Whenever an assembly accesses a protected resource, the permissions it holds are determined by the CLR's code access security (CAS) system. The permission set granted to an assembly is based on the assembly's evidence (such as its URL, publisher certificate or strong name), which is in turn evaluated against configurable security policy.
Code groups are the building blocks of security policy. A code group is an association between an evidence value (its membership condition) and a permission set.
A hierarchical structure of code groups defines a security policy. The .NET Framework comes with three security policy levels: Enterprise, Machine and User. Additionally, a host can define an application domain-level policy by calling the AppDomain.SetAppDomainPolicy method on the System.AppDomain class. The first three policies are typically set by administrators, while the latter is defined by developers.
There are a number of built-in permission sets, as shown below.
- FullTrust
- Everything
- Internet
- LocalIntranet
- Execution
- SkipVerification
- Nothing
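As an added example (not code from the original article), the following VB.NET console program walks the policy levels returned by SecurityManager.PolicyHierarchy() and prints, for each level, its named permission sets and the code-group tree with each group's membership condition, granted permission set and attributes. It is the read-only view to take before changing any policy. It assumes .NET Framework 2.0 to 3.5, or 4.x with NetFx40_LegacySecurityPolicy enabled in app.config; without that, PolicyHierarchy throws NotSupportedException because CAS policy is disabled by default in 4.x.

```vbnet
' Added example, not part of the original article: read-only audit of CAS policy.
' Assumes legacy CAS policy is available (see lead-in).
Imports System
Imports System.Collections
Imports System.Security
Imports System.Security.Policy

Module PolicyAudit
    Sub Main()
        ' Enumerate the configured policy levels (Enterprise, Machine, User, ...)
        Dim levels As IEnumerator = SecurityManager.PolicyHierarchy()
        While levels.MoveNext()
            Dim level As PolicyLevel = CType(levels.Current, PolicyLevel)
            Console.WriteLine("=== Policy level: {0}  (file: {1})", level.Label, level.StoreLocation)

            ' Named permission sets defined at this level (FullTrust, Internet, ...)
            Console.WriteLine("  Named permission sets:")
            For Each ps As NamedPermissionSet In level.NamedPermissionSets
                Dim flag As String = ""
                If ps.IsUnrestricted() Then flag = " (unrestricted)"
                Console.WriteLine("    {0}{1}", ps.Name, flag)
            Next

            ' Code-group tree: evidence (membership condition) -> permission set
            Console.WriteLine("  Code groups:")
            DumpCodeGroup(level.RootCodeGroup, 2)
        End While
    End Sub

    ' Recursively print a code group and its children, indented by depth.
    Sub DumpCodeGroup(ByVal cg As CodeGroup, ByVal depth As Integer)
        Dim indent As String = New String(" "c, depth * 2)
        Dim psName As String = cg.PermissionSetName
        If psName Is Nothing Then psName = "(none)"
        ' MembershipCondition.ToString() gives e.g. "Zone - MyComputer" or "StrongName - ..."
        ' AttributeString shows Exclusive / LevelFinal when set on the policy statement
        Console.WriteLine("{0}{1}: [{2}] -> {3} {4}", indent, cg.Name, _
                          cg.MembershipCondition.ToString(), psName, cg.AttributeString)
        For Each child As CodeGroup In cg.Children
            DumpCodeGroup(child, depth + 1)
        Next
    End Sub
End Module
```

Run it as an ordinary user first: the User level is always readable and writable by that account, while the Machine and Enterprise levels show the administrator-managed policy files, which is where an unexpected FullTrust code group would matter most.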
Let's see how to create and delete a code group at runtime.
Register a code group.
We need to decide on the following when creating a code group.
- At what level do we need to set the code group?
- What evidence value is to be used?
- What permission set do we need to provide for this code group?
To access a security level.
Imports System.Collections
Imports System.Reflection
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy
We can use SecurityManager.PolicyHierarchy() to enumerate the policy levels and pick the one labelled "Machine":
    Function GetMachinePolicyLevel() As PolicyLevel
        Dim secLevels As IEnumerator = SecurityManager.PolicyHierarchy()
        Dim policyMachineLevel As PolicyLevel = Nothing
        Dim machineCodeGroupRoot As CodeGroup = Nothing
        While secLevels.MoveNext()
            Dim level As PolicyLevel = CType(secLevels.Current, PolicyLevel)
            ' AndAlso short-circuits, so level.Label is not read when level is Nothing
            If Not (level Is Nothing) AndAlso level.Label = "Machine" Then ' check whether this is the Machine level
                policyMachineLevel = level
                machineCodeGroupRoot = level.RootCodeGroup
                Exit While
            End If
        End While
        Return policyMachineLevel
    End Function
To provide evidence value.
We can use Assembly.GetExecutingAssembly() to get the current assembly and then read its Evidence collection. The collection mixes several kinds of evidence (Zone, Url, Hash, StrongName, ...), so each entry has to be tested for the type we want:
    Function GetPublicKey() As StrongNamePublicKeyBlob
        Dim myAssembly As [Assembly] = [Assembly].GetExecutingAssembly()
        Dim evidence As Evidence = myAssembly.Evidence
        Dim enuEvd As IEnumerator = evidence.GetEnumerator()
        Dim pubKey As StrongNamePublicKeyBlob = Nothing
        While enuEvd.MoveNext() ' Get the public key so as to use it as evidence
            Dim obj As [Object] = enuEvd.Current
            ' It can be any of Zone, Url, StrongName, Hash; TryCast yields Nothing for the others
            Dim sn As StrongName = TryCast(obj, StrongName)
            If Not (sn Is Nothing) Then
                pubKey = sn.PublicKey
                Exit While
            End If
        End While
        Return pubKey ' Nothing if the assembly is not strong-name signed
    End Function
Register a code group with PublicKey as Evidence and FullTrust as PermissionSet.
Given the key and the Machine policy level obtained above:
    Sub RegisterCodeGroup(ByVal cdeGroupKey As StrongNamePublicKeyBlob, ByVal policyMachineLevel As PolicyLevel, ByVal machineCodeGroupRoot As CodeGroup)
        ' Create a code group with the public key as evidence; Nothing for name and version
        ' means any assembly signed with this key matches
        Dim condition As New StrongNameMembershipCondition(cdeGroupKey, Nothing, Nothing)
        ' Look up the level's built-in FullTrust named permission set rather than constructing a new one by name
        Dim fullTrust As PermissionSet = policyMachineLevel.GetNamedPermissionSet("FullTrust")
        Dim myCodeGroup As New UnionCodeGroup(condition, New PolicyStatement(fullTrust))
        myCodeGroup.Description = "Code group grants full trust to all code originating from the Arsenal team"
        myCodeGroup.Name = "MyGroup"
        machineCodeGroupRoot.AddChild(myCodeGroup) ' add this group to the security level you have chosen
        SecurityManager.SavePolicyLevel(policyMachineLevel) ' at last save the policy (writing the Machine level needs administrative rights)
    End Sub

To check whether a CodeGroup is present.
We can walk the children of the machine-level root code group to find whether the code group is already registered (only direct children are checked; nested groups would need a recursive walk):
    Function CodeGroupExists(ByVal machineCodeGroupRoot As CodeGroup, ByVal name As String) As Boolean
        Dim codeGroup As CodeGroup
        For Each codeGroup In machineCodeGroupRoot.Children
            If codeGroup.Name = name Then
                Return True ' already added
            End If
        Next codeGroup
        Return False
    End Function
To delete a codegroup.
We just need to call RemoveChild on the parent inside the loop above, before returning, and save the policy level afterwards as in the registration step:
    Sub RemoveCodeGroup(ByVal machineCodeGroupRoot As CodeGroup, ByVal name As String)
        Dim codeGroup As CodeGroup
        For Each codeGroup In machineCodeGroupRoot.Children
            If codeGroup.Name = name Then
                machineCodeGroupRoot.RemoveChild(codeGroup) ' pass the variable, not the CodeGroup type
                Exit For
            End If
        Next codeGroup
    End Sub
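The whole procedure, from locating the policy level to registering, verifying and removing the group, as one complete VB.NET program added here (not code from the original article). It assumes the executing assembly is strong-name signed, that the process has administrative rights when saving the Machine level, and that legacy CAS policy is available (.NET Framework 2.0 to 3.5, or 4.x with NetFx40_LegacySecurityPolicy enabled); the group name "MyGroup" is the one used in the article. After saving, it calls SecurityManager.ResolvePolicy on the assembly's own evidence to confirm that the grant is now unrestricted, which is the check to run before trusting that the new code group took effect.

```vbnet
' Added example, not part of the original article. Run with no arguments to register
' the code group, or with "remove" to delete it again.
Imports System
Imports System.Collections
Imports System.Reflection
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

Module CodeGroupManager
    Const GroupName As String = "MyGroup" ' name used by the article

    ' Find the policy level with the given label ("Enterprise", "Machine" or "User").
    Function GetPolicyLevel(ByVal label As String) As PolicyLevel
        Dim levels As IEnumerator = SecurityManager.PolicyHierarchy()
        While levels.MoveNext()
            Dim level As PolicyLevel = CType(levels.Current, PolicyLevel)
            ' AndAlso short-circuits, so level.Label is never read on Nothing
            If level IsNot Nothing AndAlso level.Label = label Then Return level
        End While
        Return Nothing
    End Function

    ' Pull the StrongName evidence out of an assembly's evidence collection.
    ' Returns Nothing when the assembly is not strong-name signed.
    Function GetStrongNameKey(ByVal asm As [Assembly]) As StrongNamePublicKeyBlob
        For Each item As Object In asm.Evidence
            Dim sn As StrongName = TryCast(item, StrongName) ' other entries are Zone, Url, Hash, ...
            If sn IsNot Nothing Then Return sn.PublicKey
        Next
        Return Nothing
    End Function

    ' Look up a direct child of root by name; Nothing if absent.
    Function FindChild(ByVal root As CodeGroup, ByVal name As String) As CodeGroup
        For Each child As CodeGroup In root.Children
            If child.Name = name Then Return child
        Next
        Return Nothing
    End Function

    Sub Main(ByVal args As String())
        Dim level As PolicyLevel = GetPolicyLevel("Machine")
        If level Is Nothing Then
            Console.WriteLine("Machine policy level not found (legacy CAS policy disabled?)")
            Return
        End If
        Dim root As CodeGroup = level.RootCodeGroup

        Dim key As StrongNamePublicKeyBlob = GetStrongNameKey([Assembly].GetExecutingAssembly())
        If key Is Nothing Then
            Console.WriteLine("This assembly is not strong-name signed; no StrongName evidence to bind to.")
            Return
        End If

        If args.Length > 0 AndAlso args(0) = "remove" Then
            Dim existing As CodeGroup = FindChild(root, GroupName)
            If existing IsNot Nothing Then
                root.RemoveChild(existing)
                SecurityManager.SavePolicyLevel(level) ' deletion is not persisted until saved
                Console.WriteLine("Removed code group {0}", GroupName)
            End If
            Return
        End If

        If FindChild(root, GroupName) IsNot Nothing Then
            Console.WriteLine("Code group {0} already registered", GroupName)
            Return
        End If

        ' Membership condition: strong-name public key only (name and version left open)
        Dim condition As New StrongNameMembershipCondition(key, Nothing, Nothing)
        ' Use the level's built-in FullTrust set rather than constructing a new one
        Dim fullTrust As PermissionSet = level.GetNamedPermissionSet("FullTrust")
        Dim newGroup As New UnionCodeGroup(condition, New PolicyStatement(fullTrust))
        newGroup.Name = GroupName
        newGroup.Description = "Full trust for assemblies signed with this strong-name key"
        root.AddChild(newGroup)
        SecurityManager.SavePolicyLevel(level) ' needs administrative rights for the Machine level

        ' Verify: resolve policy for this assembly's evidence and confirm it is now unrestricted
        Dim granted As PermissionSet = SecurityManager.ResolvePolicy([Assembly].GetExecutingAssembly().Evidence)
        Console.WriteLine("Registered {0}; resolved grant is unrestricted: {1}", GroupName, granted.IsUnrestricted())
    End Sub
End Module
```

Binding the condition to the public key alone (name and version Nothing) means every assembly signed with that key gets full trust, so the private key for that strong name becomes as sensitive as the policy file itself; restricting the condition to a name or version narrows what the group grants.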
Note: this article was converted from C# to VB.NET using a conversion tool. The original article can be found on C# Corner (www.c-sharpcorner.com).