<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>To allow access to the imports the next step in this will be
providing your own PlatformAdapationLayer. You’ll need to subclass
ScriptHost and specify that type as the HostType for a
ScriptRuntimeSetup. Your PAL can then provide access to a limited file
system or a virtual file system from which the files are imported. All of
the IronPython import logic will then go through the PAL – you could
check out the Silverlight PAL (BrowserPAL.cs) for an example.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>For me the loop/print is working w/ just Execution permission.
I’ve just taken your original Program.cs, added APTCA, restricted the
permissions to Execution, and removed full trust from the Ipy/DLR DLLs.
What’s the stack trace of the exception here? <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> users-bounces@lists.ironpython.com
[mailto:users-bounces@lists.ironpython.com] <b>On Behalf Of </b>Leo Carbajal<br>
<b>Sent:</b> Tuesday, September 02, 2008 7:26 PM<br>
<b>To:</b> Discussion of IronPython<br>
<b>Subject:</b> Re: [IronPython] Re strict imports<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>Dino,<br>
<br>
Thanks for the advice on Security Transparent. The IO permission seems
necessary in order to load scripts from a file, as is the actual plan in the
end - the example I attached not withstanding. Also, for some reason scripts
fail unless I grant the UnmanagedCode flag, in addition to Execution. This is
kind of problematic since UnmanagedCode allows me to do:<br>
<br>
import clr<br>
clr.AddReference("mscorlib.dll")<br>
import System<br>
from System import Environment<br>
Environment.Exit(9)<br>
<br>
Which I think is kinda bad. =\ <br>
<br>
Without UnmanagedCode imports don't work and even this won't work:<br>
<br>
i = 200<br>
while i > 0: <br>
i = i - 1<br>
print "Done in the second verse. Yes?"<br>
<br>
Print by itself works, though, and other functions such as
Environment.CommandLine and such are correctly stopped unless called through a
method I expose that asserts the appropriate permission set. Still, that Exit
thing is rather crippling. Unfortunately the application I'm building will be
run by the type of people that have too much time on their hands, I'm not sure
how to plug that kind of hole without resorting to filtering each file for
'naughty' commands.<br>
<br>
---<br>
LC<o:p></o:p></p>
<div>
<p class=MsoNormal>On Tue, Sep 2, 2008 at 9:10 PM, Dino Viehland <<a
href="mailto:dinov@microsoft.com">dinov@microsoft.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>To avoid the link demands you
can mark your assembly as being SecurityTransparent – see <a
href="http://blogs.msdn.com/shawnfa/archive/2005/08/31/458641.aspx"
target="_blank">http://blogs.msdn.com/shawnfa/archive/2005/08/31/458641.aspx</a>.
That will force link demands from your assembly to turn into full demands which
will fail when they hit the untrusted script code. And full demands will
of course also fail normally.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Also just a couple of other
comments: You (probably) shouldn't be marking IronPython/IronPython.Modules/Microsoft.Scripting/Microsoft.Scripting.Core
as full trust – we're also security critical so we don't need to be
trusted at all. You also probably don't want to be granting reflection or
file-io – pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
should be sufficient for what you're doing so far.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Finally if you need to
occasionally elevate permissions in your object model you can mark your
assembly as SecurityCritical and then have individual methods which are audited
and elevate appropriately. But you also might just want to restrict the
surface area by not having many public types other than the object model you're
exposing.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p><b><span style='font-size:10.0pt'>From:</span></b><span style='font-size:
10.0pt'> <a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>
[mailto:<a href="mailto:users-bounces@lists.ironpython.com" target="_blank">users-bounces@lists.ironpython.com</a>]
<b>On Behalf Of </b>Leo Carbajal<br>
<b>Sent:</b> Tuesday, September 02, 2008 6:33 PM<o:p></o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt'><br>
<b>To:</b> Discussion of IronPython<br>
<b>Subject:</b> Re: [IronPython] Re strict imports<o:p></o:p></span></p>
</div>
</div>
<p> <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'>Ok, so I think I misunderstood what a
LinkDemand was, as well as the fact that the exception I'm getting is expected
behavior.<o:p></o:p></p>
<div>
<div>
<p class=MsoNormal><br>
<br>
I added the [assembly: AllowPartiallyTrustedCallers] attribute to my assembly
and now things work fine outside of the debug environment. From what I (now)
understand, using the LinkDemand attribute is so that the partially trusted
assembly (i.e. the scripts) <b>can't</b> access that method. Does that sound
right to you guru types? To test this I imported System.Windows.Forms and tried
to call the MessageBox.Show() method which failed while running in the domain,
as expected. When I removed the LinkDemand from the ScriptableItem class the
calls to it in the script also worked fine.<br>
<br>
So all I have to do is decorate the classes I don't want to be imported from my
assembly into the script with LinkDemands, I think? Is there some way to
reverse that, I.E. some way that I can decorate the classes I want to be
accessible rather than the other way around? I suppose another alternative is
to create the ScriptableItem wrappers in their own assembly and just reference
that, as well as make it callable by partially trusted callers, while leaving
my own assembly alone and thus off-limits to an import.<br>
<br>
I will play with it some more, I think. I'm sorry to have wasted some of your
time. =\<br>
<br>
---<br>
LC<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p>On Tue, Sep 2, 2008 at 7:38 PM, Leo Carbajal <<a
href="mailto:desleo@gmail.com" target="_blank">desleo@gmail.com</a>> wrote:<o:p></o:p></p>
<div>
<p>This is a condensed version. You'll have to sign the assembly or you'll get
an error at the domain creation step, other than that this should run just by
starting a new console application, adding the IPY and DLR DLLs, and then
copying and pasting this file over the default generated code.<br>
<br>
Even after starting a new project to make sure my sample builds I still observe
the same behavior.<br>
<br>
---<br>
<span style='color:#888888'>LC</span><o:p></o:p></p>
<div>
<div>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<p>On Tue, Sep 2, 2008 at 6:36 PM, Curt Hagenlocher <<a
href="mailto:curt@hagenlocher.org" target="_blank">curt@hagenlocher.org</a>>
wrote:<o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'>Do you have a simple reproduction that doesn't
include any of your domain-specific code?<o:p></o:p></p>
<div>
<div>
<div>
<p>On Tue, Sep 2, 2008 at 4:30 PM, Leo Carbajal <<a
href="mailto:desleo@gmail.com" target="_blank">desleo@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;
border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color rgb(204, 204, 204)'>
<div>
<div>
<div>
<p>So here's a strange wrinkle,<br>
<br>
when I run this with the debugger (unmodified except for adding the IronPython
assemblies as full-trust on the domain) it works fine and as expected. If I run
it without the debugger attached it gives me the same exception as before, when
I catch the exception myself I also get this tidbit:<br>
<br>
The assembly or AppDomain that failed was:<br>
Microsoft.Scripting, Version=1.0.0.4000, Culture=neutral,
PublicKeyToken=31bf3856ad364e35<br>
The Zone of the assembly that failed was:<br>
MyComputer<br>
The Url of the assembly that failed was:<br>
file:///B:/Code/IronPythonShell/IronPythonShell/bin/Debug/Microsoft.Scripting.DLL<br>
<br>
If I build and compile the code as Release instead of Debug I get: <br>
<br>
System.Runtime.Serialization.SerializationException: Type
'System.Scripting.SourceUnit' in assembly 'Microsoft.Scripting.Core,
Version=1.0.0.4000, Culture=neutral, PublicKeyToken=31bf3856ad364e35' is not
marked as serializable. <o:p></o:p></p>
<div>
<p><br>
at Microsoft.Scripting.Hosting.ScriptRuntime.ExecuteFile(String
path)<o:p></o:p></p>
</div>
<p> at IronPythonShell.Program.Main(String[] args) in
B:\Code\IronPythonShell\IronPythonShell\Program.cs:line 54<br>
<br>
It's a little beyond odd to me, but like I said before I fear I don't fully
understand what's going on behind the goo. The only consolation is that I can
at least built out my scripting system in working form and later run it under a
more trusted domain for production by simply removing the domain from the
Runtime.Create() constructor and then adding it later. (At least, I hope this
is the case)<br>
<br>
---<br>
Leo C. <o:p></o:p></p>
<div>
<p style='margin-bottom:12.0pt'> <o:p></o:p></p>
<div>
<p>On Tue, Sep 2, 2008 at 4:50 PM, Shri Borde <<a
href="mailto:Shri.Borde@microsoft.com" target="_blank">Shri.Borde@microsoft.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p><span style='font-size:11.0pt;color:#1F497D'>The CLR doesn't dump out full
exception information on SecurityExceptions in partial trust – you can
get a lot more information if you look at the exception in a debugger, or if you
Assert for FullTrust before doing a ToString on the permission. Once you
do that, you should be able to get more data including the demanded permission
and the assembly which caused the demand to fail, instead of the message saying
"</span><span style='color:#666666'>The granted set of the failing
assembly was:</span><span style='font-size:11.0pt;color:#1F497D'>" which
does not say which assembly is causing the problem.</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Also, can you try adding
IronPython.dll and IronPython.Modules.dll to the </span><span style='font-size:
8.0pt;color:black'>fullTrustAssemblies</span><span style='font-size:11.0pt;
color:#1F497D'> argument to <a
href="http://msdn.microsoft.com/en-us/library/ms130766.aspx" target="_blank">AppDomain.CreateDomain</a>?</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Thanks,</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'>Shri</span><o:p></o:p></p>
<p><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
<div>
<p style='margin-bottom:12.0pt'>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com" target="_blank">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com"
target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p> <o:p></o:p></p>
</div>
<p style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com" target="_blank">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com"
target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.ironpython.com">Users@lists.ironpython.com</a><br>
<a href="http://lists.ironpython.com/listinfo.cgi/users-ironpython.com"
target="_blank">http://lists.ironpython.com/listinfo.cgi/users-ironpython.com</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>