Programming Security Policy (part 2) - Programming Policy Levels

2. Programming Policy Levels

The .NET class library contains the System.Security.Policy.PolicyLevel class to represent all security policy levels: enterprise, machine, user, and application domain. 

You cannot create new PolicyLevel objects using constructors. To manipulate the enterprise, machine, or user policy levels, you must obtain a reference to the desired level using the static methods of the System.Security.SecurityManager class, which we discuss in the next section. To create a new application domain policy level, use the static PolicyLevel.CreateAppDomainLevel factory method.

Table 6 summarizes the members of the PolicyLevel class. None of the members is protected with code-access permissions. .NET protects the methods you use to obtain and update policy levels, not the methods that manipulate them once you have a reference.

Table 6. Members of the PolicyLevel class

Properties:

- FullTrustAssemblies: Gets an IList of StrongNameMembershipCondition objects representing the fully trusted assemblies of the policy level.
- Label: Gets a String containing a description of the PolicyLevel.
- NamedPermissionSets: Gets an IList of NamedPermissionSet objects representing the named permission sets of the policy level.
- RootCodeGroup: Gets or sets the root CodeGroup of the policy level's code group tree.
- StoreLocation: Gets a String containing the path of the file in which the PolicyLevel is stored. Returns null (C#) or Nothing (Visual Basic .NET) if the PolicyLevel does not have a storage location.

Methods:

- AddFullTrustAssembly: Adds a StrongNameMembershipCondition to the fully trusted assembly list.
- AddNamedPermissionSet: Adds a NamedPermissionSet to the policy level's set of named permission sets.
- ChangeNamedPermissionSet: Replaces the PermissionSet of the specified NamedPermissionSet.
- CreateAppDomainLevel: Returns a PolicyLevel configured for use as an application domain policy level.
- FromXml: Reconstructs a PolicyLevel from correctly formatted XML, which is normally generated using the ToXml method.
- GetNamedPermissionSet: Returns the NamedPermissionSet with the specified name.
- Recover: Reverts the file where the policy level is stored to the previously stored version.
- RemoveFullTrustAssembly: Removes the specified fully trusted assembly.
- RemoveNamedPermissionSet: Removes the specified named permission set.
- Reset: Returns the policy level to its default state.
- Resolve: Returns a PolicyStatement containing the permissions granted by the PolicyLevel based on a specified Evidence collection. This is the same as calling Resolve on the CodeGroup contained in the policy level's RootCodeGroup property.
- ResolveMatchingCodeGroups: Returns a CodeGroup tree containing all of the child code groups for which a specified Evidence collection qualifies for membership. This is the same as calling ResolveMatchingCodeGroups on the CodeGroup contained in the policy level's RootCodeGroup property.
- ToXml: Returns a SecurityElement containing an XML object model of the PolicyLevel and its contents.

2.1. Managing fully trusted assemblies

The PolicyLevel class represents fully trusted assemblies by maintaining a list of StrongNameMembershipCondition objects, each configured to match the strong name of one trusted assembly. You can manage the fully trusted assembly list by passing StrongName or StrongNameMembershipCondition objects to the AddFullTrustAssembly and RemoveFullTrustAssembly methods. The read-only FullTrustAssemblies property gets a System.Collections.IList containing the list of fully trusted assemblies.

Example 1 creates a StrongNameMembershipCondition object to add an entry to the fully trusted assembly list for the HelloWorld assembly.

Example 1. Managing a fully trusted assembly
# C#

// Namespaces needed by this fragment.
using System;
using System.Security.Permissions;
using System.Security.Policy;

// Create a byte array containing the strong name public key
// data.
byte[] publickey = { 0, 36, 0, 0, 4, 128, 0, 0, 148,
    0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0,
    0, 1, 0, 1, 0, 169, 206, 164, 8, 66, 197, 231, 138, 148, 74,
    99, 125, 171, 203, 120, 143, 240, 155, 104, 138, 4, 123, 15,
    55, 85, 255, 183, 20, 111, 10, 217, 58, 127, 15, 236, 86, 16,
    121, 222, 35, 161, 14, 122, 246, 85, 226, 162, 221, 46, 215,
    161, 151, 183, 38, 31, 150, 198, 119, 109, 94, 11, 65, 208,
    33, 122, 172, 106, 62, 192, 4, 35, 255, 220, 10, 43, 90, 92,
    183, 29, 136, 57, 235, 30, 5, 127, 72, 210, 108, 215, 226, 65,
    197, 184, 28, 129, 184, 191, 211, 159, 69, 8, 84, 116, 65, 186,
    179, 35, 116, 174, 223, 167, 217, 116, 8, 178, 232, 213, 155,
    172, 87, 181, 187, 61, 43, 133, 105, 10, 187 };

// Create a StrongNamePublicKeyBlob object from the
// public key byte array.
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey);

// Create a Version object based on the assembly version
// number.
Version version = new Version("1.1578.0.0");

// Create the new StrongNameMembershipCondition, which matches
// only the HelloWorld assembly signed with this key at this version.
StrongNameMembershipCondition mc =
    new StrongNameMembershipCondition(blob, "HelloWorld", version);

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Add the StrongNameMembershipCondition to the fully trusted
// assembly list.
p.AddFullTrustAssembly(mc);

# Visual Basic .NET

' Namespaces needed by this fragment.
Imports System
Imports System.Security.Permissions
Imports System.Security.Policy

' Create a byte array containing the strong name public key
' data.
Dim publickey() As Byte = { 0, 36, 0, 0, 4, 128, 0, 0, 148, _
    0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, _
    0, 1, 0, 1, 0, 169, 206, 164, 8, 66, 197, 231, 138, 148, 74, _
    99, 125, 171, 203, 120, 143, 240, 155, 104, 138, 4, 123, 15, _
    55, 85, 255, 183, 20, 111, 10, 217, 58, 127, 15, 236, 86, 16, _
    121, 222, 35, 161, 14, 122, 246, 85, 226, 162, 221, 46, 215, _
    161, 151, 183, 38, 31, 150, 198, 119, 109, 94, 11, 65, 208, _
    33, 122, 172, 106, 62, 192, 4, 35, 255, 220, 10, 43, 90, 92, _
    183, 29, 136, 57, 235, 30, 5, 127, 72, 210, 108, 215, 226, 65, _
    197, 184, 28, 129, 184, 191, 211, 159, 69, 8, 84, 116, 65, 186, _
    179, 35, 116, 174, 223, 167, 217, 116, 8, 178, 232, 213, 155, _
    172, 87, 181, 187, 61, 43, 133, 105, 10, 187}

' Create a StrongNamePublicKeyBlob object from the
' publickey byte array.
Dim blob As StrongNamePublicKeyBlob = New StrongNamePublicKeyBlob(publickey)

' Create a Version object based on the assembly version
' number.
Dim version As Version = New Version("1.1578.0.0")

' Create the new StrongNameMembershipCondition, which matches
' only the HelloWorld assembly signed with this key at this version.
Dim mc As StrongNameMembershipCondition = _
    New StrongNameMembershipCondition(blob, "HelloWorld", version)

' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel()

' Add the StrongNameMembershipCondition to the fully trusted
' assembly list.
p.AddFullTrustAssembly(mc)

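As an added example (not from the book), the following C# derives the StrongName from an already loaded, strong-named assembly instead of hard-coding the public key bytes, adds it to an application domain policy level through the StrongName overload of AddFullTrustAssembly, and then checks the entry against the StrongNameMembershipCondition objects in FullTrustAssemblies. It assumes a .NET Framework runtime where the CAS policy types are available (they are obsolete from .NET Framework 4.0 and absent from .NET Core); the class and method names are the example's own.

```csharp
using System;
using System.Reflection;
using System.Security.Permissions;
using System.Security.Policy;

// Added example, not from the book. Assumes .NET Framework with CAS policy
// types (obsolete since 4.0, absent from .NET Core). Names are hypothetical.
public static class FullTrustListDemo
{
    // Build the assembly's StrongName identity from its own metadata instead
    // of hard-coding the public key bytes.
    public static StrongName StrongNameOf(Assembly asm)
    {
        AssemblyName an = asm.GetName();
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new ArgumentException("Assembly is not strong-named: " + an.Name);
        return new StrongName(new StrongNamePublicKeyBlob(key), an.Name, an.Version);
    }

    // True when one of the level's full-trust conditions matches the assembly's
    // own evidence (the condition compares the key, plus name and version when set).
    public static bool IsFullyTrusted(PolicyLevel level, Assembly asm)
    {
        foreach (StrongNameMembershipCondition mc in level.FullTrustAssemblies)
            if (mc.Check(asm.Evidence))
                return true;
        return false;
    }

    public static void Main()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        Assembly asm = typeof(object).Assembly;   // mscorlib is always strong-named

        // AddFullTrustAssembly also accepts a StrongName and wraps it in a
        // StrongNameMembershipCondition; skip it if an equivalent entry exists.
        if (!IsFullyTrusted(p, asm))
            p.AddFullTrustAssembly(StrongNameOf(asm));

        Console.WriteLine("{0} fully trusted at this level: {1}",
            asm.GetName().Name, IsFullyTrusted(p, asm));
        foreach (StrongNameMembershipCondition mc in p.FullTrustAssemblies)
            Console.WriteLine("full-trust entry: {0} {1}", mc.Name, mc.Version);
    }
}
```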

2.2. Managing named permission sets

To manage a policy level's named permission sets, use the AddNamedPermissionSet and RemoveNamedPermissionSet methods. AddNamedPermissionSet takes a NamedPermissionSet argument, whereas RemoveNamedPermissionSet can take either a NamedPermissionSet or a String containing the name of the NamedPermissionSet to remove. You can also change the permissions of an existing NamedPermissionSet without removing and re-adding it: call the ChangeNamedPermissionSet method, passing it the name of the NamedPermissionSet to change and a PermissionSet containing the new set of permissions.

The GetNamedPermissionSet method returns a NamedPermissionSet with the specified name, and the NamedPermissionSets property gets an IList containing the set of NamedPermissionSet objects. Example 2 demonstrates the manipulation of named permission sets.

Example 2. Manipulating named permission sets
# C#

// Namespaces needed by this fragment.
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Get a copy of the default permission set named "Internet" and
// call it "NewPermissionSet".
NamedPermissionSet ps =
    p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");

// Add the new permission set.
p.AddNamedPermissionSet(ps);

// Modify the permission set "NewPermissionSet" to grant unrestricted
// access.
p.ChangeNamedPermissionSet("NewPermissionSet",
    new PermissionSet(PermissionState.Unrestricted));

// Remove the NewPermissionSet permission set.
p.RemoveNamedPermissionSet("NewPermissionSet");

# Visual Basic .NET

' Namespaces needed by this fragment.
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel()

' Get a copy of the default permission set named "Internet" and
' call it "NewPermissionSet".
Dim ps As NamedPermissionSet = _
    p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet")

' Add the new permission set.
p.AddNamedPermissionSet(ps)

' Modify the permission set "NewPermissionSet" to grant unrestricted
' access.
p.ChangeNamedPermissionSet("NewPermissionSet", _
    New PermissionSet(PermissionState.Unrestricted))

' Dump the policy level as XML to inspect the change.
Console.WriteLine(p.ToXml())

' Remove the NewPermissionSet permission set.
p.RemoveNamedPermissionSet("NewPermissionSet")


2.3. Managing the code group tree

You get and set the root code group of the policy level's code group tree using the RootCodeGroup property. You must then use the methods and properties of CodeGroup to build and configure the tree hierarchy.

The difficulty in building large code group trees is that the CodeGroup.AddChild method and the PolicyLevel.RootCodeGroup property both store a copy of the CodeGroup you pass to them, not the object itself. Therefore, you must either build your tree from the bottom up, or reacquire a reference to the CodeGroup you have just added before adding children to it; children added to the original object afterwards never reach the tree.


Example 3. Manipulating the code group tree of a policy level
# C#

// Namespaces needed by this fragment.
using System.Security;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Create the MyCompany named permission set as a copy of
// the default LocalIntranet named permission set.
p.AddNamedPermissionSet(
    p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany")
);

// Create the My_Site code group that matches all code
// run from the "www.mysite.com" Site and grants it FullTrust.
UnionCodeGroup MySite = new UnionCodeGroup(
    new SiteMembershipCondition("www.mysite.com"),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))
);
MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code
// run from the "www.company.com" Site and grants it the
// MyCompany permission set.
UnionCodeGroup WorkSite = new UnionCodeGroup(
    new SiteMembershipCondition("www.company.com"),
    new PolicyStatement(p.GetNamedPermissionSet("MyCompany"))
);
WorkSite.Name = "Work_Site";

// Create the Internet_Code code group that matches all code
// run from the Internet Zone and grants it Internet permissions.
UnionCodeGroup Internet = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.Internet),
    new PolicyStatement(p.GetNamedPermissionSet("Internet"))
);
Internet.Name = "Internet_Code";

// Add the My_Site and Work_Site code groups as children of the
// Internet code group (AddChild stores copies of them).
Internet.AddChild(MySite);
Internet.AddChild(WorkSite);

// Create the My_Code code group that matches all code
// run from the My_Computer Zone and grants it FullTrust.
UnionCodeGroup MyCode = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.MyComputer),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))
);
MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code,
// but grants no permissions.
UnionCodeGroup Root = new UnionCodeGroup(
    new AllMembershipCondition(),
    new PolicyStatement(p.GetNamedPermissionSet("Nothing"))
);
Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the
// Root code group. Internet already carries its children, so the
// copy stored here is complete.
Root.AddChild(MyCode);
Root.AddChild(Internet);

// Assign the code group tree to the PolicyLevel (the setter copies it).
p.RootCodeGroup = Root;

# Visual Basic .NET

' Namespaces needed by this fragment.
Imports System.Security
Imports System.Security.Policy

' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel()

' Create the MyCompany named permission set as a copy of
' the default LocalIntranet named permission set.
p.AddNamedPermissionSet( _
    p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany"))

' Create the My_Site code group that matches all code
' run from the "www.mysite.com" Site and grants it FullTrust.
Dim MySite As UnionCodeGroup = New UnionCodeGroup( _
    New SiteMembershipCondition("www.mysite.com"), _
    New PolicyStatement(p.GetNamedPermissionSet("FullTrust")))
MySite.Name = "My_Site"

' Create the Work_Site code group that matches all code
' run from the "www.company.com" Site and grants it the
' MyCompany permission set.
Dim WorkSite As UnionCodeGroup = New UnionCodeGroup( _
    New SiteMembershipCondition("www.company.com"), _
    New PolicyStatement(p.GetNamedPermissionSet("MyCompany")))
WorkSite.Name = "Work_Site"

' Create the Internet_Code code group that matches all code
' run from the Internet Zone and grants it Internet permissions.
Dim Internet As UnionCodeGroup = New UnionCodeGroup( _
    New ZoneMembershipCondition(SecurityZone.Internet), _
    New PolicyStatement(p.GetNamedPermissionSet("Internet")))
Internet.Name = "Internet_Code"

' Add the My_Site and Work_Site code groups as children of the
' Internet code group (AddChild stores copies of them).
Internet.AddChild(MySite)
Internet.AddChild(WorkSite)

' Create the My_Code code group that matches all code
' run from the My_Computer Zone and grants it FullTrust.
Dim MyCode As UnionCodeGroup = New UnionCodeGroup( _
    New ZoneMembershipCondition(SecurityZone.MyComputer), _
    New PolicyStatement(p.GetNamedPermissionSet("FullTrust")))
MyCode.Name = "My_Code"

' Create the root UnionCodeGroup that matches all code,
' but grants no permissions.
Dim Root As UnionCodeGroup = New UnionCodeGroup( _
    New AllMembershipCondition(), _
    New PolicyStatement(p.GetNamedPermissionSet("Nothing")))
Root.Name = "All_Code"

' Add the My_Code and Internet_Code groups as children of the
' Root code group. Internet already carries its children, so the
' copy stored here is complete.
Root.AddChild(MyCode)
Root.AddChild(Internet)

' Assign the code group tree to the PolicyLevel (the setter copies it).
p.RootCodeGroup = Root
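The copy semantics described above are easy to get wrong in a way that silently drops part of a policy. The following C# is an added example (not from the book): it builds a reduced version of the Example 3 tree bottom-up, deliberately adds one more group to a local object after that object has already been copied into the tree, and then uses Resolve and ResolveMatchingCodeGroups from Table 6 against constructed evidence to show which groups actually apply to code from each site. Class, method, group and site names (PolicyResolutionDemo, Group, BuildLevel, MatchPath, Late_Site, www.late.example) are the example's own, and it assumes a .NET Framework runtime with CAS policy support.

```csharp
using System;
using System.Security;
using System.Security.Policy;
// Added example, not from the book. Assumes .NET Framework CAS policy types
// (obsolete since 4.0). Group and site names below are constructed.
public static class PolicyResolutionDemo
{
    static UnionCodeGroup Group(PolicyLevel p, string name, IMembershipCondition mc, string permSet)
    {
        UnionCodeGroup g = new UnionCodeGroup(mc, new PolicyStatement(p.GetNamedPermissionSet(permSet)));
        g.Name = name;
        return g;
    }

    public static PolicyLevel BuildLevel()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        UnionCodeGroup mySite = Group(p, "My_Site", new SiteMembershipCondition("www.mysite.com"), "FullTrust");
        UnionCodeGroup internet = Group(p, "Internet_Code", new ZoneMembershipCondition(SecurityZone.Internet), "Internet");
        UnionCodeGroup root = Group(p, "All_Code", new AllMembershipCondition(), "Nothing");
        internet.AddChild(mySite);   // bottom-up: root later receives a copy of
        root.AddChild(internet);     // internet that already carries My_Site
        // Mistake on purpose: this edits the local object, not the copy held by
        // root, so Late_Site never becomes part of the policy.
        internet.AddChild(Group(p, "Late_Site", new SiteMembershipCondition("www.late.example"), "FullTrust"));
        p.RootCodeGroup = root;      // the setter copies root once more
        return p;
    }

    // Names of the groups whose membership the evidence satisfied, root first.
    public static string MatchPath(CodeGroup g)
    {
        string s = g.Name;
        foreach (CodeGroup child in g.Children) s += " > " + MatchPath(child);
        return s;
    }
    public static void Main()
    {
        PolicyLevel p = BuildLevel();
        foreach (string site in new string[] { "www.mysite.com", "www.late.example" })
        {
            // Constructed evidence: code in the Internet zone, downloaded from 'site'.
            Evidence ev = new Evidence();
            ev.AddHost(new Zone(SecurityZone.Internet));
            ev.AddHost(new Site(site));
            Console.WriteLine("{0}: unrestricted={1}, via {2}", site,
                p.Resolve(ev).PermissionSet.IsUnrestricted(), MatchPath(p.ResolveMatchingCodeGroups(ev)));
        }
    }
}
```

Code from www.mysite.com resolves through All_Code > Internet_Code > My_Site to an unrestricted grant, while code from www.late.example stops at Internet_Code with only the Internet permission set, because the Late_Site group was added to an object the tree no longer references.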