How to: Run Partially Trusted Code in a Sandbox

批注:沙盒机制是.NET Framework 4.0中对于安全性方面给予开发人员的一个鼓励做法,意思是说某些特殊的程序集(你可能不信任,例如插件),则可以让他们运行在一个特殊的区域中。使用AppDomain来实现该功能。

 

其实,这样的功能在.NET Framework 2.0中也是可以实现的。感觉.NET Framework 4的安全性是一个很大的让步,至少说没有什么大的改进。(纯属个人意见)

 

 

转载自:http://msdn.microsoft.com/en-us/library/bb763046.aspx

Sandboxing is the practice of running code in a restricted security environment, which limits the access permissions granted to the code. For example, if you have a managed library from a source you do not completely trust, you should not run it as fully trusted. Instead, you should place the code in a sandbox that limits its permissions to those that you expect it to need (for example, Execution permission).

You can also use sandboxing to test code you will be distributing that will run in partially trusted environments.

An AppDomain is an effective way of providing a sandbox for managed applications. Application domains that are used for running partially trusted code have permissions that define the protected resources that are available when running within that AppDomain. Code that runs inside the AppDomain is bound by the permissions associated with the AppDomain and is allowed to access only the specified resources. The AppDomain also includes a StrongName array that is used to identify assemblies that are to be loaded as fully trusted. This enables the creator of an AppDomain to start a new sandboxed domain that allows specific helper assemblies to be fully trusted. Another option for loading assemblies as fully trusted is to place them in the global assembly cache; however, that will load assemblies as fully trusted in all application domains created on that computer. The list of strong names supports a per-AppDomain decision that provides more restrictive determination.

You can use the AppDomain..::.CreateDomain(String, Evidence, AppDomainSetup, PermissionSet, array []()[]) method overload to specify the permission set for applications that run in a sandbox. This overload enables you to specify the exact level of code access security you want. Assemblies that are loaded into an AppDomain by using this overload can either have the specified grant set only, or can be fully trusted. The assembly is granted full trust if it is in the global assembly cache or listed in the fullTrustAssemblies (the StrongName) array parameter. Only assemblies known to be fully trusted should be added to the fullTrustAssemblies list.

The overload has the following signature:

AppDomain.CreateDomain( string friendlyName,                         Evidence securityInfo,                         AppDomainSetup info,                         PermissionSet grantSet,                         params StrongName[] fullTrustAssemblies);

The parameters for the CreateDomain(String, Evidence, AppDomainSetup, PermissionSet, array []()[]) method overload specify the name of the AppDomain, the evidence for the AppDomain, the AppDomainSetup object that identifies the application base for the sandbox, the permission set to use, and the strong names for fully trusted assemblies.

For security reasons, the application base specified in the info parameter should not be the application base for the hosting application.

For the grantSet parameter, you can specify either a permission set you have explicitly created, or a standard permission set created by the GetStandardSandbox method.

Unlike most AppDomain loads, the evidence for the AppDomain (which is provided by the securityInfo parameter) is not used to determine the grant set for the partially trusted assemblies. Instead, it is independently specified by the grantSet parameter. However, the evidence can be used for other purposes such as determining the isolated storage scope.

你可能感兴趣的:(How to: Run Partially Trusted Code in a Sandbox)