
Programming Security Policy (part 2) - Programming Policy Levels

6/12/2012 4:46:20 PM

2. Programming Policy Levels

The .NET class library contains the System.Security.Policy.PolicyLevel class to represent each of the four security policy levels: enterprise, machine, user, and application domain. (From .NET Framework 4.0 onward, code-access security policy is no longer enforced by default and PolicyLevel is marked obsolete; this section applies to .NET Framework 1.x through 3.5, or to 4.x applications that opt back in with the NetFx40_LegacySecurityPolicy runtime configuration element.)

You cannot create new PolicyLevel objects using constructors. To manipulate the enterprise, machine, or user policy levels, you must obtain a reference to the desired level using the static methods of the System.Security.SecurityManager class, which we discuss in the next section. To create a new application domain policy level, use the static PolicyLevel.CreateAppDomainLevel factory method.

Table 6 summarizes the members of the PolicyLevel class. None of these members is protected by a code-access permission demand: .NET protects the methods you use to obtain and save policy levels, not the methods that manipulate a level once you hold a reference to it. Any code that can get hold of a PolicyLevel reference can therefore change it freely, so the reference itself is the thing to guard.

Table 6. Members of the PolicyLevel class

Properties

  FullTrustAssemblies       Gets an IList of StrongNameMembershipCondition objects representing the fully trusted assemblies of the policy level.
  Label                     Gets a String containing a description of the PolicyLevel.
  NamedPermissionSets       Gets an IList of NamedPermissionSet objects representing the named permission sets of the policy level.
  RootCodeGroup             Gets or sets the root CodeGroup of the policy level's code group tree.
  StoreLocation             Gets a String containing the path of the file in which the PolicyLevel is stored. Returns null (C#) or Nothing (Visual Basic .NET) if the PolicyLevel does not have a storage location, as an application domain level never does.

Methods

  AddFullTrustAssembly      Adds a StrongName or StrongNameMembershipCondition to the fully trusted assembly list.
  AddNamedPermissionSet     Adds a NamedPermissionSet to the policy level's set of named permission sets.
  ChangeNamedPermissionSet  Replaces the contents of the NamedPermissionSet with the specified name with those of the given PermissionSet.
  CreateAppDomainLevel      (Static) Returns a new PolicyLevel configured for use as an application domain policy level.
  FromXml                   Reconstructs a PolicyLevel from correctly formatted XML, which is normally generated using the ToXml method.
  GetNamedPermissionSet     Returns the NamedPermissionSet with the specified name, or null if the level contains no set with that name.
  Recover                   Replaces the file in which the policy level is stored with its previously saved version.
  RemoveFullTrustAssembly   Removes the specified StrongName or StrongNameMembershipCondition from the fully trusted assembly list.
  RemoveNamedPermissionSet  Removes the named permission set identified by name or by NamedPermissionSet object.
  Reset                     Returns the policy level to its default state.
  Resolve                   Returns a PolicyStatement containing the permissions the PolicyLevel grants to code with the specified Evidence. This is equivalent to calling Resolve on the CodeGroup in the policy level's RootCodeGroup property.
  ResolveMatchingCodeGroups Returns a CodeGroup tree containing every code group of which code with the specified Evidence is a member. This is equivalent to calling ResolveMatchingCodeGroups on the CodeGroup in the policy level's RootCodeGroup property.
  ToXml                     Returns a SecurityElement containing an XML object model of the PolicyLevel and its contents.

2.1. Managing fully trusted assemblies

The PolicyLevel class represents fully trusted assemblies as a list of StrongNameMembershipCondition objects, each configured to match the strong name of one trusted assembly. The list exists for the assemblies the policy system itself needs while evaluating policy (for example, assemblies that implement custom permission or membership-condition classes): an assembly that matches an entry is granted full trust at that level without being evaluated against the code group tree. You manage the list by passing StrongName or StrongNameMembershipCondition objects to the AddFullTrustAssembly and RemoveFullTrustAssembly methods. The read-only FullTrustAssemblies property gets a System.Collections.IList containing the current entries.

An entry is matched on public key, assembly name, and version only. Passing null for the name or the version makes that part a wildcard, so an entry with a null name and version grants full trust to every assembly signed with that key; keep entries as specific as the situation allows. (From .NET Framework 2.0 the list is marked obsolete, because assemblies in the global assembly cache always receive full trust.)

Example 1 creates a StrongNameMembershipCondition object and uses it to add an entry to the fully trusted assembly list for the HelloWorld assembly.

Example 1. Managing a fully trusted assembly
# C#

using System;
using System.Security.Policy;

// Create a byte array containing the strong name public key
// data (the HelloWorld assembly's public key blob).
byte[] publickey = { 0, 36, 0, 0, 4, 128, 0, 0, 148, 
    0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, 
    0, 1, 0, 1, 0, 169, 206, 164, 8, 66, 197, 231, 138, 148, 74,
    99, 125, 171, 203, 120, 143, 240, 155, 104, 138, 4, 123, 15, 
    55, 85, 255, 183, 20, 111, 10, 217, 58, 127, 15, 236, 86, 16, 
    121, 222, 35, 161, 14, 122, 246, 85, 226, 162, 221, 46, 215, 
    161, 151, 183, 38, 31, 150, 198, 119, 109, 94, 11, 65, 208, 
    33, 122, 172, 106, 62, 192, 4, 35, 255, 220, 10, 43, 90, 92, 
    183, 29, 136, 57, 235, 30, 5, 127, 72, 210, 108, 215, 226, 65, 
    197, 184, 28, 129, 184, 191, 211, 159, 69, 8, 84, 116, 65, 186, 
    179, 35, 116, 174, 223, 167, 217, 116, 8, 178, 232, 213, 155, 
    172, 87, 181, 187, 61, 43, 133, 105, 10, 187 };

// Create a StrongNamePublicKeyBlob object from the 
// public key byte array.
StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publickey); 
            
// Create a Version object based on the assembly version 
// number.
Version version = new Version("1.1578.0.0");
    
// Create the new StrongNameMembershipCondition. Key, name and
// version must all match for an assembly to qualify.
StrongNameMembershipCondition mc = 
    new StrongNameMembershipCondition(blob, "HelloWorld", version);

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Add the StrongNameMembershipCondition to the fully trusted 
// assembly list.
p.AddFullTrustAssembly(mc);

# Visual Basic .NET

Imports System
Imports System.Security.Policy

' Create a byte array containing the strong name public key 
' data (the HelloWorld assembly's public key blob).
Dim publickey() As Byte = { 0, 36, 0, 0, 4, 128, 0, 0, 148, _
    0, 0, 0, 6, 2, 0, 0, 0, 36, 0, 0, 82, 83, 65, 49, 0, 4, 0, _
    0, 1, 0, 1, 0, 169, 206, 164, 8, 66, 197, 231, 138, 148, 74, _
    99, 125, 171, 203, 120, 143, 240, 155, 104, 138, 4, 123, 15, _
    55, 85, 255, 183, 20, 111, 10, 217, 58, 127, 15, 236, 86, 16, _
    121, 222, 35, 161, 14, 122, 246, 85, 226, 162, 221, 46, 215, _
    161, 151, 183, 38, 31, 150, 198, 119, 109, 94, 11, 65, 208, _
    33, 122, 172, 106, 62, 192, 4, 35, 255, 220, 10, 43, 90, 92, _
    183, 29, 136, 57, 235, 30, 5, 127, 72, 210, 108, 215, 226, 65, _
    197, 184, 28, 129, 184, 191, 211, 159, 69, 8, 84, 116, 65, 186, _
    179, 35, 116, 174, 223, 167, 217, 116, 8, 178, 232, 213, 155, _
    172, 87, 181, 187, 61, 43, 133, 105, 10, 187} 

' Create a StrongNamePublicKeyBlob object from the 
' public key byte array.
Dim blob As StrongNamePublicKeyBlob = New StrongNamePublicKeyBlob(publickey) 
 
' Create a Version object based on the assembly version 
' number.
Dim version As Version = New Version("1.1578.0.0") 
 
' Create the new StrongNameMembershipCondition. Key, name and
' version must all match for an assembly to qualify.
Dim mc As StrongNameMembershipCondition = _
    New StrongNameMembershipCondition(blob, "HelloWorld", version) 
 
' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel() 
 
' Add the StrongNameMembershipCondition to the fully trusted 
' assembly list.
p.AddFullTrustAssembly(mc)

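
The following C# program is an added example; it is not code from the book or page. It derives the fully trusted entry from an assembly's own metadata instead of a hand-typed key, then uses the membership condition's Check method to show exactly what each kind of entry matches. The class name FullTrustListDemo and the evidence objects are constructed for the example; mscorlib is used as the sample assembly only because it is always strong-named, and Evidence.AddHost is the .NET 1.x/2.0 API (still present, but obsolete, in 4.x).

```csharp
using System;
using System.Reflection;
using System.Security.Policy;

// Added example (not from the original text): build fully-trusted-assembly
// entries from assembly metadata and check what each entry actually matches.
class FullTrustListDemo
{
    // Build a StrongNameMembershipCondition from an assembly's own identity.
    // With matchVersion = false the version is left null, which matches every
    // version of that assembly that is signed with the same key.
    static StrongNameMembershipCondition ConditionFor(Assembly asm, bool matchVersion)
    {
        AssemblyName an = asm.GetName();
        byte[] key = an.GetPublicKey();
        if (key == null || key.Length == 0)
            throw new InvalidOperationException(an.Name + " is not strong-named, so it cannot be identified by key.");
        StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(key);
        return new StrongNameMembershipCondition(blob, an.Name, matchVersion ? an.Version : null);
    }

    // Constructed evidence standing in for what the assembly loader would supply.
    static Evidence EvidenceFor(StrongNamePublicKeyBlob key, string name, Version version)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new StrongName(key, name, version));
        return ev;
    }

    // True if any entry in the level's fully trusted list matches the evidence.
    static bool IsFullyTrusted(PolicyLevel level, Evidence ev)
    {
        foreach (StrongNameMembershipCondition c in level.FullTrustAssemblies)
            if (c.Check(ev)) return true;
        return false;
    }

    static void Main()
    {
        // mscorlib is the sample assembly only because it is always strong-named.
        Assembly sample = typeof(object).Assembly;
        AssemblyName id = sample.GetName();
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

        // 1. Exact entry: key + name + version.
        StrongNameMembershipCondition exact = ConditionFor(sample, true);
        p.AddFullTrustAssembly(exact);
        Evidence thisBuild     = EvidenceFor(exact.PublicKey, id.Name, id.Version);
        Evidence otherBuild    = EvidenceFor(exact.PublicKey, id.Name, new Version(9, 9, 9, 9));
        Evidence otherAssembly = EvidenceFor(exact.PublicKey, "SomethingElse", id.Version);
        Console.WriteLine("exact entry, same build:           " + IsFullyTrusted(p, thisBuild));
        Console.WriteLine("exact entry, other version:        " + IsFullyTrusted(p, otherBuild));
        Console.WriteLine("exact entry, other assembly:       " + IsFullyTrusted(p, otherAssembly));

        // 2. Key-and-name entry (version null): matches any version of that assembly.
        p.RemoveFullTrustAssembly(exact);
        p.AddFullTrustAssembly(ConditionFor(sample, false));
        Console.WriteLine("any-version entry, other version:  " + IsFullyTrusted(p, otherBuild));
        Console.WriteLine("any-version entry, other assembly: " + IsFullyTrusted(p, otherAssembly));

        // 3. Key-only entry (name and version null): matches anything signed with the key.
        p.AddFullTrustAssembly(new StrongNameMembershipCondition(exact.PublicKey, null, null));
        Console.WriteLine("key-only entry, other assembly:    " + IsFullyTrusted(p, otherAssembly));

        // Inspect what the level now contains, in the same XML form the policy file uses.
        foreach (StrongNameMembershipCondition c in p.FullTrustAssemblies)
            Console.WriteLine(c.ToXml().ToString());
    }
}
```

The three stages narrow from an exact match to a key-only wildcard; only the last one also accepts the "SomethingElse" evidence, which is the behaviour to keep in mind before adding an entry with a null name or version.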

2.2. Managing named permission sets

To manage a policy level's named permission sets, use the AddNamedPermissionSet and RemoveNamedPermissionSet methods. AddNamedPermissionSet takes a NamedPermissionSet argument, whereas RemoveNamedPermissionSet can take either a NamedPermissionSet or a String containing the name of the NamedPermissionSet to remove. You can also change the permissions of an existing NamedPermissionSet, without removing and re-adding it, by calling ChangeNamedPermissionSet and passing it the name of the NamedPermissionSet to change and a PermissionSet containing the new set of permissions. Both ChangeNamedPermissionSet and RemoveNamedPermissionSet throw an ArgumentException if the name is one of the level's reserved permission sets (FullTrust, Everything, Nothing, Execution, SkipVerification, Internet, and LocalIntranet), so code cannot quietly widen a built-in set; to grant more than a built-in set allows, add a new named set.

The GetNamedPermissionSet method returns the NamedPermissionSet with the specified name (or null if the level has no set with that name), and the NamedPermissionSets property gets an IList containing the level's NamedPermissionSet objects. Example 2 demonstrates the manipulation of named permission sets.

Example 2. Manipulating named permission sets
# C#

using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Get a copy of the default permission set named "Internet" and
// call it "NewPermissionSet".
NamedPermissionSet ps = 
    p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet");

// Add the new permission set.
p.AddNamedPermissionSet(ps);

// Modify the permission set "NewPermissionSet" to grant unrestricted 
// access.
p.ChangeNamedPermissionSet("NewPermissionSet", 
    new PermissionSet(PermissionState.Unrestricted));

// Dump the policy level as XML to confirm the change.
Console.WriteLine(p.ToXml());

// Remove the NewPermissionSet permission set.
p.RemoveNamedPermissionSet("NewPermissionSet");

# Visual Basic .NET

Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel() 
 
' Get a copy of the default permission set named "Internet" and
' call it "NewPermissionSet".
Dim ps As NamedPermissionSet = _
    p.GetNamedPermissionSet("Internet").Copy("NewPermissionSet") 
 
' Add the new permission set.
p.AddNamedPermissionSet(ps)
 
' Modify the permission set "NewPermissionSet" to grant unrestricted 
' access.
p.ChangeNamedPermissionSet("NewPermissionSet", _
    New PermissionSet(PermissionState.Unrestricted))
 
' Dump the policy level as XML to confirm the change.
Console.WriteLine(p.ToXml())

' Remove the NewPermissionSet permission set.
p.RemoveNamedPermissionSet("NewPermissionSet")

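
Example 2 widens a set to Unrestricted, which is the easy direction. The following C# program is an added example, not code from the book or page; it goes the other way, defining a least-privilege named set, tightening it in place with ChangeNamedPermissionSet, and showing that the level refuses the same call against a reserved set. The class name NamedSetDemo, the set name DataReader, and the Windows paths under C:\data are constructed for the example.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Added example (not from the original text): define a least-privilege named
// permission set, tighten it in place, and see how the level protects its
// reserved sets.
class NamedSetDemo
{
    // Execute plus read access under one directory, nothing else.
    // The directory is a made-up Windows path for the example.
    static NamedPermissionSet BuildDataReaderSet(string dataDir)
    {
        NamedPermissionSet ps = new NamedPermissionSet("DataReader", PermissionState.None);
        ps.Description = "Execute and read files under " + dataDir;
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, dataDir));
        return ps;
    }

    // Replace the contents of a named set in place. ChangeNamedPermissionSet
    // throws ArgumentException for the reserved sets (FullTrust, Everything,
    // Nothing, Execution, SkipVerification, Internet, LocalIntranet), so a
    // caller cannot quietly widen a built-in set.
    static bool TryChange(PolicyLevel p, string name, PermissionSet newSet)
    {
        try
        {
            p.ChangeNamedPermissionSet(name, newSet);
            return true;
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("refused change to '" + name + "': " + e.Message);
            return false;
        }
    }

    static void Main()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        p.AddNamedPermissionSet(BuildDataReaderSet(@"C:\data"));

        // Tighten DataReader to a subdirectory without removing and re-adding it.
        Console.WriteLine("DataReader changed: " +
            TryChange(p, "DataReader", BuildDataReaderSet(@"C:\data\public")));

        // Widening a reserved set is refused.
        Console.WriteLine("Internet changed:   " +
            TryChange(p, "Internet", new PermissionSet(PermissionState.Unrestricted)));

        // Confirm the stored set really is narrower than the original definition.
        NamedPermissionSet stored = p.GetNamedPermissionSet("DataReader");
        NamedPermissionSet original = BuildDataReaderSet(@"C:\data");
        Console.WriteLine("stored is a subset of original: " + stored.IsSubsetOf(original));
        Console.WriteLine("original is a subset of stored: " + original.IsSubsetOf(stored));

        // Lookups of unknown names return null rather than throwing.
        Console.WriteLine("unknown set found: " + (p.GetNamedPermissionSet("NoSuchSet") != null));

        // List everything the level now holds.
        foreach (NamedPermissionSet s in p.NamedPermissionSets)
            Console.WriteLine(s.Name + ": unrestricted=" + s.IsUnrestricted());
    }
}
```

The two IsSubsetOf checks are the useful habit here: after any ChangeNamedPermissionSet, compare the stored set against what you intended so that a widened path or an accidentally unrestricted permission is caught before the level is saved.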

2.3. Managing the code group tree

You get and set the root code group of the policy level's code group tree using the RootCodeGroup property. You then use the methods and properties of CodeGroup to build and configure the tree hierarchy.

The difficulty in building large code group trees is that the CodeGroup.AddChild method and the PolicyLevel.RootCodeGroup property both store a copy of the CodeGroup you pass to them, and CodeGroup.Children likewise returns copies. Changes made to your original object after it has been added do not reach the tree. Therefore, either build the tree from the bottom up, attaching every child before its parent is attached, or reacquire the reference to the CodeGroup you have just added before adding children to it.

Example 3 builds a tree from the bottom up. Two details matter for what it grants: a UnionCodeGroup grants its own permission set plus the union of the permission sets of every matching child, so code from www.mysite.com that is loaded from the Internet zone receives FullTrust, not just the Internet set; and a SiteMembershipCondition matches on the host name in the code's origin URL, so granting FullTrust to a site trusts both DNS and whatever server answers for that host.

Example 3. Manipulating the code group tree of a policy level
# C#

using System;
using System.Security;
using System.Security.Policy;

// Create a new application domain policy level.
PolicyLevel p = PolicyLevel.CreateAppDomainLevel();

// Create the MyCompany named permission set as a copy of 
// the default LocalIntranet named permission set.
p.AddNamedPermissionSet(
    p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany")
);

// Create the My_Site code group that matches all code
// run from the "www.mysite.com" Site and grants it FullTrust.
UnionCodeGroup MySite = new UnionCodeGroup(
    new SiteMembershipCondition("www.mysite.com"),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))
);
MySite.Name = "My_Site";

// Create the Work_Site code group that matches all code
// run from the "www.company.com" Site and grants it the 
// MyCompany permission set.
UnionCodeGroup WorkSite = new UnionCodeGroup(
    new SiteMembershipCondition("www.company.com"),
    new PolicyStatement(p.GetNamedPermissionSet("MyCompany"))
);
WorkSite.Name = "Work_Site";

// Create the Internet_Code code group that matches all code
// run from the Internet Zone and grants it Internet permissions.
UnionCodeGroup Internet = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.Internet),
    new PolicyStatement(p.GetNamedPermissionSet("Internet"))
);
Internet.Name = "Internet_Code";

// Add the My_Site and Work_Site code groups as children of the 
// Internet_Code group. This must happen before Internet_Code is
// itself added to the root, because AddChild stores a copy.
Internet.AddChild(MySite);
Internet.AddChild(WorkSite);

// Create the My_Code code group that matches all code
// run from the My_Computer Zone and grants it FullTrust.
UnionCodeGroup MyCode = new UnionCodeGroup(
    new ZoneMembershipCondition(SecurityZone.MyComputer),
    new PolicyStatement(p.GetNamedPermissionSet("FullTrust"))
);
MyCode.Name = "My_Code";

// Create the root UnionCodeGroup that matches all code,
// but grants no permissions.
UnionCodeGroup Root = new UnionCodeGroup(
    new AllMembershipCondition(),
    new PolicyStatement(p.GetNamedPermissionSet("Nothing"))
);
Root.Name = "All_Code";

// Add the My_Code and Internet_Code groups as children of the 
// root code group.
Root.AddChild(MyCode);
Root.AddChild(Internet);

// Assign the code group tree to the PolicyLevel (also stored as a copy).
p.RootCodeGroup = Root;

# Visual Basic .NET

Imports System
Imports System.Security
Imports System.Security.Policy

' Create a new application domain policy level.
Dim p As PolicyLevel = PolicyLevel.CreateAppDomainLevel() 
 
' Create the MyCompany named permission set as a copy of 
' the default LocalIntranet named permission set.
p.AddNamedPermissionSet( _
    p.GetNamedPermissionSet("LocalIntranet").Copy("MyCompany"))
 
' Create the My_Site code group that matches all code
' run from the "www.mysite.com" Site and grants it FullTrust.
Dim MySite As UnionCodeGroup = New UnionCodeGroup( _
    New SiteMembershipCondition("www.mysite.com"), _
    New PolicyStatement(p.GetNamedPermissionSet("FullTrust"))) 
MySite.Name = "My_Site"
 
' Create the Work_Site code group that matches all code
' run from the "www.company.com" Site and grants it the 
' MyCompany permission set.
Dim WorkSite As UnionCodeGroup = New UnionCodeGroup( _
    New SiteMembershipCondition("www.company.com"), _
    New PolicyStatement(p.GetNamedPermissionSet("MyCompany"))) 
WorkSite.Name = "Work_Site"
 
' Create the Internet_Code code group that matches all code
' run from the Internet Zone and grants it Internet permissions.
Dim Internet As UnionCodeGroup = New UnionCodeGroup( _
    New ZoneMembershipCondition(SecurityZone.Internet), _
    New PolicyStatement(p.GetNamedPermissionSet("Internet"))) 
Internet.Name = "Internet_Code"
 
' Add the My_Site and Work_Site code groups as children of the 
' Internet_Code group. This must happen before Internet_Code is
' itself added to the root, because AddChild stores a copy.
Internet.AddChild(MySite)
Internet.AddChild(WorkSite)
 
' Create the My_Code code group that matches all code
' run from the My_Computer Zone and grants it FullTrust.
Dim MyCode As UnionCodeGroup = New UnionCodeGroup( _
    New ZoneMembershipCondition(SecurityZone.MyComputer), _
    New PolicyStatement(p.GetNamedPermissionSet("FullTrust"))) 
MyCode.Name = "My_Code"
 
' Create the root UnionCodeGroup that matches all code,
' but grants no permissions.
Dim Root As UnionCodeGroup = New UnionCodeGroup( _
    New AllMembershipCondition(), _
    New PolicyStatement(p.GetNamedPermissionSet("Nothing"))) 
Root.Name = "All_Code"
 
' Add the My_Code and Internet_Code groups as children of the 
' root code group.
Root.AddChild(MyCode)
Root.AddChild(Internet)
 
' Assign the code group tree to the PolicyLevel (also stored as a copy).
p.RootCodeGroup = Root
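
Example 3 builds a tree but never evaluates it. The following C# program is an added example, not code from the book or page; it rebuilds a smaller version of the same tree, resolves it against constructed evidence with PolicyLevel.Resolve and ResolveMatchingCodeGroups so you can see which groups fire and what is granted, and then reproduces the copy-semantics pitfall described above. The class name CodeGroupTreeDemo, the host www.other.example, and the evidence objects are constructed for the example; Evidence.AddHost is the .NET 1.x/2.0 API (still present, but obsolete, in 4.x).

```csharp
using System;
using System.Security;
using System.Security.Policy;

// Added example (not from the original text): build a code group tree bottom-up,
// resolve it against sample evidence, and show why top-down edits are lost.
class CodeGroupTreeDemo
{
    static UnionCodeGroup Group(string name, IMembershipCondition mc, PermissionSet ps)
    {
        UnionCodeGroup g = new UnionCodeGroup(mc, new PolicyStatement(ps));
        g.Name = name;
        return g;
    }

    // Children are attached to each parent before that parent is attached to
    // its own parent, because AddChild and RootCodeGroup both store copies.
    static PolicyLevel BuildLevel()
    {
        PolicyLevel p = PolicyLevel.CreateAppDomainLevel();
        UnionCodeGroup mySite = Group("My_Site",
            new SiteMembershipCondition("www.mysite.com"), p.GetNamedPermissionSet("FullTrust"));
        UnionCodeGroup internet = Group("Internet_Code",
            new ZoneMembershipCondition(SecurityZone.Internet), p.GetNamedPermissionSet("Internet"));
        internet.AddChild(mySite);
        UnionCodeGroup myCode = Group("My_Code",
            new ZoneMembershipCondition(SecurityZone.MyComputer), p.GetNamedPermissionSet("FullTrust"));
        UnionCodeGroup root = Group("All_Code",
            new AllMembershipCondition(), p.GetNamedPermissionSet("Nothing"));
        root.AddChild(myCode);
        root.AddChild(internet);
        p.RootCodeGroup = root;
        return p;
    }

    // Constructed evidence standing in for what the loader would supply.
    static Evidence MakeEvidence(SecurityZone zone, string site)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        if (site != null) ev.AddHost(new Site(site));
        return ev;
    }

    static string Describe(PermissionSet ps)
    {
        if (ps.IsUnrestricted()) return "FullTrust";
        if (ps.IsEmpty()) return "Nothing";
        int n = 0;
        foreach (IPermission perm in ps) n++;
        return n + " permission(s), partial trust";
    }

    // Print the tree of groups the evidence qualified for.
    static void PrintMatches(CodeGroup g, int depth)
    {
        if (g == null) return;
        Console.WriteLine(new string(' ', depth * 2) + g.Name);
        foreach (CodeGroup child in g.Children) PrintMatches(child, depth + 1);
    }

    static void Main()
    {
        PolicyLevel p = BuildLevel();
        string[] labels = { "MyComputer zone", "Internet zone, www.mysite.com",
                            "Internet zone, www.other.example", "Intranet zone" };
        Evidence[] cases = {
            MakeEvidence(SecurityZone.MyComputer, null),
            MakeEvidence(SecurityZone.Internet, "www.mysite.com"),
            MakeEvidence(SecurityZone.Internet, "www.other.example"),
            MakeEvidence(SecurityZone.Intranet, null) };
        for (int i = 0; i < cases.Length; i++)
        {
            PolicyStatement ps = p.Resolve(cases[i]);
            Console.WriteLine(labels[i] + " -> " + Describe(ps.PermissionSet));
            PrintMatches(p.ResolveMatchingCodeGroups(cases[i]), 1);
        }

        // Pitfall: editing a group fetched from the tree changes only your copy.
        UnionCodeGroup detached = (UnionCodeGroup)p.RootCodeGroup.Children[1];
        detached.AddChild(Group("Work_Site",
            new SiteMembershipCondition("www.company.com"), p.GetNamedPermissionSet("Internet")));
        CodeGroup inTree = (CodeGroup)p.RootCodeGroup.Children[1];
        Console.WriteLine("children of Internet_Code in the level: " + inTree.Children.Count);
    }
}
```

The resolution loop is the check to run before saving any policy: feed it the evidence combinations you care about (here, in particular, the named site inside the Internet zone) and read the grant and the matched groups together, so that a union that accidentally reaches FullTrust is visible. The final lines show the stale-copy problem: Work_Site was added to a detached copy, so the level's own Internet_Code group still has one child, which is why the tree is assembled bottom-up in BuildLevel.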