How to Maintain a Code Group in Security Policy at Runtime

Whenever an assembly accesses a protected resource, the CLR's code access security (CAS) system determines the permissions. The permission set granted to an assembly is based on the assembly's evidence (such as its URL, publisher certificate, or strong name), which is evaluated against a configurable security policy.

Code groups are the building blocks of security policies. A code group is an association between an evidence value (its membership condition) and a permission set.

A hierarchical structure of code groups defines a security policy. The .NET Framework comes with three different security policies: Enterprise, Machine, and User. Additionally, a host can define an application domain-level policy by calling the AppDomain.SetAppDomainPolicy method on the System.AppDomain class. The first three policies are typically set by an administrator, whereas the latter is defined by developers.

There are a number of built-in (named) permission sets, as shown below.

  • FullTrust
  • Everything
  • Internet
  • LocalIntranet
  • Execution
  • SkipVerification
  • Nothing

Now let's see how to create and delete a code group at runtime.

Registering the Code Group

You need to decide on the following when creating a code group:

  1. At what level do you need to set the code group?
  2. What evidence value is to be set?
  3. What permission set do you need to provide for this code group?

Accessing a Security Level

SecurityManager.PolicyHierarchy() returns an enumerator over the policy levels; walk it and match the level you want by its Label (here "Machine"):

using System.Collections;
using System.Security;
using System.Security.Policy;

IEnumerator secLevels = SecurityManager.PolicyHierarchy();
PolicyLevel policyMachineLevel = null;
CodeGroup machineCodeGroupRoot = null;
while (secLevels.MoveNext())
{
   PolicyLevel level = secLevels.Current as PolicyLevel;
   // Match the policy level by its label (Enterprise, Machine, User)
   if (level != null && level.Label == "Machine")
   {
      policyMachineLevel = level;
      machineCodeGroupRoot = level.RootCodeGroup;   // top of the level's code group tree
      break;
   }
}
return policyMachineLevel;

Providing Evidence Value

You can use Assembly.GetExecutingAssembly() to get the assembly object and then read its Evidence property to get the evidence information. Each item in the evidence collection is a different kind of evidence (Zone, Url, StrongName, Hash, and so on); here we look for the StrongName entry and take its public key.

using System.Collections;
using System.Reflection;
using System.Security.Permissions;
using System.Security.Policy;

Assembly myAssembly = Assembly.GetExecutingAssembly();
Evidence evidence   = myAssembly.Evidence;
IEnumerator enuEvd  = evidence.GetEnumerator();
StrongNamePublicKeyBlob pubKey = null;
// Get the public key so as to use it as evidence
while (enuEvd.MoveNext())
{
   Object obj = enuEvd.Current;
   // It can be any of Zone, Url, StrongName, Hash, ...
   StrongName sn = obj as StrongName;
   if (sn != null)
   {
      pubKey = sn.PublicKey;
      break;
   }
}
return pubKey;   // null if the assembly is not strong-named

Registering a Code Group with PublicKey as Evidence and FullTrust as PermissionSet

// Obtain the public key of the executing assembly using the evidence logic
// shown above (GetExecutingAssemblyPublicKey is an assumed helper name)
StrongNamePublicKeyBlob cdeGroupKey = GetExecutingAssemblyPublicKey();
// Create a code group whose membership condition is the public key (name and
// version are null, so any assembly signed with that key matches) and whose
// policy statement is the policy level's own built-in FullTrust set
UnionCodeGroup myCodeGroup = new UnionCodeGroup(
   new StrongNameMembershipCondition(cdeGroupKey, null, null),
   new PolicyStatement(policyMachineLevel.GetNamedPermissionSet("FullTrust")));
myCodeGroup.Description = "Code group grants full trust to all code " +
                          "originating from this group";
myCodeGroup.Name = "MyGroup";
// Add this group to the root code group of the security level you have chosen
machineCodeGroupRoot.AddChild(myCodeGroup);
// At last, save the policy (this needs administrative rights)
SecurityManager.SavePolicyLevel(policyMachineLevel);

Checking Whether a Code Group Is Present

You can walk the Children of the machine-level root code group to find out whether the code group is already registered:

foreach (CodeGroup codeGroup in machineCodeGroupRoot.Children)
{
   if (codeGroup.Name == "MyGroup")
   {
      // already added, so do not register a duplicate
      return;
   }
}

Deleting a Code Group

To delete the code group instead, call the following inside that loop, before the return, and then save the policy level again with SecurityManager.SavePolicyLevel so the removal is persisted.

machineCodeGroupRoot.RemoveChild(codeGroup);   // codeGroup is the matching child found above
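As an added example (not part of the original article), the steps above combined into one administrative console program that registers or removes the strong-name code group idempotently, saves the level, and then checks the grant the policy actually resolves for the assembly's evidence. It assumes the assembly is strong-named and runs with administrative rights on .NET Framework 3.5 or earlier; on .NET Framework 4.x these CAS policy APIs are obsolete and throw unless the NetFx40_LegacySecurityPolicy switch is enabled, and they are absent from .NET Core and later. CodeGroupAdmin, FindLevel and ExecutingKey are names chosen here.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
// Added example: assumes a strong-named assembly run as an administrator on .NET
// Framework 3.5 or earlier (on 4.x NetFx40_LegacySecurityPolicy must be enabled).
static class CodeGroupAdmin
{
    const string GroupName = "MyGroup";   // the name used in the article
    static PolicyLevel FindLevel(string label)
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
            if (((PolicyLevel)levels.Current).Label == label)
                return (PolicyLevel)levels.Current;
        throw new InvalidOperationException("policy level not found: " + label);
    }
    static StrongNamePublicKeyBlob ExecutingKey()
    {
        foreach (object item in Assembly.GetExecutingAssembly().Evidence)
            if (item is StrongName) return ((StrongName)item).PublicKey;
        throw new InvalidOperationException("assembly is not strong-named");
    }
    static void Main(string[] args)
    {
        PolicyLevel machine = FindLevel("Machine");
        CodeGroup root = machine.RootCodeGroup;
        CodeGroup existing = null;
        foreach (CodeGroup child in root.Children)
            if (child.Name == GroupName) existing = child;
        bool remove = args.Length > 0 && args[0] == "remove";
        if (remove && existing != null)
            root.RemoveChild(existing);
        else if (!remove && existing == null)   // idempotent: no duplicate groups
        {
            UnionCodeGroup group = new UnionCodeGroup(
                new StrongNameMembershipCondition(ExecutingKey(), null, null),
                new PolicyStatement(machine.GetNamedPermissionSet("FullTrust")));
            group.Name = GroupName;
            root.AddChild(group);
        }
        SecurityManager.SavePolicyLevel(machine);   // persist to security.config
        // Report the effective grant the policy now yields for this evidence.
        Evidence ev = Assembly.GetExecutingAssembly().Evidence;
        Console.WriteLine("FullTrust granted: " + SecurityManager.ResolvePolicy(ev).IsUnrestricted());
    }
}
```

Run it with the argument remove to delete the group; any other invocation registers it. The final line is the check worth keeping: the grant is the intersection of all policy levels, so a group added at Machine level only yields FullTrust if the Enterprise and User levels also allow it.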
