220 likes | 411 Views
System.Security.policy Namespace. By: Marepalli Gayathri. System.Security.policy Namespace. Security policy provides mapping between evidence and permissions. The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain.
E N D
System.Security.policy Namespace By: Marepalli Gayathri
System.Security.policy Namespace • Security policy provides mapping between evidence and permissions. • The runtime uses security policy to determine which code-access permissions to grant an assembly or application domain. • The System.security.policy Namespace contains 3 classes code groups, membership conditions, and evidence. • These classes are used to create the rules applied by the common language runtime (CLR) security policy system
System.Security.policy Namespace Security policy Levels: .NET divides security policy into 4 levels: • Enterprise Policy Level • Machine Policy Level • User Policy Level • Application Domain Policy Level
System.Security.policy Namespace • Policy Level contains 3 key elements: 1.Code groups 2. Named permission sets 3. Fully trusted assemblies Code group: Organized in tree structure
System.Security.policy Namespace • Code group contains name and a description and few elements: 1.Membership Condition: 2. permission set 3.Child code groups 4. Attributes a. Exclusive b. Level Final
System.Security.policy Namespace Policy Resolution:
System.Security.policy Namespace • System.Security.Policy.CodeGroup class:
System.Security.policy Namespace • Structure of code group class: • Membership Condition: An object implements from System.Security.Policy.IMembershipCondition interface. • Policy Statement: Contains System.Security.Policy.PolicyStatement class System.Security.Policy.PolicyStatementAttribute (codegroup’s attributes) System.Security.Permissionset Children: uses System.Collections.IList
System.Security.policy Namespace Programming Membership conditions: These are the classes thatcontains IMembershipCondition interface Ex: bool Check (Evidence evidence); .NET framework includes 8 membership condition classes that are members of System.security.Policy namespace
System.Security.policy Namespace Examples to create membership conditions: // Create a membership condition to match all code. IMembershipCondition m1 = new AllMembershipCondition( ); // Create a membership condition to match all code with Internet Zone evidence. IMembershipCondition m2 =new ZoneMembershipCondition(SecurityZone.Internet); //create a membership condition to match all code from all “google.com” sites IMembershipCondition m3= new SiteMembershipCondition(“*.google.com”); //create a membership condition to match all code with the same publisher certificate used to sign csFile.exe assembly IMembershipCondition m4= new PublisherMembershipCondition(X509Certificate.CreateFromSignedFile(“csFile.exe”));
System.Security.policy Namespace • Programming Policy statements: contains 2 enumerations 1. System.security.PermissionSet 2. System.security.Policy.PolicyStatementAttribute Example to create PolicyStatement and PermissionSet objects: //create a policystatement that grants unrestricted access to everything PolicyStatement p1=new PolicyStatement(new PermissionSet(PermissionState.Unrestricted)); //create a policyStatement that grant read access to the file “C:\g.txt” and specifies the LevelFinal attribute. PermissionSet pset=new PermissionSet(new FileIOPermission (FileIOPermissionAccess.Read,@”C:\g.txt”)); PolicyStatement p2=new PolicyStatement(pset,PolicyStatementAttribute.LevelFinal);
System.Security.policy Namespace Creating code groups: // create the permission set and adding unrestricted file access. PermissionSet pset=new PermissionSet(PermissionState.None); pset.AddPermission(new FileIOPermission(PermissionState.Unrestricted)); // create the policy statement and set the exclusive attribute. PolicyStatement pstate= new Policystatement(pset,PolicyStatementAttribute.Exclusive); // Create membershipCondition to match all “*.google.com” sites. IMembershipCondition mc=new SiteMembershipCondition(“*.google.com”); //create the UnionCodeGroup and UnionCodeGroup cg=new unionCodeGroup(mc,pstate);
System.Security.policy Namespace • Programming Policy Levels: contains System.Security.Policy.PolicyLevel class which contains Fully Trusted assemblies, named permission sets. Managing a fully trusted assembly: Ex: creates a StrongNameMembershipCondition object to add an entry to fully trusted assembly // create a byte array containing the strong name public key data byte[] publickey={0,36,0,0,4,128,0,0,148,0,0,0,169,206,36,4,82,66,,36,0,0,223,231,138,171,62,192…………………………………………………………………………}; //create a strongname publickeyBlob object from the public key byte array. StrongNamePublicKeyBlob blob=new StrongNamePublicKeyBlob(publickey); //create a version object based on the assembly version number Version version=new Version(“1.230.1.1”);
System.Security.policy Namespace //create the new StrongNameMembershipCondition StrongNameMembershipCondition mc=new StrongNameMembershipCondition (blob,”HelloWorld”,version); //create a new application domain policy level PolicyLevel p=PolicyLevel.CreateAppDomianLevel(); // add the strongnamemembershipcondition to fully trusted assembly list p.AddFullTrustAssembly(mc);
System.Security.policy Namespace Managing named permission sets: GetNamedPermissionSet method returns a NamedPermissionSet with specified name NamedPermissionSetsGets an IList containing set of namedPermission Objects Ex: //create a new application domain policy level PolicyLevel p=PolicyLevel.CreateAppDomainLevel(); //get a copy of default permission set named “Internet” and call it “NewPermissionSet” NamedPermissionSet ps=p.GetNamedPermissionSet(“Internet”).Copy(“NewPermissionSet”); //add the new permission set p.AddNamedPermissionset(ps);
System.Security.policy Namespace //Modify the permission set “NewPermissionSet” to grant unrestricted access p.ChangeNamedPermissionSet(“NewPermissionset”,new Permissionset(PermissionState.Unrestricted)); //Remove the NewPermissionSet permission set p.RemoveNamedPermissionSet(“NewPermissionSet”); Managing CodeGroup tree: Ex: // create a new application domain policy level. PolicyLevel p=PolicyLevel.CreateAppDomainLevel(); //create the xyz named permission set as a copy of default LocalIntranet namedpermission set p.AddNamedPermissionSet(p.GetNamedPermissionSet (“LocalIntranet”).Copy(“xyz”));
System.Security.policy Namespace // Create the My_Site code group that matches all code run from the www.mysite.com" Site and grants it FullTrust. UnionCodeGroup MySite = new UnionCodeGroup( new SiteMembershipCondition ("www.mysite.com"), new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))); MySite.Name = "My_Site"; // Create the Work_Site code group that matches all code run from the www.company.com" Site and grants it the MyCompany, permission set. UnionCodeGroup WorkSite = new UnionCodeGroup( new SiteMembershipCondition("www.company.com"), new PolicyStatement(p.GetNamedPermissionSet("MyCompany"))); WorkSite.Name = "Work_Site";
System.Security.policy Namespace // Create the Internet_Code code group that matches all code run from the Internet Zone and grants it Internet permissions. UnionCodeGroup Internet = new UnionCodeGroup( new ZoneMembershipCondition(SecurityZone.Internet), new PolicyStatement(p.GetNamedPermissionSet("Internet"))); Internet.Name=“Internet_Code”; // Add the My_Site and Work_Site code groups as children of the Internet code group Internet.AddChild(MySite); Internet.AddChild(WorkSite);
System.Security.policy Namespace // Create the My_Code code group that matches all code run from the My_Computer Zone and grants it FullTrust. UnionCodeGroup MyCode = new UnionCodeGroup( new ZoneMembershipCondition(SecurityZone.MyComputer), new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))); MyCode.Name = "My_Code"; // Create the root UnionCodeGroup that matches all code, but grants no permissions. UnionCodeGroup Root = new UnionCodeGroup( new AllMembershipCondition( ), new PolicyStatement(p.GetNamedPermissionSet("Nothing"))); Root.Name = "All_Code"; // Add the My_Code and Internet_Code groups as children of the root code group Root.AddChild(MyCode); Root.AddChild(Internet); // Assign the code group tree to the PolicyLevel p.RootCodeGroup = Root;