
I'm launching some code in a separate AppDomain and the code needs to be able to query a SQLite database. If I set the PermissionState to Unrestricted for the AppDomain, then everything works. However, I would like to give the AppDomain the minimum necessary permissions to accomplish its task.

After a lot of research along with trial and error, I determined that the following Security Permissions are necessary: Execution, UnmanagedCode, and SkipVerification. The following FileIOPermissions are needed on the directory that contains the assemblies that are being run in the AppDomain: PathDiscovery and Read. The following FileIOPermissions are needed on the directory that contains the SQLite db3 file: PathDiscovery, Read, and Write.

Those permissions, however, are giving me the following unhelpful exception when I attempt to open the SQLite DB:

System.Security.SecurityException was unhandled by user code
  HResult=-2146233078
  Message=Request failed.
  Source=System.Data.SQLite
  StackTrace:
       at System.Data.SQLite.SQLiteConnectionHandle.op_Implicit(IntPtr db)
       at System.Data.SQLite.SQLite3.Open(String strFilename, SQLiteOpenFlagsEnum flags, Int32 maxPoolSize, Boolean usePool)
       at System.Data.SQLite.SQLiteConnection.Open()
       ...

Here's the code that generates the AppDomain:

using System;
using System.IO;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// ADENIUM_SERVER_ASSEMBLIES_FOLDER is a string constant defined elsewhere in the project.
// ServerCacheSandboxer must derive from MarshalByRefObject so the host can call it across the domain boundary.
public static ServerCacheSandboxer GetDomainInstance(string cachePath)
{
    string assembliesPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, ADENIUM_SERVER_ASSEMBLIES_FOLDER);
    AppDomainSetup appDomainSetup = new AppDomainSetup();
    appDomainSetup.ApplicationBase = assembliesPath;
    appDomainSetup.ConfigurationFile = AppDomain.CurrentDomain.SetupInformation.ConfigurationFile;

    // Start from an empty grant set and add only what the sandboxed code has been found to need.
    PermissionSet permissionSet = new PermissionSet(PermissionState.None);
    permissionSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution | SecurityPermissionFlag.UnmanagedCode | SecurityPermissionFlag.SkipVerification));
    // Assemblies loaded into the domain: locate and read only.
    permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, assembliesPath));
    // Directory holding the SQLite .db3 file: read and write.
    permissionSet.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, cachePath));

    // The host assembly is listed as fully trusted inside the sandbox (requires a strong name).
    StrongName fullTrustAssembly = typeof(ServerCacheSandboxer).Assembly.Evidence.GetHostEvidence<StrongName>();
    AppDomain appDomain = AppDomain.CreateDomain("ServerCacheSandbox", null, appDomainSetup, permissionSet, fullTrustAssembly);
    ObjectHandle objectHandle = Activator.CreateInstanceFrom(appDomain, typeof(ServerCacheSandboxer).Assembly.ManifestModule.FullyQualifiedName, typeof(ServerCacheSandboxer).FullName);
    ServerCacheSandboxer domainInstance = objectHandle.Unwrap() as ServerCacheSandboxer;

    return domainInstance;
}
El Goodo
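The "Request failed" message hides which demand was refused, but the SecurityException that crosses back into the host carries that information in its Demanded, FirstPermissionThatFailed, Method and GrantedSet members. The following is an added example, not code from the question or from System.Data.SQLite: it builds a domain with the same grant set as the question, runs a probe inside it, and reports the failing demand from the full-trust host (reading those members demands ControlEvidence and ControlPolicy, so it cannot be done inside the sandbox). SandboxProbe, ProbeDatabase and RunProbe are hypothetical names, and the probe body stands in for the real SQLiteConnection.Open() call. One caveat worth keeping in mind when tuning this grant set: UnmanagedCode and SkipVerification let code in the domain call native APIs and run unverifiable IL, and native file access is not subject to FileIOPermission demands, so with those two flags the FileIOPermission entries constrain only code that goes through the managed file APIs.

```csharp
using System;
using System.IO;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Runs inside the restricted domain. MarshalByRefObject lets the host call it across the boundary.
public class SandboxProbe : MarshalByRefObject
{
    // Hypothetical stand-in for the real work; replace the body with SQLiteConnection.Open()
    // to probe the exact demand that SQLite triggers.
    public string ProbeDatabase(string dbPath)
    {
        // File.Open demands FileIOPermission(Read) on dbPath; if the grant set lacks it,
        // the SecurityException escapes to the host with the failing permission attached.
        using (FileStream fs = File.Open(dbPath, FileMode.Open, FileAccess.Read))
        {
            return "opened " + dbPath + " (" + fs.Length + " bytes)";
        }
    }
}

public static class SandboxDiagnostics
{
    // Must run in the full-trust host: SecurityException's sensitive members demand
    // ControlEvidence and ControlPolicy when read.
    public static string RunProbe(string assembliesPath, string cachePath, string dbPath)
    {
        AppDomainSetup setup = new AppDomainSetup { ApplicationBase = assembliesPath };

        // Same grant set as in the question.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution |
            SecurityPermissionFlag.UnmanagedCode |
            SecurityPermissionFlag.SkipVerification));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read, assembliesPath));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.PathDiscovery | FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, cachePath));

        // GetHostEvidence<StrongName>() returns null when the host assembly is not signed;
        // pass an empty list in that case rather than a null entry.
        StrongName hostName = typeof(SandboxProbe).Assembly.Evidence.GetHostEvidence<StrongName>();
        StrongName[] fullTrust = hostName == null ? new StrongName[0] : new[] { hostName };

        AppDomain sandbox = AppDomain.CreateDomain("ProbeSandbox", null, setup, grant, fullTrust);
        try
        {
            ObjectHandle handle = Activator.CreateInstanceFrom(
                sandbox,
                typeof(SandboxProbe).Assembly.ManifestModule.FullyQualifiedName,
                typeof(SandboxProbe).FullName);
            SandboxProbe probe = (SandboxProbe)handle.Unwrap();
            return probe.ProbeDatabase(dbPath);
        }
        catch (SecurityException ex)
        {
            // These members identify the refused demand, which "Request failed" alone does not.
            string method = ex.Method == null
                ? "(unknown)"
                : ex.Method.DeclaringType + "." + ex.Method.Name;
            return string.Format(
                "Failed demand: {0}\nFirst permission that failed: {1}\nIn method: {2}\nGranted set: {3}",
                ex.Demanded, ex.FirstPermissionThatFailed, method, ex.GrantedSet);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Call RunProbe from the host with the assemblies directory, the cache directory and a path to a .db3 file in it; a successful run returns the "opened ..." line, while a refused demand returns the permission XML that was demanded and the granted set, so the missing entry can be added to the grant set deliberately instead of by trial and error.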

0 Answers