programming4us
programming4us
SECURITY

Programming Security Policy (part 4) - Programming Application Domain Policy

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

4. Programming Application Domain Policy

Application domain policy is the final layer of security policy evaluated when determining the code-access permissions to grant an assembly. Regardless of the permissions granted to an assembly based on the enterprise, machine, and user policies, you can further lock down its permissions using application domain policy. Application domain policy is resolved even if the assembly is a member of a LevelFinal code group in a higher policy level.

You configure application domain policy by calling the AppDomain.SetAppDomainPolicy method and passing a configured PolicyLevel object. Application domain policy can be set only once per application domain—setting it a second time results in a System.Security.Policy.PolicyException. Your code must have the ControlDomainPolicy permission to call the SetAppDomainPolicy method. ControlDomainPolicy is an element of SecurityPermission:

# C#

public void SetAppDomainPolicy(
    PolicyLevel domainPolicy
);

# Visual Basic .NET

NotOverridable Public Sub SetAppDomainPolicy( _
    ByVal domainPolicy As PolicyLevel
)

Any assemblies loaded into an application domain before you configure the application domain policy are subject to the standard policy resolution results from the enterprise, machine, and user levels. Application domain policy affects only those assemblies loaded after it's set. This allows you to load assemblies that require higher trust, before locking down the application domain through the additional layer of policy.

The need to implement application domain policy will not be an everyday occurrence, but when writing applications that are responsible for loading other code, the capability is invaluable.

Example 4 uses the SetDomainPolicy method to create a policy level with the code group structure shown in Figure 3 and assign it to a specified application domain. The root code group matches all code but grants the Nothing permission set. The second layer of code groups determines the permissions to grant based on Url evidence of a loaded assembly. You grant assemblies loaded from the Trusted folder the FullTrust permission set, assemblies loaded from the Untrusted folder the Internet permission set, and assemblies loaded from the Demo the Execution permission set. You grant all other assemblies no permissions. Because we expect an assembly to have only one piece of Url evidence, we make the root code group of type FirstMatchCodeGroup, saving the runtime from performing unnecessary policy resolution processing.

Figure 3. Sample application domain policy

Example 4. Creating a policy level and assigning it to an application domain
# C#

private static void SetDomainPolicy(AppDomain domain) {
        
        // Create a new PolicyLevel for the application domain
    PolicyLevel policy = PolicyLevel.CreateAppDomainLevel(  );

    // Create a new FirstMatchCodeGroup that matches all code and
    // grants the named permission set "Nothing".
    policy.RootCodeGroup = new FirstMatchCodeGroup(
        new AllMembershipCondition(  ),
        new PolicyStatement(policy.GetNamedPermissionSet("Nothing"))
    );
        
    // Determine the base path name for the URL evidence
    String basePath = "file://" + AppDomain.CurrentDomain.BaseDirectory;

    // Create the code groups that apply to the assemblies loaded 
    // from specific folders. Make each of the the code groups
    // Exclusive so that they set the absolut maximum permisisons a
    // plugin can have.
    policy.RootCodeGroup.AddChild(new UnionCodeGroup(
        new UrlMembershipCondition(basePath + "Trusted/*"),
        new PolicyStatement(policy.GetNamedPermissionSet("FullTrust"),
        PolicyStatementAttribute.Exclusive)
    ));

    policy.RootCodeGroup.AddChild(new UnionCodeGroup(
        new UrlMembershipCondition(basePath + "Untrusted/*"),
        new PolicyStatement(policy.GetNamedPermissionSet("Internet"),
        PolicyStatementAttribute.Exclusive)
    ));

    policy.RootCodeGroup.AddChild(new UnionCodeGroup(
        new UrlMembershipCondition(basePath + "Demo/*"),
        new PolicyStatement(policy.GetNamedPermissionSet("Execution"),
        PolicyStatementAttribute.Exclusive)
    ));

    // Assign the policy to the specified application domain.
    domain.SetAppDomainPolicy(policy);
}

# Visual Basic .NET

Private Shared Sub SetDomainPolicy(ByVal domain As AppDomain)
 
        ' Create a new PolicyLevel for the application domain
    Dim policy As PolicyLevel = _
    PolicyLevel.CreateAppDomainLevel(  ) 
 
    ' Create a new FirstMatchCodeGroup that matches all code and
    ' grants the named permission set "Nothing".
    policy.RootCodeGroup = New FirstMatchCodeGroup( _
    New AllMembershipCondition(  ), _
    New PolicyStatement(policy.GetNamedPermissionSet("Nothing")))
 
    ' Determine the base path name for the URL evidence
    Dim basePath As String = _
    "file://" & AppDomain.CurrentDomain.BaseDirectory;

    ' Create the code groups that apply to the assemblies loaded 
    ' from specific folders. Make each of the the code groups
    ' Exclusive so that they set the absolut maximum permisisons a
    ' plugin can have.
    policy.RootCodeGroup.AddChild(New UnionCodeGroup( _
    New UrlMembershipCondition(basePath & "Trusted/*"), _
    New PolicyStatement(policy.GetNamedPermissionSet("FullTrust"), _
    PolicyStatementAttribute.Exclusive)))
 
    policy.RootCodeGroup.AddChild(New UnionCodeGroup( _
    New UrlMembershipCondition(basePath & "Untrusted/*"), _
    New PolicyStatement(policy.GetNamedPermissionSet("Internet"), _
    PolicyStatementAttribute.Exclusive)))
 
    policy.RootCodeGroup.AddChild(New UnionCodeGroup( _
    New UrlMembershipCondition(basePath & "Demo/*"), _
    New PolicyStatement(policy.GetNamedPermissionSet("Execution"), _
    PolicyStatementAttribute.Exclusive)))

 
    ' Assign the policy to the specified application domain.
    domain.SetAppDomainPolicy(policy)
End Sub		  
Other  
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Celebrity Style, Fashion Trends, Beauty and Makeup Tips.
programming4us
 
 
programming4us