2 // Copyright (c) Microsoft. All rights reserved.
3 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
11 #ifndef __security_h__
12 #define __security_h__
14 #include "securitypolicy.h"
15 #include "securityattributes.h"
16 #include "securitydeclarativecache.h"
17 #include "securitydeclarative.h"
18 #include "securityimperative.h"
19 #include "securitytransparentassembly.h"
25 class IAssemblySecurityDescriptor;
26 class IApplicationSecurityDescriptor;
27 class IPEFileSecurityDescriptor;
29 enum SecurityStackWalkType
31 SSWT_DECLARATIVE_DEMAND = 1,
32 SSWT_IMPERATIVE_DEMAND = 2,
33 SSWT_DEMAND_FROM_NATIVE = 3,
34 SSWT_IMPERATIVE_ASSERT = 4,
35 SSWT_DENY_OR_PERMITONLY = 5,
36 SSWT_LATEBOUND_LINKDEMAND = 6,
37 SSWT_COUNT_OVERRIDES = 7,
38 SSWT_GET_ZONE_AND_URL = 8,
41 // AssemblyLoadSecurity is used to describe to the loader security information to apply to an assembly at
42 // load time. This includes information such as the assembly's evidence, as well as if we should resolve
43 // policy on the assembly or push a grant set to its security descriptor.
44 struct AssemblyLoadSecurity
46 OBJECTREF *m_pEvidence;
47 OBJECTREF *m_pAdditionalEvidence;
48 OBJECTREF *m_pGrantSet;
49 OBJECTREF *m_pRefusedSet;
50 DWORD m_dwSpecialFlags;
51 bool m_fCheckLoadFromRemoteSource;
52 bool m_fSuppressSecurityChecks;
53 bool m_fPropagatingAnonymouslyHostedDynamicMethodGrant;
55 inline AssemblyLoadSecurity();
57 // Should the assembly have policy resolved on it, or should it use a pre-determined grant set
58 inline bool ShouldResolvePolicy();
61 // Ultimately this will become the only interface through
62 // which the VM will access security code.
66 // ----------------------------------------
68 // ----------------------------------------
73 inline void SaveCache();
76 #ifdef FEATURE_CAS_POLICY
77 inline bool IsProcessWideLegacyCasPolicyEnabled();
78 inline bool CanLoadFromRemoteSources();
79 #endif // FEATURE_CAS_POLICY
81 BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD);
82 inline BOOL CanCallUnmanagedCode(Module *pModule);
83 inline BOOL CanAssert(Module *pModule);
84 inline DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);
86 #ifndef DACCESS_COMPILE
87 inline BOOL CanTailCall(MethodDesc* pMD);
88 inline BOOL CanHaveRVA(Assembly * pAssembly);
89 inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD);
90 inline BOOL CanSkipVerification(MethodDesc * pMethod);
93 inline BOOL CanSkipVerification(DomainAssembly * pAssembly);
94 inline CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly);
95 inline CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD);
97 // ----------------------------------------
99 // ----------------------------------------
101 inline OBJECTREF CreatePermissionSet(BOOL fTrusted);
102 inline void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData);
103 inline void CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray);
105 // ----------------------------------------
106 // SecurityDeclarative
107 // ----------------------------------------
108 inline HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
109 inline void RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas);
110 inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) ;
112 inline LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
113 OBJECTREF *pClassCasDemands,
114 OBJECTREF *pClassNonCasDemands,
115 OBJECTREF *pMethodCasDemands,
116 OBJECTREF *pMethodNonCasDemands);
118 inline void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
119 inline void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
120 inline void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
121 inline void GetPermissionInstance(OBJECTREF *perm, int index);
122 inline void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
123 #ifndef DACCESS_COMPILE
124 inline void CheckNonCasDemand(OBJECTREF *prefDemand);
125 #endif // #ifndef DACCESS_COMPILE
126 inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
127 inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);
128 inline void CheckBeforeAllocConsole(AppDomain* pDomain, Assembly* pAssembly);
130 // ----------------------------------------
132 // ----------------------------------------
135 inline void Demand(SecurityStackWalkType eType, OBJECTREF demand) ;
136 #ifdef FEATURE_CAS_POLICY
137 inline void DemandGrantSet(IAssemblySecurityDescriptor *psdAssembly);
138 #endif // FEATURE_CAS_POLICY
139 inline void DemandSet(SecurityStackWalkType eType, OBJECTREF demand) ;
140 inline void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) ;
141 #ifdef FEATURE_CAS_POLICY
142 inline void ReflectionTargetDemand(DWORD dwPermission, IAssemblySecurityDescriptor *psdTarget);
143 inline void ReflectionTargetDemand(DWORD dwPermission,
144 IAssemblySecurityDescriptor *psdTarget,
145 DynamicResolver * pAccessContext);
146 #endif // FEATURE_CAS_POLICY
147 inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) ;
149 inline void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);
151 inline void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
152 inline void FullTrustLinkDemand(Assembly *pTargetAssembly);
155 #ifdef FEATURE_COMPRESSEDSTACK
156 inline COMPRESSEDSTACKREF GetCSFromContextTransitionFrame(Frame *pFrame) ;
157 inline BOOL IsContextTransitionFrameWithCS(Frame *pFrame);
158 #endif // #ifdef FEATURE_COMPRESSEDSTACK
160 // Misc - todo: put these in better categories
162 inline BOOL AllDomainsOnStackFullyTrusted();
163 IApplicationSecurityDescriptor* CreateApplicationSecurityDescriptor(AppDomain * pDomain);
164 IAssemblySecurityDescriptor* CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
165 ISharedSecurityDescriptor* CreateSharedSecurityDescriptor(Assembly* pAssembly);
166 #ifndef FEATURE_CORECLR
167 IPEFileSecurityDescriptor* CreatePEFileSecurityDescriptor(AppDomain* pDomain, PEFile *pPEFile);
169 inline void SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD);
170 inline void SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD);
173 // Checks for one of the special domain wide flags
174 // such as if we are currently in a "fully trusted" environment
175 // or if unmanaged code access is allowed at this time
176 // Note: This is an inline method instead of a virtual method on IApplicationSecurityDescriptor
177 // for stackwalk perf.
178 inline BOOL CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags);
180 inline BOOL IsResolved(Assembly *pAssembly);
182 FORCEINLINE VOID IncrementSecurityPerfCounter() ;
183 inline BOOL IsSpecialRunFrame(MethodDesc *pMeth) ;
184 inline BOOL SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
185 inline BOOL SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
187 // Transparency checks
188 inline BOOL IsMethodTransparent(MethodDesc * pMD);
189 inline BOOL IsMethodCritical(MethodDesc * pMD);
190 inline BOOL IsMethodSafeCritical(MethodDesc * pMD);
192 inline BOOL IsTypeCritical(MethodTable *pMT);
193 inline BOOL IsTypeSafeCritical(MethodTable *pMT);
194 inline BOOL IsTypeTransparent(MethodTable * pMT);
195 inline BOOL IsTypeAllTransparent(MethodTable * pMT);
197 inline BOOL IsFieldTransparent(FieldDesc * pFD);
198 inline BOOL IsFieldCritical(FieldDesc * pFD);
199 inline BOOL IsFieldSafeCritical(FieldDesc * pFD);
201 inline BOOL IsTokenTransparent(Module* pModule, mdToken token);
203 inline void DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
204 const TypeHandle &calleeTH,
205 CorInfoSecurityRuntimeChecks check);
207 inline CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
209 SecurityTransparencyError *pError);
210 inline VOID EnforceTransparentAssemblyChecks(MethodDesc* pCallee, MethodDesc* pCaller);
211 inline VOID EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller);
212 inline VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc);
214 inline bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands = false);
216 inline BOOL CheckCriticalAccess(AccessCheckContext* pContext,
217 MethodDesc* pOptionalTargetMethod = NULL,
218 FieldDesc* pOptionalTargetField = NULL,
219 MethodTable * pOptionalTargetType = NULL);
221 // declarative security
222 inline HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry = NULL) ;
224 // security enforcement
225 inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
228 inline BOOL IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem = NULL) ;
229 inline void DoUntrustedCallerChecks(Assembly *pCaller, MethodDesc *pCalee, BOOL fFullStackWalk) ;
231 inline bool NativeImageHasValidAptcaDependencies(PEImage *pNativeImage, DomainAssembly *pDomainAssembly);
233 inline SString GetAptcaKillBitAccessExceptionContext(Assembly *pTargetAssembly);
234 inline SString GetConditionalAptcaAccessExceptionContext(Assembly *pTargetAssembly);
235 #endif // FEATURE_APTCA
237 #ifdef FEATURE_CORECLR
238 inline BOOL IsMicrosoftPlatform(IAssemblySecurityDescriptor *pSecDesc);
239 #endif // FEATURE_CORECLR
241 inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);
243 inline bool CanShareAssembly(DomainAssembly *pAssembly);
246 class ISecurityDescriptor
250 VPTR_BASE_VTABLE_CLASS(ISecurityDescriptor)
252 virtual ~ISecurityDescriptor() { LIMITED_METHOD_CONTRACT; }
254 virtual BOOL IsFullyTrusted() = 0;
256 virtual BOOL CanCallUnmanagedCode() const = 0;
258 #ifndef DACCESS_COMPILE
259 virtual DWORD GetSpecialFlags() const = 0;
261 virtual AppDomain* GetDomain() const = 0;
263 virtual void Resolve() = 0;
264 virtual BOOL IsResolved() const = 0;
266 #ifdef FEATURE_CAS_POLICY
267 virtual OBJECTREF GetEvidence() = 0;
268 virtual BOOL IsEvidenceComputed() const = 0;
269 virtual void SetEvidence(OBJECTREF evidence) = 0;
270 #endif // FEATURE_CAS_POLICY
272 virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) = 0;
273 #endif // !DACCESS_COMPILE
276 class IApplicationSecurityDescriptor : public ISecurityDescriptor
280 VPTR_ABSTRACT_VTABLE_CLASS(IApplicationSecurityDescriptor, ISecurityDescriptor)
283 #ifndef DACCESS_COMPILE
285 virtual BOOL IsHomogeneous() const = 0;
286 virtual void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) = 0;
287 virtual BOOL ContainsAnyRefusedPermissions() = 0;
289 virtual BOOL IsDefaultAppDomain() const = 0;
290 virtual BOOL IsDefaultAppDomainEvidence() = 0;
291 virtual BOOL DomainMayContainPartialTrustCode() = 0;
293 virtual BOOL CallHostSecurityManager() = 0;
294 virtual void SetHostSecurityManagerFlags(DWORD dwFlags) = 0;
295 virtual void SetPolicyLevelFlag() = 0;
297 virtual void FinishInitialization() = 0;
298 virtual BOOL IsInitializationInProgress() = 0;
300 // Determine the security state that an AppDomain will arrive in if nothing changes during domain
301 // initialization. (ie, get the input security state of the domain)
302 virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) = 0;
304 // Gets special domain wide flags that specify things
305 // such as whether we are currently in a "fully trusted" environment
306 // or if unmanaged code access is allowed at this time
307 virtual DWORD GetDomainWideSpecialFlag() const = 0;
309 #ifdef FEATURE_CAS_POLICY
310 virtual void SetLegacyCasPolicyEnabled() = 0;
311 virtual BOOL IsLegacyCasPolicyEnabled() = 0;
312 virtual BOOL AllowsLoadsFromRemoteSources() = 0;
313 #endif // FEATURE_CAS_POLICY
316 virtual ConditionalAptcaCache *GetConditionalAptcaCache() = 0;
317 virtual void SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList) = 0;
318 #endif // FEATURE_APTCA
319 #endif // !DACCESS_COMPILE
322 class IAssemblySecurityDescriptor : public ISecurityDescriptor
326 VPTR_ABSTRACT_VTABLE_CLASS(IAssemblySecurityDescriptor, ISecurityDescriptor)
329 #ifndef DACCESS_COMPILE
330 virtual SharedSecurityDescriptor *GetSharedSecDesc() = 0;
332 virtual BOOL CanAssert() = 0;
333 virtual BOOL HasUnrestrictedUIPermission() = 0;
334 virtual BOOL IsAllCritical() = 0;
335 virtual BOOL IsAllSafeCritical() = 0;
336 virtual BOOL IsAllPublicAreaSafeCritical() = 0;
337 virtual BOOL IsAllTransparent() = 0;
338 virtual BOOL IsSystem() = 0;
339 virtual BOOL AllowSkipVerificationInFullTrust() = 0;
341 virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution) = 0;
343 #ifdef FEATURE_CAS_POLICY
344 virtual HRESULT LoadSignature( COR_TRUST **ppSignature = NULL) = 0;
346 virtual void SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet, OBJECTREF OptionalPermissionSet, OBJECTREF DeniedPermissionSet) = 0;
348 virtual void SetAdditionalEvidence(OBJECTREF evidence) = 0;
349 virtual BOOL HasAdditionalEvidence() = 0;
350 virtual OBJECTREF GetAdditionalEvidence() = 0;
351 virtual void SetEvidenceFromPEFile(IPEFileSecurityDescriptor *pPEFileSecDesc) = 0;
352 #endif // FEATURE_CAS_POLICY
354 virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) = 0;
356 #ifndef FEATURE_CORECLR
357 virtual BOOL AllowApplicationSpecifiedAppDomainManager() = 0;
360 // Check to make sure that security will allow this assembly to load. Throw an exception if the
361 // assembly should be forbidden from loading for security related purposes
362 virtual void CheckAllowAssemblyLoad() = 0;
363 #endif // #ifndef DACCESS_COMPILE
366 class ISharedSecurityDescriptor
369 virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL) = 0;
370 virtual BOOL IsResolved() const = 0;
371 virtual BOOL IsSystem() = 0;
372 virtual Assembly* GetAssembly() = 0;
375 #ifndef FEATURE_CORECLR
376 class IPEFileSecurityDescriptor : public ISecurityDescriptor
379 virtual BOOL AllowBindingRedirects() = 0;
383 #include "security.inl"
384 #include "securitydeclarative.inl"
385 #include "securityattributes.inl"