Enterprise, Machine and User Runtime Security Policies

I am trying to sort out my understanding of the way that Runtime Security Policies are applied.

If the Enterprise Runtime Security Policy applies Full Trust to the All_Code code group with the default membership condition of All Code, and at the Machine Runtime Security Policy, the Permission Set granted is Nothing, am I correct in understanding that the reason a local exe would run unrestricted is because it meets the evidence for the My_Computer_Zone?

If this is the case, can you help me understand how the policies are applied to code groups? For example, under what conditions would the code groups under the User Runtime Security Policies be evaluated?

Is my understanding correct that policies are "unioned" such that the least restrictive code group permission set is applied, and if so, if the Enterprise Runtime Security Policy was changed to Nothing, then no code would run?

Finally, is the difference between union and intersection in permission sets that union applies least restrictive policy and intersection only policies that are in common for all Runtime Security Policies (such that if I have two permission sets that are intersected and one allows read to drive c: but the other allows write, only read is granted)?

Many thanks.

Rick





  • Raulsassaa

    Hi Rick,

    The first part is correct. For a local assembly on your machine with the default policy, here's what happens:

    Enterprise: Matches "All code" code group = FullTrust
    Machine: Matches "All code" code group (Nothing) and "MyComputer Zone" code group (FullTrust) = unioned to FullTrust
    User: Matches "All code" code group = FullTrust
    Final policy = all three unioned = FullTrust

    You can also see what code groups you are matching by running "caspol.exe -rsg <assembly>".

    In a nutshell, inside of a policy level (i.e. Enterprise, Machine, etc.), the matched code groups are unioned together to give the least restrictive policy. However, between the policy levels, the results are intersected together to give the most restrictive policy. So as an example, you can specify in your machine's policy to give more permissions than the default, but if your company's IT department wants to limit your machine's policy by restricting the Enterprise policy level, you will be subject to those restrictions.

    Your file read/write example is almost correct. If read and write permissions are unioned inside of a given policy level, then you will have both read and write. If read and write are intersected between policy levels, you will have nothing, as they are both separate and distinct. If you instead intersect "unrestricted" and "read" (i.e. FileIOPermission(PermissionState.Unrestricted) and FileIOPermission(FileIOPermissionAccess.Read)), then you would indeed have only read granted.

    I know that is kind of confusing. I hope it helps clear things up a little.

    Brian Stern [MSFT]
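
The resolution rule from the answer above (union inside a policy level, intersection between levels), as an added example that is not part of the original thread and is not .NET code. It is a simplified Python model that ignores code-group attributes such as Exclusive and LevelFinal; `resolve`, `locked_down` and the set representation are names assumed for illustration.

```python
# Simplified model of CAS policy resolution (added example, not .NET code).
# A permission set is a frozenset of (permission, access, path) grants;
# FULL stands for an unrestricted set that contains every grant.
FULL = "FullTrust"
NOTHING = frozenset()

def union(a, b):
    """Least restrictive: combines code groups matched within one level."""
    if a == FULL or b == FULL:
        return FULL
    return a | b

def intersect(a, b):
    """Most restrictive: combines the results of the policy levels."""
    if a == FULL:
        return b
    if b == FULL:
        return a
    return a & b

def resolve(policy, evidence):
    """policy maps level name -> list of (membership_test, permission_set)."""
    final = FULL
    for level in ("Enterprise", "Machine", "User"):
        granted = NOTHING
        for matches, perms in policy[level]:
            if matches(evidence):
                granted = union(granted, perms)
        final = intersect(final, granted)
    return final

def all_code(evidence):
    return True

def my_computer(evidence):
    return evidence["zone"] == "MyComputer"

# Only the code groups named in the answer above are modelled here.
DEFAULT = {
    "Enterprise": [(all_code, FULL)],
    "Machine": [(all_code, NOTHING), (my_computer, FULL)],
    "User": [(all_code, FULL)],
}
LOCAL_EXE = {"zone": "MyComputer"}  # constructed evidence for a local exe
READ_C = frozenset({("FileIO", "Read", "C:\\")})
WRITE_C = frozenset({("FileIO", "Write", "C:\\")})

def locked_down(enterprise_perms):
    """DEFAULT with the Enterprise All_Code grant replaced."""
    return dict(DEFAULT, Enterprise=[(all_code, enterprise_perms)])
```

In this model, `resolve(locked_down(NOTHING), LOCAL_EXE)` is the empty set, which is the "Enterprise changed to Nothing" case from the question, and `resolve(locked_down(READ_C), LOCAL_EXE)` leaves only the read grant.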

