Added additional configuration options for MRM Security. See OpenSim.ini.example under the [MRM] section.

OpenSim/Region/OptionalModules/Scripting/Minimodule/MRMModule.cs

@@ -211,25 +211,39 @@ namespace OpenSim.Region.OptionalModules.Scripting.Minimodule
         {
             if (script.StartsWith("//MRM:C#"))
             {
-                if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID
+                if (m_config.GetBoolean("OwnerOnly", true))
-                    ||
+                    if (m_scene.GetSceneObjectPart(localID).OwnerID != m_scene.RegionInfo.MasterAvatarAssignedUUID
-                    m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)
+                        || m_scene.GetSceneObjectPart(localID).CreatorID != m_scene.RegionInfo.MasterAvatarAssignedUUID)
-                    return;
+                        return;
 
                 script = ConvertMRMKeywords(script);
 
                 try
                 {
-                    m_log.Info("[MRM] Found C# MRM - Starting in AppDomain with " + m_config.GetString("permissionLevel", "Internet") + "-level security.");
+                    AppDomain target;
+                    if (m_config.GetBoolean("Sandboxed", true))
+                    {
+                        m_log.Info("[MRM] Found C# MRM - Starting in AppDomain with " +
+                                   m_config.GetString("SandboxLevel", "Internet") + "-level security.");
 
-                    string domainName = UUID.Random().ToString();
+                        string domainName = UUID.Random().ToString();
-                    AppDomain target = CreateRestrictedDomain(m_config.GetString("permissionLevel", "Internet"),
+                        target = CreateRestrictedDomain(m_config.GetString("SandboxLevel", "Internet"),
-                                                              domainName);
+                                                                  domainName);
+                    }
+                    else
+                    {
+                        m_log.Info("[MRM] Found C# MRM - Starting in current AppDomain");
+                        m_log.Warn(
+                            "[MRM] Security Risk: AppDomain is run in current context. Use only in trusted environments.");
+                        target = AppDomain.CurrentDomain;
+                    }
 
+                    m_log.Info("[MRM] Unwrapping into target AppDomain");
                     MRMBase mmb = (MRMBase) target.CreateInstanceFromAndUnwrap(
                                                 CompileFromDotNetText(script, itemID.ToString()),
                                                 "OpenSim.MiniModule");
 
+                    m_log.Info("[MRM] Initialising MRM Globals");
                     InitializeMRM(mmb, localID, itemID);
 
                     m_scripts[itemID] = mmb;

bin/OpenSim.ini.example

@@ -1163,10 +1163,28 @@
 
 
 [MRM]
-    ; Enables the Mini Region Modules Script Engine. WARNING: SECURITY RISK.
+    ; Enables the Mini Region Modules Script Engine.
     ; default is false
     Enabled = false
+	
+	; Runs MRM in a Security Sandbox
+	; WARNING: DISABLING IS A SECURITY RISK.
+	Sandboxed = true
+	
+	; The level sandbox to use, adjust at your OWN RISK.
+	; Valid values are: 
+	; *  FullTrust
+    ; *  SkipVerification
+    ; *  Execution
+    ; *  Nothing
+    ; *  LocalIntranet
+    ; *  Internet
+    ; *  Everything
+	SandboxLevel = "Internet"
 
+	; Only allow Region Owners to run MRMs
+	; May represent a security risk if you disable this.
+	OwnerOnly = true
 
 [Hypergrid]
     ; Keep it false for now. Making it true requires the use of a special client in order to access inventory