Opened 14 years ago
Closed 13 years ago
#831 closed defect (done)
Activate restricted permission set for sandboxed AppDomains
| Reported by: | gkronber | Owned by: | gkronber |
|---|---|---|---|
| Priority: | highest | Milestone: | HeuristicLab 3.3.5 |
| Component: | PluginInfrastructure | Version: | 3.3.5 |
| Keywords: | Cc: |
Description
Currently the permission policy for 'sandboxed' AppDomains is unrestricted.
This is relevant for plugins HeuristicLab.Hive.Client and HeuristicLab.Grid which create a new appdomain for each job. Additionally HeuristicLab.Hive.Client loads plugins dynamically which causes additional troubles in combination with the security policy.
Probably the sandboxing mechanism has to be changed completely. Ideally we create a temporary directory for each job where we can store the files (assemblies) that are necessary for that job and use this directory as base-path (or private bin path) for the job-specific sandbox.
Change History (13)
comment:1 Changed 14 years ago by gkronber
- Version changed from 3.2 to 3.3
comment:2 Changed 14 years ago by gkronber
- Version changed from 3.3 to 3.3.0
comment:3 Changed 14 years ago by gkronber
- Version changed from 3.3.0 to 3.3
comment:4 Changed 14 years ago by gkronber
- Priority changed from critical to minor
comment:5 Changed 13 years ago by gkronber
- Milestone changed from HeuristicLab 3.3.x Backlog to HeuristicLab 3.3.5
- Owner changed from gkronber to ascheibe
- Priority changed from low to highest
- Status changed from new to assigned
- Version changed from 3.3 to 3.3.4
comment:6 Changed 13 years ago by ascheibe
comment:7 Changed 13 years ago by ascheibe
- completed SandboxManager
- added SandboxApplicationManager for Hive
- DefaultApplicationManager is now a subclass of the SandboxApplicationManager
- ApplicationManager now instantiates the LightweightApplicationManager only if it is accessed to avoid calling InitializeLifetimeService(..) in a sandbox
comment:8 Changed 13 years ago by ascheibe
- Owner changed from ascheibe to gkronber
- Status changed from assigned to reviewing
comment:9 Changed 13 years ago by ascheibe
r6487 removed unnecessary permission
comment:10 Changed 13 years ago by gkronber
comment:11 Changed 13 years ago by gkronber
Review comments:
The SandboxManager creates an application domain with a restricted permission set. However, the permissions granted in the sandbox are too powerful and it would actually be possible to compromise and gather sensitive information from the executing machine. To make the sandbox more secure the following permissions should be removed in future versions (see ticket #1580):
- SecurityPermissionFlag.Infrastructure
- SecurityPermissionFlag.UnmanagedCode
- SecurityPermissionFlag.ControlEvidence
- ReflectionPermission(PermissionState.Unrestricted)
- FileIOPermissionAccess.PathDiscovery, Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))
also see: http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermissionflag.aspx
comment:12 Changed 13 years ago by gkronber
- Status changed from reviewing to readytorelease
comment:13 Changed 13 years ago by swagner
- Resolution set to done
- Status changed from readytorelease to closed
- Version changed from 3.3.4 to 3.3.5
In a sandboxed AppDomain only partially-trusted code can be executed. Therefore all code that requires full trust has to be avoided:
For this ticket, a new ApplicationManager will be implemented which runs in a sandbox. Also, SandboxManager will be completed.