ID 0002610
Category [opensim] [REGION] Scripting Engine
Severity feature
Reproducibility always
Date Submitted 2008-11-12 11:12
Last Update 2009-09-18 07:37
Reporter jhurliman
View Status public
Assigned To
Priority normal
Resolution open
Status acknowledged
Product Version
Summary 0002610: Scripts cannot be safely sandboxed until unsafe code is moved out of the shared script libraries
Description Properly sandboxing scripts is not possible until all of the code loaded into script AppDomains is safe. Currently, remoting and other things are happening in OpenSim.Region.ScriptEngine.Shared.Api.Runtime.dll which prevents the script AppDomain from being properly locked down. All code that is not allowed by the "Internet" policy should be moved into the OpenSim.exe AppDomain. (see additional information for the permission set of that policy)
Additional Information An example exception:

System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Assembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(Object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandle rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Object assemblyOrString, SecurityAction action, Boolean throwException)
   at System.Security.CodeAccessSecurityEngine.CheckSetHelper(CompressedStack cs, PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandle rmh, Assembly asm, SecurityAction action)
   at OpenSim.Region.ScriptEngine.Shared.ScriptBase.ScriptBaseClass.InitializeLifetimeService()
   at System.Runtime.Remoting.Lifetime.LeaseLifeTimeServiceProperty.GetObjectSink(MarshalByRefObject obj, IMessageSink nextSink)
   at System.Runtime.Remoting.Contexts.Context.CreateServerObjectChain(MarshalByRefObject serverObj)
   at System.Runtime.Remoting.ServerIdentity.GetServerObjectChain(MarshalByRefObject& obj)
   at System.Runtime.Remoting.RemotingServices.MarshalInternal(MarshalByRefObject Obj, String ObjURI, Type RequestedType, Boolean updateChannelData)
   at System.Runtime.Serialization.ObjectCloneHelper.GetObjectData(Object serObj, String& typeName, String& assemName, String[]& fieldNames, Object[]& fieldValues)

   at System.AppDomain.CreateInstanceFromAndUnwrap(String assemblyName, String typeName)
   at OpenSim.Region.ScriptEngine.DotNetEngine.AppDomainManager.LoadScript(String FileName, AppDomain& ad) in C:\Code\OpenSim\trunk\OpenSim\Region\ScriptEngine\DotNetEngine\AppDomainManager.cs:line 191
   at OpenSim.Region.ScriptEngine.DotNetEngine.ScriptManager._StartScript(UInt32 localID, UUID itemID, String Script, Int32 startParam, Boolean postOnRez) in C:\Code\OpenSim\trunk\OpenSim\Region\ScriptEngine\DotNetEngine\ScriptManager.cs:line 164
The action that failed was:
LinkDemand
The type of the first permission that failed was:
System.Security.Permissions.SecurityPermission
The first permission that failed was:
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Infrastructure"/>

The demand was for:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Infrastructure"/>
</PermissionSet>

The granted set of the failing assembly was:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.FileDialogPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Access="Open"/>
<IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Allowed="ApplicationIsolationByUser"
UserQuota="512000"/>
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="Execution"/>
<IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Window="SafeTopLevelWindows"
Clipboard="OwnClipboard"/>
<IPermission class="System.Security.Permissions.UrlIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Url="file:///C:/Code/OpenSim/trunk/bin/OpenSim.Region.ScriptEngine.Shared.Api.Runtime.DLL"/>
<IPermission class="System.Security.Permissions.ZoneIdentityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Zone="MyComputer"/>
<IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
version="1"
Level="SafePrinting"/>
</PermissionSet>

The assembly or AppDomain that failed was:
OpenSim.Region.ScriptEngine.Shared.Api.Runtime, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
The Zone of the assembly that failed was:
MyComputer
The Url of the assembly that failed was:
file:///C:/Code/OpenSim/trunk/bin/OpenSim.Region.ScriptEngine.Shared.Api.Runtime.DLL
Tags No tags attached.
Git Revision
SVN Revision 7267
Run Mode Standalone (1 Region) , Standalone (Multiple Regions) , Grid (1 Region per Sim) , Grid (Multiple Regions per Sim)
Physics Engine BasicPhysics, PhysicsOfSimplicity, ODE, BulletX, PhysX, Other
Environment Mono / Linux32, Mono / Linux64, Mono / Windows, Mono / OSX, .NET / Windows32, .NET / Windows64
Mono Version None
Attached Files
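
One way to read a dump like the one under Additional Information mechanically, as an added example that is not part of the original report or of OpenSim's code: it parses the "demand" and "granted set" sections of the SecurityException message and lists what was demanded but not granted. The function names are hypothetical and the sample input is abridged from the dump on this page.

```python
import xml.etree.ElementTree as ET

# Sample input: abridged from the dump on this page (assembly-qualified names
# shortened, all but one granted permission omitted).
DUMP = '''The demand was for:
<PermissionSet class="System.Security.PermissionSet" version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib"
version="1"
Flags="Infrastructure"/>
</PermissionSet>

The granted set of the failing assembly was:
<PermissionSet class="System.Security.PermissionSet" version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib"
version="1"
Flags="Execution"/>
</PermissionSet>
'''

DEMAND = "The demand was for:"
GRANTED = "The granted set of the failing assembly was:"

def permission_set(dump, header):
    """Parse the <PermissionSet> after `header` into {permission: {attr: values}}."""
    text = dump.replace('\\"', '"')  # tolerate backslash-escaped quotes
    start = text.index(header) + len(header)
    end = text.index("</PermissionSet>", start) + len("</PermissionSet>")
    perms = {}
    for ip in ET.fromstring(text[start:end].strip()).iter("IPermission"):
        name = ip.get("class").split(",")[0].rsplit(".", 1)[-1]
        perms[name] = {k: {v.strip() for v in val.split(",")}
                       for k, val in ip.attrib.items() if k not in ("class", "version")}
    return perms

def missing(dump):
    """Return (permission, attribute, values) demanded but absent from the grant.
    Meant for flag lists such as SecurityPermission Flags; for other attribute
    types a plain set difference is only an approximation."""
    demand, granted = permission_set(dump, DEMAND), permission_set(dump, GRANTED)
    gaps = []
    for name, attrs in demand.items():
        have = granted.get(name, {})
        if have.get("Unrestricted") == {"true"} or "AllFlags" in have.get("Flags", ()):
            continue  # grant covers every flag of this permission
        for attr, wanted in attrs.items():
            lacking = wanted - have.get(attr, set())
            if lacking:
                gaps.append((name, attr, sorted(lacking)))
    return gaps
```

For the dump in this issue the result is the single gap SecurityPermission Flags=Infrastructure: the failing assembly was granted only Execution.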

- Relationships

-  Notes
(0007088)
melanie (administrator)
2008-11-12 17:20

Without that lifetime stuff, the script expires. So I don't know how to resolve that.
(0007309)
justincc (manager)
2008-11-25 06:02

jhurliman, I know you had some test code for this (when it made it into some of the libomv update patches). Any chance you could attach that as a patch to this mantis in case other people are able to work on this?
(0007329)
jhurliman (manager)
2008-11-25 14:16

I don't have the original patch I made, although part of it should be in OpenSim SVN history. The code is fairly straightforward to write, more information here: http://msdn.microsoft.com/en-us/library/bb763046.aspx

- Issue History
Date Modified Username Field Change
2008-11-12 11:12 jhurliman New Issue
2008-11-12 11:12 jhurliman SVN Revision => 7267
2008-11-12 11:12 jhurliman Run Mode => Standalone (1 Region) , Standalone (Multiple Regions) , Grid (1 Region per Sim) , Grid (Multiple Regions per Sim)
2008-11-12 11:12 jhurliman Physics Engine => BasicPhysics, PhysicsOfSimplicity, ODE, BulletX, PhysX, Other
2008-11-12 11:12 jhurliman Environment => Mono / Linux32, Mono / Linux64, Mono / Windows, Mono / OSX, .NET / Windows32, .NET / Windows64
2008-11-12 17:20 melanie Note Added: 0007088
2008-11-17 13:38 justincc Issue Monitored: justincc
2008-11-25 06:02 justincc Note Added: 0007309
2008-11-25 14:16 jhurliman Note Added: 0007329
2008-11-26 17:45 nlin Issue Monitored: nlin
2009-09-18 07:37 Fly-Man- Status new => acknowledged

