Why is CASPol allowing my .NET application to run?

Curious to know why my 2.0 .net application is being allowed to execute when I have restricted the permissions assigned to the assembly.

I've created a new Code Group at the Enterprise level which will match for any assembly with a particular digital signature. The code group has been set so that only permissions from the associated permission set will be used and also that lower policy levels will not be evaluated.

Running the .Net 2.0 PermCalc states that my application needs the following permissions:

• UnmanagedCode,
• Environment
• FileIO
• Registry
• Reflection

I've assigned to my custom code group the permission for unmanaged code but nothing else.

The first method in my application demands all of the above permissions upfront so I can display a sensible message to the user before exiting.

Running the .NET 2.0 Configuation "Evaluate Assembly" tool on my assembly indeed shows that my application will only be given the UnmanagedCode permission.

However when I execute my application is runs and completes, quite obviously doing various FileIO and Registry operations.

My app is signed with the digital signature that should match the restricted code group.

Can anyone explain why this works.

Note: My ultimate aim is to make sure that my application does not crash horribly if executed from a network share. I would have liked to check the assembly evidence zone is My_Computer but I can no longer do that with .NET 3.5 SP1. See FullTrust On the LocalInt开发者_如何学Pythonranet

Thanks in advance for any help/suggestions.

If you have configured your CAS policy correctly, then chances are that your application isn't being denied the permissions you expect because it is not being run under the CLR whose policy you configured. Do you perhaps have 32-bit and 64-bit CLRs installed on the same machine?

Another possibility might be that your "early check" demand is in the wrong place. Is it directly in your application's Main method? If so, when the demand runs, there won't be any of your application code on the call stack that is verified. If this is the problem, simply moving the demand into another method invoked from Main should allow the demand to fail.

you can still check the assembly evidence zone in .NET 3.5 SP1 - http://msdn.microsoft.com/en-us/library/system.security.policy.zone.aspx.

For what caspol allows your assembly see http://msdn.microsoft.com/en-us/library/tx1dts55.aspx.

This http://blogs.msdn.com/b/brada/archive/2007/10/26/adhoc-poll-allowing-net-exes-to-run-off-a-network-share.aspx could affect what you see...

EDIT:

For checking when running from a network share you can still get Assembly.GetExecutingAssembly().Location and then check whether it a UNC or netowrk drive via DriveType for your location System.IO.DriveInfo[] (i.e. System.IO.DriveType.Network).