How to create sandbox in C# for external process?


Question

How to create a sandbox in C# for an external process? As a sandbox I understand an environment for a process I start from C# that stops that process from interfering with anything else - kernel, system variables, system configuration, memory, registry, disk, hardware, locations other than the starting place, and so on.

I want to place the executable in one place and be sure that this place is the only place that can be changed by this process. Additionally, the executable can be written in C, C++, C#, etc.

Recommended answer

If you only wanted to run managed code, it's relatively easy to create a Sandbox environment using an AppDomain w/ a restricted permission set:

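        using System;
        using System.Security;
        using System.Security.Permissions;
        using System.Security.Policy;

        // Start from an empty grant set: the sandboxed code gets no permissions by default.
        PermissionSet ps = new PermissionSet(PermissionState.None);
        // Execution is the minimum needed for the assembly to run at all.
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        // ps.AddPermission(...); // Add whatever other permissions you want to grant here

        AppDomainSetup setup = new AppDomainSetup();
        // A sandboxed domain must have an application base to resolve assemblies from.
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        Evidence ev = new Evidence();

        AppDomain sandbox = AppDomain.CreateDomain("Sandbox",
            ev,
            setup,
            ps);

        sandbox.ExecuteAssembly("ManagedAssembly.exe");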

But as soon as you open the door to unmanaged/unsafe code all bets are off, and it becomes very difficult to secure 3rd party code. As has been mentioned, you basically have to create a shim between the executing code and the OS to limit what it can do, unless it is sufficient to run it as a restricted user and rely on ACLs/UAC alone to protect you.

NOTE: that code sample is not a working sample, just an idea of what the code would look like. Some finagling w/ Evidence and AppDomainSetup will probably be necessary, and you should certainly research/test the heck out of it considering the security implications. Here's a good article on the topic: http://msdn.microsoft.com/en-us/magazine/cc163701.aspx
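The restricted-permission AppDomain described in the answer, narrowed to the question's requirement that only one directory be writable, as an added example that is not part of the original answer. It assumes .NET Framework 4.x (Code Access Security is not available on .NET Core); the `Probe` class and the paths under the temp directory are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Runs inside the sandbox domain; MarshalByRefObject lets the host call it through a proxy.
public class Probe : MarshalByRefObject
{
    public string TryWrite(string path)
    {
        try { File.WriteAllText(path, "written by sandboxed code"); return "allowed: " + path; }
        catch (SecurityException) { return "denied:  " + path; }
    }
}

public static class SandboxDemo
{
    public static void Main()
    {
        // Constructed sample paths: one writable directory and one file outside it.
        // The OS allows both writes, so any denial comes from the sandbox grant set.
        string writable = Path.Combine(Path.GetTempPath(), "sandbox-data");
        string outside = Path.Combine(Path.GetTempPath(), "outside.txt");
        Directory.CreateDirectory(writable);

        // Start from nothing, then grant only "may run" and file access under 'writable'.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, writable));

        // Assumption for this demo: ApplicationBase is the host's directory so Probe resolves.
        // A real host would point it at the untrusted code's own directory instead.
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };

        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);
        try
        {
            var probe = (Probe)sandbox.CreateInstanceAndUnwrap(
                typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
            Console.WriteLine(probe.TryWrite(Path.Combine(writable, "ok.txt")));
            Console.WriteLine(probe.TryWrite(outside));
        }
        finally { AppDomain.Unload(sandbox); }
    }
}
```

This restricts managed code only; as the answer says, a native executable is not constrained by the grant set and needs OS-level controls such as a restricted user account and ACLs.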
