static AppDomain NewDomain () {
			PolicyStatement statement = new PolicyStatement(new PermissionSet(PermissionState.None),PolicyStatementAttribute.Nothing);
			PermissionSet ps = new PermissionSet(PermissionState.None);
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Assertion));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlAppDomain));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlDomainPolicy));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlEvidence));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlPolicy));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlPrincipal));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.ControlThread));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Infrastructure));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.RemotingConfiguration));
			ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.SerializationFormatter));
			ps.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
			ps.AddPermission(new EnvironmentPermission(PermissionState.Unrestricted));
			ps.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
			ps.AddPermission(new RegistryPermission(PermissionState.Unrestricted));
			ps.AddPermission(new IsolatedStorageFilePermission(PermissionState.Unrestricted));
			ps.AddPermission(new EventLogPermission(PermissionState.Unrestricted));
			ps.AddPermission(new PerformanceCounterPermission(PermissionState.Unrestricted));
			ps.AddPermission(new DnsPermission(PermissionState.Unrestricted));
			ps.AddPermission(new UIPermission(PermissionState.Unrestricted));
   			PolicyStatement statement1 = new PolicyStatement(ps,PolicyStatementAttribute.Exclusive);
			CodeGroup group;
			group = new UnionCodeGroup(new AllMembershipCondition(),statement);
			group.AddChild(new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.MyComputer),statement1));
			PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
			level.RootCodeGroup = group;

			AppDomain domain = AppDomain.CreateDomain ("test");
			domain.SetAppDomainPolicy(level);
			return domain;
		}

        private static AppDomain CreateRestrictedDomain(string domainName)
        {
            // Default to all code getting nothing
            PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
            UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);

            // Grant all code the named permission set for the test
            PermissionSet partialTrustPermissionSet = new PermissionSet(PermissionState.None);
            partialTrustPermissionSet.AddPermission(new ReflectionPermission(ReflectionPermissionFlag.AllFlags));
            partialTrustPermissionSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution | SecurityPermissionFlag.ControlEvidence | SecurityPermissionFlag.ControlPolicy));

            PolicyStatement permissions = new PolicyStatement(partialTrustPermissionSet);
            policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));

            // Create an AppDomain policy level for the policy tree
            PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
            appDomainLevel.RootCodeGroup = policyRoot;

            // Set the Application Base correctly in order to find the test assembly
            AppDomainSetup ads = new AppDomainSetup();
            ads.ApplicationBase = Environment.CurrentDirectory;

            AppDomain restrictedDomain = AppDomain.CreateDomain(domainName, null, ads);
            restrictedDomain.SetAppDomainPolicy(appDomainLevel);

            return restrictedDomain;
        }

        public static Task<GetManifestCompletedEventArgs> DownloadManifestAsync(this InPlaceHostingManager manager) {
            var tcs = new TaskCompletionSource<GetManifestCompletedEventArgs>();

            manager.GetManifestCompleted += (sender, e) => {
                if(e.Error != null) {
                    tcs.SetException(e.Error);
                    return;
                }

                var trust = new ApplicationTrust();
                var permissions = new PermissionSet(PermissionState.Unrestricted);
                var statement = new PolicyStatement(permissions);

                trust.DefaultGrantSet = statement;
                trust.ApplicationIdentity = e.ApplicationIdentity;
                trust.IsApplicationTrustedToRun = true;

                ApplicationSecurityManager.UserApplicationTrusts.Add(trust);

                tcs.SetResult(e);
            };

            manager.GetManifestAsync();

            return tcs.Task;
        }

        public override void Install(System.Collections.IDictionary stateSaver)
        {
            PolicyLevel ent;
            PolicyLevel mach;
            PolicyLevel user;
            string sAssemblyPath = this.Context.Parameters["custassembly"];
            //string sAssemblyPath = this.Context.Parameters["XWord.dll"];
            System.Collections.IEnumerator policies = SecurityManager.PolicyHierarchy();
            policies.MoveNext();
            ent = (PolicyLevel)policies.Current;
            policies.MoveNext();
            mach = (PolicyLevel)policies.Current;
            policies.MoveNext();
            user = (PolicyLevel)policies.Current;

            PermissionSet fullTrust = user.GetNamedPermissionSet("FullTrust");
            PolicyStatement statement = new PolicyStatement(fullTrust, PolicyStatementAttribute.Nothing);
            UrlMembershipCondition condition = new UrlMembershipCondition(sAssemblyPath);
            CodeGroup group = new UnionCodeGroup(condition, statement);
            group.Name = "TestWordAddInCS";
            user.RootCodeGroup.AddChild(group);
            SecurityManager.SavePolicy();

            base.Install(stateSaver);
        }

		public void Constructor_PermissionSetPolicyStatementAttribute_Null ()
		{
			PolicyStatement ps = new PolicyStatement (null, PolicyStatementAttribute.All);
			Assert.AreEqual (PolicyStatementAttribute.All, ps.Attributes, "Attributes");
			Assert.AreEqual ("Exclusive LevelFinal", ps.AttributeString, "AttributeString");
			Assert.AreEqual (Empty.ToString (), ps.PermissionSet.ToString (), "PermissionSet");
			Assert.AreEqual (ps.ToXml ().ToString (), ps.Copy ().ToXml ().ToString (), "Copy");
		}

		public void Constructor_PermissionSet_Null ()
		{
			PolicyStatement ps = new PolicyStatement (null);
			Assert.AreEqual (PolicyStatementAttribute.Nothing, ps.Attributes, "Attributes");
			Assert.AreEqual (String.Empty, ps.AttributeString, "AttributeString");
			Assert.AreEqual (Empty.ToString (), ps.PermissionSet.ToString (), "PermissionSet");
			Assert.AreEqual (ps.ToXml ().ToString (), ps.Copy ().ToXml ().ToString (), "Copy");
		}

 public PolicyStatement Copy()
 {
     PolicyStatement statement = new PolicyStatement(this.m_permSet, this.Attributes, true);
     if (this.HasDependentEvidence)
     {
         statement.m_dependentEvidence = new List<IDelayEvaluatedEvidence>(this.m_dependentEvidence);
     }
     return statement;
 }

		public void Constructor_PermissionSet_Unrestricted ()
		{
			PermissionSet pset = new PermissionSet (PermissionState.Unrestricted);
			PolicyStatement ps = new PolicyStatement (pset);
			Assert.AreEqual (PolicyStatementAttribute.Nothing, ps.Attributes, "Attributes");
			Assert.AreEqual (String.Empty, ps.AttributeString, "AttributeString");
			Assert.AreEqual (Unrestricted.ToString (), ps.PermissionSet.ToString (), "PermissionSet");
			Assert.AreEqual (ps.ToXml ().ToString (), ps.Copy ().ToXml ().ToString (), "Copy");
		}

//		PolicyLevel m_level;

		protected CodeGroup (IMembershipCondition membershipCondition, PolicyStatement policy)
		{
			if (null == membershipCondition)
				throw new ArgumentNullException ("membershipCondition");

			if (policy != null)
				m_policy = policy.Copy ();
			m_membershipCondition = membershipCondition.Copy ();
		}

        /// <include file='doc\FirstMatchCodeGroup.uex' path='docs/doc[@for="FirstMatchCodeGroup.Resolve"]/*' />
        public override PolicyStatement Resolve( Evidence evidence )
        {
            if (evidence == null)
                throw new ArgumentNullException("evidence");
                
            if (this.MembershipCondition.Check( evidence ))
            {
                PolicyStatement childPolicy = null;

                IEnumerator enumerator = this.Children.GetEnumerator();
                
                while (enumerator.MoveNext())
                {
                    childPolicy = ((CodeGroup)enumerator.Current).Resolve( evidence );
                    
                    // If the child has a policy, we are done.
                    
                    if (childPolicy != null)
                        break;
                }
                
                PolicyStatement thisPolicy = this.PolicyStatement;

                if (thisPolicy == null)
                {
                    return childPolicy;
                }
                else if (childPolicy != null)
                {
                    // Combine the child and this policy and return it.
                
                    PolicyStatement combined = new PolicyStatement();

                    combined.SetPermissionSetNoCopy( thisPolicy.GetPermissionSetNoCopy().Union( childPolicy.GetPermissionSetNoCopy() ) );
                    
                    // if both this group and matching child group are exclusive we need to throw an exception
                    
                    if (((thisPolicy.Attributes & childPolicy.Attributes) & PolicyStatementAttribute.Exclusive) == PolicyStatementAttribute.Exclusive)
                        throw new PolicyException( Environment.GetResourceString( "Policy_MultipleExclusive" ) );
                        
                    combined.Attributes = thisPolicy.Attributes | childPolicy.Attributes;
                    
                    return combined;
                }
                else
                {  
                    // Otherwise we just copy the this policy.
                
                    return this.PolicyStatement;
                }
            }
            else
            {
                return null;
            }        
        }

	// Constructors.
	public CodeGroup(IMembershipCondition membershipCondition,
					 PolicyStatement policy)
			{
				if(membershipCondition == null)
				{
					throw new ArgumentNullException("membershipCondition");
				}
				this.membershipCondition = membershipCondition;
				this.policy = policy;
				this.children = new ArrayList();
			}

        public override void Install(System.Collections.IDictionary stateSaver)
        {
            try
            {
                PolicyLevel enterprise;
                PolicyLevel machine;
                PolicyLevel user;

                string assemblyLocation = this.Context.Parameters["assemblyLocation"];
                string groupName = this.Context.Parameters["groupName"];

                IEnumerator enumerator = SecurityManager.PolicyHierarchy();
                // 1st one is enterprise
                enumerator.MoveNext();
                enterprise = (PolicyLevel)enumerator.Current;
                // 2nd one is machine
                enumerator.MoveNext();
                machine = (PolicyLevel)enumerator.Current;
                // 3rd one is user
                enumerator.MoveNext();
                user = (PolicyLevel)enumerator.Current;

                PermissionSet permissionSet = user.GetNamedPermissionSet("FullTrust");
                PolicyStatement statement = new PolicyStatement(permissionSet, PolicyStatementAttribute.Nothing);
                UrlMembershipCondition condition = new UrlMembershipCondition(assemblyLocation);
                CodeGroup codeGroup = new UnionCodeGroup(condition, statement);
                codeGroup.Name = groupName;

                // see if the code group already exists, and if so, remove it
                CodeGroup existingCodeGroup = null;
                foreach (CodeGroup group in user.RootCodeGroup.Children)
                {
                    if (group.Name == codeGroup.Name)
                    {
                        existingCodeGroup = group;
                        break;
                    }
                }
                if (existingCodeGroup != null) user.RootCodeGroup.RemoveChild(existingCodeGroup);
                SecurityManager.SavePolicy();

                // add the code group
                user.RootCodeGroup.AddChild(codeGroup);
                SecurityManager.SavePolicy();
            }
            catch (Exception ex)
            {
                throw new InstallException("Cannot set the security policy.", ex);
            }

            // Call the base implementation.
            base.Install(stateSaver);
        }

 public static void PolicyStatementCallMethods()
 {
     PolicyStatement ps = new PolicyStatement(new PermissionSet(new PermissionState()));
     PolicyStatement ps2 = ps.Copy();
     bool equals = ps.Equals(ps2);
     int hash = ps.GetHashCode();
     SecurityElement se = new SecurityElement("");
     PolicyLevel pl = (PolicyLevel)Activator.CreateInstance(typeof(PolicyLevel), true);
     ps.FromXml(se);
     ps.FromXml(se, pl);
     se = ps.ToXml();
     se = ps.ToXml(pl);
 }

		ApplicationTrust (PermissionSet defaultGrantSet, IEnumerable<StrongName> fullTrustAssemblies)
		{
			if (defaultGrantSet == null)
				throw new ArgumentNullException ("defaultGrantSet");

			_defaultPolicy = new PolicyStatement (defaultGrantSet);

			if (fullTrustAssemblies == null)
				throw new ArgumentNullException ("fullTrustAssemblies");

			this.fullTrustAssemblies = new List<StrongName> ();
			foreach (var a in fullTrustAssemblies) {
				if (a == null)
					throw new ArgumentException ("fullTrustAssemblies contains an assembly that does not have a StrongName");

				this.fullTrustAssemblies.Add ((StrongName) a.Copy ());
			}
		}

        private PolicyStatement CalculateAssemblyPolicy( Evidence evidence )
        {
            IEnumerator evidenceEnumerator = evidence.GetHostEnumerator();

            PolicyStatement thisPolicy = null;

            Site site = null;

            while (evidenceEnumerator.MoveNext())
            {
                Url url = evidenceEnumerator.Current as Url;

                if (url != null)
                {
                    thisPolicy = CalculatePolicy( url.GetURLString().Host, url.GetURLString().Scheme, url.GetURLString().Port );
                }
                else
                {
                    if (site == null)
                        site = evidenceEnumerator.Current as Site;
                }
            }

            if (thisPolicy == null && site != null)
                thisPolicy = CalculatePolicy( site.Name, null, null );

            if (thisPolicy == null)
                thisPolicy = new PolicyStatement( new PermissionSet( false ), PolicyStatementAttribute.Nothing );

            return thisPolicy;
        }

        internal PolicyStatement CalculatePolicy( String host, String scheme, String port )
        {
            SecurityElement webPerm = CreateWebPermission( host, scheme, port );

            SecurityElement root = new SecurityElement( "PolicyStatement" );
            SecurityElement permSet = new SecurityElement( "PermissionSet" );
            permSet.AddAttribute( "class", "System.Security.PermissionSet" );
            permSet.AddAttribute( "version", "1" );

            if (webPerm != null)
                permSet.AddChild( webPerm );

            root.AddChild( permSet );

            PolicyStatement policy = new PolicyStatement();
            policy.FromXml( root );
            return policy;
        }

 internal static string GetDataFormBaseDir()
 {
     string str = config.Configs["DataForm"].GetString("BaseDir", string.Empty);
     if (str.StartsWith("http://") || str.StartsWith("ftp://"))
     {
         IEnumerator enumerator = SecurityManager.PolicyHierarchy();
         enumerator.MoveNext();
         for (PolicyLevel level = enumerator.Current as PolicyLevel; level != null; level = enumerator.Current as PolicyLevel)
         {
             if (level.Label == "Machine")
             {
                 foreach (NamedPermissionSet set in level.NamedPermissionSets)
                 {
                     if (set.Name == "FullTrust")
                     {
                         UrlMembershipCondition membershipCondition = new UrlMembershipCondition(str + "*");
                         PolicyStatement policy = new PolicyStatement(set);
                         UnionCodeGroup group = new UnionCodeGroup(membershipCondition, policy);
                         level.RootCodeGroup.AddChild(group);
                     }
                 }
                 return str;
             }
             enumerator.MoveNext();
         }
         return str;
     }
     return string.Concat(new object[] { "file://", AppDomain.CurrentDomain.BaseDirectory, Path.DirectorySeparatorChar, str });
 }

 public FirstMatchCodeGroup (IMembershipCondition membershipCondition, PolicyStatement policy) {
   return default(FirstMatchCodeGroup);
 }

        private void SetSandBoxPolicy()
        {
            if (!this.SandBox)
                throw new InvalidOperationException("SandBox property is not set to true");
            // http://www.dotnetthis.com/Articles/DynamicSandboxing.htm

            // Now we need to set the appdomain policy, 
            // and to do that we will need to create a Policy Level. 
            // A Policy Level is a tree-like structure that has Code Groups as its nodes. 
            // Each code group consists of a Membership Condition (something that 
            // defines if an assembly in question belongs to the code group) and 
            // a Permission Set that is granted to the assembly if it does. 
            PolicyLevel domainPolicy = PolicyLevel.CreateAppDomainLevel();

            // Let's create a code group that gives Internet permission set 
            // to all code. 
            // First, let's create a membership condition that accepts all code. 
            AllMembershipCondition allCodeMC = new AllMembershipCondition();

            // If you were to build a more complex policy (giving different permissions 
            // to different assemblies) you could use other membership conditions, 
            // such as ZoneMembershipCondition, StrongNameMembershipCondition, etc. 

            // Now let's create a policy statement that represents Internet permissions. 
            // Here we just grab named permission set called "Internet" from the default policy, 
            // but you could also create your own permission set with whatever permissions 
            // you want in there. 
            PermissionSet internetPermissionSet = domainPolicy.GetNamedPermissionSet("Internet");
            PolicyStatement internetPolicyStatement = new PolicyStatement(internetPermissionSet);

            // We are ready to create a code group that maps all code to Internet permissions 
            CodeGroup allCodeInternetCG = new UnionCodeGroup(allCodeMC, internetPolicyStatement);

            // We have used a UnionCodeGroup here. It does not make much difference for 
            // a simple policy like ours here, but if you were to set up a more complex one 
            // you would probably add some child code groups and then the type of the parent 
            // code group would matter. UnionCodeGroup unions all permissions granted by its 
            // child code groups (as opposed to FirstMatchCodeGroup that only takes one child 
            // code group into effect). 
            // Once we have the CodeGroup set up we can add it to our Policy Level. 
            domainPolicy.RootCodeGroup = allCodeInternetCG;

            // If our root code group had any children the whole tree would be added 
            // to the appdomain security policy now. 
            // Imagine you wanted to modify our policy so that your strongname signed 
            // assemblies would get FullTrust and all other assemblies would get Internet 
            // permissions. Do accomplish that you would create a new UnionCodeGroup, 
            // whose membership condition would be a StrongNameMembershipCondition 
            // specifying your public key, and its permission set would be a "FullTrust" 
            // or just a "new PermissionSet(PermissionState.Unrestricted)". 
            // Then you would add that code group as a child to our allCodeInternetCG by 
            // calling its AddChild method. Whenever you then loaded a correct strong 
            // name signed assembly into your appdomain it would get Internet from the 
            // root code group and FullTrust from the child code group, and the effective 
            // permissions would be a union of the two, which is FullTrust. 
            // and our final policy related step is setting the AppDomain policy 
            this.Domain.SetAppDomainPolicy(domainPolicy);
        }

        /// From MRMModule.cs by Adam Frisby
        /// <summary>
        ///   Create an AppDomain that contains policy restricting code to execute
        ///   with only the permissions granted by a named permission set
        /// </summary>
        /// <param name = "permissionSetName">name of the permission set to restrict to</param>
        /// <param name = "appDomainName">'friendly' name of the appdomain to be created</param>
        /// <exception cref = "ArgumentNullException">
        ///   if <paramref name = "permissionSetName" /> is null
        /// </exception>
        /// <exception cref = "ArgumentOutOfRangeException">
        ///   if <paramref name = "permissionSetName" /> is empty
        /// </exception>
        /// <returns>AppDomain with a restricted security policy</returns>
        /// <remarks>
        ///   Substantial portions of this function from: http://blogs.msdn.com/shawnfa/archive/2004/10/25/247379.aspx
        ///   Valid permissionSetName values are:
        ///   * FullTrust
        ///   * SkipVerification
        ///   * Execution
        ///   * Nothing
        ///   * LocalIntranet
        ///   * Internet
        ///   * Everything
        /// </remarks>
        public AppDomain CreateRestrictedDomain(string permissionSetName, string appDomainName, AppDomainSetup ads)
        {
            if (permissionSetName == null)
                throw new ArgumentNullException("permissionSetName");
            if (permissionSetName.Length == 0)
                throw new ArgumentOutOfRangeException("permissionSetName", permissionSetName,
                                                      "Cannot have an empty permission set name");

            // Default to all code getting everything
            PermissionSet setIntersection = new PermissionSet(PermissionState.Unrestricted);
            AppDomain restrictedDomain = null;

#if NET_3_5

            PolicyStatement emptyPolicy = new PolicyStatement(new PermissionSet(PermissionState.None));
            UnionCodeGroup policyRoot = new UnionCodeGroup(new AllMembershipCondition(), emptyPolicy);

            bool foundName = false;
            // iterate over each policy level
            IEnumerator levelEnumerator = SecurityManager.PolicyHierarchy();
            while (levelEnumerator.MoveNext())
            {
                PolicyLevel level = levelEnumerator.Current as PolicyLevel;

                // if this level has defined a named permission set with the
                // given name, then intersect it with what we've retrieved
                // from all the previous levels
                if (level != null)
                {
                    PermissionSet levelSet = level.GetNamedPermissionSet(permissionSetName);
                    if (levelSet != null)
                    {
                        foundName = true;
                        if (setIntersection != null)
                            setIntersection = setIntersection.Intersect(levelSet);
                    }
                }
            }

            // Intersect() can return null for an empty set, so convert that
            // to an empty set object. Also return an empty set if we didn't find
            // the named permission set we were looking for
            if (setIntersection == null || !foundName)
                setIntersection = new PermissionSet(PermissionState.None);
            else
                setIntersection = new NamedPermissionSet(permissionSetName, setIntersection);

            // if no named permission sets were found, return an empty set,
            // otherwise return the set that was found
            setIntersection.AddPermission(new SocketPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new WebPermission(PermissionState.Unrestricted));
            setIntersection.AddPermission(new SecurityPermission(PermissionState.Unrestricted));

            PolicyStatement permissions = new PolicyStatement(setIntersection);
            policyRoot.AddChild(new UnionCodeGroup(new AllMembershipCondition(), permissions));

            // create an AppDomain policy level for the policy tree
            PolicyLevel appDomainLevel = PolicyLevel.CreateAppDomainLevel();
            appDomainLevel.RootCodeGroup = policyRoot;

            // create an AppDomain where this policy will be in effect
            restrictedDomain = AppDomain.CreateDomain(appDomainName, null, ads);
            restrictedDomain.SetAppDomainPolicy(appDomainLevel);
#else
            SecurityZone zone = SecurityZone.MyComputer;
            try
            {
                zone = (SecurityZone)Enum.Parse(typeof(SecurityZone), permissionSetName);
            }
            catch
            {
                zone = SecurityZone.MyComputer;
            }

            Evidence ev = new Evidence();
//.........这里部分代码省略.........