Question
Over the months, I've developed a personal tool that I'm using to compile C# 3.5 Xaml projects online. Basically, I'm compiling with the CodeDom compiler. I'm thinking about making it public, but the problem is that it is -very-very- easy to do anything on the server with this tool.
The reason I want to protect my server is because there's a 'Run' button to test and debug the app (in screenshot mode).
Is it possible to run an app in a sandbox - in other words, limiting memory access, hard drive access and BIOS access - without having to run it in a VM? Or should I just analyze all the code, or 'disable' the Run mode?
Recommended answer
Spin up an AppDomain, load assemblies in it, look for an interface you control, Activate up the implementing type, call your method. Just don't let any instances cross that AppDomain barrier (including exceptions!) that you don't 100% control.
Controlling the security policies for your external-code AppDomain is a bit much for a single answer, but you can check this link on MSDN or just search for "code access security msdn" to get details about how to secure this domain.
Edit: There are exceptions you cannot stop, so it is important to watch for them and record in some manner the assemblies that caused the exception so you will not load them again.
Also, it is always better to inject into this second AppDomain a type that you will then use to do all loading and execution. That way you are ensured that no type (that won't bring down your entire application) will cross any AppDomain boundary. I've found it is useful to define a type that extends MarshalByRefObject that you call methods on, which executes the insecure code in the second AppDomain. It should never return an unsealed type that isn't marked Serializable across the boundary, either as a method parameter or as a return type. As long as you can accomplish this you are 90% of the way there.
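The pattern the answer describes (restricted AppDomain, a MarshalByRefObject loader injected into it, only sealed serializable values crossing back), as an added .NET Framework example that is not part of the original answer. `IUserApp`, `SandboxRunner` and `SandboxHost` are hypothetical names; it assumes the host assembly is strong-named and grants the user code execution permission only, so a XAML app that needs UI permissions would need a wider grant set.

```csharp
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Contract owned by the host (hypothetical name); the uploaded assembly must implement it.
public interface IUserApp { string Run(); }

// Lives inside the sandbox domain. Only this object crosses the boundary, and only by reference.
public sealed class SandboxRunner : MarshalByRefObject
{
    // Returns a string (sealed and serializable) so no untrusted type ever leaks back to the host.
    public string LoadAndRun(string assemblyPath)
    {
        try
        {
            Assembly asm = Assembly.LoadFile(assemblyPath);
            foreach (Type t in asm.GetTypes())
            {
                if (!t.IsAbstract && typeof(IUserApp).IsAssignableFrom(t))
                    return ((IUserApp)Activator.CreateInstance(t)).Run();
            }
            return "error: no IUserApp implementation found";
        }
        // Translate every exception to text here; an untrusted exception object must not cross over.
        catch (Exception ex) { return "error: " + ex.GetType().FullName + ": " + ex.Message; }
    }
}

public static class SandboxHost
{
    // Assumes the host assembly is strong-named; that name is what gets full trust inside the sandbox.
    public static string RunUntrusted(string assemblyPath)
    {
        // Grant set: execution only. No FileIO, registry, UI or network permissions for user code.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var setup = new AppDomainSetup { ApplicationBase = System.IO.Path.GetDirectoryName(assemblyPath) };
        StrongName hostName = typeof(SandboxRunner).Assembly.Evidence.GetHostEvidence<StrongName>();
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant, hostName);
        try
        {
            var runner = (SandboxRunner)Activator.CreateInstanceFrom(sandbox,
                typeof(SandboxRunner).Assembly.ManifestModule.FullyQualifiedName, typeof(SandboxRunner).FullName).Unwrap();
            return runner.LoadAndRun(assemblyPath);
        }
        finally { AppDomain.Unload(sandbox); } // discards everything the untrusted code created
    }
}
```

Any result starting with "error:" is the host's cue to record that assembly and refuse to load it again, as the edit above recommends.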
This concludes the article on running a .NET application in a sandbox. We hope the recommended answer is helpful, and thank you for your support!