Adding Code Groups and PermissionSets through code

[Thomas Delrue]

hi...

I would like to add some code groups (Code Access Security)
based on a strongName and permission sets (that will be
used by the code groups) to a machine through an MSI-installer.

I already know that I can use an Installer class and let
the MSI call that one in post-install mode.

However... I am a bit stuck on how I can add
permissionSets (with permissions of either the .net
framework itself or permissions in my own assemblies - in
the GAC) through code... The same thing with code groups...

I need this so I can install a Windows user Control in the
GAC for usage in a web site (embedded user control), in
order to give the user control the appropriate permissions
(and not one to many)

Can anyone direct me to some more information please?

Thanks

Thomas

 

[Dave]

see below

hi...

I would like to add some code groups (Code Access Security)
based on a strongName and permission sets (that will be
used by the code groups) to a machine through an MSI-installer.


<snip>
Can anyone direct me to some more information please?

There's a book called ".NET Framework Security" with an example of doing it.
Here's how we do it.


static public void Install()
{
try
{
// Uninstall the old Security group
Uninstall();

IEnumerator policylevels = SecurityManager.PolicyHierarchy();

bool bFound = false;

// find machine policy level
while (policylevels.MoveNext() == true)
{
if (((PolicyLevel)(policylevels.Current)).Label == "Machine")
{
bFound = true;
break;
}
}

// Could not find the machine policy level
if (bFound == false)
return;

PolicyLevel machinepolicy = (PolicyLevel)(policylevels.Current);

//getting the root code group of the code group hierarchy
CodeGroup rootcg = machinepolicy.RootCodeGroup;

// Public Key for .dll
byte[] PublicKey = { /* NOTE: fill in public key here*/ };

StrongNamePublicKeyBlob strongnameblob = new
StrongNamePublicKeyBlob(PublicKey);

// create a strong name membership condition for the code group
StrongNameMembershipCondition strongnamemship = new
StrongNameMembershipCondition(strongnameblob, null, null);

//get the permission set from the permission set list of the machine
policy, or create a unique one. This example grants full trust
PermissionSet pset =
machinepolicy.GetNamedPermissionSet("FullTrust");

PolicyStatement policystatement = new PolicyStatement(pset,
PolicyStatementAttribute.Nothing);

UnionCodeGroup newcg = new UnionCodeGroup(strongnamemship,
policystatement);
newcg.Name = "<your new codegroup name name>";
newcg.Description = "Code group grants full trust to code signed
with the <your name here> strong name.";

//add the new code group under the root code group
rootcg.AddChild(newcg);

machinepolicy.RootCodeGroup = rootcg;

//Save the changes
SecurityManager.SavePolicy();
}
catch(Exception ex)
{
/// do something meaningful here
}
}

static public void Uninstall()
{
try
{
IEnumerator policylevels = SecurityManager.PolicyHierarchy();

bool bFound = false;

// find machine policy level
while (policylevels.MoveNext() == true)
{
if (((PolicyLevel)(policylevels.Current)).Label == "Machine")
{
bFound = true;
break;
}
}

// Could not find the machine policy level
if (bFound == false)
return;

PolicyLevel machinepolicy = (PolicyLevel)(policylevels.Current);

//getting the root code group of the code group hierarchy
CodeGroup rootcg = machinepolicy.RootCodeGroup;

//get all the child code groups of the root code group
IEnumerator rootchildren = (rootcg.Children).GetEnumerator();

//find and remove the code group
while (rootchildren.MoveNext())
{
if (((CodeGroup)(rootchildren.Current)).Name == "<your new
codegroup name name>"
{
CodeGroup codegroup = (CodeGroup)rootchildren.Current;

//remove the code group
rootcg.RemoveChild(codegroup);
}
}

//save it
SecurityManager.SavePolicy();
}
catch
{
// do something here
}
}

You will need to get the public key bytes to populate the array in the
install routine. There are several ways to do this, one being to use sn.exe.
I don't recall the details but it isn't too difficult.

 

[Guest]

Thanks, worked marvelously

Can anyone tell me how I can assign an exclusive
permissionSet ("This policy level will only have the
permissions from the permissionSet associated with this
group") to a codeGroup...

-----Original Message-----
see below

hi...

I would like to add some code groups (Code Access Security)
based on a strongName and permission sets (that will be
used by the code groups) to a machine through an MSI-installer.


<snip>
Can anyone direct me to some more information please?

There's a book called ".NET Framework Security" with an example of doing it.
Here's how we do it.


static public void Install()
{
try
{
// Uninstall the old Security group
Uninstall();

IEnumerator policylevels = SecurityManager.PolicyHierarchy();

bool bFound = false;

// find machine policy level
while (policylevels.MoveNext() == true)
{
if (((PolicyLevel)(policylevels.Current)).Label == "Machine")
{
bFound = true;
break;
}
}

// Could not find the machine policy level
if (bFound == false)
return;

PolicyLevel machinepolicy = (PolicyLevel)(policylevels.Current);

//getting the root code group of the code group hierarchy
CodeGroup rootcg = machinepolicy.RootCodeGroup;

// Public Key for .dll
byte[] PublicKey = { /* NOTE: fill in public key here*/ };

StrongNamePublicKeyBlob strongnameblob = new
StrongNamePublicKeyBlob(PublicKey);

// create a strong name membership condition for the code group
StrongNameMembershipCondition strongnamemship = new
StrongNameMembershipCondition(strongnameblob, null, null);

//get the permission set from the permission set list of the machine
policy, or create a unique one. This example grants full trust
PermissionSet pset =
machinepolicy.GetNamedPermissionSet("FullTrust");

PolicyStatement policystatement = new PolicyStatement(pset,
PolicyStatementAttribute.Nothing);

UnionCodeGroup newcg = new UnionCodeGroup(strongnamemship,
policystatement);
newcg.Name = "<your new codegroup name name>";
newcg.Description = "Code group grants full trust to code signed
with the <your name here> strong name.";

//add the new code group under the root code group
rootcg.AddChild(newcg);

machinepolicy.RootCodeGroup = rootcg;

//Save the changes
SecurityManager.SavePolicy();
}
catch(Exception ex)
{
/// do something meaningful here
}
}

static public void Uninstall()
{
try
{
IEnumerator policylevels = SecurityManager.PolicyHierarchy();

bool bFound = false;

// find machine policy level
while (policylevels.MoveNext() == true)
{
if (((PolicyLevel)(policylevels.Current)).Label == "Machine")
{
bFound = true;
break;
}
}

// Could not find the machine policy level
if (bFound == false)
return;

PolicyLevel machinepolicy = (PolicyLevel)(policylevels.Current);

//getting the root code group of the code group hierarchy
CodeGroup rootcg = machinepolicy.RootCodeGroup;

//get all the child code groups of the root code group
IEnumerator rootchildren = (rootcg.Children).GetEnumerator();

//find and remove the code group
while (rootchildren.MoveNext())
{
if (((CodeGroup)(rootchildren.Current)).Name == "<your new
codegroup name name>"
{
CodeGroup codegroup = (CodeGroup)rootchildren.Current;

//remove the code group
rootcg.RemoveChild(codegroup);
}
}

//save it
SecurityManager.SavePolicy();
}
catch
{
// do something here
}
}

You will need to get the public key bytes to populate the array in the
install routine. There are several ways to do this, one being to use sn.exe.
I don't recall the details but it isn't too difficult.




.