[Ironpython-users] Importing modules in a restricted AppDomain

Dino Viehland dinov at microsoft.com
Wed Mar 7 18:34:00 CET 2012 

Nope, ideally IronPython's assemblies are not trusted.  In general IronPython's assemblies are "security transparent" which means they don't affect any security decisions made by the CLR.  If you gave them full trust then the user could do something like file('C:\\bad_file.txt', 'w+').  The security transparency means that IronPython can contain a bunch of code for accessing files and stuff but that code doesn't need to be audited for security because we don't have any permissions of our own.

You might want to try doing something like:

            AppDomainSetup info = new AppDomainSetup();
            info.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
            info.ApplicationName = "Test";

            Evidence evidence = new Evidence();
            evidence.AddHost(new Zone(SecurityZone.Internet));

            System.Security.PermissionSet permSet = SecurityManager.GetStandardSandbox(evidence);
            AppDomain newDomain = AppDomain.CreateDomain("test", evidence, info, permSet, null);

            // create runtime in partial trust...
            ScriptRuntime runtime = Python.CreateRuntime(newDomain);

Which will run the code in the internet zone which should be a safe set of permissions - you might need to add in your path access to this, but we use this setup in a test case so it definitely works.

From: ironpython-users-bounces+dinov=microsoft.com at python.org [mailto:ironpython-users-bounces+dinov=microsoft.com at python.org] On Behalf Of Cesar Mello
Sent: Wednesday, March 07, 2012 5:17 AM
To: ironpython-users at python.org
Subject: Re: [Ironpython-users] Importing modules in a restricted AppDomain

Hi,

Must I grant fulltrust permissions to the IronPython assemblies? Sorry for the basic question, but will the scripts still be restricted in this case?

Thank you a lot. This is a bit urgent for me, because it's the last step before I can finish the prototype with IronPython and let it be accepted for embedding in our product.

Best regards!
Mello


On Mon, Mar 5, 2012 at 4:26 PM, Cesar Mello <cmello at gmail.com<mailto:cmello at gmail.com>> wrote:
Please ignore my previous question. Sucessfully added FileIOPermission with PathDiscovery and it worked:

      var pythonLibsPath = ExpressionEvaluator.GetPythonLibsPath();
      permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, pythonLibsPath));


Now I'm facing some problem with Emit permissions. Added ReflectionPermission(PermissionState.Unrestricted) but still doesn't work.

I'm using .NET 4 in this project at work. Sorry if the subject is too general and off-topic.

Best regards
Mello

Message: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
   at System.Security.CodeAccessPermission.Demand()
   at System.Reflection.Emit.AssemblyBuilder.DefineDynamicModuleInternalNoLock(String name, Boolean emitSymbolInfo, StackCrawlMark& stackMark)
   at System.Reflection.Emit.AssemblyBuilder.DefineDynamicModuleInternal(String name, Boolean emitSymbolInfo, StackCrawlMark& stackMark)
   at System.Reflection.Emit.AssemblyBuilder.DefineDynamicModule(String name, Boolean emitSymbolInfo)
   at Microsoft.Scripting.Generation.AssemblyGen..ctor(AssemblyName name, String outDir, String outFileExtension, Boolean isDebuggable, PortableExecutableKinds peKind, ImageFileMachine machine)
   at Microsoft.Scripting.Generation.AssemblyGen..ctor(AssemblyName name, String outDir, String outFileExtension, Boolean isDebuggable)
   at Microsoft.Scripting.Generation.Snippets.CreateNewAssembly(String nameSuffix, Boolean emitSymbols)
   at Microsoft.Scripting.Generation.Snippets.GetOrCreateAssembly(Boolean emitSymbols, AssemblyGen& assembly)
   at Microsoft.Scripting.Generation.Snippets.GetAssembly(Boolean emitSymbols)
   at Microsoft.Scripting.Generation.Snippets.DefineType(String name, Type parent, Boolean preserveName, Boolean emitDebugSymbols)
   at Microsoft.Scripting.Generation.CompilerHelpers.CompileToMethod(LambdaExpression lambda, DebugInfoGenerator debugInfoGenerator, Boolean emitDebugSymbols)
   at Microsoft.Scripting.Generation.CompilerHelpers.CompileToMethod[T](Expression`1 lambda, DebugInfoGenerator debugInfoGenerator, Boolean emitDebugSymbols)
   at Microsoft.Scripting.Generation.CompilerHelpers.Compile[T](Expression`1 lambda, Boolean emitDebugSymbols)
   at IronPython.Compiler.RuntimeScriptCode.Compile()
   at IronPython.Compiler.RuntimeScriptCode.EnsureCompiled()
   at IronPython.Compiler.RuntimeScriptCode.InvokeTarget(Scope scope)
   at IronPython.Compiler.RuntimeScriptCode.Run(Scope scope)
   at IronPython.Runtime.PythonContext.InitializeModule(String fileName, ModuleContext moduleContext, ScriptCode scriptCode, ModuleOptions options)
   at IronPython.Runtime.PythonContext.CompileModule(String fileName, String moduleName, SourceUnit sourceCode, ModuleOptions options, ScriptCode& scriptCode)
   at IronPython.Runtime.PythonContext.CompileModule(String fileName, String moduleName, SourceUnit sourceCode, ModuleOptions options)
   at IronPython.Runtime.Importer.LoadFromSourceUnit(CodeContext context, SourceUnit sourceCode, String name, String path)
   at IronPython.Runtime.Importer.LoadModuleFromSource(CodeContext context, String name, String path)
   at IronPython.Runtime.Importer.LoadFromDisk(CodeContext context, String name, String fullName, String str)
   at IronPython.Runtime.Importer.ImportFromPathHook(CodeContext context, String name, String fullName, List path, Func`5 defaultLoader)
   at IronPython.Runtime.Importer.ImportFromPath(CodeContext context, String name, String fullName, List path)
   at IronPython.Runtime.Importer.ImportTopAbsolute(CodeContext context, String name)
   at IronPython.Runtime.Importer.ImportModule(CodeContext context, Object globals, String modName, Boolean bottom, Int32 level)
   at IronPython.Modules.Builtin.__import__(CodeContext context, String name, Object globals, Object locals, Object fromlist, Int32 level)
   at Microsoft.Scripting.Interpreter.FuncCallInstruction`7.Run(InterpretedFrame frame)
   at Microsoft.Scripting.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at Microsoft.Scripting.Interpreter.LightLambda.Run7[T0,T1,T2,T3,T4,T5,T6,TRet](T0 arg0, T1 arg1, T2 arg2, T3 arg3, T4 arg4, T5 arg5, T6 arg6)
   at IronPython.Runtime.Importer.ImportLightThrow(CodeContext context, String fullName, PythonTuple from, Int32 level)
   at IronPython.Runtime.Operations.PythonOps.ImportTop(CodeContext context, String fullName, Int32 level)
   at Microsoft.Scripting.Interpreter.FuncCallInstruction`4.Run(InterpretedFrame frame)
   at Microsoft.Scripting.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at Microsoft.Scripting.Interpreter.LightLambda.Run2[T0,T1,TRet](T0 arg0, T1 arg1)
   at IronPython.Compiler.PythonScriptCode.RunWorker(CodeContext ctx)
   at IronPython.Compiler.PythonScriptCode.Run(Scope scope)
   at IronPython.Compiler.RuntimeScriptCode.InvokeTarget(Scope scope)
   at IronPython.Compiler.RuntimeScriptCode.Run(Scope scope)
   at Microsoft.Scripting.SourceUnit.Execute(Scope scope, ErrorSink errorSink)
   at Microsoft.Scripting.SourceUnit.Execute(Scope scope)
   at Microsoft.Scripting.Hosting.ScriptSource.Execute(ScriptScope scope)
   at Microsoft.Scripting.Hosting.ScriptEngine.Execute(String expression, ScriptScope scope)
   at Microsoft.Scripting.Hosting.ScriptEngine.Execute(String expression, ScriptScope scope)
   at Elipse.Epm.Scripting.ExpressionEvaluator.ImportStandardModules(ScriptScope scope) in D:\proj\epm_5527\Source\EpmCommon\Elipse.Epm.Scripting\ExpressionEvaluator.cs:line 174
   at Elipse.Epm.Scripting.ExpressionEvaluator.AddExpression(Expression expression, Object clientHandle) in D:\proj\epm_5527\Source\EpmCommon\Elipse.Epm.Scripting\ExpressionEvaluator.cs:line 82


On Mon, Mar 5, 2012 at 3:18 PM, Cesar Mello <cmello at gmail.com<mailto:cmello at gmail.com>> wrote:
Hi!

Is there a way to load modules without giving permission to the AppDomain to read .py files from disk?

I need to run user code with limited permissions. They should be able to do some simple calculations. But when I try to import a module like 'decimal', filesystem access permission is required.

Thank you a lot for the attention!

Best regards
Mello


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ironpython-users/attachments/20120307/7c303912/attachment.html>

More information about the Ironpython-users mailing list