// // System.Security.Policy.DefaultPolicies.cs // // Author: // Sebastien Pouliot // // Copyright (C) 2005 Novell, Inc (http://www.novell.com) // // Permission is hereby granted, free of charge, to any person obtaining // a copy of this software and associated documentation files (the // "Software"), to deal in the Software without restriction, including // without limitation the rights to use, copy, modify, merge, publish, // distribute, sublicense, and/or sell copies of the Software, and to // permit persons to whom the Software is furnished to do so, subject to // the following conditions: // // The above copyright notice and this permission notice shall be // included in all copies or substantial portions of the Software. // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. // using System.Security.Permissions; namespace System.Security.Policy { /* NOTES * * [1] Some permissions classes are defined _outside_ mscorlib.dll. * In this case we're using SecurityElement to construct the * permissions manually. * */ internal static class DefaultPolicies { public static class ReservedNames { public const string FullTrust = "FullTrust"; public const string LocalIntranet = "LocalIntranet"; public const string Internet = "Internet"; public const string SkipVerification = "SkipVerification"; public const string Execution = "Execution"; public const string Nothing = "Nothing"; public const string Everything = "Everything"; static public bool IsReserved (string name) { switch (name) { case FullTrust: case LocalIntranet: case Internet: case SkipVerification: case Execution: case Nothing: case Everything: return true; default: return false; } } } public enum Key { Ecma, MsFinal, } private const string DnsPermissionClass = "System.Net.DnsPermission, " + Consts.AssemblySystem; private const string EventLogPermissionClass = "System.Diagnostics.EventLogPermission, " + Consts.AssemblySystem; private const string PrintingPermissionClass = "System.Drawing.Printing.PrintingPermission, " + Consts.AssemblySystem_Drawing; private const string SocketPermissionClass = "System.Net.SocketPermission, " + Consts.AssemblySystem; private const string WebPermissionClass = "System.Net.WebPermission, " + Consts.AssemblySystem; private const string PerformanceCounterPermissionClass = "System.Diagnostics.PerformanceCounterPermission, " + Consts.AssemblySystem; private const string DirectoryServicesPermissionClass = "System.DirectoryServices.DirectoryServicesPermission, " + Consts.AssemblySystem_DirectoryServices; private const string MessageQueuePermissionClass = "System.Messaging.MessageQueuePermission, " + Consts.AssemblySystem_Messaging; private const string ServiceControllerPermissionClass = "System.ServiceProcess.ServiceControllerPermission, " + Consts.AssemblySystem_ServiceProcess; private const string OleDbPermissionClass = "System.Data.OleDb.OleDbPermission, " + Consts.AssemblySystem_Data; private const string SqlClientPermissionClass = "System.Data.SqlClient.SqlClientPermission, " + Consts.AssemblySystem_Data; // private const string DataProtectionPermissionClass = "System.Security.Permissions.DataProtectionPermission, " + Consts.AssemblySystem_Security; // private const string StorePermissionClass = "System.Security.Permissions.StorePermission, " + Consts.AssemblySystem_Security; private static Version _fxVersion; private static byte[] _ecmaKey = new byte [16] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; private static StrongNamePublicKeyBlob _ecma; private static byte[] _msFinalKey = new byte [160] { 0x00, 0x24, 0x00, 0x00, 0x04, 0x80, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x06, 0x02, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31, 0x00, 0x04, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x07, 0xD1, 0xFA, 0x57, 0xC4, 0xAE, 0xD9, 0xF0, 0xA3, 0x2E, 0x84, 0xAA, 0x0F, 0xAE, 0xFD, 0x0D, 0xE9, 0xE8, 0xFD, 0x6A, 0xEC, 0x8F, 0x87, 0xFB, 0x03, 0x76, 0x6C, 0x83, 0x4C, 0x99, 0x92, 0x1E, 0xB2, 0x3B, 0xE7, 0x9A, 0xD9, 0xD5, 0xDC, 0xC1, 0xDD, 0x9A, 0xD2, 0x36, 0x13, 0x21, 0x02, 0x90, 0x0B, 0x72, 0x3C, 0xF9, 0x80, 0x95, 0x7F, 0xC4, 0xE1, 0x77, 0x10, 0x8F, 0xC6, 0x07, 0x77, 0x4F, 0x29, 0xE8, 0x32, 0x0E, 0x92, 0xEA, 0x05, 0xEC, 0xE4, 0xE8, 0x21, 0xC0, 0xA5, 0xEF, 0xE8, 0xF1, 0x64, 0x5C, 0x4C, 0x0C, 0x93, 0xC1, 0xAB, 0x99, 0x28, 0x5D, 0x62, 0x2C, 0xAA, 0x65, 0x2C, 0x1D, 0xFA, 0xD6, 0x3D, 0x74, 0x5D, 0x6F, 0x2D, 0xE5, 0xF1, 0x7E, 0x5E, 0xAF, 0x0F, 0xC4, 0x96, 0x3D, 0x26, 0x1C, 0x8A, 0x12, 0x43, 0x65, 0x18, 0x20, 0x6D, 0xC0, 0x93, 0x34, 0x4D, 0x5A, 0xD2, 0x93 }; private static StrongNamePublicKeyBlob _msFinal; private static NamedPermissionSet _fullTrust; private static NamedPermissionSet _localIntranet; private static NamedPermissionSet _internet; private static NamedPermissionSet _skipVerification; private static NamedPermissionSet _execution; private static NamedPermissionSet _nothing; private static NamedPermissionSet _everything; public static PermissionSet GetSpecialPermissionSet (string name) { if (name == null) throw new ArgumentNullException ("name"); switch (name) { case ReservedNames.FullTrust: return FullTrust; case ReservedNames.LocalIntranet: return LocalIntranet; case ReservedNames.Internet: return Internet; case ReservedNames.SkipVerification: return SkipVerification; case ReservedNames.Execution: return Execution; case ReservedNames.Nothing: return Nothing; case ReservedNames.Everything: return Everything; default: return null; } } public static PermissionSet FullTrust { get { if (_fullTrust == null) _fullTrust = BuildFullTrust (); return _fullTrust; } } public static PermissionSet LocalIntranet { get { if (_localIntranet == null) _localIntranet = BuildLocalIntranet (); return _localIntranet; } } public static PermissionSet Internet { get { if (_internet == null) _internet = BuildInternet (); return _internet; } } public static PermissionSet SkipVerification { get { if (_skipVerification == null) _skipVerification = BuildSkipVerification (); return _skipVerification; } } public static PermissionSet Execution { get { if (_execution == null) _execution = BuildExecution (); return _execution; } } public static PermissionSet Nothing { get { if (_nothing == null) _nothing = BuildNothing (); return _nothing; } } public static PermissionSet Everything { get { if (_everything == null) _everything = BuildEverything (); return _everything; } } public static StrongNameMembershipCondition FullTrustMembership (string name, Key key) { StrongNamePublicKeyBlob snkb = null; switch (key) { case Key.Ecma: if (_ecma == null) { _ecma = new StrongNamePublicKeyBlob (_ecmaKey); } snkb = _ecma; break; case Key.MsFinal: if (_msFinal == null) { _msFinal = new StrongNamePublicKeyBlob (_msFinalKey); } snkb = _msFinal; break; } if (_fxVersion == null) { _fxVersion = new Version (Consts.FxVersion); } return new StrongNameMembershipCondition (snkb, name, _fxVersion); } // internal stuff private static NamedPermissionSet BuildFullTrust () { return new NamedPermissionSet (ReservedNames.FullTrust, PermissionState.Unrestricted); } private static NamedPermissionSet BuildLocalIntranet () { NamedPermissionSet nps = new NamedPermissionSet (ReservedNames.LocalIntranet, PermissionState.None); nps.AddPermission (new EnvironmentPermission (EnvironmentPermissionAccess.Read, "USERNAME;USER")); nps.AddPermission (new FileDialogPermission (PermissionState.Unrestricted)); IsolatedStorageFilePermission isfp = new IsolatedStorageFilePermission (PermissionState.None); isfp.UsageAllowed = IsolatedStorageContainment.AssemblyIsolationByUser; isfp.UserQuota = Int64.MaxValue; nps.AddPermission (isfp); nps.AddPermission (new ReflectionPermission (ReflectionPermissionFlag.ReflectionEmit)); SecurityPermissionFlag spf = SecurityPermissionFlag.Execution | SecurityPermissionFlag.Assertion; nps.AddPermission (new SecurityPermission (spf)); nps.AddPermission (new UIPermission (PermissionState.Unrestricted)); // DnsPermission requires stuff outside corlib (System) nps.AddPermission (PermissionBuilder.Create (DnsPermissionClass, PermissionState.Unrestricted)); // PrintingPermission requires stuff outside corlib (System.Drawing) nps.AddPermission (PermissionBuilder.Create (PrintingPermission ("SafePrinting"))); return nps; } private static NamedPermissionSet BuildInternet () { NamedPermissionSet nps = new NamedPermissionSet (ReservedNames.Internet, PermissionState.None); nps.AddPermission (new FileDialogPermission (FileDialogPermissionAccess.Open)); IsolatedStorageFilePermission isfp = new IsolatedStorageFilePermission (PermissionState.None); isfp.UsageAllowed = IsolatedStorageContainment.DomainIsolationByUser; isfp.UserQuota = 512000; nps.AddPermission (isfp); nps.AddPermission (new SecurityPermission (SecurityPermissionFlag.Execution)); nps.AddPermission (new UIPermission (UIPermissionWindow.SafeTopLevelWindows, UIPermissionClipboard.OwnClipboard)); // PrintingPermission requires stuff outside corlib (System.Drawing) nps.AddPermission (PermissionBuilder.Create (PrintingPermission ("SafePrinting"))); return nps; } private static NamedPermissionSet BuildSkipVerification () { NamedPermissionSet nps = new NamedPermissionSet (ReservedNames.SkipVerification, PermissionState.None); nps.AddPermission (new SecurityPermission (SecurityPermissionFlag.SkipVerification)); return nps; } private static NamedPermissionSet BuildExecution () { NamedPermissionSet nps = new NamedPermissionSet (ReservedNames.Execution, PermissionState.None); nps.AddPermission (new SecurityPermission (SecurityPermissionFlag.Execution)); return nps; } private static NamedPermissionSet BuildNothing () { return new NamedPermissionSet (ReservedNames.Nothing, PermissionState.None); } private static NamedPermissionSet BuildEverything () { NamedPermissionSet nps = new NamedPermissionSet (ReservedNames.Everything, PermissionState.None); nps.AddPermission (new EnvironmentPermission (PermissionState.Unrestricted)); nps.AddPermission (new FileDialogPermission (PermissionState.Unrestricted)); nps.AddPermission (new FileIOPermission (PermissionState.Unrestricted)); nps.AddPermission (new IsolatedStorageFilePermission (PermissionState.Unrestricted)); nps.AddPermission (new ReflectionPermission (PermissionState.Unrestricted)); nps.AddPermission (new RegistryPermission (PermissionState.Unrestricted)); nps.AddPermission (new KeyContainerPermission (PermissionState.Unrestricted)); // not quite all in this case SecurityPermissionFlag spf = SecurityPermissionFlag.AllFlags; spf &= ~SecurityPermissionFlag.SkipVerification; nps.AddPermission (new SecurityPermission (spf)); nps.AddPermission (new UIPermission (PermissionState.Unrestricted)); // others requires stuff outside corlib nps.AddPermission (PermissionBuilder.Create (DnsPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (PrintingPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (EventLogPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (SocketPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (WebPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (PerformanceCounterPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (DirectoryServicesPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (MessageQueuePermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (ServiceControllerPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (OleDbPermissionClass, PermissionState.Unrestricted)); nps.AddPermission (PermissionBuilder.Create (SqlClientPermissionClass, PermissionState.Unrestricted)); // nps.AddPermission (PermissionBuilder.Create (DataProtectionPermissionClass, PermissionState.Unrestricted)); // nps.AddPermission (PermissionBuilder.Create (StorePermissionClass, PermissionState.Unrestricted)); return nps; } private static SecurityElement PrintingPermission (string level) { SecurityElement se = new SecurityElement ("IPermission"); se.AddAttribute ("class", PrintingPermissionClass); se.AddAttribute ("version", "1"); se.AddAttribute ("Level", level); return se; } } }