[Mono-list] Limiting access in embedded mono
robertj at gmx.net
Fri Mar 20 06:53:37 EDT 2009
> We're planning on using mono embedded in our application, however, since
> arbitrary users might write code for it we'd need to limit access to certain
> things, like FS IO, memory allocation and perhaps even network IO.
> Does mono have provision for limiting such stuff? Is it simply a matter of
> limiting which class libraries are available for the mono run-time?
You're looking for CAS, but this is unfortunately neither fully
implemented nor tested. It's a really great area for contributions :)
Mono projects that need this kind of protection are usually verifying
and parsing the assembly upon invocation. The parsing can be performed
with a library like Mono.Cecil: You could define a whitelist of
allowed types and reject the assembly if unsuitable.
For more security, you may want to disable some features (p/invoke,
Reflection/Reflection.Emit) in mono itself. See the
"--enable-minimal=LIST" option of the configure script.
This is only feasible if the host doesn't need this features
> Also, is there a way in mono to load an assembly (for execution) from memory
> (f.i. have the assembly stored in a database) ?
Yes. See the (MSDN) docs of the Assembly class.
More information about the Mono-list