.NET Forum / .NET Framework / Security / February 2006


Creating code groups | Setup project

Nick - 17 Feb 2006 11:04 GMT
Hey,

I'm not sure if this can be done, but here's what I require:

I have a Windows application that needs to be secured in a code group with
limited permissions to write to a log folder, and to download certain files
before startup. The issue is that this happens to be running on a restricted user
login. And also, I need to prevent malicious files from accessing this
application.

The solution for the first issue is the cacls exe that I've managed to use
and put together certain code that does the trick for me. Is there any
other/better way to do it? I basically need write permission on a folder in
the Program Files application directory to write some logs, and write
permission on another folder to download some files through the application.

The second issue needs to be addressed using CAS. I know we can use the
configuration manager of the framework in administrative tools to create the
desired permission set and code group and then import the application
assemblies/components into it to sign it.

My queries:

1. How can I do the same that I manage to achieve with the config manager
through some framework classes? I would be required to do this as a custom
action during installation of the application through a setup project that I
have.

2. Which would be the best condition on the basis of which I should create
my code group? There are 7 of them, and I do intend to strong name the app
anyway. Would the strong name be a sufficient enough condition for the code
group? Or would some other condition serve the purpose better and more
smartly?

Any pointers are gladly appreciated.
Cheers!
Nick
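Nick's first problem, giving the restricted user write access to a log folder and a download folder under Program Files, is not answered in the thread. What follows is an added example by the editor, not code posted by either participant: it does the job of the cacls call from inside the installer with the System.Security.AccessControl classes that shipped in .NET 2.0. The folder names, the Prepare signature and the choice of BUILTIN\Users as the grantee are assumptions. The part worth keeping even if the code is not: grant write access only on dedicated sub-folders, never on the directory holding the executable and its DLLs, because a restricted account that can overwrite those gets its own code run under whichever account launches the application next, an administrator included.

```csharp
// Added example (editor's, not from the thread). Assumes it runs from the
// MSI custom action, i.e. elevated, on .NET 2.0 or later.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class DataFolderAcl
{
    // BUILTIN\Users by well-known SID, so the rule survives localized Windows;
    // the restricted login is a member. (Assumption: no narrower group exists.)
    static readonly SecurityIdentifier Users =
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

    // Everything the application may write lives in sub-folders. The folder
    // that holds the EXE and DLLs keeps the default Program Files ACL
    // (Users: read and execute only) and is deliberately not touched here.
    public static void Prepare(string appDir, bool allowExecuteInDownloads)
    {
        GrantWrite(Path.Combine(appDir, "logs"), false);
        GrantWrite(Path.Combine(appDir, "downloads"), allowExecuteInDownloads);
    }

    static void GrantWrite(string folder, bool allowExecute)
    {
        Directory.CreateDirectory(folder);
        DirectorySecurity ds = Directory.GetAccessControl(folder);

        // Modify minus ExecuteFile: create, append, delete and list, and
        // nothing a data folder does not need.
        FileSystemRights rights = FileSystemRights.Modify & ~FileSystemRights.ExecuteFile;
        ds.AddAccessRule(new FileSystemAccessRule(
            Users, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));

        if (!allowExecute)
        {
            // Program Files already inherits Users:ReadAndExecute down to this
            // folder, so only an explicit Deny on ExecuteFile, inherited by the
            // files created here, stops a dropped binary from being launched
            // out of it. Deny entries win over Allow entries.
            ds.AddAccessRule(new FileSystemAccessRule(
                Users, FileSystemRights.ExecuteFile,
                InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
                AccessControlType.Deny));
        }

        Directory.SetAccessControl(folder, ds);
    }
}
```

The installer's Install override calls DataFolderAcl.Prepare with the TARGETDIR the setup project hands over through CustomActionData (the usual /targetdir="[TARGETDIR]\" convention, read back from Context.Parameters["targetdir"]). The Deny on ExecuteFile applies to every member of Users, administrators included; leave it off the download folder only if the application has to load or run what it downloads, and in that case treat the download step itself as the place to verify what arrived.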
Dominick Baier [DevelopMentor] - 17 Feb 2006 11:55 GMT
hi,

this is part of an msi installer project - and should get you started...don't
forget the uninstall action :)

   // this code will run when the MSI file is installed
   // (fragment of an Installer-derived class; the field values are placeholders
   //  and _removeCodeGroupsByName is shown in a later reply)
   using System;
   using System.Collections;
   using System.Configuration.Install;
   using System.Data.SqlClient;          // SqlClientPermission
   using System.Security;
   using System.Security.Permissions;    // DataProtectionPermission is in System.Security.dll
   using System.Security.Policy;

   // placeholders - pick your own names and paste in the public key blob of
   // the key that signs the application (sn -Tp prints it)
   string permissionSetName = "AcmeExpense_PermissionSet";
   string permissionSetDesc = "Permissions granted to the AcmeExpense application";
   string codeGroupName = "AcmeExpense_CodeGroup";
   string codeGroupDesc = "Assemblies signed with the AcmeExpense key";
   byte[] acmePublicKey = new byte[] { /* TODO: public key blob */ };

   public override void Install(IDictionary stateSaver) {
       // the base class must run first so the saved state Uninstall
       // receives later is populated
       base.Install(stateSaver);

       // first need to find the machine policy,
       // which is where we'll make our changes
       PolicyLevel machinePolicy = _findPolicyLevel("Machine");

       if (null == machinePolicy) {
           // sanity check - this should never happen
           throw new ApplicationException("Failed to find the machine policy in the PolicyHierarchy");
       }

       // we need to add a named permission set
       // that includes whatever permissions we're granting
       NamedPermissionSet nps = new NamedPermissionSet(permissionSetName, PermissionState.None);
       nps.Description = permissionSetDesc;

       // TODO: add the permissions AcmeExpense needs
       nps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, @"c:\acme\expenses"));
       nps.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "EXPENSE"));
       nps.AddPermission(new SqlClientPermission(PermissionState.Unrestricted));
       nps.AddPermission(new DataProtectionPermission(PermissionState.Unrestricted));

       // add our named permission set to the machine policy level
       // note that nothing is saved yet (we'll save at the end)
       try {
           machinePolicy.AddNamedPermissionSet(nps);
       }
       catch (ArgumentException) {
           // AddNamedPermissionSet throws this when a set with the same name
           // already exists - update the existing one instead
           machinePolicy.ChangeNamedPermissionSet(nps.Name, nps);
       }

       // now we need to create a code group that matches all assemblies
       // that we ship with AcmeExpense - one way of doing this is to
       // match the strong name we assign to that application (although
       // depending on how you manage strong names, this might cover
       // a wider set of assemblies)
       CodeGroup cg = new UnionCodeGroup(
           new StrongNameMembershipCondition(
               new StrongNamePublicKeyBlob(acmePublicKey),
               null,   // match regardless of assembly's simple name
               null),  // match regardless of assembly's version
           new PolicyStatement(nps,
               PolicyStatementAttribute.Nothing) // no LevelFinal or Exclusive attribute on this code group
           );
       cg.Name = codeGroupName;
       cg.Description = codeGroupDesc;

       // code groups with duplicate names are legal, but messy and confusing,
       // so we make sure to first remove any existing code groups with our name
       _removeCodeGroupsByName(machinePolicy.RootCodeGroup, cg.Name);

       // add our new code group (note we've not saved yet).
       machinePolicy.RootCodeGroup.AddChild(cg);

       // finally, save all changes atomically.
       SecurityManager.SavePolicyLevel(machinePolicy);
   }

   // walks Enterprise / Machine / User / AppDomain and returns the level
   // whose label matches, or null
   PolicyLevel _findPolicyLevel(string labelWeWant) {
       IEnumerator policyLevelEnumerator = SecurityManager.PolicyHierarchy();
       PolicyLevel found = null;
       while (policyLevelEnumerator.MoveNext()) {
           PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
           if (labelWeWant == lvl.Label) {
               found = lvl;
           }
       }
       return found;
   }

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Nick - 20 Feb 2006 10:12 GMT
Hey Dominick,

I did indeed get this code running and was able to create the desired code
groups and perm sets. Thanks a ton!
However, I couldn't quite figure out exactly where to get this Install
method that is overridden. All the work I have done with Setup projects has
been purely through the GUI. I'm not sure where I can fit this code in the
project. I believe I'll have to create an exe for this and put it in as a
custom action during install, and put the code for removing it in a similar
action during uninstall. Am I correct in this assumption?

Dominick Baier [DevelopMentor] - 20 Feb 2006 16:18 GMT
hi,

add a class lib to the installer project - and include its primary output

add a class to that project:

[RunInstaller(true)]
public class MyInstaller : System.Configuration.Install.Installer

and override the Install/Uninstall methods.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Nick - 21 Feb 2006 06:19 GMT
Thanks a ton Dominick!
I finally got the entire bit working.

However, was just wondering if you do not mind sharing the code for the
_removeCodeGroupsByName method too! Guess you missed it in the initial
response.

Cheers!
Nick

Dominick Baier [DevelopMentor] - 21 Feb 2006 07:38 GMT
:) this is a challenge :)

   // removes every direct child of 'parent' whose Name equals childName;
   // matches are collected first so the child list is not modified
   // while it is being enumerated
   void _removeCodeGroupsByName(CodeGroup parent, string childName) {
       ArrayList codeGroupsToRemove = new ArrayList();
       foreach (CodeGroup existingCodeGroup in parent.Children) {
           if (childName == existingCodeGroup.Name) {
               codeGroupsToRemove.Add(existingCodeGroup);
           }
       }
       foreach (CodeGroup cg in codeGroupsToRemove) {
           parent.RemoveChild(cg);
       }
   }

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

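The class the last two replies describe, written out as an added example by the editor (this is not code from the thread): the [RunInstaller(true)] skeleton, the Uninstall and Rollback half that Dominick leaves as an exercise, and a check that the saved policy does what Nick asked for. Two things differ on purpose from the Install code posted above, and both bear on his second question. The membership condition names the assembly as well as the key, because a strong-name condition with null name and null version matches every assembly that key ever signs. And the policy statement is Exclusive: at each policy level CAS unions the permission sets of all code groups that match an assembly, and the default My_Computer_Zone group already grants FullTrust to anything run from local disk, so a group with the Nothing attribute can only add permissions, never take them away. Exclusive makes this group's set the only one that counts at the machine level, which is also why the set must contain everything the application really needs (a Windows Forms application needs UIPermission at the least, and the download step WebPermission; permcalc.exe from the .NET 2.0 SDK helps find the rest). The names, the empty public key placeholder and the log path are assumptions. Saving the machine policy requires administrator rights, which an MSI custom action has. All of this concerns the 1.x to 3.x runtimes of the thread's era: .NET 4 and later ignore CAS policy levels unless NetFx40_LegacySecurityPolicy is enabled.

```csharp
// Added example (editor's, not from the thread). Names, the key placeholder
// and the logs path are assumptions; targets the .NET 2.0/3.x CAS policy model.
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

[RunInstaller(true)]
public class AcmePolicyInstaller : Installer
{
    const string PermissionSetName = "AcmeExpense_PermissionSet";
    const string CodeGroupName = "AcmeExpense_CodeGroup";
    const string AppName = "AcmeExpense";   // assembly simple name, not the file name

    // TODO: public key blob of the key that signs AcmeExpense ("sn -Tp AcmeExpense.exe"
    // prints it). Left empty here on purpose; an empty blob matches nothing.
    static readonly byte[] AcmePublicKey = new byte[0];

    public override void Install(IDictionary stateSaver)
    {
        base.Install(stateSaver);   // first, so the saved state reaches Uninstall
        ApplyPolicy();
    }

    public override void Uninstall(IDictionary savedState)
    {
        base.Uninstall(savedState);
        RemovePolicy();
    }

    // A failed install must not leave a half-applied policy behind.
    public override void Rollback(IDictionary savedState)
    {
        base.Rollback(savedState);
        RemovePolicy();
    }

    static void ApplyPolicy()
    {
        PolicyLevel machine = FindLevel("Machine");
        if (machine == null) throw new InstallException("Machine policy level not found");

        // Least privilege for the application: run, append to its own log folder,
        // nothing else. Grow this to what testing shows the application needs.
        NamedPermissionSet nps = new NamedPermissionSet(PermissionSetName, PermissionState.None);
        nps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        nps.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Write | FileIOPermissionAccess.Append,
            @"C:\Program Files\AcmeExpense\logs"));
        if (machine.GetNamedPermissionSet(PermissionSetName) == null)
            machine.AddNamedPermissionSet(nps);
        else
            machine.ChangeNamedPermissionSet(PermissionSetName, nps);

        // Key AND simple name; version left open so upgrades keep matching.
        // With name == null the group would cover every assembly signed with the key.
        IMembershipCondition cond = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(AcmePublicKey), AppName, null);

        // Exclusive: only this set applies at this level to a matching assembly.
        // Without it the grant is unioned with My_Computer_Zone (FullTrust) and the
        // "limited" set limits nothing. Two Exclusive groups matching the same
        // assembly make policy resolution throw PolicyException, so keep one.
        CodeGroup group = new UnionCodeGroup(cond,
            new PolicyStatement(nps, PolicyStatementAttribute.Exclusive));
        group.Name = CodeGroupName;

        RemoveGroup(machine);               // no duplicates on re-install
        machine.RootCodeGroup.AddChild(group);
        SecurityManager.SavePolicyLevel(machine);
    }

    static void RemovePolicy()
    {
        PolicyLevel machine = FindLevel("Machine");
        if (machine == null) return;
        RemoveGroup(machine);
        // The named set can only be deleted once no code group refers to it.
        if (machine.GetNamedPermissionSet(PermissionSetName) != null)
            machine.RemoveNamedPermissionSet(PermissionSetName);
        SecurityManager.SavePolicyLevel(machine);
    }

    static void RemoveGroup(PolicyLevel level)
    {
        ArrayList doomed = new ArrayList();   // collect first, then remove
        foreach (CodeGroup child in level.RootCodeGroup.Children)
            if (child.Name == CodeGroupName) doomed.Add(child);
        foreach (CodeGroup child in doomed)
            level.RootCodeGroup.RemoveChild(child);
    }

    static PolicyLevel FindLevel(string label)
    {
        IEnumerator e = SecurityManager.PolicyHierarchy();
        while (e.MoveNext())
            if (((PolicyLevel)e.Current).Label == label) return (PolicyLevel)e.Current;
        return null;
    }

    // What policy now grants AcmeExpense when run from local disk. Call after
    // ApplyPolicy and log it: IsUnrestricted() == true means the cap did not take,
    // typically because the key blob is wrong and the group never matched.
    public static PermissionSet ResolveForApp(Version version)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(SecurityZone.MyComputer));
        ev.AddHost(new StrongName(new StrongNamePublicKeyBlob(AcmePublicKey), AppName, version));
        return SecurityManager.ResolvePolicy(ev);
    }
}
```

The resolve step is the check worth keeping: the configuration tool shows what you configured, ResolvePolicy shows what the runtime will actually hand the assembly after the Enterprise, Machine and User levels are intersected. Run it from the installer after SavePolicyLevel and again from the application itself with its own evidence, and treat an unrestricted result as an install failure rather than a warning.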
