    ... If enterprise-specified CAS restrictions are set at the enterprise policy level, neither the machine nor user levels will be able to override the restrictions to grant additional permissions. ... Any given code group can be marked as exclusive, which will prevent code that meets the code group membership conditions from being granted any additional permissions via other groups. ... I'd really like the option to prevent the control from loading at child B level, but it seems with child C full trust, this is not possible. ... If you're trying to troubleshoot CAS permission problems, I'd recommend resetting your CAS policy. ...
    (microsoft.public.dotnet.security)
  • Re: Creating code groups | Setup project
    ... add a class lib to the installer project - and include its primary output ... throw new ApplicationException("Failed to find the machine policy ... // add our named permission set to the machine policy level ... // now we need to create a code group that matches all assemblies ...
    (microsoft.public.dotnet.security)
  • Re: assign permission set
    ... policy it does so at some risk. ... If an msi install will work for you, ... The .NET Framework Configuration tool generates a Microsoft installer ... >> code shows how to programmatically replace the trusted zone code group. ...
    (microsoft.public.dotnet.security)
  • Re: Creating code groups | Setup project
    ... foreach (CodeGroup existingCodeGroup in parent.Children) { ... throw new ApplicationException("Failed to find the machine policy ... // add our named permission set to the machine policy level ... // now we need to create a code group that matches all assemblies ...
    (microsoft.public.dotnet.security)
  • Re: Creating code groups | Setup project
    ... I couldn't quite figure out exactly where to get this Install ... throw new ApplicationException("Failed to find the machine policy ... // add our named permission set to the machine policy level ... // now we need to create a code group that matches all assemblies ...
    (microsoft.public.dotnet.security)