Tags: c#, .net-4.0, appdomain, privileges, code-access-security

Seeking alternative to AppDomain.CreateDomain(string, evidence) due to obsolete CAS policy


I am working through the Microsoft .NET Framework Application Development Foundation Training Kit book, Chapter 8, Lesson 2: Configuring Application Domains.

ShowWinIni is the assembly name of the program I want to execute.

using System;
using System.Security.Policy;

// Host evidence placing the new domain in the MyComputer zone
object[] hostEvidence = { new Zone(SecurityZone.MyComputer) };
Evidence e = new Evidence(hostEvidence, null);

// Create an AppDomain.
AppDomain d = AppDomain.CreateDomain("New Domain", e);

// Run the assembly
d.ExecuteAssemblyByName("ShowWinIni");

When I execute:

AppDomain d = AppDomain.CreateDomain("New Domain", e);

I get the following message: "This method implicitly uses CAS policy, which has been obsoleted by the .NET Framework. In order to enable CAS policy for compatibility reasons, please use the NetFx40_LegacySecurityPolicy configuration switch. Please see http://go.microsoft.com/fwlink/?LinkID=155570 for more information."

I can execute the assembly fine when I create an AppDomain without an Evidence object.

Of course, I visited http://go.microsoft.com/fwlink/?LinkID=155570 but I am still confused as to how to create an application domain with specified privileges.

The next most helpful site I found was http://msdn.microsoft.com/en-us/library/bb763046.aspx but my StrongName object computes to NULL.

using System.Security.Policy;

// Returns null for this assembly
StrongName fullTrustAssembly =
     typeof(Program).Assembly.Evidence.GetHostEvidence<StrongName>();

Program is the name of the class implementing all of this code.

Thanks in advance for your advice and tips!


Solution

  • I found a way to make the original code example work without having to enable NetFX40_LegacySecurityPolicy.

    using System;
    using System.Security.Policy;

    // Typed as EvidenceBase[] rather than object[]
    EvidenceBase[] hostEvidence = { new Zone(SecurityZone.MyComputer) };
    Evidence e = new Evidence(hostEvidence, null);
    
    AppDomain d = AppDomain.CreateDomain("New Domain", e);
    
    d.ExecuteAssemblyByName("ShowWinIni");
    

    This will not work if you change the SecurityZone to Internet; it will try to use the obsoleted CAS security policy, resulting in a NotSupportedException. What I want is a SecurityException, meaning that the assembly I want to execute does not have the permissions it needs.

    To execute an assembly in an AppDomain with restricted permissions, you need to use sandboxing. The best example of sandboxing I found is here: http://www.simple-talk.com/dotnet/.net-framework/whats-new-in-code-access-security-in-.net-framework-4.0---part-i/

    I think that page also explains the changes made to CAS in 4.0 very well!

    Many sources, including MSDN, had me convinced I needed to provide a StrongName array when calling:

    AppDomain.CreateDomain( string friendlyName,
                            Evidence securityInfo,
                            AppDomainSetup info,
                            PermissionSet grantSet,
                            params StrongName[] fullTrustAssemblies);
    

    As stated in my original post, I was (and still am) having trouble getting a StrongName object instead of null. Turns out I didn't even need it!

    This is my completed example for sandboxing:

    using System;
    using System.IO;
    using System.Security;
    using System.Security.Policy;

    // Build the standard Internet-zone permission set
    Evidence ev = new Evidence();
    ev.AddHostEvidence(new Zone(SecurityZone.Internet));
    PermissionSet internetPS = SecurityManager.GetStandardSandbox(ev);
    
    // The sandbox resolves assemblies relative to this directory
    AppDomainSetup adSetup = new AppDomainSetup();
    adSetup.ApplicationBase = Path.GetFullPath(pathToUntrusted);
    
    // No fullTrustAssemblies needed: the grant set alone defines the sandbox
    AppDomain newDomain = AppDomain.CreateDomain("Sandbox Domain", null, adSetup, internetPS);
    
    newDomain.ExecuteAssemblyByName(untrustedAssembly);
    

    pathToUntrusted: a string containing the file path to my assembly

    untrustedAssembly: a string containing the assembly name
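The following is an added example, not code from the question, the answer or the training kit, that extends the sandboxing approach above: instead of executing a whole assembly by name, it creates a MarshalByRefObject-derived worker inside an Internet-zone sandbox and calls it from the host, so the host observes the SecurityException directly. The worker class, the file chosen for the read attempt and the method names are assumptions for illustration. It also shows the reason the StrongName lookup in the original post returned null: GetHostEvidence<StrongName>() is only populated for an assembly signed with a strong-name key, so an unsigned project gets null, and the example guards that case rather than passing null to CreateDomain.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical worker that runs inside the sandbox. It derives from
// MarshalByRefObject so the host talks to it through a proxy across the
// AppDomain boundary instead of copying it back into the host's full trust.
public class UntrustedWorker : MarshalByRefObject
{
    // Under the Internet grant set FileIOPermission is not granted, so the
    // FileStream opened by File.ReadAllText fails with a SecurityException.
    public string TryReadFile(string path)
    {
        try
        {
            return "read " + File.ReadAllText(path).Length + " chars";
        }
        catch (SecurityException)
        {
            return "denied by sandbox";
        }
    }
}

public static class SandboxHost
{
    // Builds the strong-name list for the fullTrustAssemblies parameter.
    // An unsigned assembly has no StrongName host evidence, so the lookup
    // returns null and the list stays empty (the sandbox still works).
    public static StrongName[] FullTrustListFor(System.Reflection.Assembly asm)
    {
        StrongName name = asm.Evidence.GetHostEvidence<StrongName>();
        return name == null ? new StrongName[0] : new[] { name };
    }

    public static AppDomain CreateSandbox(string applicationBase, params StrongName[] fullTrust)
    {
        // Same grant set the answer uses: the standard Internet-zone sandbox.
        Evidence ev = new Evidence();
        ev.AddHostEvidence(new Zone(SecurityZone.Internet));
        PermissionSet grantSet = SecurityManager.GetStandardSandbox(ev);

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = Path.GetFullPath(applicationBase);

        return AppDomain.CreateDomain("Sandbox Domain", null, setup, grantSet, fullTrust);
    }

    public static void Main()
    {
        // No full-trust assemblies: the worker itself must be partially trusted,
        // otherwise the read below would succeed and the demo would prove nothing.
        AppDomain sandbox = CreateSandbox(AppDomain.CurrentDomain.BaseDirectory);
        try
        {
            // Instantiate the worker inside the sandbox; the cast yields a transparent proxy.
            UntrustedWorker worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);

            // Path constructed for the demo (the same file the ShowWinIni program reads).
            string winIni = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.Windows), "win.ini");

            Console.WriteLine("sandbox: " + worker.TryReadFile(winIni));
            // Same code in the fully trusted host domain, for comparison.
            Console.WriteLine("host:    " + new UntrustedWorker().TryReadFile(winIni));
        }
        finally
        {
            // Unloading the domain is the only way to discard the sandboxed code.
            AppDomain.Unload(sandbox);
        }
    }
}
```

The Internet grant set is what makes the read fail; swapping SecurityZone.Internet for SecurityZone.MyComputer would hand the worker full trust and both lines would report a successful read. If a trusted helper (a logger, a proxy to a host service) genuinely needs full trust inside the sandbox, sign its assembly with a strong-name key and pass FullTrustListFor(thatAssembly) as the fullTrust argument; keep the untrusted code in a separate, unsigned assembly so it stays at the grant set.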