Login/Register
Code Access Security exception in restricted AppDomain
Asked Answered
Solved c#appdomaincode-access-security
N

1

4

Goal: I need to run some code in an AppDomain with very limited permissions - it should have no access to anything at all fancy or unsafe, except for a few helper methods that I have defined elsewhere.

What I've done: I'm creating a sandbox AppDomain with the required basic permissions, and creating a proxy object, which runs the code:

static AppDomain CreateSandbox()
{
    var e = new Evidence();
    e.AddHostEvidence(new Zone(SecurityZone.Internet));

    var ps = SecurityManager.GetStandardSandbox(e);
    var security = new SecurityPermission(SecurityPermissionFlag.Execution);

    ps.AddPermission(security);

    var setup = new AppDomainSetup { 
        ApplicationBase = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location) 
    };
    return AppDomain.CreateDomain("Sandbox" + DateTime.Now, null, setup, ps);
}

public class Proxy : MarshalByRefObject
{
    public Proxy() { }

    public DoStuff()
    {
       // perform custom operation requiring permission
       HelperAssembly.HelperMethods.Method1();

       // do other stuff with low permission level
       ...
       ...
       ...   
    }
}

I've put the helper methods in a dedicated strong-named assembly, and marked them and their container class with [SecuritySafeCritical]:

// HelperAssembly.dll

namespace HelperAssembly
{
    [SecuritySafeCritical]
    public class HelperMethods
    {
        [SecuritySafeCritical]
        public static void Method1()
        {
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode)
                .Assert();
            try
            {
                // logic requiring unmanaged code
                ...
            }
            finally
            {
                CodeAccessSecurity.RevertAll();
            }

        }
    }
}

Then, I load the helper assembly in the sandbox AppDomain and run Proxy.DoStuff(), expecting it to execute the helper method and be on its way:

var appDomain = CreateSandbox();

appDomain.Load(typeof(HelperAssembly.HelperMethods).Assembly.FullName);

var proxy = (Proxy)sandbox.CreateInstance(
    typeof(Proxy).Assembly.FullName, 
    typeof(Proxy).FullName).Unwrap();

proxy.DoStuff();

However, running the code causes an exception on the Assert() line in the helper method:

Unhandled Exception: System.InvalidOperationException: Cannot perform CAS Asserts in Security Transparent methods

What is the reason for this behavior and how can I achieve what I'm trying to do? To my understanding, the code in the untrusted AppDomain is security transparent, while the code in the helper assembly is security safe-critical, meaning it should be able to request permissions with Assert().

I'm obviously missing a piece of the puzzle, so it's up to someone with better understanding of Code Access Security to explain what is going wrong. Any help is appreciated.

Nerva answered 6/10, 2013 at 19:13 Comment(4)
Does your trusted assembly have the AllowPartiallyTrustedCallers attribute? IIRC it's used for SecuritySafeCritical stuff... Also, you're not using the fullTrustAssemblies argument of CreateDomain. Is that normal?Ygerne
The [SecuritySafeCritical] attribute is ignored unless you strong-name the assembly. Project + Properties, Signing tab.Gersham
@Medinoc, correct! I needed to add the helper assembly as trusted in AppDomain.Create, and mark it as [AllowPartiallyTrustedCallers]. Please promote your comment to an answer so I can mark it as correct.Nerva
@HansPassant, thank you for your input. You are correct, however in this case the helper assembly was strong-named (I mentioned it in the question, but perhaps I should have bold-ed it).Nerva
Y
5

Your "Trusted" assembly needs to have the AllowPartiallyTrustedCallers attribute for SecuritySafeCritical to be callable across assembly boundary. It must also be added to the fullTrustAssemblies in your call to CreateDomain.

Ygerne answered 6/10, 2013 at 22:16 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.