Code Access Permissions
Code needs permissions in order to access a resource such as a file or to perform certain operations. A security policy (discussed later in the chapter) will give certain permissions to each assembly. Code access permissions can be
requested
by code. The CLR will decide which permissions to grant based on the security policy for that assembly. You can even implement your own custom permissions for very specialized security situations. However, that is beyond the scope of this book. Here are some examples of predefined code access permissions:
-
DNSPermission
controls access to domain
name
servers on the network.
-
EnvironmentPermission
controls read or write access to environment
variables
.
-
FileIOPermission
controls access to files and directories.
-
FileDialogPermission
allows files selected in an Open dialog box to be read. This is useful if
FileIOPermission
has not been granted.
-
ReflectionPermission
controls the ability to access
nonpublic
metadata.
-
RegistryPermission
controls the ability to access and modify the registry.
-
SecurityPermission
controls the use of the security subsystem.
-
SocketPermission
controls the ability to make or accept connections on a transport address.
-
UIPPermission
controls the user of various
user
interface features, including the clipboard.
-
WebPermission
controls making or accepting connections on a Web address.
The use of these permissions is referred to as
Code Access Security
because this permission is based not on the identity of the user running the code, but on whether the code itself has the right to take certain actions.
Simple Permission Code Request
The
SimplePermissionCodeRequest
example first
requests
permission to access a file. If the CLR does not grant that request, the CLR will throw a
SecurityException
inside the file constructor. However, this code first tests to see if it has that permission. If it does not, it just returns instead of trying to access the file.
[8]
[8]
We have not yet discussed how you set security policy, so we do not yet know how to grant or revoke this permission. By default, however, code running on the same machine that it resides on has this permission.
This step is
generally
superfluous because the CLR will do the demand inside of the constructor, but often you want to check permissions before you execute some code to ascertain if you have the rights you need.
The
FileIOPermission
class models the CLR file permissions. A full
path
must be supplied to its constructor, and we use the
Path
class we discussed in Chapter 10 to get the full path. We are asking for read, write, and append file access. Other possible access rights are NoAccess or PathDiscovery. The latter is required to access information about the file path itself. You might want to allow access to the file, but you may want to hide information in the path, such as directory structure or user
names
.
The demand request checks to see if we have the required permission. The
Demand
method checks all the
callers
on the stack to see if they have this permission. In other words, we want to make sure not only that the assembly that this code is running in has this permission, but that all the assemblies that this code is running on
behalf
of has this permission. If an exception was generated, we do not have the permission we demanded, so we then exit the program.
Dim filename As String = "..\read.txt"
' need full path for security check
Dim fileWithFullPath As String = _
Path.GetFullPath(filename)
Try
Dim fileIOPerm As FileIOPermission = _
New FileIOPermission(_
FileIOPermissionAccess.AllAccess, _
fileWithFullPath)
fileIOPerm.Demand()
Catch e As Exception
Console.WriteLine(e.Message)
Return
End Try
Try
Dim file As FileInfo = New FileInfo(filename)
Dim sr As StreamReader =
File.OpenText()
Dim text As String
text =
sr.ReadLine()
While Not text Is Nothing
Console.WriteLine(text)
text =
sr.ReadLine()
End While
sr.Close()
Catch e As Exception
Console.WriteLine(e.Message)
End Try
Even if the code has the CLR read permission, the user must have read permission from the file system. If the user does not, the
UnauthorizedAccessException
will be thrown when the
OpenText
method is called.
You have to be careful when passing objects that have passed a security check in their constructor to code in other assemblies. Since the check was made in the constructor, no further check is made by the CLR to ascertain access rights. The assembly you pass the object to might not have the same rights as your assembly. If you were to pass this
FileInfo
object to another assembly that did not have the CLR read permission, it would not be prevented from accessing the file by the CLR, because no additional security check will be made. This is a design compromise for performance reasons to avoid making security checks for every operation. This is true for other code access permissions as well.
How a Permission Request Works
To determine whether code is authorized to access a resource or perform an operation, the CLR
performs
checks on all the callers on the stack frame to make sure that each assembly that has a method call on the stack can be granted the requested permission. If any caller in the stack does not have the permission that was demanded, a
SecurityException
is thrown.
Less trusted code is not permitted to use trusted code to perform an unauthorized action. The procedures on the stack could come from different assemblies that have different sets of permissions. For example, an assembly that you build might have all rights, but it might be called by a downloaded component that you would want to have restricted rights, so that it cannot open your email address book, delete files, and so on.
As discussed in the
next
sections, you can modify the results of the stack walk by using
Deny
or
Assert
methods
on the
CodeAccessPermission
base class.
Strategy for Requesting Permissions
Code should request permissions that it needs before it uses them so that it is easier to recover if the permission request is
denied
. For example, if you need to access several key files, it is much easier to check to see if you have the permissions when the code starts up rather than when you are halfway through a delicate operation and then have to roll back several operations. In some situations, the user could be told up front that certain functions will not be available, so that he or she will not be surprised later when certain operations are blocked.
On the other hand, you should not request permissions that you do not need. This will minimize the
chances
that your code will do
damaging
things from
bugs
or malicious third-party code and
components
. In fact, you can restrict the permissions you have to the minimum necessary to prevent such damage. For example, if you do not want a program to read and write the files on your disk, there is no good reason to permit it, and therefore, you should explicitly deny the right to do so.
Denying Permissions
One can apply the
Deny
method to the permission. Even though security policy would permit access to the file, any attempt to access the file will fail. The
SimplePermissionCodeDenial
example
demonstrates
this. Instead of demanding the permission, we invoke the
Deny
method on the
FileIOPermission
object. We then try to read the file in a separate method named
ReadFile
.
...
Try
fileIOPerm.
Deny
()
Console.WriteLine("File Access Permission Denied")
Catch se As SecurityException
Console.WriteLine(se.Message)
End Try
ReadFile()
...
The reason we attempt to read the file in the separate
ReadFile
method will be explained shortly, when we discuss the
Assert
method. For now, notice that since the permission was denied, the
FileInfo
constructor in the
ReadFile
method will throw a
SecurityException
.
Public Sub
ReadFile
()
Try
Dim file As FileInfo =
New FileInfo(filename)
Dim sr As StreamReader = File.OpenText()
Dim text As String
Text = sr.ReadLine()
While text <> Nothing
Console.WriteLine(" " + text)
text = sr.ReadLine()
End While
sr.Close()
Catch se As SecurityException
Console.WriteLine(_
"Could not read file: " + se.Message)
End Try
End Sub
We then call the static
RevertDeny
method on the
FileIOPermission
class to remove the permission denial, and attempt to read the file again. This time the file can be read without throwing an exception. The call to
Deny
is good until the containing code returns to its caller or a
subsequent
call to
Deny
.
RevertDeny
removes
all current
Deny
requests.
...
Try
FileIOPermission.RevertDeny()
Console.WriteLine(_
"File Access Permission Restored")
Catch se As SecurityException
Console.WriteLine(se.Message)
End Try
ReadFile()
...
We then invoke the
Deny
method to once again remove the permission and attempt to read the file, throwing an exception.
...
Try
fileIOPerm.
Deny()
Console.WriteLine(_
"File Access Permission Denied")
Catch se As SecurityException
Console.WriteLine(se.Message)
End Try
ReadFile()
...
Asserting
Permissions
The
Assert
method allows you to demand a permission even though you do not have access rights to do so due to callers higher in the stack that have not been granted the necessary permission. Of course, you can only assert permissions that your assembly itself has been granted. If this were not the case, it would be trivial to circumvent CLR security.
The
SimplePermissionCodeDenial
example now asserts the
FileIO-Permission
and then attempts to read the file by calling the
ReadFile
method, then the
ReadFileWithAssert
method, and finally the
ReadFile
method again. The
ReadFileWithAssert
method is much the same as the
ReadFile
method, but it has its own call to the
Assert
method.
Try
fileIOPerm.Assert()
Console.WriteLine(_
"File Access Permission Asserted")
Catch se As SecurityException
Console.WriteLine(se.Message)
End Try
ReadFile()
ReadFileWithAssert(fileIOPerm)
Console.WriteLine(_
"Returned from read routine with assert.")
ReadFile()
The file-read operations in both calls to the
ReadFile
method fail, but the file-read in
ReadFileWithAssert
succeeds. The permission assertion is only good within the method that calls
Assert
, and the assertion disappears after returning from that method. The
ReadFileWithAssert
method can read the file because it asserts the permission within the method and then attempts the read.
Assert
stops the permission stack walk from checking permissions higher in the stack frame and allows the action to proceed, but it does not cause a grant of the permission. Therefore, if code further down the stack frame (like
ReadFile
)
tries
to demand the denied permission (as the
FileInfo
constructor does), a
SecurityException
will be thrown. Similarly,
Deny
prevents
callers higher in the stack frame from an action, but not on the current level.
Public Sub
ReadFileWithAssert
(ByVal f As FileIOPermission)
Try
f.
Assert()
Console.WriteLine(_
"File Permission Asserted in same procedure
as read.")
Dim file As FileInfo = New FileInfo(filename)
Dim sr As StreamReader = file.OpenText()
Dim text As String
text = sr.
ReadLine()
While text <> Nothing
Console.WriteLine(" " + text)
text = sr.
ReadLine()
End While
sr.Close()
Catch se As SecurityException
Console.WriteLine(_
"Could not read file: " + se.Message)
End Try
End Sub
Remember that the permission assertion only applies to I/O operations done in this one method for the specific file that was passed into the
FileIO-Permission
constructor (i.e., read.txt). The call to
Assert
is good until the containing method returns. Hence,
ReadFile
fails again when it is attempted after
ReadFileWithAssert
returns.
RevertAssert
removes all current
Assert
requests.
Assert
opens up security holes, because some caller in the stack frame might be able to use the routine that calls
Assert
to
violate
security.
Other Permission Methods
PermitOnly
specifies the permissions that should succeed. You simply specify what resources you want to access. The call to
PermitOnly
is good until the containing code returns or a subsequent call to
PermitOnly
.
RevertPermitOnly
removes all current
PermitOnly
requests.
RevertAll
removes the effect of
Deny
,
PermitOnly
, and
Assert
.
SecurityPermission Class
The
SecurityPermission
class controls "meta permissions" that
govern
the CLR security subsystem. Let us look again at the
RoleBasedSecurity
example from earlier in the chapter. It used the
AppDomain.SetPrincipalPolicy
method to set the application domain's principal policy.
Dim ap As AppDomain = AppDomain.CurrentDomain
ap.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
The type of principal returned by
Thread.CurrentPrincipal
will depend on the application domain's principal policy. An application domain can have one of three authentication policies, as defined by the
System.Security.PrincipalPolicy
enumeration:
-
WindowsPrincipal
uses the current user associated with the thread.
Thread.CurrentPrincipal
returns a
WindowsPrincipal
object.
-
UnauthenticatedPrincipal
uses an unauthenticated user.
Thread.-CurrentPrincipal
returns a
GenericPrincipal
object. This is the default.
-
NoPrincipal
returns Nothing for
Thread.CurrentPrincipal
.
You set the policy with the
SetPrincipalPolicy
method on the
AppDomain
instance for the current application domain. The static
method AppDomain.CurrentDomain
will return the current instance. This method should be called before any call to
Thread.CurrentPrincipal
because the principal object is not created until the first attempt to access that property.
In order for the
RoleBasedSecurity
example to set the principal policy, it needs to have the
ControlPrincipal
right. To ascertain if the executing code has that right, you can demand that
SecurityPermission
before you change the policy. A
SecurityException
will be thrown if you do not have that permission.
...
Dim sp As SecurityPermission = _
New SecurityPermission(_
SecurityPermissionFlag.
ControlPrincipal
)
Try
sp.
Demand()
Catch se As SecurityException
Console.WriteLine(se.Message)
Return
End Try
...
We first construct a new
SecurityPermission
instance, passing to the constructor the security permission we want to see if we have the right to use.
SecurityPermissionFlag
is an enumeration of permissions used by the
SecurityPermission
class. The
ControlPolicy
permission represents the right to change policy. Obviously, this should only be granted to trusted code. We then demand (i.e., request) the permission.
As mentioned earlier, you can only assert permissions that your assembly actually has, so rogue components cannot just assert permissions when running within your code. You can either set security policy or use the
Security-
Permission
class to prevent components from calling
Assert
. Construct an instance of the class with the
SecurityPermissionFlag.Assertion
value, and then
Deny
the permission. Among the other actions you can control with the
SecurityPermission
class are the ability to create and manipulate application domains, specify policy, allow or disallow execution, control whether verification is performed, and access unmanaged code.
Calling Unmanaged Code
Asserts are necessary for controlling access to unmanaged code, because in order to call unmanaged code, you need the unmanaged code permission, since the CLR performs a stack walk to check if all the callers have the unmanaged code permission. Therefore, if you did not use the
Assert
method, you would have to grant all code the unmanaged code permission. Hence, assemblies other than your own trusted assemblies could perform operations through the Win32 API calls and subvert the framework's security system.
[9]
[9]
The underlying operating system identity that is running the program must have the rights to perform the operating system function.
It is much better to make unmanaged code calls through wrapper classes that are contained in an assembly that has the unmanaged code permission. The code in the wrapper class would first ascertain that the caller has the proper CLR rights by demanding the minimal set of permissions necessary to accomplish the task (such as writing to a file). If the demand succeeds, then the wrapper code can assert the right to call unmanaged code.
[10]
No other assembly in the call chain then needs to have the unmanaged code permission.
[10]
By demanding first and then asserting, you can ensure that a
luring
attack (i.e.,
unprivileged
code calling privileged code to do evil things) is not in progress.
For example, if you ask the .NET file classes to delete a file, they first demand the delete permission on the file. If that permission is granted, then the code asserts the unmanaged code permission and calls the Win32 API to perform the delete.
Attribute-Based Permissions
|
|
The
SimplePermissionAttributeRequest
example shows how you can use attributes to make permission requests. This example uses an attribute to put in the metadata for the assembly that you need to have the
ControlPrincipal
permission to run. This enables you to query in advance which components conflict with security policy.
|
...
<Assembly: SecurityPermissionAttribute(_
SecurityAction.RequestMinimum, _
ControlPrincipal:=True
)>
...
The
SecurityAction
enumeration has several values, some of which can be applied to a class or method and some that can be applied to an entire assembly, as in this example. For assemblies these are
RequestMinimum
,
RequestOptional
, and
RequestRefuse
.
RequestMinimum
indicates to the metadata those permissions the assembly requires to run.
RequestOptional
indicates to the metadata permissions that the assembly would like to have, but can run without.
RequestRefuse
indicates permissions that the assembly would like to be denied.
[11]
[11]
An assembly would do this to prevent code from another assembly executing on its behalf from having this permission.
If you change the attribute in this example to
RequestRefuse
and run it, you will find that the assembly will load, but you will get a
SecurityException
when you attempt to change the policy.
Other values apply to classes and methods.
LinkDemand
is acted upon when a link is made to some type. It requires your immediate caller to have a permission. The other values apply at runtime.
InheritanceDemand
requires a derived class to have a permission.
Assert
,
Deny
,
PermitOnly
, and
Demand
do what you would expect.
Here is an example of a
FileIOPermission
demand being applied to a class through an attribute. The named value
All
means all file access is being demanded for the specified file. A full file path is required.
<FileIOPermissionAttribute(SecurityAction.Demand, _
All:="c:\foo\read.txt")> _
Public Class Simple
...
End Class
Principal Permission
Role-based security is controlled by the
PrincipalPermission
class. The
PrincipalPermission
example uses this class to make sure that the user identity under which the program is being run is an administrator. We do that by passing the identity name and a string representing the role to the constructor. Once again, we use the
Demand
method on the permission to check the validity of our permission request.
Dim PrincipalPerm As PrincipalPermission = _
New PrincipalPermission(_
wi.Name, adminRole)
Try
PrincipalPerm.
Demand
()
Console.WriteLine(_
"Code demand for an administrator succeeded.")
Catch e As SecurityException
Console.WriteLine(_
"Demand for Administrator failed.")
End Try
If the current user were an administrator, the demand would succeed;
otherwise
, it would fail with an exception being thrown. The code then checks for the user with the name JaneAdmin (not a system administrator, but part of the CustomerAdmin
group
).
Dim customerAdminRole As String = _
"HPDESKTOP\CustomerAdmin"
Dim pp As PrincipalPermission
pp = New PrincipalPermission(_
"HPDESKTOP\JaneAdmin", customerAdminRole)
Try
pp.Demand()
Console.WriteLine(_
"Demand for Customer Administrator succeeded.")
Catch e As SecurityException
Console.WriteLine(_
"Demand for Customer Administrator failed.")
End Try
Next, the
PrincipalPermission
example tests to see if either of these two administrators is the identity of the running code. The
PrincipalPermission
class has methods for creating permissions that are the union or the intersection of other permissions. The following shows how to form a union of the permissions of the users Administrator and PeterT.
Dim
id1
As String =
"HPDESKTOP\Administrator"
Dim
id2
As String =
"HPDESKTOP\PeterT"
Dim
pp1
As PrincipalPermission = _
New
PrincipalPermission
(_
id1
, adminRole)
Dim
pp2
As PrincipalPermission = _
New
PrincipalPermission
(_
id2
, adminRole)
Dim
ipermission
As IPermission =
pp2.Union(pp1)
Try
ipermission.Demand()
Console.WriteLine(_
"Demand for either administrator succeeded.")
Catch e As SecurityException
Console.WriteLine(_
"Demand for either administrator failed.")
End Try
The code then sees if any administrator is the current identity of the running code.
Dim
pp3
As PrincipalPermission = _
New
PrincipalPermission
(_
Nothing
, adminRole)
Try
pp3.
Demand()
Console.WriteLine(_
"Demand for any administrator succeeded.")
Catch e As SecurityException
Console.WriteLine(_
"Demand for any administrator failed.")
End Try
If the users are unauthenticated, even if they do belong to the appropriate roles, the
Demand
will fail.
PermissionSet
You can deal with a set of permissions through the
PermissionSet
class. The
AddPermission
and
RemovePermission
methods allow you to add instances of a
CodeAccessPermission
derived class to the set. You can then
Deny
,
PermitOnly
, or
Assert
sets of permissions instead of individual permissions. This makes it easier to restrict what third-party components and scripts might be able to do. The
PermissionSet
example demonstrates how this is done.
We first define an interface
IUserCode
that our trusted code will use to access some third-party code. While in reality this third-party code would be in a separate assembly, to keep the example simple, we put everything in the same assembly.
Public Interface IUserCode
Function
PotentialRogueCode
() As Integer
End Interface
Public Class ThirdParty
Implements IUserCode
Public Function
PotentialRogueCode
() As Integer _
Implements IUserCode.PotentialRogueCode
Try
Dim filename As String = "..\read.txt"
Dim file As FileInfo = New FileInfo(filename)
Dim sr As StreamReader = file.OpenText()
Dim text As String
text = sr.ReadLine()
While text <> Nothing
Console.WriteLine(text)
text = sr.ReadLine()
End While
sr.Close()
Catch e As Exception
Console.WriteLine(e.Message)
End Try
Return 0
End Function
End Class
Our code will create a new instance of the third party, which would cause the code to be loaded into our assembly. We then invoke the
OurCode
method passing it the third-party code.
...
Public Module PSTest
Public Sub Main()
Dim thirdParty As ThirdParty = New ThirdParty()
Dim ourClass As OurClass = New OurClass()
ourClass.
OurCode
(thirdParty)
End Sub
End Module
...
Now let us look at the
OurCode
method. It creates a permission set consisting of unrestricted user interface and file access permissions. It then denies the permissions in the permission set. The third-party code is then called. After it returns, the permission denial is
revoked
and the third-party code is called again.
Public Class OurClass
Public Sub
OurCode
(ByVal code As IUserCode)
Dim uiPerm As UIPermission = _
New UIPermission(PermissionState.Unrestricted)
Dim fileIOPerm As FileIOPermission = _
New FileIOPermission(PermissionState.Unrestricted)
Dim ps As PermissionSet = _
New
PermissionSet
(_
PermissionState.None)
ps.
AddPermission(uiPerm)
ps.
AddPermission(fileIOPerm)
ps.
Deny()
Console.WriteLine("Permissions denied.")
Dim v As Integer = code.
PotentialRogueCode()
CodeAccessPermission.
RevertDeny()
Console.WriteLine("Permissions allowed.")
v = code.
PotentialRogueCode()
End Sub
End Class
The first time the
PotentialRogueCode
method is called, it fails, and the second time, it succeeds. Each stack frame can have only one permission set for denial of permissions. If you call
Deny
on a permission set, it
overrides
any other calls to
Deny
on a permission set in that stack frame.
|
