1 files changed, 127 insertions, 8 deletions
diff --git a/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs b/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs
index 5ed9af3..bf523dd 100644
--- a/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs
+++ b/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs
@@ -27,9 +27,14 @@
 using System;
 using System.CodeDom.Compiler;
+using System.Collections;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.IO;
 using System.Reflection;
+using System.Security;
+using System.Security.Permissions;
+using System.Security.Policy;
 using System.Text;
 using log4net;
 using Microsoft.CSharp;
@@ -54,6 +59,9 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
        private readonly MicroScheduler m_microthreads = new MicroScheduler();
+        private IConfig m_config;
        public void RegisterExtension<T>(T instance)
        {
            m_extensions[typeof (T)] = instance;
@@ -63,6 +71,8 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
        {
            if (source.Configs["MRM"] != null)
            {
+                m_config = source.Configs["MRM"];
                if (source.Configs["MRM"].GetBoolean("Enabled", false))
                {
                    m_log.Info("[MRM] Enabling MRM Module");
@@ -112,25 +122,128 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
            return script;
        }
+        /// <summary>
+        /// Create an AppDomain that contains policy restricting code to execute
+        /// with only the permissions granted by a named permission set
+        /// </summary>
+        /// <param name="permissionSetName">name of the permission set to restrict to</param>
+        /// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
+        /// <exception cref="ArgumentNullException">
+        /// if <paramref name="permissionSetName"/> is null
+        /// </exception>
+        /// <exception cref="ArgumentOutOfRangeException">
+        /// if <paramref name="permissionSetName"/> is empty
+        /// </exception>
+        /// <returns>AppDomain with a restricted security policy</returns>
+        /// <remarks>Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
+        /// Valid permissionSetName values are:     
+        /// * FullTrust
+        /// * SkipVerification
+        /// * Execution
+        /// * Nothing
+        /// * LocalIntranet
+        /// * Internet
+        /// * Everything
+        /// </remarks>
+        public static AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName)
+        {
+            if (permissionSetName == null)
+                throw new ArgumentNullException("permissionSetName");
+            if (permissionSetName.Length == 0)
+                throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
+                                                      "Cannot have an empty permission set name");
+            // Default to all code getting nothing
+            PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
+            UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
+            bool foundName = false;
+            PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
+            // iterate over each policy level
+            IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
+            while (levelEnumerator.MoveNext())
+            {
+                PolicyLevel level = levelEnumerator.Current as PolicyLevel;
+                // if this level has defined a named permission set with the
+                // given name, then intersect it with what we've retrieved
+                // from all the previous levels
+                if (level != null)
+                {
+                    PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
+                    if (levelSet != null)
+                    {
+                        foundName = true;
+                        if (setIntersection != null)
+                            setIntersection = setIntersection.Intersect(levelSet);
+                    }
+                }
+            }
+            // Intersect() can return null for an empty set, so convert that
+            // to an empty set object. Also return an empty set if we didn't find
+            // the named permission set we were looking for
+            if (setIntersection == null || !foundName)
+                setIntersection = new PermissionSet(PermissionState.None);
+            else
+                setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);
+            // if no named permission sets were found, return an empty set,
+            // otherwise return the set that was found
+            PolicyStatement permissions = new PolicyStatement(setIntersection);
+            policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
+            // create an AppDomain policy level for the policy tree
+            PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
+            appDomainLevel.RootCodeGroup = policyRoot;
+            // create an AppDomain where this policy will be in effect
+            string domainName = appDomainName;
+            AppDomain restrictedDomain = AppDomain.CreateDomain(domainName);
+            restrictedDomain.SetAppDomainPolicy(appDomainLevel);
+            return restrictedDomain;
+        }
        void EventManager_OnRezScript(uint localID, UUID itemID, string script, int startParam, bool postOnRez, string engine, int stateSource)
        {
            if (script.StartsWith("//MRM:C#"))
            {
-                if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID
+                if (m_config.GetBoolean("OwnerOnly", true))
-                    ||
+                    if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID
-                    m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)
+                        || m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)
-                    return;
+                        return;
                script = ConvertMRMKeywords(script);
                try
                {
-                    m_log.Info("[MRM] Found C# MRM");
+                    AppDomain target;
+                    if (m_config.GetBoolean("Sandboxed", true))
+                    {
+                        m_log.Info("[MRM] Found C# MRM - Starting in AppDomain with " +
+                                   m_config.GetString("SandboxLevel", "Internet") + "-level security.");
+                        string domainName = UUID.Random().ToString();
+                        target = CreateRestrictedDomain(m_config.GetString("SandboxLevel", "Internet"),
+                                                                  domainName);
+                    }
+                    else
+                    {
+                        m_log.Info("[MRM] Found C# MRM - Starting in current AppDomain");
+                        m_log.Warn(
+                            "[MRM] Security Risk: AppDomain is run in current context. Use only in trusted environments.");
+                        target = AppDomain.CurrentDomain;
+                    }
-                    MRMBase mmb = (MRMBase)AppDomain.CurrentDomain.CreateInstanceFromAndUnwrap(
+                    m_log.Info("[MRM] Unwrapping into target AppDomain");
+                    MRMBase mmb = (MRMBase) target.CreateInstanceFromAndUnwrap(
                                                CompileFromDotNetText(script, itemID.ToString()),
                                                "OpenSim.MiniModule");
+                    m_log.Info("[MRM] Initialising MRM Globals");
                    InitializeMRM(mmb, localID, itemID);
                    m_scripts[itemID] = mmb;
@@ -166,8 +279,14 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
        public void GetGlobalEnvironment(uint localID, out IWorld world, out IHost host)
        {
-            world = new World(m_scene);
+            // UUID should be changed to object owner.
-            host = new Host(new SOPObject(m_scene, localID), m_scene, new ExtensionHandler(m_extensions), m_microthreads);
+            UUID owner = m_scene.RegionInfo.MasterAvatarAssignedUUID;
+            SEUser securityUser = new SEUser(owner, "Name Unassigned");
+            SecurityCredential creds = new SecurityCredential(securityUser, m_scene);
+            world = new World(m_scene, creds);
+            host = new Host(new SOPObject(m_scene, localID, creds), m_scene, new ExtensionHandler(m_extensions),
+                            m_microthreads);
        }
        public void InitializeMRM(MRMBase mmb, uint localID, UUID itemID)

diff --git a/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs b/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs index 5ed9af3..bf523dd 100644 --- a/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs +++ b/OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs
@@ -27,9 +27,14 @@
27		27
28	using System;	28	using System;
29	using System.CodeDom.Compiler;	29	using System.CodeDom.Compiler;
		30	using System.Collections;
30	using System.Collections.Generic;	31	using System.Collections.Generic;
		32	using System.Diagnostics;
31	using System.IO;	33	using System.IO;
32	using System.Reflection;	34	using System.Reflection;
		35	using System.Security;
		36	using System.Security.Permissions;
		37	using System.Security.Policy;
33	using System.Text;	38	using System.Text;
34	using log4net;	39	using log4net;
35	using Microsoft.CSharp;	40	using Microsoft.CSharp;
@@ -54,6 +59,9 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
54		59
55	private readonly MicroScheduler m_microthreads = new MicroScheduler();	60	private readonly MicroScheduler m_microthreads = new MicroScheduler();
56		61
		62
		63	private IConfig m_config;
		64
57	public void RegisterExtension<T>(T instance)	65	public void RegisterExtension<T>(T instance)
58	{	66	{
59	m_extensions[typeof (T)] = instance;	67	m_extensions[typeof (T)] = instance;
@@ -63,6 +71,8 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
63	{	71	{
64	if (source.Configs["MRM"] != null)	72	if (source.Configs["MRM"] != null)
65	{	73	{
		74	m_config = source.Configs["MRM"];
		75
66	if (source.Configs["MRM"].GetBoolean("Enabled", false))	76	if (source.Configs["MRM"].GetBoolean("Enabled", false))
67	{	77	{
68	m_log.Info("[MRM] Enabling MRM Module");	78	m_log.Info("[MRM] Enabling MRM Module");
@@ -112,25 +122,128 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
112	return script;	122	return script;
113	}	123	}
114		124
		125	/// <summary>
		126	/// Create an AppDomain that contains policy restricting code to execute
		127	/// with only the permissions granted by a named permission set
		128	/// </summary>
		129	/// <param name="permissionSetName">name of the permission set to restrict to</param>
		130	/// <param name="appDomainName">'friendly' name of the appdomain to be created</param>
		131	/// <exception cref="ArgumentNullException">
		132	/// if <paramref name="permissionSetName"/> is null
		133	/// </exception>
		134	/// <exception cref="ArgumentOutOfRangeException">
		135	/// if <paramref name="permissionSetName"/> is empty
		136	/// </exception>
		137	/// <returns>AppDomain with a restricted security policy</returns>
		138	/// <remarks>Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
		139	/// Valid permissionSetName values are:
		140	/// * FullTrust
		141	/// * SkipVerification
		142	/// * Execution
		143	/// * Nothing
		144	/// * LocalIntranet
		145	/// * Internet
		146	/// * Everything
		147	/// </remarks>
		148	public static AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName)
		149	{
		150	if (permissionSetName == null)
		151	throw new ArgumentNullException("permissionSetName");
		152	if (permissionSetName.Length == 0)
		153	throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
		154	"Cannot have an empty permission set name");
		155
		156	// Default to all code getting nothing
		157	PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
		158	UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);
		159
		160	bool foundName = false;
		161	PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
		162
		163	// iterate over each policy level
		164	IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
		165	while (levelEnumerator.MoveNext())
		166	{
		167	PolicyLevel level = levelEnumerator.Current as PolicyLevel;
		168
		169	// if this level has defined a named permission set with the
		170	// given name, then intersect it with what we've retrieved
		171	// from all the previous levels
		172	if (level != null)
		173	{
		174	PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
		175	if (levelSet != null)
		176	{
		177	foundName = true;
		178	if (setIntersection != null)
		179	setIntersection = setIntersection.Intersect(levelSet);
		180	}
		181	}
		182	}
		183
		184	// Intersect() can return null for an empty set, so convert that
		185	// to an empty set object. Also return an empty set if we didn't find
		186	// the named permission set we were looking for
		187	if (setIntersection == null \|\| !foundName)
		188	setIntersection = new PermissionSet(PermissionState.None);
		189	else
		190	setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);
		191
		192	// if no named permission sets were found, return an empty set,
		193	// otherwise return the set that was found
		194	PolicyStatement permissions = new PolicyStatement(setIntersection);
		195	policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));
		196
		197	// create an AppDomain policy level for the policy tree
		198	PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
		199	appDomainLevel.RootCodeGroup = policyRoot;
		200
		201	// create an AppDomain where this policy will be in effect
		202	string domainName = appDomainName;
		203	AppDomain restrictedDomain = AppDomain.CreateDomain(domainName);
		204	restrictedDomain.SetAppDomainPolicy(appDomainLevel);
		205
		206	return restrictedDomain;
		207	}
		208
		209
115	void EventManager_OnRezScript(uint localID, UUID itemID, string script, int startParam, bool postOnRez, string engine, int stateSource)	210	void EventManager_OnRezScript(uint localID, UUID itemID, string script, int startParam, bool postOnRez, string engine, int stateSource)
116	{	211	{
117	if (script.StartsWith("//MRM:C#"))	212	if (script.StartsWith("//MRM:C#"))
118	{	213	{
119	if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID	214	if (m_config.GetBoolean("OwnerOnly", true))
120	\|\|	215	if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID
121	m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)	216	\|\| m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)
122	return;	217	return;
123		218
124	script = ConvertMRMKeywords(script);	219	script = ConvertMRMKeywords(script);
125		220
126	try	221	try
127	{	222	{
128	m_log.Info("[MRM] Found C# MRM");	223	AppDomain target;
		224	if (m_config.GetBoolean("Sandboxed", true))
		225	{
		226	m_log.Info("[MRM] Found C# MRM - Starting in AppDomain with " +
		227	m_config.GetString("SandboxLevel", "Internet") + "-level security.");
		228
		229	string domainName = UUID.Random().ToString();
		230	target = CreateRestrictedDomain(m_config.GetString("SandboxLevel", "Internet"),
		231	domainName);
		232	}
		233	else
		234	{
		235	m_log.Info("[MRM] Found C# MRM - Starting in current AppDomain");
		236	m_log.Warn(
		237	"[MRM] Security Risk: AppDomain is run in current context. Use only in trusted environments.");
		238	target = AppDomain.CurrentDomain;
		239	}
129		240
130	MRMBase mmb = (MRMBase)AppDomain.CurrentDomain.CreateInstanceFromAndUnwrap(	241	m_log.Info("[MRM] Unwrapping into target AppDomain");
		242	MRMBase mmb = (MRMBase) target.CreateInstanceFromAndUnwrap(
131	CompileFromDotNetText(script, itemID.ToString()),	243	CompileFromDotNetText(script, itemID.ToString()),
132	"OpenSim.MiniModule");	244	"OpenSim.MiniModule");
133		245
		246	m_log.Info("[MRM] Initialising MRM Globals");
134	InitializeMRM(mmb, localID, itemID);	247	InitializeMRM(mmb, localID, itemID);
135		248
136	m_scripts[itemID] = mmb;	249	m_scripts[itemID] = mmb;
@@ -166,8 +279,14 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
166		279
167	public void GetGlobalEnvironment(uint localID, out IWorld world, out IHost host)	280	public void GetGlobalEnvironment(uint localID, out IWorld world, out IHost host)
168	{	281	{
169	world = new World(m_scene);	282	// UUID should be changed to object owner.
170	host = new Host(new SOPObject(m_scene, localID), m_scene, new ExtensionHandler(m_extensions), m_microthreads);	283	UUID owner = m_scene.RegionInfo.MasterAvatarAssignedUUID;
		284	SEUser securityUser = new SEUser(owner, "Name Unassigned");
		285	SecurityCredential creds = new SecurityCredential(securityUser, m_scene);
		286
		287	world = new World(m_scene, creds);
		288	host = new Host(new SOPObject(m_scene, localID, creds), m_scene, new ExtensionHandler(m_extensions),
		289	m_microthreads);
171	}	290	}
172		291
173	public void InitializeMRM(MRMBase mmb, uint localID, UUID itemID)	292	public void InitializeMRM(MRMBase mmb, uint localID, UUID itemID)