Getting the Current Permissions in a Named Permission Set
There are several named permission sets defined by default in the CLR security policy:
- FullTrust
- SkipVerification
- Execution
- Nothing
- LocalIntranet
- Internet
- Everything
These sets are used to create the default policy, however there's nothing stopping any user from modifying them (adding or removing permissions for instance), or creating their own named permission sets. Sometimes its useful to be able to determine what permissions are in each named permission set from code.
At first glance this seems easy ... since the PolicyLevel class exposes a GetNamedPermissionSet method. However, there are several complications along the way. To start with, we'll need to check each policy level, since nothing is stopping someone from defining another set of permissions with the same name on another level.
OK, to solve that problem, we can just loop over each level, and check to see if there's a named permission set on that level. If there is a named set on multiple levels, we'll need to merge them together. I've chosen to intersect them which leads to another interesting problem. Intersecting permission sets can result in a null return if the intersection is an empty set.
With all that in mind, it becomes pretty easy to write this method:
public static PermissionSet GetNamedPermissionSet(string name)
{
if(String.IsNullOrEmpty(name))
throw new ArgumentException("name", "Cannot search for a permission set without a name");
bool foundName = false;
PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
while(levelEnumerator.MoveNext())
{
PolicyLevel level = levelEnumerator.Current as PolicyLevel;
Debug.Assert(level != null);
PermissionSet levelSet = level.GetNamedPermissionSet(name);
if(levelSet != null)
{
foundName = true;
setIntersection = setIntersection.Intersect(levelSet);
}
}
if(setIntersection == null || !foundName)
setIntersection = new PermissionSet(PermissionState.None);
else
setIntersection = new NamedPermissionSet(name, setIntersection);
return setIntersection;
}
Using this method is equally easy. Calling GetNamedPermissionSet("Internet") will retrieve you the current set of permissions in the Internet permission set on all policy levels.
