.NET Core 限制插件权限
.NET Core limit plugin permissions
在 .NET Framework 中,我能够将插件 (dll) 加载到它们自己的 AppDomains 中,限制 App Domin 拥有的权限(例如,只能从给定目录读取),并安全地执行这些插件。随着 .NET Core 中对 AppDomain 支持的移除,现在有什么方法可以实现这样的功能吗?
让我们参考官方消息。这是引用自 Porting to .NET Core 文章的 "Sandboxing" 部分:
Why was it discontinued? Sandboxing, i.e. relying on the runtime or
the framework to constrain which resources a managed application can
access, is considered a non-goal for .NET Core. Sandboxing
applications and components is also really hard to get right, which is
why generally recommend customers not to rely on it. It also makes the
implementation more complicated and often negatively affects
performance of applications that don’t use sandboxing. Hence, we do
not offer sandboxing features in .NET Core.
What should I use instead? Use operating system provided security
boundaries, such as user accounts for running processes with the least
set of privileges.
因此,正确隔离不受信任的插件的正确方法是将其加载到在受限用户帐户下启动的单独进程中。当然,这会使事情变得复杂,尤其是在主机和插件之间共享状态和通信方面。但是 .Net Core 目前没有提供任何其他方法。
在 .NET Framework 中,我能够将插件 (dll) 加载到它们自己的 AppDomains 中,限制 App Domin 拥有的权限(例如,只能从给定目录读取),并安全地执行这些插件。随着 .NET Core 中对 AppDomain 支持的移除,现在有什么方法可以实现这样的功能吗?
让我们参考官方消息。这是引用自 Porting to .NET Core 文章的 "Sandboxing" 部分:
Why was it discontinued? Sandboxing, i.e. relying on the runtime or the framework to constrain which resources a managed application can access, is considered a non-goal for .NET Core. Sandboxing applications and components is also really hard to get right, which is why generally recommend customers not to rely on it. It also makes the implementation more complicated and often negatively affects performance of applications that don’t use sandboxing. Hence, we do not offer sandboxing features in .NET Core.
What should I use instead? Use operating system provided security boundaries, such as user accounts for running processes with the least set of privileges.
因此,正确隔离不受信任的插件的正确方法是将其加载到在受限用户帐户下启动的单独进程中。当然,这会使事情变得复杂,尤其是在主机和插件之间共享状态和通信方面。但是 .Net Core 目前没有提供任何其他方法。