Mono Security Manager Part I - Using CAS permissions
Here's the first promised CAS sample for Mono.
As you can see the sample is quite simple - the
Loop method denies any request to call unmanaged code.
Either via directly using P/Invoke or by using framework methods that requires the privilege to call unmanaged code.
The later case is being demonstrated in the sample when calling the
Environment.Exit static method.
Here's the definition for
MethodImplOptions.InternalCall indicates that the actual implementation of the method resides in the Mono runtime.
The security manager doesn't enforce any restriction to execute this icall because the type,
and the method,
Exit are both public and because Mono 1.1.4 doesn't (yet) enforce restrictions on calling
runtime's icalls (but this feature is already in SVN for HEAD users).
The security manager (if active) will initiate a stack walk to ensure that all callers on the stack have the rights to call unmanaged code. In this case both the executing assembly (e.g.
mscorlib.dll are in the local
file system and are granted FullTrust. This means that, under normal condition, the call to
Exit should succeed.
The definition of the method call.
Now let's compile the sample code and try to execute it without enabling the security manager.
The sample starts by indicating the status of the security manager. In this case (OFF) nothing can stop you from
quiting the application before ending the loop. Type
quit followed by ENTER to quit the sample.
While this isn't a big problem when running an application at FullTrust it's more a problem if you are hosting mono inside
your application (e.g. a database server supporting C# stored proc) or if you have a plug-in system.
Next execute again the sample code with the security manager enabled:
In this case (ON) the security manager will stops you from quitting the application directly from inside the loop
(i.e. where the
Deny declarative security attribute applies). Type
quit followed by ENTER. You
should see the text from the SecurityException thrown from the security manager. Now type
endloop followed by
ENTER to quit the sample.
Note that this sample isn't very secure (i.e. don't use that pattern) as the loop is still running at FullTrust - there
are much better way to sandbox code than to use
Deny. You will also get the same behaviour (by default) using
MS Framework on Windows. However calling "exit" in a Windows' shell will close the shell - not execute the program -
so be sure to specify the ending .exe in the command line.
Now this sample works because
Demand (i.e. stack walks) is functional in Mono 1.1.4 as are the declarative
stack modifiers (e.g. Deny) and most important because I added the proper security checks (either in declarative or
imperative form) to the
System.Environment class before the 1.1.4 release. This means that similar cases with
different classes won't work because there is no security permission to protect them (yet)! But nothings stops you
from adding permissions into your own code today ;-)
Next stop... identity permissions!
2/21/2005 08:51:50 | Comments
The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.