.NET DLR 和 SecurityException

发布于 2024-11-01 03:45:28 字数 1769 浏览 1 评论 0原文

DLR 需要哪些强制 PermissionSet 项目才能正常运行？

我们已在沙盒脚本环境中启用了 DLR。但是像下面这样的一些代码......

dynamic foo = someobject
foo.FooBar();

只会导致抛出一个相当模糊且“未完成”的异常，如下所示：

System.Security.SecurityException: Request failed.
   at CallSite.Target(Closure , CallSite , Object )
   at System.Dynamic.UpdateDelegates.UpdateAndExecuteVoid1[T0](CallSite site, T0 arg0)
   at AcmeCorp.AcmeRocket.Workflow.Scripting.Assemblies.WorkflowScriptImplementation.Test()
   at AcmeCorp.AcmeRocket.Workflow.Scripting.Assemblies.WorkflowScriptImplementation.__action_activity_4397110c5d7141a6802a070d3b942b77()
   --- End of inner exception stack trace ---
   at AcmeCorp.AcmeRocket.Workflow.Scripting.WorkflowScriptProxy.Invoke(String method_name)
   at AcmeCorp.AcmeRocket.Workflow.Execution.Executors.ActionActivityExecutor.Execute(WorkflowInstance wi, ActionActivity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.ActivityExecutorBase.Execute(WorkflowInstance wi, Activity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.WorkflowExecutor.ExecuteActivity(WorkflowInstance wi, Activity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.WorkflowExecutor.Execute(WorkflowInstance wi, Nullable`1 branch_index)

通常 SecurityException 包含大量详细信息，精确指定哪些异常权限导致它失败，但在这种情况下我们没有得到它 - 非常烦人。

PS：如果我使用临时授予 PermissionSet(PermissionState.Unrestricted) 的沙箱运行相同的测试，那么问题就会消失。但显然我们确实希望将其锁定为 DLR 所需的非常特定的权限集。

PPS：当前（失败）PermissionSet 创建如下：

var ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
ps.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess));

谢谢。

原文

What are the mandatory PermissionSet items that the DLR requires in order to function correctly?

We've enabled the DLR in our sandboxed scripting environment. But some code like the following...

dynamic foo = someobject
foo.FooBar();

... just results in a rather vague and "unfinished"-looking exception being thrown, as follows:

System.Security.SecurityException: Request failed.
   at CallSite.Target(Closure , CallSite , Object )
   at System.Dynamic.UpdateDelegates.UpdateAndExecuteVoid1[T0](CallSite site, T0 arg0)
   at AcmeCorp.AcmeRocket.Workflow.Scripting.Assemblies.WorkflowScriptImplementation.Test()
   at AcmeCorp.AcmeRocket.Workflow.Scripting.Assemblies.WorkflowScriptImplementation.__action_activity_4397110c5d7141a6802a070d3b942b77()
   --- End of inner exception stack trace ---
   at AcmeCorp.AcmeRocket.Workflow.Scripting.WorkflowScriptProxy.Invoke(String method_name)
   at AcmeCorp.AcmeRocket.Workflow.Execution.Executors.ActionActivityExecutor.Execute(WorkflowInstance wi, ActionActivity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.ActivityExecutorBase.Execute(WorkflowInstance wi, Activity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.WorkflowExecutor.ExecuteActivity(WorkflowInstance wi, Activity activity)
   at AcmeCorp.AcmeRocket.Workflow.Execution.WorkflowExecutor.Execute(WorkflowInstance wi, Nullable`1 branch_index)

Normally SecurityException's include a host of detail specifying precisely which permissions caused it to fail, but in this case we are not getting that - very annoying.

PS: If I run the same test with our sandbox temporarily granted a PermissionSet(PermissionState.Unrestricted) then the problem goes away. But obviously we really want to lock it down to the very specific set of permissions that the DLR requires.

PPS: The current (failing) PermissionSet is created as follows:

var ps = new PermissionSet(PermissionState.None);
ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
ps.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.RestrictedMemberAccess));

Thanks.

分享到QQ

分享到微博