How to allow DLL create/read/update/delete files O

2019-07-27 14:44发布

问题:

I have a few folders and every folder contains a few .DLL files. The DLL can be executed, and I have to ban CRUD operations by this DLL outside of its own folder.

But the DLL can perform any save operation it needs, as long as its in the same folder where the DLL is situated.

For example:

//this code can be executed succesfully

public static void Create()
{
 string path = Directory.GetCurrentDirectory() + "\\file.txt";
 File.Create(path);
}

//but execution of this code I have to ban

public static void Create()
{
File.Create("../file.txt");
}

回答1:

.NET has built in security features to do exactly what you want to do. What you need to do is apply a security context to the DLL's AppDomain and restrict what it can access.

To do what you want to do the likely setting that would me most interesting to you is FileIOPermission. It will let you restrict the DLL's access to only the folder that the DLL is loaded from. If you have multiple DLL's you will likely need to make multiple AppDomains or allow all of the DLL's to access each other's folders (but not anywhere else on the system).

If the DLL can be modified so it no longer has to write to it's own folder can make it even easier on yourself by requiring they read and write to Isolated Storage, then it does not matter where the DLL was loaded from, in case there happens to be other sensitive files in the same folder as the DLL.


One thing to consider is it is better to give the DLL no permissions at all and only grant it the things you want to do as there could be other things it uses to get arround your restrictions. For example: FileIOPermission won't stop a call if they P\Invoke a call to the FileOpen API's in windows instead of going though .NET's Stream object.



标签: c# dll sandbox