Opened 12 years ago

Closed 10 years ago

#831 closed defect (done)

Activate restricted permission set for sandboxed AppDomains

Reported by: gkronber Owned by: gkronber
Priority: highest Milestone: HeuristicLab 3.3.5
Component: PluginInfrastructure Version: 3.3.5
Keywords: Cc:

Description

Currently the permission policy for 'sandboxed' AppDomains is unrestricted.

This is relevant for plugins HeuristicLab.Hive.Client and HeuristicLab.Grid which create a new appdomain for each job. Additionally HeuristicLab.Hive.Client loads plugins dynamically which causes additional troubles in combination with the security policy.

Probably the sandboxing mechanism has to be changed completely. Ideally we create a temporary directory for each job where we can store the files (assemblies) that are necessary for that job and use this directory as base-path (or private bin path) for the job-specific sandbox.

Change History (13)

comment:1 Changed 11 years ago by gkronber

  • Version changed from 3.2 to 3.3

comment:2 Changed 11 years ago by gkronber

  • Version changed from 3.3 to 3.3.0

comment:3 Changed 11 years ago by gkronber

  • Version changed from 3.3.0 to 3.3

comment:4 Changed 11 years ago by gkronber

  • Priority changed from critical to minor

comment:5 Changed 10 years ago by gkronber

  • Milestone changed from HeuristicLab 3.3.x Backlog to HeuristicLab 3.3.5
  • Owner changed from gkronber to ascheibe
  • Priority changed from low to highest
  • Status changed from new to assigned
  • Version changed from 3.3 to 3.3.4

comment:6 Changed 10 years ago by ascheibe

In a sandboxed AppDomain only partially-trusted code can be executed. Therefore all code that requires full trust has to be avoided:

  • Ticket #1486 fixes a problem where gui dependencies which need full trust are pulled in.
  • Ticket #1517 switches HeuristicLab.Tracing to Diagnostics.Trace to allow tracing in a sandbox.

For this ticket, a new ApplicationManager will be implemented which runs in a sandbox. Also, SandboxManager will be completed.

comment:7 Changed 10 years ago by ascheibe

r6174

  • completed SandboxManager
  • added SandboxApplicationManager for Hive
  • DefaultApplicationManager is now a subclass of the SandboxApplicationManager
  • ApplicationManager now instantiates the LightweightApplicationManager only if it is accessed to avoid calling InitializeLifetimeService(..) in a sandbox

comment:8 Changed 10 years ago by ascheibe

  • Owner changed from ascheibe to gkronber
  • Status changed from assigned to reviewing

comment:9 Changed 10 years ago by ascheibe

r6487 removed unnecessary permission

comment:10 Changed 10 years ago by gkronber

Reviewed r6174 and r6487.

r6538:

  • removed unnecessary method to load assemblies from byte arrays from SandboxApplicationManager.
  • Minor changes in SandboxManager.

comment:11 Changed 10 years ago by gkronber

Review comments:

The SandboxManager creates an application domain with a restricted permission set. However, the permissions granted in the sandbox are too powerful and it would actually be possible to compromise and gather sensitive information from the executing machine. To make the sandbox more secure the following permissions should be removed in future versions (see ticket #1580):

  • SecurityPermissionFlag.Infrastructure
  • SecurityPermissionFlag.UnmanagedCode
  • SecurityPermissionFlag.ControlEvidence
  • ReflectionPermission(PermissionState.Unrestricted)
  • FileIOPermissionAccess.PathDiscovery, Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))

also see: http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermissionflag.aspx

comment:12 Changed 10 years ago by gkronber

  • Status changed from reviewing to readytorelease

comment:13 Changed 10 years ago by swagner

  • Resolution set to done
  • Status changed from readytorelease to closed
  • Version changed from 3.3.4 to 3.3.5
Note: See TracTickets for help on using tickets.