[Ironpython-users] Issue with restricted AppDomain

Frank Schusdziarra see_toronto at web.de
Tue Mar 6 11:54:48 CET 2012


Hi all,
I'm having trouble running Python scripts from a C# app with IP 2.7.1 
embedded in a restricted AppDomain. I have checked all the advice I 
could find on the net, but I must be missing something.

This is the requirement:
The C# app creates a restricted app domain for the scripts to execute in. The 
scripts, however, are allowed to access e.g. the lib folder and its modules.
If running in "unrestricted" mode, all works fine, but that's clearly not 
what I would like to achieve.
Among other exceptions thrown (e.g. regarding Environment) there is one 
that seems to really cause the trouble:
[System.Security.SecurityException] = {"Request failed."}
    at Microsoft.Scripting.Utils.WeakHandle..ctor(Object target, Boolean trackResurrection)
    at IronPython.Runtime.WeakRefTracker.CallbackInfo..ctor(Object callback, Object weakRef)
    at IronPython.Runtime.WeakRefTracker.ChainCallback(Object callback, Object weakRef)
    at IronPython.Runtime.WeakRefTracker..ctor(Object callback, Object weakRef)
    at IronPython.Modules.PythonWeakRef.WeakRefHelpers.InitializeWeakRef(Object self, Object target, Object callback)
    at IronPython.Modules.PythonWeakRef.ref..ctor(Object object, Object callback)
    at IronPython.Modules.PythonWeakRef.ref..ctor(Object object)
    at IronPython.Modules.PythonWeakRef.ref.__new__(CodeContext context, PythonType cls, Object object)
    at System.Func`4.Invoke(T1 arg1, T2 arg2, T3 arg3)
    at Microsoft.Scripting.Interpreter.FuncCallInstruction`4.Run(InterpretedFrame frame)
    at Microsoft.Scripting.Interpreter.Interpreter.Run(InterpretedFrame frame)

This exception is however not "visible" in the calling app domain. I 
understand that there is an outstanding bug regarding serialization of 
exception information. However a breakpoint on the WeakHandle ctor call 
allowed me to get the above exception information.

But I can't figure out which permission is actually missing or if there 
is anything else I'm doing wrong. Any advice is greatly appreciated.

Here's a stripped down sample (C# 4.0 console app) to reproduce the issue:

using System;
using System.Collections.Generic;
using System.IO;
using System.Security;
using System.Security.Policy;
using System.Security.Permissions;
using System.Reflection;
using Microsoft.Scripting.Hosting;
using IronPython.Hosting;

namespace SimpleAD
{
     class Program
     {
         static void Main(string[] args)
         {
             string pyLibPath = @"<PathToIPLibFolder>";
             // Python script executed inside the sandboxed domain
             string code = @"
print 'Importing sys and adding lib path'
import sys
sys.path.append('"+pyLibPath+@"')
print 'Importing os'
import os
print 'OS Name',os.name
print 'Done'
";

             // Strong name of this assembly, passed to CreateDomain as a full-trust assembly
             StrongName fullTrustAssembly = typeof(Program).Assembly.Evidence.GetHostEvidence<StrongName>();
             Evidence evi = AppDomain.CurrentDomain.Evidence;
             AppDomainSetup adSetup = new AppDomainSetup();
             adSetup.ApplicationBase = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);

             /* THIS IS WORKING !
             PermissionSet permSet = new PermissionSet(PermissionState.Unrestricted);
             */

             // Grant set of the sandbox: execution, reflection and read-only file access
             PermissionSet permSet = new PermissionSet(PermissionState.None);
             permSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
             permSet.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));

             FileIOPermission libPerm = new FileIOPermission(PermissionState.None);
             // Assembly Path
             libPerm.AddPathList(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, adSetup.ApplicationBase);
             // Iron-Python Lib Path
             libPerm.AddPathList(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, pyLibPath);
             permSet.AddPermission(libPerm);

             AppDomain restricted = AppDomain.CreateDomain("Sandbox", evi, adSetup, permSet, fullTrustAssembly);

             Dictionary<string, object> options = new Dictionary<string, object>();
             ScriptRuntimeSetup setup = Python.CreateRuntimeSetup(options);

             // Create the script runtime inside the restricted domain
             ScriptRuntime runtime = ScriptRuntime.CreateRemote(restricted, setup);
             ScriptEngine engine = runtime.GetEngine("Python");
             try
             {
                 engine.Execute(code);
             }
             catch (Exception e)
             {
                 (new PermissionSet(PermissionState.Unrestricted)).Assert();
                 Console.WriteLine("Error:" + e.ToString());
                 CodeAccessPermission.RevertAssert();
             }
             Console.ReadLine();

         }
     }
}


Regards,
Frank
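
An added example, not part of the original post or of IronPython: one way to see which permission a sandbox is missing is to catch the SecurityException inside the restricted domain, in a fully trusted helper, and hand the details back as a string. It uses plain .NET Framework 4 CAS without IronPython; the names SandboxProbe and Run and the sample file path are hypothetical, and the assembly is assumed to be strong-name signed.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical helper type. Its assembly is assumed to be strong-name signed,
// so that it can be placed on the sandbox's full-trust list.
public class SandboxProbe : MarshalByRefObject
{
    // Runs inside the sandbox and returns a string, which crosses the AppDomain boundary.
    public string Run(string path)
    {
        try
        {
            File.ReadAllText(path);   // demands FileIOPermission, absent from the grant set
            return "no SecurityException";
        }
        catch (SecurityException e)
        {
            // The demanded permission is only included in the exception text for
            // sufficiently trusted callers; assert just long enough to format it.
            new PermissionSet(PermissionState.Unrestricted).Assert();
            try { return e.ToString(); }
            finally { CodeAccessPermission.RevertAssert(); }
        }
    }
}

class Program
{
    static void Main()
    {
        AppDomainSetup adSetup = new AppDomainSetup();
        adSetup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        PermissionSet permSet = new PermissionSet(PermissionState.None);
        permSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // GetHostEvidence returns null for an unsigned assembly, hence the signing assumption.
        StrongName fullTrust = typeof(SandboxProbe).Assembly.Evidence.GetHostEvidence<StrongName>();
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, adSetup, permSet, fullTrust);

        SandboxProbe probe = (SandboxProbe)Activator.CreateInstanceFrom(
            sandbox, typeof(SandboxProbe).Assembly.Location, typeof(SandboxProbe).FullName).Unwrap();
        Console.WriteLine(probe.Run(@"C:\Windows\win.ini"));   // constructed sample path
    }
}
```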

