{
MethodTable *pMT = elementType.AsMethodTable();
- // TODO: We also should check for type/member visibility here. To do that we can replace
- // the following chunk of code with a simple InvokeUtil::CanAccessClass call.
- // But it's too late to make this change in Dev10 and we want SL4 to be compatible with Dev10.
- if (Security::TypeRequiresTransparencyCheck(pMT))
- {
- // The AccessCheckOptions flag doesn't matter because we just need to get the caller.
- RefSecContext sCtx(AccessCheckOptions::kMemberAccess);
-
- AccessCheckOptions accessCheckOptions(InvokeUtil::GetInvocationAccessCheckType(),
- NULL /*pAccessContext*/,
- TRUE /*throwIfTargetIsInaccessible*/,
- pMT /*pTargetMT*/);
-
- accessCheckOptions.DemandMemberAccessOrFail(&sCtx, pMT, FALSE /*visibilityCheck*/);
- }
-
// Check for byref-like types.
if (pMT->IsByRefLike())
COMPlusThrow(kNotSupportedException, W("NotSupported_ByRefLikeArray"));
}
FCIMPLEND
-FCIMPL0(StringObject*, SystemNative::GetDeveloperPath)
-{
- return NULL;
-}
-FCIMPLEND
-
FCIMPL0(StringObject*, SystemNative::GetRuntimeDirectory)
{
FCALL_CONTRACT;
}
FCIMPLEND
-FCIMPL0(StringObject*, SystemNative::GetHostBindingFile);
-{
- FCALL_CONTRACT;
-
- STRINGREF refRetVal = NULL;
-
- HELPER_METHOD_FRAME_BEGIN_RET_1(refRetVal);
-
- LPCWSTR wszFile = g_pConfig->GetProcessBindingFile();
- if(wszFile)
- refRetVal = StringObject::NewString(wszFile);
-
- HELPER_METHOD_FRAME_END();
- return (StringObject*)OBJECTREFToObject(refRetVal);
-}
-FCIMPLEND
-
-
INT32 QCALLTYPE SystemNative::GetProcessorCount()
{
QCALL_CONTRACT;
return processorCount;
}
-#ifdef FEATURE_CLASSIC_COMINTEROP
-
-LPVOID QCALLTYPE SystemNative::GetRuntimeInterfaceImpl(
- /*in*/ REFCLSID clsid,
- /*in*/ REFIID riid)
-{
- QCALL_CONTRACT;
-
- LPVOID pUnk = NULL;
-
- BEGIN_QCALL;
-
- IfFailThrow(E_NOINTERFACE);
-
- END_QCALL;
-
- return pUnk;
-}
-
-#endif
-
FCIMPL0(FC_BOOL_RET, SystemNative::HasShutdownStarted)
{
FCALL_CONTRACT;
// Purpose: Native methods on System.System
//
-//
-
#ifndef _SYSTEM_H_
#define _SYSTEM_H_
#include "fcall.h"
#include "qcall.h"
-// Corresponding to managed class Microsoft.Win32.OSVERSIONINFO
-class OSVERSIONINFOObject : public Object
-{
- public:
- STRINGREF szCSDVersion;
- DWORD dwOSVersionInfoSize;
- DWORD dwMajorVersion;
- DWORD dwMinorVersion;
- DWORD dwBuildNumber;
- DWORD dwPlatformId;
-};
-
-//Corresponding to managed class Microsoft.Win32.OSVERSIONINFOEX
-class OSVERSIONINFOEXObject : public Object
-{
- public:
- STRINGREF szCSDVersion;
- DWORD dwOSVersionInfoSize;
- DWORD dwMajorVersion;
- DWORD dwMinorVersion;
- DWORD dwBuildNumber;
- DWORD dwPlatformId;
- WORD wServicePackMajor;
- WORD wServicePackMinor;
- WORD wSuiteMask;
- BYTE wProductType;
- BYTE wReserved;
-};
-
-
-
class SystemNative
{
friend class DebugStackTrace;
static FCDECL2(VOID, FailFastWithExitCode, StringObject* refMessageUNSAFE, UINT exitCode);
static FCDECL2(VOID, FailFastWithException, StringObject* refMessageUNSAFE, ExceptionObject* refExceptionUNSAFE);
- static FCDECL0(StringObject*, GetDeveloperPath);
static FCDECL1(Object*, _GetEnvironmentVariable, StringObject* strVar);
static FCDECL0(StringObject*, _GetModuleFileName);
static FCDECL0(StringObject*, GetRuntimeDirectory);
- static FCDECL0(StringObject*, GetHostBindingFile);
- static LPVOID QCALLTYPE GetRuntimeInterfaceImpl(REFCLSID clsid, REFIID riid);
- static void QCALLTYPE _GetSystemVersion(QCall::StringHandleOnStack retVer);
// Returns the number of logical processors that can be used by managed code
static INT32 QCALLTYPE GetProcessorCount();
// Return a method info for the method were the exception was thrown
static FCDECL1(ReflectMethodObject*, GetMethodFromStackTrace, ArrayBase* pStackTraceUNSAFE);
-
-
-// Move this into a separate CLRConfigQCallWrapper class once CLRConfif has been refactored:
-
-
private:
// Common processing code for FailFast
static void GenericFailFast(STRINGREF refMesgString, EXCEPTIONREF refExceptionForWatsonBucketing, UINT_PTR retAddress, UINT exitCode);
{
DD_ENTER_MAY_THROW;
- DomainAssembly * pAssembly = vmDomainAssembly.GetDacPtr();
- IAssemblySecurityDescriptor * pSecDisc = pAssembly->GetSecurityDescriptor();
- return pSecDisc->IsFullyTrusted();
+ return TRUE;
}
// Get the full path and file name to the assembly's manifest module.
#pragma warning(disable:21000) // Suppress PREFast warning about overly large function
#endif
-const NativeImageDumper::EnumMnemonics s_MSDFlags[] =
-{
-#define MSD_ENTRY(f) NativeImageDumper::EnumMnemonics(ModuleSecurityDescriptorFlags_ ## f, W(#f))
- MSD_ENTRY(IsComputed),
- MSD_ENTRY(IsAllCritical),
- MSD_ENTRY(IsAllTransparent),
- MSD_ENTRY(IsTreatAsSafe),
- MSD_ENTRY(IsOpportunisticallyCritical),
- MSD_ENTRY(SkipFullTrustVerification)
-#undef MSD_ENTRY
-};
-
void NativeImageDumper::DumpModule( PTR_Module module )
{
Module, MODULE );
- _ASSERTE(module->m_pModuleSecurityDescriptor);
- PTR_ModuleSecurityDescriptor msd(TO_TADDR(module->m_pModuleSecurityDescriptor));
- DisplayStartStructureWithOffset( m_pModuleSecurityDescriptor,
- DPtrToPreferredAddr(msd), sizeof(*msd),
- Module, MODULE );
- DisplayWriteElementEnumerated("Flags", msd->GetRawFlags(), s_MSDFlags, W(", "), MODULE );
-
- _ASSERTE(msd->GetModule() == module);
- DisplayEndStructure(MODULE); //ModuleSecurityDescriptor
-
/* REVISIT_TODO Wed 09/21/2005
* Get me in the debugger and look at the activations and module/class
* dependencies.
MTFLAG2_ENTRY(IsZapped),
MTFLAG2_ENTRY(IsPreRestored),
MTFLAG2_ENTRY(HasModuleDependencies),
- MTFLAG2_ENTRY(NoSecurityProperties),
MTFLAG2_ENTRY(RequiresDispatchTokenFat),
MTFLAG2_ENTRY(HasCctor),
MTFLAG2_ENTRY(HasCCWTemplate),
#endif
#undef VMF_ENTRY
};
-static NativeImageDumper::EnumMnemonics s_SecurityProperties[] =
-{
-#define SP_ENTRY(x) NativeImageDumper::EnumMnemonics(DECLSEC_ ## x, W(#x))
- SP_ENTRY(DEMANDS),
- SP_ENTRY(ASSERTIONS),
- SP_ENTRY(DENIALS),
- SP_ENTRY(INHERIT_CHECKS),
- SP_ENTRY(LINK_CHECKS),
- SP_ENTRY(PERMITONLY),
- SP_ENTRY(REQUESTS),
- SP_ENTRY(UNMNGD_ACCESS_DEMAND),
- SP_ENTRY(NONCAS_DEMANDS),
- SP_ENTRY(NONCAS_LINK_DEMANDS),
- SP_ENTRY(NONCAS_INHERITANCE),
-
- SP_ENTRY(NULL_INHERIT_CHECKS),
- SP_ENTRY(NULL_LINK_CHECKS),
-#undef SP_ENTRY
-};
static NativeImageDumper::EnumMnemonics s_CorFieldAttr[] =
{
#define CFA_ENTRY(x) NativeImageDumper::EnumMnemonics( x, W(#x) )
DisplayWriteFieldInt( m_cbModuleDynamicID, pClassOptional->m_cbModuleDynamicID,
EEClassOptionalFields, EECLASSES );
-
- DisplayWriteFieldEnumerated( m_SecProps, clazz->GetSecurityProperties()->dwFlags,
- EEClassOptionalFields, s_SecurityProperties, W("|"),
- EECLASSES );
-
DisplayEndStructure( EECLASSES ); // EEClassOptionalFields
}
} // NativeImageDumper::DumpEEClassForMethodTable
typedef DPTR(CerNgenRootTable) PTR_CerNgenRootTable;
typedef DPTR(struct CerRoot) PTR_CerRoot;
typedef DPTR(MethodContextElement) PTR_MethodContextElement;
-typedef DPTR(ModuleSecurityDescriptor) PTR_ModuleSecurityDescriptor;
typedef DPTR(DictionaryEntry) PTR_DictionaryEntry;
typedef DPTR(GuidInfo) PTR_GuidInfo;
#if defined(FEATURE_COMINTEROP)
appdomainData->FailedAssemblyCount++;
}
}
-#ifndef FEATURE_PAL
- // MiniDumpNormal doesn't guarantee to dump the SecurityDescriptor, let it fail.
- EX_TRY
- {
- appdomainData->AppSecDesc = HOST_CDADDR(pAppDomain->GetSecurityDescriptor());
- }
- EX_CATCH
- {
- HRESULT hrExc = GET_EXCEPTION()->GetHR();
- if (hrExc != HRESULT_FROM_WIN32(ERROR_READ_FAULT)
- && hrExc != CORDBG_E_READVIRTUAL_FAILURE)
- {
- EX_RETHROW;
- }
- }
- EX_END_CATCH(SwallowAllExceptions)
-#endif // FEATURE_PAL
}
}
assemblyData->AssemblyPtr = HOST_CDADDR(pAssembly);
assemblyData->ClassLoader = HOST_CDADDR(pAssembly->GetLoader());
assemblyData->ParentDomain = HOST_CDADDR(pAssembly->GetDomain());
- if (pDomain != NULL)
- assemblyData->AssemblySecDesc = HOST_CDADDR(pAssembly->GetSecurityDescriptor(pDomain));
assemblyData->isDynamic = pAssembly->IsDynamic();
assemblyData->ModuleCount = 0;
assemblyData->isDomainNeutral = pAssembly->IsDomainNeutral();
static STARTUP_FLAGS GetStartupFlags();
- static LPCWSTR GetAppDomainManagerAsm();
-
- static LPCWSTR GetAppDomainManagerType();
-
static EInitializeNewDomainFlags GetAppDomainManagerInitializeNewDomainFlags();
- static BOOL HasAppDomainManagerInfo()
- {
- LIMITED_METHOD_CONTRACT;
- return GetAppDomainManagerAsm() != NULL && GetAppDomainManagerType() != NULL;
- }
-
static BOOL HasStarted()
{
return m_RefCount != 0;
}
-
- static BOOL IsLoadFromBlocked(); // LoadFrom, LoadFile and Load(byte[]) are blocked in certain hosting scenarios
private:
// This flag indicates if this instance was the first to load and start CoreCLR
static IHostControl *m_HostControl;
- static LPCWSTR s_wszAppDomainManagerAsm;
- static LPCWSTR s_wszAppDomainManagerType;
- static EInitializeNewDomainFlags s_dwDomainManagerInitFlags;
-
-
SVAL_DECL(STARTUP_FLAGS, m_dwStartupFlags);
};
#endif
VPTR_CLASS(InlinedCallFrame)
VPTR_CLASS(SecureDelegateFrame)
-VPTR_CLASS(SecurityContextFrame)
VPTR_CLASS(MulticastFrame)
VPTR_CLASS(PInvokeCalliFrame)
VPTR_CLASS(PrestubMethodFrame)
VPTR_CLASS(GlobalLoaderAllocator)
VPTR_CLASS(AppDomainLoaderAllocator)
VPTR_CLASS(AssemblyLoaderAllocator)
-
-VPTR_CLASS(AssemblySecurityDescriptor)
-VPTR_CLASS(ApplicationSecurityDescriptor)
ULONG cSecAttrs, // [IN] Count of elements in above array.
ULONG *pulErrorAttr) // [OUT] On error, index of attribute causing problem.
{
-#ifdef FEATURE_METADATA_EMIT_ALL
- HRESULT hr = S_OK;
-
- BEGIN_ENTRYPOINT_NOTHROW;
-
- NewArrayHolder <CORSEC_ATTRSET> rAttrSets;
- DWORD i;
- mdPermission ps;
- DWORD dwAction;
- bool fProcessDeclarativeSecurityAtRuntime;
-
- LOG((LOGMD, "RegMeta::DefineSecurityAttributeSet(0x%08x, 0x%08x, 0x%08x, 0x%08x)\n",
- tkObj, rSecAttrs, cSecAttrs, pulErrorAttr));
- START_MD_PERF();
- LOCKWRITE();
-
- IfFailGo(m_pStgdb->m_MiniMd.PreUpdate());
-
- rAttrSets = new (nothrow) CORSEC_ATTRSET[dclMaximumValue + 1];
- if (rAttrSets == NULL)
- {
- hr = E_OUTOFMEMORY;
- goto ErrExit;
- }
-
- memset(rAttrSets, 0, sizeof(CORSEC_ATTRSET) * (dclMaximumValue + 1));
-
- // Initialize error index to indicate a general error.
- if (pulErrorAttr)
- *pulErrorAttr = cSecAttrs;
-
- fProcessDeclarativeSecurityAtRuntime = true;
-
- // See if we should default to old v1.0/v1.1 serialization behavior
- if (m_OptionValue.m_MetadataVersion < MDVersion2)
- fProcessDeclarativeSecurityAtRuntime = false;
-
- // Startup the EE just once, no matter how many times we're called (this is
- // better on performance and the EE falls over if we try a start-stop-start
- // cycle anyway).
- if (!m_fStartedEE && !fProcessDeclarativeSecurityAtRuntime)
- {
- IfFailGo(StartupEE());
- }
-
- // Group the security attributes by SecurityAction (thus creating an array of CORSEC_PERM's)
- IfFailGo(GroupSecurityAttributesByAction(/*OUT*/rAttrSets, rSecAttrs, cSecAttrs, tkObj, pulErrorAttr, &m_pStgdb->m_MiniMd, NULL));
-
- // Put appropriate data in the metadata
- for (i = 0; i <= dclMaximumValue; i++)
- {
- NewArrayHolder <BYTE> pbBlob(NULL);
- NewArrayHolder <BYTE> pbNonCasBlob(NULL);
- DWORD cbBlob = 0;
- DWORD cbNonCasBlob = 0;
-
- rAttrSets[i].pImport = this;
- rAttrSets[i].pAppDomain = m_pAppDomain;
- if (rAttrSets[i].dwAttrCount == 0)
- continue;
- if (pulErrorAttr)
- *pulErrorAttr = i;
-
- if(fProcessDeclarativeSecurityAtRuntime)
- {
- // Put a serialized CORSEC_ATTRSET in the metadata
- SIZE_T cbAttrSet = 0;
- IfFailGo(AttributeSetToBlob(&rAttrSets[i], NULL, &cbAttrSet, this, i)); // count size required for buffer
- if (!FitsIn<DWORD>(cbAttrSet))
- {
- hr = COR_E_OVERFLOW;
- goto ErrExit;
- }
- cbBlob = static_cast<DWORD>(cbAttrSet);
-
- pbBlob = new (nothrow) BYTE[cbBlob]; // allocate buffer
- if (pbBlob == NULL)
- {
- hr = E_OUTOFMEMORY;
- goto ErrExit;
- }
-
- IfFailGo(AttributeSetToBlob(&rAttrSets[i], pbBlob, NULL, this, i)); // serialize into the buffer
- IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj, rAttrSets[i].dwAction, pbBlob, cbBlob, &ps)); // put it in metadata
- }
- else
- {
- // Now translate the sets of security attributes into a real permission
- // set and convert this to a serialized Xml blob. We may possibly end up
- // with two sets as the result of splitting CAS and non-CAS permissions
- // into separate sets.
- hr = TranslateSecurityAttributes(&rAttrSets[i], &pbBlob, &cbBlob, &pbNonCasBlob, &cbNonCasBlob, pulErrorAttr);
- IfFailGo(hr);
-
- // Persist the permission set blob into the metadata. For empty CAS
- // blobs this is only done if the corresponding non-CAS blob is empty
- if (cbBlob || !cbNonCasBlob)
- IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj, rAttrSets[i].dwAction, pbBlob, cbBlob, &ps));
-
- if (pbNonCasBlob)
- {
- // Map the SecurityAction to a special non-CAS action so this
- // blob will have its own entry in the metadata
- switch (rAttrSets[i].dwAction)
- {
- case dclDemand:
- dwAction = dclNonCasDemand;
- break;
- case dclLinktimeCheck:
- dwAction = dclNonCasLinkDemand;
- break;
- case dclInheritanceCheck:
- dwAction = dclNonCasInheritance;
- break;
- default:
- PostError(CORSECATTR_E_BAD_NONCAS);
- IfFailGo(CORSECATTR_E_BAD_NONCAS);
- }
-
- // Persist to metadata
- IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj,
- dwAction,
- pbNonCasBlob,
- cbNonCasBlob,
- &ps));
- }
- }
- }
-
-ErrExit:
- STOP_MD_PERF(DefineSecurityAttributeSet);
-
- END_ENTRYPOINT_NOTHROW;
-
- return (hr);
-#else //!FEATURE_METADATA_EMIT_ALL
return E_NOTIMPL;
-#endif //!FEATURE_METADATA_EMIT_ALL
} // RegMeta::DefineSecurityAttributeSet
#endif //FEATURE_METADATA_EMIT
<Compile Include="$(BclSourcesRoot)\System\AppDomain.cs" />
<Compile Include="$(BclSourcesRoot)\System\AppDomainSetup.cs" />
<Compile Include="$(BclSourcesRoot)\System\AppDomainManager.cs" />
- <Compile Include="$(BclSourcesRoot)\System\IAppDomainPauseManager.cs" />
- <Compile Include="$(BclSourcesRoot)\System\AppDomainAttributes.cs" />
<Compile Include="$(BclSourcesRoot)\System\AppDomainUnloadedException.cs" />
<Compile Include="$(BclSourcesRoot)\System\ArgIterator.cs" />
<Compile Include="$(BclSourcesRoot)\System\Attribute.cs" />
<Compile Include="$(CommonPath)\System\SR.cs" />
<!-- Include Internals visible to file in the compilation -->
<Compile Include="$(BclSourcesRoot)\mscorlib.Friends.cs" />
- <!-- TODO list of types to be cleaned up from CoreLib -->
- <Compile Include="$(BclSourcesRoot)\CleanupToDoList.cs" />
</ItemGroup>
<ItemGroup>
<Compile Include="src\System\Runtime\RuntimeImports.cs" />
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-
-//
-// Stubbed out types to be cleanup from CoreLib
-//
-
-namespace System.Security
-{
- internal enum SecurityContextSource
- {
- CurrentAppDomain = 0,
- CurrentAssembly
- }
-}
-
-namespace System.Security.Policy
-{
- internal sealed class Evidence
- {
- }
-
- internal sealed class ApplicationTrust
- {
- }
-}
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-using System.Diagnostics.CodeAnalysis;
-
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lpfuncdesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lptcomp", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lpvardesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.CriticalHandle.#handle", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.DISPPARAMS.#rgdispidNamedArgs", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.DISPPARAMS.#rgvarg", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.EXCEPINFO.#pfnDeferredFillIn", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.EXCEPINFO.#pvReserved", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.FUNCDESC.#lprgelemdescParam", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.FUNCDESC.#lprgscode", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.PARAMDESC.#lpVarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.SafeHandle.#handle", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.TYPEATTR.#lpstrSchema", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.TYPEDESC.#lpValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.VARDESC+DESCUNION.#lpvarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lpfuncdesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lptcomp", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lpvardesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.DISPPARAMS.#rgdispidNamedArgs", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.DISPPARAMS.#rgvarg", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.EXCEPINFO.#pfnDeferredFillIn", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.EXCEPINFO.#pvReserved", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.FUNCDESC.#lprgelemdescParam", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.FUNCDESC.#lprgscode", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.IDLDESC.#dwReserved", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.PARAMDESC.#lpVarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.TYPEATTR.#lpstrSchema", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.TYPEDESC.#lpValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.VARDESC+DESCUNION.#lpvarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Threading.NativeOverlapped.#EventHandle", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Threading.NativeOverlapped.#InternalHigh", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Threading.NativeOverlapped.#InternalLow", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2105:ArrayFieldsShouldNotBeReadOnly", Scope="member", Target="System.IO.Path.#InvalidPathChars", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2105:ArrayFieldsShouldNotBeReadOnly", Scope="member", Target="System.Type.#EmptyTypes", Justification="matell: We already shipped this and it would be a breaking change to fix it")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.BinaryWriter.#Null", Justification="matell: Underlying type is actually immutable")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.Stream.#Null", Justification="matell: Underlying type is actually immutable")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.StreamReader.#Null", Justification="matell: Underlying type is actually immutable")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.StreamWriter.#Null", Justification="matell: Underlying type is actually Immutable")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.TextReader.#Null", Justification="matell: Underlying type is actually immutable")]
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.TextWriter.#Null", Justification="matell: Underlying type is actually immutable")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Diagnostics.Tracing.EventSource.#GenerateGuidFromName(System.String)", Justification="matell: Existing code that needs to interop with other components using SHA-1")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.IO.IsolatedStorage.IsolatedStorage.#GetHash(System.IO.Stream)", Justification="matell: Existing code that needs to interop with other components using SHA-1")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.IO.IsolatedStorage.IsolatedStorageFile.#GetStrongHashSuitableForObjectName(System.String)", Justification="matell: Existing code that needs to interop with other components using SHA-1")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Policy.HashMembershipCondition.#ParseHashAlgorithm()", Justification="matell: Existing code that needs to interop with other components using SHA-1")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Policy.HashMembershipCondition.#.ctor(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext)", Justification="matell: Existing code that needs to interop with other components using SHA-1")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#IsSemiWeakKey(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#IsWeakKey(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#get_Key()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#set_Key(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#GenerateKey()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.DSACryptoServiceProvider.#.ctor(System.Int32,System.Security.Cryptography.CspParameters)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5356:DSACannotBeUsed", Scope="member", Target="System.Security.Cryptography.DSASignatureFormatter.#CreateSignature(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACMD5.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACMD5.#.ctor(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.HMACRIPEMD160.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.HMACRIPEMD160.#.ctor(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACSHA1.#.ctor(System.Byte[],System.Boolean)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.MACTripleDES.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.MACTripleDES.#.ctor(System.String,System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.MD5.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.MD5CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#HashCore(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#HashFinal()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#Initialize()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#MDTransform(System.UInt32*,System.UInt32*,System.Byte*)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#_EndHash()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#_HashData(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter.#DecryptKeyExchange(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RSAOAEPKeyExchangeFormatter.#CreateKeyExchange(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.Rijndael.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#HashCore(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#HashFinal()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#Initialize()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#SHATransform(System.UInt32*,System.UInt32*,System.Byte*)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#_EndHash()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#_HashData(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#IsWeakKey(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#get_Key()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#set_Key(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#GenerateKey()", Justification="matell: By design. Needed for implementation of security algorithms")]
[DllImport(KERNEL32)]
internal static extern bool FindClose(IntPtr handle);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
- internal static extern uint GetCurrentDirectoryW(uint nBufferLength, char[] lpBuffer);
-
[DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)]
internal static extern bool GetFileAttributesEx(String name, int fileInfoLevel, ref WIN32_FILE_ATTRIBUTE_DATA lpFileInformation);
- [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)]
- internal static extern bool SetCurrentDirectory(String path);
-
internal const int LCID_SUPPORTED = 0x00000002; // supported locale ids
[DllImport(KERNEL32)]
using System.Reflection;
using System.Security;
using CultureInfo = System.Globalization.CultureInfo;
- using Evidence = System.Security.Policy.Evidence;
using StackCrawlMark = System.Threading.StackCrawlMark;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;
using System.Runtime;
using System.Runtime.CompilerServices;
using System.Security;
- using System.Security.Policy;
using System.Collections;
using System.Collections.Generic;
using System.Threading;
using System.Diagnostics.Contracts;
using System.Runtime.ExceptionServices;
- internal delegate void AppDomainInitializer(string[] args);
-
- internal class AppDomainInitializerInfo
- {
- internal class ItemInfo
- {
- public string TargetTypeAssembly;
- public string TargetTypeName;
- public string MethodName;
- }
-
- internal ItemInfo[] Info;
-
- internal AppDomainInitializerInfo(AppDomainInitializer init)
- {
- Info = null;
- if (init == null)
- return;
- List<ItemInfo> itemInfo = new List<ItemInfo>();
- List<AppDomainInitializer> nestedDelegates = new List<AppDomainInitializer>();
- nestedDelegates.Add(init);
- int idx = 0;
-
- while (nestedDelegates.Count > idx)
- {
- AppDomainInitializer curr = nestedDelegates[idx++];
- Delegate[] list = curr.GetInvocationList();
- for (int i = 0; i < list.Length; i++)
- {
- if (!list[i].Method.IsStatic)
- {
- if (list[i].Target == null)
- continue;
-
- AppDomainInitializer nested = list[i].Target as AppDomainInitializer;
- if (nested != null)
- nestedDelegates.Add(nested);
- else
- throw new ArgumentException(SR.Arg_MustBeStatic,
- list[i].Method.ReflectedType.FullName + "::" + list[i].Method.Name);
- }
- else
- {
- ItemInfo info = new ItemInfo();
- info.TargetTypeAssembly = list[i].Method.ReflectedType.Module.Assembly.FullName;
- info.TargetTypeName = list[i].Method.ReflectedType.FullName;
- info.MethodName = list[i].Method.Name;
- itemInfo.Add(info);
- }
- }
- }
-
- Info = itemInfo.ToArray();
- }
-
- internal AppDomainInitializer Unwrap()
- {
- if (Info == null)
- return null;
- AppDomainInitializer retVal = null;
- for (int i = 0; i < Info.Length; i++)
- {
- Assembly assembly = Assembly.Load(Info[i].TargetTypeAssembly);
- AppDomainInitializer newVal = (AppDomainInitializer)Delegate.CreateDelegate(typeof(AppDomainInitializer),
- assembly.GetType(Info[i].TargetTypeName),
- Info[i].MethodName);
- if (retVal == null)
- retVal = newVal;
- else
- retVal += newVal;
- }
- return retVal;
- }
- }
-
internal sealed class AppDomain
{
// Domain security information
private AppDomainManager _domainManager;
private Dictionary<String, Object> _LocalStore;
private AppDomainSetup _FusionStore;
- private Evidence _SecurityIdentity;
-#pragma warning disable 169
- private Object[] _Policies; // Called from the VM.
-#pragma warning restore 169
public event AssemblyLoadEventHandler AssemblyLoad;
private ResolveEventHandler _TypeResolve;
}
- private ApplicationTrust _applicationTrust;
private EventHandler _processExit;
private EventHandler _domainUnload;
private IntPtr _pDomain; // this is an unmanaged pointer (AppDomain * m_pDomain)` used from the VM.
- private bool _HasSetPolicy;
- private bool _IsFastFullTrustDomain; // quick check to see if the AppDomain is fully trusted and homogenous
private bool _compatFlagsInitialized;
internal const String TargetFrameworkNameAppCompatSetting = "TargetFrameworkName";
}
#endif // FEATURE_APPX
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool DisableFusionUpdatesFromADManager(AppDomainHandle domain);
-
#if FEATURE_APPX
[DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
[SuppressUnmanagedCodeSecurity]
private static extern APPX_FLAGS nGetAppXFlags();
#endif
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void SetSecurityHomogeneousFlag(AppDomainHandle domain,
- [MarshalAs(UnmanagedType.Bool)] bool runtimeSuppliedHomogenousGrantSet);
-
/// <summary>
/// Get a handle used to make a call into the VM pointing to this domain
/// </summary>
}
/// <summary>
- /// Returns the setting of the corresponding compatibility config switch (see CreateAppDomainManager for the impact).
- /// </summary>
- internal bool DisableFusionUpdatesFromADManager()
- {
- return DisableFusionUpdatesFromADManager(GetNativeHandle());
- }
-
- /// <summary>
/// Returns whether the current AppDomain follows the AppX rules.
/// </summary>
[Pure]
}
/// <summary>
- /// Checks (and throws on failure) if the domain supports Assembly.ReflectionOnlyLoad.
- /// </summary>
- [Pure]
- internal static void CheckReflectionOnlyLoadSupported()
- {
-#if FEATURE_APPX
- if (IsAppXModel())
- throw new NotSupportedException(SR.Format(SR.NotSupported_AppX, "Assembly.ReflectionOnlyLoad"));
-#endif
- }
-
- /// <summary>
/// Checks (and throws on failure) if the domain supports Assembly.Load(byte[] ...).
/// </summary>
[Pure]
#endif
}
- /// <summary>
- /// Called for every AppDomain (including the default domain) to initialize the security of the AppDomain)
- /// </summary>
- private void InitializeDomainSecurity(Evidence providedSecurityInfo,
- Evidence creatorsSecurityInfo,
- bool generateDefaultEvidence,
- IntPtr parentSecurityDescriptor,
- bool publishAppDomain)
- {
- AppDomainSetup adSetup = FusionStore;
-
- bool runtimeSuppliedHomogenousGrant = false;
- ApplicationTrust appTrust = adSetup.ApplicationTrust;
-
- if (appTrust != null)
- {
- SetupDomainSecurityForHomogeneousDomain(appTrust, runtimeSuppliedHomogenousGrant);
- }
- else if (_IsFastFullTrustDomain)
- {
- SetSecurityHomogeneousFlag(GetNativeHandle(), runtimeSuppliedHomogenousGrant);
- }
-
- // Get the evidence supplied for the domain. If no evidence was supplied, it means that we want
- // to use the default evidence creation strategy for this domain
- Evidence newAppDomainEvidence = (providedSecurityInfo != null ? providedSecurityInfo : creatorsSecurityInfo);
- if (newAppDomainEvidence == null && generateDefaultEvidence)
- {
- newAppDomainEvidence = new Evidence();
- }
-
- // Set the evidence on the managed side
- _SecurityIdentity = newAppDomainEvidence;
-
- // Set the evidence of the AppDomain in the VM.
- // Also, now that the initialization is complete, signal that to the security system.
- // Finish the AppDomain initialization and resolve the policy for the AppDomain evidence.
- SetupDomainSecurity(newAppDomainEvidence,
- parentSecurityDescriptor,
- publishAppDomain);
- }
-
- private void SetupDomainSecurityForHomogeneousDomain(ApplicationTrust appTrust,
- bool runtimeSuppliedHomogenousGrantSet)
- {
- // If the CLR has supplied the homogenous grant set (that is, this domain would have been
- // heterogenous in v2.0), then we need to strip the ApplicationTrust from the AppDomainSetup of
- // the current domain. This prevents code which does:
- // AppDomain.CreateDomain(..., AppDomain.CurrentDomain.SetupInformation);
- //
- // From looking like it is trying to create a homogenous domain intentionally, and therefore
- // having its evidence check bypassed.
- if (runtimeSuppliedHomogenousGrantSet)
- {
- BCLDebug.Assert(_FusionStore.ApplicationTrust != null, "Expected to find runtime supplied ApplicationTrust");
- }
-
- _applicationTrust = appTrust;
-
- // Set the homogeneous bit in the VM's ApplicationSecurityDescriptor.
- SetSecurityHomogeneousFlag(GetNativeHandle(),
- runtimeSuppliedHomogenousGrantSet);
- }
-
public AppDomainManager DomainManager
{
get
sb.Append(Environment.NewLine);
}
- if (_Policies == null || _Policies.Length == 0)
- sb.Append(SR.Loader_NoContextPolicies
- + Environment.NewLine);
- else
- {
- sb.Append(SR.Loader_ContextPolicies
- + Environment.NewLine);
- for (int i = 0; i < _Policies.Length; i++)
- {
- sb.Append(_Policies[i]);
- sb.Append(Environment.NewLine);
- }
- }
-
return StringBuilderCache.GetStringAndRelease(sb);
}
nCreateContext();
- if (info.LoaderOptimization != LoaderOptimization.NotSpecified || (oldInfo != null && info.LoaderOptimization != oldInfo.LoaderOptimization))
- UpdateLoaderOptimization(info.LoaderOptimization);
// This must be the last action taken
_FusionStore = info;
}
- private static void RunInitializer(AppDomainSetup setup)
- {
- if (setup.AppDomainInitializer != null)
- {
- string[] args = null;
- if (setup.AppDomainInitializerArguments != null)
- args = (string[])setup.AppDomainInitializerArguments.Clone();
- setup.AppDomainInitializer(args);
- }
- }
-
// Used to switch into other AppDomain and call SetupRemoteDomain.
// We cannot simply call through the proxy, because if there
// are any remoting sinks registered, they can add non-mscorlib
// we try to deserialize it on the other side)
private static object PrepareDataForSetup(String friendlyName,
AppDomainSetup setup,
- Evidence providedSecurityInfo,
- Evidence creatorsSecurityInfo,
- IntPtr parentSecurityDescriptor,
- string sandboxName,
string[] propertyNames,
string[] propertyValues)
{
- byte[] serializedEvidence = null;
- bool generateDefaultEvidence = false;
-
- AppDomainInitializerInfo initializerInfo = null;
- if (setup != null && setup.AppDomainInitializer != null)
- initializerInfo = new AppDomainInitializerInfo(setup.AppDomainInitializer);
-
- // will travel x-Ad, drop non-agile data
AppDomainSetup newSetup = new AppDomainSetup(setup, false);
// Remove the special AppDomainCompatSwitch entries from the set of name value pairs
{
friendlyName,
newSetup,
- parentSecurityDescriptor,
- generateDefaultEvidence,
- serializedEvidence,
- initializerInfo,
- sandboxName,
propertyNames,
propertyValues
};
Object[] args = (Object[])arg;
String friendlyName = (String)args[0];
AppDomainSetup setup = (AppDomainSetup)args[1];
- IntPtr parentSecurityDescriptor = (IntPtr)args[2];
- bool generateDefaultEvidence = (bool)args[3];
- byte[] serializedEvidence = (byte[])args[4];
- AppDomainInitializerInfo initializerInfo = (AppDomainInitializerInfo)args[5];
- string sandboxName = (string)args[6];
- string[] propertyNames = (string[])args[7]; // can contain null elements
- string[] propertyValues = (string[])args[8]; // can contain null elements
- // extract evidence
- Evidence providedSecurityInfo = null;
- Evidence creatorsSecurityInfo = null;
+ string[] propertyNames = (string[])args[2]; // can contain null elements
+ string[] propertyValues = (string[])args[3]; // can contain null elements
AppDomain ad = AppDomain.CurrentDomain;
AppDomainSetup newSetup = new AppDomainSetup(setup, false);
newSetup.ApplicationBase = NormalizePath(propertyValues[i], fullCheck: true);
}
- else if (propertyNames[i] == "LOADER_OPTIMIZATION")
- {
- if (propertyValues[i] == null)
- throw new ArgumentNullException("LOADER_OPTIMIZATION");
-
- switch (propertyValues[i])
- {
- case "SingleDomain": newSetup.LoaderOptimization = LoaderOptimization.SingleDomain; break;
- case "MultiDomain": newSetup.LoaderOptimization = LoaderOptimization.MultiDomain; break;
- case "MultiDomainHost": newSetup.LoaderOptimization = LoaderOptimization.MultiDomainHost; break;
- case "NotSpecified": newSetup.LoaderOptimization = LoaderOptimization.NotSpecified; break;
- default: throw new ArgumentException(SR.Argument_UnrecognizedLoaderOptimization, "LOADER_OPTIMIZATION");
- }
- }
else if (propertyNames[i] == "TRUSTED_PLATFORM_ASSEMBLIES" ||
propertyNames[i] == "PLATFORM_RESOURCE_ROOTS" ||
propertyNames[i] == "APP_PATHS" ||
// but it's confusing since it isn't immediately obvious whether we have a ref or a copy
AppDomainSetup adSetup = ad.FusionStore;
- adSetup.InternalSetApplicationTrust(sandboxName);
-
// set up the friendly name
ad.nSetupFriendlyName(friendlyName);
-#if FEATURE_COMINTEROP
- if (setup != null && setup.SandboxInterop)
- {
- ad.nSetDisableInterfaceCache();
- }
-#endif // FEATURE_COMINTEROP
-
ad.CreateAppDomainManager(); // could modify FusionStore's object
- ad.InitializeDomainSecurity(providedSecurityInfo,
- creatorsSecurityInfo,
- generateDefaultEvidence,
- parentSecurityDescriptor,
- true);
-
- // can load user code now
- if (initializerInfo != null)
- adSetup.AppDomainInitializer = initializerInfo.Unwrap();
- RunInitializer(adSetup);
return null;
}
AppDomainSetup setup = new AppDomainSetup();
// always use internet permission set
- setup.InternalSetApplicationTrust("Internet");
SetupFusionStore(setup, null);
}
}
}
- private void SetupDomainSecurity(Evidence appDomainEvidence,
- IntPtr creatorsSecurityDescriptor,
- bool publishAppDomain)
- {
- Evidence stackEvidence = appDomainEvidence;
- SetupDomainSecurity(GetNativeHandle(),
- JitHelpers.GetObjectHandleOnStack(ref stackEvidence),
- creatorsSecurityDescriptor,
- publishAppDomain);
- }
-
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void SetupDomainSecurity(AppDomainHandle appDomain,
- ObjectHandleOnStack appDomainEvidence,
- IntPtr creatorsSecurityDescriptor,
- [MarshalAs(UnmanagedType.Bool)] bool publishAppDomain);
-
[MethodImplAttribute(MethodImplOptions.InternalCall)]
private extern void nSetupFriendlyName(string friendlyName);
-#if FEATURE_COMINTEROP
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- private extern void nSetDisableInterfaceCache();
-#endif // FEATURE_COMINTEROP
-
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- internal extern void UpdateLoaderOptimization(LoaderOptimization optimization);
-
public AppDomainSetup SetupInformation
{
get
[MethodImplAttribute(MethodImplOptions.InternalCall)]
internal extern String GetOrInternString(String str);
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void GetGrantSet(AppDomainHandle domain, ObjectHandleOnStack retGrantSet);
-
public bool IsFullyTrusted
{
get
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-
-/*=============================================================================
-**
-**
-**
-** Purpose: For AppDomain-related custom attributes.
-**
-**
-=============================================================================*/
-
-namespace System
-{
- internal enum LoaderOptimization
- {
- NotSpecified = 0,
- SingleDomain = 1,
- MultiDomain = 2,
- MultiDomainHost = 3,
- [Obsolete("This method has been deprecated. Please use Assembly.Load() instead. http://go.microsoft.com/fwlink/?linkid=14202")]
- DomainMask = 3,
- [Obsolete("This method has been deprecated. Please use Assembly.Load() instead. http://go.microsoft.com/fwlink/?linkid=14202")]
- DisallowBindings = 4
- }
-}
-
using System.Runtime.InteropServices;
using System.Runtime.Serialization;
using System.Security;
- using System.Security.Policy;
using Path = System.IO.Path;
using System.Diagnostics;
using System.Diagnostics.Contracts;
// of these fields or add new ones.
private string[] _Entries;
- private LoaderOptimization _LoaderOptimization;
#pragma warning disable 169
private String _AppBase; // for compat with v1.1
#pragma warning restore 169
- [OptionalField(VersionAdded = 2)]
- private AppDomainInitializer _AppDomainInitializer;
- [OptionalField(VersionAdded = 2)]
- private string[] _AppDomainInitializerArguments;
-
- // On the CoreCLR, this contains just the name of the permission set that we install in the new appdomain.
- // Not the ToXml().ToString() of an ApplicationTrust object.
- [OptionalField(VersionAdded = 2)]
- private string _ApplicationTrust;
- [OptionalField(VersionAdded = 2)]
- private byte[] _ConfigurationBytes;
-#if FEATURE_COMINTEROP
- [OptionalField(VersionAdded = 3)]
- private bool _DisableInterfaceCache = false;
-#endif // FEATURE_COMINTEROP
- [OptionalField(VersionAdded = 4)]
- private string _AppDomainManagerAssembly;
- [OptionalField(VersionAdded = 4)]
- private string _AppDomainManagerType;
// A collection of strings used to indicate which breaking changes shouldn't be applied
// to an AppDomain. We only use the keys, the values are ignored.
mine[i] = null;
}
- _LoaderOptimization = copy._LoaderOptimization;
-
- _AppDomainInitializerArguments = copy.AppDomainInitializerArguments;
- _ApplicationTrust = copy._ApplicationTrust;
-
- if (copyDomainBoundData)
- _AppDomainInitializer = copy.AppDomainInitializer;
- else
- _AppDomainInitializer = null;
-
- _ConfigurationBytes = null;
-#if FEATURE_COMINTEROP
- _DisableInterfaceCache = copy._DisableInterfaceCache;
-#endif // FEATURE_COMINTEROP
- _AppDomainManagerAssembly = copy.AppDomainManagerAssembly;
- _AppDomainManagerType = copy.AppDomainManagerType;
-
if (copy._CompatFlags != null)
{
SetCompatibilitySwitches(copy._CompatFlags.Keys);
#endif
}
- else
- _LoaderOptimization = LoaderOptimization.NotSpecified;
}
public AppDomainSetup()
{
- _LoaderOptimization = LoaderOptimization.NotSpecified;
}
internal void SetupDefaults(string imageLocation, bool imageLocationAlreadyNormalized = false)
}
}
- public string AppDomainManagerAssembly
- {
- get { return _AppDomainManagerAssembly; }
- set { _AppDomainManagerAssembly = value; }
- }
-
- public string AppDomainManagerType
- {
- get { return _AppDomainManagerType; }
- set { _AppDomainManagerType = value; }
- }
-
public String ApplicationBase
{
[Pure]
Value[(int)LoaderInformation.ApplicationNameValue] = value;
}
}
-
- public AppDomainInitializer AppDomainInitializer
- {
- get
- {
- return _AppDomainInitializer;
- }
-
- set
- {
- _AppDomainInitializer = value;
- }
- }
- public string[] AppDomainInitializerArguments
- {
- get
- {
- return _AppDomainInitializerArguments;
- }
-
- set
- {
- _AppDomainInitializerArguments = value;
- }
- }
-
- internal ApplicationTrust InternalGetApplicationTrust()
- {
- if (_ApplicationTrust == null) return null;
- ApplicationTrust grantSet = new ApplicationTrust();
- return grantSet;
- }
-
- internal void InternalSetApplicationTrust(String permissionSetName)
- {
- _ApplicationTrust = permissionSetName;
- }
-
- internal ApplicationTrust ApplicationTrust
- {
- get
- {
- return InternalGetApplicationTrust();
- }
- }
-
- public LoaderOptimization LoaderOptimization
- {
- get
- {
- return _LoaderOptimization;
- }
-
- set
- {
- _LoaderOptimization = value;
- }
- }
-
- internal static string LoaderOptimizationKey
- {
- get
- {
- return LOADER_OPTIMIZATION;
- }
- }
-
-#if FEATURE_COMINTEROP
- public bool SandboxInterop
- {
- get
- {
- return _DisableInterfaceCache;
- }
- set
- {
- _DisableInterfaceCache = value;
- }
- }
-#endif // FEATURE_COMINTEROP
}
}
[MethodImplAttribute(MethodImplOptions.InternalCall)]
public static extern void FailFast(String message, Exception exception);
- /*===============================CurrentDirectory===============================
- **Action: Provides a getter and setter for the current directory. The original
- ** current directory is the one from which the process was started.
- **Returns: The current directory (from the getter). Void from the setter.
- **Arguments: The current directory to which to switch to the setter.
- **Exceptions:
- ==============================================================================*/
- internal static String CurrentDirectory
- {
- get
- {
- return Directory.GetCurrentDirectory();
- }
-
- set
- {
- Directory.SetCurrentDirectory(value);
- }
- }
-
// Returns the system directory (ie, C:\WinNT\System32).
internal static String SystemDirectory
{
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-
-/*=============================================================================
-**
-**
-** Purpose: Interface meant for CLR to participate in framework rundown.
-** AppDomainPauseManager is the class that encapsulates all Fx rundown work.
-**
-**
-=============================================================================*/
-
-using System;
-using System.Threading;
-using System.Security;
-using System.Diagnostics.Contracts;
-using System.Runtime.Versioning;
-using System.Runtime.CompilerServices;
-
-namespace System
-{
- internal class AppDomainPauseManager
- {
- public AppDomainPauseManager()
- {
- isPaused = false;
- }
-
- static AppDomainPauseManager()
- {
- }
-
- private static readonly AppDomainPauseManager instance = new AppDomainPauseManager();
-
- private static volatile bool isPaused;
-
- internal static bool IsPaused
- {
- get { return isPaused; }
- }
-
- internal static ManualResetEvent ResumeEvent
- {
- get;
- set;
- }
- }
-}
if (path == null) return null;
return path.Substring(0, PathInternal.GetRootLength(path));
}
-
- /*===============================CurrentDirectory===============================
- **Action: Provides a getter and setter for the current directory. The original
- ** current DirectoryInfo is the one from which the process was started.
- **Returns: The current DirectoryInfo (from the getter). Void from the setter.
- **Arguments: The current DirectoryInfo to which to switch to the setter.
- **Exceptions:
- ==============================================================================*/
- public static String GetCurrentDirectory()
- {
- // Start with a buffer the size of MAX_PATH
- StringBuffer buffer = new StringBuffer(260);
- try
- {
- uint result = 0;
- while ((result = Win32Native.GetCurrentDirectoryW((uint)buffer.Capacity, buffer.UnderlyingArray)) > buffer.Capacity)
- {
- // Reported size is greater than the buffer size. Increase the capacity.
- // The size returned includes the null only if more space is needed (this case).
- buffer.EnsureCapacity(checked((int)result));
- }
-
- if (result == 0)
- __Error.WinIOError();
-
- buffer.Length = (int)result;
-
-#if PLATFORM_WINDOWS
- if (buffer.Contains('~'))
- return Path.GetFullPath(buffer.ToString());
-#endif // PLATFORM_WINDOWS
-
- return buffer.ToString();
- }
- finally
- {
- buffer.Free();
- }
- }
-
- public static void SetCurrentDirectory(String path)
- {
- if (path == null)
- throw new ArgumentNullException(nameof(path));
- if (path.Length == 0)
- throw new ArgumentException(SR.Argument_PathEmpty);
- if (path.Length >= Path.MaxPath)
- throw new PathTooLongException(SR.IO_PathTooLong);
-
- String fulldestDirName = Path.GetFullPath(path);
-
- if (!Win32Native.SetCurrentDirectory(fulldestDirName))
- {
- // If path doesn't exist, this sets last error to 2 (File
- // not Found). LEGACY: This may potentially have worked correctly
- // on Win9x, maybe.
- int errorCode = Marshal.GetLastWin32Error();
- if (errorCode == Win32Native.ERROR_FILE_NOT_FOUND)
- errorCode = Win32Native.ERROR_PATH_NOT_FOUND;
- __Error.WinIOError(errorCode, fulldestDirName);
- }
- }
}
}
// See the LICENSE file in the project root for more information.
using System.Collections.Generic;
-using System.Security.Policy;
using System.IO;
using System.Configuration.Assemblies;
using StackCrawlMark = System.Threading.StackCrawlMark;
Contract.Ensures(!Contract.Result<Assembly>().ReflectionOnly);
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
- return RuntimeAssembly.InternalLoad(assemblyString, null, ref stackMark, false /*forIntrospection*/);
+ return RuntimeAssembly.InternalLoad(assemblyString, ref stackMark);
}
// Returns type from the assembly while keeping compatibility with Assembly.Load(assemblyString).GetType(typeName) for managed types.
RuntimeAssembly assembly;
AssemblyName assemblyName = RuntimeAssembly.CreateAssemblyName(
assemblyString,
- false /*forIntrospection*/,
out assembly);
if (assembly == null)
}
assembly = RuntimeAssembly.InternalLoadAssemblyName(
- assemblyName, null, null, ref stackMark,
- true /*thrownOnFileNotFound*/, false /*forIntrospection*/);
+ assemblyName, null, ref stackMark,
+ true /*thrownOnFileNotFound*/);
}
return assembly.GetType(typeName, true /*throwOnError*/, false /*ignoreCase*/);
}
}
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
- return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, null, ref stackMark, true /*thrownOnFileNotFound*/, false /*forIntrospection*/);
+ return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, ref stackMark, true /*thrownOnFileNotFound*/);
}
// Locate an assembly by its name. The name can be strong or
}
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
- return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, null, ref stackMark, true /*thrownOnFileNotFound*/, false /*forIntrospection*/, ptrLoadContextBinder);
+ return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, ref stackMark, true /*thrownOnFileNotFound*/, ptrLoadContextBinder);
}
// Loads the assembly with a COFF based IMAGE containing
}
[MethodImplAttribute(MethodImplOptions.InternalCall)]
- internal extern void nInit(out RuntimeAssembly assembly, bool forIntrospection, bool raiseResolveEvent);
+ internal extern void nInit(out RuntimeAssembly assembly, bool raiseResolveEvent);
internal void nInit()
{
RuntimeAssembly dummy = null;
- nInit(out dummy, false, false);
+ nInit(out dummy, false);
}
internal void SetProcArchIndex(PortableExecutableKinds pek, ImageFileMachine ifm)
// ... however if the attribute is sealed we can rely on the attribute usage
if (!inherit || (caType.IsSealed && !CustomAttribute.GetAttributeUsage(caType).Inherited))
{
- object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(type));
+ object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
while (type != (RuntimeType)typeof(object) && type != null)
{
- object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, 0, caType, mustBeInheritable, result, !AllowCriticalCustomAttributes(type));
+ object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, 0, caType, mustBeInheritable, result);
mustBeInheritable = true;
for (int i = 0; i < attributes.Length; i++)
result.Add(attributes[i]);
return typedResult;
}
- private static bool AllowCriticalCustomAttributes(RuntimeType type)
- {
- if (type.IsGenericParameter)
- {
- // Generic parameters don't have transparency state, so look at the
- // declaring method/type. One of declaringMethod or declaringType
- // must be set.
- MethodBase declaringMethod = type.DeclaringMethod;
- if (declaringMethod != null)
- {
- return AllowCriticalCustomAttributes(declaringMethod);
- }
- else
- {
- type = type.DeclaringType as RuntimeType;
- Debug.Assert(type != null);
- }
- }
-
- return !type.IsSecurityTransparent || SpecialAllowCriticalAttributes(type);
- }
-
- private static bool SpecialAllowCriticalAttributes(RuntimeType type)
- {
- return false;
- }
-
- private static bool AllowCriticalCustomAttributes(MethodBase method)
- {
- Contract.Requires(method is RuntimeMethodInfo || method is RuntimeConstructorInfo);
-
- return !method.IsSecurityTransparent ||
- SpecialAllowCriticalAttributes((RuntimeType)method.DeclaringType);
- }
-
- private static bool AllowCriticalCustomAttributes(RuntimeFieldInfo field)
- {
- return !field.IsSecurityTransparent ||
- SpecialAllowCriticalAttributes((RuntimeType)field.DeclaringType);
- }
-
- private static bool AllowCriticalCustomAttributes(RuntimeParameterInfo parameter)
- {
- // Since parameters have no transparency state, we look at the defining method instead.
- return AllowCriticalCustomAttributes(parameter.DefiningMethod);
- }
-
internal static Object[] GetCustomAttributes(RuntimeMethodInfo method, RuntimeType caType, bool inherit)
{
Contract.Requires(method != null);
// ... however if the attribute is sealed we can rely on the attribute usage
if (!inherit || (caType.IsSealed && !CustomAttribute.GetAttributeUsage(caType).Inherited))
{
- object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(method));
+ object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
while (method != null)
{
- object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, 0, caType, mustBeInheritable, result, !AllowCriticalCustomAttributes(method));
+ object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, 0, caType, mustBeInheritable, result);
mustBeInheritable = true;
for (int i = 0; i < attributes.Length; i++)
result.Add(attributes[i]);
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(ctor, caType, true, out pcaCount);
- object[] attributes = GetCustomAttributes(ctor.GetRuntimeModule(), ctor.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(ctor));
+ object[] attributes = GetCustomAttributes(ctor.GetRuntimeModule(), ctor.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(property, caType, out pcaCount);
- // Since properties and events have no transparency state, logically we should check the declaring types.
- // But then if someone wanted to apply critical attributes on a property/event he would need to make the type critical,
- // which would also implicitly made all the members critical.
- // So we check the containing assembly instead. If the assembly can contain critical code we allow critical attributes on properties/events.
- bool disallowCriticalCustomAttributes = property.GetRuntimeModule().GetRuntimeAssembly().IsAllSecurityTransparent();
- object[] attributes = GetCustomAttributes(property.GetRuntimeModule(), property.MetadataToken, pcaCount, caType, disallowCriticalCustomAttributes);
+ object[] attributes = GetCustomAttributes(property.GetRuntimeModule(), property.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(e, caType, out pcaCount);
- // Since properties and events have no transparency state, logically we should check the declaring types.
- // But then if someone wanted to apply critical attributes on a property/event he would need to make the type critical,
- // which would also implicitly made all the members critical.
- // So we check the containing assembly instead. If the assembly can contain critical code we allow critical attributes on properties/events.
- bool disallowCriticalCustomAttributes = e.GetRuntimeModule().GetRuntimeAssembly().IsAllSecurityTransparent();
- object[] attributes = GetCustomAttributes(e.GetRuntimeModule(), e.MetadataToken, pcaCount, caType, disallowCriticalCustomAttributes);
+ object[] attributes = GetCustomAttributes(e.GetRuntimeModule(), e.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(field, caType, out pcaCount);
- object[] attributes = GetCustomAttributes(field.GetRuntimeModule(), field.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(field));
+ object[] attributes = GetCustomAttributes(field.GetRuntimeModule(), field.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(parameter, caType, out pcaCount);
- object[] attributes = GetCustomAttributes(parameter.GetRuntimeModule(), parameter.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(parameter));
+ object[] attributes = GetCustomAttributes(parameter.GetRuntimeModule(), parameter.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(assembly, caType, true, out pcaCount);
int assemblyToken = RuntimeAssembly.GetToken(assembly.GetNativeHandle());
- bool isAssemblySecurityTransparent = assembly.IsAllSecurityTransparent();
- object[] attributes = GetCustomAttributes(assembly.ManifestModule as RuntimeModule, assemblyToken, pcaCount, caType, isAssemblySecurityTransparent);
+ object[] attributes = GetCustomAttributes(assembly.ManifestModule as RuntimeModule, assemblyToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
int pcaCount = 0;
Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(module, caType, out pcaCount);
- bool isModuleSecurityTransparent = module.GetRuntimeAssembly().IsAllSecurityTransparent();
- object[] attributes = GetCustomAttributes(module, module.MetadataToken, pcaCount, caType, isModuleSecurityTransparent);
+ object[] attributes = GetCustomAttributes(module, module.MetadataToken, pcaCount, caType);
if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount);
return attributes;
}
}
private unsafe static object[] GetCustomAttributes(
- RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount, RuntimeType attributeFilterType, bool isDecoratedTargetSecurityTransparent)
+ RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount, RuntimeType attributeFilterType)
{
- return GetCustomAttributes(decoratedModule, decoratedMetadataToken, pcaCount, attributeFilterType, false, null, isDecoratedTargetSecurityTransparent);
+ return GetCustomAttributes(decoratedModule, decoratedMetadataToken, pcaCount, attributeFilterType, false, null);
}
private unsafe static object[] GetCustomAttributes(
RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount,
- RuntimeType attributeFilterType, bool mustBeInheritable, IList derivedAttributes, bool isDecoratedTargetSecurityTransparent)
+ RuntimeType attributeFilterType, bool mustBeInheritable, IList derivedAttributes)
{
if (decoratedModule.Assembly.ReflectionOnly)
throw new InvalidOperationException(SR.Arg_ReflectionOnlyCA);
out attributeType, out ctor, out ctorHasParameters, out isVarArg))
continue;
- if (ctor != null)
- {
- // Linktime demand checks
- // decoratedMetadataToken needed as it may be "transparent" in which case we do a full stack walk
- RuntimeMethodHandle.CheckLinktimeDemands(ctor, decoratedModule, isDecoratedTargetSecurityTransparent);
- }
- else
- {
- }
-
// Leverage RuntimeConstructorInfo standard .ctor verfication
RuntimeConstructorInfo.CheckCanCreateInstance(attributeType, isVarArg);
if (!setMethod.IsPublic)
continue;
- RuntimeMethodHandle.CheckLinktimeDemands(setMethod, decoratedModule, isDecoratedTargetSecurityTransparent);
-
setMethod.UnsafeInvoke(attribute, BindingFlags.Default, null, new object[] { value }, null);
#endregion
}
{
RtFieldInfo field = attributeType.GetField(name) as RtFieldInfo;
- if (isDecoratedTargetSecurityTransparent)
- {
- RuntimeFieldHandle.CheckAttributeAccess(field.FieldHandle, decoratedModule.GetNativeHandle());
- }
-
field.CheckConsistency(attribute);
field.UnsafeSetValue(attribute, value, BindingFlags.Default, Type.DefaultBinder, null);
}
using System.Runtime.Serialization;
using System.Runtime.Versioning;
using System.Security;
- using System.Security.Policy;
using System.Threading;
- // These must match the definitions in Assembly.hpp
- [Flags]
- internal enum DynamicAssemblyFlags
- {
- None = 0x00000000,
-
- // Security attributes which affect the module security descriptor
- AllCritical = 0x00000001,
- Aptca = 0x00000002,
- Critical = 0x00000004,
- Transparent = 0x00000008,
- TreatAsSafe = 0x00000010,
- }
-
// When the user calls AppDomain.DefineDynamicAssembly the loader creates a new InternalAssemblyBuilder.
// This InternalAssemblyBuilder can be retrieved via a call to Assembly.GetAssemblies() by untrusted code.
// In the past, when InternalAssemblyBuilder was AssemblyBuilder, the untrusted user could down cast the
internal AssemblyBuilder(AppDomain domain,
AssemblyName name,
AssemblyBuilderAccess access,
- String dir,
- Evidence evidence,
ref StackCrawlMark stackMark,
- IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes,
- SecurityContextSource securityContextSource)
+ IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes)
{
if (name == null)
throw new ArgumentNullException(nameof(name));
throw new ArgumentException(SR.Format(SR.Arg_EnumIllegalVal, (int)access), nameof(access));
}
- if (securityContextSource < SecurityContextSource.CurrentAppDomain ||
- securityContextSource > SecurityContextSource.CurrentAssembly)
- {
- throw new ArgumentOutOfRangeException(nameof(securityContextSource));
- }
-
// Clone the name in case the caller modifies it underneath us.
name = (AssemblyName)name.Clone();
// assembly. Currently, we look for any attribute which modifies the security transparency
// of the assembly.
List<CustomAttributeBuilder> assemblyAttributes = null;
- DynamicAssemblyFlags assemblyFlags = DynamicAssemblyFlags.None;
- byte[] securityRulesBlob = null;
- byte[] aptcaBlob = null;
if (unsafeAssemblyAttributes != null)
{
// Create a copy to ensure that it cannot be modified from another thread
// as it is used further below.
assemblyAttributes = new List<CustomAttributeBuilder>(unsafeAssemblyAttributes);
-
-#pragma warning disable 618 // We deal with legacy attributes here as well for compat
- foreach (CustomAttributeBuilder attribute in assemblyAttributes)
- {
- if (attribute.m_con.DeclaringType == typeof(SecurityTransparentAttribute))
- {
- assemblyFlags |= DynamicAssemblyFlags.Transparent;
- }
- else if (attribute.m_con.DeclaringType == typeof(SecurityCriticalAttribute))
- {
- {
- assemblyFlags |= DynamicAssemblyFlags.AllCritical;
- }
- }
- }
-#pragma warning restore 618
}
m_internalAssemblyBuilder = (InternalAssemblyBuilder)nCreateDynamicAssembly(domain,
name,
- evidence,
ref stackMark,
- securityRulesBlob,
- aptcaBlob,
- access,
- assemblyFlags,
- securityContextSource);
+ access);
m_assemblyData = new AssemblyBuilderData(m_internalAssemblyBuilder,
name.Name,
- access,
- dir);
+ access);
// Make sure that ManifestModule is properly initialized
// We need to do this before setting any CustomAttribute
Contract.Ensures(Contract.Result<AssemblyBuilder>() != null);
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
- return InternalDefineDynamicAssembly(name, access, null,
- null, ref stackMark, null, SecurityContextSource.CurrentAssembly);
+ return InternalDefineDynamicAssembly(name, access,
+ ref stackMark, null);
}
[System.Security.DynamicSecurityMethod] // Methods containing StackCrawlMark local var has to be marked DynamicSecurityMethod
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
return InternalDefineDynamicAssembly(name,
access,
- null, null,
ref stackMark,
- assemblyAttributes, SecurityContextSource.CurrentAssembly);
+ assemblyAttributes);
}
[MethodImplAttribute(MethodImplOptions.InternalCall)]
private static extern Assembly nCreateDynamicAssembly(AppDomain domain,
AssemblyName name,
- Evidence identity,
ref StackCrawlMark stackMark,
- byte[] securityRulesBlob,
- byte[] aptcaBlob,
- AssemblyBuilderAccess access,
- DynamicAssemblyFlags flags,
- SecurityContextSource securityContextSource);
+ AssemblyBuilderAccess access);
private class AssemblyBuilderLock { }
internal static AssemblyBuilder InternalDefineDynamicAssembly(
AssemblyName name,
AssemblyBuilderAccess access,
- String dir,
- Evidence evidence,
ref StackCrawlMark stackMark,
- IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes,
- SecurityContextSource securityContextSource)
+ IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes)
{
lock (typeof(AssemblyBuilderLock))
{
return new AssemblyBuilder(AppDomain.CurrentDomain,
name,
access,
- dir,
- evidence,
ref stackMark,
- unsafeAssemblyAttributes,
- securityContextSource);
+ unsafeAssemblyAttributes);
} //lock(typeof(AssemblyBuilderLock))
}
#endregion
internal AssemblyBuilderData(
InternalAssemblyBuilder assembly,
String strAssemblyName,
- AssemblyBuilderAccess access,
- String dir)
+ AssemblyBuilderAccess access)
{
m_assembly = assembly;
m_strAssemblyName = strAssemblyName;
m_moduleBuilderList = new List<ModuleBuilder>();
m_resWriterList = new List<ResWriterData>();
- //Init to null/0 done for you by the CLR. FXCop has spoken
-
- if (dir == null && access != AssemblyBuilderAccess.Run)
- m_strDir = Environment.CurrentDirectory;
- else
- m_strDir = dir;
-
m_peFileKind = PEFileKinds.Dll;
}
internal bool m_isSaved;
internal const int m_iInitialSize = 16;
- internal String m_strDir;
// hard coding the assembly def token
internal const int m_tkAssembly = 0x20000001;
AssemblyBuilder assembly = AssemblyBuilder.InternalDefineDynamicAssembly(
assemblyName,
AssemblyBuilderAccess.Run,
- null, null,
ref stackMark,
- assemblyAttributes,
- SecurityContextSource.CurrentAssembly);
+ assemblyAttributes);
AppDomain.PublishAnonymouslyHostedDynamicMethodsAssembly(assembly.GetNativeHandle());
{
get
{
- String fullyQualifiedName = m_moduleData.m_strFileName;
- if (fullyQualifiedName == null)
- return null;
- if (ContainingAssemblyBuilder.m_assemblyData.m_strDir != null)
- {
- fullyQualifiedName = Path.Combine(ContainingAssemblyBuilder.m_assemblyData.m_strDir, fullyQualifiedName);
- fullyQualifiedName = Path.GetFullPath(fullyQualifiedName);
- }
-
- return fullyQualifiedName;
+ return m_moduleData.m_strFileName;
}
}
using System.Collections.Generic;
using CultureInfo = System.Globalization.CultureInfo;
using System.Security;
-using System.Security.Policy;
using System.IO;
using StringBuilder = System.Text.StringBuilder;
using System.Configuration.Assemblies;
// Wrapper function to wrap the typical use of InternalLoad.
internal static RuntimeAssembly InternalLoad(String assemblyString,
- Evidence assemblySecurity,
- ref StackCrawlMark stackMark,
- bool forIntrospection)
+ ref StackCrawlMark stackMark)
{
- return InternalLoad(assemblyString, assemblySecurity, ref stackMark, IntPtr.Zero, forIntrospection);
+ return InternalLoad(assemblyString, ref stackMark, IntPtr.Zero);
}
[System.Security.DynamicSecurityMethod] // Methods containing StackCrawlMark local var has to be marked DynamicSecurityMethod
internal static RuntimeAssembly InternalLoad(String assemblyString,
- Evidence assemblySecurity,
ref StackCrawlMark stackMark,
- IntPtr pPrivHostBinder,
- bool forIntrospection)
+ IntPtr pPrivHostBinder)
{
RuntimeAssembly assembly;
- AssemblyName an = CreateAssemblyName(assemblyString, forIntrospection, out assembly);
+ AssemblyName an = CreateAssemblyName(assemblyString, out assembly);
if (assembly != null)
{
return assembly;
}
- return InternalLoadAssemblyName(an, assemblySecurity, null, ref stackMark,
+ return InternalLoadAssemblyName(an, null, ref stackMark,
pPrivHostBinder,
- true /*thrownOnFileNotFound*/, forIntrospection);
+ true /*thrownOnFileNotFound*/);
}
// Creates AssemblyName. Fills assembly if AssemblyResolve event has been raised.
internal static AssemblyName CreateAssemblyName(
String assemblyString,
- bool forIntrospection,
out RuntimeAssembly assemblyFromResolveEvent)
{
if (assemblyString == null)
(assemblyString[0] == '\0'))
throw new ArgumentException(SR.Format_StringZeroLength);
- if (forIntrospection)
- AppDomain.CheckReflectionOnlyLoadSupported();
-
AssemblyName an = new AssemblyName();
an.Name = assemblyString;
- an.nInit(out assemblyFromResolveEvent, forIntrospection, true);
+ an.nInit(out assemblyFromResolveEvent, true);
return an;
}
// Wrapper function to wrap the typical use of InternalLoadAssemblyName.
internal static RuntimeAssembly InternalLoadAssemblyName(
AssemblyName assemblyRef,
- Evidence assemblySecurity,
RuntimeAssembly reqAssembly,
ref StackCrawlMark stackMark,
bool throwOnFileNotFound,
- bool forIntrospection,
IntPtr ptrLoadContextBinder = default(IntPtr))
{
- return InternalLoadAssemblyName(assemblyRef, assemblySecurity, reqAssembly, ref stackMark, IntPtr.Zero, true /*throwOnError*/, forIntrospection, ptrLoadContextBinder);
+ return InternalLoadAssemblyName(assemblyRef, reqAssembly, ref stackMark, IntPtr.Zero, true /*throwOnError*/, ptrLoadContextBinder);
}
internal static RuntimeAssembly InternalLoadAssemblyName(
AssemblyName assemblyRef,
- Evidence assemblySecurity,
RuntimeAssembly reqAssembly,
ref StackCrawlMark stackMark,
IntPtr pPrivHostBinder,
bool throwOnFileNotFound,
- bool forIntrospection,
IntPtr ptrLoadContextBinder = default(IntPtr))
{
if (assemblyRef == null)
}
assemblyRef = (AssemblyName)assemblyRef.Clone();
- if (!forIntrospection &&
- (assemblyRef.ProcessorArchitecture != ProcessorArchitecture.None))
+ if (assemblyRef.ProcessorArchitecture != ProcessorArchitecture.None)
{
// PA does not have a semantics for by-name binds for execution
assemblyRef.ProcessorArchitecture = ProcessorArchitecture.None;
String codeBase = VerifyCodeBase(assemblyRef.CodeBase);
- return nLoad(assemblyRef, codeBase, assemblySecurity, reqAssembly, ref stackMark,
+ return nLoad(assemblyRef, codeBase, reqAssembly, ref stackMark,
pPrivHostBinder,
- throwOnFileNotFound, forIntrospection, ptrLoadContextBinder);
+ throwOnFileNotFound, ptrLoadContextBinder);
}
- // These are the framework assemblies that does reflection invocation
- // on behalf of user code. We allow framework code to invoke non-W8P
- // framework APIs but don't want user code to gain that privilege
- // through these assemblies. So we blaklist them.
- private static string[] s_unsafeFrameworkAssemblyNames = new string[] {
- "System.Reflection.Context",
- "Microsoft.VisualBasic"
- };
-
#if FEATURE_APPX
internal bool IsFrameworkAssembly()
{
#endif
[MethodImplAttribute(MethodImplOptions.InternalCall)]
- private static extern RuntimeAssembly _nLoad(AssemblyName fileName,
- String codeBase,
- Evidence assemblySecurity,
- RuntimeAssembly locationHint,
- ref StackCrawlMark stackMark,
- IntPtr pPrivHostBinder,
- bool throwOnFileNotFound,
- bool forIntrospection,
- bool suppressSecurityChecks,
- IntPtr ptrLoadContextBinder);
-
- private static RuntimeAssembly nLoad(AssemblyName fileName,
- String codeBase,
- Evidence assemblySecurity,
- RuntimeAssembly locationHint,
- ref StackCrawlMark stackMark,
- IntPtr pPrivHostBinder,
- bool throwOnFileNotFound,
- bool forIntrospection,
- IntPtr ptrLoadContextBinder = default(IntPtr))
- {
- return _nLoad(fileName, codeBase, assemblySecurity, locationHint, ref stackMark,
- pPrivHostBinder,
- throwOnFileNotFound, forIntrospection, true /* suppressSecurityChecks */, ptrLoadContextBinder);
- }
-
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- private static extern bool IsReflectionOnly(RuntimeAssembly assembly);
+ private static extern RuntimeAssembly nLoad(AssemblyName fileName,
+ String codeBase,
+ RuntimeAssembly locationHint,
+ ref StackCrawlMark stackMark,
+ IntPtr pPrivHostBinder,
+ bool throwOnFileNotFound,
+ IntPtr ptrLoadContextBinder = default(IntPtr));
public override bool ReflectionOnly
{
get
{
- return IsReflectionOnly(GetNativeHandle());
+ return false;
}
}
return publicKey;
}
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private extern static bool IsAllSecurityTransparent(RuntimeAssembly assembly);
-
- // Is everything introduced by this assembly transparent
- internal bool IsAllSecurityTransparent()
- {
- return IsAllSecurityTransparent(GetNativeHandle());
- }
-
// This method is called by the VM.
private RuntimeModule OnModuleResolveEvent(String moduleName)
{
an.CultureInfo = culture;
an.Name = name;
- RuntimeAssembly retAssembly = nLoad(an, null, null, this, ref stackMark,
+ RuntimeAssembly retAssembly = nLoad(an, null, this, ref stackMark,
IntPtr.Zero,
- throwOnFileNotFound, false);
+ throwOnFileNotFound);
if (retAssembly == this || (retAssembly == null && throwOnFileNotFound))
{
public override bool IsSecurityCritical
{
- get { return new RuntimeTypeHandle(this).IsSecurityCritical(); }
+ get { return true; }
}
public override bool IsSecuritySafeCritical
{
- get { return new RuntimeTypeHandle(this).IsSecuritySafeCritical(); }
+ get { return false; }
}
public override bool IsSecurityTransparent
{
- get { return new RuntimeTypeHandle(this).IsSecurityTransparent(); }
+ get { return false; }
}
#endregion
return _IsVisible(new RuntimeTypeHandle(type));
}
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecurityCritical(RuntimeTypeHandle typeHandle);
-
- internal bool IsSecurityCritical()
- {
- return IsSecurityCritical(GetNativeHandle());
- }
-
-
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecuritySafeCritical(RuntimeTypeHandle typeHandle);
-
- internal bool IsSecuritySafeCritical()
- {
- return IsSecuritySafeCritical(GetNativeHandle());
- }
-
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecurityTransparent(RuntimeTypeHandle typeHandle);
-
- internal bool IsSecurityTransparent()
- {
- return IsSecurityTransparent(GetNativeHandle());
- }
-
[MethodImplAttribute(MethodImplOptions.InternalCall)]
internal extern static bool IsValueType(RuntimeType type);
return ptr;
}
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- internal unsafe extern static void CheckLinktimeDemands(IRuntimeMethodInfo method, RuntimeModule module, bool isDecoratedTargetSecurityTransparent);
-
[DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
[SuppressUnmanagedCodeSecurity]
internal extern static bool IsCAVisibleFromDecoratedType(
[MethodImplAttribute(MethodImplOptions.InternalCall)]
internal static extern bool AcquiresContextFromThis(RuntimeFieldHandleInternal field);
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecurityCritical(RuntimeFieldHandle fieldHandle);
-
- internal bool IsSecurityCritical()
- {
- return IsSecurityCritical(GetNativeHandle());
- }
-
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecuritySafeCritical(RuntimeFieldHandle fieldHandle);
-
- internal bool IsSecuritySafeCritical()
- {
- return IsSecuritySafeCritical(GetNativeHandle());
- }
-
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool IsSecurityTransparent(RuntimeFieldHandle fieldHandle);
-
- internal bool IsSecurityTransparent()
- {
- return IsSecurityTransparent(GetNativeHandle());
- }
-
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- internal static extern void CheckAttributeAccess(RuntimeFieldHandle fieldHandle, RuntimeModule decoratedTarget);
-
// ISerializable interface
private RuntimeFieldHandle(SerializationInfo info, StreamingContext context)
{
public static new void Sleep(int millisecondsTimeout)
{
SleepInternal(millisecondsTimeout);
- // Ensure we don't return to app code when the pause is underway
- if (AppDomainPauseManager.IsPaused)
- AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS();
}
public static void Sleep(TimeSpan timeout)
Contract.EndContractBlock();
int ret = WaitOneNative(waitableSafeHandle, (uint)millisecondsTimeout, hasThreadAffinity, exitContext);
- if (AppDomainPauseManager.IsPaused)
- AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS();
-
if (ret == WAIT_ABANDONED)
{
ThrowAbandonedMutexException();
int ret = WaitMultiple(internalWaitHandles, millisecondsTimeout, exitContext, true /* waitall*/ );
- if (AppDomainPauseManager.IsPaused)
- AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS();
-
if ((WAIT_ABANDONED <= ret) && (WAIT_ABANDONED + internalWaitHandles.Length > ret))
{
//In the case of WaitAll the OS will only provide the
#endif
int ret = WaitMultiple(internalWaitHandles, millisecondsTimeout, exitContext, false /* waitany*/ );
- if (AppDomainPauseManager.IsPaused)
- AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS();
-
if ((WAIT_ABANDONED <= ret) && (WAIT_ABANDONED + internalWaitHandles.Length > ret))
{
int mutexIndex = ret - WAIT_ABANDONED;
{
if (throwOnError)
{
- assembly = RuntimeAssembly.InternalLoad(asmName, null, ref stackMark, false /*forIntrospection*/);
+ assembly = RuntimeAssembly.InternalLoad(asmName, ref stackMark);
}
else
{
// Other exceptions like BadImangeFormatException should still fly.
try
{
- assembly = RuntimeAssembly.InternalLoad(asmName, null, ref stackMark, false /*forIntrospection*/);
+ assembly = RuntimeAssembly.InternalLoad(asmName, ref stackMark);
}
catch (FileNotFoundException)
{
precode.cpp
prestub.cpp
rejit.cpp
- securitydescriptor.cpp
- securitydescriptorassembly.cpp
+ security.cpp
sigformat.cpp
siginfo.cpp
spinlock.cpp
set(VM_SOURCES_WKS
${VM_SOURCES_DAC_AND_WKS_COMMON}
appdomainnative.cpp
- appdomainstack.cpp
assemblyname.cpp
assemblynative.cpp
assemblyspec.cpp
runtimehandles.cpp
safehandle.cpp
sampleprofiler.cpp
- security.cpp
- securityattributes.cpp
- securitydeclarative.cpp
- securitydeclarativecache.cpp
- securitydescriptorappdomain.cpp
- securitymeta.cpp
- securitypolicy.cpp
- securitytransparentassembly.cpp
sha1.cpp
simplerwlock.cpp
sourceline.cpp
threaddebugblockinginfo.cpp
threadsuspend.cpp
typeparse.cpp
- verifier.cpp
weakreferencenative.cpp
${VM_SOURCES_GDBJIT}
)
}
// Only partially load the system assembly. Other parts of the code will want to access
// the globals in this function before finishing the load.
- m_pSystemAssembly = DefaultDomain()->LoadDomainAssembly(NULL, m_pSystemFile, FILE_LOAD_POST_LOADLIBRARY, NULL)->GetCurrentAssembly();
+ m_pSystemAssembly = DefaultDomain()->LoadDomainAssembly(NULL, m_pSystemFile, FILE_LOAD_POST_LOADLIBRARY)->GetCurrentAssembly();
// Set up binder for mscorlib
MscorlibBinder::AttachModule(m_pSystemAssembly->GetManifestModule());
{
GCX_COOP();
-#ifndef CROSSGEN_COMPILE
- if (!NingenEnabled())
- {
- }
-#endif // CROSSGEN_COMPILE
-
pDefaultDomain->InitializeDomainContext(allowRedirects, pwsPath, pwsConfig);
#ifndef CROSSGEN_COMPILE
if (!IsSingleAppDomain())
{
pDefaultDomain->InitializeDefaultDomainManager();
- pDefaultDomain->InitializeDefaultDomainSecurity();
}
}
#endif // CROSSGEN_COMPILE
CLASS__LAZY_INITIALIZER,
CLASS__DYNAMICMETHOD,
CLASS__DELEGATE,
- CLASS__MULTICAST_DELEGATE
+ CLASS__MULTICAST_DELEGATE,
+ CLASS__APP_DOMAIN
};
static const BinderClassID genericReflectionInvocationTypes[] = {
if (MscorlibBinder::GetExistingClass(reflectionInvocationTypes[i]) == pCaller)
return true;
}
-
- // AppDomain is an example of a type that is both used in the implementation of
- // reflection, and also a type that contains methods that are clients of reflection
- // (i.e., they instigate their own CreateInstance). Skip all AppDomain frames that
- // are NOT known clients of reflection. NOTE: The ever-increasing complexity of this
- // exclusion list is a sign that we need a better way--this is error-prone and
- // unmaintainable as more changes are made to BCL types.
- if ((pCaller == MscorlibBinder::GetExistingClass(CLASS__APP_DOMAIN))
- && (pMeth != MscorlibBinder::GetMethod(METHOD__APP_DOMAIN__CREATE_APP_DOMAIN_MANAGER)) // This uses reflection to create an AppDomainManager
- )
- {
- return true;
- }
}
return false;
SystemDomain::LockHolder lh;
pDomain->Init();
- Security::SetDefaultAppDomainProperty(pDomain->GetSecurityDescriptor());
-
// need to make this assignment here since we'll be releasing
// the lock before calling AddDomain. So any other thread
// grabbing this lock after we release it will find that
m_cRef=1;
m_pNextInDelayedUnloadList = NULL;
- m_pSecContext = NULL;
m_fRudeUnload = FALSE;
m_pUnloadRequestThread = NULL;
m_ADUnloadSink=NULL;
m_pwDynamicDir = NULL;
m_dwFlags = 0;
- m_pSecDesc = NULL;
m_pDefaultContext = NULL;
#ifdef FEATURE_COMINTEROP
m_pComCallWrapperCache = NULL;
m_pWinRTFactoryCache = NULL;
#endif // FEATURE_COMINTEROP
- m_fAppDomainManagerSetInConfig = FALSE;
- m_dwAppDomainManagerInitializeDomainFlags = eInitializeNewDomainFlags_None;
-
#ifdef FEATURE_PREJIT
m_pDomainFileWithNativeImageList = NULL;
#endif
if (m_ADUnloadSink)
m_ADUnloadSink->Release();
- if (m_pSecContext)
- delete m_pSecContext;
-
if(!g_fEEInit)
Terminate();
// Set up the IL stub cache
m_ILStubCache.Init(GetLoaderAllocator()->GetHighFrequencyHeap());
- m_pSecContext = new SecurityContext (GetLowFrequencyHeap());
-
// Set up the binding caches
m_AssemblyCache.Init(&m_DomainCacheCrst, GetHighFrequencyHeap());
m_UnmanagedCache.InitializeTable(this, &m_DomainCacheCrst);
m_clsidHash.Init(0,&CompareCLSID,true, &lock); // init hash table
}
- CreateSecurityDescriptor();
SetStage(STAGE_READYFORMANAGEDCODE);
#ifndef CROSSGEN_COMPILE
m_pRootAssembly = NULL; // This assembly is in the assembly list;
- if (m_pSecDesc != NULL)
- {
- delete m_pSecDesc;
- m_pSecDesc = NULL;
- }
-
#ifdef DEBUGGING_SUPPORTED
if (NULL != g_pDebugInterface)
{
#ifndef DACCESS_COMPILE
-void AppDomain::CreateSecurityDescriptor()
-{
- STANDARD_VM_CONTRACT;
-
- _ASSERTE(m_pSecDesc == NULL);
-
- m_pSecDesc = Security::CreateApplicationSecurityDescriptor(this);
-}
-
bool IsPlatformAssembly(LPCSTR szName, DomainAssembly *pDomainAssembly)
{
CONTRACTL
return FALSE;
}
-BOOL AppDomain::HasSetSecurityPolicy()
-{
- CONTRACT(BOOL)
- {
- THROWS;
- GC_TRIGGERS;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACT_END;
-
- GCX_COOP();
-
- if (NingenEnabled())
- {
- return FALSE;
- }
- RETURN ((APPDOMAINREF)GetExposedObject())->HasSetPolicy();
-}
-
-
EEClassFactoryInfoHashTable* AppDomain::SetupClassFactHash()
{
CONTRACTL
Assembly *AppDomain::LoadAssembly(AssemblySpec* pIdentity,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity /* = NULL */)
+ FileLoadLevel targetLevel)
{
CONTRACT(Assembly *)
{
}
CONTRACT_END;
- DomainAssembly *pAssembly = LoadDomainAssembly(pIdentity, pFile, targetLevel, pLoadSecurity);
+ DomainAssembly *pAssembly = LoadDomainAssembly(pIdentity, pFile, targetLevel);
PREFIX_ASSUME(pAssembly != NULL);
RETURN pAssembly->GetAssembly();
AppDomain *pThis;
AssemblySpec* pSpec;
PEAssembly *pFile;
- AssemblyLoadSecurity *pLoadSecurity;
FileLoadLevel targetLevel;
- LoadDomainAssemblyStress(AppDomain *pThis, AssemblySpec* pSpec, PEAssembly *pFile, FileLoadLevel targetLevel, AssemblyLoadSecurity *pLoadSecurity)
- : pThis(pThis), pSpec(pSpec), pFile(pFile), pLoadSecurity(pLoadSecurity), targetLevel(targetLevel) {LIMITED_METHOD_CONTRACT;}
+ LoadDomainAssemblyStress(AppDomain *pThis, AssemblySpec* pSpec, PEAssembly *pFile, FileLoadLevel targetLevel)
+ : pThis(pThis), pSpec(pSpec), pFile(pFile), targetLevel(targetLevel) {LIMITED_METHOD_CONTRACT;}
void Invoke()
{
WRAPPER_NO_CONTRACT;
STATIC_CONTRACT_SO_INTOLERANT;
SetupThread();
- pThis->LoadDomainAssembly(pSpec, pFile, targetLevel, pLoadSecurity);
+ pThis->LoadDomainAssembly(pSpec, pFile, targetLevel);
}
};
#endif // CROSSGEN_COMPILE
DomainAssembly* AppDomain::LoadDomainAssembly( AssemblySpec* pSpec,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity /* = NULL */)
+ FileLoadLevel targetLevel)
{
STATIC_CONTRACT_THROWS;
if (pSpec == nullptr)
{
// skip caching, since we don't have anything to base it on
- return LoadDomainAssemblyInternal(pSpec, pFile, targetLevel, pLoadSecurity);
+ return LoadDomainAssemblyInternal(pSpec, pFile, targetLevel);
}
DomainAssembly* pRetVal = NULL;
EX_TRY
{
- pRetVal = LoadDomainAssemblyInternal(pSpec, pFile, targetLevel, pLoadSecurity);
+ pRetVal = LoadDomainAssemblyInternal(pSpec, pFile, targetLevel);
}
EX_HOOK
{
DomainAssembly *AppDomain::LoadDomainAssemblyInternal(AssemblySpec* pIdentity,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity /* = NULL */)
+ FileLoadLevel targetLevel)
{
CONTRACT(DomainAssembly *)
{
THROWS;
MODE_ANY;
PRECONDITION(CheckPointer(pFile));
- PRECONDITION(CheckPointer(pLoadSecurity, NULL_OK));
PRECONDITION(pFile->IsSystem() || ::GetAppDomain()==this);
POSTCONDITION(CheckPointer(RETVAL));
POSTCONDITION(RETVAL->GetLoadLevel() >= GetThreadFileLoadLevel()
DomainAssembly * result;
#ifndef CROSSGEN_COMPILE
- LoadDomainAssemblyStress ts (this, pIdentity, pFile, targetLevel, pLoadSecurity);
+ LoadDomainAssemblyStress ts (this, pIdentity, pFile, targetLevel);
#endif
// Go into preemptive mode since this may take a while.
// a rare redundant allocation by moving this closer to FileLoadLock::Create, but it's not worth it.
NewHolder<DomainAssembly> pDomainAssembly;
- pDomainAssembly = new DomainAssembly(this, pFile, pLoadSecurity, this->GetLoaderAllocator());
+ pDomainAssembly = new DomainAssembly(this, pFile, this->GetLoaderAllocator());
LoadLockHolder lock(this);
RETURN pDomainFile;
}
-void AppDomain::SetSharePolicy(SharePolicy policy)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- if ((int)policy > SHARE_POLICY_COUNT)
- COMPlusThrow(kArgumentException,W("Argument_InvalidValue"));
-
- // We cannot make all code domain neutral and still provide complete compatibility with regard
- // to using custom security policy and assembly evidence.
- //
- // In particular, if you try to do either of the above AFTER loading a domain neutral assembly
- // out of the GAC, we will now throw an exception. The remedy would be to either not use SHARE_POLICY_ALWAYS
- // (change LoaderOptimizationMultiDomain to LoaderOptimizationMultiDomainHost), or change the loading order
- // in the app domain to do the policy set or evidence load earlier (which BTW will have the effect of
- // automatically using MDH rather than MD, for the same result.)
- //
- // We include a compatibility flag here to preserve old functionality if necessary - this has the effect
- // of never using SHARE_POLICY_ALWAYS.
- if (policy == SHARE_POLICY_ALWAYS &&
- (HasSetSecurityPolicy()
- || GetCompatibilityFlag(compatOnlyGACDomainNeutral)))
- {
- // Never share assemblies not in the GAC
- policy = SHARE_POLICY_GAC;
- }
-
- if (policy != m_SharePolicy)
- {
-
-#ifdef FEATURE_PREJIT
-
-
-#endif // FEATURE_PREJIT
-
- m_SharePolicy = policy;
- }
-
- return;
-}
-
-
AppDomain::SharePolicy AppDomain::GetSharePolicy()
{
LIMITED_METHOD_CONTRACT;
- // If the policy has been explicitly set for
- // the domain, use that.
- SharePolicy policy = m_SharePolicy;
-
- // Pick up the a specified config policy
- if (policy == SHARE_POLICY_UNSPECIFIED)
- policy = (SharePolicy) g_pConfig->DefaultSharePolicy();
-
- // Next, honor a host's request for global policy.
- if (policy == SHARE_POLICY_UNSPECIFIED)
- policy = (SharePolicy) g_dwGlobalSharePolicy;
- // If all else fails, use the hardwired default policy.
- if (policy == SHARE_POLICY_UNSPECIFIED)
- policy = SHARE_POLICY_DEFAULT;
-
- return policy;
+ return SHARE_POLICY_NEVER;
}
#endif // FEATURE_LOADER_OPTIMIZATION
BOOL fThrowOnFileNotFound,
BOOL fRaisePrebindEvents,
StackCrawlMark * pCallerStackMark,
- AssemblyLoadSecurity * pLoadSecurity,
BOOL fUseHostBinderIfAvailable)
{
STATIC_CONTRACT_THROWS;
THROWS;
INJECT_FAULT(COMPlusThrowOM(););
PRECONDITION(GetId().m_dwId == DefaultADID);
- PRECONDITION(!HasAppDomainManagerInfo());
- }
- CONTRACTL_END;
-
- //
- // The AppDomainManager for the default domain can be specified by:
- // 1. Native hosting API
- // 2. Application config file if the application is fully trusted
- // 3. Environment variables
- //
-
-
- if (CorHost2::HasAppDomainManagerInfo())
- {
- SetAppDomainManagerInfo(CorHost2::GetAppDomainManagerAsm(),
- CorHost2::GetAppDomainManagerType(),
- CorHost2::GetAppDomainManagerInitializeNewDomainFlags());
- m_fAppDomainManagerSetInConfig = FALSE;
-
- LOG((LF_APPDOMAIN, LL_INFO10, "Setting default AppDomainManager '%S', '%S' from hosting API.\n", GetAppDomainManagerAsm(), GetAppDomainManagerType()));
- }
-
- // If we found an AppDomain manager to use, create and initialize it
- // Otherwise, initialize the config flags.
- if (HasAppDomainManagerInfo())
- {
- // If the initialization flags promise that the domain manager isn't going to modify security, then do a
- // pre-resolution of the domain now so that we can do some basic verification of the state later. We
- // don't care about the actual result now, just that the resolution took place to compare against later.
- if (GetAppDomainManagerInitializeNewDomainFlags() & eInitializeNewDomainFlags_NoSecurityChanges)
- {
- BOOL fIsFullyTrusted;
- BOOL fIsHomogeneous;
- GetSecurityDescriptor()->PreResolve(&fIsFullyTrusted, &fIsHomogeneous);
- }
-
- OBJECTREF orThis = GetExposedObject();
- GCPROTECT_BEGIN(orThis);
-
- MethodDescCallSite createDomainManager(METHOD__APP_DOMAIN__CREATE_APP_DOMAIN_MANAGER);
- ARG_SLOT args[] =
- {
- ObjToArgSlot(orThis)
- };
-
- createDomainManager.Call(args);
-
- GCPROTECT_END();
- }
- else
- {
- OBJECTREF orThis = GetExposedObject();
- GCPROTECT_BEGIN(orThis);
-
- MethodDescCallSite initCompatFlags(METHOD__APP_DOMAIN__INITIALIZE_COMPATIBILITY_FLAGS);
- ARG_SLOT args[] =
- {
- ObjToArgSlot(orThis)
- };
-
- initCompatFlags.Call(args);
-
- GCPROTECT_END();
- }
-}
-
-
-//---------------------------------------------------------------------------------------
-//
-// Intialize the security settings in the default AppDomain.
-//
-
-void AppDomain::InitializeDefaultDomainSecurity()
-{
- CONTRACTL
- {
- MODE_COOPERATIVE;
- GC_TRIGGERS;
- THROWS;
- PRECONDITION(GetId().m_dwId == DefaultADID);
}
CONTRACTL_END;
OBJECTREF orThis = GetExposedObject();
GCPROTECT_BEGIN(orThis);
- MethodDescCallSite initializeSecurity(METHOD__APP_DOMAIN__INITIALIZE_DOMAIN_SECURITY);
+ MethodDescCallSite initCompatFlags(METHOD__APP_DOMAIN__INITIALIZE_COMPATIBILITY_FLAGS);
ARG_SLOT args[] =
{
- ObjToArgSlot(orThis),
- ObjToArgSlot(NULL),
- ObjToArgSlot(NULL),
- static_cast<ARG_SLOT>(FALSE),
- ObjToArgSlot(NULL),
- static_cast<ARG_SLOT>(FALSE)
+ ObjToArgSlot(orThis)
};
- initializeSecurity.Call(args);
+ initCompatFlags.Call(args);
GCPROTECT_END();
}
}
CONTRACTL_END;
- BOOL fIsInGAC = FALSE;
const SString &sImagePath = pPEImage->GetPath();
- if (!sImagePath.IsEmpty())
- {
- // If we're not in a sandboxed domain, everything is full trust all the time
- if (GetSecurityDescriptor()->IsFullyTrusted())
- {
- return TRUE;
- }
-
- fIsInGAC = GetTPABinderContext()->IsInTpaList(sImagePath);
- }
-
- return fIsInGAC;
-}
-
-BOOL AppDomain::IsImageFullyTrusted(PEImage* pPEImage)
-{
- WRAPPER_NO_CONTRACT;
- return IsImageFromTrustedPath(pPEImage);
+ return !sImagePath.IsEmpty();
}
-
#endif //!DACCESS_COMPILE
#if !defined(DACCESS_COMPILE) && !defined(CROSSGEN_COMPILE)
class Context;
class GlobalStringLiteralMap;
class StringLiteralMap;
-struct SecurityContext;
class MngStdInterfacesInfo;
class DomainModule;
class DomainAssembly;
class LoadLevelLimiter;
class UMEntryThunkCache;
class TypeEquivalenceHashTable;
-class IApplicationSecurityDescriptor;
class StringArrayList;
-typedef VPTR(IApplicationSecurityDescriptor) PTR_IApplicationSecurityDescriptor;
-
extern INT64 g_PauseTime; // Total time in millisecond the CLR has been paused
#ifdef FEATURE_COMINTEROP
// creates only unamaged part
static void CreateUnmanagedObject(AppDomainCreationHolder<AppDomain>& result);
- inline void SetAppDomainManagerInfo(LPCWSTR szAssemblyName, LPCWSTR szTypeName, EInitializeNewDomainFlags dwInitializeDomainFlags);
- inline BOOL HasAppDomainManagerInfo();
- inline LPCWSTR GetAppDomainManagerAsm();
- inline LPCWSTR GetAppDomainManagerType();
- inline EInitializeNewDomainFlags GetAppDomainManagerInitializeNewDomainFlags();
#if defined(FEATURE_COMINTEROP)
Assembly *LoadAssembly(AssemblySpec* pIdentity,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity = NULL);
+ FileLoadLevel targetLevel);
// this function does not provide caching, you must use LoadDomainAssembly
// unless the call is guaranteed to succeed or you don't need the caching
//which is violating our internal assumptions
DomainAssembly *LoadDomainAssemblyInternal( AssemblySpec* pIdentity,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity = NULL);
+ FileLoadLevel targetLevel);
DomainAssembly *LoadDomainAssembly( AssemblySpec* pIdentity,
PEAssembly *pFile,
- FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity = NULL);
+ FileLoadLevel targetLevel);
CHECK CheckValidModule(Module *pModule);
SHARE_POLICY_DEFAULT = SHARE_POLICY_NEVER,
};
- void SetSharePolicy(SharePolicy policy);
SharePolicy GetSharePolicy();
- BOOL ReduceSharePolicyFromAlways();
-
- //****************************************************************************************
- // Determines if the image is to be loaded into the shared assembly or an individual
- // appdomains.
#endif // FEATURE_LOADER_OPTIMIZATION
- BOOL HasSetSecurityPolicy();
-
- FORCEINLINE IApplicationSecurityDescriptor* GetSecurityDescriptor()
- {
- LIMITED_METHOD_CONTRACT;
- STATIC_CONTRACT_SO_TOLERANT;
- return static_cast<IApplicationSecurityDescriptor*>(m_pSecDesc);
- }
-
- void CreateSecurityDescriptor();
-
//****************************************************************************************
//
// Reference count. When an appdomain is first created the reference is bump
BOOL fThrowOnFileNotFound,
BOOL fRaisePrebindEvents,
StackCrawlMark *pCallerStackMark = NULL,
- AssemblyLoadSecurity *pLoadSecurity = NULL,
BOOL fUseHostBinderIfAvailable = TRUE) DAC_EMPTY_RET(NULL);
HRESULT BindAssemblySpecForHostedBinder(
void InitializeDefaultDomainManager ();
-
- void InitializeDefaultDomainSecurity();
public:
protected:
// by one. For it to hit zero an explicit close must have happened.
LONG m_cRef; // Ref count.
- PTR_IApplicationSecurityDescriptor m_pSecDesc; // Application Security Descriptor
-
OBJECTHANDLE m_ExposedObject;
#ifdef FEATURE_LOADER_OPTIMIZATION
DISABLE_TRANSPARENCY_ENFORCEMENT= 0x800000, // Disable enforcement of security transparency rules
};
- SecurityContext *m_pSecContext;
-
AssemblySpecBindingCache m_AssemblyCache;
DomainAssemblyCache m_UnmanagedCache;
size_t m_MemoryPressure;
- SString m_AppDomainManagerAssembly;
- SString m_AppDomainManagerType;
- BOOL m_fAppDomainManagerSetInConfig;
- EInitializeNewDomainFlags m_dwAppDomainManagerInitializeDomainFlags;
-
ArrayList m_NativeDllSearchDirectories;
BOOL m_ReversePInvokeCanEnter;
bool m_ForceTrivialWaitOperations;
}
BOOL IsImageFromTrustedPath(PEImage* pImage);
- BOOL IsImageFullyTrusted(PEImage* pImage);
#ifdef FEATURE_TYPEEQUIVALENCE
private:
};
#endif // !DACCESS_COMPILE && !CROSSGEN_COMPILE
+#define INVALID_APPDOMAIN_ID ((DWORD)-1)
+#define CURRENT_APPDOMAIN_ID ((ADID)(DWORD)0)
+
#endif
#endif // DACCESS_COMPILE
-inline void AppDomain::SetAppDomainManagerInfo(LPCWSTR szAssemblyName, LPCWSTR szTypeName, EInitializeNewDomainFlags dwInitializeDomainFlags)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- m_AppDomainManagerAssembly=szAssemblyName;
- m_AppDomainManagerType=szTypeName;
- m_dwAppDomainManagerInitializeDomainFlags = dwInitializeDomainFlags;
-}
-
-inline BOOL AppDomain::HasAppDomainManagerInfo()
-{
- WRAPPER_NO_CONTRACT;
- return !m_AppDomainManagerAssembly.IsEmpty() && !m_AppDomainManagerType.IsEmpty();
-}
-
-inline LPCWSTR AppDomain::GetAppDomainManagerAsm()
-{
- WRAPPER_NO_CONTRACT;
- return m_AppDomainManagerAssembly;
-}
-
-
-inline LPCWSTR AppDomain::GetAppDomainManagerType()
-{
- WRAPPER_NO_CONTRACT;
- return m_AppDomainManagerType;
-}
-
-
-inline EInitializeNewDomainFlags AppDomain::GetAppDomainManagerInitializeNewDomainFlags()
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwAppDomainManagerInitializeDomainFlags;
-}
-
inline AppDomain::PathIterator AppDomain::IterateNativeDllSearchDirectories()
{
WRAPPER_NO_CONTRACT;
return pDomain;
}
-
-
-void QCALLTYPE AppDomainNative::SetupDomainSecurity(QCall::AppDomainHandle pDomain,
- QCall::ObjectHandleOnStack ohEvidence,
- IApplicationSecurityDescriptor *pParentSecurityDescriptor,
- BOOL fPublishAppDomain)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- struct
- {
- OBJECTREF orEvidence;
- }
- gc;
- ZeroMemory(&gc, sizeof(gc));
-
- GCX_COOP();
- GCPROTECT_BEGIN(gc)
- if (ohEvidence.m_ppObject != NULL)
- {
- gc.orEvidence = ObjectToOBJECTREF(*ohEvidence.m_ppObject);
- }
-
-
- // Set up the default AppDomain property.
- IApplicationSecurityDescriptor *pSecDesc = pDomain->GetSecurityDescriptor();
-
- if (!pSecDesc->IsHomogeneous() && pDomain->IsDefaultDomain())
- {
- Security::SetDefaultAppDomainProperty(pSecDesc);
- }
- // Set up the evidence property in the VM side.
- else
- {
- // If there is no provided evidence then this new appdomain gets the same evidence as the creator.
- //
- // If there is no provided evidence and this AppDomain is not homogeneous, then it automatically
- // is also a default appdomain (for security grant set purposes)
- //
- //
- // If evidence is provided, the new appdomain is not a default appdomain and
- // we simply use the provided evidence.
-
- if (gc.orEvidence == NULL)
- {
- _ASSERTE(pParentSecurityDescriptor == NULL || pParentSecurityDescriptor->IsDefaultAppDomainEvidence());
-
- if (pSecDesc->IsHomogeneous())
- {
- // New domain gets default AD evidence
- Security::SetDefaultAppDomainEvidenceProperty(pSecDesc);
- }
- else
- {
- // New domain gets to be a default AD
- Security::SetDefaultAppDomainProperty(pSecDesc);
- }
- }
- }
-
-
- // We need to downgrade sharing level if the AppDomain is homogeneous and not fully trusted, or the
- // AppDomain is in legacy mode. Effectively, we need to be sure that all assemblies loaded into the
- // domain must be fully trusted in order to allow non-GAC sharing.
-
- // Now finish the initialization.
- pSecDesc->FinishInitialization();
-
- // once domain is loaded it is publically available so if you have anything
- // that a list interrogator might need access to if it gets a hold of the
- // appdomain, then do it above the LoadDomain.
- if (fPublishAppDomain)
- SystemDomain::LoadDomain(pDomain);
-
-#ifdef _DEBUG
- LOG((LF_APPDOMAIN, LL_INFO100, "AppDomainNative::CreateDomain domain [%d] %p %S\n", pDomain->GetIndex().m_dwIndex, (AppDomain*)pDomain, pDomain->GetFriendlyName()));
-#endif
-
- GCPROTECT_END();
-
- END_QCALL;
-}
-
FCIMPL2(void, AppDomainNative::SetupFriendlyName, AppDomainBaseObject* refThisUNSAFE, StringObject* strFriendlyNameUNSAFE)
{
FCALL_CONTRACT;
}
FCIMPLEND
-#if FEATURE_COMINTEROP
-
-FCIMPL1(void, AppDomainNative::SetDisableInterfaceCache, AppDomainBaseObject* refThisUNSAFE)
-{
- CONTRACTL
- {
- MODE_COOPERATIVE;
- DISABLED(GC_TRIGGERS); // can't use this in an FCALL because we're in forbid gc mode until we setup a H_M_F.
- SO_TOLERANT;
- THROWS;
- }
- CONTRACTL_END;
-
- struct _gc
- {
- APPDOMAINREF refThis;
- } gc;
-
- gc.refThis = (APPDOMAINREF) refThisUNSAFE;
-
- HELPER_METHOD_FRAME_BEGIN_PROTECT(gc)
-
- AppDomainRefHolder pDomain(ValidateArg(gc.refThis));
- pDomain->AddRef();
-
- pDomain->SetDisableInterfaceCache();
-
- HELPER_METHOD_FRAME_END();
-}
-FCIMPLEND
-
-#endif // FEATURE_COMINTEROP
-
-
-FCIMPL1(void*, AppDomainNative::GetSecurityDescriptor, AppDomainBaseObject* refThisUNSAFE)
-{
- FCALL_CONTRACT;
-
- void* pvRetVal = NULL;
- APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE;
-
- HELPER_METHOD_FRAME_BEGIN_RET_1(refThis);
-
-
- pvRetVal = ValidateArg(refThis)->GetSecurityDescriptor();
-
- HELPER_METHOD_FRAME_END();
- return pvRetVal;
-}
-FCIMPLEND
-
-#ifdef FEATURE_LOADER_OPTIMIZATION
-FCIMPL2(void, AppDomainNative::UpdateLoaderOptimization, AppDomainBaseObject* refThisUNSAFE, DWORD optimization)
-{
- FCALL_CONTRACT;
-
- APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE;
-
- HELPER_METHOD_FRAME_BEGIN_1(refThis);
-
- ValidateArg(refThis)->SetSharePolicy((AppDomain::SharePolicy) (optimization & AppDomain::SHARE_POLICY_MASK));
-
- HELPER_METHOD_FRAME_END();
-}
-FCIMPLEND
-#endif // FEATURE_LOADER_OPTIMIZATION
-
-
FCIMPL1(void,
AppDomainNative::CreateContext,
AppDomainBaseObject *refThisUNSAFE)
}
-FCIMPL9(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, Object* identityUNSAFE, StackCrawlMark* stackMark, U1Array *securityRulesBlobUNSAFE, U1Array *aptcaBlobUNSAFE, INT32 access, INT32 dwFlags, SecurityContextSource securityContextSource)
+FCIMPL4(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, StackCrawlMark* stackMark, INT32 access)
{
FCALL_CONTRACT;
args.refThis = (APPDOMAINREF) refThisUNSAFE;
args.assemblyName = (ASSEMBLYNAMEREF) assemblyNameUNSAFE;
- args.identity = (OBJECTREF) identityUNSAFE;
- args.securityRulesBlob = (U1ARRAYREF) securityRulesBlobUNSAFE;
- args.aptcaBlob = (U1ARRAYREF) aptcaBlobUNSAFE;
args.loaderAllocator = NULL;
args.access = access;
- args.flags = static_cast<DynamicAssemblyFlags>(dwFlags);
args.stackMark = stackMark;
- args.securityContextSource = securityContextSource;
HELPER_METHOD_FRAME_BEGIN_RET_PROTECT((CreateDynamicAssemblyArgsGC&)args);
}
FCIMPLEND
-//---------------------------------------------------------------------------------------
-//
-// Returns true if the DisableFusionUpdatesFromADManager config switch is turned on.
-//
-// Arguments:
-// adhTarget - AppDomain to get domain manager information about
-//
-
-// static
-BOOL QCALLTYPE AppDomainNative::DisableFusionUpdatesFromADManager(QCall::AppDomainHandle adhTarget)
-{
- QCALL_CONTRACT;
-
- BOOL bUpdatesDisabled = FALSE;
-
- BEGIN_QCALL;
-
- bUpdatesDisabled = !!(g_pConfig->DisableFusionUpdatesFromADManager());
-
- END_QCALL;
-
- return bUpdatesDisabled;
-}
-
#ifdef FEATURE_APPX
//
#endif // FEATURE_APPX
-//---------------------------------------------------------------------------------------
-//
-// Get the assembly and type containing the AppDomainManager used for the current domain
-//
-// Arguments:
-// adhTarget - AppDomain to get domain manager information about
-// retAssembly - [out] assembly which contains the AppDomainManager
-// retType - [out] AppDomainManger for the domain
-//
-// Notes:
-// If the AppDomain does not have an AppDomainManager, retAssembly and retType will be null on return.
-//
-
-// static
-void QCALLTYPE AppDomainNative::GetAppDomainManagerType(QCall::AppDomainHandle adhTarget,
- QCall::StringHandleOnStack shRetAssembly,
- QCall::StringHandleOnStack shRetType)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- if (adhTarget->HasAppDomainManagerInfo())
- {
- shRetAssembly.Set(adhTarget->GetAppDomainManagerAsm());
- shRetType.Set(adhTarget->GetAppDomainManagerType());
- }
- else
- {
- shRetAssembly.Set(static_cast<LPCWSTR>(NULL));
- shRetType.Set(static_cast<LPCWSTR>(NULL));
- }
-
- END_QCALL;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Set the assembly and type containing the AppDomainManager to be used for the current domain
-//
-// Arguments:
-// adhTarget - AppDomain to set domain manager information for
-// wszAssembly - assembly which contains the AppDomainManager
-// wszType - AppDomainManger for the domain
-//
-
-// static
-void QCALLTYPE AppDomainNative::SetAppDomainManagerType(QCall::AppDomainHandle adhTarget,
- __in_z LPCWSTR wszAssembly,
- __in_z LPCWSTR wszType)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(wszAssembly));
- PRECONDITION(CheckPointer(wszType));
- PRECONDITION(!GetAppDomain()->HasAppDomainManagerInfo());
- }
- CONTRACTL_END;
-
- BEGIN_QCALL;
-
- // If the AppDomainManager type is the same as the domain manager setup by the CLR host, then we can
- // propagate the host's initialization flags to the new domain as well;
- EInitializeNewDomainFlags initializationFlags = eInitializeNewDomainFlags_None;
- if (CorHost2::HasAppDomainManagerInfo())
- {
- if (wcscmp(CorHost2::GetAppDomainManagerAsm(), wszAssembly) == 0 &&
- wcscmp(CorHost2::GetAppDomainManagerType(), wszType) == 0)
- {
- initializationFlags = CorHost2::GetAppDomainManagerInitializeNewDomainFlags();
- }
- }
-
- adhTarget->SetAppDomainManagerInfo(wszAssembly, wszType, initializationFlags);
-
- // If the initialization flags promise that the domain manager isn't going to modify security, then do a
- // pre-resolution of the domain now so that we can do some basic verification of the state later. We
- // don't care about the actual result now, just that the resolution took place to compare against later.
- if (initializationFlags & eInitializeNewDomainFlags_NoSecurityChanges)
- {
- BOOL fIsFullyTrusted;
- BOOL fIsHomogeneous;
- adhTarget->GetSecurityDescriptor()->PreResolve(&fIsFullyTrusted, &fIsHomogeneous);
- }
-
- END_QCALL;
-}
-
-
-FCIMPL1(void, AppDomainNative::SetHostSecurityManagerFlags, DWORD dwFlags);
-{
- FCALL_CONTRACT;
-
- HELPER_METHOD_FRAME_BEGIN_0();
-
- GetThread()->GetDomain()->GetSecurityDescriptor()->SetHostSecurityManagerFlags(dwFlags);
-
- HELPER_METHOD_FRAME_END();
-}
-FCIMPLEND
-
-// static
-void QCALLTYPE AppDomainNative::SetSecurityHomogeneousFlag(QCall::AppDomainHandle adhTarget,
- BOOL fRuntimeSuppliedHomogenousGrantSet)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- IApplicationSecurityDescriptor *pAppSecDesc = adhTarget->GetSecurityDescriptor();
- pAppSecDesc->SetHomogeneousFlag(fRuntimeSuppliedHomogenousGrantSet);
-
- END_QCALL;
-}
-
-
-
FCIMPL1(Object*, AppDomainNative::GetFriendlyName, AppDomainBaseObject* refThisUNSAFE)
{
FCALL_CONTRACT;
}
FCIMPLEND
-FCIMPL1(FC_BOOL_RET, AppDomainNative::IsDefaultAppDomainForEvidence, AppDomainBaseObject* refThisUNSAFE)
-{
- FCALL_CONTRACT;
-
- BOOL retVal = FALSE;
- APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE;
-
- HELPER_METHOD_FRAME_BEGIN_RET_1(refThis);
-
- AppDomain* pApp = ValidateArg((APPDOMAINREF) refThisUNSAFE);
- retVal = pApp->GetSecurityDescriptor()->IsDefaultAppDomainEvidence();
-
- HELPER_METHOD_FRAME_END();
- FC_RETURN_BOOL(retVal);
-}
-FCIMPLEND
-
FCIMPL2(Object*, AppDomainNative::GetAssemblies, AppDomainBaseObject* refThisUNSAFE, CLR_BOOL forIntrospection);
{
FCALL_CONTRACT;
}
FCIMPLEND
-FCIMPL1(void, AppDomainNative::ChangeSecurityPolicy, AppDomainBaseObject* refThisUNSAFE)
-{
- FCALL_CONTRACT;
-
- APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE;
- HELPER_METHOD_FRAME_BEGIN_1(refThis);
- AppDomain* pApp = ValidateArg(refThis);
-
- pApp->GetSecurityDescriptor()->SetPolicyLevelFlag();
-
- HELPER_METHOD_FRAME_END();
-}
-FCIMPLEND
-
-
FCIMPL2(Object*, AppDomainNative::IsStringInterned, AppDomainBaseObject* refThisUNSAFE, StringObject* pStringUNSAFE)
{
FCALL_CONTRACT;
}
FCIMPLEND
-// static
-void QCALLTYPE AppDomainNative::GetGrantSet(QCall::AppDomainHandle adhTarget,
- QCall::ObjectHandleOnStack retGrantSet)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- IApplicationSecurityDescriptor *pSecDesc = adhTarget->GetSecurityDescriptor();
-
- GCX_COOP();
- pSecDesc->Resolve();
- retGrantSet.Set(pSecDesc->GetGrantedPermissionSet());
-
- END_QCALL;
-}
-
FCIMPL1(FC_BOOL_RET, AppDomainNative::IsUnloadingForcedFinalize, AppDomainBaseObject* refThisUNSAFE)
{
public:
static AppDomain *ValidateArg(APPDOMAINREF pThis);
static FCDECL2(void, SetupFriendlyName, AppDomainBaseObject* refThisUNSAFE, StringObject* strFriendlyNameUNSAFE);
-#if FEATURE_COMINTEROP
- static FCDECL1(void, SetDisableInterfaceCache, AppDomainBaseObject* refThisUNSAFE);
-#endif // FEATURE_COMINTEROP
- static FCDECL1(void*, GetSecurityDescriptor, AppDomainBaseObject* refThisUNSAFE);
-#ifdef FEATURE_LOADER_OPTIMIZATION
- static FCDECL2(void, UpdateLoaderOptimization, AppDomainBaseObject* refThisUNSAFE, DWORD optimization);
-#endif // FEATURE_LOADER_OPTIMIZATION
- static FCDECL9(Object*, CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, Object* identityUNSAFE, StackCrawlMark* stackMark, U1Array* securityRulesBlobUNSAFE, U1Array* aptcaBlobUNSAFE, INT32 access, INT32 flags, SecurityContextSource securityContextSource);
- static FCDECL1(void, SetHostSecurityManagerFlags, DWORD dwFlags);
+ static FCDECL4(Object*, CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, StackCrawlMark* stackMark, INT32 access);
static FCDECL1(Object*, GetFriendlyName, AppDomainBaseObject* refThisUNSAFE);
- static FCDECL1(FC_BOOL_RET, IsDefaultAppDomainForEvidence, AppDomainBaseObject* refThisUNSAFE);
static FCDECL2(Object*, GetAssemblies, AppDomainBaseObject* refThisUNSAFE, CLR_BOOL fForIntrospection);
static FCDECL2(Object*, GetOrInternString, AppDomainBaseObject* refThisUNSAFE, StringObject* pStringUNSAFE);
static FCDECL1(void, CreateContext, AppDomainBaseObject *refThisUNSAFE);
static FCDECL1(FC_BOOL_RET, IsDomainIdValid, INT32 dwId);
static FCDECL1(FC_BOOL_RET, IsFinalizingForUnload, AppDomainBaseObject* refThisUNSAFE);
static FCDECL1(void, ForceToSharedDomain, Object* pObjectUNSAFE);
- static FCDECL1(void, ChangeSecurityPolicy, AppDomainBaseObject* refThisUNSAFE);
static FCDECL1(LPVOID, GetFusionContext, AppDomainBaseObject* refThis);
static FCDECL2(Object*, IsStringInterned, AppDomainBaseObject* refThis, StringObject* pString);
static FCDECL1(FC_BOOL_RET, IsUnloadingForcedFinalize, AppDomainBaseObject* refThis);
PTRARRAYREF *pStringArgs);
public:
- static
- void QCALLTYPE SetupDomainSecurity(QCall::AppDomainHandle pDomain,
- QCall::ObjectHandleOnStack ohEvidence,
- IApplicationSecurityDescriptor *pParentSecurityDescriptor,
- BOOL fPublishAppDomain);
-
- static
- void QCALLTYPE GetGrantSet(QCall::AppDomainHandle adhTarget,
- QCall::ObjectHandleOnStack retGrantSet);
-
-
- static
- BOOL QCALLTYPE DisableFusionUpdatesFromADManager(QCall::AppDomainHandle adhTarget);
-
#ifdef FEATURE_APPX
static
INT32 QCALLTYPE GetAppXFlags();
#endif
-
- static
- void QCALLTYPE GetAppDomainManagerType(QCall::AppDomainHandle adhTarget,
- QCall::StringHandleOnStack shRetAssembly,
- QCall::StringHandleOnStack shRetType);
-
- static
- void QCALLTYPE SetAppDomainManagerType(QCall::AppDomainHandle adhTarget,
- __in_z LPCWSTR wszAssembly,
- __in_z LPCWSTR wszType);
-
- static
- void QCALLTYPE SetSecurityHomogeneousFlag(QCall::AppDomainHandle adhTarget,
- BOOL fRuntimeSuppliedHomgenousGrantSet);
-
-
-
-
};
#endif
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-
-//
-
-
-#include "common.h"
-
-#include "appdomainstack.h"
-#include "appdomainstack.inl"
-#include "security.h"
-#include "securitypolicy.h"
-#include "appdomain.inl"
-#include "callhelpers.h"
-
-#ifdef _DEBUG
-void AppDomainStack::CheckOverridesAssertCounts()
-{
- LIMITED_METHOD_CONTRACT;
- DWORD dwAppDomainIndex = 0;
- DWORD dwOverrides = 0;
- DWORD dwAsserts = 0;
- AppDomainStackEntry *pEntry = NULL;
- for(dwAppDomainIndex=0;dwAppDomainIndex<m_numEntries;dwAppDomainIndex++)
- {
- pEntry = __GetEntryPtr(dwAppDomainIndex);
- dwOverrides += pEntry->m_dwOverridesCount;
- dwAsserts += pEntry->m_dwAsserts;
- }
- _ASSERTE(dwOverrides == m_dwOverridesCount);
- _ASSERTE(dwAsserts == m_dwAsserts);
-}
-#endif
-
-BOOL AppDomainStackEntry::IsFullyTrustedWithNoStackModifiers(void)
-{
- LIMITED_METHOD_CONTRACT;
- if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0)
- return FALSE;
-
- AppDomainFromIDHolder pDomain(m_domainID, FALSE);
- if (pDomain.IsUnloaded())
- return FALSE;
- IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor();
- if (currAppSecDesc == NULL)
- return FALSE;
- return Security::CheckDomainWideSpecialFlag(currAppSecDesc, 1 << SECURITY_FULL_TRUST);
-}
-BOOL AppDomainStackEntry::IsHomogeneousWithNoStackModifiers(void)
-{
- LIMITED_METHOD_CONTRACT;
- if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0)
- return FALSE;
-
- AppDomainFromIDHolder pDomain(m_domainID, FALSE);
- if (pDomain.IsUnloaded())
- return FALSE;
- IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor();
- if (currAppSecDesc == NULL)
- return FALSE;
- return (currAppSecDesc->IsHomogeneous() && !currAppSecDesc->ContainsAnyRefusedPermissions());
-}
-
-BOOL AppDomainStackEntry::HasFlagsOrFullyTrustedWithNoStackModifiers(DWORD flags)
-{
- LIMITED_METHOD_CONTRACT;
- if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0)
- return FALSE;
-
- AppDomainFromIDHolder pDomain(m_domainID, FALSE);
- if (pDomain.IsUnloaded())
- return FALSE;
- IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor();
- if (currAppSecDesc == NULL)
- return FALSE;
-
- // either the desired flag (often 0) or fully trusted will do
- flags |= (1<<SECURITY_FULL_TRUST);
- return Security::CheckDomainWideSpecialFlag(currAppSecDesc, flags);
-}
-
-BOOL AppDomainStack::AllDomainsHomogeneousWithNoStackModifiers()
-{
- WRAPPER_NO_CONTRACT;
-
- // Used primarily by CompressedStack code to decide if a CS has to be constructed
-
- DWORD dwAppDomainIndex = 0;
-
-
- InitDomainIteration(&dwAppDomainIndex);
- while (dwAppDomainIndex != 0)
- {
- AppDomainStackEntry* pEntry = GetNextDomainEntryOnStack(&dwAppDomainIndex);
- _ASSERTE(pEntry != NULL);
-
- if (!pEntry->IsHomogeneousWithNoStackModifiers() && !pEntry->IsFullyTrustedWithNoStackModifiers())
- return FALSE;
- }
-
- return TRUE;
-}
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-// Appdomainstack.h -
-//
-
-
-//
-
-
-#ifndef __appdomainstack_h__
-#define __appdomainstack_h__
-
-#include "vars.hpp"
-#include "util.hpp"
-
-
-// Stack of AppDomains executing on the current thread. Used in security optimization to avoid stackwalks
-#define ADSTACK_BLOCK_SIZE 16
-#define INVALID_APPDOMAIN_ID ((DWORD)-1)
-#define CURRENT_APPDOMAIN_ID ((ADID)(DWORD)0)
-#define __GetADID(index) ((index)<ADSTACK_BLOCK_SIZE?m_pStack[(index)].m_domainID:m_pExtraStack[((index)-ADSTACK_BLOCK_SIZE)].m_domainID)
-#define __GetEntryPtr(index) ((index)<ADSTACK_BLOCK_SIZE?&(m_pStack[(index)]):&(m_pExtraStack[((index)-ADSTACK_BLOCK_SIZE)]))
-
-struct AppDomainStackEntry
-{
- ADID m_domainID;
- DWORD m_dwOverridesCount;
- DWORD m_dwAsserts;
- DWORD m_dwPreviousThreadWideSpecialFlags;
-
- FORCEINLINE bool operator==(const AppDomainStackEntry& entry) const
- {
- return (m_domainID == entry.m_domainID &&
- m_dwOverridesCount == entry.m_dwOverridesCount &&
- m_dwAsserts == entry.m_dwAsserts);
- }
- FORCEINLINE bool operator!=(const AppDomainStackEntry& entry) const
- {
- return (m_domainID != entry.m_domainID ||
- m_dwOverridesCount != entry.m_dwOverridesCount ||
- m_dwAsserts != entry.m_dwAsserts);
-
- }
- BOOL IsFullyTrustedWithNoStackModifiers(void);
- BOOL IsHomogeneousWithNoStackModifiers(void);
- BOOL HasFlagsOrFullyTrustedWithNoStackModifiers(DWORD flags);
-};
-
-class AppDomainStack
-{
-public:
- AppDomainStack() : m_numEntries(0), m_pExtraStack(NULL), m_ExtraStackSize(0), m_dwOverridesCount(0), m_dwAsserts(0), m_dwThreadWideSpecialFlags(0xFFFFFFFF)
- {
- LIMITED_METHOD_CONTRACT;
- FillEntries(m_pStack, ADSTACK_BLOCK_SIZE);
- }
-
- AppDomainStack(const AppDomainStack& stack):m_numEntries(0), m_pExtraStack(NULL), m_ExtraStackSize(0), m_dwOverridesCount(0), m_dwAsserts(0)
- {
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- m_dwThreadWideSpecialFlags = stack.m_dwThreadWideSpecialFlags;
- m_numEntries = stack.m_numEntries;
- m_dwOverridesCount = stack.m_dwOverridesCount;
- m_dwAsserts = stack.m_dwAsserts;
- LOG((LF_APPDOMAIN, LL_INFO100, "copy ctor: m_dwAsserts:%d stack.m_dwAsserts:%d\n",m_dwAsserts, stack.m_dwAsserts));
- memcpy(m_pStack, stack.m_pStack, sizeof( AppDomainStackEntry) * ADSTACK_BLOCK_SIZE);
- // If there is anything stored in the extra allocated space, copy that over
- if (m_numEntries > ADSTACK_BLOCK_SIZE)
- {
- // #blocks to allocate = ceil(numDomains/blocksize) - 1 = ceil ((numdomains - blocksize)/blocksize) = numdomains/blocksize
- DWORD numBlocks = m_numEntries/ADSTACK_BLOCK_SIZE;
- m_ExtraStackSize = numBlocks*ADSTACK_BLOCK_SIZE;
- m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize];
- memcpy(m_pExtraStack, stack.m_pExtraStack, sizeof(AppDomainStackEntry)*(m_numEntries-ADSTACK_BLOCK_SIZE));
- FillEntries((m_pExtraStack+m_numEntries-ADSTACK_BLOCK_SIZE), (m_ExtraStackSize -(m_numEntries-ADSTACK_BLOCK_SIZE)));
- }
- }
-
- ~AppDomainStack()
- {
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- } CONTRACTL_END;
- if (m_pExtraStack != NULL)
- delete[] m_pExtraStack;
- m_pExtraStack = NULL;
- m_ExtraStackSize = 0;
- }
-
- bool operator!= (const AppDomainStack& stack) const
- {
- return !(*this == stack);
- }
-
- bool operator== (const AppDomainStack& stack) const
- {
- LIMITED_METHOD_CONTRACT;
- if (this == &stack) // degenerate case: comparing with self
- return true;
- if (this->m_numEntries != stack.m_numEntries ||
- this->m_dwAsserts != stack.m_dwAsserts ||
- this->m_dwOverridesCount != stack.m_dwOverridesCount)
- return false;
- for (unsigned i =0; i < stack.m_numEntries; i++)
- {
- if (i < ADSTACK_BLOCK_SIZE)
- {
- if (this->m_pStack[i] != stack.m_pStack[i])
- return false;
- }
- else
- {
- if (this->m_pExtraStack[i-ADSTACK_BLOCK_SIZE] != stack.m_pExtraStack[i-ADSTACK_BLOCK_SIZE])
- return false;
- }
- }
- return true;
- }
- inline AppDomainStack& operator =(const AppDomainStack& stack)
- {
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // Degenerate case (assigning x = x)
- if (this == &stack)
- return *this;
-
- m_dwThreadWideSpecialFlags = stack.m_dwThreadWideSpecialFlags;
- m_numEntries = stack.m_numEntries;
- m_dwOverridesCount = stack.m_dwOverridesCount;
- m_dwAsserts = stack.m_dwAsserts;
- LOG((LF_APPDOMAIN, LL_INFO100, "= operator : m_dwAsserts:%d stack.m_dwAsserts:%d\n",m_dwAsserts, stack.m_dwAsserts));
- memcpy(m_pStack, stack.m_pStack, sizeof( AppDomainStackEntry) * ADSTACK_BLOCK_SIZE);
- // If there is anything stored in the extra allocated space, copy that over
- if (m_numEntries > ADSTACK_BLOCK_SIZE)
- {
- // #blocks to allocate = ceil(numDomains/blocksize) - 1 = ceil ((numdomains - blocksize)/blocksize) = numdomains/blocksize
- DWORD numBlocks = m_numEntries/ADSTACK_BLOCK_SIZE;
- if (m_ExtraStackSize < numBlocks*ADSTACK_BLOCK_SIZE)
- {
- // free ptr if it exists
- if (m_pExtraStack != NULL)
- delete[] m_pExtraStack;
- m_pExtraStack = NULL;
-
- m_ExtraStackSize = numBlocks*ADSTACK_BLOCK_SIZE;
- m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize];
- }
-
- memset(m_pExtraStack, 0xFF, sizeof(ADID) * numBlocks);
- memcpy(m_pExtraStack, stack.m_pExtraStack, sizeof(AppDomainStackEntry)*(m_numEntries-ADSTACK_BLOCK_SIZE));
- FillEntries((m_pExtraStack+m_numEntries-ADSTACK_BLOCK_SIZE), (m_ExtraStackSize -(m_numEntries-ADSTACK_BLOCK_SIZE)));
- }
-
- return *this;
- }
-
- inline void PushDomain(ADID pDomain);
- inline ADID PopDomain();
-
- inline void InitDomainIteration(DWORD *pIndex) const;
- // Gets the next AD on the stack
- inline ADID GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts) const;
- inline AppDomainStackEntry* GetNextDomainEntryOnStack(DWORD *pIndex);
- inline AppDomainStackEntry* GetCurrentDomainEntryOnStack(DWORD pIndex);
- // Updates the asserts/overrides on the next AD on the stack
- inline void UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides);
- inline DWORD GetNumDomains() const;
- inline void ClearDomainStack();
- inline DWORD GetThreadWideSpecialFlag() const;
- inline DWORD IncrementOverridesCount();
- inline DWORD DecrementOverridesCount();
- inline DWORD GetOverridesCount();
- inline DWORD GetInnerAppDomainOverridesCount();
- inline DWORD IncrementAssertCount();
- inline DWORD DecrementAssertCount();
- inline DWORD GetAssertCount();
- inline DWORD GetInnerAppDomainAssertCount();
- bool IsDefaultSecurityInfo() const;
- BOOL AllDomainsHomogeneousWithNoStackModifiers();
-
-private:
- inline void AddMoreDomains(void);
- inline AppDomainStackEntry* ReadTopOfStack();
- void UpdateStackFromEntries();
- static void FillEntries(AppDomainStackEntry ptr[], DWORD size)
- {
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- }CONTRACTL_END;
- _ASSERTE(ptr != NULL);
- DWORD i;
- const AppDomainStackEntry tmp_entry = {ADID(INVALID_APPDOMAIN_ID), 0, 0};
- for(i=0;i<size;i++)
- ptr[i]=tmp_entry;
- }
-
-#ifdef _DEBUG
- inline void LogADStackUpdate(void);
- void CheckOverridesAssertCounts(); // Debug only code to check that assert count/overrides count are always in sync across adstack
-#endif
-
- DWORD m_numEntries;
- AppDomainStackEntry m_pStack[ADSTACK_BLOCK_SIZE];
- AppDomainStackEntry *m_pExtraStack;
- DWORD m_ExtraStackSize;
- DWORD m_dwOverridesCount; // across all entries
- DWORD m_dwAsserts; // across all entries
- DWORD m_dwThreadWideSpecialFlags; // this flag records the last evaluated thread wide security state
-};
-#endif
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-/*============================================================
-**
-** Header: AppDomainStack.inl
-**
-** Purpose: Implements ADStack inline functions
-**
-
-
-**
-===========================================================*/
-#ifndef _APPDOMAINSTACK_INL
-#define _APPDOMAINSTACK_INL
-
-#include "threads.h"
-#include "appdomain.hpp"
-#include "appdomainstack.h"
-#include "security.h"
-
-
-#ifndef DACCESS_COMPILE
-
-#ifdef _DEBUG
-#define LogADStackUpdateIfDebug LogADStackUpdate()
-inline void AppDomainStack::LogADStackUpdate(void)
-{
- LIMITED_METHOD_CONTRACT;
- for (int i=m_numEntries-1; i >= 0; i--) {
- AppDomainStackEntry* pEntry = __GetEntryPtr(i);
-
- LOG((LF_APPDOMAIN, LL_INFO100, " stack[%d]: AppDomain id[%d] Overrides[%d] Asserts[%d] \n", i,
- pEntry->m_domainID.m_dwId, pEntry->m_dwOverridesCount, pEntry->m_dwAsserts));
- }
-}
-
-#else
-#define LogADStackUpdateIfDebug
-#endif
-
-inline void AppDomainStack::AddMoreDomains(void)
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- // Need to allocate a bigger block for pMoreDomains
- AppDomainStackEntry *tmp = m_pExtraStack;
- m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize + ADSTACK_BLOCK_SIZE];
- memcpy(m_pExtraStack, tmp, sizeof(AppDomainStackEntry)*(m_ExtraStackSize));
- FillEntries((m_pExtraStack+m_ExtraStackSize), ADSTACK_BLOCK_SIZE);
- m_ExtraStackSize+= ADSTACK_BLOCK_SIZE;
- delete[] tmp; // free the old block
-
-}
-inline void AppDomainStack::PushDomain(ADID pDomain)
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PushDomain (%d), count now %d\n", pDomain.m_dwId, m_numEntries+1));
-
- //
- // When entering a new AppDomain, we need to update the thread wide
- // state with the intersection of the current and the new AppDomains flags.
- // This is because the old AppDomain could have loaded new assemblies
- // that are not yet reflected in the thread wide state, and the thread
- // could then execute code in that new Assembly.
- // We save the old thread wide state in the AppDomainStackEntry so we
- // can restore it when we pop the stack entry.
- //
-
- // The pushed domain could be the default AppDomain (which is the starting
- // AppDomain for all threads), in which case we don't need to intersect
- // with the flags from the previous AppDomain.
- Thread* pThread = GetThread();
- if (pThread)
- m_dwThreadWideSpecialFlags &= pThread->GetDomain()->GetSecurityDescriptor()->GetDomainWideSpecialFlag();
-
- if (m_numEntries == ADSTACK_BLOCK_SIZE + m_ExtraStackSize)
- {
- AddMoreDomains();
- }
-
- _ASSERTE(m_numEntries < ADSTACK_BLOCK_SIZE + m_ExtraStackSize);
- if (m_numEntries < ADSTACK_BLOCK_SIZE)
- {
- m_pStack[m_numEntries].m_domainID = pDomain;
- m_pStack[m_numEntries].m_dwAsserts = 0;
- m_pStack[m_numEntries].m_dwOverridesCount = 0;
- m_pStack[m_numEntries].m_dwPreviousThreadWideSpecialFlags = m_dwThreadWideSpecialFlags;
- }
- else
- {
- m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_domainID = pDomain ;
- m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwAsserts = 0;
- m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwOverridesCount = 0;
- m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwPreviousThreadWideSpecialFlags = m_dwThreadWideSpecialFlags;
- }
-
- if (pThread) {
- AppDomainFromIDHolder pAppDomain(pDomain, TRUE);
- if (!pAppDomain.IsUnloaded())
- m_dwThreadWideSpecialFlags &= pAppDomain->GetSecurityDescriptor()->GetDomainWideSpecialFlag();
- }
-
- m_numEntries++;
-
- LogADStackUpdateIfDebug;
-}
-
-inline ADID AppDomainStack::PopDomain()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- }
- CONTRACTL_END;
-
- ADID pRet = (ADID)INVALID_APPDOMAIN_ID;
- _ASSERTE(m_numEntries > 0);
- if (m_numEntries > 0)
- {
- m_numEntries--;
- AppDomainStackEntry ret_entry;
- const AppDomainStackEntry reset_entry = {ADID(INVALID_APPDOMAIN_ID), 0, 0};
-
- if (m_numEntries < ADSTACK_BLOCK_SIZE)
- {
- ret_entry = m_pStack[m_numEntries];
- m_pStack[m_numEntries] = reset_entry;
- }
- else
- {
- ret_entry = m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE];
- m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE] = reset_entry;
- }
- pRet=ret_entry.m_domainID;
-
- LOG((LF_APPDOMAIN, LL_INFO100, "PopDomain: Popping pRet.m_dwId [%d] m_dwAsserts:%d ret_entry.m_dwAsserts:%d. New m_dwAsserts:%d\n",
- pRet.m_dwId, m_dwAsserts,ret_entry.m_dwAsserts, (m_dwAsserts-ret_entry.m_dwAsserts)));
-
- m_dwAsserts -= ret_entry.m_dwAsserts;
- m_dwOverridesCount -= ret_entry.m_dwOverridesCount;
-#ifdef _DEBUG
- CheckOverridesAssertCounts();
-#endif
-
- //
- // When leaving an AppDomain, we need to update the thread wide state by
- // restoring to the state we were in before entering the AppDomain
- //
-
- m_dwThreadWideSpecialFlags = ret_entry.m_dwPreviousThreadWideSpecialFlags;
-
- LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PopDomain popping [%d] count now %d\n",
- pRet.m_dwId , m_numEntries));
- }
- else
- {
- LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PopDomain count now %d (error pop)\n", m_numEntries));
- }
-
- LogADStackUpdateIfDebug;
- return pRet;
-}
-#endif // DACCESS_COMPILE
-
-inline DWORD AppDomainStack::GetNumDomains() const
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(m_numEntries >= 1);
- return m_numEntries;
-}
-
-inline DWORD AppDomainStack::GetThreadWideSpecialFlag() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwThreadWideSpecialFlags;
-}
-
-inline DWORD AppDomainStack::IncrementOverridesCount()
-{
-
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- SO_TOLERANT;// Yes, we update global state here, but at worst we have an incorrect overrides count that will be updated the next
- }CONTRACTL_END; // time we run any code that leads to UpdateOverrides. And I don't see even how that can happen: it doesn't look possible
- // for use to take an SO between the update and when we return to managed code.
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
- ++(pEntry->m_dwOverridesCount);
- return ++m_dwOverridesCount;
-}
-inline DWORD AppDomainStack::DecrementOverridesCount()
-{
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- SO_TOLERANT;
- }CONTRACTL_END;
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
- _ASSERTE(pEntry->m_dwOverridesCount > 0);
- _ASSERTE(m_dwOverridesCount > 0);
- if (pEntry->m_dwOverridesCount > 0 && m_dwOverridesCount > 0)
- {
- --(pEntry->m_dwOverridesCount);
- return --m_dwOverridesCount;
- }
-
- return 0;
-}
-inline DWORD AppDomainStack::GetOverridesCount()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-#ifdef _DEBUG
- CheckOverridesAssertCounts();
-#endif
- return m_dwOverridesCount;
-}
-
-inline DWORD AppDomainStack::GetInnerAppDomainOverridesCount()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-#ifdef _DEBUG
- CheckOverridesAssertCounts();
-#endif
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
-
- return pEntry->m_dwOverridesCount;
-}
-
-inline DWORD AppDomainStack::IncrementAssertCount()
-{
- LIMITED_METHOD_CONTRACT;
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
- LOG((LF_APPDOMAIN, LL_INFO100, "IncrementAssertCount: m_dwAsserts:%d ADID:%d pEntry:%p pEntry->m_dwAsserts:%d.\n",
- m_dwAsserts, pEntry->m_domainID.m_dwId, pEntry, pEntry->m_dwAsserts));
- ++(pEntry->m_dwAsserts);
- return ++m_dwAsserts;
-}
-inline DWORD AppDomainStack::DecrementAssertCount()
-{
- LIMITED_METHOD_CONTRACT;
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
- _ASSERTE(pEntry->m_dwAsserts > 0);
- _ASSERTE(m_dwAsserts > 0);
- LOG((LF_APPDOMAIN, LL_INFO100, "DecrementAssertCount: m_dwAsserts:%d ADID:%d pEntry:%p pEntry->m_dwAsserts:%d.\n",
- m_dwAsserts, pEntry->m_domainID.m_dwId, pEntry, pEntry->m_dwAsserts));
- --(pEntry->m_dwAsserts);
- return --m_dwAsserts;
-}
-
-inline DWORD AppDomainStack::GetAssertCount()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-#ifdef _DEBUG
- CheckOverridesAssertCounts();
-#endif
-
- return m_dwAsserts;
-}
-
-inline DWORD AppDomainStack::GetInnerAppDomainAssertCount()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-#ifdef _DEBUG
- CheckOverridesAssertCounts();
-#endif
- AppDomainStackEntry *pEntry = ReadTopOfStack();
- _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
-
- return pEntry->m_dwAsserts;
-}
-
-inline void AppDomainStack::InitDomainIteration(DWORD *pIndex) const
-{
- LIMITED_METHOD_CONTRACT;
- *pIndex = m_numEntries;
-}
-
-inline ADID AppDomainStack::GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts) const
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-
- _ASSERTE(*pIndex > 0 && *pIndex <= m_numEntries);
- (*pIndex) --;
- const AppDomainStackEntry *pEntry = __GetEntryPtr(*pIndex);
- if (pOverrides != NULL)
- *pOverrides = pEntry->m_dwOverridesCount;
- if (pAsserts != NULL)
- *pAsserts = pEntry->m_dwAsserts;
- return (ADID)pEntry->m_domainID.m_dwId;
-}
-
-inline AppDomainStackEntry* AppDomainStack::GetCurrentDomainEntryOnStack(DWORD pIndex)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- }
- CONTRACTL_END;
-
- _ASSERTE(pIndex >=0 && pIndex < m_numEntries);
- return __GetEntryPtr(pIndex);
-}
-
-inline AppDomainStackEntry* AppDomainStack::GetNextDomainEntryOnStack(DWORD *pIndex)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-
- _ASSERTE(*pIndex >0 && *pIndex <= m_numEntries);
- (*pIndex) --;
- return __GetEntryPtr(*pIndex);
-}
-
-inline void AppDomainStack::UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- }
- CONTRACTL_END;
- AppDomainStackEntry* entry;
- _ASSERTE(pIndex >=0 && pIndex < m_numEntries);
- entry = __GetEntryPtr(pIndex);
- _ASSERTE(entry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID);
- entry->m_dwAsserts = asserts;
- entry->m_dwOverridesCount = overrides;
- UpdateStackFromEntries();
-
-}
-
-
-inline void AppDomainStack::UpdateStackFromEntries()
-{
- LIMITED_METHOD_CONTRACT;
- DWORD dwAppDomainIndex = 0;
- DWORD dwOverrides = 0;
- DWORD dwAsserts = 0;
- AppDomainStackEntry *pEntry = NULL;
- for(dwAppDomainIndex=0;dwAppDomainIndex<m_numEntries;dwAppDomainIndex++)
- {
- pEntry = __GetEntryPtr(dwAppDomainIndex);
- dwOverrides += pEntry->m_dwOverridesCount;
- dwAsserts += pEntry->m_dwAsserts;
- }
- LOG((LF_APPDOMAIN, LL_INFO100, "UpdateStackFromEntries: m_dwAsserts:%d Calculated dwAsserts:%d.\n",m_dwAsserts,dwAsserts));
-
- m_dwAsserts = dwAsserts;
- m_dwOverridesCount = dwOverrides;
- return;
-}
-
-inline AppDomainStackEntry* AppDomainStack::ReadTopOfStack()
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(m_numEntries > 0);
- AppDomainStackEntry* pEntry = NULL;
- if (m_numEntries <= ADSTACK_BLOCK_SIZE)
- {
- pEntry = &(m_pStack[m_numEntries-1]);
- }
- else
- {
- pEntry = &(m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE-1]);
- }
- return pEntry;
-}
-
-inline bool AppDomainStack::IsDefaultSecurityInfo() const
-{
- LIMITED_METHOD_CONTRACT;
- return (m_numEntries == 1 && m_pStack[0].m_domainID == ADID(DefaultADID) &&
- m_pStack[0].m_dwAsserts == 0 && m_pStack[0].m_dwOverridesCount == 0);
-}
-inline void AppDomainStack::ClearDomainStack()
-{
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- }CONTRACTL_END;
- m_dwThreadWideSpecialFlags = 0xFFFFFFFF;
- m_numEntries = 1;
- FillEntries(m_pStack, ADSTACK_BLOCK_SIZE);
- if (m_pExtraStack != NULL)
- delete[] m_pExtraStack;
- m_pExtraStack = NULL;
- m_ExtraStackSize = 0;
- m_dwOverridesCount = 0;
- LOG((LF_APPDOMAIN, LL_INFO100, "ClearDomainStack: m_dwAsserts:%d setting to 0\n",m_dwAsserts));
- m_dwAsserts = 0;
- m_pStack[0].m_domainID = ADID(DefaultADID);
-}
-
-#endif
#include "cgensys.h"
#include "asmconstants.h"
#include "security.h"
-#include "securitydescriptor.h"
#include "virtualcallstub.h"
#include "gcdump.h"
#include "rtlfunctions.h"
m_winMDStatus(WinMDStatus_Unknown),
m_pManifestWinMDImport(NULL),
#endif // FEATURE_COMINTEROP
- m_pSharedSecurityDesc(NULL),
- m_pTransparencyBehavior(NULL),
m_fIsDomainNeutral(pDomain == SharedDomain::GetDomain()),
#ifdef FEATURE_LOADER_OPTIMIZATION
m_bMissingDependenciesCheckDone(FALSE),
m_pClassLoader = new ClassLoader(this);
m_pClassLoader->Init(pamTracker);
- m_pSharedSecurityDesc = Security::CreateSharedSecurityDescriptor(this);
-
-
COUNTER_ONLY(GetPerfCounters().m_Loading.cAssemblies++);
#ifndef CROSSGEN_COMPILE
if (this->m_fTerminated)
return;
-
- Security::DeleteSharedSecurityDescriptor(m_pSharedSecurityDesc);
- m_pSharedSecurityDesc = NULL;
if (m_pClassLoader != NULL)
{
struct _gc
{
- OBJECTREF granted;
- OBJECTREF denied;
OBJECTREF cultureinfo;
STRINGREF pString;
OBJECTREF orArrayOrContainer;
// Set it as the fallback load context binder for the dynamic assembly being created
pFile->SetFallbackLoadContextBinder(pFallbackLoadContextBinder);
-
- }
-
- AssemblyLoadSecurity loadSecurity;
- // In SilverLight all dynamic assemblies should be transparent and partially trusted, even if they are
- // created by platform assemblies. Thus they should inherit the grant sets from the appdomain not the
- // parent assembly.
- IApplicationSecurityDescriptor *pCurrentDomainSecDesc = ::GetAppDomain()->GetSecurityDescriptor();
- gc.granted = pCurrentDomainSecDesc->GetGrantedPermissionSet();
- DWORD dwSpecialFlags = pCurrentDomainSecDesc->GetSpecialFlags();
-
- // If the dynamic assembly creator did not specify evidence for the newly created assembly, then it
- // should inherit the grant set of the creation assembly.
- if (loadSecurity.m_pAdditionalEvidence == NULL)
- {
-
- loadSecurity.m_pGrantSet = &gc.granted;
- loadSecurity.m_pRefusedSet = &gc.denied;
- loadSecurity.m_dwSpecialFlags = dwSpecialFlags;
}
NewHolder<DomainAssembly> pDomainAssembly;
}
// Create a domain assembly
- pDomainAssembly = new DomainAssembly(pDomain, pFile, &loadSecurity, pLoaderAllocator);
+ pDomainAssembly = new DomainAssembly(pDomain, pFile, pLoaderAllocator);
}
// Start loading process
pAssem->m_dwDynamicAssemblyAccess = args->access;
- // Making the dynamic assembly opportunistically critical in full trust CoreCLR and transparent otherwise.
- if (!GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- {
- args->flags = kTransparentAssembly;
- }
-
- // Fake up a module security descriptor for the assembly.
- TokenSecurityDescriptorFlags tokenFlags = TokenSecurityDescriptorFlags_None;
- if (args->flags & kAllCriticalAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_AllCritical;
- if (args->flags & kAptcaAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_APTCA;
- if (args->flags & kCriticalAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_Critical;
- if (args->flags & kTransparentAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_Transparent;
- if (args->flags & kTreatAsSafeAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_TreatAsSafe;
-
-
-
- _ASSERTE(pAssem->GetManifestModule()->m_pModuleSecurityDescriptor != NULL);
- pAssem->GetManifestModule()->m_pModuleSecurityDescriptor->OverrideTokenFlags(tokenFlags);
-
// Set the additional strong name information
pAssem->SetStrongNameLevel(Assembly::SN_NONE);
// but we allow a couple of exceptions to reduce the compat risk: full trust, caller's own key.
// As usual we treat anonymously hosted dynamic methods as partial trust code.
DomainAssembly* pCallerDomainAssembly = pCallerAssembly->GetDomainAssembly(pCallersDomain);
- if (!pCallerDomainAssembly->GetSecurityDescriptor()->IsFullyTrusted() ||
- pCallerDomainAssembly == pCallersDomain->GetAnonymouslyHostedDynamicMethodsAssembly())
+ if (pCallerDomainAssembly == pCallersDomain->GetAnonymouslyHostedDynamicMethodsAssembly())
{
DWORD cbKey = 0;
const void* pKey = pCallerAssembly->GetPublicKey(&cbKey);
pDomainAssembly->m_level = FILE_ACTIVE;
}
- // Force the transparency of the module to be computed now, so that we can catch any errors due to
- // inconsistent assembly level attributes during the assembly creation call, rather than at some
- // later point.
- pAssem->GetManifestModule()->m_pModuleSecurityDescriptor->VerifyDataComputed();
-
{
CANNOTTHROWCOMPLUSEXCEPTION();
FAULT_FORBID();
GetManifestModule()->SetDomainFile(pDomainAssembly);
- IAssemblySecurityDescriptor *pSec = pDomainAssembly->GetSecurityDescriptor();
-
- GCX_COOP();
- pSec->ResolvePolicy(GetSharedSecurityDescriptor(), pDomainAssembly->ShouldSkipPolicyResolution());
-
} // Assembly::SetDomainAssembly
#endif // #ifndef DACCESS_COMPILE
_ASSERTE(m_pDomain);
return (m_pDomain);
}
-IAssemblySecurityDescriptor *Assembly::GetSecurityDescriptor(AppDomain *pDomain)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- }
- CONTRACTL_END
-
- IAssemblySecurityDescriptor* pSecDesc;
-
- if (pDomain == NULL)
- {
-#ifndef DACCESS_COMPILE
- pDomain = ::GetAppDomain();
-#else //DACCESS_COMPILE
- DacNotImpl();
-#endif //DACCESS_COMPILE
- }
-
- PREFIX_ASSUME(FindDomainAssembly(pDomain) != NULL);
- pSecDesc = FindDomainAssembly(pDomain)->GetSecurityDescriptor();
-
- CONSISTENCY_CHECK(pSecDesc != NULL);
-
- return pSecDesc;
-}
#ifndef DACCESS_COMPILE
-const SecurityTransparencyBehavior *Assembly::GetSecurityTransparencyBehavior()
-{
- CONTRACT(const SecurityTransparencyBehavior *)
- {
- THROWS;
- GC_TRIGGERS;
- POSTCONDITION(CheckPointer(RETVAL));
- }
- CONTRACT_END;
-
- if (m_pTransparencyBehavior == NULL)
- {
- ModuleSecurityDescriptor *pModuleSecurityDescriptor = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(this);
- SetSecurityTransparencyBehavior(SecurityTransparencyBehavior::GetTransparencyBehavior(pModuleSecurityDescriptor->GetSecurityRuleSet()));
- }
-
- RETURN(m_pTransparencyBehavior);
-}
-
-// This method is like GetTransparencyBehavior, but will not attempt to get the transparency behavior if we
-// don't already know it, and therefore may return NULL
-const SecurityTransparencyBehavior *Assembly::TryGetSecurityTransparencyBehavior()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pTransparencyBehavior;
-}
-
-
-// The transparency behavior object passed to this method must have a lifetime of at least as long
-// as the assembly itself.
-void Assembly::SetSecurityTransparencyBehavior(const SecurityTransparencyBehavior *pTransparencyBehavior)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- PRECONDITION(CheckPointer(pTransparencyBehavior));
- PRECONDITION(m_pTransparencyBehavior == NULL || m_pTransparencyBehavior == pTransparencyBehavior);
- }
- CONTRACTL_END;
-
- m_pTransparencyBehavior = pTransparencyBehavior;
-}
-
void Assembly::SetParent(BaseDomain* pParent)
{
LIMITED_METHOD_CONTRACT;
return false;
}
- if (!m_fIsDomainNeutral && !GetSecurityDescriptor(GetDomain()->AsAppDomain())->IsFullyTrusted())
- {
- return false;
- }
-
return m_pFriendAssemblyDescriptor->IgnoresAccessChecksTo(pAccessedAssembly);
}
#endif // FEATURE_LOADER_OPTIMIZATION
-#if defined(FEATURE_CORESYSTEM)
-BOOL Assembly::AllowUntrustedCaller()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END
-
- return ModuleSecurityDescriptor::GetModuleSecurityDescriptor(this)->IsAPTCA();
-}
-#endif // defined(FEATURE_CORESYSTEM)
-
void DECLSPEC_NORETURN Assembly::ThrowTypeLoadException(LPCUTF8 pszFullName, UINT resIDWhy)
{
WRAPPER_NO_CONTRACT;
#define ASSEMBLY_ACCESS_REFLECTION_ONLY 0x04
#define ASSEMBLY_ACCESS_COLLECT 0x8
-// This must match System.Reflection.Emit.DynamicAssemblyFlags in AssemblyBuilder.cs
-enum DynamicAssemblyFlags
-{
- kAllCriticalAssembly = 0x00000001,
- kAptcaAssembly = 0x00000002,
- kCriticalAssembly = 0x00000004,
- kTransparentAssembly = 0x00000008,
- kTreatAsSafeAssembly = 0x00000010
-};
-
struct CreateDynamicAssemblyArgsGC
{
APPDOMAINREF refThis;
- OBJECTREF identity;
ASSEMBLYNAMEREF assemblyName;
- U1ARRAYREF securityRulesBlob;
- U1ARRAYREF aptcaBlob;
LOADERALLOCATORREF loaderAllocator;
};
-// This enumeration must be kept in sync with the managed enum System.Security.SecurityContextSource
-typedef enum
-{
- kCurrentAppDomain = 0,
- kCurrentAssembly
-}
-SecurityContextSource;
-
struct CreateDynamicAssemblyArgs : CreateDynamicAssemblyArgsGC
{
INT32 access;
- DynamicAssemblyFlags flags;
StackCrawlMark* stackMark;
- SecurityContextSource securityContextSource;
};
// An assembly is the unit of deployment for managed code. Typically Assemblies are one to one with files
BOOL GetModuleZapFile(LPCWSTR name, SString &path);
-#if defined(FEATURE_CORESYSTEM)
- BOOL AllowUntrustedCaller();
-#endif // defined(FEATURE_CORESYSTEM)
-
#ifdef LOGGING
LPCWSTR GetDebugName()
{
OBJECTHANDLE GetLoaderAllocatorObjectHandle() { WRAPPER_NO_CONTRACT; return GetLoaderAllocator()->GetLoaderAllocatorObjectHandle(); }
#endif // FEATURE_COLLECTIBLE_TYPES
- IAssemblySecurityDescriptor *GetSecurityDescriptor(AppDomain *pDomain = NULL);
- ISharedSecurityDescriptor *GetSharedSecurityDescriptor() { LIMITED_METHOD_CONTRACT; return m_pSharedSecurityDesc; }
-
-#ifndef DACCESS_COMPILE
- const SecurityTransparencyBehavior *GetSecurityTransparencyBehavior();
- const SecurityTransparencyBehavior *TryGetSecurityTransparencyBehavior();
- void SetSecurityTransparencyBehavior(const SecurityTransparencyBehavior *pTransparencyBehavior);
-#endif // !DACCESS_COMPILE
-
-
BOOL CanBeShared(DomainAssembly *pAsAssembly);
#ifdef FEATURE_LOADER_OPTIMIZATION
IWinMDImport *m_pManifestWinMDImport;
#endif // FEATURE_COMINTEROP
- ISharedSecurityDescriptor* m_pSharedSecurityDesc; // Security descriptor (permission requests, signature etc)
- const SecurityTransparencyBehavior *m_pTransparencyBehavior; // Transparency implementation the assembly uses
-
BOOL m_fIsDomainNeutral;
#ifdef FEATURE_LOADER_OPTIMIZATION
BOOL m_bMissingDependenciesCheckDone;
FCIMPLEND
-FCIMPL4(void, AssemblyNameNative::Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fForIntrospection, CLR_BOOL fRaiseResolveEvent)
+FCIMPL3(void, AssemblyNameNative::Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fRaiseResolveEvent)
{
FCALL_CONTRACT;
}
else if ((hr == FUSION_E_INVALID_NAME) && fRaiseResolveEvent)
{
- Assembly * pAssembly = GetAppDomain()->RaiseAssemblyResolveEvent(&spec, fForIntrospection, FALSE);
+ Assembly * pAssembly = GetAppDomain()->RaiseAssemblyResolveEvent(&spec, FALSE, FALSE);
if (pAssembly == NULL)
{
static FCDECL1(Object*, ToString, Object* refThisUNSAFE);
static FCDECL1(Object*, GetPublicKeyToken, Object* refThisUNSAFE);
static FCDECL1(Object*, EscapeCodeBase, StringObject* filenameUNSAFE);
- static FCDECL4(void, Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fForIntrospection, CLR_BOOL fRaiseResolveEvent);
+ static FCDECL3(void, Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fRaiseResolveEvent);
};
#endif // _AssemblyName_H
-FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
+FCIMPL7(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
StringObject* codeBaseUNSAFE,
- Object* securityUNSAFE,
AssemblyBaseObject* requestingAssemblyUNSAFE,
StackCrawlMark* stackMark,
ICLRPrivBinder * pPrivHostBinder,
CLR_BOOL fThrowOnFileNotFound,
- CLR_BOOL fForIntrospection,
- CLR_BOOL fSuppressSecurityChecks,
INT_PTR ptrLoadContextBinder)
{
FCALL_CONTRACT;
ASSEMBLYNAMEREF assemblyName;
STRINGREF codeBase;
ASSEMBLYREF requestingAssembly;
- OBJECTREF security;
ASSEMBLYREF rv;
} gc;
gc.assemblyName = (ASSEMBLYNAMEREF) assemblyNameUNSAFE;
gc.codeBase = (STRINGREF) codeBaseUNSAFE;
gc.requestingAssembly = (ASSEMBLYREF) requestingAssemblyUNSAFE;
- gc.security = (OBJECTREF) securityUNSAFE;
gc.rv = NULL;
HELPER_METHOD_FRAME_BEGIN_RET_PROTECT(gc);
if (gc.assemblyName == NULL)
COMPlusThrow(kArgumentNullException, W("ArgumentNull_AssemblyName"));
- if (fForIntrospection)
- {
- if (!GetThread()->GetDomain()->IsVerificationDomain())
- GetThread()->GetDomain()->SetIllegalVerificationDomain();
- }
-
Thread * pThread = GetThread();
CheckPointHolder cph(pThread->m_MarshalAlloc.GetCheckpoint()); //hold checkpoint for autorelease
{
if (gc.codeBase == NULL)
COMPlusThrow(kArgumentException, W("Format_StringZeroLength"));
- if ((!fForIntrospection) && CorHost2::IsLoadFromBlocked())
- COMPlusThrow(kFileLoadException, FUSION_E_LOADFROM_BLOCKED);
}
- else if (!fForIntrospection)
+ else
{
// name specified, if immersive ignore the codebase
if (GetThread()->GetDomain()->HasLoadContextHostBinder())
spec.InitializeSpec(&(pThread->m_MarshalAlloc),
&gc.assemblyName,
FALSE,
- fForIntrospection);
+ FALSE);
if (!spec.HasUniqueIdentity())
{ // Insuficient assembly name for binding (e.g. ContentType=WindowsRuntime cannot bind by assembly name)
spec.SetFallbackLoadContextBinderForRequestingAssembly(pRefAssemblyManifestFile->GetFallbackLoadContextBinder());
}
- AssemblyLoadSecurity loadSecurity;
- loadSecurity.m_pAdditionalEvidence = &gc.security;
- loadSecurity.m_fCheckLoadFromRemoteSource = !!(gc.codeBase != NULL);
- loadSecurity.m_fSuppressSecurityChecks = !!fSuppressSecurityChecks;
-
- // If we're in an APPX domain, then all loads from the application will find themselves within the APPX package
- // graph or from a trusted location. However, assemblies within the package may have been marked by Windows as
- // not being from the MyComputer zone, which can trip the LoadFromRemoteSources check. Since we do not need to
- // defend against accidental loads from HTTP for APPX applications, we simply suppress the remote load check.
- if (AppX::IsAppXProcess())
- {
- loadSecurity.m_fCheckLoadFromRemoteSource = false;
- }
-
Assembly *pAssembly;
{
GCX_PREEMP();
- pAssembly = spec.LoadAssembly(FILE_LOADED, &loadSecurity, fThrowOnFileNotFound, FALSE /*fRaisePrebindEvents*/, stackMark);
+ pAssembly = spec.LoadAssembly(FILE_LOADED, fThrowOnFileNotFound, FALSE /*fRaisePrebindEvents*/, stackMark);
}
if (pAssembly != NULL)
}
FCIMPLEND
-Assembly* AssemblyNative::LoadFromBuffer(BOOL fForIntrospection, const BYTE* pAssemblyData, UINT64 uAssemblyLength, const BYTE* pPDBData, UINT64 uPDBLength, StackCrawlMark* stackMark, Object * securityUNSAFE, SecurityContextSource securityContextSource)
-{
- CONTRACTL
- {
- GC_TRIGGERS;
- THROWS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- Assembly *pAssembly;
-
- struct _gc {
- OBJECTREF orefSecurity;
- OBJECTREF granted;
- OBJECTREF denied;
- } gc;
-
- ZeroMemory(&gc, sizeof(gc));
-
- GCPROTECT_BEGIN(gc);
-
- gc.orefSecurity = (OBJECTREF) securityUNSAFE;
-
- if((!fForIntrospection) && CorHost2::IsLoadFromBlocked())
- COMPlusThrow(kFileLoadException, FUSION_E_LOADFROM_BLOCKED);
-
- if (pAssemblyData == NULL)
- COMPlusThrow(kArgumentNullException, W("ArgumentNull_Array"));
-
- if (fForIntrospection) {
- if (!GetThread()->GetDomain()->IsVerificationDomain())
- GetThread()->GetDomain()->SetIllegalVerificationDomain();
- }
-
- // Get caller's assembly so we can extract their codebase and propagate it
- // into the new assembly (which obviously doesn't have one of its own).
-
- AppDomain *pCallersDomain = NULL;
- MethodDesc* pCallerMD = SystemDomain::GetCallersMethod (stackMark, &pCallersDomain);
- Assembly *pCallersAssembly = (pCallerMD ? pCallerMD->GetAssembly() : NULL);
- BOOL fPropagateIdentity = ((!fForIntrospection) && (gc.orefSecurity == NULL));
-
- // Callers assembly can be null if caller is interop
- // @todo: we really don't want to call this assembly "mscorlib" to anyone who asks
- // for its code base. But the required effect here is that it recieves full trust
- // as far as its codebase goes so this should be OK. We really need to allow a
- // "no code base" condition to avoid confusion
- if (pCallersAssembly == NULL) {
- pCallersAssembly = SystemDomain::System()->SystemAssembly();
- } else {
- }
-
- if ((COUNT_T)uAssemblyLength !=uAssemblyLength) // overflow
- ThrowOutOfMemory();
-
- PEAssemblyHolder pFile;
-
- {
- GCX_PREEMP();
-
- CLRPrivBinderLoadFile* pBinderToUse = NULL;
-
- pFile = PEAssembly::OpenMemory(pCallersAssembly->GetManifestFile(),
- pAssemblyData, (COUNT_T)uAssemblyLength,
- fForIntrospection,
- pBinderToUse);
- }
-
- fPropagateIdentity = (fPropagateIdentity && pCallersDomain && pCallersAssembly);
-
- AssemblyLoadSecurity loadSecurity;
- loadSecurity.m_pEvidence = &gc.orefSecurity;
- if (fPropagateIdentity)
- {
- DWORD dwSpecialFlags = 0;
-
- {
- IApplicationSecurityDescriptor *pDomainSecDesc = pCallersDomain->GetSecurityDescriptor();
-
-
-
- gc.granted = pDomainSecDesc->GetGrantedPermissionSet();
- dwSpecialFlags = pDomainSecDesc->GetSpecialFlags();
- }
-
-
- // Instead of resolving policy, the loader should use an inherited grant set
- loadSecurity.m_pGrantSet = &gc.granted;
- loadSecurity.m_pRefusedSet = &gc.denied;
- loadSecurity.m_dwSpecialFlags = dwSpecialFlags;
-
- // if the caller is from another appdomain we wil not be able to get the ssembly's security descriptor
- // but that is ok, since getting a pointer to our AppDomain required full trust
- if (!pCallersDomain->GetSecurityDescriptor()->IsFullyTrusted() ||
- ( pCallersAssembly->FindDomainAssembly(::GetAppDomain()) != NULL && !pCallersAssembly->GetSecurityDescriptor()->IsFullyTrusted()) )
- pFile->VerifyStrongName();
- }
- pAssembly = GetPostPolicyAssembly(pFile, fForIntrospection, &loadSecurity, TRUE);
-
- // perform necessary Transparency checks for this Load(byte[]) call (based on the calling method).
- if (pCallerMD)
- {
- Security::PerformTransparencyChecksForLoadByteArray(pCallerMD, pAssembly->GetSecurityDescriptor());
- }
-
- // In order to assign the PDB image (if present),
- // the resulting assembly's image needs to be exactly the one
- // we created above. We need pointer comparison instead of pe image equivalence
- // to avoid mixed binaries/PDB pairs of other images.
- // This applies to both Desktop CLR and CoreCLR, with or without fusion.
- BOOL fIsSameAssembly = (pAssembly->GetManifestFile()->GetILimage() == pFile->GetILimage());
-
-
- LOG((LF_CLASSLOADER,
- LL_INFO100,
- "\tLoaded in-memory module\n"));
-
- // Setting the PDB info is only applicable for our original assembly.
- // This applies to both Desktop CLR and CoreCLR, with or without fusion.
- if (fIsSameAssembly)
- {
-#ifdef DEBUGGING_SUPPORTED
- // If we were given symbols, save a copy of them.
- // the debugger, load them now).
- if (pPDBData != NULL)
- {
- GCX_PREEMP();
- if ((DWORD)uPDBLength != uPDBLength) // overflow
- ThrowOutOfMemory();
- pAssembly->GetManifestModule()->SetSymbolBytes(pPDBData, (DWORD)uPDBLength);
- }
-#endif // DEBUGGING_SUPPORTED
- }
-
- GCPROTECT_END();
-
- return pAssembly;
-}
-
/* static */
Assembly* AssemblyNative::LoadFromPEImage(ICLRPrivBinder* pBinderContext, PEImage *pILImage, PEImage *pNIImage)
{
PEAssemblyHolder pPEAssembly(PEAssembly::Open(pParentAssembly, assem->GetPEImage(), assem->GetNativePEImage(), pAssembly, FALSE));
- GCX_COOP();
-
- IApplicationSecurityDescriptor *pDomainSecDesc = pCurDomain->GetSecurityDescriptor();
-
- OBJECTREF refGrantedPermissionSet = NULL;
- AssemblyLoadSecurity loadSecurity;
- DomainAssembly *pDomainAssembly = NULL;
-
- // Setup the AssemblyLoadSecurity to perform the assembly load
- GCPROTECT_BEGIN(refGrantedPermissionSet);
-
- loadSecurity.m_dwSpecialFlags = pDomainSecDesc->GetSpecialFlags();
- refGrantedPermissionSet = pDomainSecDesc->GetGrantedPermissionSet();
- loadSecurity.m_pGrantSet = &refGrantedPermissionSet;
-
- pDomainAssembly = pCurDomain->LoadDomainAssembly(&spec, pPEAssembly, FILE_LOADED, &loadSecurity);
- pLoadedAssembly = pDomainAssembly->GetAssembly();
-
- GCPROTECT_END();
-
- RETURN pLoadedAssembly;
+ DomainAssembly *pDomainAssembly = pCurDomain->LoadDomainAssembly(&spec, pPEAssembly, FILE_LOADED);
+ RETURN pDomainAssembly->GetAssembly();
}
/* static */
END_QCALL;
}
-
-/* static */
-Assembly* AssemblyNative::GetPostPolicyAssembly(PEAssembly *pFile,
- BOOL fForIntrospection,
- AssemblyLoadSecurity *pLoadSecurity,
- BOOL fIsLoadByteArray /* = FALSE */)
-{
- CONTRACT(Assembly*)
- {
- MODE_ANY;
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pFile));
- PRECONDITION(CheckPointer(pLoadSecurity));
- POSTCONDITION(CheckPointer(RETVAL));
- }
- CONTRACT_END;
-
- GCX_PREEMP();
-
- if (fIsLoadByteArray)
- {
- PEImage *pPEImage = pFile->GetILimage();
- HRESULT hr = S_OK;
- PTR_AppDomain pCurDomain = GetAppDomain();
- CLRPrivBinderCoreCLR *pTPABinder = pCurDomain->GetTPABinderContext();
-
- _ASSERTE(pCurDomain->GetFusionContext() == pTPABinder);
- hr = pTPABinder->PreBindByteArray(pPEImage, fForIntrospection);
- if (hr == S_OK)
- {
- AssemblySpec spec;
- spec.InitializeSpec(pFile);
-
- // Set the binder associated with the AssemblySpec
- spec.SetBindingContext(pTPABinder);
- RETURN spec.LoadAssembly(FILE_LOADED, pLoadSecurity);
- }
- else
- {
- _ASSERTE(hr != S_FALSE);
- ThrowHR(hr);
- }
- }
-
- RETURN GetAppDomain()->LoadAssembly(NULL, pFile, FILE_LOADED, pLoadSecurity);
-}
-
-
void QCALLTYPE AssemblyNative::GetLocation(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString)
{
QCALL_CONTRACT;
END_QCALL;
}
-FCIMPL1(FC_BOOL_RET, AssemblyNative::IsReflectionOnly, AssemblyBaseObject *pAssemblyUNSAFE)
-{
- FCALL_CONTRACT;
-
- ASSEMBLYREF refAssembly = (ASSEMBLYREF)ObjectToOBJECTREF(pAssemblyUNSAFE);
-
- if (refAssembly == NULL)
- FCThrowRes(kArgumentNullException, W("Arg_InvalidHandle"));
-
- FC_RETURN_BOOL(refAssembly->GetDomainAssembly()->IsIntrospectionOnly());
-}
-FCIMPLEND
-
void QCALLTYPE AssemblyNative::GetType(QCall::AssemblyHandle pAssembly, LPCWSTR wszName, BOOL bThrowOnError, BOOL bIgnoreCase, QCall::ObjectHandleOnStack retType, QCall::ObjectHandleOnStack keepAlive)
{
CONTRACTL
return;
}
-
-void QCALLTYPE AssemblyNative::GetGrantSet(QCall::AssemblyHandle pAssembly, QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- IAssemblySecurityDescriptor *pSecDesc = pAssembly->GetSecurityDescriptor();
-
- {
- GCX_COOP();
-
- pSecDesc->Resolve();
-
- OBJECTREF granted, denied;
-
- granted = pSecDesc->GetGrantedPermissionSet(&denied);
-
- retGranted.Set(granted);
- retDenied.Set(denied);
- }
-
- END_QCALL;
-}
-
-//
-// QCalls to determine if everything introduced by the assembly is either security critical or safe critical
-//
-
-// static
-BOOL QCALLTYPE AssemblyNative::IsAllSecurityCritical(QCall::AssemblyHandle pAssembly)
-{
- QCALL_CONTRACT;
-
- BOOL fIsCritical = FALSE;
-
- BEGIN_QCALL;
-
- fIsCritical = pAssembly->GetSecurityDescriptor()->IsAllCritical();
-
- END_QCALL;
-
- return fIsCritical;
-}
-
-// static
-BOOL QCALLTYPE AssemblyNative::IsAllSecuritySafeCritical(QCall::AssemblyHandle pAssembly)
-{
- QCALL_CONTRACT;
-
- BOOL fIsSafeCritical = FALSE;
-
- BEGIN_QCALL;
-
- fIsSafeCritical = pAssembly->GetSecurityDescriptor()->IsAllSafeCritical();
-
- END_QCALL;
-
- return fIsSafeCritical;
-}
-
-// static
-BOOL QCALLTYPE AssemblyNative::IsAllPublicAreaSecuritySafeCritical(QCall::AssemblyHandle pAssembly)
-{
- QCALL_CONTRACT;
-
- BOOL fIsAllPublicAreaSafeCritical = FALSE;
-
- BEGIN_QCALL;
-
- fIsAllPublicAreaSafeCritical = pAssembly->GetSecurityDescriptor()->IsAllPublicAreaSafeCritical();
-
- END_QCALL;
-
- return fIsAllPublicAreaSafeCritical;
-}
-
-// static
-BOOL QCALLTYPE AssemblyNative::IsAllSecurityTransparent(QCall::AssemblyHandle pAssembly)
-{
- QCALL_CONTRACT;
-
- BOOL fIsTransparent = FALSE;
-
- BEGIN_QCALL;
-
- fIsTransparent = pAssembly->GetSecurityDescriptor()->IsAllTransparent();
-
- END_QCALL;
-
- return fIsTransparent;
-}
-
// return the on disk assembly module for reflection emit. This only works for dynamic assembly.
FCIMPL1(ReflectModuleBaseObject *, AssemblyNative::GetOnDiskAssemblyModule, AssemblyBaseObject* pAssemblyUNSAFE)
{
friend class BaseDomain;
friend class DomainAssembly;
-private:
- static Assembly* GetPostPolicyAssembly(PEAssembly *pFile,
- BOOL fForIntrospection,
- AssemblyLoadSecurity *pLoadSecurity,
- BOOL fIsLoadByteArray = FALSE);
-
- static Assembly* LoadFromBuffer(BOOL fForIntrospection,
- const BYTE* pAssemblyData,
- UINT64 uAssemblyLength,
- const BYTE* pPDBData,
- UINT64 uPDBLength,
- StackCrawlMark* stackMark,
- Object * securityUNSAFE,
- SecurityContextSource securityContextSource);
public:
// static FCALLs
static
static
void QCALLTYPE GetExecutingAssembly(QCall::StackCrawlMarkHandle stackMark, QCall::ObjectHandleOnStack retAssembly);
- static FCDECL10(Object*, Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
+ static FCDECL7(Object*, Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
StringObject* codeBaseUNSAFE,
- Object* securityUNSAFE,
AssemblyBaseObject* requestingAssemblyUNSAFE,
StackCrawlMark* stackMark,
ICLRPrivBinder * pPrivHostBinder,
CLR_BOOL fThrowOnFileNotFound,
- CLR_BOOL fForIntrospection,
- CLR_BOOL fSuppressSecurityChecks,
INT_PTR ptrLoadContextBinder);
//
void QCALLTYPE GetLocation(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString);
static
- FCDECL1(FC_BOOL_RET, IsReflectionOnly, AssemblyBaseObject * pAssemblyUNSAFE);
-
- static
void QCALLTYPE GetCodeBase(QCall::AssemblyHandle pAssembly, BOOL fCopiedName, QCall::StringHandleOnStack retString);
static
static FCDECL1(ReflectModuleBaseObject *, GetOnDiskAssemblyModule, AssemblyBaseObject * pAssemblyUNSAFE);
static FCDECL1(ReflectModuleBaseObject *, GetInMemoryAssemblyModule, AssemblyBaseObject * pAssemblyUNSAFE);
-
- static
- void QCALLTYPE GetGrantSet(QCall::AssemblyHandle pAssembly, QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied);
-
- static
- BOOL QCALLTYPE IsAllSecurityCritical(QCall::AssemblyHandle pAssembly);
-
- static
- BOOL QCALLTYPE IsAllSecuritySafeCritical(QCall::AssemblyHandle pAssembly);
-
- static
- BOOL QCALLTYPE IsAllPublicAreaSecuritySafeCritical(QCall::AssemblyHandle pAssembly);
-
- static
- BOOL QCALLTYPE IsAllSecurityTransparent(QCall::AssemblyHandle pAssembly);
-
static
void QCALLTYPE GetImageRuntimeVersion(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString);
-
- static
- INT64 QCALLTYPE GetHostContext(QCall::AssemblyHandle pAssembly);
//
}
-Assembly *AssemblySpec::LoadAssembly(FileLoadLevel targetLevel, AssemblyLoadSecurity *pLoadSecurity, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark)
+Assembly *AssemblySpec::LoadAssembly(FileLoadLevel targetLevel, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark)
{
CONTRACTL
{
}
CONTRACTL_END;
- DomainAssembly * pDomainAssembly = LoadDomainAssembly(targetLevel, pLoadSecurity, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark);
+ DomainAssembly * pDomainAssembly = LoadDomainAssembly(targetLevel, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark);
if (pDomainAssembly == NULL) {
_ASSERTE(!fThrowOnFileNotFound);
return NULL;
}
DomainAssembly *AssemblySpec::LoadDomainAssembly(FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity,
BOOL fThrowOnFileNotFound,
BOOL fRaisePrebindEvents,
StackCrawlMark *pCallerStackMark)
}
- PEAssemblyHolder pFile(pDomain->BindAssemblySpec(this, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark, pLoadSecurity));
+ PEAssemblyHolder pFile(pDomain->BindAssemblySpec(this, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark));
if (pFile == NULL)
RETURN NULL;
- pAssembly = pDomain->LoadDomainAssembly(this, pFile, targetLevel, pLoadSecurity);
+ pAssembly = pDomain->LoadDomainAssembly(this, pFile, targetLevel);
RETURN pAssembly;
}
StackCrawlMark *pCallerStackMark = NULL );
Assembly *LoadAssembly(FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity = NULL,
BOOL fThrowOnFileNotFound = TRUE,
BOOL fRaisePrebindEvents = TRUE,
StackCrawlMark *pCallerStackMark = NULL);
DomainAssembly *LoadDomainAssembly(FileLoadLevel targetLevel,
- AssemblyLoadSecurity *pLoadSecurity = NULL,
BOOL fThrowOnFileNotFound = TRUE,
BOOL fRaisePrebindEvents = TRUE,
StackCrawlMark *pCallerStackMark = NULL);
}
CONTRACTL_END;
- if(m_pModuleSecurityDescriptor)
- {
- _ASSERTE(m_pModuleSecurityDescriptor->GetModule() == this);
- }
-
PEImageLayout * pNativeImage = GetNativeImage();
ExecutionManager::AddNativeImageRange(dac_cast<TADDR>(pNativeImage->GetBase()), pNativeImage->GetVirtualSize(), this);
{
FastInterlockOr(&m_dwPersistedFlags, LOW_LEVEL_SYSTEM_ASSEMBLY_BY_NAME);
}
-
- _ASSERT(m_pModuleSecurityDescriptor == NULL);
- m_pModuleSecurityDescriptor = new ModuleSecurityDescriptor(this);
}
m_dwTransientFlags &= ~((DWORD)CLASSES_FREED); // Set flag indicating LookupMaps are now in a consistent and destructable state
#endif // FEATURE_PREJIT
{
m_file->Release();
-
- if (m_pModuleSecurityDescriptor)
- delete m_pModuleSecurityDescriptor;
}
// If this module was loaded as domain-specific, then
#ifndef DACCESS_COMPILE
-IAssemblySecurityDescriptor *Module::GetSecurityDescriptor()
-{
- WRAPPER_NO_CONTRACT;
- _ASSERTE(m_pAssembly != NULL);
- return m_pAssembly->GetSecurityDescriptor();
-}
-
#ifndef CROSSGEN_COMPILE
void Module::StartUnload()
{
{
INSTANCE_CHECK;
POSTCONDITION(CheckPointer(RETVAL, NULL_OK));
- PRECONDITION(Security::IsResolved(GetAssembly()));
THROWS;
WRAPPER(GC_TRIGGERS);
MODE_ANY;
#endif // DEBUGGING_SUPPORTED
- // Default policy - only read symbols corresponding to full-trust assemblies.
- // Note that there is no strong (cryptographic) connection between a symbol file and its assembly.
- // The intent here is just to ensure that the common high-risk scenarios (AppLaunch, etc)
- // will never be able to load untrusted PDB files.
- //
- if (GetSecurityDescriptor()->IsFullyTrusted())
- {
- return TRUE;
- }
- return FALSE;
+ return TRUE;
}
// At this point, this is only called when we're creating an appdomain
{
spec.SetWindowsRuntimeType(szWinRtTypeNamespace, szWinRtTypeClassName);
}
- pDomainAssembly = GetAppDomain()->LoadDomainAssembly(&spec, pFile, FILE_LOADED, NULL);
+ pDomainAssembly = GetAppDomain()->LoadDomainAssembly(&spec, pFile, FILE_LOADED);
}
if (pDomainAssembly != NULL)
// not have been fixed up.
if (!pPEAssembly->IsDll() && !pPEAssembly->IsILOnly())
return FALSE;
-
- // If the assembly does not have FullTrust, we should not execute its code.
- if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted())
- return FALSE;
#endif // FEATURE_PREJIT
return TRUE;
DataImage::ITEM_DYNAMIC_STATICS_INFO_TABLE);
}
- // save the module security descriptor
- if (m_pModuleSecurityDescriptor)
- {
- m_pModuleSecurityDescriptor->Save(image);
- }
-
InlineTrackingMap *inlineTrackingMap = image->GetInlineTrackingMap();
if (inlineTrackingMap)
{
}
}
- // fix up module security descriptor
- if (m_pModuleSecurityDescriptor)
- {
- image->FixupPointerField(this, offsetof(Module, m_pModuleSecurityDescriptor));
- m_pModuleSecurityDescriptor->Fixup(image);
- }
- else
- {
- image->ZeroPointerField(this, offsetof(Module, m_pModuleSecurityDescriptor));
- }
-
// If we failed to load some types we need to reset the pointers to the static offset tables so they'll be
// rebuilt at runtime.
if (m_pRegularStaticOffsets != (PTR_DWORD)NGEN_STATICS_ALLCLASSES_WERE_LOADED)
class MethodDesc;
class FieldDesc;
class Crst;
-class IAssemblySecurityDescriptor;
class ClassConverter;
class RefClassWriter;
class ReflectionModule;
class AppDomain;
class DynamicMethodTable;
struct CerPrepInfo;
-class ModuleSecurityDescriptor;
#ifdef FEATURE_PREJIT
class CerNgenRootTable;
struct MethodContextElement;
ClassLoader *GetClassLoader();
PTR_BaseDomain GetDomain();
ReJitManager * GetReJitManager();
- IAssemblySecurityDescriptor* GetSecurityDescriptor();
mdFile GetModuleRef()
{
#endif // defined(FEATURE_PREJIT)
public:
- ModuleSecurityDescriptor* m_pModuleSecurityDescriptor;
-
#if !defined(DACCESS_COMPILE) && defined(FEATURE_PREJIT)
PTR_Assembly GetNativeMetadataAssemblyRefFromCache(DWORD rid)
{
InitializeHeapType((flags & STARTUP_SERVER_GC) != 0);
g_heap_type = (flags & STARTUP_SERVER_GC) == 0 ? GC_HEAP_WKS : GC_HEAP_SVR;
-
-#ifdef FEATURE_LOADER_OPTIMIZATION
- g_dwGlobalSharePolicy = (flags&STARTUP_LOADER_OPTIMIZATION_MASK)>>1;
-#endif
}
#endif // CROSSGEN_COMPILE
StackwalkCache::Init();
- // Start up security
- Security::Start();
-
AppDomain::CreateADUnloadStartEvent();
// In coreclr, clrjit is compiled into it, but SO work in clrjit has not been done.
g_MiniMetaDataBuffMaxSize, MEM_COMMIT, PAGE_READWRITE);
#endif // FEATURE_MINIMETADATA_IN_TRIAGEDUMPS
- // Load mscorsn.dll if the app requested the legacy mode in its configuration file.
- if (g_pConfig->LegacyLoadMscorsnOnStartup())
- IfFailGo(LoadMscorsn());
-
#endif // CROSSGEN_COMPILE
g_fEEStarted = TRUE;
#define MODULE_NON_DYNAMIC_STATICS ((DWORD)-1)
DWORD m_cbModuleDynamicID;
-
- SecurityProperties m_SecProps;
-
#if defined(UNIX_AMD64_ABI) && defined(FEATURE_UNIX_AMD64_STRUCT_PASSING)
// Number of eightBytes in the following arrays
int m_numberEightBytes;
// class is blittable
BOOL IsBlittable();
- //
- // Security properties accessor methods
- //
-
- inline BOOL RequiresLinktimeCheck()
- {
- WRAPPER_NO_CONTRACT;
- PSecurityProperties psp = GetSecurityProperties();
- return psp && psp->RequiresLinktimeCheck();
- }
-
- inline BOOL RequiresLinkTimeCheckHostProtectionOnly()
- {
- WRAPPER_NO_CONTRACT;
- PSecurityProperties psp = GetSecurityProperties();
- return psp && psp->RequiresLinkTimeCheckHostProtectionOnly();
- }
-
- inline BOOL RequiresInheritanceCheck()
- {
- WRAPPER_NO_CONTRACT;
- PSecurityProperties psp = GetSecurityProperties();
- return psp && psp->RequiresInheritanceCheck();
- }
-
- inline BOOL RequiresCasInheritanceCheck()
- {
- WRAPPER_NO_CONTRACT;
- PSecurityProperties psp = GetSecurityProperties();
- return psp && psp->RequiresCasInheritanceCheck();
- }
-
- inline BOOL RequiresNonCasInheritanceCheck()
- {
- WRAPPER_NO_CONTRACT;
- PSecurityProperties psp = GetSecurityProperties();
- return psp && psp->RequiresNonCasInheritanceCheck();
- }
-
-
#ifndef DACCESS_COMPILE
void *operator new(size_t size, LoaderHeap* pHeap, AllocMemTracker *pamTracker);
void Destruct(MethodTable * pMT);
static void GetBestFitMapping(MethodTable * pMT, BOOL *pfBestFitMapping, BOOL *pfThrowOnUnmappableChar);
/*
- * Security attributes for the class are stored here. Do not update this field after the
- * class is constructed without also updating the enum_flag_NoSecurityProperties on the
- * methodtable.
- */
- inline SecurityProperties* GetSecurityProperties()
- {
- LIMITED_METHOD_CONTRACT;
- return HasOptionalFields() ? &GetOptionalFields()->m_SecProps : NULL;
- }
-
-
- /*
* The CorElementType for this class (most classes = ELEMENT_TYPE_CLASS)
*/
public:
m_WinRTRedirectedTypeIndex = WinMDAdapter::RedirectedTypeIndex_Invalid;
#endif // FEATURE_COMINTEROP
m_cbModuleDynamicID = MODULE_NON_DYNAMIC_STATICS;
- m_SecProps = 0;
#if defined(UNIX_AMD64_ABI) && defined(FEATURE_UNIX_AMD64_STRUCT_PASSING)
m_numberEightBytes = 0;
#endif // UNIX_AMD64_ABI && FEATURE_UNIX_AMD64_STRUCT_PASSING
#include "threads.h"
#include "stublink.h"
#include "dllimport.h"
-#include "verifier.hpp"
#include "jitinterface.h"
#include "eeconfig.h"
#include "log.h"
Classification = mcIL;
}
-
-#ifdef _DEBUG
- // We don't allow stack based declarative security on ecalls, fcalls and
- // other special purpose methods implemented by the EE (the interceptor
- // we use doesn't play well with non-jitted stubs).
- if ((Classification == mcFCall || Classification == mcEEImpl) &&
- (IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass())))
- {
- DWORD dwSecFlags;
- DWORD dwNullDeclFlags;
-
- if (IsTdHasSecurity(GetAttrClass()) &&
- SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, GetCl(), &dwSecFlags, &dwNullDeclFlags)))
- {
- CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS),
- "Cannot add stack based declarative security to a class containing an ecall/fcall/special method.");
- }
- if (IsMdHasSecurity(dwMemberAttrs) &&
- SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, tok, &dwSecFlags, &dwNullDeclFlags)))
- {
- CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS),
- "Cannot add stack based declarative security to an ecall/fcall/special method.");
- }
- }
-#endif // _DEBUG
-
// Generic methods should always be mcInstantiated
if (!((numGenericMethodArgs == 0) || ((Classification & mdcClassification) == mcInstantiated)))
{
// Find DomainAssembly * (can be cached if this is too slow to call always)
DomainAssembly * pDomainAssembly = pAppDomain->LoadDomainAssembly(
nullptr, // pIdentity
- pPEAssembly,
- FILE_LOAD_DELIVER_EVENTS,
- nullptr); // pLoadSecurity
+ pPEAssembly,
+ FILE_LOAD_DELIVER_EVENTS);
// Convert the type name into namespace and class name in UTF8
StackSString ssTypeNameWCHAR(wszTypeName);
BOOL fTrustTD = TRUE;
#ifndef DACCESS_COMPILE
CONTRACT_VIOLATION(ThrowsViolation);
- BOOL fVerifyTD = (FoundExportedType != mdTokenNil) &&
- !pClsLdr->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted();
+ BOOL fVerifyTD = FALSE;
// If this is an exported type with a mdTokenNil class token, then then
// exported type did not give a typedefID hint. We won't be able to trust the typedef
// classes/members in app code.
if (m_accessCheckType != kMemberAccess && pTargetMT)
{
- // m_accessCheckType must be kRestrictedMemberAccess if we are running in PT.
- _ASSERTE(GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted() ||
- m_accessCheckType == kRestrictedMemberAccess);
-
if (visibilityCheck && Security::IsTransparencyEnforcementEnabled())
{
// In CoreCLR RMA means visibility checks always succeed if the target is user code.
pOptionalTargetField,
pOptionalTargetType))
{
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pContext->GetCallerMethod(), "Transparent code accessing a critical type, method, or field", pOptionalTargetMethod);
- }
-#endif // _DEBUG
return accessCheckOptions.DemandMemberAccessOrFail(pContext, pTargetMT, FALSE /*visibilityCheck*/);
}
class EEClass;
class Thread;
class EETypeHashTable;
-class IAssemblySecurityDescriptor;
class DynamicResolver;
class SigPointer;
#include "rcwwalker.h"
#include "windowsruntimebufferhelper.h"
#include "winrttypenameconverter.h"
+#include "typestring.h"
#ifdef MDA_SUPPORTED
const int DEBUG_AssertSlots = 50;
}
break;
- CASE_IID_INLINE( enum_IObjectSafety ,0xCB5BDC81,0x93C1,0x11cf,0x8F,0x20,0x00,0x80,0x5F,0x2C,0xD0,0x64)
- {
- // Don't implement IObjectSafety by default.
- // Use IObjectSafety only for IE Hosting or similar hosts
- // which create sandboxed AppDomains.
- // Unconditionally implementing IObjectSafety would allow
- // Untrusted scripts to use managed components.
- // Managed components could implement their own IObjectSafety to
- // override this.
- BOOL bShouldProvideIObjectSafety=FALSE;
- {
- GCX_COOP();
- AppDomainFromIDHolder pDomain(GetDomainID(), FALSE);
- if (!pDomain.IsUnloaded())
- bShouldProvideIObjectSafety=!pDomain->GetSecurityDescriptor()->IsFullyTrusted();
- }
-
- if(bShouldProvideIObjectSafety)
- RETURN QIStandardInterface(enum_IObjectSafety);
- }
- break;
-
CASE_IID_INLINE( enum_IAgileObject ,0x94ea2b94,0xe9cc,0x49e0,0xc0,0xff,0xee,0x64,0xca,0x8f,0x5b,0x90)
{
// Don't implement IAgileObject if we are aggregated, if we are in a non AppX process, if the object explicitly implements IMarshal,
pWrapperCache->Release();
}
-void ComCallWrapper::DoScriptingSecurityCheck()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // If the object is shared or agile, and the current domain doesn't have
- // UmgdCodePermission, we fail the call.
- AppDomain* pCurrDomain = GetThread()->GetDomain();
- ADID currID = pCurrDomain->GetId();
-
- ADID ccwID = m_pSimpleWrapper->GetRawDomainID();
-
- if (currID != ccwID)
- {
- IApplicationSecurityDescriptor* pASD = pCurrDomain->GetSecurityDescriptor();
-
- if (!pASD->CanCallUnmanagedCode())
- Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE);
- }
-}
-
//--------------------------------------------------------------------------
//ComCallWrapper* ComCallWrapper::CreateWrapper(OBJECTREF* ppObj, ComCallWrapperTemplate *pTemplate, ComCallWrapper *pClassCCW)
// this function should be called only with pre-emptive GC disabled
RETURN (LinkedWrapperTerminator == pWrap->m_pNext ? NULL : pWrap->m_pNext);
}
- // Helper to perform a security check for passing out CCWs late-bound to scripting code.
- void DoScriptingSecurityCheck();
-
// Helper to create a wrapper, pClassCCW must be specified if pTemplate->RepresentsVariantInterface()
static ComCallWrapper* CreateWrapper(OBJECTREF* pObj, ComCallWrapperTemplate *pTemplate, ComCallWrapper *pClassCCW);
pMainWrap = pClassCCW;
else
pMainWrap = pWrap;
-
+
pMainWrap->CheckMakeAgile(*ppObj);
-
- // If the object is agile, and this domain doesn't have UmgdCodePermission
- // fail the call.
- if (pMainWrap->GetSimpleWrapper()->IsAgile())
- pMainWrap->DoScriptingSecurityCheck();
pWrap->AddRef();
#include "virtualcallstub.h"
#include "callingconvention.h"
#include "customattribute.h"
+#include "typestring.h"
#include "../md/compiler/custattr.h"
#ifdef FEATURE_COMINTEROP
#include "comcallablewrapper.h"
continue;
}
- if (!COMDelegate::ValidateSecurityTransparency(pCurMethod, gc.refThis->GetTypeHandle().AsMethodTable()))
- {
- // violates security transparency rules, skip.
- continue;
- }
-
// Found the target that matches the signature and satisfies security transparency rules
// Initialize the delegate to point to the target method.
BindToMethod(&gc.refThis,
gc.refThis->GetTypeHandle(),
pInvokeMeth,
flags,
- &fIsOpenDelegate) &&
- COMDelegate::ValidateSecurityTransparency(method, gc.refThis->GetTypeHandle().AsMethodTable()) )
+ &fIsOpenDelegate))
{
// Initialize the delegate to point to the target method.
BindToMethod(&gc.refThis,
pTargetMethod->IsStatic() ? NULL : pInstanceMT,
pTargetMethod);
- // Trip any link demands the target method requires.
- InvokeUtil::CheckLinktimeDemand(&sCtx,
- pTargetMethod);
-
// Ask for skip verification if a delegate over a .ctor or .cctor is requested.
if (pTargetMethod->IsClassConstructorOrCtor())
Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_SKIP_VER);
// The target must be decorated with AllowReversePInvokeCallsAttribute
if (!IsMethodAllowedToSinkReversePInvoke(pMD)) return FALSE;
- return pMD->GetModule()->GetSecurityDescriptor()->IsFullyTrusted();
+ return TRUE;
}
}
// Default:
return IsMethodDescCompatible(instHnd, ftnParentHnd, pFtn, dlgtHnd, pDlgtInvoke, DBF_RelaxedSignature, pfIsOpenDelegate);
}
-
-// This method checks the delegate type transparency rules.
-// It returns TRUE if the transparency rules are obeyed and FALSE otherwise
-//
-// The Partial Trust Silverlight (SL2, SL4, and PT SL5) rule is:
-// 1. Critical delegates can only be bound to critical target methods
-// 2. Transparent/SafeCritical delegates can only be bound to Transparent/SafeCritical target methods
-//
-// The Full Trust Silverlight rule FOR NOW is: anything is allowed
-// The Desktop rule FOR NOW is: anything is allowed
-//
-// This is called by JIT in early bound delegate creation to determine whether the delegate transparency
-// check is POSSIBLY needed. If the code is shared between appdomains of different trust levels, it is
-// possible that the check is needed in some domains but not the others. So we need to made that distinction
-// at run time in JIT_DelegateSecurityCheck.
-
-/* static */
-BOOL COMDelegate::ValidateSecurityTransparency(MethodDesc *pFtn, MethodTable *pdlgMT)
-{
- WRAPPER_NO_CONTRACT;
-
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- return TRUE;
-
- BOOL fCriticalDelegate = Security::IsTypeCritical(pdlgMT) && !Security::IsTypeSafeCritical(pdlgMT);
- BOOL fCriticalTarget = Security::IsMethodCritical(pFtn) && !Security::IsMethodSafeCritical(pFtn);
-
- // returns true if:
- // 1. the delegate is critical and the target method is critical, or
- // 2. the delegate is transparent/safecritical and the target method is transparent/safecritical
- return (fCriticalDelegate == fCriticalTarget);
-}
-
-
BOOL COMDelegate::ValidateBeginInvoke(DelegateEEClass* pClass)
{
CONTRACTL
//@GENERICSVER: new (suitable for generics)
// Method to do static validation of delegate .ctor
static BOOL ValidateCtor(TypeHandle objHnd, TypeHandle ftnParentHnd, MethodDesc *pFtn, TypeHandle dlgtHnd, BOOL *pfIsOpenDelegate);
- static BOOL ValidateSecurityTransparency(MethodDesc *pFtn, MethodTable *pdlgMT); // enforce the transparency rules
private:
static BOOL ValidateBeginInvoke(DelegateEEClass* pClass); // make certain the BeginInvoke method is consistant with the Invoke Method
ENTER_DOMAIN_PTR(pCompilationDomain,ADV_COMPILATION)
{
- if (fForceFulltrustDomain)
- ((ApplicationSecurityDescriptor *)pCompilationDomain->GetSecurityDescriptor())->SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
-
-#ifndef CROSSGEN_COMPILE
-#endif
pCompilationDomain->InitializeDomainContext(TRUE, NULL, NULL);
-#ifndef CROSSGEN_COMPILE
-
- if (!NingenEnabled())
- {
- APPDOMAINREF adRef = (APPDOMAINREF)pCompilationDomain->GetExposedObject();
- GCPROTECT_BEGIN(adRef);
- MethodDescCallSite initializeSecurity(METHOD__APP_DOMAIN__INITIALIZE_DOMAIN_SECURITY);
- ARG_SLOT args[] =
- {
- ObjToArgSlot(adRef),
- ObjToArgSlot(NULL),
- ObjToArgSlot(NULL),
- ObjToArgSlot(NULL),
- static_cast<ARG_SLOT>(FALSE)
- };
- initializeSecurity.Call(args);
- GCPROTECT_END();
- }
-#endif
-
- {
- GCX_PREEMP();
-
- // We load assemblies as domain-bound (However, they're compiled as domain neutral)
-#ifdef FEATURE_LOADER_OPTIMIZATION
- pCompilationDomain->SetSharePolicy(AppDomain::SHARE_POLICY_NEVER);
-#endif // FEATURE_LOADER_OPTIMIZATION
-
- }
-
pCompilationDomain->SetFriendlyName(W("Compilation Domain"));
- if (!NingenEnabled())
- {
- Security::SetDefaultAppDomainProperty(pCompilationDomain->GetSecurityDescriptor());
- pCompilationDomain->GetSecurityDescriptor()->FinishInitialization();
- }
SystemDomain::System()->LoadDomain(pCompilationDomain);
#ifndef CROSSGEN_COMPILE
wzPath,
// If we're explicitly binding to an NGEN image, we do not want the cache
- // this PEImage for use later, as pointers that need fixup (e.g.,
- // Module::m_pModuleSecurityDescriptor) will not be valid for use later.
+ // this PEImage for use later, as pointers that need fixup
// Normal caching is done when we open it "for real" further down when we
// call LoadDomainAssembly().
fExplicitBindToNativeImage ? MDInternalImport_NoCache : MDInternalImport_Default);
return CORINFO_METHOD_HANDLE(pMD);
}
+static BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr)
+{
+ LIMITED_METHOD_CONTRACT;
+ return (IsMdPublic(dwMethodAttr) ||
+ IsMdFamORAssem(dwMethodAttr) ||
+ IsMdFamily(dwMethodAttr));
+}
+
+static BOOL ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass)
+{
+ LIMITED_METHOD_CONTRACT;
+
+ if (fIsGlobalClass)
+ {
+ return TRUE;
+ }
+
+ return (IsTdPublic(dwClassAttr) ||
+ IsTdNestedPublic(dwClassAttr) ||
+ IsTdNestedFamily(dwClassAttr) ||
+ IsTdNestedFamORAssem(dwClassAttr));
+}
+
+static BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD)
+{
+ LIMITED_METHOD_CONTRACT;
+
+ MethodTable * pMT = pMD->GetMethodTable();
+
+ if (!ClassIsVisibleOutsideItsAssembly(pMT->GetAttrClass(), pMT->IsGlobalClass()))
+ return FALSE;
+
+ return MethodIsVisibleOutsideItsAssembly(pMD->GetAttrs());
+}
+
CorCompileILRegion CEEPreloader::GetILRegion(mdMethodDef token)
{
STANDARD_VM_CONTRACT;
}
}
else
- if (Security::MethodIsVisibleOutsideItsAssembly(pMD))
+ if (MethodIsVisibleOutsideItsAssembly(pMD))
{
// We are inlining only leaf methods, except for mscorlib. Thus we can assume that only methods
// visible outside its assembly are likely to be inlined.
InitVSD();
#endif
- Security::SetDefaultAppDomainProperty(GetSecurityDescriptor());
SetCompilationDomain();
if (pFile)
{
- DomainAssembly *pAssembly = GetAppDomain()->LoadDomainAssembly(NULL, pFile, FILE_LOAD_CREATE, NULL);
+ DomainAssembly *pAssembly = GetAppDomain()->LoadDomainAssembly(NULL, pFile, FILE_LOAD_CREATE);
// Note that this can trigger an assembly load (of mscorlib)
pAssembly->GetOptimizedIdentitySignature(&pDependency->signAssemblyDef);
BOOL fThrowOnFileNotFound,
BOOL fRaisePrebindEvents,
StackCrawlMark *pCallerStackMark,
- AssemblyLoadSecurity *pLoadSecurity,
BOOL fUseHostBinderIfAvailable)
{
PEAssembly *pFile = NULL;
fThrowOnFileNotFound,
fRaisePrebindEvents,
pCallerStackMark,
- pLoadSecurity,
fUseHostBinderIfAvailable);
}
EX_HOOK
BOOL fThrowOnFileNotFound,
BOOL fRaisePrebindEvents,
StackCrawlMark *pCallerStackMark = NULL,
- AssemblyLoadSecurity *pLoadSecurity = NULL,
BOOL fUseHostBinderIfAvailable = TRUE) DAC_EMPTY_RET(NULL);
BOOL CanEagerBindToZapFile(Module *targetModule, BOOL limitToHardBindList = TRUE);
GCPROTECT_END();
}
-
-void ResetThreadSecurityState(Thread* pThread)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- if (pThread)
- {
- pThread->ResetSecurityInfo();
- }
-}
-
-// this holder resets our thread's security state
-typedef Holder<Thread*, DoNothing<Thread*>, ResetThreadSecurityState> ThreadSecurityStateHolder;
-
VOID NTAPI RegisterWaitForSingleObjectCallback(PVOID delegateInfo, BOOLEAN TimerOrWaitFired)
{
Thread* pThread = GetThread();
GCX_COOP();
- // this holder resets our thread's security state when exiting this scope
- ThreadSecurityStateHolder secState(pThread);
-
RegisterWaitForSingleObjectCallback_Args args = { ((DelegateInfo*) delegateInfo), TimerOrWaitFired };
ManagedThreadBase::ThreadPool(((DelegateInfo*) delegateInfo)->m_appDomainId, RegisterWaitForSingleObjectCallback_Worker, &args);
pHolderThread = pThread;
}
- ThreadSecurityStateHolder secState(pHolderThread);
-
BindIoCompletion_Args args = {ErrorCode, numBytesTransferred, lpOverlapped, &fProcessed};
appDomain.Release();
ManagedThreadBase::ThreadPool(ADID(overlapped->GetAppDomainId()), BindIoCompletionCallBack_Worker, &args);
GCX_COOP();
- {
- ThreadSecurityStateHolder secState(pThread);
- ManagedThreadBase::ThreadPool(((DelegateInfo*)delegateInfo)->m_appDomainId, AppDomainTimerCallback_Worker, NULL);
- }
-
+ ManagedThreadBase::ThreadPool(((DelegateInfo*)delegateInfo)->m_appDomainId, AppDomainTimerCallback_Worker, NULL);
+
// We should have released all locks.
_ASSERTE(g_fEEShutDown || pThread->m_dwLockCount == 0 || pThread->m_fRudeAborted);
}
static BOOL QCALLTYPE DeleteAppDomainTimer(HANDLE hTimer);
};
-void ResetThreadSecurityState(Thread* pThread);
VOID QueueUserWorkItemManagedCallback(PVOID pArg);
void WINAPI BindIoCompletionCallbackStub(DWORD ErrorCode,
DWORD numBytesTransferred,
DWORD dwErrorCode,
DWORD dwNumBytes);
-// this holder resets our thread's security state
-typedef Holder<Thread*, DoNothing<Thread*>, ResetThreadSecurityState> ThreadSecurityStateHolder;
-
#endif
EX_TRY
#endif
{
- pDomain->SetAppDomainManagerInfo(wszAppDomainManagerAssemblyName,wszAppDomainManagerTypeName,eInitializeNewDomainFlags_None);
-
GCX_COOP();
struct
STRINGREF friendlyName;
PTRARRAYREF propertyNames;
PTRARRAYREF propertyValues;
- STRINGREF sandboxName;
OBJECTREF setupInfo;
OBJECTREF adSetup;
} _gc;
}
}
- if (dwFlags & APPDOMAIN_SECURITY_SANDBOXED)
- {
- _gc.sandboxName = StringObject::NewString(W("Internet"));
- }
- else
- {
- _gc.sandboxName = StringObject::NewString(W("FullTrust"));
- }
-
MethodDescCallSite prepareDataForSetup(METHOD__APP_DOMAIN__PREPARE_DATA_FOR_SETUP);
- ARG_SLOT args[8];
+ ARG_SLOT args[4];
args[0]=ObjToArgSlot(_gc.friendlyName);
args[1]=ObjToArgSlot(NULL);
- args[2]=ObjToArgSlot(NULL);
- args[3]=ObjToArgSlot(NULL);
- //CoreCLR shouldn't have dependencies on parent app domain.
- args[4]=ObjToArgSlot(NULL);
- args[5]=ObjToArgSlot(_gc.sandboxName);
- args[6]=ObjToArgSlot(_gc.propertyNames);
- args[7]=ObjToArgSlot(_gc.propertyValues);
+ args[2]=ObjToArgSlot(_gc.propertyNames);
+ args[3]=ObjToArgSlot(_gc.propertyValues);
_gc.setupInfo=prepareDataForSetup.Call_RetOBJECTREF(args);
spec.Init(szAssemblyName);
Assembly* pAsm=spec.LoadAssembly(FILE_ACTIVE);
- // we have no signature to check so allowing calling partially trusted code
- // can result in an exploit
- if (!pAsm->GetSecurityDescriptor()->IsFullyTrusted())
- ThrowHR(COR_E_SECURITY);
-
TypeHandle th=pAsm->GetLoader()->LoadTypeByNameThrowing(pAsm,NULL,szClassName);
MethodDesc* pMD=NULL;
IHostControl *CorHost2::m_HostControl = NULL;
-LPCWSTR CorHost2::s_wszAppDomainManagerAsm = NULL;
-LPCWSTR CorHost2::s_wszAppDomainManagerType = NULL;
-EInitializeNewDomainFlags CorHost2::s_dwDomainManagerInitFlags = eInitializeNewDomainFlags_None;
-
-
#ifdef _DEBUG
extern void ValidateHostInterface();
#endif
-// fusion's global copy of host assembly manager stuff
-BOOL g_bFusionHosted = FALSE;
-
-/*static*/ BOOL CorHost2::IsLoadFromBlocked() // LoadFrom, LoadFile and Load(byte[]) are blocked in certain hosting scenarios
-{
- LIMITED_METHOD_CONTRACT;
- return FALSE; // as g_pHostAsmList is not defined for CoreCLR; hence above expression will be FALSE.
-}
-
static Volatile<BOOL> fOneOnly = 0;
///////////////////////////////////////////////////////////////////////////////
return hr;
}
-
-LPCWSTR CorHost2::GetAppDomainManagerAsm()
-{
- LIMITED_METHOD_CONTRACT;
- return NULL;
-}
-
-LPCWSTR CorHost2::GetAppDomainManagerType()
-{
- LIMITED_METHOD_CONTRACT;
- return NULL;
-}
-
// static
EInitializeNewDomainFlags CorHost2::GetAppDomainManagerInitializeNewDomainFlags()
{
../pendingload.cpp
../precode.cpp
../olevariant.cpp
- ../security.cpp
- ../securitypolicy.cpp
- ../securityattributes.cpp
- ../securitydeclarative.cpp
- ../securitydeclarativecache.cpp
- ../securitydescriptor.cpp
- ../securitydescriptorappdomain.cpp
- ../securitydescriptorassembly.cpp
- ../securitymeta.cpp
- ../securitytransparentassembly.cpp
../siginfo.cpp
../sigformat.cpp
../simplerwlock.cpp
}
#endif
-//---------------------------------------------------------------------------------------
-//
-// Security-related functions. They are reachable in theory for legacy security attributes. The legacy security
-// attributes should not be used in code running on CoreCLR. We fail fast for number of these just in case somebody
-// tries to use the legacy security attributes.
-//
-
-void SecurityDeclarative::FullTrustInheritanceDemand(Assembly *pTargetAssembly)
-{
- CrossGenNotSupported("FullTrustInheritanceDemand");
-}
-
-void SecurityDeclarative::InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand)
-{
- CrossGenNotSupported("InheritanceLinkDemandCheck");
-}
-
-void ApplicationSecurityDescriptor::PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous)
-{
- // virtual method unreachable in crossgen
- UNREACHABLE();
-}
-
extern "C" UINT_PTR STDCALL GetCurrentIP()
{
return 0;
#include "fcall.h"
#include "assemblynative.hpp"
#include "typeparse.h"
-#include "securityattributes.h"
#include "reflectioninvocation.h"
#include "runtimehandles.h"
+#include "typestring.h"
typedef InlineFactory<InlineSString<64>, 16> SStringFactory;
return retValue;
}
-
-FCIMPL2(VOID, COMCustomAttribute::PushSecurityContextFrame, SecurityContextFrame *pFrame, AssemblyBaseObject *pAssemblyObjectUNSAFE)
-{
- FCALL_CONTRACT;
-
- BEGIN_SO_INTOLERANT_CODE_NOTHROW(GetThread(), FCThrowVoid(kStackOverflowException));
-
- // Adjust frame pointer for the presence of the GSCookie at a negative
- // offset (it's hard for us to express neginfo in the managed definition of
- // the frame).
- pFrame = (SecurityContextFrame*)((BYTE*)pFrame + sizeof(GSCookie));
-
- *((TADDR*)pFrame) = SecurityContextFrame::GetMethodFrameVPtr();
- pFrame->SetAssembly(pAssemblyObjectUNSAFE->GetAssembly());
- *pFrame->GetGSCookiePtr() = GetProcessGSCookie();
- pFrame->Push();
-
- END_SO_INTOLERANT_CODE;
-}
-FCIMPLEND
-
-FCIMPL1(VOID, COMCustomAttribute::PopSecurityContextFrame, SecurityContextFrame *pFrame)
-{
- FCALL_CONTRACT;
-
- BEGIN_SO_INTOLERANT_CODE_NOTHROW(GetThread(), FCThrowVoid(kStackOverflowException));
-
- // Adjust frame pointer for the presence of the GSCookie at a negative
- // offset (it's hard for us to express neginfo in the managed definition of
- // the frame).
- pFrame = (SecurityContextFrame*)((BYTE*)pFrame + sizeof(GSCookie));
-
- pFrame->Pop();
-
- END_SO_INTOLERANT_CODE;
-}
-FCIMPLEND
static FCDECL5(LPVOID, CreateCaObject, ReflectModuleBaseObject* pAttributedModuleUNSAFE, ReflectMethodObject *pMethodUNSAFE, BYTE** ppBlob, BYTE* pEndBlob, INT32* pcNamedArgs);
static FCDECL7(void, GetPropertyOrFieldData, ReflectModuleBaseObject *pModuleUNSAFE, BYTE** ppBlobStart, BYTE* pBlobEnd, STRINGREF* pName, CLR_BOOL* pbIsProperty, OBJECTREF* pType, OBJECTREF* value);
static FCDECL4(VOID, GetSecurityAttributes, ReflectModuleBaseObject *pModuleUNSAFE, DWORD tkToken, CLR_BOOL fAssembly, PTRARRAYREF* ppArray);
- static FCDECL2(VOID, PushSecurityContextFrame, SecurityContextFrame *pFrame, AssemblyBaseObject *pAssemblyObjectUNSAFE);
- static FCDECL1(VOID, PopSecurityContextFrame, SecurityContextFrame *pFrame);
private:
// With IL stubs, we don't have to do anything but ensure the DLL is loaded.
//
- if (!pMD->GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode())
- Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE);
-
if (!pMD->IsZapped())
{
PInvokeStaticSigInfo sigInfo;
#include <shlwapi.h>
#include "security.h"
-#include "securitymeta.h"
#include "invokeutil.h"
#include "eeconfig.h"
#include "dynamicmethod.h"
}
CONTRACTL_END;
- // Check skip verification for loading if required
- if (!GetFile()->CanLoadLibrary())
- {
- DomainAssembly* pDomainAssembly = GetDomainAssembly();
- if (pDomainAssembly->GetSecurityDescriptor()->IsResolved())
- {
- if (Security::CanSkipVerification(pDomainAssembly))
- GetFile()->SetSkipVerification();
- }
- else
- {
- AppDomain *pAppDomain = this->GetAppDomain();
- PEFile *pFile = GetFile();
- _ASSERTE(pFile != NULL);
- PEImage *pImage = pFile->GetILimage();
- _ASSERTE(pImage != NULL);
- _ASSERTE(!pImage->IsFile());
- if (pImage->HasV1Metadata())
- {
- // In V1 case, try to derive SkipVerification status from parents
- do
- {
- PEAssembly * pAssembly = pFile->GetAssembly();
- if (pAssembly == NULL)
- break;
- pFile = pAssembly->GetCreator();
- if (pFile != NULL)
- {
- pAssembly = pFile->GetAssembly();
- // Find matching DomainAssembly for the given PEAsssembly
- // Perf: This does not scale
- AssemblyIterationFlags flags =
- (AssemblyIterationFlags) (kIncludeLoaded | kIncludeLoading | kIncludeExecution);
- AppDomain::AssemblyIterator i = pAppDomain->IterateAssembliesEx(flags);
- CollectibleAssemblyHolder<DomainAssembly *> pDomainAssembly;
-
- while (i.Next(pDomainAssembly.This()))
- {
- if ((pDomainAssembly != NULL) && (pDomainAssembly->GetFile() == pAssembly))
- {
- break;
- }
- }
- if (pDomainAssembly != NULL)
- {
- if (pDomainAssembly->GetSecurityDescriptor()->IsResolved())
- {
- if (Security::CanSkipVerification(pDomainAssembly))
- {
- GetFile()->SetSkipVerification();
- break;
- }
- }
- }
- else
- {
- // Potential Bug: Unable to find DomainAssembly for given PEAssembly
- // In retail build gracefully exit loop
- _ASSERTE(pDomainAssembly != NULL);
- break;
- }
- }
- }
- while (pFile != NULL);
- }
- }
- }
} // DomainFile::PreLoadLibrary
// Note that this is the sole loading function which must be called OUTSIDE THE LOCK, since
COMPlusThrow(kInvalidOperationException, IDS_EE_CODEEXECUTION_IN_INTROSPECTIVE_ASSEMBLY);
}
- if (GetModule()->GetAssembly()->IsSIMDVectorAssembly() &&
- !GetModule()->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted())
- {
- COMPlusThrow(kFileLoadException, IDS_EE_SIMD_PARTIAL_TRUST_DISALLOWED);
- }
-
if(GetFile()->PassiveDomainOnly())
{
// Remove path - location must be hidden for security purposes
// DomainAssembly
//--------------------------------------------------------------------------------
-DomainAssembly::DomainAssembly(AppDomain *pDomain, PEFile *pFile, AssemblyLoadSecurity *pLoadSecurity, LoaderAllocator *pLoaderAllocator)
+DomainAssembly::DomainAssembly(AppDomain *pDomain, PEFile *pFile, LoaderAllocator *pLoaderAllocator)
: DomainFile(pDomain, pFile),
m_pAssembly(NULL),
m_debuggerFlags(DACF_NONE),
m_MissingDependenciesCheckStatus(CMD_Unknown),
- m_fSkipPolicyResolution(pLoadSecurity != NULL && !pLoadSecurity->ShouldResolvePolicy()),
m_fDebuggerUnloadStarted(FALSE),
m_fCollectible(pLoaderAllocator->IsCollectible()),
m_fHostAssemblyPublished(false),
m_hExposedAssemblyObject = NULL;
- NewHolder<IAssemblySecurityDescriptor> pSecurityDescriptorHolder(Security::CreateAssemblySecurityDescriptor(pDomain, this, pLoaderAllocator));
-
- if (pLoadSecurity != NULL)
- {
-
- if (GetFile()->IsSourceGAC())
- {
- // Assemblies in the GAC are not allowed to
- // specify additional evidence. They must always follow default machine policy rules.
-
- // So, we just ignore the evidence. (Ideally we would throw an error, but it would introduce app
- // compat issues.)
- }
- else
- {
- {
- GCX_COOP();
-
-
- // If the assembly being loaded already knows its grant set (for instnace, it's being pushed
- // from the loading assembly), then we can set that up now as well
- if (!pLoadSecurity->ShouldResolvePolicy())
- {
- _ASSERTE(pLoadSecurity->m_pGrantSet != NULL);
-
-
- pSecurityDescriptorHolder->PropagatePermissionSet(
- *pLoadSecurity->m_pGrantSet,
- pLoadSecurity->m_pRefusedSet == NULL ? NULL : *pLoadSecurity->m_pRefusedSet,
- pLoadSecurity->m_dwSpecialFlags);
- }
- }
- }
- }
-
SetupDebuggingConfig();
// Add a Module iterator entry for this assembly.
IfFailThrow(m_Modules.Append(this));
-
- m_pSecurityDescriptor = pSecurityDescriptorHolder.Extract();
}
DomainAssembly::~DomainAssembly()
{
delete m_pAssembly;
}
-
- delete m_pSecurityDescriptor;
}
void DomainAssembly::ReleaseFiles()
#endif // FEATURE_LOADER_OPTIMIZATION
}
-BOOL DomainAssembly::ShouldSkipPolicyResolution()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fSkipPolicyResolution;
-}
-
-
-
// This is where the decision whether an assembly is DomainNeutral (shared) nor not is made.
void DomainAssembly::Allocate()
{
}
CONTRACTL_END;
- // Make sure the security system is happy with this assembly being loaded into the domain
- GetSecurityDescriptor()->CheckAllowAssemblyLoad();
-
AllocMemTracker amTracker;
AllocMemTracker * pamTracker = &amTracker;
class Assembly;
class Module;
class DynamicMethodTable;
-struct AssemblyLoadSecurity;
-
-typedef VPTR(class IAssemblySecurityDescriptor) PTR_IAssemblySecurityDescriptor;
enum FileLoadLevel
{
return PTR_PEAssembly(m_pFile);
}
-
- // Returns security information for the assembly based on the codebase
- void GetSecurityIdentity(SString &codebase, SecZone *pdwZone, DWORD dwFlags, BYTE *pbUniqueID, DWORD *pcbUniqueID);
-
- IAssemblySecurityDescriptor* GetSecurityDescriptor()
- {
- LIMITED_METHOD_CONTRACT;
- return static_cast<IAssemblySecurityDescriptor*>(m_pSecurityDescriptor);
- }
#ifdef FEATURE_LOADER_OPTIMIZATION
public:
public:
~DomainAssembly();
private:
- DomainAssembly(AppDomain *pDomain, PEFile *pFile, AssemblyLoadSecurity *pLoadSecurity, LoaderAllocator *pLoaderAllocator);
+ DomainAssembly(AppDomain *pDomain, PEFile *pFile, LoaderAllocator *pLoaderAllocator);
#endif
// ------------------------------------------------------------
BOOL ShouldLoadDomainNeutral();
BOOL ShouldLoadDomainNeutralHelper();
- BOOL ShouldSkipPolicyResolution();
// ------------------------------------------------------------
// Instance data
private:
LOADERHANDLE m_hExposedAssemblyObject;
- PTR_IAssemblySecurityDescriptor m_pSecurityDescriptor;
PTR_Assembly m_pAssembly;
DebuggerAssemblyControlFlags m_debuggerFlags;
CMD_State m_MissingDependenciesCheckStatus;
ArrayList m_Modules;
- BOOL m_fSkipPolicyResolution;
BOOL m_fDebuggerUnloadStarted;
BOOL m_fCollectible;
Volatile<bool> m_fHostAssemblyPublished;
FCFuncElement("IsComObject", RuntimeTypeHandle::IsComObject)
FCFuncElement("IsValueType", RuntimeTypeHandle::IsValueType)
FCFuncElement("IsInterface", RuntimeTypeHandle::IsInterface)
- QCFuncElement("IsSecurityCritical", RuntimeTypeHandle::IsSecurityCritical)
- QCFuncElement("IsSecuritySafeCritical", RuntimeTypeHandle::IsSecuritySafeCritical)
- QCFuncElement("IsSecurityTransparent", RuntimeTypeHandle::IsSecurityTransparent)
QCFuncElement("_IsVisible", RuntimeTypeHandle::IsVisible)
QCFuncElement("ConstructName", RuntimeTypeHandle::ConstructName)
FCFuncElement("CanCastTo", RuntimeTypeHandle::CanCastTo)
FCFuncElement("GetMethodFromCanonical", RuntimeMethodHandle::GetMethodFromCanonical)
FCFuncElement("IsDynamicMethod", RuntimeMethodHandle::IsDynamicMethod)
FCFuncElement("GetMethodBody", RuntimeMethodHandle::GetMethodBody)
- QCFuncElement("_IsSecurityTransparent", RuntimeMethodHandle::IsSecurityTransparent)
- FCFuncElement("CheckLinktimeDemands", RuntimeMethodHandle::CheckLinktimeDemands)
QCFuncElement("IsCAVisibleFromDecoratedType", RuntimeMethodHandle::IsCAVisibleFromDecoratedType)
FCFuncElement("IsConstructor", RuntimeMethodHandle::IsConstructor)
QCFuncElement("Destroy", RuntimeMethodHandle::Destroy)
FCFuncElement("GetApproxDeclaringType", RuntimeFieldHandle::GetApproxDeclaringType)
FCFuncElement("GetToken", RuntimeFieldHandle::GetToken)
FCFuncElement("GetStaticFieldForGenericType", RuntimeFieldHandle::GetStaticFieldForGenericType)
- QCFuncElement("IsSecurityCritical", RuntimeFieldHandle::IsSecurityCritical)
- QCFuncElement("IsSecuritySafeCritical", RuntimeFieldHandle::IsSecuritySafeCritical)
- QCFuncElement("IsSecurityTransparent", RuntimeFieldHandle::IsSecurityTransparent)
FCFuncElement("AcquiresContextFromThis", RuntimeFieldHandle::AcquiresContextFromThis)
- QCFuncElement("CheckAttributeAccess", RuntimeFieldHandle::CheckAttributeAccess)
FCFuncEnd()
QCFuncElement("GetEntryAssembly", AssemblyNative::GetEntryAssembly)
FCFuncEnd()
-
-
FCFuncStart(gAppDomainFuncs)
FCFuncElement("IsStringInterned", AppDomainNative::IsStringInterned)
FCFuncElement("IsUnloadingForcedFinalize", AppDomainNative::IsUnloadingForcedFinalize)
-#ifdef FEATURE_LOADER_OPTIMIZATION
- FCFuncElement("UpdateLoaderOptimization", AppDomainNative::UpdateLoaderOptimization)
-#endif // FEATURE_LOADER_OPTIMIZATION
- QCFuncElement("DisableFusionUpdatesFromADManager", AppDomainNative::DisableFusionUpdatesFromADManager)
#ifdef FEATURE_APPX
QCFuncElement("nGetAppXFlags", AppDomainNative::GetAppXFlags)
#endif
- QCFuncElement("GetAppDomainManagerType", AppDomainNative::GetAppDomainManagerType)
- QCFuncElement("SetAppDomainManagerType", AppDomainNative::SetAppDomainManagerType)
FCFuncElement("nGetFriendlyName", AppDomainNative::GetFriendlyName)
- QCFuncElement("SetSecurityHomogeneousFlag", AppDomainNative::SetSecurityHomogeneousFlag)
- QCFuncElement("SetupDomainSecurity", AppDomainNative::SetupDomainSecurity)
FCFuncElement("nSetupFriendlyName", AppDomainNative::SetupFriendlyName)
-#if FEATURE_COMINTEROP
- FCFuncElement("nSetDisableInterfaceCache", AppDomainNative::SetDisableInterfaceCache)
-#endif // FEATURE_COMINTEROP
FCFuncElement("nGetAssemblies", AppDomainNative::GetAssemblies)
FCFuncElement("nCreateContext", AppDomainNative::CreateContext)
FCFuncElement("GetId", AppDomainNative::GetId)
FCFuncElement("GetOrInternString", AppDomainNative::GetOrInternString)
- QCFuncElement("GetGrantSet", AppDomainNative::GetGrantSet)
QCFuncElement("nSetupBindingPaths", AppDomainNative::SetupBindingPaths)
QCFuncElement("nSetNativeDllSearchDirectories", AppDomainNative::SetNativeDllSearchDirectories)
FCFuncElement("IsFinalizingForUnload", AppDomainNative::IsFinalizingForUnload)
QCFuncElement("GetSimpleName", AssemblyNative::GetSimpleName)
QCFuncElement("GetVersion", AssemblyNative::GetVersion)
FCFuncElement("FCallIsDynamic", AssemblyNative::IsDynamic)
- FCFuncElement("_nLoad", AssemblyNative::Load)
+ FCFuncElement("nLoad", AssemblyNative::Load)
QCFuncElement("GetType", AssemblyNative::GetType)
QCFuncElement("GetManifestResourceInfo", AssemblyNative::GetManifestResourceInfo)
QCFuncElement("GetModules", AssemblyNative::GetModules)
QCFuncElement("GetExportedTypes", AssemblyNative::GetExportedTypes)
FCFuncElement("GetManifestResourceNames", AssemblyNative::GetManifestResourceNames)
QCFuncElement("GetEntryPoint", AssemblyNative::GetEntryPoint)
- QCFuncElement("IsAllSecurityTransparent", AssemblyNative::IsAllSecurityTransparent)
- QCFuncElement("IsAllSecurityCritical", AssemblyNative::IsAllSecurityCritical)
QCFuncElement("GetImageRuntimeVersion", AssemblyNative::GetImageRuntimeVersion)
- FCFuncElement("IsReflectionOnly", AssemblyNative::IsReflectionOnly)
FCFuncElement("GetManifestModule", AssemblyHandle::GetManifestModule)
FCFuncElement("GetToken", AssemblyHandle::GetToken)
FCFuncEnd()
FCFuncElement("_RunClassConstructor", ReflectionInvocation::RunClassConstructor)
FCFuncElement("_RunModuleConstructor", ReflectionInvocation::RunModuleConstructor)
QCFuncElement("_CompileMethod", ReflectionInvocation::CompileMethod)
- FCFuncElement("PrepareContractedDelegate", ReflectionInvocation::PrepareContractedDelegate)
- FCFuncElement("ProbeForSufficientStack", ReflectionInvocation::ProbeForSufficientStack)
FCFuncElement("ExecuteCodeWithGuaranteedCleanup", ReflectionInvocation::ExecuteCodeWithGuaranteedCleanup)
FCFuncElement("GetHashCode", ObjectNative::GetHashCode)
FCFuncElement("Equals", ObjectNative::Equals)
FCFuncElement("InternalSet", MarshalNative::GCHandleInternalSet)
FCFuncElement("InternalCompareExchange", MarshalNative::GCHandleInternalCompareExchange)
FCFuncElement("InternalAddrOfPinnedObject", MarshalNative::GCHandleInternalAddrOfPinnedObject)
- FCFuncElement("InternalCheckDomain", MarshalNative::GCHandleInternalCheckDomain)
FCFuncEnd()
-FCFuncStart(gVersioningHelperFuncs)
- FCFuncElement("GetRuntimeId", GetRuntimeId_Wrapper)
-FCFuncEnd()
-
FCFuncStart(gStreamFuncs)
FCFuncElement("HasOverriddenBeginEndRead", StreamNative::HasOverriddenBeginEndRead)
FCFuncElement("HasOverriddenBeginEndWrite", StreamNative::HasOverriddenBeginEndWrite)
#ifdef FEATURE_COMINTEROP
FCClassElement("Variant", "System", gVariantFuncs)
#endif
-FCClassElement("VersioningHelper", "System.Runtime.Versioning", gVersioningHelperFuncs)
FCClassElement("WaitHandle", "System.Threading", gWaitHandleFuncs)
FCClassElement("WeakReference", "System", gWeakReferenceFuncs)
FCClassElement("WeakReference`1", "System", gWeakReferenceOfTFuncs)
fLegacyComVTableLayout = false;
fLegacyVirtualMethodCallVerification = false;
fNewComVTableLayout = false;
- iImpersonationPolicy = IMP_DEFAULT;
#ifdef FEATURE_CORRUPTING_EXCEPTIONS
// By default, there is not pre-V4 CSE policy
fLegacyCorruptedStateExceptionsPolicy = false;
#endif // FEATURE_CORRUPTING_EXCEPTIONS
-#ifdef _DEBUG
- fLogTransparencyErrors = false;
-#endif // _DEBUG
- fLegacyLoadMscorsnOnStartup = false;
- fBypassStrongNameVerification = true;
- fGeneratePublisherEvidence = true;
- fEnforceFIPSPolicy = true;
- fLegacyHMACMode = false;
fNgenBindOptimizeNonGac = false;
fStressLog = false;
fCacheBindingFailures = true;
- fDisableFusionUpdatesFromADManager = false;
fDisableCommitThreadStack = false;
fProbeForStackOverflow = true;
// LS in DAC builds. Initialized via the environment variable TestDataConsistency
fTestDataConsistency = false;
#endif
-
- // TlbImp Stuff
- fTlbImpSkipLoading = false;
// In Thread::SuspendThread(), default the timeout to 2 seconds. If the suspension
// takes longer, assert (but keep trying).
fJitVerificationDisable = (GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_JitVerificationDisable, fJitVerificationDisable) != 0);
- fLogTransparencyErrors = CLRConfig::GetConfigValue(CLRConfig::UNSUPPORTED_Security_LogTransparencyErrors) != 0;
-
- // TlbImp stuff
- fTlbImpSkipLoading = (GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_TlbImpSkipLoading, fTlbImpSkipLoading) != 0);
-
iExposeExceptionsInCOM = GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_ExposeExceptionsInCOM, iExposeExceptionsInCOM);
#endif
}
}
-LPCWSTR EEConfig::GetProcessBindingFile()
-{
- LIMITED_METHOD_CONTRACT;
- return g_pszHostConfigFile;
-}
-
-SIZE_T EEConfig::GetSizeOfProcessBindingFile()
-{
- LIMITED_METHOD_CONTRACT;
- return g_dwHostConfigFile;
-}
-
-
bool EEConfig::RequireZap(LPCUTF8 assemblyName) const
{
LIMITED_METHOD_CONTRACT;
OPT_RANDOM,
OPT_DEFAULT = OPT_BLENDED };
-/* Control of impersonation flow:
- FASTFLOW means that impersonation is flowed only if it has been achieved through managed means. This is the default and avoids a kernel call.
- NOFLOW is the Everett default where we don't flow the impersonation at all
- ALWAYSFLOW is the (potentially) slow mode where we will always flow the impersonation, regardless of how it was achieved (managed or p/invoke). Includes
- a kernel call.
- Keep in sync with values in SecurityContext.cs
- */
-enum {
- IMP_FASTFLOW = 0,
- IMP_NOFLOW = 1,
- IMP_ALWAYSFLOW = 2,
- IMP_DEFAULT = IMP_FASTFLOW };
-
enum ParseCtl {
parseAll, // parse entire config file
stopAfterRuntimeSection // stop after <runtime>...</runtime> section
// Returns a bool to indicate if the legacy CSE (pre-v4) behaviour is enabled or not
bool LegacyCorruptedStateExceptionsPolicy(void) const {LIMITED_METHOD_CONTRACT; return fLegacyCorruptedStateExceptionsPolicy; }
#endif // FEATURE_CORRUPTING_EXCEPTIONS
-
- // SECURITY
- unsigned ImpersonationMode(void) const
- {
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- // MODE_ANY;
- SO_TOLERANT;
- } CONTRACTL_END;
- return iImpersonationPolicy ;
- }
- void SetLegacyImpersonationPolicy() { LIMITED_METHOD_CONTRACT; iImpersonationPolicy = IMP_NOFLOW; }
- void SetAlwaysFlowImpersonationPolicy() { LIMITED_METHOD_CONTRACT; iImpersonationPolicy = IMP_ALWAYSFLOW; }
-
-#ifdef _DEBUG
- bool LogTransparencyErrors() const { LIMITED_METHOD_CONTRACT; return fLogTransparencyErrors; }
- bool DisableTransparencyEnforcement() const { LIMITED_METHOD_CONTRACT; return fLogTransparencyErrors; }
-#endif // _DEBUG
-
- void SetLegacyLoadMscorsnOnStartup(bool val) { LIMITED_METHOD_CONTRACT; fLegacyLoadMscorsnOnStartup = val; }
- bool LegacyLoadMscorsnOnStartup(void) const { LIMITED_METHOD_CONTRACT; return fLegacyLoadMscorsnOnStartup; }
- bool BypassTrustedAppStrongNames() const { LIMITED_METHOD_CONTRACT; return fBypassStrongNameVerification; } // See code:AssemblySecurityDescriptor::ResolveWorker#StrongNameBypass
- bool GeneratePublisherEvidence(void) const { LIMITED_METHOD_CONTRACT; return fGeneratePublisherEvidence; }
- bool EnforceFIPSPolicy() const { LIMITED_METHOD_CONTRACT; return fEnforceFIPSPolicy; }
- bool LegacyHMACMode() const { LIMITED_METHOD_CONTRACT; return fLegacyHMACMode; }
#ifdef FEATURE_COMINTEROP
bool ComInsteadOfManagedRemoting() const {LIMITED_METHOD_CONTRACT; return m_fComInsteadOfManagedRemoting; }
bool GenDebuggableCode(void) const {LIMITED_METHOD_CONTRACT; return fDebuggable; }
bool IsStressOn(void) const {LIMITED_METHOD_CONTRACT; return fStressOn; }
int GetAPIThreadStressCount(void) const {LIMITED_METHOD_CONTRACT; return apiThreadStressCount; }
- bool TlbImpSkipLoading() const {LIMITED_METHOD_CONTRACT; return fTlbImpSkipLoading; }
bool ShouldExposeExceptionsInCOMToConsole() const {LIMITED_METHOD_CONTRACT; return (iExposeExceptionsInCOM & 1) != 0; }
bool ShouldExposeExceptionsInCOMToMsgBox() const {LIMITED_METHOD_CONTRACT; return (iExposeExceptionsInCOM & 2) != 0; }
return fUseLegacyIdentityFormat;
}
- inline bool DisableFusionUpdatesFromADManager() const
- {
- LIMITED_METHOD_CONTRACT;
- return fDisableFusionUpdatesFromADManager;
- }
-
inline void SetDisableCommitThreadStack(bool val)
{
LIMITED_METHOD_CONTRACT;
// will come as a result won't matter.
bool fCacheBindingFailures;
bool fUseLegacyIdentityFormat;
- bool fDisableFusionUpdatesFromADManager;
bool fInited; // have we synced to the registry at least once?
// Jit-config
bool fLegacyComHierarchyVisibility; // Old behavior allowing QIs for classes with invisible parents
bool fLegacyComVTableLayout; // Old behavior passing out IClassX interface for IUnknown and IDispatch.
bool fNewComVTableLayout; // New behavior passing out Basic interface for IUnknown and IDispatch.
-
- // SECURITY
- unsigned iImpersonationPolicy; //control flow of impersonation in the SecurityContext. 0=FASTFLOW 1=
-#ifdef _DEBUG
- bool fLogTransparencyErrors; // don't throw on transparency errors, instead log to the CLR log file
-#endif // _DEBUG
- bool fLegacyLoadMscorsnOnStartup; // load mscorsn.dll when starting up the runtime.
- bool fBypassStrongNameVerification; // bypass strong name verification of trusted app assemblies
- bool fGeneratePublisherEvidence; // verify Authenticode signatures of assemblies during load, generating publisher evidence for them
- bool fEnforceFIPSPolicy; // enforce that only FIPS certified crypto algorithms are created if the FIPS machine settting is enabled
- bool fLegacyHMACMode; // HMACSHA384 and HMACSHA512 should default to the Whidbey block size
LPUTF8 pszBreakOnClassLoad; // Halt just before loading this class
DWORD iExposeExceptionsInCOM; // Should we exposed exceptions that will be transformed into HRs?
- // Tlb Tools
- bool fTlbImpSkipLoading;
-
unsigned m_SuspendThreadDeadlockTimeoutMs; // Used in Thread::SuspendThread()
unsigned m_SuspendDeadlockTimeout; // Used in Thread::SuspendRuntime.
public:
HRESULT GetConfiguration_DontUse_(__in_z LPCWSTR pKey, ConfigSearch direction, __deref_out_opt LPCWSTR* value);
- LPCWSTR GetProcessBindingFile(); // All flavors must support this method
- SIZE_T GetSizeOfProcessBindingFile(); // All flavors must support this method
DWORD GetConfigDWORDInternal_DontUse_ (__in_z LPCWSTR name, DWORD defValue, //for getting data in the constructor of EEConfig
DWORD level=(DWORD) REGUTIL::COR_CONFIG_ALL,
#include "common.h"
#include "excep.h"
#include "eehash.h"
-#include "securityattributes.h"
-#include "securitydeclarativecache.h"
#include "stringliteralmap.h"
#include "clsload.hpp"
#include "typectxt.h"
return (HashBytes((const BYTE *) pKey->GetStringBuffer(), pKey->GetCharCount() * sizeof(WCHAR)));
}
-// ============================================================================
-// Permission set hash table helper.
-// ============================================================================
-
-EEHashEntry_t * EEPsetHashTableHelper::AllocateEntry(PsetCacheKey *pKey, BOOL bDeepCopy, void *pHeap)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- INJECT_FAULT(return NULL;);
- }
- CONTRACTL_END
-
- _ASSERTE(!bDeepCopy);
-
- EEHashEntry_t *pEntry;
-
- if (pHeap) {
-
- S_SIZE_T sizeEntry;
- LoaderHeap *pLHeap;
-
- sizeEntry = S_SIZE_T(sizeof (BYTE)) * (S_SIZE_T)SIZEOF_EEHASH_ENTRY +
- (S_SIZE_T)sizeof (PPsetCacheKey);
-
- pLHeap = (LoaderHeap*) pHeap;
-
- pEntry = (EEHashEntry_t *)
- ((void*) pLHeap->AllocMem_NoThrow (sizeEntry));
-
- } else {
- pEntry = (EEHashEntry_t *) new (nothrow)
- BYTE [SIZEOF_EEHASH_ENTRY + sizeof(PPsetCacheKey)];
- }
-
- if (pEntry) {
- *((PPsetCacheKey*)pEntry->Key) = pKey;
- }
-
- return pEntry;
-}
-
-void EEPsetHashTableHelper::DeleteEntry(EEHashEntry_t *pEntry, void *pHeap)
-{
- LIMITED_METHOD_CONTRACT;
-
- //
- // If a heap is present, memory will be reclaimed as part of appdomain
- // unload.
- //
-
- if (pHeap == NULL) {
- delete [] (BYTE*)pEntry;
- }
-
-}
-
-BOOL EEPsetHashTableHelper::CompareKeys(EEHashEntry_t *pEntry, PsetCacheKey *pKey)
-{
- LIMITED_METHOD_CONTRACT;
-
- PsetCacheKey *pThis = *((PPsetCacheKey*)pEntry->Key);
- return pKey->IsEquiv(pThis);
-}
-
-DWORD EEPsetHashTableHelper::Hash(PsetCacheKey *pKey)
-{
- LIMITED_METHOD_CONTRACT;
-
- return pKey->Hash();
-}
-
-PsetCacheKey * EEPsetHashTableHelper::GetKey(EEHashEntry_t *pEntry)
-{
- LIMITED_METHOD_CONTRACT;
-
- PsetCacheKey *pThis = *((PPsetCacheKey*)pEntry->Key);
- return pThis;
-}
-
// ============================================================================
// Instantiation hash table helper.
class ClassLoader;
struct LockOwner;
class NameHandle;
-struct PsetCacheKey;
class SigTypeContext;
-typedef PsetCacheKey* PPsetCacheKey;
-
// The "blob" you get to store in the hash table
typedef PTR_VOID HashDatum;
typedef EEHashTable<EEStringData *, EEUnicodeStringLiteralHashTableHelper, TRUE> EEUnicodeStringLiteralHashTable;
-// Permission set hash table.
-
-class EEPsetHashTableHelper
-{
-public:
- static EEHashEntry_t * AllocateEntry(PsetCacheKey *pKey, BOOL bDeepCopy, AllocationHeap Heap);
- static void DeleteEntry(EEHashEntry_t *pEntry, AllocationHeap Heap);
- static BOOL CompareKeys(EEHashEntry_t *pEntry, PsetCacheKey *pKey);
- static DWORD Hash(PsetCacheKey *pKey);
- static PsetCacheKey *GetKey(EEHashEntry_t *pEntry);
-};
-
-typedef EEHashTable<PsetCacheKey *, EEPsetHashTableHelper, FALSE> EEPsetHashTable;
-
// Generic pointer hash table helper.
#include "finalizerthread.h"
#include "threadsuspend.h"
+#include "typestring.h"
+
#ifndef FEATURE_PAL
#include "dwreport.h"
#endif // !FEATURE_PAL
#include "common.h"
#include "eventpipejsonfile.h"
+#include "typestring.h"
#ifdef _DEBUG
#ifdef FEATURE_PERFTRACING
return TRUE;
}
- // Only SecurityCritical code can handle CE since only they can generate it.
- // Even in full trusted assembly, transparent code cannot generate CE and thus,
- // will not know how to handle it properly.
- //
- // Check if the method in question is SecurityCritical or not.
- MethodSecurityDescriptor mdSec(pMethodDesc);
- fCanMethodHandleSeverity = mdSec.IsCritical();
-
- if (fCanMethodHandleSeverity)
- {
- // Reset the flag to FALSE
- fCanMethodHandleSeverity = FALSE;
-
- // Since the method is Security Critical, now check if it is
- // attributed to handle the CE or not.
- IMDInternalImport *pImport = pMethodDesc->GetMDImport();
- if (pImport != NULL)
- {
- mdMethodDef methodDef = pMethodDesc->GetMemberDef();
- switch(severity)
- {
- case ProcessCorrupting:
- fCanMethodHandleSeverity = (S_OK == pImport->GetCustomAttributeByName(
- methodDef,
- HANDLE_PROCESS_CORRUPTED_STATE_EXCEPTION_ATTRIBUTE,
- NULL,
- NULL));
- break;
- default:
- _ASSERTE(!"Unknown Exception Corruption Severity!");
- break;
- }
+ // Since the method is Security Critical, now check if it is
+ // attributed to handle the CE or not.
+ IMDInternalImport *pImport = pMethodDesc->GetMDImport();
+ if (pImport != NULL)
+ {
+ mdMethodDef methodDef = pMethodDesc->GetMemberDef();
+ switch(severity)
+ {
+ case ProcessCorrupting:
+ fCanMethodHandleSeverity = (S_OK == pImport->GetCustomAttributeByName(
+ methodDef,
+ HANDLE_PROCESS_CORRUPTED_STATE_EXCEPTION_ATTRIBUTE,
+ NULL,
+ NULL));
+ break;
+ default:
+ _ASSERTE(!"Unknown Exception Corruption Severity!");
+ break;
}
}
#endif // !DACCESS_COMPILE
// |
// |
// +-ExceptionFilterFrame - this frame wraps call to exception filter
-// |
-// +-SecurityContextFrame - place the security context of an assembly on the stack to ensure it will be included in security demands
//
//------------------------------------------------------------------------
#if 0
#if defined(_DEBUG)
FRAME_TYPE_NAME(AssumeByrefFromJITStack)
#endif // _DEBUG
-FRAME_TYPE_NAME(SecurityContextFrame)
#undef FRAME_ABSTRACT_TYPE_NAME
#undef FRAME_TYPE_NAME
GSCookie * GetGSCookiePtr() { LIMITED_METHOD_CONTRACT; return &m_gsCookie; }
};
-
-// The frame doesn't represent a transition of any sort, it's simply placed on the stack to represent an assembly that will be found
-// and checked by stackwalking security demands. This can be used in scenarios where an assembly is implicitly controlling a
-// security sensitive operation without being explicitly represented on the stack. For example, an assembly decorating one of its
-// classes or methods with a custom attribute can implicitly cause the ctor or property setters for that attribute to be executed by
-// a third party if they happen to browse the attributes on the assembly.
-// Note: This frame is pushed from managed code, so be sure to keep the layout synchronized with that in
-// bcl\system\reflection\customattribute.cs.
-class SecurityContextFrame : public Frame
-{
- VPTR_VTABLE_CLASS(SecurityContextFrame, Frame)
-
- Assembly *m_pAssembly;
-
-public:
- virtual Assembly *GetAssembly() { LIMITED_METHOD_CONTRACT; return m_pAssembly; }
-
- void SetAssembly(Assembly *pAssembly) { LIMITED_METHOD_CONTRACT; m_pAssembly = pAssembly; }
-
- // Keep as last entry in class
- DEFINE_VTABLE_GETTER_AND_CTOR_AND_DTOR(SecurityContextFrame)
-};
-
//------------------------------------------------------------------------
// These macros GC-protect OBJECTREF pointers on the EE's behalf.
// In between these macros, the GC can move but not discard the protected
#include "common.h"
#include "frameworkexceptionloader.h"
+#include "typeparse.h"
struct ExceptionLocationData
#include "dbginterface.h"
#include "eeprofinterfaces.h"
#include "eeconfig.h"
-#include "securitydeclarative.h"
#ifdef _TARGET_X86_
#include "asmconstants.h"
#endif // _TARGET_X86_
GCX_FORBID();
// Some managed methods, believe it or not, can push capital-F Frames on the Frame chain.
- // The example I've found involves SecurityContextFrame.Push/Pop.
// If this happens, executing the EX_CATCH below will pop it, which is bad.
// So detect that case, pop the explicitly-pushed frame, and push it again after the EX_CATCH.
// (Asserting that there is only 1 such frame!)
return (pCaller == NULL);
}
-BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(MethodTable* pMT)
-{
- WRAPPER_NO_CONTRACT;
-
- return Security::TypeRequiresTransparencyCheck(pMT, true);
-}
-
-BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(MethodDesc* pMD, MethodTable* pInstanceMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (Security::IsMethodCritical(pMD) && !Security::IsMethodSafeCritical(pMD)
- && pMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand())
- return TRUE;
-
- if (pMD->HasMethodInstantiation())
- {
- Instantiation inst = pMD->GetMethodInstantiation();
- for (DWORD i = 0; i < inst.GetNumArgs(); i++)
- {
- TypeHandle th = inst[i];
- if (InvokeUtil::IsCriticalWithConversionToFullDemand(th.GetMethodTableOfElementType()))
- return TRUE;
- }
- }
-
- if (pInstanceMT && InvokeUtil::IsCriticalWithConversionToFullDemand(pInstanceMT))
- return TRUE;
-
- return FALSE;
-}
-
-BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(FieldDesc* pFD, MethodTable* pInstanceMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (Security::IsFieldCritical(pFD) && !Security::IsFieldSafeCritical(pFD)
- && pFD->GetModule()->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand())
- return TRUE;
-
- if (pInstanceMT && InvokeUtil::IsCriticalWithConversionToFullDemand(pInstanceMT))
- return TRUE;
-
- return FALSE;
-}
-
void InvokeUtil::CanAccessClass(RefSecContext* pCtx,
MethodTable* pClass,
BOOL checkAccessForImplicitValueTypeCtor /*= FALSE*/)
}
CONTRACTL_END;
-
InvokeUtil::CheckAccessMethod(pSCtx,
pParentMT,
pInstanceMT,
pMeth);
-
-
- if (pMeth->RequiresLinktimeCheck())
- {
- // The following logic turns link demands on the target method into full
- // stack walks in order to close security holes in poorly written
- // reflection users.
-
-
- struct _gc
- {
- OBJECTREF refClassNonCasDemands;
- OBJECTREF refClassCasDemands;
- OBJECTREF refMethodNonCasDemands;
- OBJECTREF refMethodCasDemands;
- } gc;
- ZeroMemory(&gc, sizeof(gc));
-
- GCPROTECT_BEGIN(gc);
-
- // Fetch link demand sets from all the places in metadata where we might
- // find them (class and method). These might be split into CAS and non-CAS
- // sets as well.
- Security::RetrieveLinktimeDemands(pMeth,
- &gc.refClassCasDemands,
- &gc.refClassNonCasDemands,
- &gc.refMethodCasDemands,
- &gc.refMethodNonCasDemands);
-
- // CAS Link Demands
- if (gc.refClassCasDemands != NULL)
- Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refClassCasDemands);
-
- if (gc.refMethodCasDemands != NULL)
- Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refMethodCasDemands);
-
- // Non-CAS demands are not applied against a grant
- // set, they're standalone.
- if (gc.refClassNonCasDemands != NULL)
- Security::CheckNonCasDemand(&gc.refClassNonCasDemands);
-
- if (gc.refMethodNonCasDemands != NULL)
- Security::CheckNonCasDemand(&gc.refMethodNonCasDemands);
-
- GCPROTECT_END();
-
- if (pMeth->IsNDirect() ||
- (pMeth->IsComPlusCall() && !pMeth->IsInterface()))
- {
- if (Security::IsTransparencyEnforcementEnabled())
- {
- MethodDesc* pmdCaller = pSCtx->GetCallerMethod();
-
- if (pmdCaller != NULL &&
- Security::IsMethodTransparent(pmdCaller))
- {
- ThrowMethodAccessException(pSCtx, pMeth, IDS_E_TRANSPARENT_CALL_NATIVE);
- }
- }
- }
-
- }
-
- // @todo:
- //if (checkSkipVer && !Security::CanSkipVerification(pSCtx->GetCallerMethod()->GetModule()))
- //Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSSKIPVERIFICATION);
- //checkSkipVer is set only when the user tries to invoke a constructor on a existing object.
- if (checkSkipVer)
- {
- if (Security::IsTransparencyEnforcementEnabled())
- {
- MethodDesc *pCallerMD = pSCtx->GetCallerMethod();
-
- // Interop (NULL) caller should be able to skip verification
- if (pCallerMD != NULL &&
- Security::IsMethodTransparent(pCallerMD) &&
- !pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification())
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pMeth, "Attempt by a transparent method to use unverifiable code");
- }
-#endif // _DEBUG
- ThrowMethodAccessException(pCallerMD, pMeth, FALSE, IDS_E_TRANSPARENT_REFLECTION);
- }
- }
-
- }
}
#endif // #ifndef DACCESS_COMPILE
_ASSERTE(canAccess);
}
-// If a method has a linktime demand attached, perform it.
-
-// static
-void InvokeUtil::CheckLinktimeDemand(RefSecContext *pCtx, MethodDesc *pCalleeMD) {
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
-
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END
-
- if (pCalleeMD->RequiresLinktimeCheck())
- {
- MethodDesc* pCallerMD = pCtx->GetCallerMethod();
-
- if (pCallerMD)
- {
- Security::LinktimeCheckMethod(pCallerMD->GetAssembly(), pCalleeMD);
-
- // perform transparency checks as well
- if (Security::RequiresTransparentAssemblyChecks(pCallerMD, pCalleeMD, NULL))
- {
- Security::EnforceTransparentAssemblyChecks(pCallerMD, pCalleeMD);
- }
- }
- }
-}
-
/*static*/
AccessCheckOptions::AccessCheckType InvokeUtil::GetInvocationAccessCheckType(BOOL targetRemoted /*= FALSE*/)
{
if (targetRemoted)
return AccessCheckOptions::kMemberAccess;
- AppDomain * pAppDomain = GetAppDomain();
-
-
- if (pAppDomain->GetSecurityDescriptor()->IsFullyTrusted())
- // Ignore transparency so that reflection invocation is consistenct with LCG.
- // There is no security concern because we are in Full Trust.
- return AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
-
- return AccessCheckOptions::kMemberAccess;
-
+ // Ignore transparency so that reflection invocation is consistenct with LCG.
+ // There is no security concern because we are in Full Trust.
+ return AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
}
#endif // CROSSGEN_COMPILE
MethodTable* pInstanceMT,
FieldDesc* pTargetField);
- // If a method has a linktime demand attached, perform it.
- static void CheckLinktimeDemand(RefSecContext *pCtx, MethodDesc *pMeth);
-
//
// Check to see if the target of a reflection operation is on a remote object
//
return FALSE;
}
- static BOOL IsCriticalWithConversionToFullDemand(MethodTable* pMT);
- static BOOL IsCriticalWithConversionToFullDemand(MethodDesc* pMD, MethodTable* pInstanceMT);
- static BOOL IsCriticalWithConversionToFullDemand(FieldDesc* pFD, MethodTable* pInstanceMT);
-
static AccessCheckOptions::AccessCheckType GetInvocationAccessCheckType(BOOL targetRemoted = FALSE);
static bool IsDangerousMethod(MethodDesc *pMD);
#include "float.h" // for isnan
#include "dbginterface.h"
#include "security.h"
-#include "securitymeta.h"
#include "dllimport.h"
#include "gcheaputilities.h"
#include "comdelegate.h"
HELPER_METHOD_FRAME_BEGIN_ATTRIB_NOPOLL(Frame::FRAME_ATTR_EXCEPTION); // Set up a frame
- Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE);
+ COMPlusThrow(kSecurityException);
HELPER_METHOD_FRAME_END();
}
//
//========================================================================
-NOINLINE HCIMPL2(void, JIT_DelegateSecurityCheck_Internal, CORINFO_CLASS_HANDLE delegateHnd, CORINFO_METHOD_HANDLE calleeMethodHnd)
-{
- FCALL_CONTRACT;
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
-
- TypeHandle delegateType(delegateHnd);
- MethodDesc* pCallee = GetMethod(calleeMethodHnd);
-
- Security::EnforceTransparentDelegateChecks(delegateType.AsMethodTable(), pCallee);
-
- HELPER_METHOD_FRAME_END_POLL();
-}
-HCIMPLEND
-
-#include <optsmallperfcritical.h>
-/*************************************************************/
HCIMPL2(void, JIT_DelegateSecurityCheck, CORINFO_CLASS_HANDLE delegateHnd, CORINFO_METHOD_HANDLE calleeMethodHnd)
{
FCALL_CONTRACT;
-
- // If we're in full trust, then we don't enforce the delegate binding rules
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- {
- return;
- }
-
- // Tailcall to the real implementation
- ENDFORBIDGC();
- HCCALL2(JIT_DelegateSecurityCheck_Internal, delegateHnd, calleeMethodHnd);
}
HCIMPLEND
-#include <optdefault.h>
-
-/*************************************************************/
-//Make sure to allow check of 0 for COMPlus_Security_AlwaysInsertCallout
-NOINLINE HCIMPL4(void, JIT_MethodAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_METHOD_HANDLE calleeMethodHnd, CORINFO_CLASS_HANDLE calleeTypeHnd, CorInfoSecurityRuntimeChecks check)
-{
- FCALL_CONTRACT;
-
- //
- // Verify with the security at runtime whether call is allowed.
- // Throws an exception if the call is not allowed, returns if it is allowed.
- //
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
-
- MethodDesc *pCaller = GetMethod(callerMethodHnd);
- MethodDesc *pCallee = GetMethod(calleeMethodHnd);
- // If we're being called because of a transparency violation (either a standard violation, or an attempt
- // to call a conditional APTCA protected method from transparent code), process that now.
- if (check & CORINFO_ACCESS_SECURITY_TRANSPARENCY)
- {
- Security::EnforceTransparentAssemblyChecks(pCaller, pCallee);
- }
-
- // Also make sure that we have access to the type that the method lives on
- TypeHandle calleeTH(calleeTypeHnd);
- Security::DoSecurityClassAccessChecks(pCaller, calleeTH, check);
-
- // If the method has a generic instantiation, then we also need to do checks on its generic parameters
- if (pCallee->HasMethodInstantiation())
- {
- Instantiation instantiation = pCallee->GetMethodInstantiation();
- for (DWORD i = 0; i < instantiation.GetNumArgs(); i++)
- {
- TypeHandle argTH = instantiation[i];
- if (!argTH.IsGenericVariable())
- {
- Security::DoSecurityClassAccessChecks(pCaller, argTH, check);
- }
- }
- }
-
- HELPER_METHOD_FRAME_END_POLL();
-}
-HCIMPLEND
-
-
-#include <optsmallperfcritical.h>
-/*************************************************************/
-//Make sure to allow check of 0 for COMPlus_Security_AlwaysInsertCallout
HCIMPL4(void, JIT_MethodAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_METHOD_HANDLE calleeMethodHnd, CORINFO_CLASS_HANDLE calleeTypeHnd, CorInfoSecurityRuntimeChecks check)
{
FCALL_CONTRACT;
-
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd);
- _ASSERTE(GetMethod(callerMethodHnd)->IsRestored());
- _ASSERTE(GetMethod(calleeMethodHnd)->IsRestored());
-
-
- // If we don't need to process this callout, then exit early
- if (Security::SecurityCalloutQuickCheck(pCallerMD))
- {
- return;
- }
-
- // Tailcall to the slow helper
- ENDFORBIDGC();
- HCCALL4(JIT_MethodAccessCheck_Internal, callerMethodHnd, calleeMethodHnd, calleeTypeHnd, check);
}
HCIMPLEND
-#include <optdefault.h>
-
-// Slower checks (including failure paths) for determining if a method has runtime access to a field
-NOINLINE HCIMPL3(void, JIT_FieldAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_FIELD_HANDLE calleeFieldHnd, CorInfoSecurityRuntimeChecks check)
-{
- FCALL_CONTRACT;
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
-
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd);
- FieldDesc *pFD = reinterpret_cast<FieldDesc *>(calleeFieldHnd);
-
- // We can get caller checks of 0 if we're in AlwaysInsertCallout mode, so make sure to do all of our
- // work under checks for specific flags
-
- if (check & CORINFO_ACCESS_SECURITY_TRANSPARENCY)
- {
- _ASSERTE(pCallerMD != NULL);
- StaticAccessCheckContext accessContext(pCallerMD);
-
- if (!Security::CheckCriticalAccess(&accessContext, NULL, pFD, NULL))
- {
- ThrowFieldAccessException(pCallerMD, pFD, TRUE, IDS_E_CRITICAL_FIELD_ACCESS_DENIED);
- }
- }
-
- // Also make sure that we have access to the type that the field lives on
- TypeHandle fieldTH(pFD->GetApproxEnclosingMethodTable());
- Security::DoSecurityClassAccessChecks(pCallerMD, fieldTH, check);
-
- HELPER_METHOD_FRAME_END_POLL();
-}
-HCIMPLEND
-
-#include <optsmallperfcritical.h>
-// Check to see if a method has runtime access to a field
HCIMPL3(void, JIT_FieldAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_FIELD_HANDLE calleeFieldHnd, CorInfoSecurityRuntimeChecks check)
{
FCALL_CONTRACT;
- _ASSERTE(GetMethod(callerMethodHnd)->IsRestored());
- _ASSERTE(((FieldDesc*)calleeFieldHnd)->GetEnclosingMethodTable()->IsRestored_NoLogging());
-
- // We want to try to exit JIT_FieldAccessCheck as soon as possible, preferably without
- // entering JIT_FieldAccessCheck_Internal. This method contains only quick checks to see if
- // the access is definately allowed. More complete checks are done in the Internal method.
-
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd);
-
- // If we don't need to process this callout at all, exit early
- if (Security::SecurityCalloutQuickCheck(pCallerMD))
- {
- return;
- }
-
- // If the callout is for conditional APTCA only and we know the target is enabled, then we can also exit
- // early
-
- // We couldn't quickly determine that this access is legal, so tailcall to the slower helper to do some
- // more work to process the access.
- ENDFORBIDGC();
- HCCALL3(JIT_FieldAccessCheck_Internal, callerMethodHnd, calleeFieldHnd, check);
-}
-HCIMPLEND
-#include <optdefault.h>
-
-// Slower checks (including failure paths) for determining if a method has runtime access to a type
-NOINLINE HCIMPL3(void, JIT_ClassAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_CLASS_HANDLE calleeClassHnd, CorInfoSecurityRuntimeChecks check)
-{
- FCALL_CONTRACT;
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
-
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd);
- TypeHandle calleeClassTH(calleeClassHnd);
-
- Security::DoSecurityClassAccessChecks(pCallerMD, calleeClassTH, check);
-
- HELPER_METHOD_FRAME_END_POLL();
}
HCIMPLEND
-#include <optsmallperfcritical.h>
-// Check to see if a method has runtime access to a type
HCIMPL3(void, JIT_ClassAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_CLASS_HANDLE calleeClassHnd, CorInfoSecurityRuntimeChecks check)
{
FCALL_CONTRACT;
- _ASSERTE(GetMethod(callerMethodHnd)->IsRestored());
- _ASSERTE(TypeHandle(calleeClassHnd).IsRestored());
-
- // We want to try to exit JIT_ClassAccessCheck as soon as possible, preferably without
- // entering JIT_ClassAccessCheck_Internal. This method contains only quick checks to see if
- // the access is definately allowed. More complete checks are done in the Internal method.
-
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd);
-
- // If we don't need to prrocess the callout at all, exit early
- if (Security::SecurityCalloutQuickCheck(pCallerMD))
- {
- return;
- }
-
- // If the callout is for conditional APTCA only, and we know the target is enabled, then we can also
- // exit early
-
- // We couldn't quickly determine that this access is legal, so tailcall to the slower helper to do some
- // more work processing the access.
- ENDFORBIDGC();
- HCCALL3(JIT_ClassAccessCheck_Internal, callerMethodHnd, calleeClassHnd, check);
}
HCIMPLEND
-#include <optdefault.h>
-
-NOINLINE HCIMPL2(void, JIT_Security_Prolog_Framed, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc)
-{
- FCALL_CONTRACT;
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
- {
- ASSUME_BYREF_FROM_JIT_STACK_BEGIN(ppFrameSecDesc);
-
- MethodDesc *pCurrent = GetMethod(methHnd_);
-
- g_IBCLogger.LogMethodDescAccess(pCurrent);
-
- // Note: This check is replicated in JIT_Security_Prolog
- if ((pCurrent->IsInterceptedForDeclSecurity() &&
- !(pCurrent->IsInterceptedForDeclSecurityCASDemandsOnly() &&
- SecurityStackWalk::HasFlagsOrFullyTrusted(0)))
- )
- {
- MethodSecurityDescriptor MDSecDesc(pCurrent);
- MethodSecurityDescriptor::LookupOrCreateMethodSecurityDescriptor(&MDSecDesc);
- // Do the Declarative CAS actions check
- DeclActionInfo* pRuntimeDeclActionInfo = MDSecDesc.GetRuntimeDeclActionInfo();
- if (pRuntimeDeclActionInfo != NULL || pCurrent->IsLCGMethod())
- {
- // Tell the debugger not to start on any managed code that we call in this method
- FrameWithCookie<DebuggerSecurityCodeMarkFrame> __dbgSecFrame;
-
- Security::DoDeclarativeActions(pCurrent, pRuntimeDeclActionInfo, ppFrameSecDesc, &MDSecDesc);
-
- // Pop the debugger frame
- __dbgSecFrame.Pop();
- }
- }
-
- ASSUME_BYREF_FROM_JIT_STACK_END();
- }
- HELPER_METHOD_FRAME_END_POLL();
-}
-HCIMPLEND
-
-/*************************************************************/
-#include <optsmallperfcritical.h>
HCIMPL2(void, JIT_Security_Prolog, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc)
{
FCALL_CONTRACT;
-
- //
- // do the security prolog work
- //
-
- MethodDesc *pCurrent = GetMethod(methHnd_);
-
- // Note: This check is replicated in JIT_Security_Prolog_Framed
- if ((pCurrent->IsInterceptedForDeclSecurity() &&
- !(pCurrent->IsInterceptedForDeclSecurityCASDemandsOnly() &&
- SecurityStackWalk::HasFlagsOrFullyTrusted(0)))
- // We don't necessarily need to do work for LCG methods, but we need a frame
- // to find out for sure
- || pCurrent->IsLCGMethod())
- {
- // Tailcall to the slow helper
- ENDFORBIDGC();
- HCCALL2(JIT_Security_Prolog_Framed, methHnd_, ppFrameSecDesc);
- }
}
HCIMPLEND
-#include <optdefault.h>
-/*************************************************************/
-NOINLINE HCIMPL1(void, JIT_VerificationRuntimeCheck_Internal, CORINFO_METHOD_HANDLE methHnd_)
+HCIMPL2(void, JIT_Security_Prolog_Framed, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc)
{
FCALL_CONTRACT;
-
-
- HELPER_METHOD_FRAME_BEGIN_NOPOLL();
- {
- // Transparent methods that contains unverifiable code is not allowed.
- MethodDesc *pMethod = GetMethod(methHnd_);
- SecurityTransparent::ThrowMethodAccessException(pMethod);
- }
- HELPER_METHOD_FRAME_END_POLL();
}
HCIMPLEND
-#include <optsmallperfcritical.h>
-/*************************************************************/
HCIMPL1(void, JIT_VerificationRuntimeCheck, CORINFO_METHOD_HANDLE methHnd_)
{
FCALL_CONTRACT;
-
- if (SecurityStackWalk::HasFlagsOrFullyTrustedIgnoreMode(0))
- return;
- //
- // inject a full-demand for unmanaged code permission at runtime
- // around methods in transparent assembly that contains unverifiable code
- {
- // Tailcall to the slow helper
- ENDFORBIDGC();
- HCCALL1(JIT_VerificationRuntimeCheck_Internal, methHnd_);
- }
-
}
HCIMPLEND
-#include <optdefault.h>
-
//========================================================================
#include "float.h" // for isnan
#include "dbginterface.h"
#include "security.h"
-#include "securitymeta.h"
#include "dllimport.h"
#include "gcheaputilities.h"
#include "comdelegate.h"
}
else if (dwSecurityFlags & DynamicResolver::RestrictedSkipVisibilityChecks)
{
- *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccess;
-
- // For compatibility, don't do transparency checks from dynamic methods in FT CoreCLR.
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
-
+ *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
}
else
{
- // For compatibility, don't do transparency checks from dynamic methods in FT CoreCLR.
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- *pAccessCheckType = AccessCheckOptions::kNormalAccessNoTransparency;
+ *pAccessCheckType = AccessCheckOptions::kNormalAccessNoTransparency;
}
return doAccessCheck;
MODE_PREEMPTIVE;
} CONTRACTL_END;
- CorInfoCanSkipVerificationResult canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP;
-
- JIT_TO_EE_TRANSITION();
-
- MethodDesc* pMD = GetMethod(ftnHnd);
-
-
-#ifdef _DEBUG
- if (g_pConfig->IsVerifierOff())
- {
- canSkipVerif = CORINFO_VERIFICATION_CAN_SKIP;
- }
- else
-#endif // _DEBUG
- {
- canSkipVerif = Security::JITCanSkipVerification(pMD);
- }
-
- EE_TO_JIT_TRANSITION();
-
- return canSkipVerif;
-
+ return CORINFO_VERIFICATION_CAN_SKIP;
}
/*********************************************************************/
MODE_PREEMPTIVE;
} CONTRACTL_END;
- CorInfoCanSkipVerificationResult canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP;
-
- JIT_TO_EE_TRANSITION();
-
- Assembly * pAssem = GetModule(moduleHnd)->GetAssembly();
-
-#ifdef _DEBUG
- if (g_pConfig->IsVerifierOff())
- {
- canSkipVerif = CORINFO_VERIFICATION_CAN_SKIP;
- }
- else
-#endif // _DEBUG
- {
- //
- // fQuickCheckOnly is set only by calls from Zapper::CompileAssembly
- // because that allows us make a determination for the most
- // common full trust scenarios (local machine) without actually
- // resolving policy and bringing in a whole list of assembly
- // dependencies.
- //
- // The scenario of interest here is determing whether or not an
- // assembly MVID comparison is enough when loading an NGEN'd
- // assembly or if a full binary hash comparison must be done.
- //
-
- DomainAssembly * pAssembly = pAssem->GetDomainAssembly();
- canSkipVerif = Security::JITCanSkipVerification(pAssembly);
- }
-
- EE_TO_JIT_TRANSITION();
-
- return canSkipVerif;
+ return CORINFO_VERIFICATION_CAN_SKIP;
}
/*********************************************************************/
TypeHandle callerTypeForSecurity = TypeHandle(pCallerForSecurity->GetMethodTable());
- //This just throws.
- if (pCalleeForSecurity->RequiresLinktimeCheck())
- {
- //hostProtectionAttribute(HPA) can be removed for coreclr mscorlib.dll
- //So if the call to LinktimeCheckMethod() is only b'coz of HPA then skip it
- if (!pCalleeForSecurity->RequiresLinkTimeCheckHostProtectionOnly())
- Security::LinktimeCheckMethod(pCallerForSecurity->GetAssembly(), pCalleeForSecurity);
- }
-
//Passed various link-time checks. Now do access checks.
BOOL doAccessCheck = TRUE;
}
}
}
-
- //Only do this if we're allowed to access the method under any circumstance.
- if (canAccessMethod)
- {
- BOOL fNeedsTransparencyCheck = TRUE;
-
- // All LCG methods are transparent in CoreCLR. When we switch from PT
- // to FT most user assemblies will become opportunistically critical.
- // If a LCG method calls a method in such an assembly it will stop working.
- // To avoid this we allow LCG methods to call user critical code in FT.
- // There is no security concern because the domain is fully trusted anyway.
- // There is nothing the LCG method can do that user code cannot do directly.
- // This is also consistent with the desktop where a transparent->critical
- // access will be converted to a demand and succeed in FT if the caller is
- // level1 and the target is level2.
- // See also AccessCheckOptions::DemandMemberAccess.
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted() && pCallerForSecurity->IsLCGMethod())
- fNeedsTransparencyCheck = FALSE;
-
- if (fNeedsTransparencyCheck)
- {
- CorInfoSecurityRuntimeChecks runtimeChecks = CORINFO_ACCESS_SECURITY_NONE;
-
- // See if transparency requires the runtime check too
- CorInfoIsAccessAllowedResult isCallAllowedResult =
- Security::RequiresTransparentAssemblyChecks(pCallerForSecurity, pCalleeForSecurity, NULL);
-
- if (isCallAllowedResult != CORINFO_ACCESS_ALLOWED)
- runtimeChecks = CORINFO_ACCESS_SECURITY_TRANSPARENCY;
-
- DebugSecurityCalloutStress(getMethodBeingCompiled(), isCallAllowedResult, runtimeChecks);
-
- if (isCallAllowedResult == CORINFO_ACCESS_RUNTIME_CHECK)
- {
- pResult->accessAllowed = CORINFO_ACCESS_RUNTIME_CHECK;
- //Explain the callback to the JIT.
- pResult->callsiteCalloutHelper.helperNum = CORINFO_HELP_METHOD_ACCESS_CHECK;
- pResult->callsiteCalloutHelper.numArgs = 4;
-
- pResult->callsiteCalloutHelper.args[0].Set(CORINFO_METHOD_HANDLE(pCallerForSecurity));
- pResult->callsiteCalloutHelper.args[1].Set(CORINFO_METHOD_HANDLE(pCalleeForSecurity));
- pResult->callsiteCalloutHelper.args[2].Set(CORINFO_CLASS_HANDLE(calleeTypeForSecurity.AsPtr()));
- pResult->callsiteCalloutHelper.args[3].Set(runtimeChecks);
-
- if (IsCompilingForNGen())
- {
- //see code:CEEInfo::getCallInfo for more information.
- if (pCallerForSecurity->ContainsGenericVariables()
- || pCalleeForSecurity->ContainsGenericVariables())
- {
- COMPlusThrowNonLocalized(kNotSupportedException, W("Cannot embed generic MethodDesc"));
- }
- }
- }
- else
- {
- _ASSERTE(pResult->accessAllowed == CORINFO_ACCESS_ALLOWED);
- _ASSERTE(isCallAllowedResult == CORINFO_ACCESS_ALLOWED);
- }
- }
- }
}
-
}
//We're pretty much done at this point. Let's grab the rest of the information that the jit is going to
}
MethodTable* pMT = VMClsHnd.AsMethodTable();
-#ifdef FEATURE_COMINTEROP
- if (pMT->IsComObjectType() && !GetMethod(callerHandle)->GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode())
- {
- // Caller does not have permission to make interop calls. Generate a
- // special helper that will throw a security exception when called.
- result = CORINFO_HELP_SEC_UNMGDCODE_EXCPT;
- }
- else
-#endif // FEATURE_COMINTEROP
- {
- result = getNewHelperStatic(pMT);
- }
+ result = getNewHelperStatic(pMT);
_ASSERTE(result != CORINFO_HELP_UNDEF);
MODE_PREEMPTIVE;
} CONTRACTL_END;
- BOOL isCallAllowed = FALSE;
-
- JIT_TO_EE_TRANSITION();
-
- TypeHandle delegateType(delegateHnd);
- MethodDesc* pCallee = GetMethod(calleeHnd);
-
- isCallAllowed = COMDelegate::ValidateSecurityTransparency(pCallee, delegateType.AsMethodTable());
-
- EE_TO_JIT_TRANSITION();
-
- return isCallAllowed;
+ return TRUE;
}
/*********************************************************************/
FCIMPLEND
// Make sure the handle is accessible from the current domain. (Throw if not.)
-FCIMPL1(VOID, MarshalNative::GCHandleInternalCheckDomain, OBJECTHANDLE handle)
-{
- FCALL_CONTRACT;
-
- if (handle == NULL)
- FCThrowArgumentVoid(W("handle"), W("Argument_ArgumentZero"));
-
- ADIndex index = HndGetHandleTableADIndex(HndGetHandleTable(handle));
-
- if (index.m_dwIndex != 1 && index != GetAppDomain()->GetIndex())
- FCThrowArgumentVoid(W("handle"), W("Argument_HandleLeak"));
-}
-FCIMPLEND
-
-// Make sure the handle is accessible from the current domain. (Throw if not.)
FCIMPL1(INT32, MarshalNative::GCHandleInternalGetHandleType, OBJECTHANDLE handle)
{
FCALL_CONTRACT;
static FCDECL3(VOID, GCHandleInternalSet, OBJECTHANDLE handle, Object *obj, CLR_BOOL isPinned);
static FCDECL4(Object*, GCHandleInternalCompareExchange, OBJECTHANDLE handle, Object *obj, Object* oldObj, CLR_BOOL isPinned);
static FCDECL1(LPVOID, GCHandleInternalAddrOfPinnedObject, OBJECTHANDLE handle);
- static FCDECL1(VOID, GCHandleInternalCheckDomain, OBJECTHANDLE handle);
static FCDECL1(INT32, GCHandleInternalGetHandleType, OBJECTHANDLE handle);
static FCDECL2(Object*, GetDelegateForFunctionPointerInternal, LPVOID FPtr, ReflectClassBaseObject* refTypeUNSAFE);
#include "stublink.h"
#include "ecall.h"
#include "dllimport.h"
-#include "verifier.hpp"
#include "jitinterface.h"
#include "eeconfig.h"
#include "log.h"
DEFINE_METASIG(SM(ArrByte_Bool_RetObj, a(b) F, j))
DEFINE_METASIG(SM(ArrByte_ArrByte_RefObj_RetObj, a(b) a(b) r(j), j))
DEFINE_METASIG_T(SM(PtrSByt_Int_Int_Encoding_RetStr, P(B) i i C(ENCODING), s))
-DEFINE_METASIG_T(SM(Evidence_RetEvidence, C(EVIDENCE), C(EVIDENCE)))
-DEFINE_METASIG_T(SM(Evidence_Asm_RetEvidence, C(EVIDENCE) C(ASSEMBLY), C(EVIDENCE)))
-DEFINE_METASIG_T(IM(Evidence_RetVoid, C(EVIDENCE), v))
DEFINE_METASIG_T(SM(Void_RetRuntimeTypeHandle, _, g(RT_TYPE_HANDLE)))
DEFINE_METASIG(SM(Void_RetIntPtr, _, I))
// App Domain related defines
DEFINE_METASIG(IM(Bool_Str_Str_ArrStr_ArrStr_RetVoid, F s s a(s) a(s), v))
-DEFINE_METASIG_T(IM(LoaderOptimization_RetVoid, g(LOADER_OPTIMIZATION), v))
-DEFINE_METASIG_T(IM(Evidence_Evidence_Bool_IntPtr_Bool_RetVoid, C(EVIDENCE) C(EVIDENCE) F I F, v))
-DEFINE_METASIG_T(SM(Str_Evidence_AppDomainSetup_RetAppDomain, s C(EVIDENCE) C(APPDOMAIN_SETUP), C(APP_DOMAIN)))
-DEFINE_METASIG_T(SM(Str_Evidence_Str_Str_Bool_RetAppDomain, s C(EVIDENCE) s s F, C(APP_DOMAIN)))
DEFINE_METASIG_T(SM(Str_RetAppDomain, s, C(APP_DOMAIN)))
-DEFINE_METASIG_T(SM(Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj, s C(APPDOMAIN_SETUP) C(EVIDENCE) C(EVIDENCE) I s a(s) a(s), j))
+DEFINE_METASIG_T(SM(Str_AppDomainSetup_ArrStr_ArrStr_RetObj, s C(APPDOMAIN_SETUP) a(s) a(s), j))
#ifdef FEATURE_COMINTEROP
// System.AppDomain.OnReflectionOnlyNamespaceResolveEvent
DEFINE_METASIG_T(IM(Assembly_Str_RetArrAssembly, C(ASSEMBLY) s, a(C(ASSEMBLY))))
#include "common.h"
#include "security.h"
-#include "verifier.hpp"
#include "excep.h"
#include "dbginterface.h"
#include "ecall.h"
}
//*******************************************************************************
-DWORD MethodDesc::GetSecurityFlagsDuringPreStub()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
-
- DWORD dwMethDeclFlags = 0;
- DWORD dwMethNullDeclFlags = 0;
- DWORD dwClassDeclFlags = 0;
- DWORD dwClassNullDeclFlags = 0;
-
- if (IsInterceptedForDeclSecurity())
- {
- HRESULT hr;
-
- BOOL fHasSuppressUnmanagedCodeAccessAttr = HasSuppressUnmanagedCodeAccessAttr();;
-
- hr = Security::GetDeclarationFlags(GetMDImport(),
- GetMemberDef(),
- &dwMethDeclFlags,
- &dwMethNullDeclFlags,
- &fHasSuppressUnmanagedCodeAccessAttr);
- if (FAILED(hr))
- COMPlusThrowHR(hr);
-
- // We only care about runtime actions, here.
- // Don't add security interceptors for anything else!
- dwMethDeclFlags &= DECLSEC_RUNTIME_ACTIONS;
- dwMethNullDeclFlags &= DECLSEC_RUNTIME_ACTIONS;
- }
-
- MethodTable *pMT = GetMethodTable();
- if (!pMT->IsNoSecurityProperties())
- {
- PSecurityProperties pSecurityProperties = pMT->GetClass()->GetSecurityProperties();
- _ASSERTE(pSecurityProperties);
-
- dwClassDeclFlags = pSecurityProperties->GetRuntimeActions();
- dwClassNullDeclFlags= pSecurityProperties->GetNullRuntimeActions();
- }
- else
- {
- _ASSERTE( pMT->GetClass()->GetSecurityProperties() == NULL ||
- ( pMT->GetClass()->GetSecurityProperties()->GetRuntimeActions() == 0
- && pMT->GetClass()->GetSecurityProperties()->GetNullRuntimeActions() == 0 ) );
- }
-
-
- // Build up a set of flags to indicate the actions, if any,
- // for which we will need to set up an interceptor.
-
- // Add up the total runtime declarative actions so far.
- DWORD dwSecurityFlags = dwMethDeclFlags | dwClassDeclFlags;
-
- // Add in a declarative demand for NDirect.
- // If this demand has been overridden by a declarative check
- // on a class or method, then the bit won't change. If it's
- // overridden by an empty check, then it will be reset by the
- // subtraction logic below.
- if (IsNDirect())
- {
- dwSecurityFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
-
- if (dwSecurityFlags)
- {
- // If we've found any declarative actions at this point,
- // try to subtract any actions that are empty.
-
- // Subtract out any empty declarative actions on the method.
- dwSecurityFlags &= ~dwMethNullDeclFlags;
-
- // Finally subtract out any empty declarative actions on the class,
- // but only those actions that are not also declared by the method.
- dwSecurityFlags &= ~(dwClassNullDeclFlags & ~dwMethDeclFlags);
- }
-
- return dwSecurityFlags;
-}
-
-//*******************************************************************************
-DWORD MethodDesc::GetSecurityFlagsDuringClassLoad(IMDInternalImport *pInternalImport,
- mdToken tkMethod,
- mdToken tkClass,
- DWORD *pdwClassDeclFlags,
- DWORD *pdwClassNullDeclFlags,
- DWORD *pdwMethDeclFlags,
- DWORD *pdwMethNullDeclFlags)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
- HRESULT hr;
-
- hr = Security::GetDeclarationFlags(pInternalImport,
- tkMethod,
- pdwMethDeclFlags,
- pdwMethNullDeclFlags);
- if (FAILED(hr))
- COMPlusThrowHR(hr);
-
-
- if (!IsNilToken(tkClass) && (*pdwClassDeclFlags == 0xffffffff || *pdwClassNullDeclFlags == 0xffffffff))
- {
- hr = Security::GetDeclarationFlags(pInternalImport,
- tkClass,
- pdwClassDeclFlags,
- pdwClassNullDeclFlags);
- if (FAILED(hr))
- COMPlusThrowHR(hr);
-
- }
-
- // Build up a set of flags to indicate the actions, if any,
- // for which we will need to set up an interceptor.
-
- // Add up the total runtime declarative actions so far.
- DWORD dwSecurityFlags = *pdwMethDeclFlags | *pdwClassDeclFlags;
-
- // Add in a declarative demand for NDirect.
- // If this demand has been overridden by a declarative check
- // on a class or method, then the bit won't change. If it's
- // overridden by an empty check, then it will be reset by the
- // subtraction logic below.
- if (IsNDirect())
- {
- dwSecurityFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
-
- if (dwSecurityFlags)
- {
- // If we've found any declarative actions at this point,
- // try to subtract any actions that are empty.
-
- // Subtract out any empty declarative actions on the method.
- dwSecurityFlags &= ~*pdwMethNullDeclFlags;
-
- // Finally subtract out any empty declarative actions on the class,
- // but only those actions that are not also declared by the method.
- dwSecurityFlags &= ~(*pdwClassNullDeclFlags & ~*pdwMethDeclFlags);
- }
-
- return dwSecurityFlags;
-}
-
-//*******************************************************************************
Dictionary* MethodDesc::GetMethodDictionary()
{
WRAPPER_NO_CONTRACT;
//==================================================================
// Security...
- DWORD GetSecurityFlagsDuringPreStub();
- DWORD GetSecurityFlagsDuringClassLoad(IMDInternalImport *pInternalImport,
- mdToken tkMethod, mdToken tkClass,
- DWORD *dwClassDeclFlags, DWORD *dwClassNullDeclFlags,
- DWORD *dwMethDeclFlags, DWORD *dwMethNullDeclFlags);
-
inline DWORD RequiresLinktimeCheck()
{
LIMITED_METHOD_CONTRACT;
#include "ecall.h"
#include "dllimport.h"
#include "gcdesc.h"
-#include "verifier.hpp"
#include "jitinterface.h"
#include "eeconfig.h"
#include "log.h"
// SECURITY SEMANTICS
//
-
- BOOL IsNoSecurityProperties()
- {
- LIMITED_METHOD_CONTRACT;
- return GetFlag(enum_flag_NoSecurityProperties);
- }
-
- void SetNoSecurityProperties()
- {
- LIMITED_METHOD_CONTRACT;
- SetFlag(enum_flag_NoSecurityProperties);
- }
-
void SetIsAsyncPinType()
{
LIMITED_METHOD_CONTRACT;
enum_flag_HasModuleDependencies = 0x0080,
- enum_flag_NoSecurityProperties = 0x0100, // Class does not have security properties (that is,
- // GetClass()->GetSecurityProperties will return 0).
+ // enum_Unused = 0x0100,
enum_flag_RequiresDispatchTokenFat = 0x0200,
#include "ecmakey.h"
#include "security.h"
#include "customattribute.h"
-
-
-#ifdef FEATURE_COMINTEROP
-#endif
+#include "typestring.h"
//*******************************************************************************
// Helper functions to sort GCdescs by offset (decending order)
COMPlusThrowHR(COR_E_TYPELOAD);
}
- //
- // Initialize SecurityProperties structure
- //
-
- if (IsTdHasSecurity(dwAttrClass))
- {
- DWORD dwSecFlags;
- DWORD dwNullDeclFlags;
-
- hrToThrow = Security::GetDeclarationFlags(pInternalImport, cl, &dwSecFlags, &dwNullDeclFlags);
- if (FAILED(hrToThrow))
- COMPlusThrowHR(hrToThrow);
-
- // Security properties is an optional field. If we have a non-default value we need to ensure the
- // optional field descriptor has been allocated.
- EnsureOptionalFieldsAreAllocated(pEEClass, pamTracker, pAllocator->GetLowFrequencyHeap());
-
- pEEClass->GetSecurityProperties()->SetFlags(dwSecFlags, dwNullDeclFlags);
- }
-
-
if (fHasLayout)
pEEClass->SetHasLayout();
// if there are context or thread static set the info in the method table optional members
//
- if (!bmtProp->fNoSanityChecks)
- {
- // If we have a non-interface class, then do inheritance security
- // checks on it. The check starts by checking for inheritance
- // permission demands on the current class. If these first checks
- // succeeded, then the cached declared method list is scanned for
- // methods that have inheritance permission demands.
- VerifyInheritanceSecurity();
-
- // If this is a type equivalent class, then check to see that security
- // rules have been properly followed
- VerifyEquivalenceSecurity();
- }
-
// Check for the RemotingProxy Attribute
// structs with GC pointers MUST be pointer sized aligned because the GC assumes it
if (IsValueClass() && pMT->ContainsPointers() && (bmtFP->NumInstanceFieldBytes % sizeof(void*) != 0))
type = METHOD_TYPE_NORMAL;
}
-
-#ifdef _DEBUG
- // We don't allow stack based declarative security on ecalls, fcalls and
- // other special purpose methods implemented by the EE (the interceptor
- // we use doesn't play well with non-jitted stubs).
- if ((type == METHOD_TYPE_FCALL || type == METHOD_TYPE_EEIMPL) &&
- (IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass())))
- {
- DWORD dwSecFlags;
- DWORD dwNullDeclFlags;
-
- if (IsTdHasSecurity(GetAttrClass()) &&
- SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, GetCl(), &dwSecFlags, &dwNullDeclFlags)))
- {
- CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS),
- "Cannot add stack based declarative security to a class containing an ecall/fcall/special method.");
- }
- if (IsMdHasSecurity(dwMemberAttrs) &&
- SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, tok, &dwSecFlags, &dwNullDeclFlags)))
- {
- CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS),
- "Cannot add stack based declarative security to an ecall/fcall/special method.");
- }
- }
-#endif // _DEBUG
-
// PInvoke methods are not permitted on collectible types
if ((type == METHOD_TYPE_NDIRECT) && GetAssembly()->IsCollectible())
{
return;
}
-//*******************************************************************************
-void MethodTableBuilder::SetSecurityFlagsOnMethod(bmtRTMethod* pParentMethod,
- MethodDesc* pNewMD,
- mdToken tokMethod,
- DWORD dwMemberAttrs,
- bmtInternalInfo* bmtInternal,
- bmtMetaDataInfo* bmtMetaData)
-{
- STANDARD_VM_CONTRACT;
-
- DWORD dwMethDeclFlags = 0;
- DWORD dwMethNullDeclFlags = 0;
- DWORD dwClassDeclFlags = 0xffffffff;
- DWORD dwClassNullDeclFlags = 0xffffffff;
-
- if ( IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass()) || pNewMD->IsNDirect() )
- {
- // Disable inlining for any function which does runtime declarative
- // security actions.
- DWORD dwRuntimeSecurityFlags = (pNewMD->GetSecurityFlagsDuringClassLoad(GetMDImport(),
- tokMethod,
- GetCl(),
- &dwClassDeclFlags,
- &dwClassNullDeclFlags,
- &dwMethDeclFlags,
- &dwMethNullDeclFlags) & DECLSEC_RUNTIME_ACTIONS);
- if (dwRuntimeSecurityFlags)
- {
- // If we get here it means
- // - We have some "runtime" actions on this method. We dont care about "linktime" demands
- // - If this is a pinvoke method, then the unmanaged code access demand has not been suppressed
- pNewMD->SetNotInline(true);
-
- pNewMD->SetInterceptedForDeclSecurity();
-
- if (MethodSecurityDescriptor::IsDeclSecurityCASDemandsOnly(dwRuntimeSecurityFlags, tokMethod, GetMDImport()))
- {
- pNewMD->SetInterceptedForDeclSecurityCASDemandsOnly();
- }
- }
- }
-
- if ( IsMdHasSecurity(dwMemberAttrs) )
- {
- // We only care about checks that are not empty...
- dwMethDeclFlags &= ~dwMethNullDeclFlags;
-
- if ( dwMethDeclFlags & (DECLSEC_LINK_CHECKS|DECLSEC_NONCAS_LINK_DEMANDS) )
- {
- pNewMD->SetRequiresLinktimeCheck();
- // if the link check is due to HP and nothing else, capture that in the flags too
- if (dwMethDeclFlags & DECLSEC_LINK_CHECKS_HPONLY)
- {
- pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly();
- }
- }
-
- if ( dwMethDeclFlags & (DECLSEC_INHERIT_CHECKS|DECLSEC_NONCAS_INHERITANCE) )
- {
- pNewMD->SetRequiresInheritanceCheck();
- if (IsInterface())
- {
- GetHalfBakedClass()->SetSomeMethodsRequireInheritanceCheck();
- }
- }
- }
-
- // Linktime checks on a method override those on a class.
- // If the method has an empty set of linktime checks,
- // then don't require linktime checking for this method.
- if (!pNewMD->RequiresLinktimeCheck() && RequiresLinktimeCheck() && !(dwMethNullDeclFlags & DECLSEC_LINK_CHECKS) )
- {
-
- pNewMD->SetRequiresLinktimeCheck();
- if (RequiresLinktimeCheckHostProtectionOnly())
- {
- pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly();
- }
- }
-
- if ( pParentMethod != NULL &&
- (pParentMethod->GetMethodDesc()->RequiresInheritanceCheck() ||
- pParentMethod->GetMethodDesc()->ParentRequiresInheritanceCheck()) )
- {
- pNewMD->SetParentRequiresInheritanceCheck();
- }
-
- // Methods on an interface that includes an UnmanagedCode check
- // suppression attribute are assumed to be interop methods. We ask
- // for linktime checks on these.
- // Also place linktime checks on all P/Invoke calls.
- if (
- pNewMD->IsNDirect() ||
- (pNewMD->IsComPlusCall() && !IsInterface()))
- {
- pNewMD->SetRequiresLinktimeCheck();
- }
-
-#if defined(FEATURE_CORESYSTEM)
- // All public methods on public types will do a link demand of
- // full trust, unless AllowUntrustedCaller attribute is set
- if (
-#ifdef _DEBUG
- g_pConfig->Do_AllowUntrustedCaller_Checks() &&
-#endif
- !pNewMD->RequiresLinktimeCheck())
- {
- // If the method is public (visible outside it's assembly),
- // and the type is public and the assembly
- // is not marked with AllowUntrustedCaller attribute, do
- // a link demand for full trust on all callers note that
- // this won't be effective on virtual overrides. The caller
- // can allways do a virtual call on the base type / interface
-
- if (Security::MethodIsVisibleOutsideItsAssembly(dwMemberAttrs, GetAttrClass(), IsGlobalClass()))
- {
- _ASSERTE(GetClassLoader());
- _ASSERTE(GetAssembly());
-
- // See if the Assembly has AllowUntrustedCallerChecks CA
- // Pull this page in last
-
- if (!GetAssembly()->AllowUntrustedCaller())
- pNewMD->SetRequiresLinktimeCheck();
- }
- }
-#endif // defined(FEATURE_CORESYSTEM)
-
- // If it's a delegate BeginInvoke, we need to do a HostProtection check for synchronization
- if(!pNewMD->RequiresLinktimeCheck() && IsDelegate())
- {
- DelegateEEClass* pDelegateClass = (DelegateEEClass*)GetHalfBakedClass();
- if(pNewMD == pDelegateClass->m_pBeginInvokeMethod)
- {
- pNewMD->SetRequiresLinktimeCheck();
- pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly(); // this link check is due to HP only
- }
-
- }
-}
//*******************************************************************************
//
}
}
-
- // Declarative Security
- SetSecurityFlagsOnMethod(pParentMethod, pNewMD, pMethod->GetMethodSignature().GetToken(), pMethod->GetDeclAttrs(), bmtInternal, bmtMetaData);
-
// Turn off inlining for any calls
// that are marked in the metadata as not being inlineable.
if(IsMiNoInlining(pMethod->GetImplAttrs()))
SetNonGCRegularStaticFieldBytes (bmtProp->dwNonGCRegularStaticFieldBytes);
SetNonGCThreadStaticFieldBytes (bmtProp->dwNonGCThreadStaticFieldBytes);
- PSecurityProperties psp = GetSecurityProperties();
- // Check whether we have any runtime actions such as Demand, Assert etc
- // that can result in methods needing the security stub. We dont care about Linkdemands etc
- if ( !psp || (!psp->GetRuntimeActions() && !psp->GetNullRuntimeActions()))
- pMT->SetNoSecurityProperties();
-
#ifdef FEATURE_TYPEEQUIVALENCE
if (bmtProp->fHasTypeEquivalence)
{
//*******************************************************************************
//
-// Helper method for VerifyInheritanceSecurity
-//
-VOID MethodTableBuilder::VerifyClassInheritanceSecurityHelper(
- MethodTable *pParentMT,
- MethodTable *pChildMT)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pParentMT));
- PRECONDITION(CheckPointer(pChildMT));
- }
- CONTRACTL_END;
-
- //@ASSUMPTION: The current class has been resolved to the point that
- // we can construct a reflection object on the class or its methods.
- // This is required for the security checks.
-
- // This method throws on failure.
- Security::ClassInheritanceCheck(pChildMT, pParentMT);
-
-}
-
-//*******************************************************************************
-//
-// Helper method for VerifyInheritanceSecurity
-//
-VOID MethodTableBuilder::VerifyMethodInheritanceSecurityHelper(
- MethodDesc *pParentMD,
- MethodDesc *pChildMD)
-{
- CONTRACTL {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pParentMD));
- PRECONDITION(CheckPointer(pChildMD));
- } CONTRACTL_END;
-
- Security::MethodInheritanceCheck(pChildMD, pParentMD);
-
-}
-
-//*******************************************************************************
-//
// Used by BuildMethodTable
//
// Check for the presence of type equivalence. If present, make sure
{
BOOL fTypeEquivalentNotPermittedDueToType = !(((IsComImport() || bmtProp->fComEventItfType) && IsInterface()) || IsValueClass() || IsDelegate());
BOOL fTypeEquivalentNotPermittedDueToGenerics = bmtGenerics->HasInstantiation();
- BOOL fTypeEquivalentNotPermittedDueToSecurity = !GetModule()->GetSecurityDescriptor()->IsFullyTrusted();
if (fTypeEquivalentNotPermittedDueToType || fTypeEquivalentNotPermittedDueToGenerics)
{
BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTBADTYPE);
}
- else
- if (fTypeEquivalentNotPermittedDueToSecurity)
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTNOTTRUSTED);
- }
GetHalfBakedClass()->SetIsEquivalentType();
}
#endif //FEATURE_TYPEEQUIVALENCE
}
-// Convert linktime security (including link demands and security critical checks) into inheritance security
-// in order to prevent partial trust code from bypassing linktime checks via clever inheritance hierarchies.
-//
-// Arguments:
-// pMDLinkDemand - The method containing the linktime security check that needs to be converted into an
-// inheritance check
-//
-// Notes:
-// #PartialTrustInterfaceMappingCheck
-//
-// Partial trust code can bypass the enforcement of link time security on any public virtual method of a
-// base type by mapping an unprotected interface back to the base method. For instance:
-//
-// Full trust APTCA assembly A:
-// class AptcaClass
-// {
-// [SecurityCritical]
-// public virtual void CriticalMethod() { }
-//
-// [PermissionSet(SecurityAction.LinkDemand, Unrestricted = true)]
-// public virtual void LinkDemandMethod() { }
-// }
-//
-// Partial trust assembly B:
-// interface IBypass
-// {
-// void CriticalMethod();
-// void LinkDemandMethod();
-// }
-//
-// class Bypass : AptcaClass, IBypass { }
-//
-// IBypass o = new Bypass();
-// o.CriticalMethod();
-// o.LinkDemandMethod();
-//
-// Since the static type seen by the JIT is IBypass, and there is no link time security on IBypass, the
-// partial trust code has stepped around the link time security checks.
-//
-// In order to prevent this, types which:
-// 1. Are partially trusted AND
-// 2. Cause an interface to be added to the type WHICH
-// 3. Has a method implemented by a base type in a different assembly AND
-// 4. The base type method has a link time check on it
-//
-// Convert the link time checks into inheritance checks. This effectively says that in order for partially
-// trusted code to turn off link time security, it needs to have the right to directly satisfy that
-// security itself. Since the partial trust code can call the protected method directly, it can also
-// easily wrap the method in an unprotected new method and call through that there is no escalation of
-// privilege.
-//
-// This method is only responsible for doing the actual inheritance demand conversion.
-// VerifyInheritanceSecurity checks for the above set of conditions to know when such a conversion is
-// necessary.
-//
-void MethodTableBuilder::ConvertLinkDemandToInheritanceDemand(MethodDesc *pMDLinkDemand)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pMDLinkDemand));
- }
- CONTRACTL_END;
-
- const bool fNeedTransparencyCheck = Security::IsMethodCritical(pMDLinkDemand) &&
- !Security::IsMethodSafeCritical(pMDLinkDemand);
- const bool fNeedLinkDemandCheck = pMDLinkDemand->RequiresLinktimeCheck() &&
- !pMDLinkDemand->RequiresLinkTimeCheckHostProtectionOnly();
-
- if (fNeedTransparencyCheck)
- {
- // The method being mapped to is security critical, so it effectively has a link time check for full
- // trust on it. Therefore we need to convert to a full trust inheritance check
- Security::FullTrustInheritanceDemand(GetAssembly());
- }
- else if (fNeedLinkDemandCheck)
- {
- // The method being mapped to is protected with a legacy link demand. We need to retrieve the
- // permission set that is being used to protect the code and then use it to issue an inheritance
- // demand.
- Security::InheritanceLinkDemandCheck(GetAssembly(), pMDLinkDemand);
- }
-}
-
-//*******************************************************************************
-//
-// Used by BuildMethodTable
-//
-// If we have a type equivalent class, then do equivalent security
-// checks on it. The check starts by checking for that the class is
-// transparent or treat as safe, and then does the same for any fields.
-//
-
-void MethodTableBuilder::VerifyEquivalenceSecurity()
-{
- STANDARD_VM_CONTRACT;
-
-#ifdef FEATURE_TYPEEQUIVALENCE
- if (!bmtProp->fIsTypeEquivalent)
- return;
-
- if (!GetHalfBakedMethodTable()->IsExternallyVisible())
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTNOTPUBLIC);
- }
-
- if (Security::IsTypeCritical(GetHalfBakedMethodTable()) &&
- !Security::IsTypeSafeCritical(GetHalfBakedMethodTable()))
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY);
- }
-
- // Iterate through every field
- FieldDesc *pFieldDescList = GetApproxFieldDescListRaw();
- for (UINT i = 0; i < bmtEnumFields->dwNumInstanceFields; i++)
- {
- FieldDesc *pFD = &pFieldDescList[i];
-
- FieldSecurityDescriptor fieldSecDesc(pFD);
- if (fieldSecDesc.IsCritical() && !fieldSecDesc.IsTreatAsSafe())
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY);
- }
- }
-
- // Iterate through every method
- DeclaredMethodIterator methIt(*this);
- while (methIt.Next())
- {
- MethodDesc *pMD = methIt->GetMethodDesc();
- _ASSERTE(pMD != NULL);
- if (pMD == NULL)
- continue;
-
- MethodSecurityDescriptor methodSecDesc(pMD, FALSE);
- if (Security::IsMethodCritical(pMD) && !Security::IsMethodSafeCritical(pMD))
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY);
- }
- }
-#endif //FEATURE_TYPEEQUIVALENCE
-}
-
-//*******************************************************************************
-//
-// Used by BuildMethodTable
-//
-// If we have a non-interface class, then do inheritance security
-// checks on it. The check starts by checking for inheritance
-// permission demands on the current class. If these first checks
-// succeeded, then the cached declared method list is scanned for
-// methods that have inheritance permission demands.
-//
-
-void MethodTableBuilder::VerifyInheritanceSecurity()
-{
- STANDARD_VM_CONTRACT;
-
- if (IsInterface())
- return;
-
- if (!Security::IsTransparencyEnforcementEnabled())
- return;
-
- // If we have a non-interface class, then do inheritance security
- // checks on it. The check starts by checking for inheritance
- // permission demands on the current class. If these first checks
- // succeeded, then the cached declared method list is scanned for
- // methods that have inheritance permission demands.
- //
- // If we are transparent, and every class up the inheritence chain is also entirely transparent,
- // that means that no inheritence rules could be broken. If that's the case, we don't need to check
- // each individual method. We special case System.Object since it is not entirely transparent, but
- // every member which can be overriden is.
- //
- // This optimization does not currently apply for nested classes, since we may need to evaluate the
- // outer class in the TypeSecurityDescriptor, and that could end up with a type loading recursion.
- //
-
- const BOOL fCurrentTypeAllTransparent = GetHalfBakedClass()->IsNested() ? FALSE : Security::IsTypeAllTransparent(GetHalfBakedMethodTable());
- BOOL fInheritenceChainTransparent = FALSE;
-
- if (fCurrentTypeAllTransparent)
- {
- fInheritenceChainTransparent = TRUE;
- MethodTable *pParentMT = GetParentMethodTable();
- while (fInheritenceChainTransparent &&
- pParentMT != NULL &&
- pParentMT != g_pObjectClass)
- {
- fInheritenceChainTransparent &= Security::IsTypeAllTransparent(pParentMT);
- pParentMT = pParentMT->GetParentMethodTable();
- if (pParentMT != NULL && pParentMT->GetClass()->IsNested())
- {
- fInheritenceChainTransparent = FALSE;
- }
-
- }
- }
-
- if (GetParentMethodTable() != NULL
- && !fInheritenceChainTransparent
- )
- {
- // Check the parent for inheritance permission demands.
- VerifyClassInheritanceSecurityHelper(GetParentMethodTable(), GetHalfBakedMethodTable());
-
- // Iterate all the declared methods and check each of them for inheritance demands
- DeclaredMethodIterator mIt(*this);
- while (mIt.Next())
- {
- MethodDesc * pMD = mIt.GetMDMethod()->GetMethodDesc();
- CONSISTENCY_CHECK(CheckPointer(pMD));
-
- MethodDesc * pIntroducingMD = mIt.GetIntroducingMethodDesc();
- if (pIntroducingMD != NULL)
- {
- VerifyMethodInheritanceSecurityHelper(pIntroducingMD, pMD);
- }
-
- // Make sure that we don't have a transparent method in a critical class; that will lead
- // to situations where the method doesn't have access to the this pointer, so we want to
- // fail now, rather than with a strange method access exception at invoke time
- if (Security::IsTypeCritical(GetHalfBakedMethodTable()) &&
- !Security::IsTypeSafeCritical(GetHalfBakedMethodTable()))
- {
- if (!Security::IsMethodCritical(pMD) && !pMD->IsStatic())
- {
- SecurityTransparent::ThrowTypeLoadException(pMD, IDS_E_TRANSPARENT_METHOD_CRITICAL_TYPE);
- }
- }
-
- // If this method is a MethodImpl, we need to verify that all
- // decls are allowed to be overridden.
- if (pMD->IsMethodImpl())
- {
- // Iterate through each decl that this method is an impl for and
- // test that inheritance demands are met.
- MethodImpl *pMethodImpl = pMD->GetMethodImpl();
- for (DWORD iCurImpl = 0; iCurImpl < pMethodImpl->GetSize(); iCurImpl++)
- {
- MethodDesc *pDeclMD = pMethodImpl->GetImplementedMDs()[iCurImpl];
- _ASSERTE(pDeclMD != NULL);
- // We deal with interfaces below, so don't duplicate work
- if (!pDeclMD->IsInterface())
- {
- VerifyMethodInheritanceSecurityHelper(pDeclMD, pMD);
- }
- }
- }
- }
- }
-
- // Now we need to verify that we are meeting all inheritance demands
- // that were placed on interfaces and their methods. The logic is as
- // follows: for each method contributing an implementation to this type,
- // if a method it could contribute to any interface described in the
- // interface map, check that both method-level and type-level inheritance
- // demands are met (only need to check type-level once per interface).
- {
- // We need to do a transparency check if the current type enforces the transparency inheritance
- // rules. As an optimizaiton, we don't bother to do the check if the module is opportunistically
- // critical because the transparency setup for opportunitically critical assemblies by definition
- // statisfies the inheritance rules.
- const SecurityTransparencyBehavior *pTransparencyBehavior =
- GetAssembly()->GetSecurityTransparencyBehavior();
- ModuleSecurityDescriptor *pMSD =
- ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
-
- const bool fNeedTransparencyInheritanceCheck = pTransparencyBehavior->AreInheritanceRulesEnforced() &&
- !pMSD->IsOpportunisticallyCritical();
-
-
- // See code:PartialTrustInterfaceMappingCheck
- IAssemblySecurityDescriptor *pASD = GetAssembly()->GetSecurityDescriptor();
- const BOOL fNeedPartialTrustInterfaceMappingCheck = !pASD->IsFullyTrusted();
-
- // Iterate through each interface
- MethodTable *pMT = GetHalfBakedMethodTable();
- MethodTable::InterfaceMapIterator itfIt = pMT->IterateInterfaceMap();
- while (itfIt.Next())
- {
- // Get current interface details
- MethodTable *pCurItfMT = itfIt.GetInterface();
- CONSISTENCY_CHECK(CheckPointer(pCurItfMT));
-
- if (fNeedTransparencyInheritanceCheck &&
- !(Security::IsTypeAllTransparent(itfIt.GetInterface()) &&
- fCurrentTypeAllTransparent)
- )
- {
- // An interface is introduced by this type either if it is explicitly declared on the
- // type's interface list or if one of the type's explicit interfaces requires the
- // interface. This is detected by seeing an interface which is not declared on this
- // type, but also wasn't implemented by our parent.
- //
- // For instance:
- //
- // interface I1 { void M(); }
- // interface I2 : I1 { }
- // class B { public void M(); }
- // class D : B, I2 { }
- //
- // In this case, when we see D pulls in I2 explictly (IsDeclaredOnType) but I1 only
- // because I2 requires I2 (!IsDeclaredOnType and !IsImplementedByParent).
- bmtInterfaceEntry interfaceEntry = bmtInterface->pInterfaceMap[itfIt.GetIndex()];
- BOOL fDeclaredOnType = interfaceEntry.IsDeclaredOnType() ||
- !interfaceEntry.IsImplementedByParent();
-
- // Now iterate through every method contributing any implementation
- // and if it lies within the interface vtable, then we must evaluate demands
- // NOTE: Avoid caching the MethodData object for the type being built.
- BOOL fImplementedOnCurrentType = FALSE;
- MethodTable::MethodDataWrapper
- hItfImplData(MethodTable::GetMethodData(itfIt.GetInterface(), pMT, FALSE));
- MethodTable::MethodIterator methIt(hItfImplData);
- for (;methIt.IsValid(); methIt.Next())
- {
- // Check the security only if valid method implementation exists!
- if (methIt.GetTarget().IsNull() == FALSE)
- {
- MethodDesc *pMDImpl = methIt.GetMethodDesc();
- MethodDesc *pMDInterface = methIt.GetDeclMethodDesc();
-
- //
- // Check the security method helper if either:
- // 1. The interface was explicitly declared by the current type (even if the
- // interface implementation is found on a parent type) OR
- // 2. The interface implementation method is on the current type
- //
- // For instance, we want to catch patterns such as:
- //
- // interface I { void M(); }
- // class B { public void M(); }
- // class D : B, I { }
- //
- // In which D causes I::M to map to B::M because D brought in the interface
- // declaration.
- //
-
- if (fDeclaredOnType || pMDImpl->GetMethodTable() == pMT)
- {
- // Check security on the interface for this method in its default slot placement
- VerifyMethodInheritanceSecurityHelper(pMDInterface, pMDImpl);
-
- fImplementedOnCurrentType = TRUE;
- }
-
- // See code:PartialTrustInterfaceMappingCheck - we need to see if we're mapping
- // an interface to another type cross-assembly that might have requested link
- // time protection.
- if (fDeclaredOnType && fNeedPartialTrustInterfaceMappingCheck)
- {
- if (pMDImpl->GetAssembly() != GetAssembly())
- {
- ConvertLinkDemandToInheritanceDemand(pMDImpl);
- }
- }
- }
- }
-
- // If any previous methods contributed to this interface's implementation, that means we
- // need to check the type-level inheritance for the interface.
- if (fDeclaredOnType || fImplementedOnCurrentType)
- {
- VerifyClassInheritanceSecurityHelper(pCurItfMT, pMT);
- }
- }
- }
- }
-}
-
//*******************************************************************************
//
// Used by BuildMethodTable
BOOL HasExplicitFieldOffsetLayout() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->HasExplicitFieldOffsetLayout(); }
BOOL IsManagedSequential() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->IsManagedSequential(); }
BOOL HasExplicitSize() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->HasExplicitSize(); }
- BOOL RequiresLinktimeCheck() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->RequiresLinktimeCheck(); }
- BOOL RequiresLinktimeCheckHostProtectionOnly() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->RequiresLinkTimeCheckHostProtectionOnly(); }
-
- SecurityProperties* GetSecurityProperties() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->GetSecurityProperties(); }
+
#ifdef _DEBUG
BOOL IsAppDomainAgilityDone() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->IsAppDomainAgilityDone(); }
LPCUTF8 GetDebugClassName() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->GetDebugClassName(); }
GetMethodClassification(METHOD_TYPE type);
// --------------------------------------------------------------------------------------------
- // Will determine if a method requires or inherits any security settings and will set the
- // appropriate flags on the MethodDesc.
- VOID
- SetSecurityFlagsOnMethod(
- bmtRTMethod * pParentMethod,
- MethodDesc* pNewMD,
- mdToken tokMethod,
- DWORD dwMemberAttrs,
- bmtInternalInfo* bmtInternal,
- bmtMetaDataInfo* bmtMetaData);
-
- // --------------------------------------------------------------------------------------------
// Essentially, this is a helper method that combines calls to InitMethodDesc and
// SetSecurityFlagsOnMethod. It then assigns the newly initialized MethodDesc to
// the bmtMDMethod.
VOID HandleGCForValueClasses(
MethodTable **);
- // These methods deal with inheritance security. They're executed
- // after the type has been constructed, but before it is published.
- VOID VerifyMethodInheritanceSecurityHelper(
- MethodDesc *pParentMD,
- MethodDesc *pChildMD);
-
- VOID VerifyClassInheritanceSecurityHelper(
- MethodTable *pParentMT,
- MethodTable *pChildMT);
-
- VOID ConvertLinkDemandToInheritanceDemand(MethodDesc *pMDLinkDemand);
-
- VOID VerifyInheritanceSecurity();
-
- VOID VerifyEquivalenceSecurity();
-
VOID VerifyVirtualMethodsImplemented(MethodTable::MethodData * hMTData);
VOID CheckForTypeEquivalence(
DEFINE_FIELD_U(_domainManager, AppDomainBaseObject, m_pDomainManager)
DEFINE_FIELD_U(_LocalStore, AppDomainBaseObject, m_LocalStore)
DEFINE_FIELD_U(_FusionStore, AppDomainBaseObject, m_FusionTable)
-DEFINE_FIELD_U(_SecurityIdentity, AppDomainBaseObject, m_pSecurityIdentity)
-DEFINE_FIELD_U(_Policies, AppDomainBaseObject, m_pPolicies)
DEFINE_FIELD_U(AssemblyLoad, AppDomainBaseObject, m_pAssemblyEventHandler)
DEFINE_FIELD_U(_TypeResolve, AppDomainBaseObject, m_pTypeEventHandler)
DEFINE_FIELD_U(_ResourceResolve, AppDomainBaseObject, m_pResourceEventHandler)
DEFINE_FIELD_U(_AssemblyResolve, AppDomainBaseObject, m_pAsmResolveEventHandler)
-DEFINE_FIELD_U(_applicationTrust, AppDomainBaseObject, m_pApplicationTrust)
DEFINE_FIELD_U(_processExit, AppDomainBaseObject, m_pProcessExitEventHandler)
DEFINE_FIELD_U(_domainUnload, AppDomainBaseObject, m_pDomainUnloadEventHandler)
DEFINE_FIELD_U(_unhandledException, AppDomainBaseObject, m_pUnhandledExceptionEventHandler)
DEFINE_FIELD_U(_compatFlags, AppDomainBaseObject, m_compatFlags)
DEFINE_FIELD_U(_firstChanceException, AppDomainBaseObject, m_pFirstChanceExceptionHandler)
DEFINE_FIELD_U(_pDomain, AppDomainBaseObject, m_pDomain)
-DEFINE_FIELD_U(_HasSetPolicy, AppDomainBaseObject, m_bHasSetPolicy)
-DEFINE_FIELD_U(_IsFastFullTrustDomain, AppDomainBaseObject, m_bIsFastFullTrustDomain)
DEFINE_FIELD_U(_compatFlagsInitialized, AppDomainBaseObject, m_compatFlagsInitialized)
DEFINE_CLASS(APP_DOMAIN, System, AppDomain)
-DEFINE_METHOD(APP_DOMAIN, PREPARE_DATA_FOR_SETUP,PrepareDataForSetup,SM_Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj)
+DEFINE_METHOD(APP_DOMAIN, PREPARE_DATA_FOR_SETUP,PrepareDataForSetup,SM_Str_AppDomainSetup_ArrStr_ArrStr_RetObj)
DEFINE_METHOD(APP_DOMAIN, SETUP,Setup,SM_Obj_RetObj)
DEFINE_METHOD(APP_DOMAIN, ON_ASSEMBLY_LOAD, OnAssemblyLoadEvent, IM_Assembly_RetVoid)
DEFINE_METHOD(APP_DOMAIN, ON_RESOURCE_RESOLVE, OnResourceResolveEvent, IM_Assembly_Str_RetAssembly)
DEFINE_METHOD(APP_DOMAIN, ON_DESIGNER_NAMESPACE_RESOLVE, OnDesignerNamespaceResolveEvent, IM_Str_RetArrStr)
#endif //FEATURE_COMINTEROP
DEFINE_METHOD(APP_DOMAIN, SETUP_DOMAIN, SetupDomain, IM_Bool_Str_Str_ArrStr_ArrStr_RetVoid)
-DEFINE_METHOD(APP_DOMAIN, CREATE_APP_DOMAIN_MANAGER, CreateAppDomainManager, IM_RetVoid)
DEFINE_METHOD(APP_DOMAIN, INITIALIZE_COMPATIBILITY_FLAGS, InitializeCompatibilityFlags, IM_RetVoid)
-DEFINE_METHOD(APP_DOMAIN, INITIALIZE_DOMAIN_SECURITY, InitializeDomainSecurity, IM_Evidence_Evidence_Bool_IntPtr_Bool_RetVoid)
DEFINE_CLASS(CLEANUP_WORK_LIST, StubHelpers, CleanupWorkList)
DEFINE_CLASS_U(System, AppDomainSetup, AppDomainSetupObject)
DEFINE_FIELD_U(_Entries, AppDomainSetupObject, m_Entries)
DEFINE_FIELD_U(_AppBase, AppDomainSetupObject, m_AppBase)
-DEFINE_FIELD_U(_AppDomainInitializer, AppDomainSetupObject, m_AppDomainInitializer)
-DEFINE_FIELD_U(_AppDomainInitializerArguments, AppDomainSetupObject, m_AppDomainInitializerArguments)
-DEFINE_FIELD_U(_ApplicationTrust, AppDomainSetupObject, m_ApplicationTrust)
-DEFINE_FIELD_U(_ConfigurationBytes, AppDomainSetupObject, m_ConfigurationBytes)
-DEFINE_FIELD_U(_AppDomainManagerAssembly, AppDomainSetupObject, m_AppDomainManagerAssembly)
-DEFINE_FIELD_U(_AppDomainManagerType, AppDomainSetupObject, m_AppDomainManagerType)
DEFINE_FIELD_U(_CompatFlags, AppDomainSetupObject, m_CompatFlags)
DEFINE_FIELD_U(_TargetFrameworkName, AppDomainSetupObject, m_TargetFrameworkName)
-DEFINE_FIELD_U(_LoaderOptimization, AppDomainSetupObject, m_LoaderOptimization)
-#ifdef FEATURE_COMINTEROP
-DEFINE_FIELD_U(_DisableInterfaceCache, AppDomainSetupObject, m_DisableInterfaceCache)
-#endif // FEATURE_COMINTEROP
DEFINE_FIELD_U(_CheckedForTargetFrameworkName, AppDomainSetupObject, m_CheckedForTargetFrameworkName)
#ifdef FEATURE_RANDOMIZED_STRING_HASHING
DEFINE_FIELD_U(_UseRandomizedStringHashing, AppDomainSetupObject, m_UseRandomizedStringHashing)
DEFINE_CLASS(EVENT_INFO, Reflection, EventInfo)
-DEFINE_CLASS(EVIDENCE, Policy, Evidence)
-
DEFINE_CLASS_U(System, Exception, ExceptionObject)
DEFINE_FIELD_U(_className, ExceptionObject, _className)
DEFINE_FIELD_U(_exceptionMethod, ExceptionObject, _exceptionMethod)
DEFINE_CLASS(LCID_CONVERSION_TYPE, Interop, LCIDConversionAttribute)
#endif // FEATURE_COMINTEROP
-DEFINE_CLASS(LOADER_OPTIMIZATION, System, LoaderOptimization)
-
DEFINE_CLASS(MARSHAL, Interop, Marshal)
#ifdef FEATURE_COMINTEROP
spec.SetBindingContext(m_pBinderContext);
}
- DomainAssembly *pDomainAssembly = NULL;
-
- // Setup the AssemblyLoadSecurity to perform the assembly load
- GCX_COOP();
-
- PTR_AppDomain pCurDomain = GetAppDomain();
- IApplicationSecurityDescriptor *pDomainSecDesc = pCurDomain->GetSecurityDescriptor();
-
- OBJECTREF refGrantedPermissionSet = NULL;
- AssemblyLoadSecurity loadSecurity;
-
- GCPROTECT_BEGIN(refGrantedPermissionSet);
-
- loadSecurity.m_dwSpecialFlags = pDomainSecDesc->GetSpecialFlags();
- refGrantedPermissionSet = pDomainSecDesc->GetGrantedPermissionSet();
- loadSecurity.m_pGrantSet = &refGrantedPermissionSet;
-
// Bind and load the assembly.
- pDomainAssembly = spec.LoadDomainAssembly(
+ return spec.LoadDomainAssembly(
FILE_LOADED,
- &loadSecurity,
FALSE); // Don't throw on FileNotFound.
-
- GCPROTECT_END();
-
- return pDomainAssembly;
}
typedef SafeHandle * SAFEHANDLEREF;
#endif // USE_CHECKED_OBJECTREFS
-class PermissionListSetObject: public Object
-{
- friend class MscorlibBinder;
-
-private:
- OBJECTREF _firstPermSetTriple;
- OBJECTREF _permSetTriples;
-
-public:
- BOOL IsEmpty()
- {
- LIMITED_METHOD_CONTRACT;
- return (_firstPermSetTriple == NULL &&
- _permSetTriples == NULL
- );
- }
-};
-#ifdef USE_CHECKED_OBJECTREFS
-typedef REF<PermissionListSetObject> PERMISSIONLISTSETREF;
-#else
-typedef PermissionListSetObject* PERMISSIONLISTSETREF;
-#endif
-
#define SYNCCTXPROPS_REQUIRESWAITNOTIFICATION 0x1 // Keep in sync with SynchronizationContext.cs SynchronizationContextFlags
class ThreadBaseObject;
OBJECTREF m_pDomainManager; // AppDomainManager for host settings.
OBJECTREF m_LocalStore;
OBJECTREF m_FusionTable;
- OBJECTREF m_pSecurityIdentity; // Evidence associated with this domain
- OBJECTREF m_pPolicies; // Array of context policies associated with this domain
OBJECTREF m_pAssemblyEventHandler; // Delegate for 'loading assembly' event
OBJECTREF m_pTypeEventHandler; // Delegate for 'resolve type' event
OBJECTREF m_pResourceEventHandler; // Delegate for 'resolve resource' event
OBJECTREF m_pAsmResolveEventHandler; // Delegate for 'resolve assembly' event
- OBJECTREF m_pApplicationTrust; // App ApplicationTrust.
OBJECTREF m_pProcessExitEventHandler; // Delegate for 'process exit' event. Only used in Default appdomain.
OBJECTREF m_pDomainUnloadEventHandler; // Delegate for 'about to unload domain' event
OBJECTREF m_pUnhandledExceptionEventHandler; // Delegate for 'unhandled exception' event
OBJECTREF m_pFirstChanceExceptionHandler; // Delegate for 'FirstChance Exception' event
AppDomain* m_pDomain; // Pointer to the BaseDomain Structure
- CLR_BOOL m_bHasSetPolicy; // SetDomainPolicy has been called for this domain
- CLR_BOOL m_bIsFastFullTrustDomain; // We know for sure that this is a homogeneous full trust domain.
CLR_BOOL m_compatFlagsInitialized;
protected:
return m_pDomain;
}
- OBJECTREF GetSecurityIdentity()
- {
- LIMITED_METHOD_CONTRACT;
- return m_pSecurityIdentity;
- }
-
OBJECTREF GetAppDomainManager()
{
LIMITED_METHOD_CONTRACT;
return m_pDomainManager;
}
- OBJECTREF GetApplicationTrust()
- {
- LIMITED_METHOD_CONTRACT;
- return m_pApplicationTrust;
- }
-
- BOOL GetIsFastFullTrustDomain()
- {
- LIMITED_METHOD_CONTRACT;
- return !!m_bIsFastFullTrustDomain;
- }
-
-
- // Ref needs to be a PTRARRAYREF
- void SetPolicies(OBJECTREF ref)
- {
- WRAPPER_NO_CONTRACT;
- SetObjectReference(&m_pPolicies, ref, m_pDomain );
- }
- BOOL HasSetPolicy()
- {
- LIMITED_METHOD_CONTRACT;
- return m_bHasSetPolicy;
- }
-
-
// Returns the reference to the delegate of the first chance exception notification handler
OBJECTREF GetFirstChanceExceptionNotificationHandler()
{
protected:
PTRARRAYREF m_Entries;
STRINGREF m_AppBase;
- OBJECTREF m_AppDomainInitializer;
- PTRARRAYREF m_AppDomainInitializerArguments;
- STRINGREF m_ApplicationTrust;
- I1ARRAYREF m_ConfigurationBytes;
- STRINGREF m_AppDomainManagerAssembly;
- STRINGREF m_AppDomainManagerType;
OBJECTREF m_CompatFlags;
STRINGREF m_TargetFrameworkName;
- INT32 m_LoaderOptimization;
-#ifdef FEATURE_COMINTEROP
- CLR_BOOL m_DisableInterfaceCache;
-#endif // FEATURE_COMINTEROP
CLR_BOOL m_CheckedForTargetFrameworkName;
#ifdef FEATURE_RANDOMIZED_STRING_HASHING
CLR_BOOL m_UseRandomizedStringHashing;
protected:
AppDomainSetupObject() { LIMITED_METHOD_CONTRACT; }
~AppDomainSetupObject() { LIMITED_METHOD_CONTRACT; }
-
- public:
-#ifdef FEATURE_RANDOMIZED_STRING_HASHING
- BOOL UseRandomizedStringHashing() { LIMITED_METHOD_CONTRACT; return (BOOL) m_UseRandomizedStringHashing; }
-#endif // FEATURE_RANDOMIZED_STRING_HASHING
};
typedef DPTR(AppDomainSetupObject) PTR_AppDomainSetupObject;
#ifdef USE_CHECKED_OBJECTREFS
NEW_WRAPPER_TEMPLATE1(CoTaskNewHolder, CoTaskFree<_TYPE>);
-BOOL PEFile::CanLoadLibrary()
-{
- WRAPPER_NO_CONTRACT;
-
- // Dynamic and resource modules don't need LoadLibrary.
- if (IsDynamic() || IsResource()||IsLoaded())
- return TRUE;
-
- // If we're been granted skip verification, OK
- if (HasSkipVerification())
- return TRUE;
-
- // Otherwise, we can only load if IL only.
- return IsILOnly();
-}
-
-
//-----------------------------------------------------------------------------------------------------
// Catch attempts to load x64 assemblies on x86, etc.
}
#endif
- // Don't do this if we are unverifiable
- if (!CanLoadLibrary())
- ThrowHR(SECURITY_E_UNVERIFIABLE);
-
-
// We need contents now
if (!HasNativeImage())
{
{
INSTANCE_CHECK;
PRECONDITION(CheckPointer(hMod));
- PRECONDITION(CanLoadLibrary());
POSTCONDITION(CheckLoaded());
THROWS;
GC_TRIGGERS;
friend class NativeImageDumper;
#endif
- // Load actually triggers loading side effects of the module. This should ONLY
- // be done after validation has been passed
- BOOL CanLoadLibrary();
public:
void LoadLibrary(BOOL allowNativeSkip = TRUE);
BOOL fFromThunk);
void SetLoadedHMODULE(HMODULE hMod);
- BOOL HasSkipVerification();
- void SetSkipVerification();
-
// DO NOT USE !!! this is to be removed when we move to new fusion binding API
friend class DomainAssembly;
// Full name is the most descriptive name available (path, codebase, or name as appropriate)
void GetCodeBaseOrName(SString &result);
-
- // Returns security information for the assembly based on the codebase
- void GetSecurityIdentity(SString &codebase, SecZone *pdwZone, DWORD dwFlags, BYTE *pbUniqueID, DWORD *pcbUniqueID);
- void InitializeSecurityManager();
#ifdef LOGGING
// This is useful for log messages
#endif // DACCESS_COMPILE
PTR_CVOID GetLoadedImageContents(COUNT_T *pSize = NULL);
-
- // SetInProcSxSLoadVerified can run concurrently as we don't hold locks during LoadLibrary but
- // it is the only flag that can be set during this phase so no mutual exclusion is necessary.
- void SetInProcSxSLoadVerified() { LIMITED_METHOD_CONTRACT; m_flags |= PEFILE_SXS_LOAD_VERIFIED; }
- BOOL IsInProcSxSLoadVerified() { LIMITED_METHOD_CONTRACT; return m_flags & PEFILE_SXS_LOAD_VERIFIED; }
// ------------------------------------------------------------
// Native image access
PEFILE_SYSTEM = 0x01,
PEFILE_ASSEMBLY = 0x02,
PEFILE_MODULE = 0x04,
- PEFILE_SKIP_VERIFICATION = 0x08,
+ // = 0x08,
PEFILE_SKIP_MODULE_HASH_CHECKS= 0x10,
PEFILE_ISTREAM = 0x100,
#ifdef FEATURE_PREJIT
PEFILE_SAFE_TO_HARDBINDTO = 0x4000, // NGEN-only flag
#endif
PEFILE_INTROSPECTIONONLY = 0x400,
- PEFILE_SXS_LOAD_VERIFIED = 0x2000
};
// ------------------------------------------------------------
}
// ------------------------------------------------------------
-// Loader support routines
-// ------------------------------------------------------------
-
-inline void PEFile::SetSkipVerification()
-{
- LIMITED_METHOD_CONTRACT;
-
- m_flags |= PEFILE_SKIP_VERIFICATION;
-}
-
-inline BOOL PEFile::HasSkipVerification()
-{
- LIMITED_METHOD_CONTRACT;
-
- return (m_flags & (PEFILE_SKIP_VERIFICATION | PEFILE_SYSTEM)) != 0;
-}
-
-// ------------------------------------------------------------
// Descriptive strings
// ------------------------------------------------------------
} // end else if (IsIL() || IsNoMetadata())
else if (IsNDirect())
{
- if (!GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode())
- Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE);
-
pCode = GetStubForInteropMethod(this);
GetOrCreatePrecode();
}
}
FCIMPLEND
-
-FCIMPL1(void, ReflectionInvocation::PrepareContractedDelegate, Object * delegateUNSAFE)
-{
- CONTRACTL {
- FCALL_CHECK;
- PRECONDITION(CheckPointer(delegateUNSAFE, NULL_OK));
- }
- CONTRACTL_END;
-
-}
-FCIMPLEND
-
-
-FCIMPL0(void, ReflectionInvocation::ProbeForSufficientStack)
-{
- FCALL_CONTRACT;
-
-#ifdef FEATURE_STACK_PROBE
- // probe for our entry point amount and throw if not enough stack
- RetailStackProbe(ADJUST_PROBE(DEFAULT_ENTRY_PROBE_AMOUNT));
-#else
- FCUnique(0x69);
-#endif
-
-}
-FCIMPLEND
-
// This method checks to see if there is sufficient stack to execute the average Framework method.
// If there is not, then it throws System.InsufficientExecutionStackException. The limit for each
// thread is precomputed when the thread is created.
StaticAccessCheckContext accessContext(NULL, pDecoratedMT, pDecoratedModule->GetAssembly());
- // Don't do transparency check here. Custom attributes have different transparency rules.
- // The checks are done by AllowCriticalCustomAttributes and CheckLinktimeDemands in CustomAttribute.cs.
return ClassLoader::CanAccess(
&accessContext,
pCAMT,
}
// static
-BOOL QCALLTYPE RuntimeMethodHandle::IsSecurityCritical(MethodDesc *pMD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- BOOL fIsCritical = TRUE;
-
- BEGIN_QCALL;
-
- if (pMD == NULL)
- COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle"));
-
- fIsCritical = Security::IsMethodCritical(pMD);
-
- END_QCALL;
-
- return fIsCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeMethodHandle::IsSecuritySafeCritical(MethodDesc *pMD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- BOOL fIsSafeCritical = TRUE;
-
- BEGIN_QCALL;
-
- if (pMD == NULL)
- COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle"));
-
- fIsSafeCritical = Security::IsMethodSafeCritical(pMD);
-
- END_QCALL;
-
- return fIsSafeCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeMethodHandle::IsSecurityTransparent(MethodDesc *pMD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- BOOL fIsTransparent = TRUE;
-
- BEGIN_QCALL;
-
- if (pMD == NULL)
- COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle"));
-
- fIsTransparent = Security::IsMethodTransparent(pMD);
-
- END_QCALL;
-
- return fIsTransparent;
-}
-
-FCIMPL2(FC_BOOL_RET, RuntimeMethodHandle::IsTokenSecurityTransparent, ReflectModuleBaseObject *pModuleUNSAFE, INT32 tkToken) {
- CONTRACTL {
- FCALL_CHECK;
- }
- CONTRACTL_END;
-
- REFLECTMODULEBASEREF refModule = (REFLECTMODULEBASEREF)ObjectToOBJECTREF(pModuleUNSAFE);
-
- if(refModule == NULL)
- FCThrowRes(kArgumentNullException, W("Arg_InvalidHandle"));
-
- Module *pModule = refModule->GetModule();
-
- BOOL bIsSecurityTransparent = TRUE;
-
- HELPER_METHOD_FRAME_BEGIN_RET_1(refModule);
- {
- bIsSecurityTransparent = Security::IsTokenTransparent(pModule, tkToken);
- }
- HELPER_METHOD_FRAME_END();
-
- FC_RETURN_BOOL(bIsSecurityTransparent );
-
-}
-FCIMPLEND
-
-static bool DoAttributeTransparencyChecks(Assembly *pAttributeAssembly, Assembly *pDecoratedAssembly)
-{
- CONTRACTL
- {
- THROWS;
- MODE_COOPERATIVE;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pAttributeAssembly));
- PRECONDITION(CheckPointer(pDecoratedAssembly));
- }
- CONTRACTL_END;
-
- // Do transparency checks - if both the decorated assembly and attribute use the v4 security model,
- // then we can do a direct transparency check. However, if the decorated assembly uses the v2
- // security model, then we need to convert the security critical attribute to looking as though it
- // has a LinkDemand for full trust.
- const SecurityTransparencyBehavior *pTargetTransparency = pDecoratedAssembly->GetSecurityTransparencyBehavior();
- const SecurityTransparencyBehavior *pAttributeTransparency = pAttributeAssembly->GetSecurityTransparencyBehavior();
-
- // v2 transparency did not impose checks for using its custom attributes, so if the attribute is
- // defined in an assembly using the v2 transparency model then we don't need to do any
- // additional checks.
- if (pAttributeTransparency->DoAttributesRequireTransparencyChecks())
- {
- if (pTargetTransparency->CanTransparentCodeCallLinkDemandMethods() &&
- pAttributeTransparency->CanCriticalMembersBeConvertedToLinkDemand())
- {
- // We have a v4 critical attribute being applied to a v2 transparent target. Since v2
- // transparency doesn't understand externally visible critical attributes, we convert the
- // attribute to a LinkDemand for full trust. v2 transparency did not convert
- // LinkDemands on its attributes into full demands so we do not do that second level of
- // conversion here either.
- Security::FullTrustLinkDemand(pDecoratedAssembly);
- return true;
- }
- else
- {
- // If we are here either the target of the attribute uses the v4 security model, or the
- // attribute itself uses the v2 model. In these cases, we cannot perform a conversion of
- // the critical attribute into a LinkDemand, and we have an error condition.
- return false;
- }
- }
-
- return true;
-}
-
-FCIMPL3(void, RuntimeMethodHandle::CheckLinktimeDemands, ReflectMethodObject *pMethodUNSAFE, ReflectModuleBaseObject *pModuleUNSAFE, CLR_BOOL isDecoratedTargetSecurityTransparent)
-{
- CONTRACTL
- {
- FCALL_CHECK;
- PRECONDITION(CheckPointer(pModuleUNSAFE));
- PRECONDITION(CheckPointer(pMethodUNSAFE));
- }
- CONTRACTL_END;
-
- if(!Security::IsTransparencyEnforcementEnabled())
- {
- FCUnique(0xb0);
- return;
- }
-
- REFLECTMETHODREF refMethod = (REFLECTMETHODREF)ObjectToOBJECTREF(pMethodUNSAFE);
- REFLECTMODULEBASEREF refModule = (REFLECTMODULEBASEREF)ObjectToOBJECTREF(pModuleUNSAFE);
-
- HELPER_METHOD_FRAME_BEGIN_2(refMethod, refModule);
- {
- MethodDesc *pCallee = refMethod->GetMethod(); // pCallee is the CA ctor or CA setter method
- Module *pDecoratedModule = refModule->GetModule();
-
- bool isAttributeSecurityCritical = Security::IsMethodCritical(pCallee) &&
- !Security::IsMethodSafeCritical(pCallee);
-
- if (isDecoratedTargetSecurityTransparent && isAttributeSecurityCritical)
- {
- if (!DoAttributeTransparencyChecks(pCallee->GetAssembly(), pDecoratedModule->GetAssembly()))
- {
- SecurityTransparent::ThrowMethodAccessException(pCallee);
- }
- }
-
- }
- HELPER_METHOD_FRAME_END();
-}
-FCIMPLEND
-
NOINLINE static ReflectClassBaseObject* GetRuntimeTypeHelper(LPVOID __me, TypeHandle typeHandle, OBJECTREF keepAlive)
{
FC_INNER_PROLOG_NO_ME_SETUP();
}
FCIMPLEND
-// static
-BOOL QCALLTYPE RuntimeFieldHandle::IsSecurityCritical(FieldDesc *pFD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- BOOL fIsCritical = FALSE;
-
- BEGIN_QCALL;
-
- fIsCritical = Security::IsFieldCritical(pFD);
-
- END_QCALL;
-
- return fIsCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeFieldHandle::IsSecuritySafeCritical(FieldDesc *pFD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- BOOL fIsSafeCritical = FALSE;
-
- BEGIN_QCALL;
-
- fIsSafeCritical = Security::IsFieldSafeCritical(pFD);
-
- END_QCALL;
-
- return fIsSafeCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeFieldHandle::IsSecurityTransparent(FieldDesc *pFD)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- BOOL fIsTransparent = FALSE;
-
- BEGIN_QCALL;
-
- fIsTransparent = Security::IsFieldTransparent(pFD);
-
- END_QCALL;
-
- return fIsTransparent;
-}
-
-// static
-void QCALLTYPE RuntimeFieldHandle::CheckAttributeAccess(FieldDesc *pFD, QCall::ModuleHandle pModule)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pFD));
- PRECONDITION(CheckPointer(pModule.m_pModule));
- }
- CONTRACTL_END;
-
- if(!Security::IsTransparencyEnforcementEnabled())
- {
- FCUnique(0xb1);
- return;
- }
-
- BEGIN_QCALL;
-
- if (Security::IsFieldCritical(pFD) && !Security::IsFieldSafeCritical(pFD))
- {
- GCX_COOP();
-
- if (!DoAttributeTransparencyChecks(pFD->GetModule()->GetAssembly(), pModule->GetAssembly()))
- {
- ThrowFieldAccessException(NULL, pFD, TRUE, IDS_E_CRITICAL_FIELD_ACCESS_DENIED);
- }
- }
-
- END_QCALL;
-}
-
FCIMPL1(ReflectModuleBaseObject*, RuntimeTypeHandle::GetModule, ReflectClassBaseObject *pTypeUNSAFE) {
CONTRACTL {
FCALL_CHECK;
return fIsExternallyVisible;
} // RuntimeTypeHandle::IsVisible
-// static
-BOOL QCALLTYPE RuntimeTypeHandle::IsSecurityCritical(EnregisteredTypeHandle pTypeHandle)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pTypeHandle));
- }
- CONTRACTL_END;
-
- BOOL fIsCritical = FALSE;
-
- BEGIN_QCALL;
-
- MethodTable *pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable();
- if (pMT != NULL)
- {
- fIsCritical = Security::IsTypeCritical(pMT);
- }
-
- END_QCALL;
-
- return fIsCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeTypeHandle::IsSecuritySafeCritical(EnregisteredTypeHandle pTypeHandle)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pTypeHandle));
- }
- CONTRACTL_END;
-
- BOOL fIsSafeCritical = FALSE;
-
- BEGIN_QCALL;
-
- MethodTable *pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable();
- if (pMT != NULL)
- {
- fIsSafeCritical = Security::IsTypeSafeCritical(pMT);
- }
-
- END_QCALL;
-
- return fIsSafeCritical;
-}
-
-// static
-BOOL QCALLTYPE RuntimeTypeHandle::IsSecurityTransparent(EnregisteredTypeHandle pTypeHandle)
-{
- CONTRACTL
- {
- QCALL_CHECK;
- PRECONDITION(CheckPointer(pTypeHandle));
- }
- CONTRACTL_END;
-
- BOOL fIsTransparent = TRUE;
-
- BEGIN_QCALL;
-
- MethodTable * pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable();
- if (pMT != NULL)
- {
- fIsTransparent = Security::IsTypeTransparent(pMT);
- }
-
- END_QCALL;
-
- return fIsTransparent;
-}
-
FCIMPL1(FC_BOOL_RET, RuntimeTypeHandle::HasProxyAttribute, ReflectClassBaseObject *pTypeUNSAFE) {
CONTRACTL {
FCALL_CHECK;
static
BOOL QCALLTYPE IsVisible(EnregisteredTypeHandle pTypeHandle);
-
- static
- BOOL QCALLTYPE IsSecurityCritical(EnregisteredTypeHandle pTypeHandle);
-
- static
- BOOL QCALLTYPE IsSecuritySafeCritical(EnregisteredTypeHandle pTypeHandle);
-
- static
- BOOL QCALLTYPE IsSecurityTransparent(EnregisteredTypeHandle pTypeHandle);
static FCDECL1(FC_BOOL_RET, HasProxyAttribute, ReflectClassBaseObject *pType);
static FCDECL2(FC_BOOL_RET, IsComObject, ReflectClassBaseObject *pType, CLR_BOOL isGenericCOM);
BOOL isBinderDefault, Assembly *caller, Assembly *reflectedClassAssembly, TypeHandle declaringType, SignatureNative* pSig, BOOL verifyAccess);
static
- BOOL QCALLTYPE IsSecurityCritical(MethodDesc *pMD);
-
- static
- BOOL QCALLTYPE IsSecuritySafeCritical(MethodDesc *pMD);
-
- static
- BOOL QCALLTYPE IsSecurityTransparent(MethodDesc *pMD);
-
- static FCDECL2(FC_BOOL_RET, IsTokenSecurityTransparent, ReflectModuleBaseObject *pModuleUNSAFE, INT32 tkToken);
-
- static
BOOL QCALLTYPE IsCAVisibleFromDecoratedType(
EnregisteredTypeHandle targetTypeHandle,
MethodDesc * pTargetCtor,
EnregisteredTypeHandle sourceTypeHandle,
QCall::ModuleHandle sourceModuleHandle);
- static FCDECL3(void, CheckLinktimeDemands, ReflectMethodObject *pMethodUNSAFE, ReflectModuleBaseObject *pModuleUNSAFE, CLR_BOOL isDecoratedTargetSecurityTransparent);
static FCDECL4(void, SerializationInvoke, ReflectMethodObject *pMethodUNSAFE, Object* targetUNSAFE,
Object* serializationInfoUNSAFE, struct StreamingContextData * pContext);
static FCDECL1(INT32, GetToken, ReflectFieldObject *pFieldUNSAFE);
static FCDECL2(FieldDesc*, GetStaticFieldForGenericType, FieldDesc *pField, ReflectClassBaseObject *pDeclaringType);
static FCDECL1(FC_BOOL_RET, AcquiresContextFromThis, FieldDesc *pField);
-
- static
- BOOL QCALLTYPE IsSecurityCritical(FieldDesc *pFD);
-
- static
- BOOL QCALLTYPE IsSecuritySafeCritical(FieldDesc *pFD);
-
- static
- BOOL QCALLTYPE IsSecurityTransparent(FieldDesc *pFD);
-
- static
- void QCALLTYPE CheckAttributeAccess(FieldDesc *pFD, QCall::ModuleHandle pModule);
};
class ModuleHandle {
// See the LICENSE file in the project root for more information.
//
-//
-
-
#include "common.h"
#include "security.h"
-#include "securitydescriptor.h"
-#include "securitydescriptorappdomain.h"
-#include "securitydescriptorassembly.h"
-
-IApplicationSecurityDescriptor * Security::CreateApplicationSecurityDescriptor(AppDomain * pDomain)
-{
- WRAPPER_NO_CONTRACT;
-
- return static_cast<IApplicationSecurityDescriptor*>(new ApplicationSecurityDescriptor(pDomain));
-}
-
-IAssemblySecurityDescriptor* Security::CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator)
-{
- WRAPPER_NO_CONTRACT;
-
- return static_cast<IAssemblySecurityDescriptor*>(new AssemblySecurityDescriptor(pDomain, pAssembly, pLoaderAllocator));
-}
-
-ISharedSecurityDescriptor* Security::CreateSharedSecurityDescriptor(Assembly* pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-
- return static_cast<ISharedSecurityDescriptor*>(new SharedSecurityDescriptor(pAssembly));
-}
-void Security::DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor)
-{
- WRAPPER_NO_CONTRACT;
-
- delete static_cast<SharedSecurityDescriptor *>(descriptor);
-}
-
-
-BOOL Security::IsTransparencyEnforcementEnabled()
-{
- LIMITED_METHOD_CONTRACT;
-
- // No transparency enforcement in .NET Core
- return FALSE;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Determine if security checks should be bypassed for a method because the method is
-// being used by a profiler.
//
-// Profilers often do things like inject unverifiable IL or P/Invoke which won't be allowed
-// if they're working with a transparent method. This hook allows those checks to be
-// suppressed if we're currently profiling.
-//
-// Arguments:
-// pMD - Method we're checking to see if security checks may be bypassed for
+// The method in this file have nothing to do with security. They historically lived in security subsystem.
+// TODO: Move them to move appropriate place.
//
-BOOL Security::BypassSecurityChecksForProfiler(MethodDesc *pMD)
+void Security::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* ppbData, OUT DWORD* pcbData)
{
- CONTRACTL
- {
- NOTHROW;
+ CONTRACTL {
+ THROWS;
GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
+ MODE_COOPERATIVE;
+ PRECONDITION(CheckPointer(pArray));
+ PRECONDITION(CheckPointer(ppbData));
+ PRECONDITION(CheckPointer(pcbData));
+ PRECONDITION(*pArray != NULL);
+ } CONTRACTL_END;
+
+ DWORD size = (DWORD) (*pArray)->GetNumComponents();
+ *ppbData = new BYTE[size];
+ *pcbData = size;
+
+ CopyMemory(*ppbData, (*pArray)->GetDirectPointerToNonObjectElements(), size);
+}
-#if defined(PROFILING_SUPPORTED) && !defined(CROSSGEN_COMPILE)
- return CORProfilerPresent() &&
- CORProfilerBypassSecurityChecks() &&
- pMD->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted();
-#else
- return FALSE;
-#endif
+void Security::CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray)
+{
+ CONTRACTL {
+ THROWS;
+ GC_TRIGGERS;
+ MODE_COOPERATIVE;
+ } CONTRACTL_END;
+
+ U1ARRAYREF pObj;
+ _ASSERTE(pArray);
+
+ pObj = (U1ARRAYREF)AllocatePrimitiveArray(ELEMENT_TYPE_U1,cbData);
+ memcpyNoGCRefs(pObj->m_Array, pbData, cbData);
+ *pArray = (OBJECTREF) pObj;
}
// See the LICENSE file in the project root for more information.
//
-
-//
-
-
#ifndef __security_h__
#define __security_h__
-#include "securitypolicy.h"
-#include "securityattributes.h"
-#include "securitydeclarativecache.h"
-#include "securitydeclarative.h"
-#include "securitytransparentassembly.h"
-
-
-class IAssemblySecurityDescriptor;
-class IApplicationSecurityDescriptor;
-class IPEFileSecurityDescriptor;
+//
+// Stubbed out implementation of security subsystem
+// TODO: Eliminate this file
+//
enum SecurityStackWalkType
{
SSWT_GET_ZONE_AND_URL = 8,
};
-// AssemblyLoadSecurity is used to describe to the loader security information to apply to an assembly at
-// load time. This includes information such as the assembly's evidence, as well as if we should resolve
-// policy on the assembly or push a grant set to its security descriptor.
-struct AssemblyLoadSecurity
-{
- OBJECTREF *m_pEvidence;
- OBJECTREF *m_pAdditionalEvidence;
- OBJECTREF *m_pGrantSet;
- OBJECTREF *m_pRefusedSet;
- DWORD m_dwSpecialFlags;
- bool m_fCheckLoadFromRemoteSource;
- bool m_fSuppressSecurityChecks;
- bool m_fPropagatingAnonymouslyHostedDynamicMethodGrant;
-
- inline AssemblyLoadSecurity();
-
- // Should the assembly have policy resolved on it, or should it use a pre-determined grant set
- inline bool ShouldResolvePolicy();
-};
+// special flags
+#define SECURITY_UNMANAGED_CODE 0
+#define SECURITY_SKIP_VER 1
+#define REFLECTION_TYPE_INFO 2
+#define SECURITY_ASSERT 3
+#define REFLECTION_MEMBER_ACCESS 4
+#define SECURITY_SERIALIZATION 5
+#define REFLECTION_RESTRICTED_MEMBER_ACCESS 6
+#define SECURITY_FULL_TRUST 7
+#define SECURITY_BINDING_REDIRECTS 8
// Ultimately this will become the only interface through
// which the VM will access security code.
namespace Security
{
- // ----------------------------------------
- // SecurityPolicy
- // ----------------------------------------
-
- // Init
- inline void Start();
- inline void Stop();
- inline void SaveCache();
-
- // Policy
-
- BOOL IsTransparencyEnforcementEnabled();
+ inline BOOL IsTransparencyEnforcementEnabled() { return false; }
- BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD);
- inline BOOL CanCallUnmanagedCode(Module *pModule);
- inline BOOL CanAssert(Module *pModule);
- inline DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);
+ inline BOOL CanCallUnmanagedCode(Module *pModule) { return true; }
#ifndef DACCESS_COMPILE
- inline BOOL CanTailCall(MethodDesc* pMD);
- inline BOOL CanHaveRVA(Assembly * pAssembly);
- inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD);
- inline BOOL CanSkipVerification(MethodDesc * pMethod);
+ inline BOOL CanTailCall(MethodDesc* pMD) { return true; }
+ inline BOOL CanHaveRVA(Assembly * pAssembly) { return true; }
+ inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD) { return true; }
+ inline BOOL CanSkipVerification(MethodDesc * pMethod) { return true; }
#endif
- inline BOOL CanSkipVerification(DomainAssembly * pAssembly);
- inline CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly);
- inline CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD);
+ inline BOOL CanSkipVerification(DomainAssembly * pAssembly) { return true; }
// ----------------------------------------
// SecurityAttributes
// ----------------------------------------
- inline OBJECTREF CreatePermissionSet(BOOL fTrusted);
- inline void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData);
- inline void CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray);
+ void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData);
+ void CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray);
- // ----------------------------------------
- // SecurityDeclarative
- // ----------------------------------------
- inline HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
- inline void RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas);
- inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) ;
-
- inline LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands);
-
- inline void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
- inline void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
- inline void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
- inline void GetPermissionInstance(OBJECTREF *perm, int index);
- inline void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
-#ifndef DACCESS_COMPILE
- inline void CheckNonCasDemand(OBJECTREF *prefDemand);
-#endif // #ifndef DACCESS_COMPILE
- inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
- inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);
-
- // ----------------------------------------
- // SecurityStackWalk
- // ----------------------------------------
-
- // other CAS Actions
- inline void Demand(SecurityStackWalkType eType, OBJECTREF demand) ;
- inline void DemandSet(SecurityStackWalkType eType, OBJECTREF demand) ;
- inline void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) ;
- inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) ;
-
- inline void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);
-
- inline void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
- inline void FullTrustLinkDemand(Assembly *pTargetAssembly);
-
- // Compressed Stack
-
- // Misc - todo: put these in better categories
-
- inline BOOL AllDomainsOnStackFullyTrusted();
- IApplicationSecurityDescriptor* CreateApplicationSecurityDescriptor(AppDomain * pDomain);
- IAssemblySecurityDescriptor* CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
- ISharedSecurityDescriptor* CreateSharedSecurityDescriptor(Assembly* pAssembly);
- void DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor);
- inline void SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD);
- inline void SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD);
-
-
- // Checks for one of the special domain wide flags
- // such as if we are currently in a "fully trusted" environment
- // or if unmanaged code access is allowed at this time
- // Note: This is an inline method instead of a virtual method on IApplicationSecurityDescriptor
- // for stackwalk perf.
- inline BOOL CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags);
-
- inline BOOL IsResolved(Assembly *pAssembly);
-
- FORCEINLINE VOID IncrementSecurityPerfCounter() ;
- inline BOOL IsSpecialRunFrame(MethodDesc *pMeth) ;
- inline BOOL SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
- inline BOOL SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
+ inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) { }
// Transparency checks
- inline BOOL IsMethodTransparent(MethodDesc * pMD);
- inline BOOL IsMethodCritical(MethodDesc * pMD);
- inline BOOL IsMethodSafeCritical(MethodDesc * pMD);
-
- inline BOOL IsTypeCritical(MethodTable *pMT);
- inline BOOL IsTypeSafeCritical(MethodTable *pMT);
- inline BOOL IsTypeTransparent(MethodTable * pMT);
- inline BOOL IsTypeAllTransparent(MethodTable * pMT);
-
- inline BOOL IsFieldTransparent(FieldDesc * pFD);
- inline BOOL IsFieldCritical(FieldDesc * pFD);
- inline BOOL IsFieldSafeCritical(FieldDesc * pFD);
+ inline BOOL IsMethodTransparent(MethodDesc * pMD) { return false; }
+ inline BOOL IsMethodCritical(MethodDesc * pMD) { return true; }
+ inline BOOL IsMethodSafeCritical(MethodDesc * pMD) { return false; }
- inline BOOL IsTokenTransparent(Module* pModule, mdToken token);
-
- inline void DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
- const TypeHandle &calleeTH,
- CorInfoSecurityRuntimeChecks check);
+ inline BOOL IsTypeCritical(MethodTable *pMT) { return true; }
+ inline BOOL IsTypeSafeCritical(MethodTable *pMT) { return false; }
+ inline BOOL IsTypeTransparent(MethodTable * pMT) { return false; }
+ inline BOOL IsTypeAllTransparent(MethodTable * pMT) { return false; }
- inline CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
- MethodDesc* pCallee,
- SecurityTransparencyError *pError);
- inline VOID EnforceTransparentAssemblyChecks(MethodDesc* pCallee, MethodDesc* pCaller);
- inline VOID EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller);
- inline VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc);
+ inline BOOL IsFieldTransparent(FieldDesc * pFD) { return false; }
+ inline BOOL IsFieldCritical(FieldDesc * pFD) { return true; }
+ inline BOOL IsFieldSafeCritical(FieldDesc * pFD) { return false; }
- inline bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands = false);
+ inline BOOL IsTokenTransparent(Module* pModule, mdToken token) { return false; }
inline BOOL CheckCriticalAccess(AccessCheckContext* pContext,
MethodDesc* pOptionalTargetMethod = NULL,
FieldDesc* pOptionalTargetField = NULL,
- MethodTable * pOptionalTargetType = NULL);
-
- // declarative security
- inline HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry = NULL) ;
-
- // security enforcement
- inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
-
-
- inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);
-
- inline bool CanShareAssembly(DomainAssembly *pAssembly);
-};
-
-class ISecurityDescriptor
-{
-public:
- VPTR_BASE_VTABLE_CLASS_AND_CTOR(ISecurityDescriptor)
-
- virtual ~ISecurityDescriptor() { LIMITED_METHOD_CONTRACT; }
-
- virtual BOOL IsFullyTrusted() = 0;
-
- virtual BOOL CanCallUnmanagedCode() const = 0;
-
-#ifndef DACCESS_COMPILE
- virtual DWORD GetSpecialFlags() const = 0;
-
- virtual AppDomain* GetDomain() const = 0;
-
- virtual void Resolve() = 0;
- virtual BOOL IsResolved() const = 0;
-
-
- virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) = 0;
-#endif // !DACCESS_COMPILE
-};
-
-class IApplicationSecurityDescriptor : public ISecurityDescriptor
-{
-public:
- VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IApplicationSecurityDescriptor, ISecurityDescriptor)
-
-#ifndef DACCESS_COMPILE
-public:
- virtual BOOL IsHomogeneous() const = 0;
- virtual void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) = 0;
- virtual BOOL ContainsAnyRefusedPermissions() = 0;
-
- virtual BOOL IsDefaultAppDomain() const = 0;
- virtual BOOL IsDefaultAppDomainEvidence() = 0;
- virtual BOOL DomainMayContainPartialTrustCode() = 0;
-
- virtual BOOL CallHostSecurityManager() = 0;
- virtual void SetHostSecurityManagerFlags(DWORD dwFlags) = 0;
- virtual void SetPolicyLevelFlag() = 0;
-
- virtual void FinishInitialization() = 0;
- virtual BOOL IsInitializationInProgress() = 0;
-
- // Determine the security state that an AppDomain will arrive in if nothing changes during domain
- // initialization. (ie, get the input security state of the domain)
- virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) = 0;
-
- // Gets special domain wide flags that specify things
- // such as whether we are currently in a "fully trusted" environment
- // or if unmanaged code access is allowed at this time
- virtual DWORD GetDomainWideSpecialFlag() const = 0;
-
-
-#endif // !DACCESS_COMPILE
-};
-
-class IAssemblySecurityDescriptor : public ISecurityDescriptor
-{
-public:
- VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IAssemblySecurityDescriptor, ISecurityDescriptor)
-
-#ifndef DACCESS_COMPILE
- virtual SharedSecurityDescriptor *GetSharedSecDesc() = 0;
-
- virtual BOOL CanAssert() = 0;
- virtual BOOL HasUnrestrictedUIPermission() = 0;
- virtual BOOL IsAllCritical() = 0;
- virtual BOOL IsAllSafeCritical() = 0;
- virtual BOOL IsAllPublicAreaSafeCritical() = 0;
- virtual BOOL IsAllTransparent() = 0;
- virtual BOOL IsSystem() = 0;
- virtual BOOL AllowSkipVerificationInFullTrust() = 0;
-
- virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution) = 0;
-
-
- virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) = 0;
-
-
- // Check to make sure that security will allow this assembly to load. Throw an exception if the
- // assembly should be forbidden from loading for security related purposes
- virtual void CheckAllowAssemblyLoad() = 0;
-#endif // #ifndef DACCESS_COMPILE
+ MethodTable * pOptionalTargetType = NULL)
+ {
+ return true;
+ }
+
+ inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD)
+ {
+ }
};
-class ISharedSecurityDescriptor
-{
-public:
- virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL) = 0;
- virtual BOOL IsResolved() const = 0;
- virtual BOOL IsSystem() = 0;
- virtual Assembly* GetAssembly() = 0;
-};
-
-
-#include "security.inl"
-#include "securitydeclarative.inl"
-#include "securityattributes.inl"
-
#endif
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-
-//
-
-#ifndef _INL_SECURITY_
-#define _INL_SECURITY_
-
-#include "securitydescriptorassembly.h"
-#include "securitydescriptorappdomain.h"
-#include "securitystackwalk.h"
-
-// Init
-inline void Security::Start()
-{
- WRAPPER_NO_CONTRACT;
- SecurityPolicy::Start();
-}
-
-inline void Security::Stop()
-{
- WRAPPER_NO_CONTRACT;
- SecurityPolicy::Stop();
-}
-// ----------------------------------------
-// SecurityPolicy
-// ----------------------------------------
-
-
-inline BOOL Security::CanCallUnmanagedCode(Module *pModule)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityPolicy::CanCallUnmanagedCode(pModule);
-}
-
-#ifndef DACCESS_COMPILE
-inline BOOL Security::CanAssert(Module *pModule)
-{
- WRAPPER_NO_CONTRACT;
- SharedSecurityDescriptor *pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pModule->GetAssembly()->GetSharedSecurityDescriptor());
- if (pSharedSecDesc)
- return pSharedSecDesc->CanAssert();
-
- AssemblySecurityDescriptor *pSec = static_cast<AssemblySecurityDescriptor*>(pModule->GetSecurityDescriptor());
- _ASSERTE(pSec);
- return pSec->CanAssert();
-}
-
-inline DECLSPEC_NORETURN void Security::ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags)
-{
- WRAPPER_NO_CONTRACT;
- SecurityPolicy::ThrowSecurityException(szDemandClass, dwFlags);
-}
-
-inline BOOL Security::CanTailCall(MethodDesc* pMD)
-{
- WRAPPER_NO_CONTRACT;
- return Security::CanSkipVerification(pMD);
-}
-
-inline BOOL Security::CanAccessNonVerifiableExplicitField(MethodDesc* pMD)
-{
- WRAPPER_NO_CONTRACT
- // just check if the method can have unverifiable code
- return Security::CanSkipVerification(pMD);
-}
-#endif
-
-// ----------------------------------------
-// SecurityAttributes
-// ----------------------------------------
-
-inline OBJECTREF Security::CreatePermissionSet(BOOL fTrusted)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityAttributes::CreatePermissionSet(fTrusted);
-}
-
-inline void Security::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData)
-{
- WRAPPER_NO_CONTRACT;
- SecurityAttributes::CopyByteArrayToEncoding(pArray, pbData, cbData);
-}
-
-inline void Security::CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray)
-{
- WRAPPER_NO_CONTRACT;
- SecurityAttributes::CopyEncodingToByteArray(pbData, cbData, pArray);
-}
-
-// ----------------------------------------
-// SecurityDeclarative
-// ----------------------------------------
-
-inline HRESULT Security::GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityDeclarative::GetDeclarationFlags(pInternalImport, token, pdwFlags, pdwNullFlags, fHasSuppressUnmanagedCodeAccessAttr);
-}
-
-inline void Security::RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas)
-{
- WRAPPER_NO_CONTRACT;
- SecurityDeclarative::RetrieveLinktimeDemands(pMD, pClassCas, pClassNonCas, pMethodCas, pMethodNonCas);
-}
-
-inline LinktimeCheckReason Security::GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityDeclarative::GetLinktimeCheckReason(pMD,
- pClassCasDemands,
- pClassNonCasDemands,
- pMethodCasDemands,
- pMethodNonCasDemands);
-}
-
-inline void Security::CheckLinkDemandAgainstAppDomain(MethodDesc *pMD)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-inline void Security::LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-inline void Security::ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent)
-{
- WRAPPER_NO_CONTRACT;
- SecurityDeclarative::ClassInheritanceCheck(pClass, pParent);
-}
-
-inline void Security::MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent)
-{
- WRAPPER_NO_CONTRACT;
- SecurityDeclarative::MethodInheritanceCheck(pMethod, pParent);
-}
-
-inline void Security::DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-#ifndef DACCESS_COMPILE
-inline void Security::CheckNonCasDemand(OBJECTREF *prefDemand)
-{
- WRAPPER_NO_CONTRACT;
-}
-#endif // #ifndef DACCESS_COMPILE
-
-inline BOOL Security::MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(pMD);
-}
-
-inline BOOL Security::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(dwMethodAttr, dwClassAttr, fIsGlobalClass);
-}
-
-// ----------------------------------------
-// SecurityStackWalk
-// ----------------------------------------
-
-// other CAS Actions
-inline void Security::Demand(SecurityStackWalkType eType, OBJECTREF demand)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-
-inline void Security::DemandSet(SecurityStackWalkType eType, OBJECTREF demand)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-}
-
-inline void Security::DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-
-inline void Security::SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-inline void Security::InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-inline void Security::FullTrustInheritanceDemand(Assembly *pTargetAssembly)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-inline void Security::FullTrustLinkDemand(Assembly *pTargetAssembly)
-{
- WRAPPER_NO_CONTRACT;
-}
-
-// Misc - todo: put these in better categories
-
-FORCEINLINE VOID Security::IncrementSecurityPerfCounter()
-{
- WRAPPER_NO_CONTRACT;
- SecurityStackWalk::IncrementSecurityPerfCounter();
-}
-
-inline BOOL Security::IsSpecialRunFrame(MethodDesc *pMeth)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityStackWalk::IsSpecialRunFrame(pMeth);
-}
-
-inline BOOL Security::SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain )
-{
- WRAPPER_NO_CONTRACT;
- return SecurityStackWalk::SkipAndFindFunctionInfo(i, ppMD, ppOR, ppAppDomain);
-}
-
-inline BOOL Security::SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain )
-{
- WRAPPER_NO_CONTRACT;
- return SecurityStackWalk::SkipAndFindFunctionInfo(pSCM, ppMD, ppOR, ppAppDomain);
-}
-
-#ifndef DACCESS_COMPILE
-inline BOOL Security::AllDomainsOnStackFullyTrusted()
-{
- WRAPPER_NO_CONTRACT;
- return (SecurityStackWalk::HasFlagsOrFullyTrusted(0));
-}
-
-inline void Security::SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD)
- {WRAPPER_NO_CONTRACT; static_cast<ApplicationSecurityDescriptor*>(pASD)->SetDefaultAppDomain();}
-
-inline void Security::SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD)
- {WRAPPER_NO_CONTRACT; static_cast<ApplicationSecurityDescriptor*>(pASD)->SetDefaultAppDomainEvidence();}
-
-inline BOOL Security::CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags)
-{
- WRAPPER_NO_CONTRACT;
- return static_cast<ApplicationSecurityDescriptor*>(pASD)->CheckDomainWideSpecialFlag(flags);
-}
-
-inline BOOL Security::IsResolved(Assembly *pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-
- ISharedSecurityDescriptor *pSSD = pAssembly->GetSharedSecurityDescriptor();
- if (pSSD != NULL)
- {
- return pSSD->IsResolved();
- }
- else
- {
- IAssemblySecurityDescriptor *pSD = pAssembly->GetSecurityDescriptor();
- return pSD->IsResolved();
- }
-}
-#endif //! DACCESS_COMPILE
-
-inline BOOL Security::IsMethodTransparent(MethodDesc * pMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsMethodTransparent(pMD);
-}
-
-inline BOOL Security::IsMethodCritical(MethodDesc * pMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsMethodCritical(pMD);
-}
-
-inline BOOL Security::IsMethodSafeCritical(MethodDesc * pMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsMethodSafeCritical(pMD);
-}
-
-inline BOOL Security::IsTypeCritical(MethodTable *pMT)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsTypeCritical(pMT);
-}
-
-inline BOOL Security::IsTypeSafeCritical(MethodTable *pMT)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsTypeSafeCritical(pMT);
-}
-
-inline BOOL Security::IsTypeTransparent(MethodTable * pMT)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsTypeTransparent(pMT);
-}
-
-inline BOOL Security::IsTypeAllTransparent(MethodTable * pMT)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsTypeAllTransparent(pMT);
-}
-
-inline BOOL Security::IsFieldTransparent(FieldDesc * pFD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsFieldTransparent(pFD);
-}
-
-inline BOOL Security::IsFieldCritical(FieldDesc * pFD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsFieldCritical(pFD);
-}
-
-inline BOOL Security::IsFieldSafeCritical(FieldDesc * pFD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsFieldSafeCritical(pFD);
-}
-
-inline BOOL Security::IsTokenTransparent(Module* pModule, mdToken token)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::IsTokenTransparent(pModule, token);
-}
-
-inline void Security::DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
- const TypeHandle &calleeTH,
- CorInfoSecurityRuntimeChecks checks)
-{
- WRAPPER_NO_CONTRACT;
- SecurityTransparent::DoSecurityClassAccessChecks(pCallerMD, calleeTH, checks);
-}
-
-// Transparency checks
-inline CorInfoIsAccessAllowedResult Security::RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
- MethodDesc* pCallee,
- SecurityTransparencyError *pError)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::RequiresTransparentAssemblyChecks(pCaller, pCallee, pError);
-}
-
-inline VOID Security::EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller)
-{
- WRAPPER_NO_CONTRACT;
- SecurityTransparent::EnforceTransparentDelegateChecks(pDelegateMT, pCaller);
-}
-
-inline VOID Security::EnforceTransparentAssemblyChecks( MethodDesc* pCallee, MethodDesc* pCaller)
-{
- WRAPPER_NO_CONTRACT;
- SecurityTransparent::EnforceTransparentAssemblyChecks( pCallee, pCaller);
-}
-
-inline VOID Security::PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc)
-{
- WRAPPER_NO_CONTRACT;
- SecurityTransparent::PerformTransparencyChecksForLoadByteArray(pCallersMD, static_cast<AssemblySecurityDescriptor*>(pLoadedSecDesc));
-}
-
-inline bool Security::TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands /*= false*/)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::TypeRequiresTransparencyCheck(type, checkForLinkDemands);
-}
-
-inline BOOL Security::CheckCriticalAccess(AccessCheckContext* pContext,
- MethodDesc* pOptionalTargetMethod,
- FieldDesc* pOptionalTargetField,
- MethodTable * pOptionalTargetType)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::CheckCriticalAccess(pContext,
- pOptionalTargetMethod,
- pOptionalTargetField,
- pOptionalTargetType);
-}
-
-#ifndef DACCESS_COMPILE
-inline BOOL Security::CanHaveRVA(Assembly * pAssembly)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- return Security::CanSkipVerification(pAssembly->GetDomainAssembly());
-}
-
-inline BOOL Security::CanSkipVerification(MethodDesc * pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // Always skip verification on CoreCLR
- return TRUE;
-}
-#endif //!DACCESS_COMPILE
-
-
-inline BOOL Security::CanSkipVerification(DomainAssembly * pAssembly)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityPolicy::CanSkipVerification(pAssembly);
-}
-
-inline CorInfoCanSkipVerificationResult Security::JITCanSkipVerification(DomainAssembly * pAssembly)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::JITCanSkipVerification(pAssembly);
-}
-
-inline CorInfoCanSkipVerificationResult Security::JITCanSkipVerification(MethodDesc * pMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::JITCanSkipVerification(pMD);
-}
-
-inline BOOL Security::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityAttributes::ContainsBuiltinCASPermsOnly(pAttrSet);
-}
-
-
-inline bool Security::SecurityCalloutQuickCheck(MethodDesc *pCallerMD)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityTransparent::SecurityCalloutQuickCheck(pCallerMD);
-}
-
-inline bool Security::CanShareAssembly(DomainAssembly *pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-
-
- return true;
-}
-
-inline HRESULT Security::GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry )
-{
- WRAPPER_NO_CONTRACT;
- return SecurityAttributes::GetDeclaredPermissions(pInternalImport, token, action, pDeclaredPermissions, pPSCacheEntry);
-}
-
-#ifndef DACCESS_COMPILE
- // Returns true if everyone is fully trusted or has the indicated flags
-FORCEINLINE BOOL SecurityStackWalk::HasFlagsOrFullyTrustedIgnoreMode (DWORD flags) {
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- SO_TOLERANT;
- }
- CONTRACTL_END;
-
- return TRUE;
-}
-
-// Returns true if everyone is fully trusted or has the indicated flags AND we're not in legacy CAS mode
-FORCEINLINE BOOL SecurityStackWalk::HasFlagsOrFullyTrusted (DWORD flags) {
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- SO_TOLERANT;
- }
- CONTRACTL_END;
- return (HasFlagsOrFullyTrustedIgnoreMode(flags));
-
-}
-
-FORCEINLINE BOOL SecurityStackWalk::QuickCheckForAllDemands(DWORD flags)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- SO_TOLERANT;
- } CONTRACTL_END;
-
- return (SecurityStackWalk::HasFlagsOrFullyTrusted(flags));
-}
-
-inline void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (handle == NULL)
- {
- // Storing NULL doesn't require us to allocate a handle
- if (ref != NULL)
- {
- GCPROTECT_BEGIN(ref);
- // Atomically create a handle and store it
- LOADERHANDLE tmpHandle = la->AllocateHandle(NULL);
- if (FastInterlockCompareExchangePointer(&handle, tmpHandle, static_cast<LOADERHANDLE>(NULL)) != NULL)
- {
- // Another thread snuck in and created the handle - this should be unusual and acceptable to leak here. (Only leaks till end of AppDomain or Assembly lifetime)
- }
- else
- {
- la->SetHandleValue(handle, ref);
- }
- GCPROTECT_END();
- }
- }
- else
- {
- la->SetHandleValue(handle, ref);
- }
-}
-#endif // #ifndef DACCESS_COMPILE
-
-
-#endif
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-
-#include "security.h"
-#include "field.h"
-#include "comcallablewrapper.h"
-#include "typeparse.h"
-#include "appdomain.inl"
-#include "mdaassistants.h"
-#include "fstring.h"
-
-
-HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction);
-
-#ifndef CROSSGEN_COMPILE
-
-//
-// Determine if a security action allows an optimization where an empty permission set can be represented as
-// NULL. Some VM optimizations kick in if an empty permission set can be represented as NULL; however since
-// some security actions have a semantic difference between not being specified at all and having an explicit
-// empty permission set specified, permission sets associated with those actions must be represented as an
-// empty object rather than as NULL.
-//
-// Arguments:
-// action - security action to check
-//
-// Return Value:
-// true if the security action may have an empty permission set optimized to NULL, false otherwise
-//
-// Notes:
-// The security actions which cannot have NULL represent an empty permission set are:
-//
-// * PermitOnly - a PermitOnly set containing no permissions means that all demands should fail, as
-// opposed to not having a PermitOnly set on a method.
-// * RequestOptional - not specifying a RequestOptional set is equivilent to having a RequestOptional set
-// of FullTrust, rather than having an empty RequestOptional set.
-//
-
-// static
-bool SecurityAttributes::ActionAllowsNullPermissionSet(CorDeclSecurity action)
-{
- LIMITED_METHOD_CONTRACT;
- return action != dclPermitOnly && action != dclRequestOptional;
-}
-
-void SecurityAttributes::CopyEncodingToByteArray(IN PBYTE pbData,
- IN DWORD cbData,
- OUT OBJECTREF* pArray)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- U1ARRAYREF pObj;
- _ASSERTE(pArray);
-
- pObj = (U1ARRAYREF)AllocatePrimitiveArray(ELEMENT_TYPE_U1,cbData);
- memcpyNoGCRefs(pObj->m_Array, pbData, cbData);
- *pArray = (OBJECTREF) pObj;
-}
-
-void SecurityAttributes::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray,
- OUT PBYTE* ppbData,
- OUT DWORD* pcbData)
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pArray));
- PRECONDITION(CheckPointer(ppbData));
- PRECONDITION(CheckPointer(pcbData));
- PRECONDITION(*pArray != NULL);
- } CONTRACTL_END;
-
- DWORD size = (DWORD) (*pArray)->GetNumComponents();
- *ppbData = new BYTE[size];
- *pcbData = size;
-
- CopyMemory(*ppbData, (*pArray)->GetDirectPointerToNonObjectElements(), size);
-}
-
-//
-// This is a public exported method
-//
-
-// Translate a set of security custom attributes into a serialized permission set blob.
-HRESULT STDMETHODCALLTYPE TranslateSecurityAttributes(CORSEC_ATTRSET *pAttrSet,
- BYTE **ppbOutput,
- DWORD *pcbOutput,
- BYTE **ppbNonCasOutput,
- DWORD *pcbNonCasOutput,
- DWORD *pdwErrorIndex)
-{
- return E_NOTIMPL;
-}
-
-
-//
-// This is a public exported method
-//
-
-// Reads permission requests (if any) from the manifest of an assembly.
-HRESULT STDMETHODCALLTYPE GetPermissionRequests(LPCWSTR pwszFileName,
- BYTE **ppbMinimal,
- DWORD *pcbMinimal,
- BYTE **ppbOptional,
- DWORD *pcbOptional,
- BYTE **ppbRefused,
- DWORD *pcbRefused)
-{
- CONTRACTL {
- NOTHROW;
- GC_TRIGGERS;
- MODE_PREEMPTIVE;
- ENTRY_POINT;
- } CONTRACTL_END;
-
- HRESULT hr = S_OK;
-
- BEGIN_EXTERNAL_ENTRYPOINT(&hr)
- {
- IMetaDataDispenser *pMD = NULL;
- IMetaDataAssemblyImport *pMDAsmImport = NULL;
- IMetaDataImport *pMDImport = NULL;
- mdAssembly mdAssembly;
- BYTE *pbMinimal = NULL;
- DWORD cbMinimal = 0;
- BYTE *pbOptional = NULL;
- DWORD cbOptional = 0;
- BYTE *pbRefused = NULL;
- DWORD cbRefused = 0;
- HCORENUM hEnumDcl = NULL;
- mdPermission rPSets[dclMaximumValue + 1];
- DWORD dwSets;
- DWORD i;
-
- *ppbMinimal = NULL;
- *pcbMinimal = 0;
- *ppbOptional = NULL;
- *pcbOptional = 0;
- *ppbRefused = NULL;
- *pcbRefused = 0;
-
- // Get the meta data interface dispenser.
- hr = MetaDataGetDispenser(CLSID_CorMetaDataDispenser,
- IID_IMetaDataDispenserEx,
- (void **)&pMD);
- if (FAILED(hr))
- goto Error;
-
- // Open a scope on the assembly file.
- hr = pMD->OpenScope(pwszFileName,
- 0,
- IID_IMetaDataAssemblyImport,
- (IUnknown**)&pMDAsmImport);
- if (FAILED(hr))
- goto Error;
-
- // Determine the assembly token.
- hr = pMDAsmImport->GetAssemblyFromScope(&mdAssembly);
- if (FAILED(hr))
- goto Error;
-
- // QI for a normal import interface.
- hr = pMDAsmImport->QueryInterface(IID_IMetaDataImport, (void**)&pMDImport);
- if (FAILED(hr))
- goto Error;
-
- // Look for permission request sets hung off the assembly token.
- hr = pMDImport->EnumPermissionSets(&hEnumDcl,
- mdAssembly,
- dclActionNil,
- rPSets,
- dclMaximumValue + 1,
- &dwSets);
- if (FAILED(hr))
- goto Error;
-
- for (i = 0; i < dwSets; i++) {
- BYTE *pbData;
- DWORD cbData;
- DWORD dwAction;
-
- pMDImport->GetPermissionSetProps(rPSets[i],
- &dwAction,
- (void const **)&pbData,
- &cbData);
-
- switch (dwAction) {
- case dclRequestMinimum:
- _ASSERTE(pbMinimal == NULL);
- pbMinimal = pbData;
- cbMinimal = cbData;
- break;
- case dclRequestOptional:
- _ASSERTE(pbOptional == NULL);
- pbOptional = pbData;
- cbOptional = cbData;
- break;
- case dclRequestRefuse:
- _ASSERTE(pbRefused == NULL);
- pbRefused = pbData;
- cbRefused = cbData;
- break;
- default:
- _ASSERTE(FALSE);
- }
- }
-
- pMDImport->CloseEnum(hEnumDcl);
-
- // Buffer the results (since we're about to close the metadata scope and
- // lose the original data).
- if (pbMinimal) {
- *ppbMinimal = new (nothrow) BYTE[cbMinimal];
- if (*ppbMinimal == NULL) {
- hr = E_OUTOFMEMORY;
- goto Error;
- }
- memcpy(*ppbMinimal, pbMinimal, cbMinimal);
- *pcbMinimal = cbMinimal;
- }
-
- if (pbOptional) {
- *ppbOptional = new (nothrow) BYTE[cbOptional];
- if (*ppbOptional == NULL) {
- hr = E_OUTOFMEMORY;
- goto Error;
- }
- memcpy(*ppbOptional, pbOptional, cbOptional);
- *pcbOptional = cbOptional;
- }
-
- if (pbRefused) {
- *ppbRefused = new (nothrow) BYTE[cbRefused];
- if (*ppbRefused == NULL) {
- hr = E_OUTOFMEMORY;
- goto Error;
- }
- memcpy(*ppbRefused, pbRefused, cbRefused);
- *pcbRefused = cbRefused;
- }
-
- Error:
- if (pMDImport)
- pMDImport->Release();
- if (pMDAsmImport)
- pMDAsmImport->Release();
- if (pMD)
- pMD->Release();
- }
- END_EXTERNAL_ENTRYPOINT;
-
- return hr;
-}
-
-// Load permission requests in their serialized form from assembly metadata.
-// This consists of a required permissions set and optionally an optional and
-// deny permission set.
-void SecurityAttributes::LoadPermissionRequestsFromAssembly(IN IMDInternalImport* pImport,
- OUT OBJECTREF* pReqdPermissions,
- OUT OBJECTREF* pOptPermissions,
- OUT OBJECTREF* pDenyPermissions)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pReqdPermissions));
- PRECONDITION(CheckPointer(pOptPermissions));
- PRECONDITION(CheckPointer(pDenyPermissions));
- } CONTRACTL_END;
-
- mdAssembly mdAssembly;
- HRESULT hr;
-
- *pReqdPermissions = NULL;
- *pOptPermissions = NULL;
- *pDenyPermissions = NULL;
-
- // It's OK to be called with a NULL assembly. This can happen in the code
- // path where we're just checking for a signature, nothing else. So just
- // return without doing anything.
- if (pImport == NULL)
- return;
-
- // Locate assembly metadata token since the various permission sets are
- // written as custom values against this token.
- if (pImport->GetAssemblyFromScope(&mdAssembly) != S_OK) {
- _ASSERT(FALSE);
- return;
- }
-
- struct _gc
- {
- OBJECTREF reqdPset;
- OBJECTREF optPset;
- OBJECTREF denyPset;
- } gc;
- ZeroMemory(&gc, sizeof(gc));
-
- {
- GCX_COOP(); // because GetDeclaredPermissions may call into managed code
- GCPROTECT_BEGIN(gc);
-
- // Read and translate required permission set.
- hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestMinimum, &gc.reqdPset, NULL);
- _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND));
-
- // Now the optional permission set.
- PsetCacheEntry *pOptPSCacheEntry = NULL;
- hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestOptional, &gc.optPset, &pOptPSCacheEntry);
- _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND));
-
- // An empty permission set has semantic meaning if it is an assembly's optional permission set.
- // If we have an optional set, then we need to make sure it is created.
- if (SUCCEEDED(hr) && gc.optPset == NULL && pOptPSCacheEntry != NULL)
- {
- gc.optPset = pOptPSCacheEntry->CreateManagedPsetObject(dclRequestOptional, /* createEmptySet */ true);
- }
-
- // And finally the refused permission set.
- hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestRefuse, &gc.denyPset, NULL);
- _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND));
-
- *pReqdPermissions = gc.reqdPset;
- *pOptPermissions = gc.optPset;
- *pDenyPermissions = gc.denyPset;
-
- GCPROTECT_END();
- }
-}
-
-// Determine whether a RequestOptional or RequestRefused are made in the assembly manifest.
-BOOL SecurityAttributes::RestrictiveRequestsInAssembly(IMDInternalImport* pImport)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- mdAssembly mdAssembly;
- HRESULT hr;
- HENUMInternal hEnumDcl;
-
- // Locate assembly metadata token since the various permission sets are
- // written as custom values against this token.
- hr = pImport->GetAssemblyFromScope(&mdAssembly);
- if (FAILED(hr))
- return TRUE;
-
- hr = pImport->EnumPermissionSetsInit(mdAssembly,
- dclRequestRefuse,
- &hEnumDcl);
-
- BOOL bFoundRequestRefuse = (hr != CLDB_E_RECORD_NOTFOUND);
- pImport->EnumClose(&hEnumDcl);
-
- if (bFoundRequestRefuse)
- return TRUE;
-
- hr = pImport->EnumPermissionSetsInit(mdAssembly,
- dclRequestOptional,
- &hEnumDcl);
- BOOL bFoundRequestOptional = (hr != CLDB_E_RECORD_NOTFOUND);
- pImport->EnumClose(&hEnumDcl);
-
- return bFoundRequestOptional;
-}
-#endif // CROSSGEN_COMPILE
-
-HRESULT SecurityAttributes::GetPermissionsFromMetaData(IN IMDInternalImport *pInternalImport,
- IN mdToken token,
- IN CorDeclSecurity action,
- OUT PBYTE* ppbPerm,
- OUT ULONG* pcbPerm)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
- HRESULT hr = S_OK;
- mdPermission tkPerm;
- void const ** ppData = const_cast<void const**> (reinterpret_cast<void**> (ppbPerm));
- DWORD dwActionDummy;
- // Get the blob for the CAS action from the security action table in metadata
- HENUMInternalHolder hEnumDcl(pInternalImport);
- if (hEnumDcl.EnumPermissionSetsInit(token,action))
- {
- _ASSERTE(pInternalImport->EnumGetCount(&hEnumDcl) == 1 && "Multiple permissions sets for the same declaration aren't currently supported.");
- if (pInternalImport->EnumNext(&hEnumDcl, &tkPerm))
- {
- hr = pInternalImport->GetPermissionSetProps(
- tkPerm,
- &dwActionDummy,
- ppData,
- pcbPerm);
-
- if (FAILED(hr) )
- {
- COMPlusThrowHR(hr);
- }
- }
- else
- {
- _ASSERTE(!"At least one enumeration expected");
- }
- }
- else
- {
- hr = CLDB_E_RECORD_NOTFOUND;
- }
- return hr;
-}
-
-void SecurityAttributes::CreateAndCachePermissions(
- IN PBYTE pbPerm,
- IN ULONG cbPerm,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPSCacheEntry)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- SecurityDeclarativeCache *pSDC;
- PsetCacheEntry* pPCE;
-
- pSDC = &(GetAppDomain()->m_pSecContext->m_pSecurityDeclarativeCache);
-
-
- pPCE = pSDC->CreateAndCachePset (pbPerm, cbPerm);
- if (pDeclaredPermissions) {
-#ifdef CROSSGEN_COMPILE
- _ASSERTE(!"This codepath should be unreachable during crossgen");
- *pDeclaredPermissions = NULL;
-#else
- *pDeclaredPermissions = pPCE->CreateManagedPsetObject (action);
-#endif
- }
- if (pPSCacheEntry) {
- *pPSCacheEntry = pPCE;
- }
-}
-
-// Returns the declared PermissionSet for the specified action type.
-HRESULT SecurityAttributes::GetDeclaredPermissions(IN IMDInternalImport *pInternalImport,
- IN mdToken token,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPSCacheEntry)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- HRESULT hr = S_FALSE;
- PBYTE pbPerm = NULL;
- ULONG cbPerm = 0;
-
-
-
- _ASSERTE(action > dclActionNil && action <= dclMaximumValue);
-
- // Initialize the output parameters.
- if (pDeclaredPermissions)
- *pDeclaredPermissions = NULL;
- if(pPSCacheEntry)
- *pPSCacheEntry = NULL;
-
- bool bCas = !(action == dclNonCasDemand || action == dclNonCasLinkDemand || action == dclNonCasInheritance);
-
- hr = GetPermissionsFromMetaData(pInternalImport, token, action, &pbPerm, &cbPerm);
- if(pbPerm && cbPerm > 0)
- {
- CreateAndCachePermissions(pbPerm, cbPerm, action, pDeclaredPermissions, pPSCacheEntry);
- }
- else if(!bCas)
- {
- // We're looking for a non-CAS action which may be encoded with the corresponding CAS action
- // Pre-Whidbey, we used to encode CAS and non-CAS actions separately because we used to do
- // declarative security processing at build time (we used to create a
- // permset object corresponding to a declarative action, convert it into XML and then store the serialized
- // XML in the assembly).
- //
- // In Whidbey the default is what we call LAZY declarative security (LAZY_DECL_SEC_FLAG below) - to not do any
- // declarative security processing at build time (we just take the declarative annotiation and store it as a
- // serialzied blob - no permsets created/converted to XML). And at runtime, we do the actual processing (create permsets etc.)
- //
- // What does this mean? It means that in Whidbey (and beyond), we cannot tell at build time if it is a declarative CAS action
- // or non-CAS action. So at runtime, we need to check the permset stored under the cas action for a non-CAS action.
- // Of course, we need to do this only if LAZY_DECL_SEC_FLAG is in effect.
-
- // Determine the corresponding CAS action
- CorDeclSecurity casAction = dclDemand;
- if(action == dclNonCasLinkDemand)
- casAction = dclLinktimeCheck;
- else if(action == dclNonCasInheritance)
- casAction = dclInheritanceCheck;
-
- // Get the blob for the CAS action from the security action table in metadata
- hr = GetPermissionsFromMetaData(pInternalImport, token, casAction, &pbPerm, &cbPerm);
-
- if(pbPerm && cbPerm > 0 && pbPerm[0] == LAZY_DECL_SEC_FLAG) // if it's a serialized CORSEC_ATTRSET
- {
- CreateAndCachePermissions(pbPerm, cbPerm, casAction, pDeclaredPermissions, pPSCacheEntry);
- }
-
- }
-
- return hr;
-}
-
-bool SecurityAttributes::IsHostProtectionAttribute(CORSEC_ATTRIBUTE* pAttr)
-{
- static const char s_HostProtectionAttributeName[] = "System.Security.Permissions.HostProtectionAttribute, mscorlib";
-
- return (strncmp(pAttr->pName, s_HostProtectionAttributeName, sizeof(s_HostProtectionAttributeName)-1) == 0);
-}
-
-bool SecurityAttributes::IsBuiltInCASPermissionAttribute(CORSEC_ATTRIBUTE* pAttr)
-{
- WRAPPER_NO_CONTRACT;
- static const char s_permissionsNamespace[] = "System.Security.Permissions.";
- if(strncmp(pAttr->pName, s_permissionsNamespace, sizeof(s_permissionsNamespace) - 1) != 0)
- return false; // not built-in permission
- static const char s_principalPermissionName[] = "System.Security.Permissions.PrincipalPermissionAttribute, mscorlib";
-
- // ASSERT: at this point we know we are in builtin namespace...so compare with PrincipalPermissionAttribute
- if (strncmp(pAttr->pName, s_principalPermissionName, sizeof(s_principalPermissionName)-1) == 0)
- return false; // found a principal permission => Not a built-in CAS permission
-
- // special-case the unrestricted permission set attribute.
- static const char s_PermissionSetName[] = "System.Security.Permissions.PermissionSetAttribute, mscorlib";
- if (strncmp(pAttr->pName, s_PermissionSetName, sizeof(s_PermissionSetName)-1) == 0)
- return IsUnrestrictedPermissionSetAttribute(pAttr);
-
- return true; //built-in perm, but not principal perm => IsBuiltInCASPermissionAttribute
-}
-
-bool SecurityAttributes::IsUnrestrictedPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- BYTE const * pbBuffer = pPerm->pbValues;
- SIZE_T cbBuffer = pPerm->cbValues;
- BYTE const * pbBufferEnd = pbBuffer + cbBuffer;
-
- if (cbBuffer < 2 * sizeof(BYTE))
- return false;
-
- // Get the field/property specifier
- if (*(BYTE*)pbBuffer == SERIALIZATION_TYPE_FIELD)
- return false;
-
- _ASSERTE(*(BYTE*)pbBuffer == SERIALIZATION_TYPE_PROPERTY);
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- // Get the value type
- DWORD dwType = *(BYTE*)pbBuffer;
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
- if (dwType != SERIALIZATION_TYPE_BOOLEAN)
- return false;
-
- // Grab the field/property name and length.
- DWORD cbName;
- BYTE const * pbName;
- if (FAILED(CPackedLen::SafeGetData(pbBuffer,
- pbBufferEnd,
- &cbName,
- &pbName)))
- {
- return false;
- }
-
- PREFIX_ASSUME(pbName != NULL);
-
- // SafeGetData will ensure the name is within the buffer
- SIZE_T cbNameOffset = pbName - pbBuffer;
- _ASSERTE(FitsIn<DWORD>(cbNameOffset));
- DWORD dwLength = static_cast<DWORD>(cbNameOffset + cbName);
- pbBuffer += dwLength;
- cbBuffer -= dwLength;
-
- // Buffer the name of the property and null terminate it.
- DWORD allocLen = cbName + 1;
- if (allocLen < cbName)
- return false;
-
- LPSTR szName = (LPSTR)_alloca(allocLen);
- memcpy(szName, pbName, cbName);
- szName[cbName] = '\0';
-
- if (strcmp(szName, "Unrestricted") != 0)
- return false;
-
- // Make sure the value isn't "false"
- return (*pbBuffer != 0);
-}
-
-// This takes a PermissionSetAttribute blob and looks to see if it uses the "FILE" property. If it
-// does, then it loads the file now and modifies the attribute to use the XML property instead
-// (because the file may not be available at runtime.)
-HRESULT SecurityAttributes::FixUpPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- _ASSERTE(pPerm->wValues == 1 && strcmp(pPerm->pName, "System.Security.Permissions.PermissionSetAttribute") == 0);
- BYTE const * pbBuffer = pPerm->pbValues;
- SIZE_T cbBuffer = pPerm->cbValues;
- BYTE const * pbBufferEnd = pbBuffer + cbBuffer;
- HRESULT hr;
-
- // Check we've got at least the field/property specifier and the
- // type code.
- _ASSERTE(cbBuffer >= (sizeof(BYTE) + sizeof(BYTE)));
-
- // Grab the field/property specifier.
- bool bIsField = *(BYTE*)pbBuffer == SERIALIZATION_TYPE_FIELD;
- _ASSERTE(bIsField || (*(BYTE*)pbBuffer == SERIALIZATION_TYPE_PROPERTY));
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- // Grab the value type.
- DWORD dwType = *(BYTE*)pbBuffer;
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- if(bIsField)
- return S_OK;
- if(dwType != SERIALIZATION_TYPE_STRING)
- return S_OK;
-
- // Grab the field/property name and length.
- ULONG cbName;
- BYTE const * pbName;
- IfFailRet(CPackedLen::SafeGetData(pbBuffer, pbBufferEnd, &cbName, &pbName));
- PREFIX_ASSUME(pbName != NULL);
-
- // SafeGetData ensures name is within buffer
- SIZE_T cbNameOffset = pbName - pbBuffer;
- _ASSERTE(FitsIn<DWORD>(cbNameOffset));
- DWORD dwLength = static_cast<DWORD>(cbNameOffset + cbName);
- pbBuffer += dwLength;
- cbBuffer -= dwLength;
-
- // Buffer the name of the property and null terminate it.
- DWORD allocLen = cbName + 1;
- LPSTR szName = (LPSTR)_alloca(allocLen);
- memcpy(szName, pbName, cbName);
- szName[cbName] = '\0';
-
- if(strcmp(szName, "File") != 0)
- return S_OK;
- if(*pbBuffer == 0xFF) // special case that represents NULL string
- return S_OK;
-
- IfFailRet(CPackedLen::SafeGetData(pbBuffer, pbBufferEnd, &cbName, &pbName));
- PREFIX_ASSUME(pbName != NULL);
-
- // SafeGetData ensures name is within buffer
- cbNameOffset = pbName - pbBuffer;
- _ASSERTE(FitsIn<DWORD>(cbNameOffset));
- dwLength = static_cast<DWORD>(cbNameOffset + cbName);
- _ASSERTE(cbBuffer >= dwLength);
-
- // Open the file
- MAKE_WIDEPTR_FROMUTF8N(wszFileName, (LPCSTR)pbName, cbName);
- HandleHolder hFile(WszCreateFile (wszFileName,
- GENERIC_READ,
- FILE_SHARE_READ,
- NULL,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN,
- NULL));
- if (hFile == INVALID_HANDLE_VALUE)
- return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
- DWORD dwFileLen = SafeGetFileSize(hFile, 0);
- if (dwFileLen == 0xFFFFFFFF)
- return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
-
- // Read the file
- BYTE* pFileBuffer = new (nothrow) BYTE[(dwFileLen + 4) * sizeof(BYTE)];
- if(!pFileBuffer)
- return E_OUTOFMEMORY;
- DWORD dwBytesRead;
- if ((SetFilePointer(hFile, 0, NULL, FILE_BEGIN) == 0xFFFFFFFF) ||
- (!ReadFile(hFile, pFileBuffer, dwFileLen, &dwBytesRead, NULL)))
- {
- delete [] pFileBuffer;
- return E_FAIL;
- }
- if(dwBytesRead < dwFileLen)
- {
- delete [] pFileBuffer;
- return E_FAIL;
- }
-
- // Make the new attribute blob
- BYTE* pNewAttrBuffer = new (nothrow) BYTE[(dwFileLen + 10) * 2 * sizeof(BYTE)];
- if(!pNewAttrBuffer)
- return E_OUTOFMEMORY;
- BYTE* pCurBuf = pNewAttrBuffer;
- *pCurBuf = (BYTE)SERIALIZATION_TYPE_PROPERTY;
- pCurBuf++;
- *pCurBuf = (BYTE)SERIALIZATION_TYPE_STRING;
- pCurBuf++;
- pCurBuf = (BYTE*)CPackedLen::PutLength(pCurBuf, 3);
- memcpy(pCurBuf, "Hex", 3);
- pCurBuf += 3;
- pCurBuf = (BYTE*)CPackedLen::PutLength(pCurBuf, dwFileLen * 2);
- DWORD n;
- BYTE b;
- for(n = 0; n < dwFileLen; n++)
- {
- b = (pFileBuffer[n] >> 4) & 0xf;
- *pCurBuf = (b < 10 ? '0' + b : 'a' + b - 10);
- pCurBuf++;
- b = pFileBuffer[n] & 0xf;
- *pCurBuf = (b < 10 ? '0' + b : 'a' + b - 10);
- pCurBuf++;
- }
- delete [] pFileBuffer;
-
- // We shouldn't have a serialized permission set that can be this large, but to be safe we'll ensure
- // that we fit in the output DWORD size.
- SIZE_T cbNewAttrSize = pCurBuf - pNewAttrBuffer;
-
- // Set the new values
- delete(pPerm->pbValues);
- pPerm->pbValues = pNewAttrBuffer;
- pPerm->cbValues = cbNewAttrSize;
- return S_OK;
-}
-
-// if tkAssemblyRef is NULL, this assumes the type is in this assembly
-// uszClassName should be a UTF8 string including both namespace and class
-HRESULT GetFullyQualifiedTypeName(SString* pString, mdAssemblyRef tkAssemblyRef, __in_z CHAR* uszClassName, IMetaDataAssemblyImport *pImport, mdToken tkCtor)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- // Add class name
- MAKE_WIDEPTR_FROMUTF8(wszClassName, uszClassName);
- (*pString) += (LPCWSTR) wszClassName;
- if(IsNilToken(tkAssemblyRef))
- tkAssemblyRef = TokenFromRid(1, mdtAssembly);
-
- // Add a comma separator
- (*pString) += W(", ");
-
- DWORD dwDisplayFlags = ASM_DISPLAYF_VERSION | ASM_DISPLAYF_PUBLIC_KEY_TOKEN | ASM_DISPLAYF_CULTURE;
- HRESULT hr;
- AssemblySpec spec;
- StackSString name;
-
- IfFailRet(spec.Init((mdToken)tkAssemblyRef,pImport));
- spec.GetFileOrDisplayName(dwDisplayFlags,name);
- _ASSERTE(!name.IsEmpty() && "the assembly name should not be empty here");
-
- (*pString) += name;
- return S_OK;
-}
-
-HRESULT SecurityAttributes::SerializeAttribute(CORSEC_ATTRIBUTE* pAttr, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport)
-{
- // pBuffer can be NULL if the caller is only trying to determine the size of the serialized blob. In that case, let's make a little temp buffer to facilitate CPackedLen::PutLength
- SIZE_T cbPos = *pCount;
- BYTE* pTempBuf = pBuffer;
- SIZE_T const* pTempPos = &cbPos;
- BYTE tempBuf[8];
- const SIZE_T zero = 0;
- if(!pTempBuf)
- {
- pTempBuf = tempBuf;
- pTempPos = &zero;
- }
- BYTE* pOldPos;
-
- // Get the fully qualified type name
- SString sType;
- HRESULT hr = GetFullyQualifiedTypeName(&sType, pAttr->tkAssemblyRef, pAttr->pName, pImport, pAttr->tkCtor);
- if(FAILED(hr))
- return hr;
-
- // Convert assembly name to UTF8.
- const WCHAR* wszTypeName = sType.GetUnicode();
- MAKE_UTF8PTR_FROMWIDE(uszTypeName, wszTypeName);
- DWORD dwUTF8TypeNameLen = (DWORD)strlen(uszTypeName);
-
- // Serialize the type name length
- pOldPos = &pTempBuf[*pTempPos];
- cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], dwUTF8TypeNameLen) - pOldPos;
-
- // Serialize the type name
- if(pBuffer)
- memcpy(&pBuffer[cbPos], uszTypeName, dwUTF8TypeNameLen);
- cbPos += dwUTF8TypeNameLen;
-
- // Serialize the size of the properties blob
- BYTE temp[32];
- SIZE_T cbSizeOfCompressedPropertiesCount = (BYTE*)CPackedLen::PutLength(temp, pAttr->wValues) - temp;
- pOldPos = &pTempBuf[*pTempPos];
-
- _ASSERTE(FitsIn<ULONG>(pAttr->cbValues + cbSizeOfCompressedPropertiesCount));
- ULONG propertiesLength = static_cast<ULONG>(pAttr->cbValues + cbSizeOfCompressedPropertiesCount);
- cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], propertiesLength) - pOldPos;
-
- // Serialize the count of properties
- pOldPos = &pTempBuf[*pTempPos];
- cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], pAttr->wValues) - pOldPos;
-
- // Serialize the properties blob
- if(pBuffer)
- memcpy(&pBuffer[cbPos], pAttr->pbValues, pAttr->cbValues);
- cbPos += pAttr->cbValues;
-
- *pCount = cbPos;
- return hr;
-}
-
-HRESULT SecurityAttributes::DeserializeAttribute(CORSEC_ATTRIBUTE *pAttr, BYTE* pBuffer, ULONG cbBuffer, SIZE_T* pPos)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- HRESULT hr;
-
- // Deserialize the size of the type name
- BYTE* pClassName;
- ULONG dwClassNameSize;
- BYTE* pBufferEnd = pBuffer + cbBuffer;
- IfFailRet(CPackedLen::SafeGetData((BYTE const *)&pBuffer[*pPos],
- (BYTE const *)pBufferEnd,
- &dwClassNameSize,
- (BYTE const **)&pClassName));
- (*pPos) += pClassName - &pBuffer[*pPos];
-
- // Deserialize the type name
- (*pPos) += dwClassNameSize;
- pAttr->pName = new (nothrow) CHAR[dwClassNameSize + 1];
- if(!pAttr->pName)
- return E_OUTOFMEMORY;
- memcpy(pAttr->pName, pClassName, dwClassNameSize);
- pAttr->pName[dwClassNameSize] = '\0';
-
- // Deserialize the CA blob size
- BYTE* pCABlob;
- ULONG cbCABlob;
- IfFailRet(CPackedLen::SafeGetData((BYTE const *)&pBuffer[*pPos],
- (BYTE const *)pBufferEnd,
- &cbCABlob,
- (BYTE const **)&pCABlob));
-
- (*pPos) += pCABlob - &pBuffer[*pPos];
-
- // Deserialize the CA blob value count
- BYTE* pCABlobValues;
- ULONG cCABlobValues;
- IfFailRet(CPackedLen::SafeGetLength((BYTE const *)&pBuffer[*pPos],
- (BYTE const *)pBufferEnd,
- &cCABlobValues,
- (BYTE const **)&pCABlobValues));
-
- (*pPos) += pCABlobValues - &pBuffer[*pPos];
- if (!FitsIn<WORD>(cCABlobValues))
- return COR_E_OVERFLOW;
- pAttr->wValues = static_cast<WORD>(cCABlobValues);
-
- // We know that pCABlobValues - pCABlob will be a positive result.
- if (cbCABlob < (ULONG)(pCABlobValues - pCABlob))
- return COR_E_OVERFLOW;
-
- pAttr->cbValues = cbCABlob - (pCABlobValues - pCABlob);
-
- // Deserialize the CA blob
- pAttr->pbValues = new (nothrow) BYTE[pAttr->cbValues];
- if(!pAttr->pbValues)
- return E_OUTOFMEMORY;
- memcpy(pAttr->pbValues, pCABlobValues, pAttr->cbValues);
-
- (*pPos) += pAttr->cbValues;
-
- return S_OK;
-}
-
-HRESULT AttributeSetToBlob(CORSEC_ATTRSET* pAttrSet, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport, DWORD dwAction)
-{
- STANDARD_VM_CONTRACT;
-
- // pBuffer can be NULL if the caller is only trying to determine the size of the serialized blob. In that case, let's make a little temp buffer to facilitate CPackedLen::PutLength
- SIZE_T cbPos = 0;
- BYTE* pTempBuf = pBuffer;
- SIZE_T const *pTempPos = &cbPos;
- BYTE tempBuf[8];
- const SIZE_T zero = 0;
- if(!pTempBuf)
- {
- pTempBuf = tempBuf;
- pTempPos = &zero;
- }
- BYTE* pOldPos;
- HRESULT hr = S_OK;
-
- // Serialize a LAZY_DECL_SEC_FLAG to identify the blob format (as opposed to '<' which would indicate the older XML format)
- if(pBuffer)
- pBuffer[cbPos] = LAZY_DECL_SEC_FLAG;
- cbPos++;
-
- // Serialize the attribute count
- pOldPos = &pTempBuf[*pTempPos];
- cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], pAttrSet->dwAttrCount) - pOldPos;
-
- // Serialize the attributes
- DWORD i;
- for(i = 0; i < pAttrSet->dwAttrCount; i++)
- {
- // Get the attribute
- CORSEC_ATTRIBUTE *pAttr = &pAttrSet->pAttrs[i];
-
- // Perform any necessary fix-ups on it
- if(pAttr->wValues == 1 && strcmp(pAttr->pName, "System.Security.Permissions.PermissionSetAttribute") == 0)
- IfFailGo(SecurityAttributes::FixUpPermissionSetAttribute(pAttr));
- else if((dwAction == dclLinktimeCheck ||
- dwAction == dclInheritanceCheck) &&
- strcmp(pAttr->pName, "System.Security.Permissions.PrincipalPermissionAttribute") == 0)
- {
- VMPostError(CORSECATTR_E_BAD_NONCAS);
- return CORSECATTR_E_BAD_NONCAS;
- }
-
- // Serialize it
- SIZE_T dwAttrSize = 0;
- IfFailGo(SecurityAttributes::SerializeAttribute(pAttr, pBuffer ? pBuffer + cbPos : NULL, &dwAttrSize, pImport));
- cbPos += dwAttrSize;
- }
- if(pCount != NULL)
- *pCount = cbPos;
-
-ErrExit:
- if (FAILED(hr))
- VMPostError(CORSECATTR_E_FAILED_TO_CREATE_PERM); // Allows for the correct message to be printed by the compiler
-
- return hr;
-}
-
-HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- HRESULT hr = S_OK;
- SIZE_T cbPos = 0;
- BYTE* pBufferEnd = pBuffer + cbBuffer;
- memset(pAttrSet, '\0', sizeof(CORSEC_ATTRSET));
- if (dwAction >= dclDemand && dwAction <= dclRequestRefuse)
- pAttrSet->dwAction = dwAction; // Already lies in the publicly visible range ( values that managed enum SecurityAction can take)
- else
- {
- // Map the action to a publicly visible value
- if (dwAction == dclNonCasDemand)
- pAttrSet->dwAction = dclDemand;
- else if (dwAction == dclNonCasInheritance)
- pAttrSet->dwAction = dclInheritanceCheck;
- else if (dwAction == dclNonCasLinkDemand)
- pAttrSet->dwAction = dclLinktimeCheck;
- else
- {
- // We have an unexpected security action here. It would be nice to fail, but for compatibility we need to simply
- // reset the action to Nil.
- pAttrSet->dwAction = dclActionNil;
- }
- }
-
- // Deserialize the LAZY_DECL_SEC_FLAG to identify serialization of CORSEC_ATTRSET (as opposed to '<' which would indicate a serialized permission as Xml)
- BYTE firstChar = pBuffer[cbPos];
- cbPos++;
- if(firstChar != LAZY_DECL_SEC_FLAG)
- return S_FALSE;
-
- // Deserialize the attribute count
- BYTE* pBufferNext;
- IfFailRet(CPackedLen::SafeGetLength((BYTE const *)&pBuffer[cbPos],
- (BYTE const *)pBufferEnd,
- &pAttrSet->dwAttrCount,
- (BYTE const **)&pBufferNext));
-
- cbPos += pBufferNext - &pBuffer[cbPos];
- if(pAttrSet->dwAttrCount > 0)
- {
- pAttrSet->pAttrs = new (nothrow) CORSEC_ATTRIBUTE[pAttrSet->dwAttrCount];
- if(!pAttrSet->pAttrs)
- return E_OUTOFMEMORY;
- pAttrSet->dwAllocated = pAttrSet->dwAttrCount;
- }
-
- // Deserialize the attributes
- DWORD i;
- for(i = 0; i < pAttrSet->dwAttrCount; i++)
- {
- CORSEC_ATTRIBUTE *pAttr = &pAttrSet->pAttrs[i];
- hr = SecurityAttributes::DeserializeAttribute(pAttr, pBuffer, cbBuffer, &cbPos);
- if(FAILED(hr))
- return hr;
- }
-
- return S_OK;
-}
-
-// This function takes an array of COR_SECATTR (which wrap custom security attribute blobs) and
-// converts it to an array of CORSEC_ATTRSET (which contains partially-parsed custom security attribute
-// blobs grouped by SecurityAction). Note that you must delete all the pPermissions that this allocates
-// for each COR_SECATTR
-HRESULT STDMETHODCALLTYPE GroupSecurityAttributesByAction(
- CORSEC_ATTRSET /*OUT*/rPermSets[],
- COR_SECATTR rSecAttrs[],
- ULONG cSecAttrs,
- mdToken tkObj,
- ULONG *pulErrorAttr,
- CMiniMdRW* pMiniMd,
- IMDInternalImport* pInternalImport)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- HRESULT hr = S_OK;
- DWORD i, j, k;
- DWORD dwAction;
- BYTE* pData = NULL;
- CORSEC_ATTRIBUTE* pPerm;
- mdTypeDef tkParent;
- TypeDefRec* pTypeDefRec;
- MemberRefRec* pMemberRefRec;
- TypeRefRec* pTypeRefRec;
- SIZE_T cbAllocationSize;
-
- // If you are calling this at compile-time, you should pass in pMiniMd, and pInternalImport should be NULL
- // If you are calling this at run-time, you should pass in pInternalImport, and pMiniMd should be NULL
- _ASSERTE((pMiniMd && !pInternalImport) || (!pMiniMd && pInternalImport));
-
- // Calculate number and sizes of permission sets to produce. This depends on
- // the security action code encoded as the single parameter to the
- // constructor for each security custom attribute.
- for (i = 0; i < cSecAttrs; i++)
- {
- if (pulErrorAttr)
- *pulErrorAttr = i;
-
- // Perform basic validation of the header of each security custom
- // attribute constructor call.
- pData = (BYTE*)rSecAttrs[i].pCustomAttribute;
-
- // Check minimum length.
- if (rSecAttrs[i].cbCustomAttribute < (sizeof(WORD) + sizeof(DWORD) + sizeof(WORD)))
- {
- VMPostError(CORSECATTR_E_TRUNCATED);
- IfFailGo(CORSECATTR_E_TRUNCATED);
- }
-
- // Check version.
- if (GET_UNALIGNED_VAL16(pData) != 1)
- {
- VMPostError(CORSECATTR_E_BAD_VERSION);
- IfFailGo(CORSECATTR_E_BAD_VERSION);
- }
- pData += sizeof(WORD);
-
- // Extract and check security action.
- if(pData[2] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action
- dwAction = dclLinktimeCheck;
- else
- dwAction = GET_UNALIGNED_VAL32(pData);
- if (dwAction == dclActionNil || dwAction > dclMaximumValue)
- {
- VMPostError(CORSECATTR_E_BAD_ACTION);
- IfFailGo(CORSECATTR_E_BAD_ACTION);
- }
-
- // All other declarative security only valid on types and methods.
- if (TypeFromToken(tkObj) == mdtAssembly)
- {
- // Assemblies can only take permission requests.
- if (dwAction != dclRequestMinimum &&
- dwAction != dclRequestOptional &&
- dwAction != dclRequestRefuse)
- {
- VMPostError(CORSECATTR_E_BAD_ACTION_ASM);
- IfFailGo(CORSECATTR_E_BAD_ACTION_ASM);
- }
- }
- else if (TypeFromToken(tkObj) == mdtTypeDef || TypeFromToken(tkObj) == mdtMethodDef)
- {
- // Types and methods can only take declarative security.
- if (dwAction != dclRequest &&
- dwAction != dclDemand &&
- dwAction != dclAssert &&
- dwAction != dclDeny &&
- dwAction != dclPermitOnly &&
- dwAction != dclLinktimeCheck &&
- dwAction != dclInheritanceCheck)
- {
- VMPostError(CORSECATTR_E_BAD_ACTION_OTHER);
- IfFailGo(CORSECATTR_E_BAD_ACTION_OTHER);
- }
- }
- else
- {
- // Permission sets can't be attached to anything else.
- VMPostError(CORSECATTR_E_BAD_PARENT);
- IfFailGo(CORSECATTR_E_BAD_PARENT);
- }
-
- rPermSets[dwAction].dwAttrCount++;
- }
-
- // Initialize the descriptor for each type of permission set we are going to
- // produce.
- for (i = 0; i <= dclMaximumValue; i++)
- {
- if (rPermSets[i].dwAttrCount == 0)
- continue;
-
- rPermSets[i].tkObj = tkObj;
- rPermSets[i].dwAction = i;
- rPermSets[i].pImport = NULL;
- rPermSets[i].pAppDomain = NULL;
- rPermSets[i].pAttrs = new (nothrow) CORSEC_ATTRIBUTE[rPermSets[i].dwAttrCount];
- IfNullGo(rPermSets[i].pAttrs);
-
- // Initialize a descriptor for each permission within the permission set.
- for (j = 0, k = 0; j < rPermSets[i].dwAttrCount; j++, k++)
- {
- // Locate the next security attribute that contributes to this
- // permission set.
- for (; k < cSecAttrs; k++)
- {
- pData = (BYTE*)rSecAttrs[k].pCustomAttribute;
- if(pData[4] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action
- dwAction = dclLinktimeCheck;
- else
- dwAction = GET_UNALIGNED_VAL32(pData + sizeof(WORD));
- if (dwAction == i)
- break;
- }
- _ASSERTE(k < cSecAttrs);
-
- if (pulErrorAttr)
- *pulErrorAttr = k;
-
- // Initialize the permission.
- pPerm = &rPermSets[i].pAttrs[j];
- pPerm->tkCtor = rSecAttrs[k].tkCtor;
- pPerm->dwIndex = k;
- if(pData[4] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action
- {
- _ASSERTE(!pPerm->pbValues);
- //pPerm->pbValues = pData + (sizeof (WORD) + sizeof(WORD));
- if (!ClrSafeInt<SIZE_T>::subtraction(rSecAttrs[k].cbCustomAttribute, (sizeof (WORD) + sizeof(WORD)), pPerm->cbValues))
- return COR_E_OVERFLOW;
- pPerm->wValues = GET_UNALIGNED_VAL16(pData + sizeof (WORD));
- // Prefast overflow sanity check the addition.
- if (!ClrSafeInt<SIZE_T>::addition(pPerm->cbValues, sizeof(WORD), cbAllocationSize))
- return COR_E_OVERFLOW;
- pPerm->pbValues = new (nothrow) BYTE[cbAllocationSize];
- if(!pPerm->pbValues)
- return E_OUTOFMEMORY;
- memcpy(pPerm->pbValues, pData + (sizeof (WORD) + sizeof(WORD)), pPerm->cbValues);
- }
- else
- {
- _ASSERTE(!pPerm->pbValues);
- //pPerm->pbValues = pData + (sizeof (WORD) + sizeof(DWORD) + sizeof(WORD));
- if (!ClrSafeInt<SIZE_T>::subtraction(rSecAttrs[k].cbCustomAttribute, (sizeof (WORD) + sizeof (DWORD) + sizeof(WORD)), pPerm->cbValues))
- return COR_E_OVERFLOW;
- pPerm->wValues = GET_UNALIGNED_VAL16(pData + sizeof (WORD) + sizeof(DWORD));
- // Prefast overflow sanity check the addition.
- if (!ClrSafeInt<SIZE_T>::addition(pPerm->cbValues, sizeof(WORD), cbAllocationSize))
- return COR_E_OVERFLOW;
- pPerm->pbValues = new (nothrow) BYTE[cbAllocationSize];
- if(!pPerm->pbValues)
- return E_OUTOFMEMORY;
- memcpy(pPerm->pbValues, pData + (sizeof (WORD) + sizeof(DWORD) + sizeof(WORD)), pPerm->cbValues);
- }
-
- CQuickBytes qbFullName;
- CHAR* szFullName = NULL;
-
- LPCSTR szTypeName;
- LPCSTR szTypeNamespace;
-
- // Follow the security custom attribute constructor back up to its
- // defining assembly (so we know how to load its definition). If the
- // token resolution scope is not defined, it's assumed to be
- // mscorlib.
- if (TypeFromToken(rSecAttrs[k].tkCtor) == mdtMethodDef)
- {
- if (pMiniMd != NULL)
- {
- // scratch buffer for full type name
- szFullName = (CHAR*) qbFullName.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR));
- if(szFullName == NULL)
- return E_OUTOFMEMORY;
-
- // grab the type that contains the security attribute constructor
- IfFailGo(pMiniMd->FindParentOfMethodHelper(rSecAttrs[k].tkCtor, &tkParent));
-
- // scratch buffer for nested type names
- CQuickBytes qbBuffer;
- CHAR* szBuffer;
-
- CHAR* szName = NULL;
- BOOL fFirstLoop = TRUE;
- pTypeDefRec = NULL;
- do
- {
- // get outer type name
- IfFailGo(pMiniMd->GetTypeDefRecord(RidFromToken(tkParent), &pTypeDefRec));
- IfFailGo(pMiniMd->getNameOfTypeDef(pTypeDefRec, (LPCSTR *)&szName));
-
- // If this is the first time through the loop, just assign values, otherwise build nested type name.
- if (!fFirstLoop)
- {
- szBuffer = (CHAR*) qbBuffer.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR));
- if(szBuffer == NULL)
- return E_OUTOFMEMORY;
-
- ns::MakeNestedTypeName(szBuffer, (MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR), szName, szFullName);
- szName = szBuffer;
- }
- else
- {
- fFirstLoop = FALSE;
- }
-
- // copy into buffer
- size_t localLen = strlen(szName) + 1;
- strcpy_s(szFullName, localLen, szName);
-
- // move to next parent
- DWORD dwFlags = pMiniMd->getFlagsOfTypeDef(pTypeDefRec);
- if (IsTdNested(dwFlags))
- {
- RID ridNestedRec;
- IfFailGo(pMiniMd->FindNestedClassHelper(tkParent, &ridNestedRec));
- _ASSERTE(!InvalidRid(ridNestedRec));
- NestedClassRec *pNestedRec;
- IfFailGo(pMiniMd->GetNestedClassRecord(ridNestedRec, &pNestedRec));
- tkParent = pMiniMd->getEnclosingClassOfNestedClass(pNestedRec);
- }
- else
- {
- tkParent = NULL;
- }
- } while (tkParent != NULL);
-
- IfFailGo(pMiniMd->getNamespaceOfTypeDef(pTypeDefRec, &szTypeNamespace));
- szTypeName = szFullName;
- }
- else
- {
- IfFailGo(pInternalImport->GetParentToken(rSecAttrs[k].tkCtor, &tkParent));
- IfFailGo(pInternalImport->GetNameOfTypeDef(tkParent, &szTypeName, &szTypeNamespace));
- }
- pPerm->tkTypeRef = mdTokenNil;
- pPerm->tkAssemblyRef = mdTokenNil;
- }
- else
- {
- _ASSERTE(TypeFromToken(rSecAttrs[k].tkCtor) == mdtMemberRef);
-
- // Get the type ref
- if (pMiniMd != NULL)
- {
- IfFailGo(pMiniMd->GetMemberRefRecord(RidFromToken(rSecAttrs[k].tkCtor), &pMemberRefRec));
- pPerm->tkTypeRef = pMiniMd->getClassOfMemberRef(pMemberRefRec);
- }
- else
- {
- IfFailGo(pInternalImport->GetParentOfMemberRef(rSecAttrs[k].tkCtor, &pPerm->tkTypeRef));
- }
-
- _ASSERTE(TypeFromToken(pPerm->tkTypeRef) == mdtTypeRef);
-
- // Get an assembly ref
- pPerm->tkAssemblyRef = pPerm->tkTypeRef;
- pTypeRefRec = NULL;
- do
- {
- if (pMiniMd != NULL)
- {
- IfFailGo(pMiniMd->GetTypeRefRecord(RidFromToken(pPerm->tkAssemblyRef), &pTypeRefRec));
- pPerm->tkAssemblyRef = pMiniMd->getResolutionScopeOfTypeRef(pTypeRefRec);
- }
- else
- {
- IfFailGo(pInternalImport->GetResolutionScopeOfTypeRef(pPerm->tkAssemblyRef, &pPerm->tkAssemblyRef));
- }
- // loop because nested types have a resolution scope of the parent type rather than an assembly
- } while(TypeFromToken(pPerm->tkAssemblyRef) == mdtTypeRef);
-
- // Figure out the fully qualified type name
- if (pMiniMd != NULL)
- {
- IfFailGo(pMiniMd->getNamespaceOfTypeRef(pTypeRefRec, &szTypeNamespace));
- IfFailGo(pMiniMd->getNameOfTypeRef(pTypeRefRec, &szTypeName));
- }
- else
- {
- IfFailGo(pInternalImport->GetNameOfTypeRef(pPerm->tkTypeRef, &szTypeNamespace, &szTypeName));
- }
- }
-
- CQuickBytes qb;
- CHAR* szTmp = (CHAR*) qb.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR));
- if(szTmp == NULL)
- return E_OUTOFMEMORY;
-
- ns::MakePath(szTmp, MAX_CLASSNAME_LENGTH, szTypeNamespace, szTypeName);
-
- size_t len = strlen(szTmp) + 1;
- pPerm->pName = new (nothrow) CHAR[len];
- if(!pPerm->pName)
- return E_OUTOFMEMORY;
- strcpy_s(pPerm->pName, len, szTmp);
- }
- }
-
-ErrExit:
- return hr;
-}
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYATTRIBUTES_H__
-#define __SECURITYATTRIBUTES_H__
-
-#include "vars.hpp"
-#include "eehash.h"
-#include "corperm.h"
-
-class SecurityDescriptor;
-class AssemblySecurityDescriptor;
-class SecurityStackWalk;
-class COMCustomAttribute;
-class PsetCacheEntry;
-struct TokenDeclActionInfo;
-
-extern HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction);
-
-namespace SecurityAttributes
-{
- // Retrieves a previously loaded PermissionSet
- // object index (this will work even if the permission set was loaded in
- // a different appdomain).
- OBJECTREF GetPermissionSet(DWORD dwIndex, DWORD dwAction);
-
- // Locate the index of a permission set in the cache (returns false if the
- // permission set has not yet been seen and decoded).
- BOOL LookupPermissionSet(IN PBYTE pbPset,
- IN DWORD cbPset,
- OUT DWORD *pdwSetIndex);
-
- // Creates a new permission set
- OBJECTREF CreatePermissionSet(BOOL fTrusted);
-
-
- // Uses new to create the byte array that is returned.
- void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray,
- OUT PBYTE* pbData,
- OUT DWORD* cbData);
-
-
- // Generic routine, use with encoding calls that
- // use the EncodePermission client data
- // Uses new to create the byte array that is returned.
- void CopyEncodingToByteArray(IN PBYTE pbData,
- IN DWORD cbData,
- IN OBJECTREF* pArray);
-
- BOOL RestrictiveRequestsInAssembly(IMDInternalImport* pImport);
-
- // Returns the declared PermissionSet or PermissionSetCollection for the
- // specified action type.
- HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport,
- IN mdToken token, // token for method, class, or assembly
- IN CorDeclSecurity action, // SecurityAction
- OUT OBJECTREF *pDeclaredPermissions, // The returned PermissionSet for that SecurityAction
- OUT PsetCacheEntry **pPSCacheEntry = NULL); // The cache entry for the PermissionSet blob.
-
-
- HRESULT TranslateSecurityAttributesHelper(
- CORSEC_ATTRSET *pAttrSet,
- BYTE **ppbOutput,
- DWORD *pcbOutput,
- BYTE **ppbNonCasOutput,
- DWORD *pcbNonCasOutput,
- DWORD *pdwErrorIndex);
-
- HRESULT FixUpPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm);
- HRESULT SerializeAttribute(CORSEC_ATTRIBUTE* pAttr, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport);
- HRESULT DeserializeAttribute(CORSEC_ATTRIBUTE *pAttr, BYTE* pBuffer, ULONG cbBuffer, SIZE_T* pPos);
-
- inline bool ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
-
- inline bool ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet, bool* pHostProtectionOnly);
-
- void CreateAndCachePermissions(IN PBYTE pbPerm,
- IN ULONG cbPerm,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPSCacheEntry);
-
- HRESULT GetPermissionsFromMetaData(IN IMDInternalImport *pInternalImport,
- IN mdToken token,
- IN CorDeclSecurity action,
- OUT PBYTE* ppbPerm,
- OUT ULONG* pcbPerm);
-
- bool IsUnrestrictedPermissionSetAttribute(CORSEC_ATTRIBUTE* pAttr);
- bool IsBuiltInCASPermissionAttribute(CORSEC_ATTRIBUTE* pAttr);
- bool IsHostProtectionAttribute(CORSEC_ATTRIBUTE* pAttr);
-
- void LoadPermissionRequestsFromAssembly(IN IMDInternalImport *pImport,
- OUT OBJECTREF* pReqdPermissions,
- OUT OBJECTREF* pOptPermissions,
- OUT OBJECTREF* pDenyPermissions);
-
- // Insert a decoded permission set into the cache. Duplicates are discarded.
- void InsertPermissionSet(IN PBYTE pbPset,
- IN DWORD cbPset,
- IN OBJECTREF orPset,
- OUT DWORD *pdwSetIndex);
-
- Assembly* LoadAssemblyFromToken(IMetaDataAssemblyImport *pImport, mdAssemblyRef tkAssemblyRef);
- Assembly* LoadAssemblyFromNameString(__in_z WCHAR* pAssemblyName);
- HRESULT AttributeSetToManaged(OBJECTREF* /*OUT*/obj, CORSEC_ATTRSET* pAttrSet, OBJECTREF* pThrowable, DWORD* pdwErrorIndex, bool bLazy);
- HRESULT SetAttrFieldsAndProperties(CORSEC_ATTRIBUTE *pAttr, OBJECTREF* pThrowable, MethodTable* pMT, OBJECTREF* pObj);
- HRESULT SetAttrField(BYTE** ppbBuffer, SIZE_T* pcbBuffer, DWORD dwType, TypeHandle hEnum, MethodTable* pMT, __in_z LPSTR szName, OBJECTREF* pObj, DWORD dwLength, BYTE* pbName, DWORD cbName, CorElementType eEnumType);
- HRESULT SetAttrProperty(BYTE** ppbBuffer, SIZE_T* pcbBuffer, MethodTable* pMT, DWORD dwType, __in_z LPSTR szName, OBJECTREF* pObj, DWORD dwLength, BYTE* pbName, DWORD cbName, CorElementType eEnumType);
- void AttrArrayToPermissionSet(OBJECTREF* attrArray, bool fSerialize, DWORD attrCount, BYTE **ppbOutput, DWORD *pcbOutput, BYTE **ppbNonCasOutput, DWORD *pcbNonCasOutput, bool fAllowEmptyPermissionSet, OBJECTREF* pPermSet);
- void AttrSetBlobToPermissionSets(IN BYTE* pbRawPermissions, IN DWORD cbRawPermissions, OUT OBJECTREF* pObj, IN DWORD dwAction);
-
-
-
- bool ActionAllowsNullPermissionSet(CorDeclSecurity action);
-}
-
-#define LAZY_DECL_SEC_FLAG '.'
-
-#endif // __SECURITYATTRIBUTES_H__
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYATTRIBUTES_INL__
-#define __SECURITYATTRIBUTES_INL__
-
-#include "securityattributes.h"
-
-
-inline bool SecurityAttributes::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet)
-{
- bool hostProtectiononly;
- return ContainsBuiltinCASPermsOnly(pAttrSet, &hostProtectiononly);
-}
-
-
-inline bool SecurityAttributes::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet, bool* pHostProtectionOnly)
-{
- DWORD n;
- *pHostProtectionOnly = true; // Assume that it's all HostProtection only
- for(n = 0; n < pAttrSet->dwAttrCount; n++)
- {
- CORSEC_ATTRIBUTE* pAttr = &pAttrSet->pAttrs[n];
- if(!IsBuiltInCASPermissionAttribute(pAttr))
- {
- *pHostProtectionOnly = false;
- return false;
- }
- if (*pHostProtectionOnly && !IsHostProtectionAttribute(pAttr))
- {
- *pHostProtectionOnly = false;
- }
- }
-
- return true;
-}
-
-#endif // __SECURITYATTRIBUTES_INL__
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-
-#include "security.h"
-#include "securitydeclarative.inl"
-#include "eventtrace.h"
-
-
-
-//-----------------------------------------------------------------------------
-//
-//
-// CODE FOR MAKING THE SECURITY STUB AT JIT-TIME
-//
-//
-//-----------------------------------------------------------------------------
-
-
-enum DeclSecMergeMethod
-{
- DS_METHOD_OVERRIDE,
- DS_CLASS_OVERRIDE,
- DS_UNION,
- DS_INTERSECT,
- DS_APPLY_METHOD_THEN_CLASS, // not supported with stack modifier actions
- DS_APPLY_CLASS_THEN_METHOD, // not supported with stack modifier actions
- DS_NOT_APPLICABLE, // action not supported on both method and class
-};
-
-// (Note: The values that are DS_NOT_APPLICABLE are not hooked up to
-// this table, so changing one of those values will have no effect)
-const DeclSecMergeMethod g_DeclSecClassAndMethodMergeTable[] =
-{
- DS_NOT_APPLICABLE, // dclActionNil = 0
- DS_NOT_APPLICABLE, // dclRequest = 1
- DS_UNION, // dclDemand = 2
- DS_METHOD_OVERRIDE, // dclAssert = 3
- DS_UNION, // dclDeny = 4
- DS_INTERSECT, // dclPermitOnly = 5
- DS_NOT_APPLICABLE, // dclLinktimeCheck = 6
- DS_NOT_APPLICABLE, // dclInheritanceCheck = 7
- DS_NOT_APPLICABLE, // dclRequestMinimum = 8
- DS_NOT_APPLICABLE, // dclRequestOptional = 9
- DS_NOT_APPLICABLE, // dclRequestRefuse = 10
- DS_NOT_APPLICABLE, // dclPrejitGrant = 11
- DS_NOT_APPLICABLE, // dclPrejitDenied = 12
- DS_UNION, // dclNonCasDemand = 13
- DS_NOT_APPLICABLE, // dclNonCasLinkDemand = 14
- DS_NOT_APPLICABLE, // dclNonCasInheritance = 15
-};
-
-// This table specifies the order in which runtime declarative actions will be performed
-// (Note that for stack-modifying actions, this means the order in which they are applied to the
-// frame descriptor, not the order in which they are evaluated when a demand is performed.
-// That order is determined by the code in System.Security.FrameSecurityDescriptor.)
-const CorDeclSecurity g_RuntimeDeclSecOrderTable[] =
-{
- dclPermitOnly, // 5
- dclDeny, // 4
- dclAssert, // 3
- dclDemand, // 2
- dclNonCasDemand, // 13
-};
-
-#define DECLSEC_RUNTIME_ACTION_COUNT (sizeof(g_RuntimeDeclSecOrderTable) / sizeof(CorDeclSecurity))
-
-
-TokenDeclActionInfo* TokenDeclActionInfo::Init(DWORD dwAction, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- AppDomain *pDomain = GetAppDomain();
-
- TokenDeclActionInfo *pTemp =
- static_cast<TokenDeclActionInfo*>((void*)pDomain->GetLowFrequencyHeap()
- ->AllocMem(S_SIZE_T(sizeof(TokenDeclActionInfo))));
-
- pTemp->dwDeclAction = dwAction;
- pTemp->pPCE = pPCE;
- pTemp->pNext = NULL;
-
- return pTemp;
-}
-
-void TokenDeclActionInfo::LinkNewDeclAction(TokenDeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- TokenDeclActionInfo *temp = Init(DclToFlag(action), pPCE);
- if (!(*ppActionList))
- *ppActionList = temp;
- else
- {
- temp->pNext = *ppActionList;
- *ppActionList = temp;
- }
-}
-
-DeclActionInfo *DeclActionInfo::Init(MethodDesc *pMD, DWORD dwAction, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- DeclActionInfo *pTemp = (DeclActionInfo *)(void*)pMD->GetDomainSpecificLoaderAllocator()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(DeclActionInfo)));
-
- pTemp->dwDeclAction = dwAction;
- pTemp->pPCE = pPCE;
- pTemp->pNext = NULL;
-
- return pTemp;
-}
-
-void LinkNewDeclAction(DeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE, MethodDesc *pMeth)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- DeclActionInfo *temp = DeclActionInfo::Init(pMeth, DclToFlag(action), pPCE);
- if (!(*ppActionList))
- *ppActionList = temp;
- else
- {
- // Add overrides to the end of the list, all others to the front
- if (IsDclActionAnyStackModifier(action))
- {
- DeclActionInfo *w = *ppActionList;
- while (w->pNext != NULL)
- w = w->pNext;
- w->pNext = temp;
- }
- else
- {
- temp->pNext = *ppActionList;
- *ppActionList = temp;
- }
- }
-}
-
-void SecurityDeclarative::AddDeclAction(CorDeclSecurity action, PsetCacheEntry *pClassPCE, PsetCacheEntry *pMethodPCE, DeclActionInfo** ppActionList, MethodDesc *pMeth)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- if(pClassPCE == NULL)
- {
- if(pMethodPCE == NULL)
- return;
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- return;
- }
- else if(pMethodPCE == NULL)
- {
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- return;
- }
-
- // Merge class and method declarations
- switch(g_DeclSecClassAndMethodMergeTable[action])
- {
- case DS_METHOD_OVERRIDE:
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- break;
-
- case DS_CLASS_OVERRIDE:
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- break;
-
- case DS_UNION:
- _ASSERTE(!"Declarative permission sets may not be unioned together in CoreCLR. Are you attempting to have a declarative demand or deny on both a method and its enclosing class?");
- break;
-
- case DS_INTERSECT:
- _ASSERTE(!"Declarative permission sets may not be intersected in CoreCLR. Are you attempting to have a declarative permit only on both a method and its enclosing class?");
- break;
-
- case DS_APPLY_METHOD_THEN_CLASS:
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth); // note: order reversed because LinkNewDeclAction inserts at beginning of list
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- break;
-
- case DS_APPLY_CLASS_THEN_METHOD:
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth); // note: order reversed because LinkNewDeclAction inserts at beginning of list
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- break;
-
- case DS_NOT_APPLICABLE:
- _ASSERTE(!"not a runtime action");
- break;
-
- default:
- _ASSERTE(!"unexpected merge type");
- break;
- }
-}
-
-
-// Here we see what declarative actions are needed everytime a method is called,
-// and create a list of these actions, which will be emitted as an argument to
-// DoDeclarativeSecurity
-DeclActionInfo* SecurityDeclarative::DetectDeclActions(MethodDesc *pMeth, DWORD dwDeclFlags)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- GCX_COOP();
-
- DeclActionInfo *pDeclActions = NULL;
-
- IMDInternalImport *pInternalImport = pMeth->GetMDImport();
-
- // Lets check the Ndirect/Interop cases first
- if (dwDeclFlags & DECLSEC_UNMNGD_ACCESS_DEMAND)
- {
- HRESULT hr = S_FALSE;
- if (pMeth->HasSuppressUnmanagedCodeAccessAttr())
- {
- dwDeclFlags &= ~DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
- else
- {
- MethodTable * pMT = pMeth->GetMethodTable();
- EEClass * pClass = pMT->GetClass();
-
- // If speculatively true then check the CA
-
- if (pClass->HasSuppressUnmanagedCodeAccessAttr())
- {
- hr = S_OK;
- if (hr != S_OK)
- {
- g_IBCLogger.LogEEClassCOWTableAccess(pMT);
- pClass->SetDoesNotHaveSuppressUnmanagedCodeAccessAttr();
- }
- }
- _ASSERTE(SUCCEEDED(hr));
- if (hr == S_OK)
- dwDeclFlags &= ~DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
- // Check if now there are no actions left
- if (dwDeclFlags == 0)
- return NULL;
-
- if (dwDeclFlags & DECLSEC_UNMNGD_ACCESS_DEMAND)
- {
- // A NDirect/Interop demand is required.
- DeclActionInfo *temp = DeclActionInfo::Init(pMeth, DECLSEC_UNMNGD_ACCESS_DEMAND, NULL);
- if (!pDeclActions)
- pDeclActions = temp;
- else
- {
- temp->pNext = pDeclActions;
- pDeclActions = temp;
- }
- }
- } // if DECLSEC_UNMNGD_ACCESS_DEMAND
-
- // Find class declarations
- PsetCacheEntry* classSetPermissions[dclMaximumValue + 1];
- DetectDeclActionsOnToken(pMeth->GetMethodTable()->GetCl(), dwDeclFlags, classSetPermissions, pInternalImport);
-
- // Find method declarations
- PsetCacheEntry* methodSetPermissions[dclMaximumValue + 1];
- DetectDeclActionsOnToken(pMeth->GetMemberDef(), dwDeclFlags, methodSetPermissions, pInternalImport);
-
- // Make sure the g_DeclSecClassAndMethodMergeTable is okay
- _ASSERTE(sizeof(g_DeclSecClassAndMethodMergeTable) == sizeof(DeclSecMergeMethod) * (dclMaximumValue + 1) &&
- "g_DeclSecClassAndMethodMergeTable wrong size!");
-
- // Merge class and method runtime declarations into a single linked list of set indexes
- int i;
- for(i = DECLSEC_RUNTIME_ACTION_COUNT - 1; i >= 0; i--) // note: the loop uses reverse order because AddDeclAction inserts at beginning of the list
- {
- CorDeclSecurity action = g_RuntimeDeclSecOrderTable[i];
- _ASSERTE(action > dclActionNil && action <= dclMaximumValue && "action out of range");
- AddDeclAction(action, classSetPermissions[action], methodSetPermissions[action], &pDeclActions, pMeth);
- }
-
- return pDeclActions;
-}
-
-void SecurityDeclarative::DetectDeclActionsOnToken(mdToken tk, DWORD dwDeclFlags, PsetCacheEntry** pSets, IMDInternalImport *pInternalImport)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- // Make sure the DCL to Flag table is okay
- _ASSERTE(DclToFlag(dclDemand) == DECLSEC_DEMANDS &&
- sizeof(DCL_FLAG_MAP) == sizeof(DWORD) * (dclMaximumValue + 1) &&
- "DCL_FLAG_MAP out of sync with CorDeclSecurity!");
-
- // Initialize the array
- int i;
- for(i = 0; i < dclMaximumValue + 1; i++)
- pSets[i] = NULL;
-
- // Look up declarations on the token for each SecurityAction
- DWORD dwAction;
- for (dwAction = 0; dwAction <= dclMaximumValue; dwAction++)
- {
- // don't bother with actions that are not in the requested mask
- CorDeclSecurity action = (CorDeclSecurity)dwAction;
- DWORD dwActionFlag = DclToFlag(action);
- if ((dwDeclFlags & dwActionFlag) == 0)
- continue;
-
- // Load the PermissionSet or PermissionSetCollection from the security action table in the metadata
- PsetCacheEntry *pPCE;
- HRESULT hr = SecurityAttributes::GetDeclaredPermissions(pInternalImport, tk, action, NULL, &pPCE);
- if (hr != S_OK) // returns S_FALSE if it didn't find anything in the metadata
- continue;
-
- pSets[dwAction] = pPCE;
- }
-}
-
-// Returns TRUE if there is a possibility that a token has declarations of the type specified by 'action'
-// Returns FALSE if it can determine that the token definately does not.
-BOOL SecurityDeclarative::TokenMightHaveDeclarations(IMDInternalImport *pInternalImport, mdToken token, CorDeclSecurity action)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- HRESULT hr = S_OK;
- HENUMInternal hEnumDcl;
- DWORD cDcl;
-
- // Check if the token has declarations for
- // the action specified.
- hr = pInternalImport->EnumPermissionSetsInit(
- token,
- action,
- &hEnumDcl);
-
- if (FAILED(hr) || hr == S_FALSE)
- {
- // PermissionSets for non-CAS actions are special cases because they may be mixed with
- // the set for the corresponding CAS action in a serialized CORSEC_PSET
- if(action == dclNonCasDemand || action == dclNonCasLinkDemand || action == dclNonCasInheritance)
- {
- // See if the corresponding CAS action has permissions
- BOOL fDoCheck = FALSE;
- if(action == dclNonCasDemand)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclDemand);
- else if(action == dclNonCasLinkDemand)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclLinktimeCheck);
- else if(action == dclNonCasInheritance)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclInheritanceCheck);
- if(fDoCheck)
- {
- // We can't tell for sure if there are declarations unless we deserializing something
- // (which is too expensive), so we'll just return TRUE
- return TRUE;
- /*
- OBJECTREF refPermSet = NULL;
- DWORD dwIndex = ~0;
- hr = SecurityAttributes::GetDeclaredPermissionsWithCache(pInternalImport, token, action, &refPermSet, &dwIndex);
- if(refPermSet != NULL)
- {
- _ASSERTE(dwIndex != (~0));
- return TRUE;
- }
- */
- }
- }
- pInternalImport->EnumClose(&hEnumDcl);
- return FALSE;
- }
-
- cDcl = pInternalImport->EnumGetCount(&hEnumDcl);
- pInternalImport->EnumClose(&hEnumDcl);
-
- return (cDcl > 0);
-}
-
-
-bool SecurityDeclarative::BlobMightContainNonCasPermission(PBYTE pbAttrSet, ULONG cbAttrSet, DWORD dwAction, bool* pHostProtectionOnly)
-{
- CONTRACTL {
- THROWS;
- } CONTRACTL_END;
-
- // Deserialize the CORSEC_ATTRSET
- CORSEC_ATTRSET attrSet;
- HRESULT hr = BlobToAttributeSet(pbAttrSet, cbAttrSet, &attrSet, dwAction);
- if(FAILED(hr))
- COMPlusThrowHR(hr);
-
- // this works because SecurityAttributes::CanUnrestrictedOverride only returns
- // true if the attribute set contains only well-known non-CAS permissions
- return !SecurityAttributes::ContainsBuiltinCASPermsOnly(&attrSet, pHostProtectionOnly);
-}
-
-// Accumulate status of declarative security.
-HRESULT SecurityDeclarative::GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* pfHasSuppressUnmanagedCodeAccessAttr /*[IN:TRUE if Pinvoke/Cominterop][OUT:FALSE if doesn't have attr]*/)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- HENUMInternal hEnumDcl;
- HRESULT hr;
- DWORD dwFlags = 0;
- DWORD dwNullFlags = 0;
-
- _ASSERTE(pdwFlags);
- *pdwFlags = 0;
-
- if (pdwNullFlags)
- *pdwNullFlags = 0;
-
- hr = pInternalImport->EnumPermissionSetsInit(token, dclActionNil, &hEnumDcl);
- if (FAILED(hr))
- goto Exit;
-
- if (hr == S_OK)
- {
- //Look through the security action table in the metadata for declared permission sets
- mdPermission perms;
- DWORD dwAction;
- DWORD dwDclFlags;
- ULONG cbPerm;
- PBYTE pbPerm;
- while (pInternalImport->EnumNext(&hEnumDcl, &perms))
- {
- hr = pInternalImport->GetPermissionSetProps(
- perms,
- &dwAction,
- (const void**)&pbPerm,
- &cbPerm);
- if (FAILED(hr))
- {
- goto Exit;
- }
-
- dwDclFlags = DclToFlag(dwAction);
-
- if ((cbPerm > 0) && (pbPerm[0] == LAZY_DECL_SEC_FLAG)) // indicates a serialized CORSEC_PSET
- {
- bool hostProtectionOnly; // gets initialized in call to BlobMightContainNonCasPermission
- if (BlobMightContainNonCasPermission(pbPerm, cbPerm, dwAction, &hostProtectionOnly))
- {
- switch (dwAction)
- {
- case dclDemand:
- dwFlags |= DclToFlag(dclNonCasDemand);
- break;
- case dclLinktimeCheck:
- dwFlags |= DclToFlag(dclNonCasLinkDemand);
- break;
- case dclInheritanceCheck:
- dwFlags |= DclToFlag(dclNonCasInheritance);
- break;
- }
- }
- else
- {
- if (hostProtectionOnly)
- {
- // If this is a linkcheck for HostProtection only, let's capture that in the flags.
- // Subsequently, this will be captured in the bit mask on EEClass/MethodDesc
- // and used when deciding whether to insert runtime callouts for transparency
- dwDclFlags |= DECLSEC_LINK_CHECKS_HPONLY;
- }
- }
- }
-
- dwFlags |= dwDclFlags;
- }
- }
- pInternalImport->EnumClose(&hEnumDcl);
-
- // Disable any runtime checking of UnmanagedCode permission if the correct
- // custom attribute is present.
- // By default, check except when told not to by the passed in BOOL*
-
- BOOL hasSuppressUnmanagedCodeAccessAttr;
- if (pfHasSuppressUnmanagedCodeAccessAttr == NULL)
- {
- hasSuppressUnmanagedCodeAccessAttr = TRUE;
- }
- else
- hasSuppressUnmanagedCodeAccessAttr = *pfHasSuppressUnmanagedCodeAccessAttr;
-
-
- if (hasSuppressUnmanagedCodeAccessAttr)
- {
- dwFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- dwNullFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
-
- *pdwFlags = dwFlags;
- if (pdwNullFlags)
- *pdwNullFlags = dwNullFlags;
-
-Exit:
- return hr;
-}
-
-void SecurityDeclarative::ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pClass));
- PRECONDITION(CheckPointer(pParent));
- PRECONDITION(!pClass->IsInterface());
- }
- CONTRACTL_END;
-
- // Regular check since Fast path check didn't succeed
- TypeSecurityDescriptor typeSecDesc(pParent);
- typeSecDesc.InvokeInheritanceChecks(pClass);
-}
-
-void SecurityDeclarative::MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pMethod));
- PRECONDITION(CheckPointer(pParent));
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- // Regular check since Fast path check didn't succeed
- MethodSecurityDescriptor MDSecDesc(pParent);
- MDSecDesc.InvokeInheritanceChecks(pMethod);
-}
-
-#ifndef CROSSGEN_COMPILE
-//-----------------------------------------------------------------------------
-//
-//
-// CODE FOR PERFORMING JIT-TIME CHECKS
-//
-//
-//-----------------------------------------------------------------------------
-
-
-
-
-
-
-// Retrieve all linktime demands sets for a method. This includes both CAS and
-// non-CAS sets for LDs at the class and the method level, so we could get up to
-// four sets.
-void SecurityDeclarative::RetrieveLinktimeDemands(MethodDesc *pMD,
- OBJECTREF *pClassCas,
- OBJECTREF *pClassNonCas,
- OBJECTREF *pMethodCas,
- OBJECTREF *pMethodNonCas)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-}
-
-//
-// Determine the reason why a method has been marked as requiring a link time check
-//
-// Arguments:
-// pMD - the method to figure out what link checks are needed for
-// pClassCasDemands - [out, optional] the CAS link demands found on the class containing the method
-// pClassNonCasDemands - [out, optional] the non-CAS link demands found on the class containing the method
-// pMethodCasDemands - [out, optional] the CAS link demands found on the method itself
-// pMethodNonCasDemands - [out, optional] the non-CAS link demands found on the method itself
-//
-// Return Value:
-// Flags indicating why the method has a link time check requirement
-//
-
-// static
-LinktimeCheckReason SecurityDeclarative::GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- PRECONDITION(CheckPointer(pClassCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pClassNonCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pMethodCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pMethodNonCasDemands, NULL_OK));
- PRECONDITION(pMD->RequiresLinktimeCheck());
- }
- CONTRACTL_END;
-
- LinktimeCheckReason reason = LinktimeCheckReason_None;
-
-#if defined(FEATURE_CORESYSTEM)
- ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pMD->GetAssembly());
-
- // If the method does not allow partially trusted callers, then the check is because we need to ensure all
- // callers are fully trusted.
- if (!pMSD->IsAPTCA())
- {
- reason |= LinktimeCheckReason_AptcaCheck;
- }
-#endif // defined(FEATURE_CORESYSTEM)
-
- //
- // If the method has a LinkDemand on it for either CAS or non-CAS permissions, get those and set the
- // flags for the appropriate type of permission.
- //
-
- struct gc
- {
- OBJECTREF refClassCasDemands;
- OBJECTREF refClassNonCasDemands;
- OBJECTREF refMethodCasDemands;
- OBJECTREF refMethodNonCasDemands;
- }
- gc;
- ZeroMemory(&gc, sizeof(gc));
-
- GCPROTECT_BEGIN(gc);
-
- // Fetch link demand sets from all the places in metadata where we might
- // find them (class and method). These might be split into CAS and non-CAS
- // sets as well.
- Security::RetrieveLinktimeDemands(pMD,
- &gc.refClassCasDemands,
- &gc.refClassNonCasDemands,
- &gc.refMethodCasDemands,
- &gc.refMethodNonCasDemands);
-
- if (gc.refClassCasDemands != NULL || gc.refMethodCasDemands != NULL)
- {
- reason |= LinktimeCheckReason_CasDemand;
-
- if (pClassCasDemands != NULL)
- {
- *pClassCasDemands = gc.refClassCasDemands;
- }
- if (pMethodCasDemands != NULL)
- {
- *pMethodCasDemands = gc.refMethodCasDemands;
- }
- }
-
- if (gc.refClassNonCasDemands != NULL || gc.refMethodNonCasDemands != NULL)
- {
- reason |= LinktimeCheckReason_NonCasDemand;
-
- if (pClassNonCasDemands != NULL)
- {
- *pClassNonCasDemands = gc.refClassNonCasDemands;
- }
-
- if (pMethodNonCasDemands != NULL)
- {
- *pMethodNonCasDemands = gc.refMethodNonCasDemands;
- }
-
- }
-
- GCPROTECT_END();
-
- //
- // Check to see if the target of the method is unmanaged code
- //
- // We detect linktime checks for UnmanagedCode in three cases:
- // o P/Invoke calls.
- // o Calls through an interface that have a suppress runtime check attribute on them (these are almost
- // certainly interop calls).
- // o Interop calls made through method impls.
- //
-
- if (pMD->IsNDirect())
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
-#ifdef FEATURE_COMINTEROP
- else if (pMD->IsComPlusCall() && !pMD->IsInterface())
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
- else if (pMD->IsInterface())
- {
- // We also consider calls to interfaces that contain the SuppressUnmanagedCodeSecurity attribute to
- // be COM calls, so check for those.
- bool fSuppressUnmanagedCheck =
- pMD->GetMDImport()->GetCustomAttributeByName(pMD->GetMethodTable()->GetCl(),
- COR_SUPPRESS_UNMANAGED_CODE_CHECK_ATTRIBUTE_ANSI,
- NULL,
- NULL) == S_OK ||
- pMD->GetMDImport()->GetCustomAttributeByName(pMD->GetMemberDef(),
- COR_SUPPRESS_UNMANAGED_CODE_CHECK_ATTRIBUTE_ANSI,
- NULL,
- NULL) == S_OK;
- if (fSuppressUnmanagedCheck)
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
- }
-#endif // FEATURE_COMINTEROP
-
- return reason;
-}
-
-
-#endif // CROSSGEN_COMPILE
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDECLARATIVE_H__
-#define __SECURITYDECLARATIVE_H__
-
-class SecurityStackWalk;
-class MethodSecurityDescriptor;
-class TokenSecurityDescriptor;
-struct TokenDeclActionInfo;
-class TypeSecurityDescriptor;
-class PsetCacheEntry;
-
-// Reasons why a method may have been flagged as requiring a LinkDemand
-enum LinktimeCheckReason
-{
- LinktimeCheckReason_None = 0x00000000, // The method does not require a LinkDemand
- LinktimeCheckReason_CasDemand = 0x00000001, // The method has CAS LinkDemands
- LinktimeCheckReason_NonCasDemand = 0x00000002, // The method has non-CAS LinkDemands
- LinktimeCheckReason_AptcaCheck = 0x00000004, // The method is a member of a non-APTCA assembly that requires its caller to be trusted
- LinktimeCheckReason_NativeCodeCall = 0x00000008 // The method may represent a call to native code
-};
-
-struct DeclActionInfo
-{
- DWORD dwDeclAction; // This'll tell InvokeDeclarativeSecurity whats the action needed
- PsetCacheEntry *pPCE; // The cached permissionset on which to demand/assert/deny/blah
- DeclActionInfo *pNext; // Next declarative action needed on this method, if any.
-
- static DeclActionInfo *Init(MethodDesc *pMD, DWORD dwAction, PsetCacheEntry *pPCE);
-};
-
-inline LinktimeCheckReason operator|(LinktimeCheckReason lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator|=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator&(LinktimeCheckReason lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator&=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs);
-
-namespace SecurityDeclarative
-{
- // Perform the declarative actions
- // Callers:
- // DoDeclarativeSecurity
- void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
- void DoDeclarativeStackModifiers(MethodDesc *pMeth, AppDomain* pAppDomain, LPVOID pSecObj);
- void DoDeclarativeStackModifiersInternal(MethodDesc *pMeth, LPVOID pSecObj);
- void EnsureAssertAllowed(MethodDesc *pMeth, MethodSecurityDescriptor* pMSD); // throws exception if assert is not allowed for MethodDesc
- // Determine which declarative SecurityActions are used on this type and return a
- // DWORD of flags to represent the results
- // Callers:
- // MethodTableBuilder::CreateClass
- // MethodTableBuilder::EnumerateClassMembers
- // MethodDesc::GetSecurityFlags
- HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
-
- // Query the metadata to get all LinkDemands on this method (and it's class)
- // Callers:
- // CanAccess (ReflectionInvocation)
- // ReflectionInvocation::GetSpecialSecurityFlags
- // RuntimeMethodHandle::InvokeMethod_Internal
- // Security::CheckLinkDemandAgainstAppDomain
- void RetrieveLinktimeDemands(MethodDesc* pMD,
- OBJECTREF* pClassCas,
- OBJECTREF* pClassNonCas,
- OBJECTREF* pMethodCas,
- OBJECTREF* pMethodNonCas);
-
- // Determine why the method is marked as requiring a linktime check, optionally returning the declared
- // CAS link demands on the method itself.
- LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands);
-
- // Used by interop to simulate the effect of link demands when the caller is
- // in fact script constrained by an appdomain setup by IE.
- // Callers:
- // DispatchInfo::InvokeMember
- // COMToCLRWorkerBody (COMToCLRCall)
- void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD);
-
- // Perform a LinkDemand
- // Callers:
- // COMCustomAttribute::CreateCAObject
- // CheckMethodAccess
- // InvokeUtil::CheckLinktimeDemand
- // CEEInfo::findMethod
- // RuntimeMethodHandle::InvokeMethod_Internal
- void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
-
- // Perform inheritance link demand
- // Called by:
- // MethodTableBuilder::ConvertLinkDemandToInheritanceDemand
- void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);
-
- // Perform an InheritanceDemand against the target assembly
- void InheritanceDemand(Assembly *pTargetAssembly, OBJECTREF refDemand);
-
- // Perform a FullTrust InheritanceDemand against the target assembly
- void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
-
- // Perform a FullTrust LinkDemand against the target assembly
- void FullTrustLinkDemand(Assembly *pTargetAssembly);
-
- // Do InheritanceDemands on the type
- // Called by:
- // MethodTableBuilder::VerifyInheritanceSecurity
- void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
-
- // Do InheritanceDemands on the Method
- // Callers:
- // MethodTableBuilder::VerifyInheritanceSecurity
- void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
-
- // Returns a managed instance of a well-known PermissionSet
- // Callers:
- // COMCodeAccessSecurityEngine::SpecialDemand
- // ReflectionSerialization::GetSafeUninitializedObject
- inline void GetPermissionInstance(OBJECTREF *perm, int index);
-
- inline BOOL FullTrustCheckForLinkOrInheritanceDemand(Assembly *pAssembly);
-
-
-
-#ifndef DACCESS_COMPILE
- // Calls PermissionSet.Demand
- // Callers:
- // CanAccess (ReflectionInvocation)
- // Security::CheckLinkDemandAgainstAppDomain
- void CheckNonCasDemand(OBJECTREF *prefDemand);
-#endif // #ifndef DACCESS_COMPILE
-
- // Returns TRUE if the method is visible outside its assembly
- // Callers:
- // MethodTableBuilder::SetSecurityFlagsOnMethod
- inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
- inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);
-
- BOOL TokenMightHaveDeclarations(IMDInternalImport *pInternalImport, mdToken token, CorDeclSecurity action);
- DeclActionInfo *DetectDeclActions(MethodDesc *pMeth, DWORD dwDeclFlags);
- void DetectDeclActionsOnToken(mdToken tk, DWORD dwDeclFlags, PsetCacheEntry** pSets, IMDInternalImport *pInternalImport);
- void InvokeLinktimeChecks(Assembly *pCaller,
- Module *pModule,
- mdToken token);
-
- inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr);
-
- inline BOOL ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass);
-
-
- // Add a declarative action and PermissionSet index to the linked list
- void AddDeclAction(CorDeclSecurity action, PsetCacheEntry *pClassPCE, PsetCacheEntry *pMethodPCE, DeclActionInfo** ppActionList, MethodDesc *pMeth);
-
- // Helper for DoDeclarativeActions
- void InvokeDeclarativeActions(MethodDesc *pMeth, DeclActionInfo *pActions, MethodSecurityDescriptor *pMSD);
- void InvokeDeclarativeStackModifiers (MethodDesc *pMeth, DeclActionInfo *pActions, OBJECTREF * pSecObj);
-
- bool BlobMightContainNonCasPermission(PBYTE pbPerm, ULONG cbPerm, DWORD dwAction, bool* pHostProtectionOnly);
-
-// Delayed Declarative Security processing
-#ifndef DACCESS_COMPILE
- inline void DoDeclarativeSecurityAtStackWalk(MethodDesc* pFunc, AppDomain* pAppDomain, OBJECTREF* pFrameObjectSlot);
-#endif
-}
-
-#endif // __SECURITYDECLARATIVE_H__
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDECLARATIVE_INL__
-#define __SECURITYDECLARATIVE_INL__
-
-#include "security.h"
-
-inline LinktimeCheckReason operator|(LinktimeCheckReason lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<LinktimeCheckReason>(static_cast<DWORD>(lhs) | static_cast<DWORD>(rhs));
-}
-
-inline LinktimeCheckReason operator|=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = lhs | rhs;
- return lhs;
-}
-
-inline LinktimeCheckReason operator&(LinktimeCheckReason lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<LinktimeCheckReason>(static_cast<DWORD>(lhs) & static_cast<DWORD>(rhs));
-}
-
-
-inline LinktimeCheckReason operator&=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = lhs & rhs;
- return lhs;
-}
-
-inline BOOL SecurityDeclarative::FullTrustCheckForLinkOrInheritanceDemand(Assembly *pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-#ifndef DACCESS_COMPILE
- IAssemblySecurityDescriptor* pSecDesc = pAssembly->GetSecurityDescriptor();
- if (pSecDesc->IsSystem())
- return TRUE;
-
- if (pSecDesc->IsFullyTrusted())
- return TRUE;
-#endif
- return FALSE;
-
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr)
-{
- LIMITED_METHOD_CONTRACT;
- return ( IsMdPublic(dwMethodAttr) ||
- IsMdFamORAssem(dwMethodAttr)||
- IsMdFamily(dwMethodAttr) );
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(
- MethodDesc * pMD)
-{
- LIMITED_METHOD_CONTRACT;
-
- MethodTable * pMT = pMD->GetMethodTable();
-
- if (!ClassIsVisibleOutsideItsAssembly(pMT->GetAttrClass(), pMT->IsGlobalClass()))
- return FALSE;
-
- return MethodIsVisibleOutsideItsAssembly(pMD->GetAttrs());
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass)
-{
- LIMITED_METHOD_CONTRACT;
-
- if (!ClassIsVisibleOutsideItsAssembly(dwClassAttr, fIsGlobalClass))
- return FALSE;
-
- return MethodIsVisibleOutsideItsAssembly(dwMethodAttr);
-}
-
-inline BOOL SecurityDeclarative::ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass)
-{
- LIMITED_METHOD_CONTRACT;
-
- if (fIsGlobalClass)
- {
- return TRUE;
- }
-
- return ( IsTdPublic(dwClassAttr) ||
- IsTdNestedPublic(dwClassAttr)||
- IsTdNestedFamily(dwClassAttr)||
- IsTdNestedFamORAssem(dwClassAttr));
-}
-
-#ifndef DACCESS_COMPILE
-inline void SecurityDeclarative::DoDeclarativeSecurityAtStackWalk(MethodDesc* pFunc, AppDomain* pAppDomain, OBJECTREF* pFrameObjectSlot)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
-
- BOOL hasDeclarativeStackModifier = (pFunc->IsInterceptedForDeclSecurity() && !pFunc->IsInterceptedForDeclSecurityCASDemandsOnly());
- if (hasDeclarativeStackModifier)
- {
-
- _ASSERTE(pFrameObjectSlot != NULL);
- if (*pFrameObjectSlot == NULL || !( ((FRAMESECDESCREF)(*pFrameObjectSlot))->IsDeclSecComputed()) )
- {
- // Populate the FSD with declarative assert/deny/PO
- SecurityDeclarative::DoDeclarativeStackModifiers(pFunc, pAppDomain, pFrameObjectSlot);
- }
- }
-}
-#endif
-
-
-
-#endif // __SECURITYDECLARATIVE_INL__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-#include "appdomain.inl"
-#include "security.h"
-#include "field.h"
-#include "comcallablewrapper.h"
-#include "typeparse.h"
-
-
-//
-//----------------------------------------------------
-//
-//Brief design overview:
-//
-//Essentially we moved away from the old scheme of a per-process hash table for blob->index mapping,
-//and a growable per appdomain array containing the managed objects. The new scheme has a per
-//appdomain hash that does memory allocs from the appdomain heap. The hash table maps the metadata
-//blob to a data structure called PsetCacheEntry. PsetCacheEntry has the metadata blob and a handle
-//to the managed pset object. It is the central place where caching/creation of the managed pset
-//objects happen. Essentially whenever we see a new decl security blob, we insert it into the
-//appdomain hash (if it's not already there). The object is lazily created as needed (we let
-//threads race for object creation).
-//
-//----------------------------------------------------
-//
-
-BOOL PsetCacheKey::IsEquiv(PsetCacheKey *pOther)
-{
- WRAPPER_NO_CONTRACT;
- if (m_cbPset != pOther->m_cbPset || !m_pbPset || !pOther->m_pbPset)
- return FALSE;
- return memcmp(m_pbPset, pOther->m_pbPset, m_cbPset) == 0;
-}
-
-DWORD PsetCacheKey::Hash()
-{
- LIMITED_METHOD_CONTRACT;
- DWORD dwHash = 0;
- for (DWORD i = 0; i < (m_cbPset / sizeof(DWORD)); i++)
- dwHash ^= GET_UNALIGNED_VAL32(&((DWORD*)m_pbPset)[i]);
- return dwHash;
-}
-
-void PsetCacheEntry::Init (PsetCacheKey *pKey, AppDomain *pDomain)
-{
- CONTRACTL
- {
- GC_NOTRIGGER;
- THROWS; // From CreateHandle()
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- m_pKey = pKey;
- m_eCanUnrestrictedOverride = CUO_DontKnow;
- m_fEmptyPermissionSet = false;
-#ifndef CROSSGEN_COMPILE
- m_handle = pDomain->CreateHandle(NULL);
-#endif // CROSSGEN_COMPILE
-}
-
-#ifndef CROSSGEN_COMPILE
-OBJECTREF PsetCacheEntry::CreateManagedPsetObject(DWORD dwAction, bool createEmptySet /* = false */)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- return NULL;
-}
-#endif // CROSSGEN_COMPILE
-
-bool PsetCacheEntry::ContainsBuiltinCASPermsOnly (DWORD dwAction)
-{
-
- if (m_eCanUnrestrictedOverride == CUO_Yes) {
- return true;
- }
-
- if (m_eCanUnrestrictedOverride == CUO_No) {
- return false;
- }
-
- bool bRet = ContainsBuiltinCASPermsOnlyInternal(dwAction);
-
- //
- // Cache the results.
- //
-
- if(bRet) {
- m_eCanUnrestrictedOverride = CUO_Yes;
- } else {
- m_eCanUnrestrictedOverride = CUO_No;
- }
-
- return bRet;
-}
-
-bool PsetCacheEntry::ContainsBuiltinCASPermsOnlyInternal(DWORD dwAction)
-{
- //
- // Deserialize the CORSEC_ATTRSET
- //
-
- CORSEC_ATTRSET attrSet;
- HRESULT hr = BlobToAttributeSet(m_pKey->m_pbPset, m_pKey->m_cbPset, &attrSet, dwAction);
-
- if(FAILED(hr)) {
- COMPlusThrowHR(hr);
- }
-
- if (hr == S_FALSE) {
- //
- // BlobToAttributeSet didn't work as expected - bail out early
- //
- return FALSE;
- }
-
- // Check the attributes
- return SecurityAttributes::ContainsBuiltinCASPermsOnly(&attrSet);
-}
-
-void SecurityDeclarativeCache::Init(LoaderHeap *pHeap)
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- _ASSERTE (pHeap);
-
- m_pHeap = pHeap;
-
- m_pCachedPsetsHash = new EEPsetHashTable;
-
- m_prCachedPsetsLock = new SimpleRWLock (COOPERATIVE_OR_PREEMPTIVE,
- LOCK_TYPE_DEFAULT);
-
- if (!m_pCachedPsetsHash->Init(19, &g_lockTrustMeIAmThreadSafe, m_pHeap)) {
- ThrowOutOfMemory();
- }
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::CreateAndCachePset(
- IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheEntry *pPCE;
- LoaderHeap *pHeap;
- SimpleWriteLockHolder writeLockHolder(m_prCachedPsetsLock);
-
- //
- // Check for Duplicates.
- //
-
- pPCE = GetCachedPsetWithoutLocks (pbAttrBlob, cbAttrBlob);
- if (pPCE) {
- return pPCE;
- }
-
- AppDomain *pDomain;
- PsetCacheKey *pKey;
- HashDatum datum;
-
- //
- // Buffer permission set blob (it might go away if the metadata scope it
- // came from is closed).
- //
-
- pDomain = GetAppDomain ();
- pHeap = pDomain->GetLowFrequencyHeap ();
-
- pKey = (PsetCacheKey*) ((void*) pHeap->AllocMem ((S_SIZE_T)sizeof(PsetCacheKey)));
-
- pKey->Init (pbAttrBlob, cbAttrBlob, TRUE, pHeap);
-
-
-
- pPCE = (PsetCacheEntry*)
- ((void*) pHeap->AllocMem ((S_SIZE_T)sizeof(PsetCacheEntry)));
-
- pPCE->Init (pKey, pDomain);
-
- datum = reinterpret_cast<HashDatum>(pPCE);
- m_pCachedPsetsHash->InsertValue (pKey, datum);
-
- return pPCE;
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::GetCachedPset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheEntry *pPCE;
- SimpleReadLockHolder readLockHolder(m_prCachedPsetsLock);
-
- pPCE = GetCachedPsetWithoutLocks(pbAttrBlob, cbAttrBlob);
- return pPCE;
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::GetCachedPsetWithoutLocks(
- IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheKey sKey;
- PsetCacheEntry *pPCE;
- BOOL found;
- HashDatum datum;
-
- sKey.Init (pbAttrBlob, cbAttrBlob, FALSE, NULL);
-
- found = m_pCachedPsetsHash->GetValue(&sKey, &datum);
-
- if (found) {
- pPCE = reinterpret_cast<PsetCacheEntry*>(datum);
- return pPCE;
- } else {
- return NULL;
- }
-}
-
-SecurityDeclarativeCache::~SecurityDeclarativeCache()
-{
- WRAPPER_NO_CONTRACT;
-
- // Destroy the hash table even if entries are allocated from
- // appdomain heap: the hash table may have used non heap memory for internal data structures
- if (m_pCachedPsetsHash)
- {
- delete m_pCachedPsetsHash;
- }
-
- if (m_prCachedPsetsLock)
- {
- delete m_prCachedPsetsLock;
- }
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SecurityDecarativeCache_h__
-#define __SecurityDecarativeCache_h__
-
-struct PsetCacheKey
-{
-public:
- PBYTE m_pbPset;
- DWORD m_cbPset;
- BOOL m_bCopyArray;
-
- void Init (PBYTE pbPset, DWORD cbPset, BOOL CopyArray, LoaderHeap *pHeap)
- {
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- m_cbPset = cbPset;
-
- if (CopyArray) {
- m_pbPset = (PBYTE) ((void*)pHeap->AllocMem((S_SIZE_T)(cbPset * sizeof(BYTE)))) ;
- memcpy (m_pbPset, pbPset, cbPset);
- } else {
- m_pbPset = pbPset;
- }
- }
-
- BOOL IsEquiv(PsetCacheKey *pOther);
- DWORD Hash();
-};
-
-//
-// Records a serialized permission set we've seen and decoded.
-//
-
-enum CanUnrestrictedOverride
-{
- CUO_DontKnow = 0,
- CUO_Yes = 1,
- CUO_No = 2,
-};
-
-class PsetCacheEntry
-{
-private:
- PsetCacheKey* m_pKey;
- OBJECTHANDLE m_handle;
- BYTE m_eCanUnrestrictedOverride;
- bool m_fEmptyPermissionSet;
-
- bool ContainsBuiltinCASPermsOnlyInternal(DWORD dwAction);
-
-public:
-
- void Init(PsetCacheKey* pKey, AppDomain* pDomain);
-
- OBJECTREF CreateManagedPsetObject(DWORD dwAction, bool createEmptySet = false);
-
- OBJECTREF GetManagedPsetObject()
- {
- WRAPPER_NO_CONTRACT;
- return ObjectFromHandle(m_handle);
- }
-
- bool ContainsBuiltinCASPermsOnly (DWORD dwAction);
- PsetCacheEntry() {m_pKey = NULL;}
- ~PsetCacheEntry()
- {
- if (m_pKey) {
- delete m_pKey;
- }
- }
-};
-
-
-
-class SecurityDeclarativeCache {
-
-private:
- EEPsetHashTable* m_pCachedPsetsHash;
- SimpleRWLock* m_prCachedPsetsLock;
- LoaderHeap* m_pHeap;
-
- PsetCacheEntry* GetCachedPsetWithoutLocks(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
-public:
- void Init(LoaderHeap *pHeap);
-
- SecurityDeclarativeCache() :
- m_pCachedPsetsHash(NULL),
- m_prCachedPsetsLock(NULL),
- m_pHeap(NULL)
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- ~SecurityDeclarativeCache();
-
- PsetCacheEntry* CreateAndCachePset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
- PsetCacheEntry* GetCachedPset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
-
-};
-
-#endif
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-
-#include "security.h"
-#include "eventtrace.h"
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// |
-// +----[PEFileSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-
-BOOL SecurityDescriptor::CanCallUnmanagedCode () const
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << SECURITY_UNMANAGED_CODE);
-}
-
-#ifndef DACCESS_COMPILE
-
-OBJECTREF SecurityDescriptor::GetGrantedPermissionSet(OBJECTREF* pRefusedPermissions)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-#ifndef CROSSGEN_COMPILE
- if (pRefusedPermissions)
- *pRefusedPermissions = ObjectFromLazyHandle(m_hGrantDeniedPermissionSet, m_pLoaderAllocator);
- return ObjectFromLazyHandle(m_hGrantedPermissionSet, m_pLoaderAllocator);
-#else
- return NULL;
-#endif
-}
-
-//
-// Returns TRUE if the given zone has the given special permission.
-//
-
-#endif // DACCESS_COMPILE
-
-
-//
-// This method will return TRUE if this object is fully trusted.
-//
-
-BOOL SecurityDescriptor::IsFullyTrusted ()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- SUPPORTS_DAC;
- SO_TOLERANT;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << SECURITY_FULL_TRUST);
-}
-
-BOOL SecurityDescriptor::IsResolved() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fSDResolved;
-}
-
-DWORD SecurityDescriptor::GetSpecialFlags() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwSpecialFlags;
-}
-
-#ifndef DACCESS_COMPILE
-void SecurityDescriptor::SetGrantedPermissionSet(OBJECTREF GrantedPermissionSet,
- OBJECTREF DeniedPermissionSet,
- DWORD dwSpecialFlags)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
-#ifndef CROSSGEN_COMPILE
- GCPROTECT_BEGIN(DeniedPermissionSet);
- StoreObjectInLazyHandle(m_hGrantedPermissionSet, GrantedPermissionSet, m_pLoaderAllocator);
- StoreObjectInLazyHandle(m_hGrantDeniedPermissionSet, DeniedPermissionSet, m_pLoaderAllocator);
- GCPROTECT_END();
-#endif
-
- if (dwSpecialFlags & (1 << SECURITY_FULL_TRUST))
- {
- m_dwSpecialFlags = 0xFFFFFFFF; // Fulltrust means that all possible quick checks should succeed, so we set all flags
- }
- else
- {
- m_dwSpecialFlags = dwSpecialFlags;
- }
-
- m_fSDResolved = TRUE;
-}
-
-
-#endif // !DACCESS_COMPILE
-
-AppDomain* SecurityDescriptor::GetDomain() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_pAppDomain;
-}
-
-#ifndef DACCESS_COMPILE
-
-
-
-#endif // !DACCESS_COMPILE
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_H__
-#define __SECURITYDESCRIPTOR_H__
-
-#include "securityattributes.h"
-#include "securitypolicy.h"
-
-class ISecurityDescriptor;
-class IPEFileSecurityDescriptor;
-
-// Security flags for the objects that store security information
-#define CORSEC_ASSERTED 0x000020 // Asseted permission set present on frame
-#define CORSEC_DENIED 0x000040 // Denied permission set present on frame
-#define CORSEC_REDUCED 0x000080 // Reduced permission set present on frame
-
-// Inline Functions to support lazy handles - read/write to handle that may not have been created yet
-// SecurityDescriptor and ApplicationSecurityDescriptor currently use these
-inline OBJECTREF ObjectFromLazyHandle(LOADERHANDLE handle, LoaderAllocator* la);
-
-#ifndef DACCESS_COMPILE
-
-inline void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la);
-
-
-#endif // #ifndef DACCESS_COMPILE
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// +----[PEFileSecurityDescriptor]
-// |
-// +----[ApplicationSecurityDescriptor]
-// |
-// +----[AssemblySecurityDescriptor]
-//
-// [SharedSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-//
-// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects.
-// AppDomain and Assembly could be from different zones.
-// Security Descriptor could also be placed on a native frame.
-//
-///////////////////////////////////////////////////////////////////////////////
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// SecurityDescriptor is the base class for all security descriptors.
-// Extend this class to implement SecurityDescriptors for Assemblies and
-// AppDomains.
-//
-// WARNING : Do not add virtual methods to this class! Doing so results
-// in derived classes such as AssemblySecurityDescriptor having two v-table
-// pointers, which the DAC doesn't support.
-//
-///////////////////////////////////////////////////////////////////////////////
-
-class SecurityDescriptor
-{
-protected:
-
- // The unmanaged DomainAssembly object
- DomainAssembly *m_pAssem;
-
- // The PEFile associated with the DomainAssembly
- PEFile *m_pPEFile;
-
- // The AppDomain context
- AppDomain* m_pAppDomain;
-
- BOOL m_fSDResolved;
-
- DWORD m_dwSpecialFlags;
- LoaderAllocator *m_pLoaderAllocator;
-
-private:
-#ifndef CROSSGEN_COMPILE
- LOADERHANDLE m_hGrantedPermissionSet; // Granted Permission
- LOADERHANDLE m_hGrantDeniedPermissionSet;// Specifically Denied Permissions
-#endif // CROSSGEN_COMPILE
-
-public:
- BOOL IsFullyTrusted();
- DWORD GetSpecialFlags() const;
-
- AppDomain* GetDomain() const;
- BOOL CanCallUnmanagedCode() const;
-
-
-#ifndef DACCESS_COMPILE
- void SetGrantedPermissionSet(OBJECTREF GrantedPermissionSet,
- OBJECTREF DeniedPermissionSet,
- DWORD dwSpecialFlags);
- OBJECTREF GetGrantedPermissionSet(OBJECTREF* pRefusedPermissions = NULL);
-#endif // DACCESS_COMPILE
-
- BOOL IsResolved() const;
-
- // Checks for one of the special security flags such as FullTrust or UnmanagedCode
- FORCEINLINE BOOL CheckSpecialFlag (DWORD flags) const;
-
- // Used to locate the assembly
- inline PEFile *GetPEFile() const;
-
-protected:
- //--------------------
- // Constructor
- //--------------------
-#ifndef DACCESS_COMPILE
- inline SecurityDescriptor(AppDomain *pAppDomain, DomainAssembly *pAssembly, PEFile* pPEFile, LoaderAllocator *pLoaderAllocator);
-#ifdef FEATURE_PAL
- SecurityDescriptor() {}
-#endif // FEATURE_PAL
-#endif // !DACCESS_COMPILE
-};
-
-template<typename IT>
-class SecurityDescriptorBase : public IT, public SecurityDescriptor
-{
-public:
- VPTR_ABSTRACT_VTABLE_CLASS(SecurityDescriptorBase, IT) // needed for the DAC
-
- inline SecurityDescriptorBase(AppDomain *pAppDomain, DomainAssembly *pAssembly, PEFile* pPEFile, LoaderAllocator *pLoaderAllocator);
-
-public:
- virtual BOOL IsFullyTrusted() { return SecurityDescriptor::IsFullyTrusted(); }
- virtual BOOL CanCallUnmanagedCode() const { return SecurityDescriptor::CanCallUnmanagedCode(); }
- virtual DWORD GetSpecialFlags() const { return SecurityDescriptor::GetSpecialFlags(); }
-
- virtual AppDomain* GetDomain() const { return SecurityDescriptor::GetDomain(); }
-
- virtual BOOL IsResolved() const { return SecurityDescriptor::IsResolved(); }
-
-
-#ifndef DACCESS_COMPILE
- virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) { return SecurityDescriptor::GetGrantedPermissionSet(RefusedPermissions); }
-#endif
-};
-
-
-#include "securitydescriptor.inl"
-
-#endif // #define __SECURITYDESCRIPTOR_H__
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_INL__
-#define __SECURITYDESCRIPTOR_INL__
-
-// Inline Functions to support lazy handles - read/write to handle that may not have been created yet
-// SecurityDescriptor and ApplicationSecurityDescriptor currently use these
-inline OBJECTREF ObjectFromLazyHandle(LOADERHANDLE handle, LoaderAllocator *pLoaderAllocator)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (handle != NULL)
- {
- return pLoaderAllocator->GetHandleValue(handle);
- }
- else
- {
- return NULL;
- }
-}
-
-#ifndef DACCESS_COMPILE
-
-inline SecurityDescriptor::SecurityDescriptor(AppDomain *pAppDomain,
- DomainAssembly *pAssembly,
- PEFile* pPEFile,
- LoaderAllocator *pLoaderAllocator) :
- m_pAssem(pAssembly),
- m_pPEFile(pPEFile),
- m_pAppDomain(pAppDomain),
- m_fSDResolved(FALSE),
- m_dwSpecialFlags(0),
- m_pLoaderAllocator(pLoaderAllocator)
-#ifndef CROSSGEN_COMPILE
- , m_hGrantedPermissionSet(NULL),
- m_hGrantDeniedPermissionSet(NULL)
-#endif // CROSSGEN_COMPILE
-{
- LIMITED_METHOD_CONTRACT;
-}
-#endif // !DACCESS_COMPILE
-
-
-// Checks for one of the special security flags such as FullTrust or UnmanagedCode
-FORCEINLINE BOOL SecurityDescriptor::CheckSpecialFlag (DWORD flags) const
-{
- LIMITED_METHOD_CONTRACT;
- SUPPORTS_DAC;
-
- return (m_dwSpecialFlags & flags);
-}
-
-inline PEFile *SecurityDescriptor::GetPEFile() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_pPEFile;
-}
-
-#ifndef DACCESS_COMPILE
-template<typename IT>
-inline SecurityDescriptorBase<IT>::SecurityDescriptorBase(AppDomain *pAppDomain,
- DomainAssembly *pAssembly,
- PEFile* pPEFile,
- LoaderAllocator *pLoaderAllocator) :
- SecurityDescriptor(pAppDomain, pAssembly, pPEFile, pLoaderAllocator)
-{
-}
-#endif // !DACCESS_COMPILE
-
-
-#endif // #define __SECURITYDESCRIPTOR_INL__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-#include "security.h"
-#include "callhelpers.h"
-
-#ifndef DACCESS_COMPILE
-
-void ApplicationSecurityDescriptor::Resolve()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- SO_TOLERANT;
- } CONTRACTL_END;
-
- if (IsResolved())
- return;
-
- SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
-}
-
-#ifndef CROSSGEN_COMPILE
-//---------------------------------------------------------------------------------------
-//
-// Determine the security state of an AppDomain before the domain is fully configured.
-// This method is used to detect the input configuration of a domain - specifically, if it
-// is homogenous and fully trusted before domain setup is completed.
-//
-// Note that this state may not reflect the final state of the AppDomain when it is
-// configured, since components like the AppDomainManager can modify these bits during execution.
-//
-
-void ApplicationSecurityDescriptor::PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous)
-{
- CONTRACTL
- {
- GC_TRIGGERS;
- THROWS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pfIsFullyTrusted));
- PRECONDITION(CheckPointer(pfIsHomogeneous));
- PRECONDITION(IsInitializationInProgress()); // We shouldn't be looking at the pre-resolved state if we've already done real resolution
- }
- CONTRACTL_END;
-
- if (m_fIsPreResolved)
- {
- *pfIsFullyTrusted = m_fPreResolutionFullTrust;
- *pfIsHomogeneous = m_fPreResolutionHomogeneous;
- return;
- }
-
- GCX_COOP();
-
- // On CoreCLR all domains are partial trust homogenous
- m_fPreResolutionFullTrust = FALSE;
- m_fPreResolutionHomogeneous = TRUE;
-
- *pfIsFullyTrusted = m_fPreResolutionFullTrust;
- *pfIsHomogeneous = m_fPreResolutionHomogeneous;
- m_fIsPreResolved = TRUE;
-}
-#endif // CROSSGEN_COMPILE
-
-
-//
-// PLS (PermissionListSet) optimization Implementation
-// The idea of the PLS optimization is to maintain the intersection
-// of the grant sets of all assemblies loaded into the AppDomain (plus
-// the grant set of the AppDomain itself) and the union of all denied
-// sets. When a demand is evaluated, we first check the permission
-// that is being demanded against the combined grant and denied set
-// and if that check succeeds, then we know the demand is satisfied
-// in the AppDomain without having to perform an entire stack walk.
-//
-
-// Creates the PermissionListSet which holds the AppDomain level intersection of
-// granted and denied permission sets of all assemblies in the domain and updates
-// the granted and denied set with those of the AppDomain.
-void ApplicationSecurityDescriptor::InitializePLS()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(IsResolved());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- m_dwDomainWideSpecialFlags = m_dwSpecialFlags;
-}
-
-// Whenever a new assembly is added to the domain, we need to update the PermissionListSet
-void ApplicationSecurityDescriptor::AddNewSecDescToPLS(AssemblySecurityDescriptor *pNewSecDescriptor)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(pNewSecDescriptor->IsResolved());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- //
- // If the assembly is fully trusted, this should be a no-op as the PLS is unaffected.
- // Note it's Ok to call this method before the AppDomain is fully initialized (and so
- // before the PLS is created for the AppDomain) because we enforce that all assemblies
- // loaded during that phase are fully trusted.
- //
-
- if (!pNewSecDescriptor->IsFullyTrusted()) {
-
- LONG dwNewDomainWideSpecialFlags = 0;
- LONG dwOldDomainWideSpecialFlags = 0;
- do {
- dwOldDomainWideSpecialFlags = m_dwDomainWideSpecialFlags;
- dwNewDomainWideSpecialFlags = (dwOldDomainWideSpecialFlags & pNewSecDescriptor->GetSpecialFlags());
- }
- while (InterlockedCompareExchange((LONG*)&m_dwDomainWideSpecialFlags, dwNewDomainWideSpecialFlags, dwOldDomainWideSpecialFlags) != dwOldDomainWideSpecialFlags);
- }
-}
-
-
-DWORD ApplicationSecurityDescriptor::GetDomainWideSpecialFlag() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwDomainWideSpecialFlags;
-}
-
-void ApplicationSecurityDescriptor::FinishInitialization()
-{
- WRAPPER_NO_CONTRACT;
- // Resolve the AppDomain security descriptor.
- this->Resolve();
-
- // Reset the initialization in-progress flag.
- this->ResetInitializationInProgress();
-
- // Initialize the PLS with the grant set of the AppDomain
- this->InitializePLS();
-}
-
-void ApplicationSecurityDescriptor::SetHostSecurityManagerFlags(DWORD dwFlags)
-{
- LIMITED_METHOD_CONTRACT;
- m_dwHostSecurityManagerFlags |= dwFlags;
-}
-
-void ApplicationSecurityDescriptor::SetPolicyLevelFlag()
-{
- LIMITED_METHOD_CONTRACT;
- m_dwHostSecurityManagerFlags |= HOST_POLICY_LEVEL;
-}
-
-BOOL ApplicationSecurityDescriptor::IsHomogeneous() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fHomogeneous;
-}
-
-// Should the HSM be consulted for security decisions in this AppDomain.
-BOOL ApplicationSecurityDescriptor::CallHostSecurityManager()
-{
- LIMITED_METHOD_CONTRACT;
- return (m_dwHostSecurityManagerFlags & HOST_APP_DOMAIN_EVIDENCE ||
- m_dwHostSecurityManagerFlags & HOST_POLICY_LEVEL ||
- m_dwHostSecurityManagerFlags & HOST_ASM_EVIDENCE ||
- m_dwHostSecurityManagerFlags & HOST_RESOLVE_POLICY);
-}
-
-// The AppDomain is considered a default one (FT) if the property is set and it's not a homogeneous AppDomain
-BOOL ApplicationSecurityDescriptor::IsDefaultAppDomain() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsDefaultAppdomain
- ;
-}
-
-BOOL ApplicationSecurityDescriptor::IsDefaultAppDomainEvidence()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsDefaultAppdomainEvidence;// This need not be a default AD, but has no evidence. So we'll use the default AD evidence
-}
-
-// Indicates whether the initialization phase is in progress.
-BOOL ApplicationSecurityDescriptor::IsInitializationInProgress()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsInitializationInProgress;
-}
-
-BOOL ApplicationSecurityDescriptor::ContainsAnyRefusedPermissions()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fContainsAnyRefusedPermissions;
-}
-
-// Is it possible for the AppDomain to contain partial trust code. This method may return true even if the
-// domain does not currently have partial trust code in it - a true value simply means that it is possible
-// for partial trust code to eventually end up in the domain.
-BOOL ApplicationSecurityDescriptor::DomainMayContainPartialTrustCode()
-{
- WRAPPER_NO_CONTRACT;
- return !m_fHomogeneous || !IsFullyTrusted();
-}
-
-
-#endif // !DACCESS_COMPILE
-
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_APPDOMAIN_H__
-#define __SECURITYDESCRIPTOR_APPDOMAIN_H__
-#include "security.h"
-#include "securitydescriptor.h"
-#include "securitymeta.h"
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// +----[PEFileSecurityDescriptor]
-// |
-// +----[ApplicationSecurityDescriptor]
-// |
-// +----[AssemblySecurityDescriptor]
-//
-// [SharedSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-
-//------------------------------------------------------------------
-//
-// APPDOMAIN SECURITY DESCRIPTOR
-//
-//------------------------------------------------------------------
-
-class ApplicationSecurityDescriptor : public SecurityDescriptorBase<IApplicationSecurityDescriptor>
-{
-public:
- VPTR_VTABLE_CLASS(ApplicationSecurityDescriptor, SecurityDescriptorBase<IApplicationSecurityDescriptor>)
-
-private:
- // Dependency in managed : System.Security.HostSecurityManager.cs
- enum HostSecurityManagerFlags
- {
- // Flags to control which HostSecurityManager features are provided by the host
- HOST_NONE = 0x0000,
- HOST_APP_DOMAIN_EVIDENCE = 0x0001,
- HOST_POLICY_LEVEL = 0x0002,
- HOST_ASM_EVIDENCE = 0x0004,
- HOST_DAT = 0x0008,
- HOST_RESOLVE_POLICY = 0x0010
- };
-
-
- // The bits represent the status of security checks on some specific permissions within this domain
- Volatile<DWORD> m_dwDomainWideSpecialFlags;
- // m_dwDomainWideSpecialFlags bit map
- // Bit 0 = Unmanaged Code access permission. Accessed via SECURITY_UNMANAGED_CODE
- // Bit 1 = Skip verification permission. SECURITY_SKIP_VER
- // Bit 2 = Permission to Reflect over types. REFLECTION_TYPE_INFO
- // Bit 3 = Permission to Assert. SECURITY_ASSERT
- // Bit 4 = Permission to invoke methods. REFLECTION_MEMBER_ACCESS
- // Bit 7 = PermissionSet, fulltrust SECURITY_FULL_TRUST
- // Bit 9 = UIPermission (unrestricted)
-
- BOOL m_fIsInitializationInProgress; // appdomain is in the initialization stage and is considered FullTrust by the security system.
- BOOL m_fIsDefaultAppdomain; // appdomain is the default appdomain, or created by the default appdomain without an explicit evidence
- BOOL m_fIsDefaultAppdomainEvidence; // Evidence for this AD is the same as the Default AD.
- // m_ifIsDefaultAppDomain is TRUE => m_fIsDefaultAppdomainEvidence is TRUE
- // m_fIsDefaultAppdomainEvidence can be TRUE when m_fIsDefaultAppdomain is FALSE if a homogeneous AD was
- // created without evidence (non-null PermissionSet though).
- // m_fIsDefaultAppdomainEvidence and m_fIsDefaultAppdomain are both FALSE when an explicit evidence
- // exists on the AppDomain. (In the managed world: AppDomain._SecurityIdentity != null)
- BOOL m_fHomogeneous; // This AppDomain has an ApplicationTrust
- BOOL m_fRuntimeSuppliedHomogenousGrantSet; // This AppDomain is homogenous only because the v4 CLR defaults to creating homogenous domains, and would not have been homogenous in v2
- DWORD m_dwHostSecurityManagerFlags; // Flags indicating what decisions the host wants to participate in.
- BOOL m_fContainsAnyRefusedPermissions;
-
- BOOL m_fIsPreResolved; // Have we done a pre-resolve on this domain yet
- BOOL m_fPreResolutionFullTrust; // Was the domain pre-resolved to be full trust
- BOOL m_fPreResolutionHomogeneous; // Was the domain pre-resolved to be homogenous
-
-
-#ifndef DACCESS_COMPILE
-public:
- //--------------------
- // Constructor
- //--------------------
- inline ApplicationSecurityDescriptor(AppDomain *pAppDomain);
-
- //--------------------
- // Destructor
- //--------------------
-
-public:
- // Indicates whether the initialization phase is in progress.
- virtual BOOL IsInitializationInProgress();
- inline void ResetInitializationInProgress();
-
- // The AppDomain is considered a default one (FT) if the property is
- // set and it's not a homogeneous AppDomain (ClickOnce case for example).
- virtual BOOL IsDefaultAppDomain() const;
- inline void SetDefaultAppDomain();
-
- virtual BOOL IsDefaultAppDomainEvidence();
- inline void SetDefaultAppDomainEvidence();
-
- virtual VOID Resolve();
-
- void ResolveWorker();
-
- virtual void FinishInitialization();
-
- virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous);
-
- virtual void SetHostSecurityManagerFlags(DWORD dwFlags);
- virtual void SetPolicyLevelFlag();
-
- inline void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet);
- virtual BOOL IsHomogeneous() const;
-
-
- virtual BOOL ContainsAnyRefusedPermissions();
-
- // Should the HSM be consulted for security decisions in this AppDomain.
- virtual BOOL CallHostSecurityManager();
-
-
- // Initialize the PLS on the AppDomain.
- void InitializePLS();
-
- // Called everytime an AssemblySecurityDescriptor is resolved.
- void AddNewSecDescToPLS(AssemblySecurityDescriptor *pNewSecDescriptor);
-
-
- // Checks for one of the special domain wide flags
- // such as if we are currently in a "fully trusted" environment
- // or if unmanaged code access is allowed at this time
- inline BOOL CheckDomainWideSpecialFlag(DWORD flags) const;
- virtual DWORD GetDomainWideSpecialFlag() const;
-
-
- virtual BOOL DomainMayContainPartialTrustCode();
-
- BOOL QuickIsFullyTrusted();
-
-#endif // #ifndef DACCESS_COMPILE
-};
-
-#include "securitydescriptorappdomain.inl"
-
-#endif // #define __SECURITYDESCRIPTOR_APPDOMAIN_H__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-#ifndef __SECURITYDESCRIPTORAPPDOMAIN_INL__
-#define __SECURITYDESCRIPTORAPPDOMAIN_INL__
-
-#ifndef DACCESS_COMPILE
-
-inline ApplicationSecurityDescriptor::ApplicationSecurityDescriptor(AppDomain *pAppDomain) :
- SecurityDescriptorBase<IApplicationSecurityDescriptor>(pAppDomain, NULL, NULL, pAppDomain->GetLoaderAllocator()),
- m_dwDomainWideSpecialFlags(0xFFFFFFFF),
- m_fIsInitializationInProgress(TRUE),
- m_fIsDefaultAppdomain(FALSE),
- m_fIsDefaultAppdomainEvidence(FALSE),
- m_fHomogeneous(FALSE),
- m_fRuntimeSuppliedHomogenousGrantSet(FALSE),
- m_dwHostSecurityManagerFlags(HOST_NONE),
- m_fContainsAnyRefusedPermissions(FALSE),
- m_fIsPreResolved(FALSE),
- m_fPreResolutionFullTrust(FALSE),
- m_fPreResolutionHomogeneous(FALSE)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- return;
-}
-
-
-inline void ApplicationSecurityDescriptor::ResetInitializationInProgress()
-{
- LIMITED_METHOD_CONTRACT;
- m_fIsInitializationInProgress = FALSE;
-}
-
-// Checks for one of the special domain wide flags such as if we are currently in a "fully trusted"
-// environment or if unmanaged code access is allowed at this time
-inline BOOL ApplicationSecurityDescriptor::CheckDomainWideSpecialFlag(DWORD flags) const
-{
- LIMITED_METHOD_CONTRACT;
- return (m_dwDomainWideSpecialFlags & flags);
-}
-inline void ApplicationSecurityDescriptor::SetDefaultAppDomain()
-{
- LIMITED_METHOD_CONTRACT;
- m_fIsDefaultAppdomain = TRUE;
- m_fIsDefaultAppdomainEvidence = TRUE; // Follows from the fact that this is a default AppDomain
-}
-
-inline void ApplicationSecurityDescriptor::SetDefaultAppDomainEvidence()
-{
- LIMITED_METHOD_CONTRACT;
- m_fIsDefaultAppdomainEvidence = TRUE; // This need not be a default AD, but has no evidence. So we'll use the default AD evidence
-}
-
-inline void ApplicationSecurityDescriptor::SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet)
-{
- LIMITED_METHOD_CONTRACT;
- m_fHomogeneous = TRUE;
- m_fRuntimeSuppliedHomogenousGrantSet = fRuntimeSuppliedHomogenousGrantSet;
-}
-
-
-#endif // #ifndef DACCESS_COMPILE
-
-#endif // !__SECURITYDESCRIPTORAPPDOMAIN_INL__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-#include "security.h"
-
-#ifndef DACCESS_COMPILE
-AssemblySecurityDescriptor::AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator) :
- SecurityDescriptorBase<IAssemblySecurityDescriptor>(pDomain, pAssembly, pAssembly->GetFile(), pLoaderAllocator),
- m_dwNumPassedDemands(0),
- m_pSignature(NULL),
- m_pSharedSecDesc(NULL),
- m_fMicrosoftPlatform(FALSE),
- m_fAllowSkipVerificationInFullTrust(TRUE)
-{
- CONTRACTL
- {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- } CONTRACTL_END;
-}
-
-//
-// This method will return TRUE if this assembly is allowed to skip verification.
-//
-
-BOOL AssemblySecurityDescriptor::CanSkipVerification()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(IsResolved());
- }
- CONTRACTL_END;
-
-
- // Assemblies loaded into the verification domain never get to skip verification
- // unless they are coming from the GAC.
- if (m_pAppDomain->IsVerificationDomain())
- {
- if (!m_pAssem->GetFile()->IsSourceGAC() && m_pAssem->IsIntrospectionOnly())
- {
- return FALSE;
- }
- }
-
- return CheckSpecialFlag(1 << SECURITY_SKIP_VER);
-}
-
-BOOL AssemblySecurityDescriptor::AllowSkipVerificationInFullTrust()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fAllowSkipVerificationInFullTrust;
-}
-
-//
-// This method will return TRUE if this assembly has assertion permission.
-//
-
-BOOL AssemblySecurityDescriptor::CanAssert()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << SECURITY_ASSERT);
-}
-
-//
-// This method will return TRUE if this assembly has unrestricted UI permissions.
-//
-
-BOOL AssemblySecurityDescriptor::HasUnrestrictedUIPermission()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << UI_PERMISSION);
-}
-
-//
-// Assembly transparency access methods. These methods what the default transparency level are for methods
-// and types introduced by the assembly.
-//
-
-BOOL AssemblySecurityDescriptor::IsAllCritical()
-{
- STANDARD_VM_CONTRACT;
-
- ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
- return pMsd->IsAllCritical();
-}
-
-BOOL AssemblySecurityDescriptor::IsAllSafeCritical()
-{
- STANDARD_VM_CONTRACT;
-
- ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
- return pMsd->IsAllCritical() && pMsd->IsTreatAsSafe();
-}
-
-BOOL AssemblySecurityDescriptor::IsAllPublicAreaSafeCritical()
-{
- STANDARD_VM_CONTRACT;
-
- ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
-
- bool fIsPublicAreaSafeCritical = SecurityTransparencyBehavior::GetTransparencyBehavior(pMsd->GetSecurityRuleSet())->DoesPublicImplyTreatAsSafe();
-
- return pMsd->IsAllCritical() && (pMsd->IsTreatAsSafe() || fIsPublicAreaSafeCritical);
-}
-
-BOOL AssemblySecurityDescriptor::IsAllTransparent()
-{
- STANDARD_VM_CONTRACT;
-
- ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
- return pMsd->IsAllTransparent();
-}
-
-BOOL AssemblySecurityDescriptor::QuickIsFullyTrusted()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- if (IsSystem())
- return TRUE;
-
- // See if we've already determined that the assembly is FT
- // in another AppDomain, in case this is a shared assembly.
- SharedSecurityDescriptor* pSharedSecDesc = GetSharedSecDesc();
- if (pSharedSecDesc && pSharedSecDesc->IsResolved() && pSharedSecDesc->IsFullyTrusted())
- return TRUE;
-
- return FALSE;
-}
-
-#ifndef DACCESS_COMPILE
-
-void AssemblySecurityDescriptor::PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // If we're propagating a permission set, then we don't want to allow an assembly to skip verificaiton in
- // full trust. This prevents people leapfrogging from the fully trusted anonymously hosted dynamic methods
- // assembly into running unverifiable code. (Note that we already enforce that transaprent code must only load
- // other transparent code - so this restriction simply enforces that it is truly transparent.) It would
- // be nicer to throw an exception in this case, however that would be a breaking change. Instead, since the
- // SkipVerificationInFullTrust feature has always been described as a performance optimization and nothing more,
- // we can simply turn off the optimization in these cases.
- m_fAllowSkipVerificationInFullTrust = FALSE;
-
- SetGrantedPermissionSet(GrantedPermissionSet, DeniedPermissionSet, dwSpecialFlags);
-
- // make sure the shared security descriptor is updated in case this
- // is a security descriptor for a shared assembly.
- Resolve();
-}
-
-#endif // !DACCESS_COMPILE
-
-BOOL AssemblySecurityDescriptor::IsSystem()
-{
- WRAPPER_NO_CONTRACT;
- return m_pAssem->GetFile()->IsSystem();
-}
-
-void AssemblySecurityDescriptor::Resolve()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(m_pAssem != NULL);
- INJECT_FAULT(COMPlusThrowOM(););
- SO_TOLERANT;
- } CONTRACTL_END;
-
- // Always resolve the assembly security descriptor in the new AppDomain
- if (!IsResolved())
- ResolveWorker();
-
- // Update the info in the shared security descriptor
- SharedSecurityDescriptor* pSharedSecDesc = GetSharedSecDesc();
- if (pSharedSecDesc)
- pSharedSecDesc->Resolve(this);
-}
-
-
-void AssemblySecurityDescriptor::ResolveWorker()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
-}
-
-void AssemblySecurityDescriptor::ResolvePolicy(ISharedSecurityDescriptor *pSharedSecDesc, BOOL fShouldSkipPolicyResolution)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- PRECONDITION(CheckPointer(pSharedSecDesc));
- } CONTRACTL_END;
-
- OVERRIDE_TYPE_LOAD_LEVEL_LIMIT(CLASS_LOADED);
-
- m_pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pSharedSecDesc);
-
- ETWOnStartup (SecurityCatchCall_V1, SecurityCatchCallEnd_V1);
- //
- // In V1.x, we used to check whether execution checking is enabled in caspol.exe
- // or whether the assembly has assembly requests before resolving the assembly.
- // This leads to several unnecessary complications in the code and the way assembly
- // resolution is tracked throughout the lifetime of the AssemblySecurityDescriptor.
- //
- // In Whidbey, we will always resolve the policy eagerly while the assembly is being
- // loaded. The perf concern is less of an issue in Whidbey as GAC assemblies are now
- // automatically granted FullTrust.
- //
-
- // Push this frame around resolving the assembly for security to ensure the
- // debugger can properly recognize any managed code that gets run
- // as "class initializaion" code.
- FrameWithCookie<DebuggerClassInitMarkFrame> __dcimf;
-
- Resolve();
-
- if (!fShouldSkipPolicyResolution)
- {
- // update the PLS with the grant/denied sets of the loaded assembly
- ApplicationSecurityDescriptor* pAppDomainSecDesc = static_cast<ApplicationSecurityDescriptor*>(GetDomain()->GetSecurityDescriptor());
- pAppDomainSecDesc->AddNewSecDescToPLS(this);
-
- // Make sure that module transparency information is calculated so that we can verify that if the assembly
- // is being loaded in partial trust it is transparent. This check is done in the ModuleSecurityDescriptor,
- // so we just need to force it to calculate here.
- ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly());
- pMSD->VerifyDataComputed();
- _ASSERTE(IsFullyTrusted() || pMSD->IsAllTransparent());
- }
-
- __dcimf.Pop();
-}
-
-
-Assembly* AssemblySecurityDescriptor::GetAssembly()
-{
- return m_pAssem->GetAssembly();
-}
-
-BOOL AssemblySecurityDescriptor::CanSkipPolicyResolution()
-{
- WRAPPER_NO_CONTRACT;
- Assembly* pAssembly = GetAssembly();
- return pAssembly && pAssembly->CanSkipPolicyResolution();
-}
-
-
-
-
-// Check to make sure that security will allow this assembly to load. Throw an exception if the assembly
-// should be forbidden from loading for security related purposes
-void AssemblySecurityDescriptor::CheckAllowAssemblyLoad()
-{
- STANDARD_VM_CONTRACT;
-
- if (m_pAssem->IsSystem())
- {
- return;
- }
-
- // If we're running PEVerify, then we need to allow the assembly to load in to be verified
- if (m_pAppDomain->IsVerificationDomain())
- {
- return;
- }
-
- // Similarly, in the NGEN domain we don't want to force policy resolution, and we want
- // to allow all assemblies to load
- if (m_pAppDomain->IsCompilationDomain())
- {
- return;
- }
-
- // Reflection only loads are also always allowed
- if (m_pAssem->IsIntrospectionOnly())
- {
- return;
- }
-
- if (!IsResolved())
- {
- GCX_COOP();
- Resolve();
- }
-
- if (!IsFullyTrusted() && (!m_pAppDomain->IsCompilationDomain() || !NingenEnabled()))
- {
- // Only fully trusted assemblies are allowed to be loaded when
- // the AppDomain is in the initialization phase.
- if (m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress())
- {
- COMPlusThrow(kApplicationException, W("Policy_CannotLoadSemiTrustAssembliesDuringInit"));
- }
-
-#ifdef FEATURE_COMINTEROP
- // WinRT is not supported in partial trust, so block it by throwing if a partially trusted winmd is loaded
- if (IsAfContentType_WindowsRuntime(m_pAssem->GetFile()->GetFlags()))
- {
- COMPlusThrow(kNotSupportedException, W("NotSupported_WinRT_PartialTrust"));
- }
-#endif // FEATURE_COMINTEROP
- }
-}
-
-SharedSecurityDescriptor::SharedSecurityDescriptor(Assembly *pAssembly) :
- m_pAssembly(pAssembly),
- m_fResolved(FALSE),
- m_fFullyTrusted(FALSE),
- m_fCanCallUnmanagedCode(FALSE),
- m_fCanAssert(FALSE),
- m_fMicrosoftPlatform(FALSE)
-{
- LIMITED_METHOD_CONTRACT;
-}
-
-void SharedSecurityDescriptor::Resolve(IAssemblySecurityDescriptor *pSecDesc)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(pSecDesc->IsResolved());
- }
- CONTRACTL_END;
-
- if (!m_fResolved)
- {
- m_fFullyTrusted = pSecDesc->IsFullyTrusted();
- m_fCanCallUnmanagedCode = pSecDesc->CanCallUnmanagedCode();
- m_fCanAssert = pSecDesc->CanAssert();
-
- m_fResolved = TRUE;
- }
-
- _ASSERTE(!!m_fFullyTrusted == !!pSecDesc->IsFullyTrusted());
- _ASSERTE(!!m_fCanCallUnmanagedCode == !!pSecDesc->CanCallUnmanagedCode());
- _ASSERTE(!!m_fCanAssert == !!pSecDesc->CanAssert());
-}
-
-BOOL SharedSecurityDescriptor::IsFullyTrusted()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved());
- } CONTRACTL_END;
-
- return m_fFullyTrusted;
-}
-
-BOOL SharedSecurityDescriptor::CanCallUnmanagedCode() const
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved());
- } CONTRACTL_END;
-
- return m_fCanCallUnmanagedCode;
-}
-
-BOOL SharedSecurityDescriptor::IsResolved() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fResolved;
-}
-
-BOOL SharedSecurityDescriptor::CanAssert()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved());
- } CONTRACTL_END;
-
- return m_fCanAssert;
-}
-
-BOOL SharedSecurityDescriptor::IsSystem()
-{
- WRAPPER_NO_CONTRACT;
- return m_pAssembly->IsSystem();
-}
-
-Assembly* SharedSecurityDescriptor::GetAssembly()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pAssembly;
-}
-
-SharedSecurityDescriptor *AssemblySecurityDescriptor::GetSharedSecDesc()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pSharedSecDesc;
-}
-#endif // #ifndef DACCESS_COMPILE
-
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_H__
-#define __SECURITYDESCRIPTOR_ASSEMBLY_H__
-
-#include "security.h"
-#include "securitydescriptor.h"
-struct AssemblyLoadSecurity;
-
-class Assembly;
-class DomainAssembly;
-
-// Security flags for the objects that store security information
-#define CORSEC_ASSERTED 0x000020 // Asseted permission set present on frame
-#define CORSEC_DENIED 0x000040 // Denied permission set present on frame
-#define CORSEC_REDUCED 0x000080 // Reduced permission set present on frame
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// +----[PEFileSecurityDescriptor]
-// |
-// +----[ApplicationSecurityDescriptor]
-// |
-// +----[AssemblySecurityDescriptor]
-//
-// [SharedSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-//
-// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects.
-// AppDomain and Assembly could be from different zones.
-// Security Descriptor could also be placed on a native frame.
-//
-///////////////////////////////////////////////////////////////////////////////
-
-#define MAX_PASSED_DEMANDS 10
-
-//------------------------------------------------------------------
-//
-// ASSEMBLY SECURITY DESCRIPTOR
-//
-//------------------------------------------------------------------
-
-#ifndef DACCESS_COMPILE
-void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la);
-#endif
-class AssemblySecurityDescriptor : public SecurityDescriptorBase<IAssemblySecurityDescriptor>
-{
-public:
- VPTR_VTABLE_CLASS(AssemblySecurityDescriptor, SecurityDescriptorBase<IAssemblySecurityDescriptor>)
-
-private:
- PsetCacheEntry* m_arrPassedLinktimeDemands[MAX_PASSED_DEMANDS];
- DWORD m_dwNumPassedDemands;
-
- COR_TRUST *m_pSignature; // Contains the publisher, requested permission
- SharedSecurityDescriptor *m_pSharedSecDesc; // Shared state for assemblies loaded into multiple appdomains
-
-
- BOOL m_fMicrosoftPlatform;
- BOOL m_fAllowSkipVerificationInFullTrust;
-
-#ifndef DACCESS_COMPILE
-public:
- virtual SharedSecurityDescriptor *GetSharedSecDesc();
-
- virtual BOOL CanAssert();
- virtual BOOL HasUnrestrictedUIPermission();
- virtual BOOL IsAllCritical();
- virtual BOOL IsAllSafeCritical();
- virtual BOOL IsAllPublicAreaSafeCritical();
- virtual BOOL IsAllTransparent();
- virtual BOOL IsSystem();
- BOOL QuickIsFullyTrusted();
-
- BOOL CanSkipVerification();
- virtual BOOL AllowSkipVerificationInFullTrust();
-
- virtual VOID Resolve();
-
- virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution);
-
- AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
-
- inline BOOL AlreadyPassedDemand(PsetCacheEntry *pCasDemands);
- inline void TryCachePassedDemand(PsetCacheEntry *pCasDemands);
- Assembly* GetAssembly();
-
-#ifndef DACCESS_COMPILE
- virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags);
-#endif // !DACCESS_COMPILE
-
-
-
- virtual void CheckAllowAssemblyLoad();
-
-private:
- BOOL CanSkipPolicyResolution();
- OBJECTREF UpgradePEFileEvidenceToAssemblyEvidence(const OBJECTREF& objPEFileEvidence);
-
- void ResolveWorker();
-
-
-
-#endif // #ifndef DACCESS_COMPILE
-};
-
-
-// This really isn't in the SecurityDescriptor hierarchy, per-se. It's attached
-// to the unmanaged assembly object and used to store common information when
-// the assembly is shared across multiple appdomains.
-class SharedSecurityDescriptor : public ISharedSecurityDescriptor
-{
-private:
- // Unmanaged assembly this descriptor is attached to.
- Assembly *m_pAssembly;
-
- // All policy resolution is funnelled through the shared descriptor so we
- // can guarantee everyone's using the same grant/denied sets.
- BOOL m_fResolved;
- BOOL m_fFullyTrusted;
- BOOL m_fCanCallUnmanagedCode;
- BOOL m_fCanAssert;
- BOOL m_fMicrosoftPlatform;
-
-public:
- SharedSecurityDescriptor(Assembly *pAssembly);
- virtual ~SharedSecurityDescriptor() {}
-
- // All policy resolution is funnelled through the shared descriptor so we
- // can guarantee everyone's using the same grant/denied sets.
- virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL);
- virtual BOOL IsResolved() const;
-
- // Is this assembly a system assembly?
- virtual BOOL IsSystem();
- virtual Assembly* GetAssembly();
-
- BOOL IsFullyTrusted();
- BOOL CanCallUnmanagedCode() const;
- BOOL CanAssert();
-};
-
-#include "securitydescriptorassembly.inl"
-
-#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_H__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_INL__
-#define __SECURITYDESCRIPTOR_ASSEMBLY_INL__
-
-#ifndef DACCESS_COMPILE
-
-inline BOOL AssemblySecurityDescriptor::AlreadyPassedDemand(PsetCacheEntry *pCasDemands)
-{
- LIMITED_METHOD_CONTRACT;
-
- BOOL result = false;
- for (UINT index = 0; index < m_dwNumPassedDemands; index++)
- {
- if (m_arrPassedLinktimeDemands[index] == pCasDemands)
- {
- result = true;
- break;
- }
- }
-
- return result;
-}
-
-inline void AssemblySecurityDescriptor::TryCachePassedDemand(PsetCacheEntry *pCasDemands)
-{
- LIMITED_METHOD_CONTRACT;
-
- if (m_dwNumPassedDemands <= (MAX_PASSED_DEMANDS - 1))
- m_arrPassedLinktimeDemands[m_dwNumPassedDemands++] = pCasDemands;
-}
-
-
-
-#endif // !DACCESS_COMPILE
-
-inline AssemblyLoadSecurity::AssemblyLoadSecurity() :
- m_pEvidence(NULL),
- m_pAdditionalEvidence(NULL),
- m_pGrantSet(NULL),
- m_pRefusedSet(NULL),
- m_dwSpecialFlags(0),
- m_fCheckLoadFromRemoteSource(false),
- m_fSuppressSecurityChecks(false),
- m_fPropagatingAnonymouslyHostedDynamicMethodGrant(false)
-{
- LIMITED_METHOD_CONTRACT;
- return;
-}
-
-// Should the assembly have policy resolved on it, or should it use a pre-determined grant set
-inline bool AssemblyLoadSecurity::ShouldResolvePolicy()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pGrantSet == NULL;
-}
-
-#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_INL__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securitymeta.cpp
-//
-//pre-computes security meta information, from declarative and run-time information
-//
-
-
-//
-//--------------------------------------------------------------------------
-
-
-
-#include "common.h"
-
-#include "object.h"
-#include "excep.h"
-#include "vars.hpp"
-#include "security.h"
-
-#include "perfcounters.h"
-#include "frames.h"
-#include "dllimport.h"
-#include "strongname.h"
-#include "eeconfig.h"
-#include "field.h"
-#include "threads.h"
-#include "eventtrace.h"
-#include "typestring.h"
-#include "securitydeclarative.h"
-#include "customattribute.h"
-#include "../md/compiler/custattr.h"
-
-#include "securitymeta.h"
-#include "caparser.h"
-
-void FieldSecurityDescriptor::VerifyDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- if (m_flags & FieldSecurityDescriptorFlags_IsComputed)
- {
- return;
- }
-
-
-#ifdef _DEBUG
- // If we've setup a breakpoint when we compute the transparency of this field, then stop in the debugger
- // now.
- static ConfigMethodSet fieldTransparencyBreak;
- fieldTransparencyBreak.ensureInit(CLRConfig::INTERNAL_Security_TransparencyFieldBreak);
- if (fieldTransparencyBreak.contains(m_pFD->GetName(), m_pFD->GetApproxEnclosingMethodTable()->GetDebugClassName()))
- {
- DebugBreak();
- }
-#endif // _DEBUG
-
- FieldSecurityDescriptorFlags fieldFlags = FieldSecurityDescriptorFlags_None;
-
- // check to see if the class has the critical attribute
- MethodTable* pMT = m_pFD->GetApproxEnclosingMethodTable();
- TypeSecurityDescriptor typeSecDesc(pMT);
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = m_pFD->GetModule()->GetAssembly()->GetSecurityTransparencyBehavior();
- _ASSERTE(pTransparencyBehavior);
-
- TokenSecurityDescriptor tokenSecDesc(m_pFD->GetModule(), m_pFD->GetMemberDef());
-
- // If the containing type is all transparent or all critical / safe critical, then the field must also be
- // transparent or critical / safe critical. If the type is mixed, then we need to look at the field's
- // token first to see what its transparency level is
- if (typeSecDesc.IsAllTransparent())
- {
- fieldFlags = FieldSecurityDescriptorFlags_None;
- }
- else if (typeSecDesc.IsOpportunisticallyCritical())
- {
- // Field opportunistically critical rules:
- // Level 1 -> safe critical
- // Level 2 -> critical
- // If the containing type is participating in type equivalence -> transparent
-
- if (!typeSecDesc.IsTypeEquivalent())
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsCritical;
-
- if (typeSecDesc.IsTreatAsSafe() || pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods())
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
- }
- else if (typeSecDesc.IsAllCritical())
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsCritical;
-
- if (typeSecDesc.IsTreatAsSafe())
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
- else if (pTransparencyBehavior->CanIntroducedCriticalMembersAddTreatAsSafe() &&
- (tokenSecDesc.GetMetadataFlags() & (TokenSecurityDescriptorFlags_TreatAsSafe | TokenSecurityDescriptorFlags_SafeCritical)))
- {
- // If the transparency model allows members introduced into a critical scope to add their own
- // TreatAsSafe attributes, then we need to look for a token level TreatAsSafe as well.
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
- else
- {
- fieldFlags |= pTransparencyBehavior->MapFieldAttributes(tokenSecDesc.GetMetadataFlags());
- }
-
- // TreatAsSafe from the type we're contained in always propigates to its fields
- if ((fieldFlags & FieldSecurityDescriptorFlags_IsCritical) &&
- typeSecDesc.IsTreatAsSafe())
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- // If the field is public and critical, it may additionally need to be marked treat as safe
- if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() &&
- typeSecDesc.IsTypeExternallyVisibleForTransparency() &&
- (m_pFD->IsPublic() || m_pFD->IsProtected() || IsFdFamORAssem(m_pFD->GetFieldProtection())) &&
- (fieldFlags & FieldSecurityDescriptorFlags_IsCritical) &&
- !(fieldFlags & FieldSecurityDescriptorFlags_IsTreatAsSafe))
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- // mark computed
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), fieldFlags | FieldSecurityDescriptorFlags_IsComputed);
-}
-
-
-// All callers to his method will pass in a valid memory location for pMethodSecurityDesc which they are responsible for
-// free-ing when done using it. Typically this will be a stack location for perf reasons.
-//
-// Some details about when we cache MethodSecurityDescriptors and how the linkdemand process works:
-// - When we perform the LinkTimeCheck, we follow this order of checks
-// : APTCA check
-// : Class-level declarative security using TypeSecurityDescriptor
-// : Method-level declarative security using MethodSecurityDescriptor
-// : Unmanaged-code check (if required)
-//
-// For APTCA and Unmanaged code checks, we don't have a permissionset entry in the hashtable that we use when performing the demand. Since
-// these are well-known demands, we special-case them. What this means is that we may have a MethodSecurityDescriptor that requires a linktime check
-// but does not have DeclActionInfo or TokenDeclActionInfo fields inside.
-//
-// For cases where the Type causes the Link/Inheritance demand, the MethodDesc has the flag set, but the MethodSecurityDescriptor will not have any
-// DeclActionInfo or TokenDeclActionInfo.
-//
-// And the relevance all this has to this method is the following: Don't automatically insert a MethodSecurityDescriptor into the hash table if it has
-// linktime or inheritance time check. Only do so if either of the DeclActionInfo or TokenDeclActionInfo fields are non-NULL.
-void MethodSecurityDescriptor::LookupOrCreateMethodSecurityDescriptor(MethodSecurityDescriptor* ret_methSecDesc)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(ret_methSecDesc));
- } CONTRACTL_END;
-
- _ASSERTE(CanMethodSecurityDescriptorBeCached(ret_methSecDesc->m_pMD));
-
- MethodSecurityDescriptor* pMethodSecurityDesc = (MethodSecurityDescriptor*)TokenSecurityDescriptor::LookupSecurityDescriptor(ret_methSecDesc->m_pMD);
- if (pMethodSecurityDesc == NULL)
- {
- ret_methSecDesc->VerifyDataComputedInternal();// compute all the data that is needed.
-
- // cache method security desc using some simple heuristics
- // we have some token actions computed, let us cache this method security desc
-
- if (ret_methSecDesc->GetRuntimeDeclActionInfo() != NULL ||
- ret_methSecDesc->GetTokenDeclActionInfo() != NULL ||
- // NGEN accesses MethodSecurityDescriptors frequently to check for security callouts
- IsCompilationProcess())
- {
-
- // Need to insert this methodSecDesc
- LPVOID pMem = GetAppDomain()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(MethodSecurityDescriptor)));
-
- // allocate a method security descriptor, using the appdomain heap memory
- pMethodSecurityDesc = new (pMem) MethodSecurityDescriptor(ret_methSecDesc->m_pMD);
-
- *pMethodSecurityDesc = *ret_methSecDesc; // copy over the fields
-
- MethodSecurityDescriptor* pExistingMethodSecurityDesc = NULL;
- // insert pMethodSecurityDesc into our hash table
- pExistingMethodSecurityDesc = reinterpret_cast<MethodSecurityDescriptor*>(TokenSecurityDescriptor::InsertSecurityDescriptor(ret_methSecDesc->m_pMD, (HashDatum) pMethodSecurityDesc));
- if (pExistingMethodSecurityDesc != NULL)
- {
- // if we found an existing method security desc, use it
- // no need to delete the one we had created, as we allocated it in the Appdomain heap
- pMethodSecurityDesc = pExistingMethodSecurityDesc;
- }
- }
- }
- else
- {
- *ret_methSecDesc = *pMethodSecurityDesc;
- }
-
- return;
-}
-
-BOOL MethodSecurityDescriptor::CanMethodSecurityDescriptorBeCached(MethodDesc* pMD)
-{
- LIMITED_METHOD_CONTRACT;
-
- return pMD->IsInterceptedForDeclSecurity() ||
- pMD->RequiresLinktimeCheck() ||
- pMD->RequiresInheritanceCheck()||
- pMD->IsVirtual()||
- pMD->IsMethodImpl()||
- pMD->IsLCGMethod();
-}
-
-void MethodSecurityDescriptor::VerifyDataComputedInternal()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- if (m_flags & MethodSecurityDescriptorFlags_IsComputed)
- {
- return;
- }
-
- // If the method hasn't already cached it's transparency information, then we need to calculate it here.
- // It can be cached if we're loading the method from a native image, but are creating the security
- // descriptor in order to figure out declarative security.
- if (!m_pMD->HasCriticalTransparentInfo())
- {
- ComputeCriticalTransparentInfo();
- }
-
- // compute RUN-TIME DECLARATIVE SECURITY STUFF
- // (merges both class and method level run-time declarative security info).
- if (HasRuntimeDeclarativeSecurity())
- {
- ComputeRuntimeDeclarativeSecurityInfo();
- }
-
- // compute method specific DECLARATIVE STUFF
- if (HasRuntimeDeclarativeSecurity() || HasLinkOrInheritanceDeclarativeSecurity())
- {
- ComputeMethodDeclarativeSecurityInfo();
- }
-
- // mark computed
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_IsComputed);
-}
-
-void MethodSecurityDescriptor::ComputeCriticalTransparentInfo()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
-
- MethodTable* pMT = m_pMD->GetMethodTable();
-
-#ifdef _DEBUG
- // If we've setup a breakpoint when we compute the transparency of this method, then stop in the debugger
- // now.
- static ConfigMethodSet methodTransparencyBreak;
- methodTransparencyBreak.ensureInit(CLRConfig::INTERNAL_Security_TransparencyMethodBreak);
- if (methodTransparencyBreak.contains(m_pMD->GetName(), pMT->GetDebugClassName()))
- {
- DebugBreak();
- }
-#endif // _DEBUG
-
- MethodSecurityDescriptorFlags methodFlags = MethodSecurityDescriptorFlags_None;
- TypeSecurityDescriptor typeSecDesc(pMT);
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = m_pMD->GetAssembly()->GetSecurityTransparencyBehavior();
- _ASSERTE(pTransparencyBehavior);
-
- // If the transparency model used by this method cares about the location of the introduced method,
- // then we need to figure out where the method was introduced. This is only important when the type is
- // all critical or opportunistically critical, since otherwise we'll look at the method directly anyway.
- MethodDesc *pIntroducingMD = NULL;
- bool fWasIntroducedLocally = true;
- if (pTransparencyBehavior->DoesScopeApplyOnlyToIntroducedMethods() &&
- (typeSecDesc.IsOpportunisticallyCritical() || typeSecDesc.IsAllCritical()))
- {
- if (m_pMD->IsVirtual() &&
- !m_pMD->IsInterface() &&
- m_pMD->GetSlot() < m_pMD->GetMethodTable()->GetNumVirtuals())
- {
- pIntroducingMD = m_pMD->GetMethodTable()->GetIntroducingMethodDesc(m_pMD->GetSlot());
- }
-
- fWasIntroducedLocally = pIntroducingMD == NULL || pIntroducingMD == m_pMD;
-
- //
- // #OpportunisticallyCriticalMultipleImplement
- //
- // One method can be the target of multiple interfaces and also an override of a base class. Further,
- // there could be conflicting inheritance requirements; for instance overriding a critical method and
- // implementing a transparent interface with the same method desc.
- //
- // For APTCA assemblies, we require that they seperate out to explicit interface implementations to
- // solve this problem, however we cannot push this requirement to opportunistically critical
- // assemblies. Therefore, in those assemblies we create the following non-introduced method rule:
- //
- // 1. If both the base override and all of the interfaces that a method desc is implementing have the
- // same accessibility, then the method must agree with that accessibility.
- //
- // 2. If there is a mix of transparent accessibilities, then the method desc will be safe critical.
- // This leads to a situation where a safe critical method can implement a critical interface,
- // which is not a security hole, but does create some strangeness around the fact that transparent
- // code can call the method directly but not via the interface (or base type).
- //
- // Since there is no way for all inheritance requirements to be satisfied here, we choose to
- // violate the overriding critical one because looking directly at the method will indicate that
- // it is callable from transparent, whereas allowing a critical implementation of a transparent
- // interface would create a worse situation of the method desc saying that it is not callable from
- // transparent, while it would be via the interface.
- //
- // A variation of this problem can also occur with MethodImpls. For example, a virtual method could
- // implement both a transparent and a critical virtual. This case follows the same rules laid out
- // above for interface implementations.
-
- // We need to check the interfaces and MethodImpls if we were introduced locally, or if we're
- // opportunistically critical and the introducing method was not safe critical.
- bool fCheckInterfacesAndMethodImpls = fWasIntroducedLocally;
- if (!fCheckInterfacesAndMethodImpls && typeSecDesc.IsOpportunisticallyCritical())
- {
- _ASSERTE(pIntroducingMD != NULL);
- // Make sure the introducing method has its transparency calculated
- if (!pIntroducingMD->HasCriticalTransparentInfo())
- {
- MethodSecurityDescriptor introducingMSD(pIntroducingMD);
- introducingMSD.ComputeCriticalTransparentInfo();
- }
-
- // We need to keep looking at the interfaces and MethodImpls if we override a critical method. If
- // we're overriding a safe critical or transparent method, then we'll end up being safe critical
- // anyway.
- fCheckInterfacesAndMethodImpls = pIntroducingMD->IsCritical() && !pIntroducingMD->IsTreatAsSafe();
- }
-
- if (fCheckInterfacesAndMethodImpls &&
- !m_pMD->IsCtor() &&
- !m_pMD->IsStatic())
- {
- // Interface implementation or MethodImpl that we choose to use to calculate transparency - for
- // opportunistically critical methods, this is the first safe critical / transparent method if one
- // is found, otherwise the first critical method. For all other methods, it is the first
- // interface / MethodImpl method found.
- MethodDesc *pSelectedMD = NULL;
-
- // Iterate over the implemented methods to see if we're implementing any interfaces or virtuals
- MethodImplementationIterator implementationIterator(m_pMD);
- bool fFoundTargetMethod = false;
- for (; implementationIterator.IsValid() && !fFoundTargetMethod; implementationIterator.Next())
- {
- MethodDesc *pImplementedMD = implementationIterator.Current();
-
- // If we're opportunistically critical, then we need to figure out if the implemented
- // method is critical or not, and continue looking if we only found critical methods
- // to this point.
- if (typeSecDesc.IsOpportunisticallyCritical())
- {
- // We should either have not found a candidate yet, or that candidate should be critical
- _ASSERTE(pSelectedMD == NULL ||
- (pSelectedMD->IsCritical() && !pSelectedMD->IsTreatAsSafe()));
-
- if (!pImplementedMD->HasCriticalTransparentInfo())
- {
- MethodSecurityDescriptor implementedMSD(pImplementedMD);
- implementedMSD.ComputeCriticalTransparentInfo();
- }
-
- // If this is the first interface method or MethodImpl we've seen, save it away. Otherwise,
- // we've so far implemented only critical interfaces and methods, so if we see a
- // transparent or safe critical interface method, we should note that and stop looking
- // further.
- if (!pImplementedMD->IsCritical() || pImplementedMD->IsTreatAsSafe())
- {
- pSelectedMD = pImplementedMD;
- fFoundTargetMethod = true;
- }
- else if (pSelectedMD == NULL)
- {
- pSelectedMD = pImplementedMD;
- }
- }
- else
- {
- // If we're not opportunistically critical, then we only care about the first interface
- // implementation or MethodImpl that we see.
- _ASSERTE(pSelectedMD == NULL);
- pSelectedMD = pImplementedMD;
- fFoundTargetMethod = true;
- }
- }
-
- // If we found an interface method or MethodImpl, then use that as the introducing method
- if (pSelectedMD != NULL)
- {
- pIntroducingMD = pSelectedMD;
- fWasIntroducedLocally = false;
- }
- }
-
- // If we're not working with a method that we introduced, make sure it has its transparency calculated
- // before we need to use it.
- if (!fWasIntroducedLocally && !pIntroducingMD->HasCriticalTransparentInfo())
- {
- MethodSecurityDescriptor introducingMSD(pIntroducingMD);
- introducingMSD.ComputeCriticalTransparentInfo();
- _ASSERTE(pIntroducingMD->HasCriticalTransparentInfo());
- }
- }
-
- // In a couple of cases we know the transparency of the method directly:
- // 1. If our parent type is all transparent, we must also be transparent
- // 2. If we're opprotunstically critical, then we can figure out the annotation based upon the override
- // 3. If our parent type is all critical, and we were introduced by that type, we must also be critical
- // (we could also be safe critical as well).
- //
- // Otherwise, we need to ask the current transparency implementation what this method is, because it
- // will vary depending upon if we're in legacy mode or not.
- TokenSecurityDescriptor methodTokenSecDesc(m_pMD->GetModule(), GetToken());
- if (typeSecDesc.IsAllTransparent())
- {
- methodFlags = MethodSecurityDescriptorFlags_None;
- }
- else if (typeSecDesc.IsOpportunisticallyCritical())
- {
- // Opportunistically critical methods will always be critical
- methodFlags |= MethodSecurityDescriptorFlags_IsCritical;
-
- // If we're overriding a safe critical or transparent method, we also need to be treat as safe
- //
- // Virtuals on value types have multiple entries in the method table, so we may not have mapped
- // it back to the override that it was implementing. In order to compensate for this, we simply
- // allow all virtuals in opportunistically critical value types to be safe critical. This doesn't
- // introduce any extra risk, because unless we're overriding one of the Object overloads, there is
- // nothing that transparent code can cast the ValueType to in order to access the virtual since the
- // value type itself will be critical.
- //
- // If we're in a transparency model where all opportunistically critical methods are safe critical, we
- // need to add the treat as safe bit.
- //
- // Finally, if we're in a type participating in type equivalence, then we need to add the treat as
- // safe bit. This keeps the transparency of methods in type equivalent interfaces consistent across
- // security rule sets in opportunistically critical assemblies, which allows types from v2 PIAs to
- // be embedded successfully into v4 assemblies for instance.
- if (!fWasIntroducedLocally &&
- (!pIntroducingMD->IsCritical() || pIntroducingMD->IsTreatAsSafe()))
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- else if (pMT->IsValueType() && m_pMD->IsVirtual())
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- else if (pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods())
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- else if (typeSecDesc.IsTypeEquivalent())
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
- else if (typeSecDesc.IsAllCritical() && fWasIntroducedLocally)
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsCritical;
-
- if (typeSecDesc.IsTreatAsSafe())
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- else if (pTransparencyBehavior->CanIntroducedCriticalMembersAddTreatAsSafe() &&
- (methodTokenSecDesc.GetMetadataFlags() & (TokenSecurityDescriptorFlags_TreatAsSafe | TokenSecurityDescriptorFlags_SafeCritical)))
- {
- // If the transparency model allows members introduced into a critical scope to add their own
- // TreatAsSafe attributes, then we need to look for a token level TreatAsSafe as well.
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
- else
- {
- // We don't have a larger scope that tells us what to do with the method, so ask the transparency
- // implementation to map our attributes to a set of flags
- methodFlags |= pTransparencyBehavior->MapMethodAttributes(methodTokenSecDesc.GetMetadataFlags());
- }
-
- // TreatAsSafe from the type we're contained in always propigates to its methods
- if (fWasIntroducedLocally &&
- (methodFlags & MethodSecurityDescriptorFlags_IsCritical) &&
- typeSecDesc.IsTreatAsSafe())
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- // The compiler can introduce default constructors implicitly, and for an explicitly critical type they
- // will always be transparent - resulting in a type load exception. If we are a transparent default .ctor
- // of an explicitly critical type, then we'll switch to being safe critical to allow the type to load and
- // allow us access to our this pointer
- if (!typeSecDesc.IsAllCritical() &&
- typeSecDesc.IsCritical() &&
- !(methodFlags & MethodSecurityDescriptorFlags_IsCritical) &&
- m_pMD->IsCtor())
- {
- if (pMT->HasDefaultConstructor() &&
- pMT->GetDefaultConstructor() == m_pMD)
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsCritical |
- MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- // See if we're a public critical method, then we may need to additionally make ourselves treat as safe
- if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() &&
- typeSecDesc.IsTypeExternallyVisibleForTransparency() &&
- (m_pMD->IsPublic() || m_pMD->IsProtected() || IsMdFamORAssem(m_pMD->GetAttrs())) &&
- (methodFlags & MethodSecurityDescriptorFlags_IsCritical) &&
- !(methodFlags & MethodSecurityDescriptorFlags_IsTreatAsSafe))
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- // Cache our state on the MethodDesc
- m_pMD->SetCriticalTransparentInfo(methodFlags & MethodSecurityDescriptorFlags_IsCritical,
- methodFlags & MethodSecurityDescriptorFlags_IsTreatAsSafe);
-}
-
-void MethodSecurityDescriptor::ComputeRuntimeDeclarativeSecurityInfo()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- // Load declarative security attributes
- _ASSERTE(HasRuntimeDeclarativeSecurity());
- m_declFlagsDuringPreStub = m_pMD->GetSecurityFlagsDuringPreStub();
- _ASSERTE(m_declFlagsDuringPreStub && " Expected some runtime security action");
- m_pRuntimeDeclActionInfo = SecurityDeclarative::DetectDeclActions(m_pMD, m_declFlagsDuringPreStub);
-}
-
-void MethodSecurityDescriptor::ComputeMethodDeclarativeSecurityInfo()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- DWORD flags = 0;
-
- _ASSERTE(HasRuntimeDeclarativeSecurity()|| HasLinkOrInheritanceDeclarativeSecurity());
- DWORD dwDeclFlags;
- HRESULT hr = SecurityDeclarative::GetDeclarationFlags(GetIMDInternalImport(), GetToken(), &dwDeclFlags, NULL, NULL);
-
- if (SUCCEEDED(hr))
- {
- GCX_COOP();
- PsetCacheEntry *tokenSetIndexes[dclMaximumValue + 1];
- SecurityDeclarative::DetectDeclActionsOnToken(GetToken(), dwDeclFlags, tokenSetIndexes, GetIMDInternalImport());
-
- // Create single linked list of set indexes
- DWORD dwLocalAction;
- bool builtInCASPermsOnly = TRUE;
- for (dwLocalAction = 0; dwLocalAction <= dclMaximumValue; dwLocalAction++)
- {
- if (tokenSetIndexes[dwLocalAction] != NULL)
- {
- TokenDeclActionInfo::LinkNewDeclAction(&m_pTokenDeclActionInfo, (CorDeclSecurity)dwLocalAction, tokenSetIndexes[dwLocalAction]);
- builtInCASPermsOnly = builtInCASPermsOnly && (tokenSetIndexes[dwLocalAction]->ContainsBuiltinCASPermsOnly(dwLocalAction));
- }
- }
-
- if (builtInCASPermsOnly)
- flags |= MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly;
- SecurityProperties sp(dwDeclFlags);
- if (sp.FDemandsOnly())
- flags |= MethodSecurityDescriptorFlags_IsDemandsOnly;
- if (sp.FAssertionsExist())
- {
- // Do a check to see if the assembly has been granted permission to assert and let's cache that value in the MethodSecurityDesriptor
- Module* pModule = m_pMD->GetModule();
- PREFIX_ASSUME_MSG(pModule != NULL, "Should be a Module pointer here");
-
- if (Security::CanAssert(pModule))
- {
- flags |= MethodSecurityDescriptorFlags_AssertAllowed;
- }
- }
- }
-
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), flags);
-}
-
-void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pChildMD));
- }
- CONTRACTL_END;
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = pChildMD->GetAssembly()->GetSecurityTransparencyBehavior();
- if (pTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled())
- {
- // The profiler may want to suppress these checks if it's currently running on the child type
- if (Security::BypassSecurityChecksForProfiler(pChildMD))
- {
- return;
- }
-
- /*
- Allowed Inheritance Patterns (cannot change accessibility)
- ----------------------------
-
- Base Class/Method Derived Class/ Method
- ----------------- ---------------------
- Transparent Transparent
- Transparent SafeCritical
- SafeCritical SafeCritical
- SafeCritical Transparent
- Critical Critical
-
-
- Disallowed Inheritance patterns
- -------------------------------
-
- Base Class/Method Derived Class /Method
- ----------------- ---------------------
- Transparent Critical
- SafeCritical Critical
- Critical Transparent
- Critical SafeCritical
- */
-
- MethodSecurityDescriptor methSecurityDescriptor(pChildMD, FALSE);
- TokenSecurityDescriptor methTokenSecurityDescriptor(pChildMD->GetModule(), pChildMD->GetMemberDef());
- if (IsCritical())
- {
- if (IsTreatAsSafe())
- {
- // Base: SafeCritical. Check if Child is Critical
- if (methSecurityDescriptor.IsCritical() && !methSecurityDescriptor.IsTreatAsSafe())
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a SafeCritical base method", m_pMD);
- }
-#endif // _DEBUG
- SecurityTransparent::ThrowTypeLoadException(pChildMD);
- }
- }
- else
- {
- // Base: Critical.
- if (!methSecurityDescriptor.IsCritical())
- {
- // Child is transparent
- // throw
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMD, "Transparent method overriding a critical base method", m_pMD);
- }
-#endif // _DEBUG
- SecurityTransparent::ThrowTypeLoadException(pChildMD);
- }
- else if (methSecurityDescriptor.IsTreatAsSafe() && !methSecurityDescriptor.IsOpportunisticallyCritical())
- {
- // The child is safe critical and not opportunistically critical (see code:#OpportunisticallyCriticalMultipleImplement)
- // throw.
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMD, "Safe critical method overriding a SafeCritical base method", m_pMD);
- }
-#endif // _DEBUG
- SecurityTransparent::ThrowTypeLoadException(pChildMD);
- }
- }
- }
- else
- {
- // Base: Transparent. Throw if derived is Critical and not SafeCritical
- if (methSecurityDescriptor.IsCritical() && !methSecurityDescriptor.IsTreatAsSafe())
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a transparent base method", m_pMD);
- }
-#endif // _DEBUG
- SecurityTransparent::ThrowTypeLoadException(pChildMD);
- }
- }
- }
-
-}
-
-MethodSecurityDescriptor::MethodImplementationIterator::MethodImplementationIterator(MethodDesc *pMD)
- : m_interfaceIterator(pMD->GetMethodTable()),
- m_pMD(pMD),
- m_iMethodImplIndex(0),
- m_fInterfaceIterationBegun(false),
- m_fMethodImplIterationBegun(false)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(pMD != NULL);
- }
- CONTRACTL_END;
-
- Next();
-}
-
-MethodDesc *MethodSecurityDescriptor::MethodImplementationIterator::Current()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(IsValid());
- }
- CONTRACTL_END;
-
- if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid())
- {
- _ASSERTE(m_fInterfaceIterationBegun);
- MethodTable *pInterface = m_pMD->GetMethodTable()->LookupDispatchMapType(m_interfaceIterator.Entry()->GetTypeID());
- return pInterface->GetMethodDescForSlot(m_interfaceIterator.Entry()->GetSlotNumber());
- }
- else
- {
- _ASSERTE(m_fMethodImplIterationBegun);
- _ASSERTE(m_pMD->IsMethodImpl());
- _ASSERTE(m_iMethodImplIndex < m_pMD->GetMethodImpl()->GetSize());
- return m_pMD->GetMethodImpl()->GetImplementedMDs()[m_iMethodImplIndex];
- }
-}
-
-bool MethodSecurityDescriptor::MethodImplementationIterator::IsValid()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- // We're valid as long as we still have interface maps or method impls to process
- if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid())
- {
- return true;
- }
- else if (m_pMD->IsMethodImpl())
- {
- return m_iMethodImplIndex < m_pMD->GetMethodImpl()->GetSize();
- }
- else
- {
- return false;
- }
-}
-
-void MethodSecurityDescriptor::MethodImplementationIterator::Next()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- bool fFoundImpl = false;
-
- // First iterate over the interface implementations
- if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid())
- {
- while (m_interfaceIterator.IsValid() && !fFoundImpl)
- {
- // If we haven't yet begun iterating interfaces then don't call Next right away - otherwise
- // we'll potentially skip over the first interface method.
- if (m_fInterfaceIterationBegun)
- {
- m_interfaceIterator.Next();
- }
- else
- {
- m_fInterfaceIterationBegun = true;
- }
-
- if (m_interfaceIterator.IsValid())
- {
- _ASSERTE(!m_interfaceIterator.Entry()->GetTypeID().IsThisClass());
- fFoundImpl = (m_interfaceIterator.Entry()->GetTargetSlotNumber() == m_pMD->GetSlot());
- }
- }
- }
-
- // Once we're done with the interface implementations, check for a MethodImpl
- if (!fFoundImpl && m_pMD->IsMethodImpl())
- {
- MethodImpl * pMethodImpl = m_pMD->GetMethodImpl();
- while ((m_iMethodImplIndex < pMethodImpl->GetSize()) && !fFoundImpl)
- {
- // If we haven't yet begun iterating method impls then don't move to the next element right away
- // - otehrwise we'll potentially skip over the first MethodImpl
- if (m_fMethodImplIterationBegun)
- {
- ++m_iMethodImplIndex;
- }
- else
- {
- m_fMethodImplIterationBegun = true;
- }
-
- if (m_iMethodImplIndex < pMethodImpl->GetSize())
- {
- // Skip over the interface MethodImpls since we already processed those
- fFoundImpl = !pMethodImpl->GetImplementedMDs()[m_iMethodImplIndex]->IsInterface();
- }
- }
- }
-} // MethodSecurityDescriptor::MethodImplementationIterator::Next
-
-TypeSecurityDescriptor* TypeSecurityDescriptor::GetTypeSecurityDescriptor(MethodTable* pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- TypeSecurityDescriptor* pTypeSecurityDesc =NULL;
-
-
- pTypeSecurityDesc = (TypeSecurityDescriptor*)TokenSecurityDescriptor::LookupSecurityDescriptor(pMT);
- if (pTypeSecurityDesc == NULL)
- {
- // didn't find a security descriptor, create one and insert it
- LPVOID pMem = GetAppDomain()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(TypeSecurityDescriptor)));
-
- // allocate a security descriptor, using the appdomain help memory
- pTypeSecurityDesc = new (pMem) TypeSecurityDescriptor(pMT);
- pTypeSecurityDesc->VerifyDataComputedInternal(); // compute all the data that is needed.
-
- TypeSecurityDescriptor* pExistingTypeSecurityDesc = NULL;
- // insert securitydesc into our hash table
- pExistingTypeSecurityDesc = (TypeSecurityDescriptor*)TokenSecurityDescriptor::InsertSecurityDescriptor(pMT, (HashDatum) pTypeSecurityDesc);
- if (pExistingTypeSecurityDesc != NULL)
- {
- // if we found an existing security desc, use it
- // no need to delete the one we had created, as we allocated it in the Appdomain help
- pTypeSecurityDesc = pExistingTypeSecurityDesc;
- }
- }
-
- return pTypeSecurityDesc;
-}
-
-
-void TypeSecurityDescriptor::ComputeCriticalTransparentInfo()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
-
-#ifdef _DEBUG
- // If we've setup a breakpoint when we compute the transparency of this type, then stop in the debugger now
- SString strTypeTransparencyBreak(CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_TransparencyTypeBreak));
- SString strClassName(SString::Utf8, m_pMT->GetDebugClassName());
- if (strTypeTransparencyBreak.EqualsCaseInsensitive(strClassName))
- {
- // Do not break in fuzzed assemblies where class name can be empty
- if (!strClassName.IsEmpty())
- {
- DebugBreak();
- }
- }
-#endif // _DEBUG
-
- // check to see if the assembly has the critical attribute
- Assembly* pAssembly = m_pMT->GetAssembly();
- _ASSERTE(pAssembly);
- ModuleSecurityDescriptor* pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pAssembly);
- pModuleSecDesc->VerifyDataComputed();
-
- EEClass *pClass = m_pMT->GetClass();
- TypeSecurityDescriptorFlags typeFlags = TypeSecurityDescriptorFlags_None;
-
- // If we're contained within another type, then we inherit the transparency of that type. Otherwise we
- // check the module to see what type of transparency we have.
- if (pClass->IsNested())
- {
- // If the type is nested, see if the outer class tells us what our transparency is. Note that we cannot
- // use a TypeSecurityDescriptor here since we may still be in the process of loading our outer type.
- TokenSecurityDescriptor enclosingTokenSecurityDescriptor(m_pMT->GetModule(), m_pMT->GetEnclosingCl());
- if (enclosingTokenSecurityDescriptor.IsSemanticCritical())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical;
- }
-
- // We want to propigate the TreatAsSafe bit even if the outer class is not critical because in the legacy
- // transparency model you could have a TAS but not critical type, and the TAS propigated to all nested
- // types.
- if (enclosingTokenSecurityDescriptor.IsSemanticTreatAsSafe())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = m_pMT->GetAssembly()->GetSecurityTransparencyBehavior();
- _ASSERTE(pTransparencyBehavior);
-
- // If we're not nested, or if the outer type didn't give us enough information to determine what we were,
- // then we need to look at the module to see what we are.
- if (typeFlags == TypeSecurityDescriptorFlags_None)
- {
- if (pModuleSecDesc->IsAllTransparent())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsAllTransparent;
- }
- else if (pModuleSecDesc->IsOpportunisticallyCritical())
- {
- // In level 1 transparency, opportunistically critical types are transparent, in level 2 they
- // are critical. However, this causes problems when doing type equivalence between levels (for
- // instance a type from a v2 PIA which was embedded into a v4 assembly). In order to allow type
- // equivalence to work across security rule sets, we consider all types participating in
- // equivalence to be transparent under the opportunistically critical rules:
- // Participating in equivalence -> Transparent
- // Level 1 -> Transparent
- // Level 2 -> All critical
- if (!pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods() &&
- !IsTypeEquivalent())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical;
- }
- }
- else if (pModuleSecDesc->IsAllCritical())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical;
- if (pModuleSecDesc->IsTreatAsSafe())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
- }
-
- // We need to look at the type token for more information if we still don't know if we're transparent or
- // critical. This can also happen if the type is in an opportunistically critical module, however the
- // transparency model requires opportunistically critical types to be transparent. In this case, we need
- // to make sure that we do not look at the metadata token.
- TokenSecurityDescriptor classTokenSecurityDescriptor(m_pMT->GetModule(),
- m_pMT->GetCl());
-
- const TypeSecurityDescriptorFlags transparencyMask = TypeSecurityDescriptorFlags_IsCritical |
- TypeSecurityDescriptorFlags_IsAllCritical |
- TypeSecurityDescriptorFlags_IsAllTransparent;
-
- if (!(typeFlags & transparencyMask) &&
- !pModuleSecDesc->IsOpportunisticallyCritical())
- {
- // First, ask the transparency behavior implementation to map from the metadata attributes to the real
- // behavior that we should be seeing.
- typeFlags |= pTransparencyBehavior->MapTypeAttributes(classTokenSecurityDescriptor.GetMetadataFlags());
-
- // If we still don't know what the transparency of the type is, then we're transparent, but not all
- // transparent. That implies that we're in a mixed assembly.
- _ASSERTE((typeFlags & transparencyMask) || pModuleSecDesc->IsMixedTransparency());
- }
-
- // If the transparency behavior dictates that publics must be safe critical, then also set the treat as safe bit.
- if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() &&
- ((typeFlags & TypeSecurityDescriptorFlags_IsCritical) || (typeFlags & TypeSecurityDescriptorFlags_IsAllCritical)) &&
- !(typeFlags & TypeSecurityDescriptorFlags_IsTreatAsSafe))
- {
- if (IsTypeExternallyVisibleForTransparency())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- // It is common for a v2 assembly to mark a delegate type as explicitly critical rather than all critical,
- // since in C# the syntax for creating a delegate type does not make it obvious that a new type is being
- // defined. That leads to situations where we commonly have critical types with transparent memebers -
- // a nonsense scenario that we reject due to the members not having access to their own this pointer.
- //
- // For compatibility, we implicitly convert all explicitly critical delegate types into all critical
- // types, which is likely what the code intended in the first place, and allows delegate types which
- // loaded on v2.0 to continue to load on future runtimes.
- //
- // Note: While loading BCL classes, we may be running this codepath before it is safe to call MethodTable::IsDelegate.
- // That call can only happen after CLASS__MULTICASTDELEGATE has been loaded. However, we should not have any
- // explicit critical Delegate types in mscorlib (that can only happen if you're loading v2.0 assembly or have SecurityScope.Explicit).
- if ((typeFlags & TypeSecurityDescriptorFlags_IsCritical) &&
- !(typeFlags & TypeSecurityDescriptorFlags_IsAllCritical) &&
- m_pMT->IsDelegate())
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical;
- }
-
- // Update the cached values in the EE Class.
- g_IBCLogger.LogEEClassCOWTableAccess(m_pMT);
- pClass->SetCriticalTransparentInfo(
- typeFlags & TypeSecurityDescriptorFlags_IsTreatAsSafe,
- typeFlags & TypeSecurityDescriptorFlags_IsAllTransparent,
- typeFlags & TypeSecurityDescriptorFlags_IsAllCritical);
-}
-
-void TypeSecurityDescriptor::ComputeTypeDeclarativeSecurityInfo()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // if method doesn't have any security return
- if (!IsTdHasSecurity(m_pMT->GetAttrClass()))
- {
- return;
- }
-
- DWORD dwDeclFlags;
- HRESULT hr = SecurityDeclarative::GetDeclarationFlags(GetIMDInternalImport(), GetToken(), &dwDeclFlags, NULL, NULL);
-
- if (SUCCEEDED(hr))
- {
- GCX_COOP();
- PsetCacheEntry *tokenSetIndexes[dclMaximumValue + 1];
- SecurityDeclarative::DetectDeclActionsOnToken(GetToken(), dwDeclFlags, tokenSetIndexes, GetIMDInternalImport());
-
- // Create single linked list of set indexes
- DWORD dwLocalAction;
- for (dwLocalAction = 0; dwLocalAction <= dclMaximumValue; dwLocalAction++)
- {
- if (tokenSetIndexes[dwLocalAction] != NULL)
- {
- TokenDeclActionInfo::LinkNewDeclAction(&m_pTokenDeclActionInfo,
- (CorDeclSecurity)dwLocalAction,
- tokenSetIndexes[dwLocalAction]);
- }
- }
- }
-}
-
-BOOL TypeSecurityDescriptor::CanTypeSecurityDescriptorBeCached(MethodTable* pMT)
-{
- LIMITED_METHOD_CONTRACT;
-
- EEClass *pClass = pMT->GetClass();
- return pClass->RequiresLinktimeCheck() ||
- pClass->RequiresInheritanceCheck() ||
- // NGEN accesses security descriptors frequently to check for security callouts
- IsCompilationProcess();
-}
-
-BOOL TypeSecurityDescriptor::IsTypeExternallyVisibleForTransparency()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(m_pMT->GetAssembly()->GetSecurityTransparencyBehavior()->DoesPublicImplyTreatAsSafe());
- }
- CONTRACTL_END;
-
- if (m_pMT->IsExternallyVisible())
- {
- // If the type is genuinely externally visible, then it is also visible for transparency
- return TRUE;
- }
- else if (m_pMT->IsGlobalClass())
- {
- // Global methods are externally visible
- return TRUE;
- }
- else if (m_pMT->IsSharedByGenericInstantiations())
- {
- TokenSecurityDescriptor tokenSecDesc(m_pMT->GetModule(), m_pMT->GetCl());
-
- // Canonical method tables for shared generic instantiations will appear to us as
- // GenericClass<__Canon>, rather than the actual generic type parameter, and since __Canon is not
- // public, these method tables will not appear to be public either.
- //
- // For these types, we'll look at the metadata directly, and ignore generic parameters to see
- // if the type is public. Note that this will under-enforce; for instance G<CriticalRefType> will
- // have it's G<__Canon> calls refered to as safe critical (which is necessary, since G<__Canon>
- // is also the canonical representation for G<TransparentRefType>. We rely on the checks done by
- // CheckTransparentAccessToCriticalCode in the CanAccess code path to reject any attempts to use
- // the generic type over a critical parameter.
- if (tokenSecDesc.IsSemanticExternallyVisible())
- {
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-void TypeSecurityDescriptor::VerifyDataComputedInternal()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- if (m_fIsComputed)
- {
- return;
- }
-
- // If the type hasn't already cached it's transparency information, then we need to calculate it here. It
- // can be cached if we're loading the type from a native image, but are creating the security descriptor
- // in order to figure out declarative security.
- if (!m_pMT->GetClass()->HasCriticalTransparentInfo())
- {
- ComputeCriticalTransparentInfo();
- }
-
- // COMPUTE Type DECLARATIVE SECURITY INFO
- ComputeTypeDeclarativeSecurityInfo();
-
- // mark computed
- InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_fIsComputed), TRUE, FALSE);
-}
-
-void TypeSecurityDescriptor::InvokeInheritanceChecks(MethodTable* pChildMT)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pChildMT));
- }
- CONTRACTL_END;
-
- const SecurityTransparencyBehavior *pChildTransparencyBehavior = pChildMT->GetAssembly()->GetSecurityTransparencyBehavior();
- if (pChildTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled())
- {
- // We compare the child class with the most critical base class in the type hierarchy.
- //
- // We can stop walking the inheritance chain if we find a type that also enforces inheritance rules,
- // since we know that it must be at least as critical as the most critical of all its base types.
- // Similarly, we can stop walking when we find a critical parent, because we know that this is the
- // most critical we can get.
- bool fFoundCriticalParent = false;
- bool fFoundSafeCriticalParent = false;
- bool fFoundParentWithEnforcedInheritance = false;
-
- for (MethodTable *pParentMT = m_pMT;
- pParentMT != NULL && !fFoundParentWithEnforcedInheritance && !fFoundCriticalParent;
- pParentMT = pParentMT->GetParentMethodTable())
- {
- EEClass *pParentClass = pParentMT->GetClass();
-
- // Make sure this parent class has its transparency information computed
- if (!pParentClass->HasCriticalTransparentInfo())
- {
- TypeSecurityDescriptor parentSecurityDescriptor(pParentMT);
- parentSecurityDescriptor.ComputeCriticalTransparentInfo();
- }
-
- // See if it is critical or safe critical
- if (pParentClass->IsCritical() && pParentClass->IsTreatAsSafe())
- {
- fFoundSafeCriticalParent = true;
- }
- else if (pParentClass->IsCritical() && !pParentClass->IsTreatAsSafe())
- {
- fFoundCriticalParent = true;
- }
-
- // If this parent class enforced transparency, we can stop looking at further parents
- const SecurityTransparencyBehavior *pParentTransparencyBehavior = pParentMT->GetAssembly()->GetSecurityTransparencyBehavior();
- fFoundParentWithEnforcedInheritance = pParentTransparencyBehavior->AreInheritanceRulesEnforced();
- }
-
- /*
- Allowed Inheritance Patterns
- ----------------------------
-
- Base Class/Method Derived Class/ Method
- ----------------- ---------------------
- Transparent Transparent
- Transparent SafeCritical
- Transparent Critical
- SafeCritical SafeCritical
- SafeCritical Critical
- Critical Critical
-
-
- Disallowed Inheritance patterns
- -------------------------------
-
- Base Class/Method Derived Class /Method
- ----------------- ---------------------
- SafeCritical Transparent
- Critical Transparent
- Critical SafeCritical
- */
-
- // Make sure the child class has its transparency calculated
- EEClass *pChildClass = pChildMT->GetClass();
- if (!pChildClass->HasCriticalTransparentInfo())
- {
- TypeSecurityDescriptor childSecurityDescriptor(pChildMT);
- childSecurityDescriptor.ComputeCriticalTransparentInfo();
- }
-
- if (fFoundCriticalParent)
- {
- if (!pChildClass->IsCritical() || pChildClass->IsTreatAsSafe())
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMT, "Transparent or safe critical type deriving from a critical base type");
- }
-#endif // _DEBUG
- // The parent class is critical, but the child class is not
- SecurityTransparent::ThrowTypeLoadException(pChildMT);
- }
- }
- else if (fFoundSafeCriticalParent)
- {
- if (!pChildClass->IsCritical())
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pChildMT, "Transparent type deriving from a safe critical base type");
- }
-#endif // _DEBUG
- // The parent class is safe critical, but the child class is transparent
- SecurityTransparent::ThrowTypeLoadException(pChildMT);
- }
- }
- }
-
-}
-
-// Module security descriptor contains static security information about the module
-// this information could get persisted in the NGen image
-void ModuleSecurityDescriptor::VerifyDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- if (m_flags & ModuleSecurityDescriptorFlags_IsComputed)
- {
- return;
- }
-
-
- // Read the security attributes from the assembly
- Assembly *pAssembly = m_pModule->GetAssembly();
-
- // Get the metadata flags on the assembly. Note that we cannot use a TokenSecurityDescriptor directly
- // here because Reflection.Emit may have overriden the metadata flags with different ones of its own
- // choosing.
- TokenSecurityDescriptorFlags tokenFlags = GetTokenFlags();
-
-
-
- // Get a transparency behavior object for the assembly.
- const SecurityTransparencyBehavior *pTransparencyBehavior =
- SecurityTransparencyBehavior::GetTransparencyBehavior(GetSecurityRuleSet());
- pAssembly->SetSecurityTransparencyBehavior(pTransparencyBehavior);
-
- ModuleSecurityDescriptorFlags moduleFlags = pTransparencyBehavior->MapModuleAttributes(tokenFlags);
-
- AssemblySecurityDescriptor *pAssemSecDesc = static_cast<AssemblySecurityDescriptor*>(pAssembly->GetSecurityDescriptor());
-
- // We shouldn't be both all transparent and all critical
- const ModuleSecurityDescriptorFlags invalidMask = ModuleSecurityDescriptorFlags_IsAllCritical |
- ModuleSecurityDescriptorFlags_IsAllTransparent;
- if ((moduleFlags & invalidMask) == invalidMask)
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pAssembly, "Found both critical and transparent assembly level annotations");
- }
- if (!g_pConfig->DisableTransparencyEnforcement())
-#endif // _DEBUG
- {
- COMPlusThrow(kInvalidOperationException, W("InvalidOperation_CriticalTransparentAreMutuallyExclusive"));
- }
- }
-
- const ModuleSecurityDescriptorFlags transparencyMask = ModuleSecurityDescriptorFlags_IsAllCritical |
- ModuleSecurityDescriptorFlags_IsAllTransparent |
- ModuleSecurityDescriptorFlags_IsTreatAsSafe |
- ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical;
-
- // See if the assembly becomes implicitly transparent if loaded in partial trust
- if (pTransparencyBehavior->DoesPartialTrustImplyAllTransparent())
- {
- if (!pAssemSecDesc->IsFullyTrusted())
- {
- moduleFlags &= ~transparencyMask;
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent;
-
- moduleFlags |= ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust;
-
- SString strAssemblyName;
- pAssembly->GetDisplayName(strAssemblyName);
- LOG((LF_SECURITY,
- LL_INFO10,
- "Assembly '%S' was loaded in partial trust and was made implicitly all transparent.\n",
- strAssemblyName.GetUnicode()));
- }
- }
-
- // If the assembly is not allowed to use the SkipVerificationInFullTrust optimization, then disable that bit
- if (!pAssembly->GetSecurityDescriptor()->AllowSkipVerificationInFullTrust())
- {
- moduleFlags &= ~ModuleSecurityDescriptorFlags_SkipFullTrustVerification;
- }
-
- // Make sure that if the assembly is being loaded in partial trust that it is all transparent. This is a
- // change from v2.0 rules, and for compatibility we use the DoesPartialTrustImplyAllTransparent check to
- // ensure that v2 assemblies can load in partial trust unmodified. This change does allow us to follow
- // the CoreCLR model of using transparency for security enforcement, rather than the v2.0 model of using
- // transparency only for audit.
- if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted() &&
- !(moduleFlags & ModuleSecurityDescriptorFlags_IsAllTransparent))
- {
- SString strAssemblyName;
- pAssembly->GetDisplayName(strAssemblyName);
-
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pAssembly, "Attempt to load an assembly which is not fully transparent in partial trust");
- }
- if (g_pConfig->DisableTransparencyEnforcement())
- {
- SecurityTransparent::LogTransparencyError(pAssembly, "Forcing partial trust assembly to be fully transparent");
- if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted())
- {
- moduleFlags &= ~transparencyMask;
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent;
-
- }
- }
- else
-#endif // _DEBUG
- {
- COMPlusThrow(kFileLoadException, IDS_E_LOAD_CRITICAL_IN_PARTIAL_TRUST, strAssemblyName.GetUnicode());
- }
- }
-
-
-#ifdef _DEBUG
- // If we're being forced to generate native code for this assembly which can be used in a partial trust
- // context, then we need to ensure that the assembly is entirely transparent -- otherwise the code may
- // perform a critical operation preventing the ngen image from being loaded into partial trust.
- if (CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_NGenForPartialTrust) != 0)
- {
- moduleFlags &= ~transparencyMask;
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent;
- }
-#endif // _DEBUG
-
- // Mark the module as having its security state computed
- moduleFlags |= ModuleSecurityDescriptorFlags_IsComputed;
- InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_flags),
- moduleFlags,
- ModuleSecurityDescriptorFlags_None);
-
- // If this assert fires, we ended up racing to different outcomes
- _ASSERTE(m_flags == moduleFlags);
-}
-
-
-ModuleSecurityDescriptor* ModuleSecurityDescriptor::GetModuleSecurityDescriptor(Assembly *pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-
- Module* pModule = pAssembly->GetManifestModule();
- _ASSERTE(pModule);
-
- ModuleSecurityDescriptor* pModuleSecurityDesc = pModule->m_pModuleSecurityDescriptor;
- _ASSERTE(pModuleSecurityDesc);
-
- return pModuleSecurityDesc;
-}
-
-#ifdef FEATURE_NATIVE_IMAGE_GENERATION
-VOID ModuleSecurityDescriptor::Save(DataImage *image)
-{
- STANDARD_VM_CONTRACT;
- VerifyDataComputed();
- image->StoreStructure(this,
- sizeof(ModuleSecurityDescriptor),
- DataImage::ITEM_MODULE_SECDESC);
-}
-
-VOID ModuleSecurityDescriptor::Fixup(DataImage *image)
-{
- STANDARD_VM_CONTRACT;
- image->FixupPointerField(this, offsetof(ModuleSecurityDescriptor, m_pModule));
-}
-#endif
-
-#if defined(FEATURE_CORESYSTEM)
-
-//---------------------------------------------------------------------------------------
-//
-// Parse an APTCA blob into its corresponding token security descriptor flags.
-//
-
-TokenSecurityDescriptorFlags ParseAptcaAttribute(const BYTE *pbAptcaBlob, DWORD cbAptcaBlob)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pbAptcaBlob));
- }
- CONTRACTL_END;
-
- TokenSecurityDescriptorFlags aptcaFlags = TokenSecurityDescriptorFlags_None;
-
- CustomAttributeParser cap(pbAptcaBlob, cbAptcaBlob);
- if (SUCCEEDED(cap.SkipProlog()))
- {
- aptcaFlags |= TokenSecurityDescriptorFlags_APTCA;
-
- // Look for the PartialTrustVisibilityLevel named argument
- CaNamedArg namedArgs[1] = {{0}};
- namedArgs[0].InitI4FieldEnum(g_PartialTrustVisibilityLevel, g_SecurityPartialTrustVisibilityLevel);
-
- if (SUCCEEDED(ParseKnownCaNamedArgs(cap, namedArgs, _countof(namedArgs))))
- {
- // If we have a partial trust visiblity level, then we may additionally be conditionally APTCA.
- PartialTrustVisibilityLevel visibilityLevel = static_cast<PartialTrustVisibilityLevel>(namedArgs[0].val.u4);
- if (visibilityLevel == PartialTrustVisibilityLevel_NotVisibleByDefault)
- {
- aptcaFlags |= TokenSecurityDescriptorFlags_ConditionalAPTCA;
- }
- }
- }
-
- return aptcaFlags;
-}
-
-#endif // defined(FEATURE_CORESYSTEM)
-
-//---------------------------------------------------------------------------------------
-//
-// Parse a security rules attribute blob into its corresponding token security descriptor
-// flags.
-//
-
-TokenSecurityDescriptorFlags ParseSecurityRulesAttribute(const BYTE *pbSecurityRulesBlob,
- DWORD cbSecurityRulesBlob)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pbSecurityRulesBlob));
- }
- CONTRACTL_END;
-
- TokenSecurityDescriptorFlags rulesFlags = TokenSecurityDescriptorFlags_None;
-
- CustomAttributeParser cap(pbSecurityRulesBlob, cbSecurityRulesBlob);
- if (SUCCEEDED(cap.SkipProlog()))
- {
- rulesFlags |= TokenSecurityDescriptorFlags_SecurityRules;
-
- // Read out the version number
- UINT8 bRulesLevel = 0;
- if (SUCCEEDED(cap.GetU1(&bRulesLevel)))
- {
- rulesFlags |= EncodeSecurityRuleSet(static_cast<SecurityRuleSet>(bRulesLevel));
- }
-
- // See if the attribute specified that full trust transparent code should not be verified
- CaNamedArg skipVerificationArg;
- skipVerificationArg.InitBoolField("SkipVerificationInFullTrust", FALSE);
- if (SUCCEEDED(ParseKnownCaNamedArgs(cap, &skipVerificationArg, 1)))
- {
- if (skipVerificationArg.val.boolean)
- {
- rulesFlags |= TokenSecurityDescriptorFlags_SkipFullTrustVerification;
- }
- }
- }
-
- return rulesFlags;
-}
-
-// grok the meta data and compute the necessary attributes
-void TokenSecurityDescriptor::VerifyDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(m_pModule));
- }
- CONTRACTL_END;
-
- if (m_flags & TokenSecurityDescriptorFlags_IsComputed)
- {
- return;
- }
-
- // Loop over the attributes on the token, reading off bits that are interesting for security
- TokenSecurityDescriptorFlags flags = ReadSecurityAttributes(m_pModule->GetMDImport(), m_token);
- flags |= TokenSecurityDescriptorFlags_IsComputed;
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), flags);
-}
-
-// static
-TokenSecurityDescriptorFlags TokenSecurityDescriptor::ReadSecurityAttributes(IMDInternalImport *pmdImport, mdToken token)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pmdImport));
- }
- CONTRACTL_END;
-
- TokenSecurityDescriptorFlags flags = TokenSecurityDescriptorFlags_None;
-
- HENUMInternalHolder hEnum(pmdImport);
- hEnum.EnumInit(mdtCustomAttribute, token);
-
- mdCustomAttribute currentAttribute;
- while (hEnum.EnumNext(¤tAttribute))
- {
- LPCSTR szAttributeName;
- LPCSTR szAttributeNamespace;
-
- if (FAILED(pmdImport->GetNameOfCustomAttribute(currentAttribute, &szAttributeNamespace, &szAttributeName)))
- {
- continue;
- }
-
- // The only attributes we care about are in System.Security, so move on if we found something in a
- // different namespace
- if (szAttributeName != NULL &&
- szAttributeNamespace != NULL &&
- strcmp(g_SecurityNS, szAttributeNamespace) == 0)
- {
-#if defined(FEATURE_CORESYSTEM)
- if (strcmp(g_SecurityAPTCA + sizeof(g_SecurityNS), szAttributeName) == 0)
- {
- // Check the visibility parameter
- const BYTE *pbAttributeBlob;
- ULONG cbAttributeBlob;
-
- if (FAILED(pmdImport->GetCustomAttributeAsBlob(currentAttribute, reinterpret_cast<const void **>(&pbAttributeBlob), &cbAttributeBlob)))
- {
- continue;
- }
-
- TokenSecurityDescriptorFlags aptcaFlags = ParseAptcaAttribute(pbAttributeBlob, cbAttributeBlob);
- flags |= aptcaFlags;
- }
- else
-#endif // defined(FEATURE_CORESYSTEM)
- if (strcmp(g_SecurityCriticalAttribute + sizeof(g_SecurityNS), szAttributeName) == 0)
- {
- flags |= TokenSecurityDescriptorFlags_Critical;
-
- }
- else if (strcmp(g_SecuritySafeCriticalAttribute + sizeof(g_SecurityNS), szAttributeName) == 0)
- {
- flags |= TokenSecurityDescriptorFlags_SafeCritical;
- }
- else if (strcmp(g_SecurityTransparentAttribute + sizeof(g_SecurityNS), szAttributeName) == 0)
- {
- flags |= TokenSecurityDescriptorFlags_Transparent;
- }
- }
- }
-
- return flags;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Calculate the semantic critical / transparent state for this metadata token.
-// See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup
-//
-
-void TokenSecurityDescriptor::VerifySemanticDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- if (m_flags & TokenSecurityDescriptorFlags_IsSemanticComputed)
- {
- return;
- }
-
-
- bool fIsSemanticallyCritical = false;
- bool fIsSemanticallyTreatAsSafe = false;
- bool fIsSemanticallyExternallyVisible = false;
-
- // Check the module to see if every type in the module is the same
- Assembly *pAssembly = m_pModule->GetAssembly();
- ModuleSecurityDescriptor* pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pAssembly);
- if (pModuleSecDesc->IsAllTransparent())
- {
- // If the module is explicitly Transparent, then everything in it is Transparent
- fIsSemanticallyCritical = false;
- fIsSemanticallyTreatAsSafe = false;
- }
- else if (pModuleSecDesc->IsAllCritical())
- {
- // If the module is critical or safe critical, then everything in it matches
- fIsSemanticallyCritical = true;
-
- if (pModuleSecDesc->IsTreatAsSafe())
- {
- fIsSemanticallyTreatAsSafe = true;
- }
- }
- else if (pModuleSecDesc->IsOpportunisticallyCritical())
- {
- // There are three cases for an opportunistically critical type:
- // 1. Level 2 transparency - all types are critical
- // 2. Level 1 transparency - all types are transparent
- // 3. Types participating in type equivalence (regardless of level) - types are transparent
- //
- // Therefore, we consider the type critical only if it is level 2, otherwise keep it transparent.
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior();
- if (!pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods() &&
- !IsTypeEquivalent())
- {
- // If the module is opportunistically critical, then every type in it is critical
- fIsSemanticallyCritical = true;
- }
- }
- // Mixed transparency
- else
- {
- const TypeSecurityDescriptorFlags criticalMask = TypeSecurityDescriptorFlags_IsAllCritical |
- TypeSecurityDescriptorFlags_IsCritical;
- const TypeSecurityDescriptorFlags treatAsSafeMask = TypeSecurityDescriptorFlags_IsTreatAsSafe;
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior();
- _ASSERTE(pTransparencyBehavior != NULL);
-
- // We don't have full module-level state, so we need to loop over the tokens to figure it out.
- IMDInternalImport* pMdImport = m_pModule->GetMDImport();
- mdToken tkCurrent = m_token;
- mdToken tkPrev = mdTokenNil;
-
- // First, we need to walk the chain inside out, building up a stack so that we can pop the stack from
- // the outside in, looking for the largest scope with a statement about the transparency of the types.
- CStackArray<mdToken> typeTokenStack;
- while (tkPrev != tkCurrent)
- {
- typeTokenStack.Push(tkCurrent);
- tkPrev = tkCurrent;
- IfFailThrow(pMdImport->GetParentToken(tkPrev, &tkCurrent));
- }
-
- //
- // Walk up the chain of containing types, starting with the current metadata token. At each step on the
- // chain, keep track of if we've been marked critical / treat as safe yet.
- //
- // It's important that we use only metadata tokens here, rather than using EEClass and
- // TypeSecurityDescriptors, since this method can be called while loading nested types and using
- // TypESecurityDescriptor can lead to recursion during type load.
- //
- // We also need to walk the chain from the outside in, since we listen to the outermost marking. We
- // can stop looking at tokens once we found one that has a transparency marking (we've become either
- // critical or safe critical), and we've determined that the inner types are not publicly visible.
- //
-
- // We'll start out by saying all tokens are not public if public doesn't imply treat as safe - that
- // way we don't flip over to safe critical even if they are all public
- bool fAllTokensPublic = pTransparencyBehavior->DoesPublicImplyTreatAsSafe();
-
- while (typeTokenStack.Count() > 0 && !fIsSemanticallyCritical)
- {
- mdToken *ptkCurrentType = typeTokenStack.Pop();
- TokenSecurityDescriptor currentTokenSD(m_pModule, *ptkCurrentType);
-
- // Check to see if the current type is critical / treat as safe. We only want to check this if we
- // haven't already found an outer type that had a transparency attribute; otherwise we would let
- // an inner scope have more priority than its containing scope
- TypeSecurityDescriptorFlags currentTypeFlags = pTransparencyBehavior->MapTypeAttributes(currentTokenSD.GetMetadataFlags());
- if (!fIsSemanticallyCritical)
- {
- fIsSemanticallyCritical = !!(currentTypeFlags & criticalMask);
- fIsSemanticallyTreatAsSafe |= !!(currentTypeFlags & treatAsSafeMask);
- }
-
- // If the assembly uses a transparency model where publicly visible items are treat as safe, then
- // we need to check to see if all the types in the containment chain are visible
- if (fAllTokensPublic)
- {
- DWORD dwTypeAttrs;
- IfFailThrow(pMdImport->GetTypeDefProps(tkCurrent, &dwTypeAttrs, NULL));
-
- fAllTokensPublic = IsTdPublic(dwTypeAttrs) ||
- IsTdNestedPublic(dwTypeAttrs) ||
- IsTdNestedFamily(dwTypeAttrs) ||
- IsTdNestedFamORAssem(dwTypeAttrs);
- }
- }
-
- // If public implies treat as safe, all the types were visible, and we are semantically critical
- // then we're actually semantically safe critical
- if (fAllTokensPublic)
- {
- _ASSERTE(pTransparencyBehavior->DoesPublicImplyTreatAsSafe());
-
- fIsSemanticallyExternallyVisible = true;
-
- if (fIsSemanticallyCritical)
- {
- fIsSemanticallyTreatAsSafe = true;
- }
- }
- }
-
- // Further, if we're critical due to the assembly, and public implies treat as safe,
- // and the outermost nested type is public, then we are safe critical
- if (pModuleSecDesc->IsAllCritical() ||
- pModuleSecDesc->IsOpportunisticallyCritical())
- {
- // We shouldn't have determined if we're externally visible or not yet
- _ASSERTE(!fIsSemanticallyExternallyVisible);
-
- const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior();
-
- if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() &&
- fIsSemanticallyCritical &&
- !fIsSemanticallyTreatAsSafe)
- {
- IMDInternalImport* pMdImport = m_pModule->GetMDImport();
- mdToken tkCurrent = m_token;
- mdToken tkPrev = mdTokenNil;
- HRESULT hrIter = S_OK;
-
- while (SUCCEEDED(hrIter) && tkCurrent != tkPrev)
- {
- tkPrev = tkCurrent;
- hrIter = pMdImport->GetNestedClassProps(tkPrev, &tkCurrent);
-
- if (!SUCCEEDED(hrIter))
- {
- if (hrIter == CLDB_E_RECORD_NOTFOUND)
- {
- // We don't have a parent class, so use the previous as our outermost
- tkCurrent = tkPrev;
- }
- else
- {
- ThrowHR(hrIter);
- }
- }
-
- DWORD dwOuterTypeAttrs;
- IfFailThrow(pMdImport->GetTypeDefProps(tkCurrent, &dwOuterTypeAttrs, NULL));
- if (IsTdPublic(dwOuterTypeAttrs))
- {
- fIsSemanticallyExternallyVisible = true;
- fIsSemanticallyTreatAsSafe = true;
- }
- }
- }
- }
-
- // Save away the semantic state that we just computed
- TokenSecurityDescriptorFlags semanticFlags = TokenSecurityDescriptorFlags_IsSemanticComputed;
- if (fIsSemanticallyCritical)
- semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticCritical;
- if (fIsSemanticallyTreatAsSafe)
- semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe;
- if (fIsSemanticallyExternallyVisible)
- semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticExternallyVisible;
-
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), static_cast<DWORD>(semanticFlags));
-}
-
-HashDatum TokenSecurityDescriptor::LookupSecurityDescriptor(void* pKey)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- HashDatum datum;
- AppDomain* pDomain = GetAppDomain();
-
- EEPtrHashTable &rCachedMethodPermissionsHash = pDomain->m_pSecContext->m_pCachedMethodPermissionsHash;
-
- // We need to switch to cooperative GC here. But using GCX_COOP here
- // causes 20% perf degrade in some declarative security assert scenario.
- // We should fix this one.
- CONTRACT_VIOLATION(ModeViolation);
- // Fast attempt, that may fail (and return FALSE):
- if (!rCachedMethodPermissionsHash.GetValueSpeculative(pKey, &datum))
- {
- // Slow call
- datum = LookupSecurityDescriptor_Slow(pDomain, pKey, rCachedMethodPermissionsHash);
- }
- return datum;
-}
-
-HashDatum TokenSecurityDescriptor::LookupSecurityDescriptor_Slow(AppDomain* pDomain,
- void* pKey,
- EEPtrHashTable &rCachedMethodPermissionsHash )
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- HashDatum datum;
- SimpleRWLock* prGlobalLock = pDomain->m_pSecContext->m_prCachedMethodPermissionsLock;
- // look up the cache in the slow mode
- // in the false failure case, we'll recheck the cache anyway
- SimpleReadLockHolder readLockHolder(prGlobalLock);
- if (rCachedMethodPermissionsHash.GetValue(pKey, &datum))
- {
- return datum;
- }
- return NULL;
-}
-
-HashDatum TokenSecurityDescriptor::InsertSecurityDescriptor(void* pKey, HashDatum pHashDatum)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- AppDomain* pDomain = GetAppDomain();
- SimpleRWLock* prGlobalLock = pDomain->m_pSecContext->m_prCachedMethodPermissionsLock;
- EEPtrHashTable &rCachedMethodPermissionsHash = pDomain->m_pSecContext->m_pCachedMethodPermissionsHash;
-
- HashDatum pFoundHashDatum = NULL;
- // insert the computed details in our hash table
- {
- SimpleWriteLockHolder writeLockHolder(prGlobalLock);
- // since the hash table doesn't support duplicates by
- // default, we need to recheck in case another thread
- // added the value during a context switch
- if (!rCachedMethodPermissionsHash.GetValue(pKey, &pFoundHashDatum))
- {
- // no entry was found
- _ASSERTE(pFoundHashDatum == NULL);
- // Place the new entry into the hash.
- rCachedMethodPermissionsHash.InsertValue(pKey, pHashDatum);
- }
- }
- // return the value found in the lookup, in case there was a duplicate
- return pFoundHashDatum;
-}
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securitymeta.h
-//
-// pre-computes various security information, declarative and runtime meta-info
-//
-
-
-//
-//--------------------------------------------------------------------------
-
-
-#ifndef __SECURITYMETA_H__
-#define __SECURITYMETA_H__
-
-class SecurityStackWalk;
-class AssertStackWalk;
-class PsetCacheEntry;
-class SecurityTransparencyBehavior;
-struct DeclActionInfo;
-
-#define INVALID_SET_INDEX ((DWORD)~0)
-
-// The enum that describes the value of the SecurityCriticalFlags in SecurityCritical attribute.
-enum SecurityCriticalFlags
-{
- SecurityCriticalFlags_None = 0,
- SecurityCriticalFlags_All = 0x1
-};
-
-// Security rule sets that can be used - this enum should match the BCL SecurityRuleSet enum
-enum SecurityRuleSet
-{
- SecurityRuleSet_Level1 = 1, // v2.0 rules
- SecurityRuleSet_Level2 = 2, // v4.0 rules
-
- SecurityRuleSet_Min = SecurityRuleSet_Level1, // Smallest rule set we understand
- SecurityRuleSet_Max = SecurityRuleSet_Level2, // Largest rule set we understand
- SecurityRuleSet_Default = SecurityRuleSet_Level2 // Rule set to use if unspecified
-};
-
-// Partial trust visibility level for APTCA assemblies - this enum should match the BCL
-// PartialTrustVisibilityLevel enum
-enum PartialTrustVisibilityLevel
-{
- PartialTrustVisibilityLevel_VisibleToAllHosts = 0,
- PartialTrustVisibilityLevel_NotVisibleByDefault = 1
-};
-
-SELECTANY const DWORD DCL_FLAG_MAP[] =
-{
- 0, // dclActionNil = 0
- DECLSEC_REQUESTS, // dclRequest = 1
- DECLSEC_DEMANDS, // dclDemand = 2
- DECLSEC_ASSERTIONS, // dclAssert = 3
- DECLSEC_DENIALS, // dclDeny = 4
- DECLSEC_PERMITONLY, // dclPermitOnly = 5
- DECLSEC_LINK_CHECKS, // dclLinktimeCheck = 6
- DECLSEC_INHERIT_CHECKS, // dclInheritanceCheck = 7
- DECLSEC_REQUESTS, // dclRequestMinimum = 8
- DECLSEC_REQUESTS, // dclRequestOptional = 9
- DECLSEC_REQUESTS, // dclRequestRefuse = 10
- 0, // dclPrejitGrant = 11
- 0, // dclPrejitDenied = 12
- DECLSEC_NONCAS_DEMANDS, // dclNonCasDemand = 13
- DECLSEC_NONCAS_LINK_DEMANDS, // dclNonCasLinkDemand = 14
- DECLSEC_NONCAS_INHERITANCE, // dclNonCasInheritance = 15
-};
-#define DCL_FLAG_MAP_SIZE (sizeof(DCL_FLAG_MAP)/sizeof(DWORD))
-#define DclToFlag(dcl) (((size_t)dcl < DCL_FLAG_MAP_SIZE) ? DCL_FLAG_MAP[dcl] : 0)
-
-
-struct TokenDeclActionInfo
-{
- DWORD dwDeclAction; // This'll tell InvokeDeclarativeSecurity whats the action needed
- PsetCacheEntry *pPCE; // The cached permissionset on which to demand/assert/deny/etc
- TokenDeclActionInfo* pNext; // pointer to next action link in chain
-
- static TokenDeclActionInfo *Init(DWORD dwAction, PsetCacheEntry *pPCE);
- static void LinkNewDeclAction(TokenDeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE);
-
-
- HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- OBJECTREF GetLinktimePermissions(OBJECTREF *prefNonCasDemands);
- void InvokeLinktimeChecks(Assembly* pCaller);
-};
-
-// Flags about the raw security attributes found on a metadata token, as well as semantic interpretations of
-// them in some cases (see code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup). These flags
-// are split into several sections:
-//
-// 32 28 16 12 4 0
-// | Rules version | Rules Bits | Semantic data | Raw attributes | Metabits |
-//
-// Rules version - the SecurityRuleSet selected by a SecurityRules attribute
-// Rules bits - extra flags set on a SecurityRules attribute
-// Semantic data - Flags indicating the security state of the item represented by the token taking into
-// account parent types and modules - giving the true semantic security state
-// (see code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup)
-// Raw attributes - Flags for data we read directly out of metadata; these only indicate that the attributes
-// are set, and do not indicate the actual security state of the token until they have been
-// interpreted by the assembly they are applied within.
-// Metabits - Flags about the state of the token security descriptor itself
-enum TokenSecurityDescriptorFlags
-{
- // Metabits
- TokenSecurityDescriptorFlags_None = 0x00000000,
- TokenSecurityDescriptorFlags_IsComputed = 0x00000001,
-
- // Raw attributes
- TokenSecurityDescriptorFlags_RawAttributeMask = 0x00000FF0,
- TokenSecurityDescriptorFlags_AllCritical = 0x00000010, // [SecurityCritical(SecurityCriticalScope.All)]
- TokenSecurityDescriptorFlags_APTCA = 0x00000020, // [AllowPartiallyTrustedCallers] (VisibleByDefault)
- TokenSecurityDescriptorFlags_ConditionalAPTCA = 0x00000040, // [AllowPartiallyTrustedCallers] (NotVisibleByDefault)
- TokenSecurityDescriptorFlags_Critical = 0x00000080, // [SecurityCritical] (regardless of scope)
- TokenSecurityDescriptorFlags_SecurityRules = 0x00000100, // [SecurityRules]
- TokenSecurityDescriptorFlags_SafeCritical = 0x00000200, // [SecuritySafeCritical]
- TokenSecurityDescriptorFlags_Transparent = 0x00000400, // [SecurityTransparent]
- TokenSecurityDescriptorFlags_TreatAsSafe = 0x00000800, // [SecurityTreatAsSafe]
-
- // Semantic data
- TokenSecurityDescriptorFlags_SemanticMask = 0x000FF000,
- TokenSecurityDescriptorFlags_IsSemanticComputed = 0x00001000,
- TokenSecurityDescriptorFlags_IsSemanticCritical = 0x00002000,
- TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe = 0x00004000,
- TokenSecurityDescriptorFlags_IsSemanticExternallyVisible= 0x00008000,
-
- // Rules bits
- TokenSecurityDescriptorFlags_RulesMask = 0x0FFF0000,
- TokenSecurityDescriptorFlags_SkipFullTrustVerification = 0x00010000, // In full trust do not do IL verificaiton for transparent code
-
- // Rules version
- TokenSecurityDescriptorFlags_RulesVersionMask = 0xF0000000
-};
-
-inline TokenSecurityDescriptorFlags operator|(TokenSecurityDescriptorFlags lhs,
- TokenSecurityDescriptorFlags rhs);
-
-inline TokenSecurityDescriptorFlags operator|=(TokenSecurityDescriptorFlags& lhs,
- TokenSecurityDescriptorFlags rhs);
-
-inline TokenSecurityDescriptorFlags operator&(TokenSecurityDescriptorFlags lhs,
- TokenSecurityDescriptorFlags rhs);
-
-inline TokenSecurityDescriptorFlags operator&=(TokenSecurityDescriptorFlags& lhs,
- TokenSecurityDescriptorFlags rhs);
-
-inline TokenSecurityDescriptorFlags operator~(TokenSecurityDescriptorFlags flags);
-
-// Get the version of the security rules that token security descriptor flags are requesting
-inline SecurityRuleSet GetSecurityRuleSet(TokenSecurityDescriptorFlags flags);
-
-// Encode a security rule set into token flags - this reverses GetSecurityRuleSet
-inline TokenSecurityDescriptorFlags EncodeSecurityRuleSet(SecurityRuleSet ruleSet);
-
-
-TokenSecurityDescriptorFlags ParseSecurityRulesAttribute(const BYTE *pbSecurityRulesBlob,
- DWORD cbSecurityRulesBlob);
-
-//
-// #TokenSecurityDescriptorSemanticLookup
-//
-// Token security descriptors are used to get information on the security state of a specific metadata
-// token. They have two types of lookup - standard and semantic. Standard lookup is cheaper and only looks at
-// the specific metadata token. Semantic lookup will follow the token to its parents, figuring out if the
-// token is semanticaly critical or transparent due to a containing item. For instance:
-//
-// [SecurityCritical]
-// class A
-// {
-// class B { }
-// }
-//
-// A TokenSecurityDescriptor's standard lookup for B will say that it is transparent because B does not
-// directly have a critical attribute. However, a semantic lookup will notice that A is critical and
-// contains B, therefore B is also critical.
-//
-
-class TokenSecurityDescriptor
-{
-private:
- PTR_Module m_pModule;
- mdToken m_token;
- TokenSecurityDescriptorFlags m_flags;
-
-public:
- inline TokenSecurityDescriptor(PTR_Module pModule, mdToken token);
-
- void VerifyDataComputed();
- void VerifySemanticDataComputed();
-
- // Get the raw flags for the token
- inline TokenSecurityDescriptorFlags GetFlags();
-
- //
- // Critical / transparent checks for the specific metadata token only - these methods do not take into
- // account the containment of the token and therefore only include information about the token itself
- // and cannot be used to determine if the item represented by the token is semantically critical.
- //
- // See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup
- //
-
- // Get the attributes that were set on the token
- inline TokenSecurityDescriptorFlags GetMetadataFlags();
-
- //
- // Semantic critical / transparent checks for the metadata token - these methods take into account
- // containers of the token to get a true semantic security status for the token.
- //
- // See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup
- //
-
- inline BOOL IsSemanticCritical();
-
- inline BOOL IsSemanticTreatAsSafe();
-
- inline BOOL IsSemanticExternallyVisible();
-
- // static helper to find cached security descriptors based on token
- static HashDatum LookupSecurityDescriptor(void* pKey);
-
- static HashDatum LookupSecurityDescriptor_Slow(AppDomain* pDomain,
- void* pKey,
- EEPtrHashTable &rCachedMethodPermissionsHash );
-
- // static helper to insert a security descriptor for a token, dupes not allowed, returns previous entry in hash table
- static HashDatum InsertSecurityDescriptor(void* pKey, HashDatum pHashDatum);
-
- // static helper to parse the security attributes for a token from a given metadata importer
- static TokenSecurityDescriptorFlags ReadSecurityAttributes(IMDInternalImport *pmdImport, mdToken token);
-
-private:
- // does the type represented by this TokenSecurityDescriptor particpate in type equivalence
- inline BOOL IsTypeEquivalent();
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class TokenSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const TokenSecurityDescriptor *m_pTSD;
-
- public:
- inline TokenSecurityDescriptorTransparencyEtwEvents(const TokenSecurityDescriptor *pTSD);
- inline ~TokenSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-enum MethodSecurityDescriptorFlags
-{
- MethodSecurityDescriptorFlags_None = 0x0000,
- MethodSecurityDescriptorFlags_IsComputed = 0x0001,
-
- // Method transparency info is cached directly on MethodDesc for performance reasons
- // These flags are used only during calculation of transparency information; runtime data
- // should be read from the method desc
- MethodSecurityDescriptorFlags_IsCritical = 0x0002,
- MethodSecurityDescriptorFlags_IsTreatAsSafe = 0x0004,
-
- MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly = 0x0008,
- MethodSecurityDescriptorFlags_IsDemandsOnly = 0x0010,
- MethodSecurityDescriptorFlags_AssertAllowed = 0x0020,
- MethodSecurityDescriptorFlags_CanCache = 0x0040,
-};
-
-inline MethodSecurityDescriptorFlags operator|(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator|=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator&(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator&=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs);
-
-class MethodSecurityDescriptor
-{
-private:
- MethodDesc *m_pMD;
- DeclActionInfo *m_pRuntimeDeclActionInfo; // run-time declarative actions list
- TokenDeclActionInfo *m_pTokenDeclActionInfo; // link-time declarative actions list
- MethodSecurityDescriptorFlags m_flags;
- DWORD m_declFlagsDuringPreStub; // declarative run-time security flags,
-
-public:
- explicit inline MethodSecurityDescriptor(MethodDesc* pMD, BOOL fCanCache = TRUE);
-
- inline BOOL CanAssert();
- inline void SetCanAssert();
-
- inline BOOL CanCache();
- inline void SetCanCache();
-
- inline BOOL HasRuntimeDeclarativeSecurity();
- inline BOOL HasLinkOrInheritanceDeclarativeSecurity();
- inline BOOL HasLinktimeDeclarativeSecurity();
- inline BOOL HasInheritanceDeclarativeSecurity();
-
- inline mdToken GetToken();
- inline MethodDesc *GetMethod();
- inline IMDInternalImport *GetIMDInternalImport();
-
- inline BOOL ContainsBuiltInCASDemandsOnly();
- inline DeclActionInfo* GetRuntimeDeclActionInfo();
- inline DWORD GetDeclFlagsDuringPreStub();
- inline TokenDeclActionInfo* GetTokenDeclActionInfo();
-
- inline BOOL IsCritical();
- inline BOOL IsTreatAsSafe();
-
- inline BOOL IsOpportunisticallyCritical();
-
- inline HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static HRESULT GetDeclaredPermissionsWithCache(MethodDesc* pMD,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static OBJECTREF GetLinktimePermissions(MethodDesc* pMD, OBJECTREF *prefNonCasDemands);
-
- inline void InvokeLinktimeChecks(Assembly* pCaller);
- static inline void InvokeLinktimeChecks(MethodDesc* pMD, Assembly* pCaller);
-
- void InvokeInheritanceChecks(MethodDesc *pMethod);
-
- // This method will look for the cached copy of the MethodSecurityDescriptor corresponding to ret_methSecDesc->_pMD
- // If the cache lookup succeeds, we get back the cached copy in ret_methSecDesc
- // If the cache lookup fails, then the data is computed in ret_methSecDesc. If we find that this is a cache-able MSD,
- // a copy is made in AppDomain heap and inserted into the hash table for future lookups.
- static void LookupOrCreateMethodSecurityDescriptor(MethodSecurityDescriptor* ret_methSecDesc);
- static BOOL IsDeclSecurityCASDemandsOnly(DWORD dwMethDeclFlags,
- mdToken _mdToken,
- IMDInternalImport *pInternalImport);
-
-private:
- void ComputeRuntimeDeclarativeSecurityInfo();
- void ComputeMethodDeclarativeSecurityInfo();
-
- inline void VerifyDataComputed();
- void VerifyDataComputedInternal();
-
- // Force the type to figure out if it is transparent or critial.
- // NOTE: Generally this is not needed, as the data is cached on the MethodDesc for you. This method should
- // only be called if the MethodDesc is returning FALSE from HasCriticalTransparentInfo
- void ComputeCriticalTransparentInfo();
-
- static BOOL CanMethodSecurityDescriptorBeCached(MethodDesc* pMD);
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class MethodSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const MethodSecurityDescriptor *m_pMSD;
-
- public:
- inline MethodSecurityDescriptorTransparencyEtwEvents(const MethodSecurityDescriptor *pMSD);
- inline ~MethodSecurityDescriptorTransparencyEtwEvents();
- };
-
- // Helper class to iterater over methods that the MethodSecurityDescriptor's MethodDesc may be
- // implementing. This type iterates over interface implementations followed by MethodImpls for virtuals
- // that the input MethodDesc implements.
- class MethodImplementationIterator
- {
- private:
- DispatchMap::Iterator m_interfaceIterator;
- MethodDesc *m_pMD;
- DWORD m_iMethodImplIndex;
- bool m_fInterfaceIterationBegun;
- bool m_fMethodImplIterationBegun;
-
- public:
- MethodImplementationIterator(MethodDesc *pMD);
-
- MethodDesc *Current();
- bool IsValid();
- void Next();
- };
-};
-
-enum FieldSecurityDescriptorFlags
-{
- FieldSecurityDescriptorFlags_None = 0x0000,
- FieldSecurityDescriptorFlags_IsComputed = 0x0001,
- FieldSecurityDescriptorFlags_IsCritical = 0x0002,
- FieldSecurityDescriptorFlags_IsTreatAsSafe = 0x0004,
-};
-
-inline FieldSecurityDescriptorFlags operator|(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator|=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator&(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator&=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs);
-
-class FieldSecurityDescriptor
-{
-private:
- FieldDesc *m_pFD;
- FieldSecurityDescriptorFlags m_flags;
-
-public:
- explicit inline FieldSecurityDescriptor(FieldDesc* pFD);
-
- void VerifyDataComputed();
-
- inline BOOL IsCritical();
- inline BOOL IsTreatAsSafe();
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class FieldSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const FieldSecurityDescriptor *m_pFSD;
-
- public:
- inline FieldSecurityDescriptorTransparencyEtwEvents(const FieldSecurityDescriptor *pFSD);
- inline ~FieldSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-enum TypeSecurityDescriptorFlags
-{
- TypeSecurityDescriptorFlags_None = 0x0000,
-
- // Type transparency info is cached directly on EEClass for performance reasons; these bits are used only
- // as intermediate state while calculating the final set of bits to cache on the EEClass
- TypeSecurityDescriptorFlags_IsAllCritical = 0x0001, // Everything introduced by this type is critical
- TypeSecurityDescriptorFlags_IsAllTransparent = 0x0002, // All code in the type is transparent
- TypeSecurityDescriptorFlags_IsCritical = 0x0004, // The type is critical, but its introduced methods may not be
- TypeSecurityDescriptorFlags_IsTreatAsSafe = 0x0008, // Combined with IsAllCritical or IsCritical makes the type SafeCritical
-};
-
-inline TypeSecurityDescriptorFlags operator|(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator|=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator&(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator&=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs);
-
-class TypeSecurityDescriptor
-{
-private:
- MethodTable *m_pMT;
- TokenDeclActionInfo *m_pTokenDeclActionInfo;
- BOOL m_fIsComputed;
-
-public:
- explicit inline TypeSecurityDescriptor(MethodTable *pMT);
-
- inline BOOL HasLinkOrInheritanceDeclarativeSecurity();
- inline BOOL HasLinktimeDeclarativeSecurity();
- inline BOOL HasInheritanceDeclarativeSecurity();
-
- // Is everything introduced by the type critical
- inline BOOL IsAllCritical();
-
- // Does the type contain only transparent code
- inline BOOL IsAllTransparent();
-
- // Combined with IsCritical/IsAllCritical is the type safe critical
- inline BOOL IsTreatAsSafe();
-
- // Is the type critical, but not necessarially its conatined methods
- inline BOOL IsCritical();
-
- // Is the type in an assembly that doesn't care about transparency, and therefore wants the CLR to make
- // sure that all annotations are correct for it.
- inline BOOL IsOpportunisticallyCritical();
-
- // Should this type be considered externally visible when calculating the transpraency of the type
- // and its members. (For instance, when seeing if public implies treat as safe)
- BOOL IsTypeExternallyVisibleForTransparency();
-
- inline mdToken GetToken();
- inline IMDInternalImport *GetIMDInternalImport();
-
- inline TokenDeclActionInfo* GetTokenDeclActionInfo();
-
- inline HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static HRESULT GetDeclaredPermissionsWithCache(MethodTable* pTargetMT,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static OBJECTREF GetLinktimePermissions(MethodTable* pMT, OBJECTREF *prefNonCasDemands);
-
- // Is the type represented by this TypeSecurityDescripter participating in type equivalence
- inline BOOL IsTypeEquivalent();
-
- void InvokeInheritanceChecks(MethodTable* pMT);
- inline void InvokeLinktimeChecks(Assembly* pCaller);
- static inline void InvokeLinktimeChecks(MethodTable* pMT, Assembly* pCaller);
-
-private:
- inline TypeSecurityDescriptor& operator=(const TypeSecurityDescriptor &tsd);
- void ComputeTypeDeclarativeSecurityInfo();
- static TypeSecurityDescriptor* GetTypeSecurityDescriptor(MethodTable* pMT);
- void VerifyDataComputedInternal();
- inline void VerifyDataComputed();
- // Force the type to figure out if it is transparent or critial.
- // NOTE: Generally this is not needed, as the data is cached on the EEClass for you. This method should
- // only be called if the EEClass is returning FALSE from HasCriticalTransparentInfo
- void ComputeCriticalTransparentInfo();
- static BOOL CanTypeSecurityDescriptorBeCached(MethodTable* pMT);
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class TypeSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const TypeSecurityDescriptor *m_pTSD;
-
- public:
- inline TypeSecurityDescriptorTransparencyEtwEvents(const TypeSecurityDescriptor *pTSD);
- inline ~TypeSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-
-enum ModuleSecurityDescriptorFlags
-{
- ModuleSecurityDescriptorFlags_None = 0x0000,
- ModuleSecurityDescriptorFlags_IsComputed = 0x0001,
-
- ModuleSecurityDescriptorFlags_IsAPTCA = 0x0002, // The assembly allows partially trusted callers
- ModuleSecurityDescriptorFlags_IsAllCritical = 0x0004, // Every type and method introduced by the assembly is critical
- ModuleSecurityDescriptorFlags_IsAllTransparent = 0x0008, // Every type and method in the assembly is transparent
- ModuleSecurityDescriptorFlags_IsTreatAsSafe = 0x0010, // Combined with IsAllCritical - every type and method introduced by the assembly is safe critical
- ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical = 0x0020, // Ensure that the assembly follows all transparency rules by making all methods critical or safe critical as needed
- ModuleSecurityDescriptorFlags_SkipFullTrustVerification = 0x0040, // Fully trusted transparent code does not require verification
- ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust = 0x0080, // Whether we made the assembly all transparent because it was partially-trusted
-};
-
-inline ModuleSecurityDescriptorFlags operator|(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator|=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator&(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator&=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator~(ModuleSecurityDescriptorFlags flags);
-
-
-// Module security descriptor, this class contains static security information about the module
-// this information will get persisted in the NGen image
-class ModuleSecurityDescriptor
-{
- friend class Module;
-
-private:
- PTR_Module m_pModule;
- ModuleSecurityDescriptorFlags m_flags;
- TokenSecurityDescriptorFlags m_tokenFlags;
-
-private:
- explicit inline ModuleSecurityDescriptor(PTR_Module pModule);
-
-public:
- static inline BOOL IsMarkedTransparent(Assembly* pAssembly);
-
- static ModuleSecurityDescriptor* GetModuleSecurityDescriptor(Assembly* pAssembly);
-
- void Save(DataImage *image);
- void Fixup(DataImage *image);
-
- void VerifyDataComputed();
-
- inline void OverrideTokenFlags(TokenSecurityDescriptorFlags tokenFlags);
- inline TokenSecurityDescriptorFlags GetTokenFlags();
-
- inline Module *GetModule();
-
-#ifdef DACCESS_COMPILE
- // Get the value of the module security descriptor flags without forcing them to be computed
- inline ModuleSecurityDescriptorFlags GetRawFlags();
-#endif // DACCESS_COMPILE
-
- // Is every method and type in the assembly transparent
- inline BOOL IsAllTransparent();
-
- // Is every method and type introduced by the assembly critical
- inline BOOL IsAllCritical();
-
- // Combined with IsAllCritical - is every method and type introduced by the assembly safe critical
- inline BOOL IsTreatAsSafe();
-
- // Does the assembly not care about transparency, and wants the CLR to take care of making sure everything
- // is annotated properly in the assembly.
- inline BOOL IsOpportunisticallyCritical();
-
- // Does the assembly contain a mix of critical and transparent code
- inline BOOL IsMixedTransparency();
-
- // Partial trust assemblies are forced all-transparent under some conditions. This
- // tells us whether that is true for this particular assembly.
- inline BOOL IsAllTransparentDueToPartialTrust();
-
- // Get the rule set the assembly uses
- inline SecurityRuleSet GetSecurityRuleSet();
-
-
-#if defined(FEATURE_CORESYSTEM)
- // Does the assembly allow partially trusted callers
- inline BOOL IsAPTCA();
-#endif // defined(FEATURE_CORESYSTEM)
-
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class ModuleSecurityDescriptorTransparencyEtwEvents
- {
- private:
- ModuleSecurityDescriptor *m_pMSD;
-
- public:
- inline ModuleSecurityDescriptorTransparencyEtwEvents(ModuleSecurityDescriptor *pMSD);
- inline ~ModuleSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-#include "securitymeta.inl"
-
-#endif // __SECURITYMETA_H__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securitymeta.inl
-//
-// pre-computes various security information, declarative and runtime meta-info
-//
-
-
-//
-//--------------------------------------------------------------------------
-
-
-#include "typestring.h"
-
-#include "securitypolicy.h"
-#include "securitydeclarative.h"
-
-#ifndef __SECURITYMETA_INL__
-#define __SECURITYMETA_INL__
-
-inline TokenSecurityDescriptorFlags operator|(TokenSecurityDescriptorFlags lhs,
- TokenSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline TokenSecurityDescriptorFlags operator|=(TokenSecurityDescriptorFlags& lhs,
- TokenSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline TokenSecurityDescriptorFlags operator&(TokenSecurityDescriptorFlags lhs,
- TokenSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline TokenSecurityDescriptorFlags operator&=(TokenSecurityDescriptorFlags& lhs,
- TokenSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline TokenSecurityDescriptorFlags operator~(TokenSecurityDescriptorFlags flags)
-{
- LIMITED_METHOD_CONTRACT;
-
- // Invert all the bits which aren't part of the rules version number
- DWORD flagBits = flags & ~static_cast<DWORD>(TokenSecurityDescriptorFlags_RulesVersionMask);
- return static_cast<TokenSecurityDescriptorFlags>(
- (EncodeSecurityRuleSet(GetSecurityRuleSet(flags)) << 24 ) |
- (~flagBits));
-}
-
-// Get the version of the security rules that token security descriptor flags are requesting
-inline SecurityRuleSet GetSecurityRuleSet(TokenSecurityDescriptorFlags flags)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<SecurityRuleSet>((flags & TokenSecurityDescriptorFlags_RulesMask) >> 24);
-}
-
-// Encode a security rule set into token flags - this reverses GetSecurityRuleSet
-inline TokenSecurityDescriptorFlags EncodeSecurityRuleSet(SecurityRuleSet ruleSet)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(ruleSet) << 24);
-}
-
-inline TokenSecurityDescriptor::TokenSecurityDescriptor(PTR_Module pModule, mdToken token)
- : m_pModule(pModule),
- m_token(token),
- m_flags(TokenSecurityDescriptorFlags_None)
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pModule);
-}
-
-inline TokenSecurityDescriptorFlags TokenSecurityDescriptor::GetFlags()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_flags;
-}
-
-// Get the attributes that were set on the token
-inline TokenSecurityDescriptorFlags TokenSecurityDescriptor::GetMetadataFlags()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_flags & TokenSecurityDescriptorFlags_RawAttributeMask;
-}
-
-inline BOOL TokenSecurityDescriptor::IsSemanticCritical()
-{
- WRAPPER_NO_CONTRACT;
- VerifySemanticDataComputed();
- return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticCritical);
-}
-
-inline BOOL TokenSecurityDescriptor::IsSemanticTreatAsSafe()
-{
- WRAPPER_NO_CONTRACT;
- VerifySemanticDataComputed();
- return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe);
-}
-
-inline BOOL TokenSecurityDescriptor::IsSemanticExternallyVisible()
-{
- WRAPPER_NO_CONTRACT;
- VerifySemanticDataComputed();
- return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticExternallyVisible);
-}
-
-// Determine if the type represented by the token in this TokenSecurityDescriptor is participating in type
-// equivalence.
-inline BOOL TokenSecurityDescriptor::IsTypeEquivalent()
-{
- WRAPPER_NO_CONTRACT;
-
- _ASSERTE(TypeFromToken(m_token) == mdtTypeDef);
- return IsTypeDefEquivalent(m_token, m_pModule);
-}
-
-#ifndef DACCESS_COMPILE
-
-inline TokenSecurityDescriptor::TokenSecurityDescriptorTransparencyEtwEvents::TokenSecurityDescriptorTransparencyEtwEvents(const TokenSecurityDescriptor *pTSD)
- : m_pTSD(pTSD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TokenTransparencyComputationStart))
- {
- LPCWSTR module = m_pTSD->m_pModule->GetPathForErrorMessages();
-
- ETW::SecurityLog::FireTokenTransparencyComputationStart(m_pTSD->m_token,
- module,
- ::GetAppDomain()->GetId().m_dwId);
- }
-}
-
-inline TokenSecurityDescriptor::TokenSecurityDescriptorTransparencyEtwEvents::~TokenSecurityDescriptorTransparencyEtwEvents()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TokenTransparencyComputationEnd))
- {
- LPCWSTR module = m_pTSD->m_pModule->GetPathForErrorMessages();
-
- ETW::SecurityLog::FireTokenTransparencyComputationEnd(m_pTSD->m_token,
- module,
- !!(m_pTSD->m_flags & TokenSecurityDescriptorFlags_IsSemanticCritical),
- !!(m_pTSD->m_flags & TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe),
- ::GetAppDomain()->GetId().m_dwId);
- }
-}
-
-#endif //!DACCESS_COMPILE
-
-inline MethodSecurityDescriptor::MethodSecurityDescriptor(MethodDesc* pMD, BOOL fCanCache /* = TRUE */) :
- m_pMD(pMD),
- m_pRuntimeDeclActionInfo(NULL),
- m_pTokenDeclActionInfo(NULL),
- m_flags(MethodSecurityDescriptorFlags_None),
- m_declFlagsDuringPreStub(0)
-{
- WRAPPER_NO_CONTRACT;
-
- if (fCanCache)
- {
- SetCanCache();
- }
-}
-
-inline BOOL MethodSecurityDescriptor::CanAssert()
-{
- // No need to do a VerifyDataComputed here -> this value is set by SecurityDeclarative::EnsureAssertAllowed as an optmization
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & MethodSecurityDescriptorFlags_AssertAllowed);
-}
-
-inline void MethodSecurityDescriptor::SetCanAssert()
-{
- LIMITED_METHOD_CONTRACT;
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_AssertAllowed);
-}
-
-inline BOOL MethodSecurityDescriptor::CanCache()
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & MethodSecurityDescriptorFlags_CanCache);
-}
-
-inline void MethodSecurityDescriptor::SetCanCache()
-{
- LIMITED_METHOD_CONTRACT;
- FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_CanCache);
-}
-
-inline BOOL MethodSecurityDescriptor::HasRuntimeDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD->IsInterceptedForDeclSecurity();
-}
-
-inline BOOL MethodSecurityDescriptor::HasLinkOrInheritanceDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return HasLinktimeDeclarativeSecurity() || HasInheritanceDeclarativeSecurity();
-}
-
-inline BOOL MethodSecurityDescriptor::HasLinktimeDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD->RequiresLinktimeCheck();
-}
-
-inline BOOL MethodSecurityDescriptor::HasInheritanceDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD->RequiresInheritanceCheck();
-}
-
-inline mdToken MethodSecurityDescriptor::GetToken()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD->GetMemberDef();
-}
-
-inline MethodDesc *MethodSecurityDescriptor::GetMethod()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD;
-}
-
-inline IMDInternalImport *MethodSecurityDescriptor::GetIMDInternalImport()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMD->GetMDImport();
-}
-
-
-inline BOOL MethodSecurityDescriptor::ContainsBuiltInCASDemandsOnly()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return ((m_flags & MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly) &&
- (m_flags & MethodSecurityDescriptorFlags_IsDemandsOnly));
-}
-
-inline DeclActionInfo* MethodSecurityDescriptor::GetRuntimeDeclActionInfo()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_pRuntimeDeclActionInfo;
-}
-
-inline DWORD MethodSecurityDescriptor::GetDeclFlagsDuringPreStub()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_declFlagsDuringPreStub;
-}
-
-inline TokenDeclActionInfo* MethodSecurityDescriptor::GetTokenDeclActionInfo()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_pTokenDeclActionInfo;
-}
-
-inline BOOL MethodSecurityDescriptor::IsCritical()
-{
- WRAPPER_NO_CONTRACT;
-
- if (!m_pMD->HasCriticalTransparentInfo())
- ComputeCriticalTransparentInfo();
- return m_pMD->IsCritical();
-}
-
-inline BOOL MethodSecurityDescriptor::IsTreatAsSafe()
-{
- WRAPPER_NO_CONTRACT;
-
- if (!m_pMD->HasCriticalTransparentInfo())
- ComputeCriticalTransparentInfo();
- return m_pMD->IsTreatAsSafe();
-}
-
-inline BOOL MethodSecurityDescriptor::IsOpportunisticallyCritical()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- TypeSecurityDescriptor typeSecDesc(m_pMD->GetMethodTable());
- return typeSecDesc.IsOpportunisticallyCritical();
-}
-
-inline HRESULT MethodSecurityDescriptor::GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE)
-{
- WRAPPER_NO_CONTRACT;
- return GetTokenDeclActionInfo()->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE);
-}
-
-// static
-inline HRESULT MethodSecurityDescriptor::GetDeclaredPermissionsWithCache(MethodDesc* pMD,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE)
-{
- WRAPPER_NO_CONTRACT;
- MethodSecurityDescriptor methodSecurityDesc(pMD);
- LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc);
- return methodSecurityDesc.GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE);
-}
-
-// static
-inline OBJECTREF MethodSecurityDescriptor::GetLinktimePermissions(MethodDesc* pMD,
- OBJECTREF *prefNonCasDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (!pMD->RequiresLinktimeCheck())
- return NULL;
-
- MethodSecurityDescriptor methodSecurityDesc(pMD);
- LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc);
- return methodSecurityDesc.GetTokenDeclActionInfo()->GetLinktimePermissions(prefNonCasDemands);
-}
-
-inline void MethodSecurityDescriptor::InvokeLinktimeChecks(Assembly* pCaller)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (!HasLinktimeDeclarativeSecurity())
- return;
-
- GetTokenDeclActionInfo()->InvokeLinktimeChecks(pCaller);
-}
-
-// staitc
-inline void MethodSecurityDescriptor::InvokeLinktimeChecks(MethodDesc* pMD, Assembly* pCaller)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (!pMD->RequiresLinktimeCheck())
- return;
-
- MethodSecurityDescriptor methodSecurityDesc(pMD);
- LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc);
- methodSecurityDesc.InvokeLinktimeChecks(pCaller);
-}
-
-// static
-inline BOOL MethodSecurityDescriptor::IsDeclSecurityCASDemandsOnly(DWORD dwMethDeclFlags,
- mdToken _mdToken,
- IMDInternalImport *pInternalImport)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // Non-CAS demands are not supported in CoreCLR
- return TRUE;
-}
-
-#ifndef DACCESS_COMPILE
-
-inline MethodSecurityDescriptor::MethodSecurityDescriptorTransparencyEtwEvents::MethodSecurityDescriptorTransparencyEtwEvents(const MethodSecurityDescriptor *pMSD)
- : m_pMSD(pMSD)
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, MethodTransparencyComputationStart))
- {
- LPCWSTR module = m_pMSD->m_pMD->GetModule()->GetPathForErrorMessages();
-
- SString method;
- m_pMSD->m_pMD->GetFullMethodInfo(method);
-
- ETW::SecurityLog::FireMethodTransparencyComputationStart(method.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId);
- }
-}
-
-inline MethodSecurityDescriptor::MethodSecurityDescriptorTransparencyEtwEvents::~MethodSecurityDescriptorTransparencyEtwEvents()
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, MethodTransparencyComputationEnd))
- {
- LPCWSTR module = m_pMSD->m_pMD->GetModule()->GetPathForErrorMessages();
-
- SString method;
- m_pMSD->m_pMD->GetFullMethodInfo(method);
-
- BOOL fIsCritical = FALSE;
- BOOL fIsTreatAsSafe = FALSE;
-
- if (m_pMSD->m_pMD->HasCriticalTransparentInfo())
- {
- fIsCritical = m_pMSD->m_pMD->IsCritical();
- fIsTreatAsSafe = m_pMSD->m_pMD->IsTreatAsSafe();
- }
-
- ETW::SecurityLog::FireMethodTransparencyComputationEnd(method.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId,
- fIsCritical,
- fIsTreatAsSafe);
- }
-}
-
-#endif //!DACCESS_COMPILE
-
-inline FieldSecurityDescriptorFlags operator|(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline FieldSecurityDescriptorFlags operator|=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline FieldSecurityDescriptorFlags operator&(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline FieldSecurityDescriptorFlags operator&=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline FieldSecurityDescriptor::FieldSecurityDescriptor(FieldDesc* pFD) :
- m_pFD(pFD),
- m_flags(FieldSecurityDescriptorFlags_None)
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pFD);
-}
-
-inline BOOL FieldSecurityDescriptor::IsCritical()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & FieldSecurityDescriptorFlags_IsCritical);
-}
-
-inline BOOL FieldSecurityDescriptor::IsTreatAsSafe()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & FieldSecurityDescriptorFlags_IsTreatAsSafe);
-}
-
-#ifndef DACCESS_COMPILE
-
-inline FieldSecurityDescriptor::FieldSecurityDescriptorTransparencyEtwEvents::FieldSecurityDescriptorTransparencyEtwEvents(const FieldSecurityDescriptor *pFSD)
- : m_pFSD(pFSD)
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, FieldTransparencyComputationStart))
- {
- LPCWSTR module = m_pFSD->m_pFD->GetModule()->GetPathForErrorMessages();
-
- SString field;
- TypeString::AppendType(field, TypeHandle(m_pFSD->m_pFD->GetApproxEnclosingMethodTable()));
- field.AppendUTF8("::");
- field.AppendUTF8(m_pFSD->m_pFD->GetName());
-
- ETW::SecurityLog::FireFieldTransparencyComputationStart(field.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId);
- }
-}
-
-inline FieldSecurityDescriptor::FieldSecurityDescriptorTransparencyEtwEvents::~FieldSecurityDescriptorTransparencyEtwEvents()
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, FieldTransparencyComputationEnd))
- {
- LPCWSTR module = m_pFSD->m_pFD->GetModule()->GetPathForErrorMessages();
-
- SString field;
- TypeString::AppendType(field, TypeHandle(m_pFSD->m_pFD->GetApproxEnclosingMethodTable()));
- field.AppendUTF8("::");
- field.AppendUTF8(m_pFSD->m_pFD->GetName());
-
- ETW::SecurityLog::FireFieldTransparencyComputationEnd(field.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId,
- !!(m_pFSD->m_flags & FieldSecurityDescriptorFlags_IsCritical),
- !!(m_pFSD->m_flags & FieldSecurityDescriptorFlags_IsTreatAsSafe));
- }
-}
-
-#endif //!DACCESS_COMPILE
-
-inline TypeSecurityDescriptor::TypeSecurityDescriptor(MethodTable *pMT) :
- m_pMT(pMT->GetCanonicalMethodTable()),
- m_pTokenDeclActionInfo(NULL),
- m_fIsComputed(FALSE)
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pMT);
-}
-
-inline BOOL TypeSecurityDescriptor::HasLinkOrInheritanceDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return HasLinktimeDeclarativeSecurity() || HasInheritanceDeclarativeSecurity();
-}
-
-inline BOOL TypeSecurityDescriptor::HasLinktimeDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMT->GetClass()->RequiresLinktimeCheck();
-}
-
-inline BOOL TypeSecurityDescriptor::HasInheritanceDeclarativeSecurity()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMT->GetClass()->RequiresInheritanceCheck();
-}
-
-inline BOOL TypeSecurityDescriptor::IsCritical()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- EEClass *pClass = m_pMT->GetClass();
- if (!pClass->HasCriticalTransparentInfo())
- {
- ComputeCriticalTransparentInfo();
- }
-
- return pClass->IsAllCritical()
- ;
-}
-
-inline BOOL TypeSecurityDescriptor::IsOpportunisticallyCritical()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- ModuleSecurityDescriptor *pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(m_pMT->GetAssembly());
- return pModuleSecDesc->IsOpportunisticallyCritical();
-}
-
-inline BOOL TypeSecurityDescriptor::IsAllCritical()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- EEClass *pClass = m_pMT->GetClass();
- if (!pClass->HasCriticalTransparentInfo())
- ComputeCriticalTransparentInfo();
- return pClass->IsAllCritical();
-}
-
-inline BOOL TypeSecurityDescriptor::IsAllTransparent()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- EEClass *pClass = m_pMT->GetClass();
- if (!pClass->HasCriticalTransparentInfo())
- ComputeCriticalTransparentInfo();
- return pClass->IsAllTransparent();
-}
-
-inline BOOL TypeSecurityDescriptor::IsTreatAsSafe()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- EEClass *pClass = m_pMT->GetClass();
- if (!pClass->HasCriticalTransparentInfo())
- ComputeCriticalTransparentInfo();
- return pClass->IsTreatAsSafe();
-}
-
-inline mdToken TypeSecurityDescriptor::GetToken()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMT->GetCl();
-}
-
-inline IMDInternalImport *TypeSecurityDescriptor::GetIMDInternalImport()
-{
- WRAPPER_NO_CONTRACT;
- return m_pMT->GetMDImport();
-}
-
-inline TokenDeclActionInfo* TypeSecurityDescriptor::GetTokenDeclActionInfo()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return m_pTokenDeclActionInfo;
-}
-
-inline TypeSecurityDescriptorFlags operator|(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline TypeSecurityDescriptorFlags operator|=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline TypeSecurityDescriptorFlags operator&(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline TypeSecurityDescriptorFlags operator&=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline HRESULT TypeSecurityDescriptor::GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE)
-{
- WRAPPER_NO_CONTRACT;
- return GetTokenDeclActionInfo()->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE);
-}
-
-// static
-inline HRESULT TypeSecurityDescriptor::GetDeclaredPermissionsWithCache(MethodTable *pTargetMT,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE)
-{
- WRAPPER_NO_CONTRACT;
- TypeSecurityDescriptor* pTypeSecurityDesc = GetTypeSecurityDescriptor(pTargetMT);
- _ASSERTE(pTypeSecurityDesc != NULL);
- return pTypeSecurityDesc->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE);
-}
-
-// static
-inline OBJECTREF TypeSecurityDescriptor::GetLinktimePermissions(MethodTable *pMT,
- OBJECTREF *prefNonCasDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (!pMT->GetClass()->RequiresLinktimeCheck())
- return NULL;
-
- TypeSecurityDescriptor* pTypeSecurityDesc = GetTypeSecurityDescriptor(pMT);
- _ASSERTE(pTypeSecurityDesc != NULL);
- return pTypeSecurityDesc->GetTokenDeclActionInfo()->GetLinktimePermissions(prefNonCasDemands);
-}
-
-inline void TypeSecurityDescriptor::InvokeLinktimeChecks(Assembly* pCaller)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
- if (!HasLinktimeDeclarativeSecurity())
- return;
- GetTokenDeclActionInfo()->InvokeLinktimeChecks(pCaller);
-}
-
-// Determine if the type by this TypeSecurityDescriptor is participating in type equivalence. Note that this
-// is only checking to see if the type would like to participate in equivalence, and not if it is actually
-// equivalent to anything - which allows its transparency to be the same regardless of what other types have
-// been loaded.
-inline BOOL TypeSecurityDescriptor::IsTypeEquivalent()
-{
- WRAPPER_NO_CONTRACT;
-
- return m_pMT->GetClass()->IsEquivalentType();
-}
-
-// static
-inline void TypeSecurityDescriptor::InvokeLinktimeChecks(MethodTable *pMT, Assembly* pCaller)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
- if (!pMT->GetClass()->RequiresLinktimeCheck())
- return;
- GetTypeSecurityDescriptor(pMT)->InvokeLinktimeChecks(pCaller);
-}
-
-inline void TypeSecurityDescriptor::VerifyDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- if (m_fIsComputed)
- {
- return;
- }
-
- BOOL canTypeSecDescCached = CanTypeSecurityDescriptorBeCached(m_pMT);
- if (!canTypeSecDescCached)
- {
- VerifyDataComputedInternal();
- }
- else
- {
- TypeSecurityDescriptor* pCachedTypeSecurityDesc = GetTypeSecurityDescriptor(m_pMT);
- *this = *pCachedTypeSecurityDesc; // copy the struct
- _ASSERTE(m_fIsComputed);
- }
-
- return;
-}
-
-inline TypeSecurityDescriptor& TypeSecurityDescriptor::operator=(const TypeSecurityDescriptor &tsd)
-{
- LIMITED_METHOD_CONTRACT;
-
- m_pMT = tsd.m_pMT;
- m_pTokenDeclActionInfo = tsd.m_pTokenDeclActionInfo;
- m_fIsComputed = tsd.m_fIsComputed;
-
- return *this;
-}
-
-#ifndef DACCESS_COMPILE
-
-inline TypeSecurityDescriptor::TypeSecurityDescriptorTransparencyEtwEvents::TypeSecurityDescriptorTransparencyEtwEvents(const TypeSecurityDescriptor *pTSD)
- : m_pTSD(pTSD)
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TypeTransparencyComputationStart))
- {
- LPCWSTR module = m_pTSD->m_pMT->GetModule()->GetPathForErrorMessages();
-
- SString type;
- if (!IsNilToken(m_pTSD->m_pMT->GetCl()))
- {
- TypeString::AppendType(type, TypeHandle(m_pTSD->m_pMT));
- }
-
- ETW::SecurityLog::FireTypeTransparencyComputationStart(type.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId);
- }
-
-}
-
-inline TypeSecurityDescriptor::TypeSecurityDescriptorTransparencyEtwEvents::~TypeSecurityDescriptorTransparencyEtwEvents()
-{
- WRAPPER_NO_CONTRACT;
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TypeTransparencyComputationEnd))
- {
- LPCWSTR module = m_pTSD->m_pMT->GetModule()->GetPathForErrorMessages();
-
- SString type;
- if (!IsNilToken(m_pTSD->m_pMT->GetCl()))
- {
- TypeString::AppendType(type, TypeHandle(m_pTSD->m_pMT));
- }
-
- BOOL fIsAllCritical = FALSE;
- BOOL fIsAllTransparent = FALSE;
- BOOL fIsCritical = FALSE;
- BOOL fIsTreatAsSafe = FALSE;
-
- EEClass *pClass = m_pTSD->m_pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- fIsAllCritical = pClass->IsAllCritical();
- fIsAllTransparent = pClass->IsAllTransparent();
- fIsCritical = pClass->IsCritical();
- fIsTreatAsSafe = pClass->IsTreatAsSafe();
- }
-
- ETW::SecurityLog::FireTypeTransparencyComputationEnd(type.GetUnicode(),
- module,
- ::GetAppDomain()->GetId().m_dwId,
- fIsAllCritical,
- fIsAllTransparent,
- fIsCritical,
- fIsTreatAsSafe);
- }
-
-}
-
-#endif //!DACCESS_COMPILE
-
-inline ModuleSecurityDescriptorFlags operator|(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline ModuleSecurityDescriptorFlags operator|=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline ModuleSecurityDescriptorFlags operator&(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline ModuleSecurityDescriptorFlags operator&=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline ModuleSecurityDescriptorFlags operator~(ModuleSecurityDescriptorFlags flags)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<ModuleSecurityDescriptorFlags>(~static_cast<DWORD>(flags));
-}
-
-inline ModuleSecurityDescriptor::ModuleSecurityDescriptor(PTR_Module pModule) :
- m_pModule(pModule),
- m_flags(ModuleSecurityDescriptorFlags_None),
- m_tokenFlags(TokenSecurityDescriptorFlags_None)
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pModule);
-}
-
-// static
-inline BOOL ModuleSecurityDescriptor::IsMarkedTransparent(Assembly* pAssembly)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- return GetModuleSecurityDescriptor(pAssembly)->IsAllTransparent();
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Override the token flags that would be read from the metadata directly with a
-// precomputed set of flags. This is used by reflection emit to create a dynamic assembly
-// with security attributes given at creation time.
-//
-
-inline void ModuleSecurityDescriptor::OverrideTokenFlags(TokenSecurityDescriptorFlags tokenFlags)
-{
- CONTRACTL
- {
- LIMITED_METHOD_CONTRACT;
- PRECONDITION(!(m_flags & ModuleSecurityDescriptorFlags_IsComputed));
- PRECONDITION(m_tokenFlags == TokenSecurityDescriptorFlags_None);
- PRECONDITION(CheckPointer(m_pModule));
- PRECONDITION(m_pModule->GetAssembly()->IsDynamic()); // Token overrides should only be used by reflection
- }
- CONTRACTL_END;
-
- m_tokenFlags = tokenFlags;
-}
-
-inline TokenSecurityDescriptorFlags ModuleSecurityDescriptor::GetTokenFlags()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- if (m_tokenFlags == TokenSecurityDescriptorFlags_None)
- {
- Assembly *pAssembly = m_pModule->GetAssembly();
- TokenSecurityDescriptor tsd(pAssembly->GetManifestModule(), pAssembly->GetManifestToken());
- EnsureWritablePages(&m_tokenFlags);
- InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_tokenFlags),
- tsd.GetFlags(),
- TokenSecurityDescriptorFlags_None);
- }
-
- return m_tokenFlags;
-}
-
-inline Module *ModuleSecurityDescriptor::GetModule()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pModule;
-}
-
-#ifdef DACCESS_COMPILE
-inline ModuleSecurityDescriptorFlags ModuleSecurityDescriptor::GetRawFlags()
-{
- LIMITED_METHOD_CONTRACT;
- return m_flags;
-}
-#endif // DACCESS_COMPILE
-
-inline BOOL ModuleSecurityDescriptor::IsAllTransparent()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_IsAllTransparent);
-}
-
-inline BOOL ModuleSecurityDescriptor::IsAllCritical()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_IsAllCritical);
-}
-
-inline BOOL ModuleSecurityDescriptor::IsTreatAsSafe()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_IsTreatAsSafe);
-}
-
-inline BOOL ModuleSecurityDescriptor::IsOpportunisticallyCritical()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical);
-}
-
-inline BOOL ModuleSecurityDescriptor::IsAllTransparentDueToPartialTrust()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust);
-}
-
-inline BOOL ModuleSecurityDescriptor::IsMixedTransparency()
-{
- WRAPPER_NO_CONTRACT;
- return !IsAllCritical() && !IsAllTransparent();
-}
-
-
-#if defined(FEATURE_CORESYSTEM)
-inline BOOL ModuleSecurityDescriptor::IsAPTCA()
-{
- WRAPPER_NO_CONTRACT;
- VerifyDataComputed();
- return !!(m_flags & ModuleSecurityDescriptorFlags_IsAPTCA);
-}
-#endif // defined(FEATURE_CORESYSTEM)
-
-// Get the set of security rules that the assembly is using
-inline SecurityRuleSet ModuleSecurityDescriptor::GetSecurityRuleSet()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // If the assembly specified a rule set, then use that. If it's a v2 assembly, then use the v2 rules.
- // Otherwise, use the default rule set.
- TokenSecurityDescriptorFlags tokenFlags = GetTokenFlags();
- if (tokenFlags & TokenSecurityDescriptorFlags_SecurityRules)
- {
- return ::GetSecurityRuleSet(tokenFlags);
- }
- else
- {
- // The assembly hasn't specified the rule set that it needs to use. We'll just use the default rule
- // set unless the environment is overriding that with another value.
- DWORD dwDefaultRuleSet = CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_DefaultSecurityRuleSet);
-
- if (dwDefaultRuleSet == 0)
- {
- return SecurityRuleSet_Default;
- }
- else
- {
- return static_cast<SecurityRuleSet>(dwDefaultRuleSet);
- }
- }
-}
-
-#ifndef DACCESS_COMPILE
-
-inline ModuleSecurityDescriptor::ModuleSecurityDescriptorTransparencyEtwEvents::ModuleSecurityDescriptorTransparencyEtwEvents(ModuleSecurityDescriptor *pMSD)
- : m_pMSD(pMSD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, ModuleTransparencyComputationStart))
- {
- LPCWSTR module = m_pMSD->m_pModule->GetPathForErrorMessages();
-
- ETW::SecurityLog::FireModuleTransparencyComputationStart(module,
- ::GetAppDomain()->GetId().m_dwId);
- }
-}
-
-inline ModuleSecurityDescriptor::ModuleSecurityDescriptorTransparencyEtwEvents::~ModuleSecurityDescriptorTransparencyEtwEvents()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- }
- CONTRACTL_END
-
- if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, ModuleTransparencyComputationEnd))
- {
- LPCWSTR module = m_pMSD->m_pModule->GetPathForErrorMessages();
-
- ETW::SecurityLog::FireModuleTransparencyComputationEnd(module,
- ::GetAppDomain()->GetId().m_dwId,
- !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsAllCritical),
- !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsAllTransparent),
- !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsTreatAsSafe),
- !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical),
- m_pMSD->GetSecurityRuleSet());
- }
-}
-
-#endif //!DACCESS_COMPILE
-
-inline MethodSecurityDescriptorFlags operator|(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline MethodSecurityDescriptorFlags operator|=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline MethodSecurityDescriptorFlags operator&(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline MethodSecurityDescriptorFlags operator&=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline void MethodSecurityDescriptor::VerifyDataComputed()
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- if (m_flags & MethodSecurityDescriptorFlags_IsComputed)
- return;
-
- BOOL canMethSecDescCached = (CanCache() && CanMethodSecurityDescriptorBeCached(m_pMD));
- if (!canMethSecDescCached)
- {
- VerifyDataComputedInternal();
- }
- else
- {
- LookupOrCreateMethodSecurityDescriptor(this);
- _ASSERTE(m_flags & MethodSecurityDescriptorFlags_IsComputed);
- }
-
- return;
-}
-
-#endif // __SECURITYMETA_INL__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-//The .NET Foundation licenses this file to you under the MIT license.
-//See the LICENSE file in the project root for more information.
-
-
-#include "common.h"
-
-#include "security.h"
-#include "perfcounters.h"
-#include "eventtrace.h"
-#include "appdomainstack.inl"
-
-#ifndef FEATURE_PAL
-#include <shlobj.h>
-#include <Accctrl.h>
-#include <Aclapi.h>
-#include "urlmon.h"
-#endif // !FEATURE_PAL
-
-#ifndef CROSSGEN_COMPILE
-void *SecurityProperties::operator new(size_t size, LoaderHeap *pHeap)
-{
- WRAPPER_NO_CONTRACT;
- return pHeap->AllocMem(S_SIZE_T(size));
-}
-
-void SecurityProperties::operator delete(void *pMem)
-{
- LIMITED_METHOD_CONTRACT;
- // No action required
-}
-
-
-void SecurityPolicy::Start()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-#ifndef FEATURE_PAL
- // Making sure we are in sync with URLMon
- _ASSERTE(URLZONE_LOCAL_MACHINE == LocalMachine);
- _ASSERTE(URLZONE_INTRANET == Intranet);
- _ASSERTE(URLZONE_TRUSTED == Trusted);
- _ASSERTE(URLZONE_INTERNET == Internet);
- _ASSERTE(URLZONE_UNTRUSTED == Untrusted);
-#endif // !FEATURE_PAL
-
-}
-
-void SecurityPolicy::Stop()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-}
-
-
-void QCALLTYPE SecurityPolicy::GetGrantedPermissions(QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied, QCall::StackCrawlMarkHandle stackmark)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- AppDomain* pDomain = NULL;
-
- Assembly* callerAssembly = SystemDomain::GetCallersAssembly( stackmark, &pDomain );
- _ASSERTE( callerAssembly != NULL);
-
- IAssemblySecurityDescriptor* pSecDesc = callerAssembly->GetSecurityDescriptor(pDomain);
- _ASSERTE( pSecDesc != NULL );
-
- {
- GCX_COOP();
-
- OBJECTREF orDenied;
- OBJECTREF orGranted = pSecDesc->GetGrantedPermissionSet(&orDenied);
-
- retGranted.Set(orGranted);
- retDenied.Set(orDenied);
- }
-
- END_QCALL;
-}
-
-
-void SecurityPolicy::CreateSecurityException(__in_z const char *szDemandClass, DWORD dwFlags, OBJECTREF *pThrowable)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- MAKE_WIDEPTR_FROMUTF8(wszDemandClass, szDemandClass);
-
- MethodTable * pMT = MscorlibBinder::GetClass(CLASS__SECURITY_EXCEPTION);
-
-
- UNREFERENCED_PARAMETER(szDemandClass);
- UNREFERENCED_PARAMETER(dwFlags);
-
- // Allocate the security exception object
- *pThrowable = AllocateObject(pMT);
- CallDefaultConstructor(*pThrowable);
-
-}
-
-DECLSPEC_NORETURN void SecurityPolicy::ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- GCX_COOP();
-
- struct _gc {
- OBJECTREF throwable;
- } gc;
- memset(&gc, 0, sizeof(gc));
-
- GCPROTECT_BEGIN(gc);
-
- CreateSecurityException(szDemandClass, dwFlags, &gc.throwable);
- COMPlusThrow(gc.throwable);
-
- GCPROTECT_END();
-}
-
-
-#endif // CROSSGEN_COMPILE
-
-BOOL SecurityPolicy::CanSkipVerification(DomainAssembly * pAssembly)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- PRECONDITION(CheckPointer(pAssembly));
- } CONTRACTL_END;
-
- BOOL canSkipVerification = TRUE;
- if (!pAssembly->IsSystem())
- {
- AssemblySecurityDescriptor *pSec;
- {
- GCX_COOP();
- pSec = static_cast<AssemblySecurityDescriptor*>(pAssembly->GetSecurityDescriptor());
- }
- _ASSERTE(pSec);
- if (pSec)
- {
- canSkipVerification = pSec->CanSkipVerification();
- }
- else
- {
- canSkipVerification = FALSE;
- }
- }
-
- return canSkipVerification;
-}
-
-BOOL SecurityPolicy::CanCallUnmanagedCode(Module *pModule)
-{
- CONTRACTL {
- THROWS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pModule));
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- SharedSecurityDescriptor *pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pModule->GetAssembly()->GetSharedSecurityDescriptor());
- if (pSharedSecDesc)
- return pSharedSecDesc->CanCallUnmanagedCode();
-
- AssemblySecurityDescriptor *pSec = static_cast<AssemblySecurityDescriptor*>(pModule->GetSecurityDescriptor());
- _ASSERTE(pSec);
- return pSec->CanCallUnmanagedCode();
-}
-
-#ifndef CROSSGEN_COMPILE
-
-
-BOOL QCALLTYPE SecurityPolicy::IsLocalDrive(LPCWSTR wszPath)
-{
- QCALL_CONTRACT;
-
- BOOL retVal = FALSE;
-
-#ifndef FEATURE_PAL
- BEGIN_QCALL;
-
- WCHAR rootPath[4];
- ZeroMemory( rootPath, sizeof( rootPath ) );
-
- rootPath[0] = wszPath[0];
- wcscat_s( rootPath, COUNTOF(rootPath), W(":\\") );
-
- UINT driveType = WszGetDriveType( rootPath );
- retVal =
- (driveType == DRIVE_REMOVABLE ||
- driveType == DRIVE_FIXED ||
- driveType == DRIVE_CDROM ||
- driveType == DRIVE_RAMDISK);
-
- END_QCALL;
-
-#else // !FEATURE_PAL
- retVal = TRUE;
-#endif // !FEATURE_PAL
-
- return retVal;
-}
-
-void QCALLTYPE SecurityPolicy::_GetLongPathName(LPCWSTR wszPath, QCall::StringHandleOnStack retLongPath)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
-#if !defined(PLATFORM_UNIX)
- PathString wszBuffer;
-
- if (SecurityPolicy::GetLongPathNameHelper( wszPath, wszBuffer ) != 0)
- {
- retLongPath.Set( wszBuffer.GetUnicode() );
- }
-#endif // !PLATFORM_UNIX
-
- END_QCALL;
-}
-
-#if !defined(PLATFORM_UNIX)
-size_t GetLongPathNameHelperthatThrows(const WCHAR* wszShortPath, SString& wszBuffer)
-{
- CONTRACTL{
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- DWORD size = WszGetLongPathName(wszShortPath, wszBuffer);
-
- if (size == 0)
- {
- // We have to deal with files that do not exist so just
- // because GetLongPathName doesn't give us anything doesn't
- // mean that we can give up. We iterate through the input
- // trying GetLongPathName on every subdirectory until
- // it succeeds or we run out of string.
-
- size_t len = wcslen(wszShortPath);
- NewArrayHolder<WCHAR> wszIntermediateBuffer = new (nothrow) WCHAR[len + 1];
-
- if (wszIntermediateBuffer == NULL)
- {
- return 0;
- }
-
- wcscpy_s(wszIntermediateBuffer, len + 1, wszShortPath);
-
- size_t index = len;
-
- do
- {
- while (index > 0 && (wszIntermediateBuffer[index - 1] != W('\\') && wszIntermediateBuffer[index - 1] != W('/')))
- --index;
-
- if (index == 0)
- break;
-
-#ifdef _PREFAST_
-#pragma prefast(push)
-#pragma prefast(disable:26001, "suppress prefast warning about underflow by doing index-1 which is checked above.")
-#endif // _PREFAST_
-
- wszIntermediateBuffer[index - 1] = W('\0');
-
-#ifdef _PREFAST_
-#pragma prefast(pop)
-#endif
-
- size = WszGetLongPathName(wszIntermediateBuffer, wszBuffer);
-
- if (size != 0)
- {
-
- int sizeBuffer = wszBuffer.GetCount();
-
- if (wszBuffer[sizeBuffer - 1] != W('\\') && wszBuffer[sizeBuffer - 1] != W('/'))
- wszBuffer.Append(W("\\"));
-
- wszBuffer.Append(&wszIntermediateBuffer[index]);
-
-
- return (DWORD)wszBuffer.GetCount();
-
- }
- } while (true);
-
- return 0;
- }
- else
- {
- return (DWORD)wszBuffer.GetCount();
- }
-}
-size_t SecurityPolicy::GetLongPathNameHelper(const WCHAR* wszShortPath, SString& wszBuffer)
-{
- CONTRACTL{
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- HRESULT hr = S_OK;
- size_t retval = 0;
-
- EX_TRY
- {
- retval = GetLongPathNameHelperthatThrows(wszShortPath,wszBuffer);
- }
- EX_CATCH_HRESULT(hr);
-
- if (hr != S_OK)
- {
- retval = 0;
- }
-
- return retval;
-}
-
-#endif // !PLATFORM_UNIX
-
-void QCALLTYPE SecurityPolicy::GetDeviceName(LPCWSTR wszDriveLetter, QCall::StringHandleOnStack retDeviceName)
-{
- QCALL_CONTRACT;
-
-}
-
-
-FCIMPL0(void, SecurityPolicy::IncrementOverridesCount)
-{
- FCALL_CONTRACT;
-
- Thread *pThread = GetThread();
- pThread->IncrementOverridesCount();
-}
-FCIMPLEND
-
-FCIMPL0(void, SecurityPolicy::DecrementOverridesCount)
-{
- FCALL_CONTRACT;
-
- Thread *pThread = GetThread();
- pThread->DecrementOverridesCount();
-}
-FCIMPLEND
-
-FCIMPL0(void, SecurityPolicy::IncrementAssertCount)
-{
- FCALL_CONTRACT;
-
- Thread *pThread = GetThread();
- pThread->IncrementAssertCount();
-}
-FCIMPLEND
-
-FCIMPL0(void, SecurityPolicy::DecrementAssertCount)
-{
- FCALL_CONTRACT;
-
- Thread *pThread = GetThread();
- pThread->DecrementAssertCount();
-}
-FCIMPLEND
-
-
-
-BOOL QCALLTYPE SecurityPolicy::IsSameType(LPCWSTR pLeft, LPCWSTR pRight)
-{
- QCALL_CONTRACT;
-
- BOOL bEqual = FALSE;
-
- BEGIN_QCALL;
-
-// @telesto: Is this #ifdef-#else-#endif required anymore? Used to be needed when security was bypassing
-// loader and accessing Fusion interfaces. Seems like that's been fixed to use GetFusionNameFrom...
- bEqual=TRUE;
-
- END_QCALL;
-
- return bEqual;
-}
-
-FCIMPL1(FC_BOOL_RET, SecurityPolicy::SetThreadSecurity, CLR_BOOL fThreadSecurity)
-{
- FCALL_CONTRACT;
-
- Thread* pThread = GetThread();
- BOOL inProgress = pThread->IsSecurityStackwalkInProgess();
- pThread->SetSecurityStackwalkInProgress(fThreadSecurity);
- FC_RETURN_BOOL(inProgress);
-}
-FCIMPLEND
-
-FCIMPL0(FC_BOOL_RET, SecurityPolicy::IsDefaultThreadSecurityInfo)
-{
- FCALL_CONTRACT;
-
- FC_RETURN_BOOL(SecurityStackWalk::HasFlagsOrFullyTrusted(0));
-}
-FCIMPLEND
-
-#endif // CROSSGEN_COMPILE
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYPOLICY_H__
-#define __SECURITYPOLICY_H__
-
-#include "crst.h"
-#include "objecthandle.h"
-#include "securityattributes.h"
-#include "securitydeclarativecache.h"
-#include "declsec.h"
-#include "fcall.h"
-#include "qcall.h"
-#include "cgensys.h"
-
-#define SPFLAGSASSERTION 0x01
-#define SPFLAGSUNMANAGEDCODE 0x02
-#define SPFLAGSSKIPVERIFICATION 0x04
-
-#define CORSEC_STACKWALK_HALTED 0x00000001 // Stack walk was halted
-#define CORSEC_FT_ASSERT 0x00000004 // Hit a FT-assert during the stackwalk
-
-// Forward declarations to avoid pulling in too many headers.
-class Frame;
-class FramedMethodFrame;
-class ClassLoader;
-class Thread;
-class CrawlFrame;
-class SystemNative;
-class NDirect;
-class SystemDomain;
-class AssemblySecurityDescriptor;
-class SharedSecurityDescriptor;
-class SecurityStackWalkData;
-class DemandStackWalk;
-class SecurityDescriptor;
-class COMPrincipal;
-
-#define CLR_CASOFF_MUTEX W("Global\\CLR_CASOFF_MUTEX")
-
-// This enumeration must be kept in sync with the managed System.Security.Policy.EvidenceTypeGenerated enum
-typedef enum
-{
- kAssemblySupplied, // Evidence supplied by the assembly itself
- kGac, // System.Security.Policy.GacInstalled
- kHash, // System.Security.Policy.Hash
- kPermissionRequest, // System.Security.Policy.PermissionRequestEvidence
- kPublisher, // System.Security.Policy.Publisher
- kSite, // System.Security.Policy.Site
- kStrongName, // System.Security.Policy.StrongName
- kUrl, // System.Security.Policy.Url
- kZone // System.Security.Policy.Zone
-}
-EvidenceType;
-
-namespace SecurityPolicy
-{
- // -----------------------------------------------------------
- // FCalls
- // -----------------------------------------------------------
-
- BOOL QCALLTYPE IsSameType(LPCWSTR pLeft, LPCWSTR pRight);
-
- FCDECL1(FC_BOOL_RET, SetThreadSecurity, CLR_BOOL fThreadSecurity);
-
- void QCALLTYPE GetGrantedPermissions(QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied, QCall::StackCrawlMarkHandle stackmark);
-
-
-
- FCDECL0(FC_BOOL_RET, IsDefaultThreadSecurityInfo);
- void QCALLTYPE _GetLongPathName(LPCWSTR wszPath, QCall::StringHandleOnStack retLongPath);
-
- BOOL QCALLTYPE IsLocalDrive(LPCWSTR wszPath);
-
- void QCALLTYPE GetDeviceName(LPCWSTR wszDriveLetter, QCall::StringHandleOnStack retDeviceName);
-
- FCDECL0(VOID, IncrementOverridesCount);
-
- FCDECL0(VOID, DecrementOverridesCount);
-
- FCDECL0(VOID, IncrementAssertCount);
-
- FCDECL0(VOID, DecrementAssertCount);
-
-
-//private:
- // -----------------------------------------------------------
- // Init methods
- // -----------------------------------------------------------
-
- // Calls all the security-related init methods
- // Callers:
- // EEStartupHelper
- void Start();
-
- // Calls all the security-related shutdown methods
- // Callers:
- // <currently unused> @TODO: shouldn't EEShutDownHelper call this?
- void Stop();
-
-
-
- // -----------------------------------------------------------
- // Policy
- // -----------------------------------------------------------
-
- // Returns TRUE if the assembly has permission to call unmanaged code
- // Callers:
- // CEEInfo::getNewHelper
- // MakeStubWorker
- // MethodDesc::DoPrestub
- BOOL CanCallUnmanagedCode(Module *pModule);
-
- // Throws a security exception
- // Callers:
- // JIT_SecurityUnmanagedCodeException
- void CreateSecurityException(__in_z const char *szDemandClass, DWORD dwFlags, OBJECTREF* pThrowable);
- DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);
-
- BOOL CanSkipVerification(DomainAssembly * pAssembly);
-
- // Like WszGetLongPathName, but it works with nonexistant files too
- size_t GetLongPathNameHelper( const WCHAR* wszShortPath, SString& wszBuffer);
-
-}
-
-struct SharedPermissionObjects
-{
- OBJECTHANDLE hPermissionObject; // Commonly used Permission Object
- BinderClassID idClass; // ID of class
- BinderMethodID idConstructor; // ID of constructor to call
- DWORD dwPermissionFlag; // Flag needed by the constructors (Only a single argument is assumed)
-};
-
-/******** Shared Permission Objects related constants *******/
-#define NUM_PERM_OBJECTS (sizeof(g_rPermObjectsTemplate) / sizeof(SharedPermissionObjects))
-
-// Constants to use with SecurityPermission
-#define SECURITY_PERMISSION_ASSERTION 1 // SecurityPermission.cs
-#define SECURITY_PERMISSION_UNMANAGEDCODE 2 // SecurityPermission.cs
-#define SECURITY_PERMISSION_SKIPVERIFICATION 4 // SecurityPermission.cs
-#define SECURITY_PERMISSION_CONTROLEVIDENCE 0x20 // SecurityPermission.cs
-#define SECURITY_PERMISSION_SERIALIZATIONFORMATTER 0X80 // SecurityPermission.cs
-#define SECURITY_PERMISSION_CONTROLPRINCIPAL 0x200 // SecurityPermission.cs
-#define SECURITY_PERMISSION_BINDINGREDIRECTS 0X2000 // SecurityPermission.cs
-
-// Constants to use with ReflectionPermission
-#define REFLECTION_PERMISSION_TYPEINFO 1 // ReflectionPermission.cs
-#define REFLECTION_PERMISSION_MEMBERACCESS 2 // ReflectionPermission.cs
-#define REFLECTION_PERMISSION_RESTRICTEDMEMBERACCESS 8 // ReflectionPermission.cs
-
-// PermissionState.Unrestricted
-#define PERMISSION_STATE_UNRESTRICTED 1 // PermissionState.cs
-
-// Array index in SharedPermissionObjects array
-// Note: these should all be permissions that implement IUnrestrictedPermission.
-// Any changes to these must be reflected in bcl\system\security\codeaccesssecurityengine.cs and the above table
-
-// special flags
-#define SECURITY_UNMANAGED_CODE 0
-#define SECURITY_SKIP_VER 1
-#define REFLECTION_TYPE_INFO 2
-#define SECURITY_ASSERT 3
-#define REFLECTION_MEMBER_ACCESS 4
-#define SECURITY_SERIALIZATION 5
-#define REFLECTION_RESTRICTED_MEMBER_ACCESS 6
-#define SECURITY_FULL_TRUST 7
-#define SECURITY_BINDING_REDIRECTS 8
-
-// special permissions
-#define UI_PERMISSION 9
-#define ENVIRONMENT_PERMISSION 10
-#define FILEDIALOG_PERMISSION 11
-#define FILEIO_PERMISSION 12
-#define REFLECTION_PERMISSION 13
-#define SECURITY_PERMISSION 14
-
-// additional special flags
-#define SECURITY_CONTROL_EVIDENCE 16
-#define SECURITY_CONTROL_PRINCIPAL 17
-
-// Objects corresponding to the above index could be Permission or PermissionSet objects.
-// Helper macro to identify which kind it is. If you're adding to the index above, please update this also.
-#define IS_SPECIAL_FLAG_PERMISSION_SET(x) ((x) == SECURITY_FULL_TRUST)
-
-// Class holding a grab bag of security stuff we need on a per-appdomain basis.
-struct SecurityContext
-{
- // Cached declarative permissions per method
- EEPtrHashTable m_pCachedMethodPermissionsHash;
- SimpleRWLock * m_prCachedMethodPermissionsLock;
- SecurityDeclarativeCache m_pSecurityDeclarativeCache;
- size_t m_nCachedPsetsSize;
-
- SecurityContext(LoaderHeap* pHeap) :
- m_prCachedMethodPermissionsLock(NULL),
- m_nCachedPsetsSize(0)
- {
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- // initialize cache of method-level declarative security permissions
- // Note that the method-level permissions are stored elsewhere
- m_prCachedMethodPermissionsLock = new SimpleRWLock(PREEMPTIVE, LOCK_TYPE_DEFAULT);
- if (!m_pCachedMethodPermissionsHash.Init(100, &g_lockTrustMeIAmThreadSafe))
- ThrowOutOfMemory();
-
- m_pSecurityDeclarativeCache.Init (pHeap);
- }
-
- ~SecurityContext()
- {
- CONTRACTL {
- NOTHROW;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- // no need to explicitly delete the cache contents, since they will be deallocated with the AppDomain's heap
- if (m_prCachedMethodPermissionsLock) delete m_prCachedMethodPermissionsLock;
- }
-};
-
-#ifdef _DEBUG
-
-#define DBG_TRACE_METHOD(cf) \
- do { \
- MethodDesc * __pFunc = cf -> GetFunction(); \
- if (__pFunc) { \
- LOG((LF_SECURITY, LL_INFO1000, \
- " Method: %s.%s\n", \
- (__pFunc->m_pszDebugClassName == NULL) ? \
- "<null>" : __pFunc->m_pszDebugClassName, \
- __pFunc->GetName())); \
- } \
- } while (false)
-
-#define DBG_TRACE_STACKWALK(msg, verbose) LOG((LF_SECURITY, (verbose) ? LL_INFO10000 : LL_INFO1000, msg))
-#else //_DEBUG
-
-#define DBG_TRACE_METHOD(cf)
-#define DBG_TRACE_STACKWALK(msg, verbose)
-
-#endif //_DEBUG
-
-
-#endif // __SECURITYPOLICY_H__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-
-//
-
-
-#ifndef __SECURITYSTACKWALK_H__
-#define __SECURITYSTACKWALK_H__
-
-#include "common.h"
-
-#include "object.h"
-#include "util.hpp"
-#include "fcall.h"
-#include "perfcounters.h"
-#include "security.h"
-#include "holder.h"
-
-class ApplicationSecurityDescriptor;
-class DemandStackWalk;
-class CountOverridesStackWalk;
-class AssertStackWalk;
-struct TokenDeclActionInfo;
-
-//-----------------------------------------------------------
-// SecurityStackWalk implements all the native methods
-// for the managed class System.Security.CodeAccessSecurityEngine.
-//-----------------------------------------------------------
-class SecurityStackWalk
-{
-protected:
-
- SecurityStackWalkType m_eStackWalkType;
- DWORD m_dwFlags;
-
-public:
- struct ObjectCache
- {
- struct gc
- {
- OBJECTREF object1;
- OBJECTREF object2;
- }
- m_sGC;
- AppDomain* m_pOriginalDomain;
-
-#ifndef DACCESS_COMPILE
- OBJECTREF GetObjects(AppDomain *pDomain, OBJECTREF *porObject2)
- {
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- *porObject2 = m_sGC.object2;
- return m_sGC.object1;
- };
- OBJECTREF GetObject(AppDomain *pDomain)
- {
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- return m_sGC.object1;
- };
- void SetObject(OBJECTREF orObject)
- {
- LIMITED_METHOD_CONTRACT;
- m_pOriginalDomain = ::GetAppDomain();
- m_sGC.object1 = orObject;
- }
-
- // Set the original values of both cached objects.
- void SetObjects(OBJECTREF orObject1, OBJECTREF orObject2)
- {
- LIMITED_METHOD_CONTRACT;
- m_pOriginalDomain = ::GetAppDomain();
- m_sGC.object1 = orObject1;
- m_sGC.object2 = orObject2;
- }
-
- void UpdateObject(AppDomain *pDomain, OBJECTREF orObject)
- {
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- m_sGC.object1 = orObject;
- }
-#endif //!DACCESS_COMPILE
- ObjectCache()
- {
- m_pOriginalDomain = NULL;
- ZeroMemory(&m_sGC,sizeof(m_sGC));
- }
-
- } m_objects;
-
- SecurityStackWalk(SecurityStackWalkType eType, DWORD flags)
- {
- LIMITED_METHOD_CONTRACT;
- m_eStackWalkType = eType;
- m_dwFlags = flags;
- }
-
- // ----------------------------------------------------
- // FCalls
- // ----------------------------------------------------
-
- // FCall wrapper for CheckInternal
- static FCDECL3(void, Check, Object* permOrPermSetUNSAFE, StackCrawlMark* stackMark, CLR_BOOL isPermSet);
- static void CheckFramed(Object* permOrPermSetUNSAFE, StackCrawlMark* stackMark, CLR_BOOL isPermSet);
-
- // FCALL wrapper for quickcheckforalldemands
- static FCDECL0(FC_BOOL_RET, FCallQuickCheckForAllDemands);
- static FCDECL0(FC_BOOL_RET, FCallAllDomainsHomogeneousWithNoStackModifiers);
-
-
- static FCDECL3(void, GetZoneAndOrigin, Object* pZoneListUNSAFE, Object* pOriginListUNSAFE, StackCrawlMark* stackMark);
-
- // Do an imperative assert. (Check the for the permission and return the SecurityObject for the first frame)
- static FCDECL4(Object*, CheckNReturnSO, Object* permTokenUNSAFE, Object* permUNSAFE, StackCrawlMark* stackMark, INT32 create);
-
-
- // Do a demand for a special permission type
- static FCDECL2(void, FcallSpecialDemand, DWORD whatPermission, StackCrawlMark* stackMark);
-
- // ----------------------------------------------------
- // Checks
- // ----------------------------------------------------
-
- // Methods for checking grant and refused sets
-
-public:
- void CheckPermissionAgainstGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
-protected:
- void CheckSetAgainstGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
- void GetZoneAndOriginGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
- // Methods for checking stack modifiers
- BOOL CheckPermissionAgainstFrameData(OBJECTREF refFrameData, AppDomain* pDomain, MethodDesc* pMethod);
- BOOL CheckSetAgainstFrameData(OBJECTREF refFrameData, AppDomain* pDomain, MethodDesc* pMethod);
-
-public:
- // ----------------------------------------------------
- // CAS Actions
- // ----------------------------------------------------
-
- // Native version of CodeAccessPermission.Demand()
- // Callers:
- // <Currently unused>
- static void Demand(SecurityStackWalkType eType, OBJECTREF demand);
-
- // Demand all of the permissions granted to an assembly, with the exception of any identity permissions
- static void DemandGrantSet(AssemblySecurityDescriptor *psdAssembly);
-
- // Native version of PermissionSet.Demand()
- // Callers:
- // CanAccess (ReflectionInvocation)
- // ReflectionSerialization::GetSafeUninitializedObject
- static void DemandSet(SecurityStackWalkType eType, OBJECTREF demand);
-
- // Native version of PermissionSet.Demand() that delays instantiating the PermissionSet object
- // Callers:
- // InvokeDeclarativeActions
- static void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction);
-
-
- static void ReflectionTargetDemand(DWORD dwPermission, AssemblySecurityDescriptor *psdTarget);
-
- static void ReflectionTargetDemand(DWORD dwPermission,
- AssemblySecurityDescriptor *psdTarget,
- DynamicResolver * pAccessContext);
-
- // Optimized demand for a well-known permission
- // Callers:
- // SecurityDeclarative::DoDeclarativeActions
- // Security::CheckLinkDemandAgainstAppDomain
- // TryDemand (ReflectionInvocation)
- // CanAccess (ReflectionInvocation)
- // ReflectionInvocation::CanValueSpecialCast
- // RuntimeTypeHandle::CreateInstance
- // RuntimeMethodHandle::InvokeMethod_Internal
- // InvokeArrayConstructor (ReflectionInvocation)
- // ReflectionInvocation::InvokeDispMethod
- // COMArrayInfo::CreateInstance
- // COMArrayInfo::CreateInstanceEx
- // COMDelegate::BindToMethodName
- // InvokeUtil::CheckArg
- // InvokeUtil::ValidField
- // RefSecContext::CallerHasPerm
- // MngStdItfBase::ForwardCallToManagedView
- // ObjectClone::Clone
- static void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission, StackCrawlMark* stackMark = NULL);
-
- // ----------------------------------------------------
- // Compressed Stack
- // ----------------------------------------------------
-public:
-
-#ifndef DACCESS_COMPILE
- FORCEINLINE static BOOL HasFlagsOrFullyTrustedIgnoreMode (DWORD flags);
- FORCEINLINE static BOOL HasFlagsOrFullyTrusted (DWORD flags);
-#endif // #ifndef DACCESS_COMPILE
-
-public:
- // Perf Counters
- FORCEINLINE static VOID IncrementSecurityPerfCounter()
- {
- CONTRACTL {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- SO_TOLERANT;
- } CONTRACTL_END;
- COUNTER_ONLY(GetPerfCounters().m_Security.cTotalRTChecks++);
- }
-
- // ----------------------------------------------------
- // Misc
- // ----------------------------------------------------
- static bool IsSpecialRunFrame(MethodDesc *pMeth);
-
- static BOOL SkipAndFindFunctionInfo(INT32, MethodDesc**, OBJECTREF**, AppDomain **ppAppDomain = NULL);
- static BOOL SkipAndFindFunctionInfo(StackCrawlMark*, MethodDesc**, OBJECTREF**, AppDomain **ppAppDomain = NULL);
-
- // Check the provided demand set against the provided grant/refused set
- static void CheckSetHelper(OBJECTREF *prefDemand,
- OBJECTREF *prefGrant,
- OBJECTREF *prefDenied,
- AppDomain *pGrantDomain,
- MethodDesc *pMethod,
- OBJECTREF *pAssembly,
- CorDeclSecurity action);
-
- // Check for Link/Inheritance CAS permissions
- static void LinkOrInheritanceCheck(IAssemblySecurityDescriptor *pSecDesc, OBJECTREF refDemands, Assembly* pAssembly, CorDeclSecurity action);
-
-private:
- FORCEINLINE static BOOL QuickCheckForAllDemands(DWORD flags);
-
- // Tries to avoid unnecessary demands
- static BOOL PreCheck(OBJECTREF* orDemand, BOOL fDemandSet = FALSE);
- static DWORD GetPermissionSpecialFlags (OBJECTREF* orDemand);
-
- // Does a demand for a CodeAccessPermission : First does PreCheck. If PreCheck fails then calls Check_StackWalk
- static void Check_PLS_SW(BOOL isPermSet, SecurityStackWalkType eType, OBJECTREF* permOrPermSet, StackCrawlMark* stackMark);
-
- // Calls into Check_PLS_SW after GC protecting "perm "
- static void Check_PLS_SW_GC(BOOL isPermSet, SecurityStackWalkType eType, OBJECTREF permOrPermSet, StackCrawlMark* stackMark);
-
- // Walks the stack for a CodeAccessPermission demand (assumes PreCheck was already called)
- static void Check_StackWalk(SecurityStackWalkType eType, OBJECTREF* pPerm, StackCrawlMark* stackMark, BOOL isPermSet);
-
- // Walk the stack and count all the frame descriptors with an Assert, Deny, or PermitOnly
- static VOID UpdateOverridesCount();
-};
-
-
-#endif /* __SECURITYSTACKWALK_H__ */
-
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securityTransparentAssembly.cpp
-//
-// Implementation for transparent code feature
-//
-//--------------------------------------------------------------------------
-
-
-#include "common.h"
-#include "field.h"
-#include "securitydeclarative.h"
-#include "security.h"
-#include "customattribute.h"
-#include "securitytransparentassembly.h"
-#include "securitymeta.h"
-#include "typestring.h"
-#include "comdelegate.h"
-
-#if defined(FEATURE_PREJIT)
-#include "compile.h"
-#endif
-
-#ifdef _DEBUG
-//
-// In debug builds of the CLR, we support a mode where transparency errors are not enforced with exceptions; instead
-// they are written to the CLR debug log. This allows us to migrate tests from the v2 to the v4 transparency model by
-// allowing test runs to continue to the end of the run, and keeping a log file of which assemblies need migration.
-//
-
-// static
-void SecurityTransparent::LogTransparencyError(Assembly *pAssembly, const LPCSTR szError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pAssembly));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S': %s\n",
- strAssemblyName.GetUnicode(),
- szError));
-}
-
-// static
-void SecurityTransparent::LogTransparencyError(MethodTable *pMT, const LPCSTR szError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMT));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- Assembly *pAssembly = pMT->GetAssembly();
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Type '%s': %s\n",
- strAssemblyName.GetUnicode(),
- pMT->GetDebugClassName(),
- szError));
-}
-
-// static
-void SecurityTransparent::LogTransparencyError(MethodDesc *pMD, const LPCSTR szError, MethodDesc *pTargetMD /* = NULL */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMD));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- Assembly *pAssembly = pMD->GetAssembly();
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- if (pTargetMD == NULL)
- {
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Method '%s::%s': %s\n",
- strAssemblyName.GetUnicode(),
- pMD->m_pszDebugClassName,
- pMD->m_pszDebugMethodName,
- szError));
- }
- else
- {
- Assembly *pTargetAssembly = pTargetMD->GetAssembly();
- const SString &strTargetAssemblyName = pTargetAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Method '%s::%s' - Target Assembly '%S': %s\n",
- strAssemblyName.GetUnicode(),
- pMD->m_pszDebugClassName,
- pMD->m_pszDebugMethodName,
- strTargetAssemblyName.GetUnicode(),
- szError));
- }
-}
-
-#endif // _DEBUG
-
-// There are a few places we throw transparency method access exceptions that aren't "real"
-// method access exceptions - such as unverifiable code in a transparent assembly, and having a critical
-// attribute on a transparent method. Those continue to use the one-MethodDesc form of throwing -
-// everything else should use the standard ::ThrowMethodAccessException call
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowMethodAccessException(MethodDesc* pMD,
- DWORD dwMessageId /* = IDS_CRITICAL_METHOD_ACCESS_DENIED */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // throw method access exception
- StackSString strMethod;
- TypeString::AppendMethod(strMethod, pMD, pMD->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature);
- COMPlusThrowHR(COR_E_METHODACCESS, dwMessageId, strMethod.GetUnicode());
-}
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowTypeLoadException(MethodDesc* pMethod, DWORD dwMessageID /* = IDS_METHOD_INHERITANCE_RULES_VIOLATED */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pMethod));
- }
- CONTRACTL_END;
-
- // Throw an exception here
- StackSString strMethod;
- StackScratchBuffer buffer;
- TypeString::AppendMethod(strMethod, pMethod, pMethod->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets | TypeString::FormatSignature);
- pMethod->GetAssembly()->ThrowTypeLoadException(strMethod.GetUTF8(buffer), dwMessageID);
-}
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowTypeLoadException(MethodTable *pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- // Throw an exception here
- StackScratchBuffer buffer;
- SString strType;
- TypeString::AppendType(strType, TypeHandle(pMT), TypeString::FormatNamespace | TypeString::FormatAngleBrackets );
- pMT->GetAssembly()->ThrowTypeLoadException(strType.GetUTF8(buffer), IDS_TYPE_INHERITANCE_RULES_VIOLATED);
-}
-
-static BOOL IsTransparentCallerAllowed(MethodDesc *pCallerMD, MethodDesc *pCalleeMD, SecurityTransparencyError *pError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- PRECONDITION(CheckPointer(pError, NULL_OK));
- PRECONDITION(pCallerMD->IsTransparent());
- }
- CONTRACTL_END;
-
- // If the target is critical, and not treat as safe, then we cannot allow the call
- if (Security::IsMethodCritical(pCalleeMD) && !Security::IsMethodSafeCritical(pCalleeMD))
- {
- if (pError != NULL)
- {
- *pError = SecurityTransparencyError_CallCriticalMethod;
- }
-
- return FALSE;
- }
-
- return TRUE;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Convert the critical member to a LinkDemand for FullTrust, and convert that LinkDemand to a
-// full demand. If the current call stack allows this conversion to succeed, this method returns. Otherwise
-// a security exception is thrown.
-//
-// Arguments:
-// pCallerMD - The method calling the critical method
-//
-
-static void ConvertCriticalMethodToLinkDemand(MethodDesc *pCallerMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(pCallerMD->IsTransparent());
- PRECONDITION(pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods());
- }
- CONTRACTL_END;
-
-}
-
-// static
-BOOL SecurityTransparent::CheckCriticalAccess(AccessCheckContext* pContext,
- MethodDesc* pOptionalTargetMethod,
- FieldDesc* pOptionalTargetField,
- MethodTable * pOptionalTargetType)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pContext));
- }
- CONTRACTL_END;
-
- // At most one of these should be non-NULL
- _ASSERTE(1 >= ((pOptionalTargetMethod ? 1 : 0) +
- (pOptionalTargetField ? 1 : 0) +
- (pOptionalTargetType ? 1 : 0)));
-
- // okay caller is transparent, additional checks needed
- BOOL fIsTargetCritical = FALSE; // check if target is critical
- BOOL fIsTargetSafe = FALSE; // check if target is marked safe
- Assembly *pTargetAssembly = NULL;
-
- if (pOptionalTargetMethod != NULL)
- {
- fIsTargetCritical = IsMethodCritical(pOptionalTargetMethod);
- fIsTargetSafe = IsMethodSafeCritical(pOptionalTargetMethod);
- pTargetAssembly = pOptionalTargetMethod->GetAssembly();
- }
- else if (pOptionalTargetField != NULL)
- {
- FieldSecurityDescriptor fieldSecurityDescriptor(pOptionalTargetField);
- fIsTargetCritical = fieldSecurityDescriptor.IsCritical();
- fIsTargetSafe = fieldSecurityDescriptor.IsTreatAsSafe();
- pTargetAssembly = pOptionalTargetField->GetModule()->GetAssembly();
- }
- else if (pOptionalTargetType != NULL)
- {
- fIsTargetCritical = IsTypeAllCritical(pOptionalTargetType); // check for only all critical classes
- fIsTargetSafe = IsTypeSafeCritical(pOptionalTargetType);
- pTargetAssembly = pOptionalTargetType->GetAssembly();
- }
-
- // If the target is transparent or safe critical, then no further checks are needed. Otherwise, if a
- // legacy caller is targeting a new critical method, we may be able to allow the call by converting
- // the critical method to a LinkDemand for FullTrust and converting the LinkDemand to a full demand.
- //
- // This allows for the case where a v2 transparent assembly called a method that was proteced by a
- // LinkDemand in v2 and followed our suggested path of converting to being critical in v4. By treating
- // the v4 critical method as if it were protected with a LinkDmeand instead, we're simply reversing this
- // conversion to provide compatible behavior with legacy binaries
- if (!fIsTargetCritical || fIsTargetSafe)
- {
- return TRUE;
- }
-
- if (pContext->IsCalledFromInterop())
- return TRUE;
-
- MethodDesc* pCurrentMD = pContext->GetCallerMethod();
- MethodTable* pCurrentMT = pContext->GetCallerMT();
-
- // Not from interop but the caller is NULL, this can only happen
- // when we are checking from a Type/Assembly.
- if (pCurrentMD != NULL)
- {
- // TODO: need to probably CheckCastToClass as well..
- if (!IsMethodTransparent(pCurrentMD))
- {
- // Return TRUE if caller is NULL (interop caller) or critical.
- return TRUE;
- }
-
- // On the coreCLR, a method can be transparent even if the containing type is marked Critical.
- // This will happen when that method is an override of a base transparent method, and the type that
- // contains the override is marked Critical. And that's the only case it can happen.
- // This particular case is not a failure. To state this another way, from a security transpararency perspective,
- // a method will always have access to the type that it is a member of.
- if (pOptionalTargetType == pCurrentMD->GetMethodTable())
- {
- return TRUE;
- }
-
- // an attached profiler may wish to have these checks suppressed
- if (Security::BypassSecurityChecksForProfiler(pCurrentMD))
- {
- return TRUE;
- }
-
- if (pTargetAssembly != NULL &&
- pTargetAssembly->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand() &&
- pCurrentMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods())
- {
- // Convert the critical member to a LinkDemand for FullTrust, and convert that LinkDemand to a
- // full demand. If the resulting full demand for FullTrust is successful, then we'll allow the access
- // to the critical method to succeed
- ConvertCriticalMethodToLinkDemand(pCurrentMD);
- return TRUE;
- }
- }
- else if (pCurrentMT != NULL)
- {
- if (!IsTypeTransparent(pCurrentMT))
- {
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-// Determine if a method is allowed to perform a CAS assert within the transparency rules. Generally, only
-// critical code may assert. However, for compatibility with v2.0 we allow asserts from transparent code if
-// the following criteria are met:
-// 1. The assembly is a true v2.0 binary, and is not just using v2.0 transparency rules via the
-// SecurityRuleSet.Level1 annotation.
-// 2. The assembly is agnostic to transparency (that is, if it were fully trusted it would be
-// opprotunistically critical).
-// 3. We are currently in a heterogenous AppDomain.
-//
-// This compensates for the fact that while partial trust code could have asserted in v2.0, it can no longer
-// assert in v4.0 as we force it to be transparent. While the v2.0 transparency rules still don't allow
-// asserting, assemblies that would have been critical in v2.0 are allowed to continue asserting in v4.0.
-
-// static
-BOOL SecurityTransparent::IsAllowedToAssert(MethodDesc *pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // Critical code is always allowed to assert
- if (IsMethodCritical(pMD))
- {
- return TRUE;
- }
-
- // On CoreCLR only critical code may ever assert - there are no compatibility reasons to allow
- // transparent asserts.
- return FALSE;
-}
-
-// Functor class to aid in determining if a type requires a transparency check
-class TypeRequiresTransparencyCheckFunctor
-{
-private:
- bool m_requiresTransparencyCheck;
- bool m_checkForLinkDemands;
-
-public:
- TypeRequiresTransparencyCheckFunctor(bool checkForLinkDemands) :
- m_requiresTransparencyCheck(false),
- m_checkForLinkDemands(checkForLinkDemands)
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- TypeRequiresTransparencyCheckFunctor(const TypeRequiresTransparencyCheckFunctor &other); // not implemented
-
- bool RequiresTransparencyCheck() const
- {
- LIMITED_METHOD_CONTRACT;
- return m_requiresTransparencyCheck;
- }
-
- void operator()(MethodTable *pMT)
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // We only need to do a check if so far none of the other component typpes required a transparency
- // check. Critical, but not safe critical, types require transparency checks of their callers.
- if (!m_requiresTransparencyCheck)
- {
- m_requiresTransparencyCheck = Security::IsTypeCritical(pMT) && !Security::IsTypeSafeCritical(pMT) &&
- (!m_checkForLinkDemands || pMT->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand());
- }
- }
-};
-
-// Determine if accessing a type requires doing a transparency check - this checks to see if the type
-// itself, or any of its generic variables are security critical.
-
-// static
-bool SecurityTransparent::TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- TypeRequiresTransparencyCheckFunctor typeChecker(checkForLinkDemands);
- type.ForEachComponentMethodTable(typeChecker);
- return typeChecker.RequiresTransparencyCheck();
-}
-
-CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(MethodDesc * pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- /* XXX Fri 1/12/2007
- * This code is cloned from security.inl!Security::CanSkipVerification(MethodDesc, BOOL).
- */
- // Special case the System.Object..ctor:
- // System.Object..ctor is not verifiable according to current verifier rules (that require to call the
- // base class ctor). But since we want System.Object..ctor() to be marked transparent, it cannot be
- // unverifiable (telesto security rules prohibit transparent code from being unverifiable)
-
-#ifndef DACCESS_COMPILE
- if (g_pObjectCtorMD == pMD)
- return CORINFO_VERIFICATION_CAN_SKIP;
-#endif //!DACCESS_COMPILE
-
- // If a profiler is attached, we may want to bypass verification as well
- if (Security::BypassSecurityChecksForProfiler(pMD))
- {
- return CORINFO_VERIFICATION_CAN_SKIP;
- }
-
- BOOL hasSkipVerificationPermisson = false;
- DomainAssembly * pDomainAssembly = pMD->GetAssembly()->GetDomainAssembly();
- hasSkipVerificationPermisson = Security::CanSkipVerification(pDomainAssembly);
-
- CorInfoCanSkipVerificationResult canSkipVerif = hasSkipVerificationPermisson ? CORINFO_VERIFICATION_CAN_SKIP : CORINFO_VERIFICATION_CANNOT_SKIP;
-
-
- return canSkipVerif;
-}
-
-CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(DomainAssembly * pAssembly)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_PREEMPTIVE;
- }
- CONTRACTL_END;
-
- BOOL hasSkipVerificationPermisson = Security::CanSkipVerification(pAssembly);
-
- CorInfoCanSkipVerificationResult canSkipVerif = hasSkipVerificationPermisson ? CORINFO_VERIFICATION_CAN_SKIP : CORINFO_VERIFICATION_CANNOT_SKIP;
-
- // If the assembly has permission to skip verification, but its transparency model requires that
- // transparency can only be skipped with a runtime demand, then we need to make sure that there is a
- // runtime check done.
- if (hasSkipVerificationPermisson)
- {
- // In CoreCLR, do not enable transparency checks here. We depend on this method being "honest" in
- // JITCanSkipVerification to skip transparency checks on profile assemblies.
- }
-
- return canSkipVerif;
-}
-
-// Determine if a method can quickly exit a runtime callout from the JIT - a true return value indicates
-// that the callout is not needed, false means that we cannot quicky exit
-
-// static
-bool SecurityTransparent::SecurityCalloutQuickCheck(MethodDesc *pCallerMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_COOPERATIVE;
- SO_TOLERANT;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(pCallerMD->HasCriticalTransparentInfo());
- }
- CONTRACTL_END;
-
- // In coreclr, we modified the logic in the callout to also do some transparency method access checks
- // These checks need to happen regardless of trust level and we shouldn't be bailing out early
- // just because we happen to be in Full Trust
-
- return false;
-}
-
-CorInfoIsAccessAllowedResult SecurityTransparent::RequiresTransparentAssemblyChecks(MethodDesc* pCallerMD,
- MethodDesc* pCalleeMD,
- SecurityTransparencyError *pError)
-{
- LIMITED_METHOD_CONTRACT;
- return RequiresTransparentCodeChecks(pCallerMD, pCalleeMD, pError);
-}
-
-CorInfoIsAccessAllowedResult SecurityTransparent::RequiresTransparentCodeChecks(MethodDesc* pCallerMD,
- MethodDesc* pCalleeMD,
- SecurityTransparencyError *pError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- PRECONDITION(CheckPointer(pError, NULL_OK));
- PRECONDITION(!pCalleeMD->IsILStub());
- }
- CONTRACTL_END;
-
- // check if the caller assembly is transparent and NOT an interception stub (e.g. marshalling)
- bool doChecks = !pCallerMD->IsILStub() && IsMethodTransparent(pCallerMD);
-
- if (doChecks && Security::IsTransparencyEnforcementEnabled())
- {
- if (!IsTransparentCallerAllowed(pCallerMD, pCalleeMD, pError))
- {
- // intercept the call to throw a MAE at runtime (more debuggable than throwing MAE at JIT-time)
- // IsTransparentCallerAllowed will have set pError if necessary
- return CORINFO_ACCESS_RUNTIME_CHECK;
- }
-
- // Check to see if the callee has a LinkDemand, if so we may need to intercept the call.
- if (pCalleeMD->RequiresLinktimeCheck())
- {
- if (pCalleeMD->RequiresLinkTimeCheckHostProtectionOnly())
- {
- // exclude HPA which are marked as LinkDemand and there is no HostProtection enabled currently
- return CORINFO_ACCESS_ALLOWED;
- }
-
- // There was a reason other than simply conditional APTCA that the method required a linktime
- // check - intercept the call later.
- if (pError != NULL)
- {
- *pError = SecurityTransparencyError_CallLinkDemand;
- }
-
- return CORINFO_ACCESS_RUNTIME_CHECK;
- }
- }
-
- return CORINFO_ACCESS_ALLOWED;
-}
-
-
-#ifndef CROSSGEN_COMPILE
-
-// Perform appropriate Transparency checks if the caller to the Load(byte[] ) without passing in an input Evidence is Transparent
-VOID SecurityTransparent::PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallerMD, AssemblySecurityDescriptor* pLoadedSecDesc)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END
-
-}
-
-static void ConvertLinkDemandToFullDemand(MethodDesc* pCallerMD, MethodDesc* pCalleeMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- PRECONDITION(pCallerMD->IsTransparent());
- }
- CONTRACTL_END;
-
- if (!pCalleeMD->RequiresLinktimeCheck() ||
- pCalleeMD->RequiresLinkTimeCheckHostProtectionOnly())
- {
- return;
- }
-
- if (!Security::IsTransparencyEnforcementEnabled())
- {
- return;
- }
-
- // Profilers may wish to suppress linktime checks for methods they're profiling
- if (Security::BypassSecurityChecksForProfiler(pCallerMD))
- {
- return;
- }
-
- struct
- {
- OBJECTREF refClassNonCasDemands;
- OBJECTREF refClassCasDemands;
- OBJECTREF refMethodNonCasDemands;
- OBJECTREF refMethodCasDemands;
- OBJECTREF refThrowable;
- }
- gc;
- ZeroMemory(&gc, sizeof(gc));
- GCPROTECT_BEGIN(gc);
-
- LinktimeCheckReason linktimeCheckReason = Security::GetLinktimeCheckReason(pCalleeMD,
- &gc.refClassCasDemands,
- &gc.refClassNonCasDemands,
- &gc.refMethodCasDemands,
- &gc.refMethodNonCasDemands);
-
-
-
- // The following logic turns link demands on the target method into full stack walks
-
- if ((linktimeCheckReason & LinktimeCheckReason_CasDemand) ||
- (linktimeCheckReason & LinktimeCheckReason_NonCasDemand))
- {
- // If we found a link demand, then we need to make sure that both the callee's transparency model
- // allows for it to satisfy a link demand. We check both since a v4 caller calling a v2 assembly may
- // be attempting to satisfy a LinkDemand which the v2 assembly has not yet had a chance to remove.
- if (!pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods() &&
- !pCalleeMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods() &&
- (gc.refClassCasDemands != NULL || gc.refMethodCasDemands != NULL))
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling a LinkDemand protected method", pCalleeMD);
- }
- if (!g_pConfig->DisableTransparencyEnforcement())
-#endif // _DEBUG
- {
- ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_LINKDEMAND);
- }
- }
-
- // CAS Link Demands
- if (gc.refClassCasDemands != NULL)
- Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refClassCasDemands);
- if (gc.refMethodCasDemands != NULL)
- Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refMethodCasDemands);
-
- // Non-CAS demands are not applied against a grant set, they're standalone.
- if (gc.refClassNonCasDemands != NULL)
- Security::CheckNonCasDemand(&gc.refClassNonCasDemands);
- if (gc.refMethodNonCasDemands != NULL)
- Security::CheckNonCasDemand(&gc.refMethodNonCasDemands);
- }
-
-
- //
- // Make sure that the callee is allowed to call unmanaged code if the target is native.
- //
-
- if (linktimeCheckReason & LinktimeCheckReason_NativeCodeCall)
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling unmanaged code");
- }
-#endif // _DEBUG
-
- if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallUnmanagedCode())
- {
- }
- else
- {
- ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_NATIVE);
- }
- }
-
- GCPROTECT_END();
-}
-
-
-VOID SecurityTransparent::EnforceTransparentAssemblyChecks(MethodDesc* pCallerMD, MethodDesc* pCalleeMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(Security::IsMethodTransparent(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- if (!Security::IsTransparencyEnforcementEnabled())
- {
- return;
- }
-
- // Profilers may wish to suppress transparency checks for methods they're profiling
- if (Security::BypassSecurityChecksForProfiler(pCallerMD))
- {
- return;
- }
-
- // if target is critical, and not marked as TreatAsSafe, Access ERROR.
- if (Security::IsMethodCritical(pCalleeMD) && !Security::IsMethodSafeCritical(pCalleeMD))
- {
-
- const SecurityTransparencyBehavior *pCalleeTransparency =
- pCalleeMD->GetAssembly()->GetSecurityTransparencyBehavior();
- const SecurityTransparencyBehavior *pCallerTransparency =
- pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior();
-
- // If critical methods in the target can be converted to a link demand for legacy callers, then we
- // need to do that conversion. Otherwise, this access is disallowed.
- if (pCalleeTransparency->CanCriticalMembersBeConvertedToLinkDemand() &&
- pCallerTransparency->CanTransparentCodeCallLinkDemandMethods())
- {
- ConvertCriticalMethodToLinkDemand(pCallerMD);
- }
- else
- {
- // Conversion to a LinkDemand was not allowed, so we need to
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- LogTransparencyError(pCallerMD, "Transparent method accessing a critical method", pCalleeMD);
- }
-#endif // _DEBUG
- ::ThrowMethodAccessException(pCallerMD, pCalleeMD, TRUE, IDS_E_CRITICAL_METHOD_ACCESS_DENIED);
- }
- }
-
- ConvertLinkDemandToFullDemand(pCallerMD, pCalleeMD);
-}
-
-
-VOID SecurityTransparent::EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCalleeMD)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pDelegateMT));
- PRECONDITION(CheckPointer(pCalleeMD));
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- // We only enforce delegate binding rules in partial trust
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- return;
-
- StackSString strMethod;
- TypeString::AppendMethod(strMethod, pCalleeMD, pCalleeMD->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature);
- StackSString strDelegateType;
- TypeString::AppendType(strDelegateType, pDelegateMT, TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature);
-
- COMPlusThrowHR(COR_E_METHODACCESS, IDS_E_DELEGATE_BINDING_TRANSPARENCY, strDelegateType.GetUnicode(), strMethod.GetUnicode());
-}
-
-#endif // CROSSGEN_COMPILE
-
-
-BOOL SecurityTransparent::IsMethodTransparent(MethodDesc* pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // Is transparency info cached?
- if (pMD->HasCriticalTransparentInfo())
- {
- return !pMD->IsCritical();
- }
-
- MethodSecurityDescriptor methSecurityDescriptor(pMD);
- return !methSecurityDescriptor.IsCritical();
-}
-
-BOOL SecurityTransparent::IsMethodCritical(MethodDesc* pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // Is transparency info cached?
- if (pMD->HasCriticalTransparentInfo())
- {
- return pMD->IsCritical();
- }
-
- MethodSecurityDescriptor methSecurityDescriptor(pMD);
- return methSecurityDescriptor.IsCritical();
-}
-
-// Returns True if a method is SafeCritical (=> not Transparent and not Critical)
-BOOL SecurityTransparent::IsMethodSafeCritical(MethodDesc* pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // Is transparency info cached?
- if (pMD->HasCriticalTransparentInfo())
- {
- return (pMD->IsCritical() && pMD->IsTreatAsSafe());
- }
-
- MethodSecurityDescriptor methSecurityDescriptor(pMD);
- return (methSecurityDescriptor.IsCritical() && methSecurityDescriptor.IsTreatAsSafe());
-}
-
-BOOL SecurityTransparent::IsTypeCritical(MethodTable *pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- EEClass *pClass = pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- return pClass->IsCritical();
- }
-
- TypeSecurityDescriptor typeSecurityDescriptor(pMT);
- return typeSecurityDescriptor.IsCritical();
-}
-
-BOOL SecurityTransparent::IsTypeSafeCritical(MethodTable *pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- EEClass *pClass = pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- return pClass->IsCritical() && pClass->IsTreatAsSafe();
- }
-
- TypeSecurityDescriptor typeSecurityDescriptor(pMT);
- return typeSecurityDescriptor.IsCritical() &&
- typeSecurityDescriptor.IsTreatAsSafe();
-}
-
-BOOL SecurityTransparent::IsTypeTransparent(MethodTable *pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- EEClass *pClass = pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- return !pClass->IsCritical();
- }
-
- TypeSecurityDescriptor typeSecurityDescriptor(pMT);
- return !typeSecurityDescriptor.IsCritical();
-}
-
-// Returns TRUE if a type is transparent and contains only transparent members
-// static
-BOOL SecurityTransparent::IsTypeAllTransparent(MethodTable * pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- EEClass *pClass = pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- return pClass->IsAllTransparent();
- }
-
- TypeSecurityDescriptor typeSecurityDescriptor(pMT);
- return typeSecurityDescriptor.IsAllTransparent();
-}
-
-BOOL SecurityTransparent::IsTypeAllCritical(MethodTable * pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- EEClass *pClass = pMT->GetClass();
- if (pClass->HasCriticalTransparentInfo())
- {
- return pClass->IsAllCritical();
- }
-
- TypeSecurityDescriptor typeSecurityDescriptor(pMT);
- return typeSecurityDescriptor.IsAllCritical();
-}
-
-BOOL SecurityTransparent::IsFieldTransparent(FieldDesc* pFD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- FieldSecurityDescriptor fsd(pFD);
- return !fsd.IsCritical();
-}
-
-BOOL SecurityTransparent::IsFieldCritical(FieldDesc* pFD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- FieldSecurityDescriptor fsd(pFD);
- return fsd.IsCritical();
-}
-
-// Returns True if a method is SafeCritical (=> not Transparent and not Critical)
-BOOL SecurityTransparent::IsFieldSafeCritical(FieldDesc* pFD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- PRECONDITION(CheckPointer(pFD));
- }
- CONTRACTL_END;
-
- FieldSecurityDescriptor fsd(pFD);
- return fsd.IsCritical() && fsd.IsTreatAsSafe();
-}
-
-// Returns True if the token is transparent
-BOOL SecurityTransparent::IsTokenTransparent(Module *pModule, mdToken tkToken)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pModule->GetAssembly());
- if (pMsd->IsAllCritical())
- {
- return FALSE;
- }
-
- const TokenSecurityDescriptorFlags criticalMask = TokenSecurityDescriptorFlags_AllCritical |
- TokenSecurityDescriptorFlags_Critical |
- TokenSecurityDescriptorFlags_SafeCritical;
- TokenSecurityDescriptor tokenSecurityDescriptor(pModule, tkToken);
- return !(tokenSecurityDescriptor.GetMetadataFlags() & criticalMask);
-}
-
-// Fuctor type to do perform class access checks on any disallowed transparent -> critical accesses.
-class DoSecurityClassAccessChecksFunctor
-{
-private:
- MethodDesc *m_pCallerMD;
- CorInfoSecurityRuntimeChecks m_check;
-
-public:
- DoSecurityClassAccessChecksFunctor(MethodDesc *pCallerMD, CorInfoSecurityRuntimeChecks check)
- : m_pCallerMD(pCallerMD),
- m_check(check)
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- DoSecurityClassAccessChecksFunctor(const DoSecurityClassAccessChecksFunctor &other); // not implemented
-
- void operator()(MethodTable *pMT)
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- // We can get caller checks of 0 if we're in AlwaysInsertCallout mode, so make sure to do all of our
- // work under checks for specific flags
- if (m_check & CORINFO_ACCESS_SECURITY_TRANSPARENCY)
- {
- StaticAccessCheckContext accessContext(m_pCallerMD);
-
- if (!Security::CheckCriticalAccess(&accessContext, NULL, NULL, pMT))
- {
- ThrowTypeAccessException(m_pCallerMD, pMT, TRUE, IDS_E_CRITICAL_TYPE_ACCESS_DENIED);
- }
- }
- }
-};
-
-// Check that a calling method is allowed to access a type handle for security reasons. This checks:
-// 1. That transparency allows the caller to use the type
-//
-// The method returns if the checks succeed and throws on error.
-//
-// static
-void SecurityTransparent::DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
- const TypeHandle &calleeTH,
- CorInfoSecurityRuntimeChecks check)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- DoSecurityClassAccessChecksFunctor classAccessChecks(pCallerMD, check);
- calleeTH.ForEachComponentMethodTable(classAccessChecks);
-}
-
-//
-// Transparency behavior implementations
-//
-
-//---------------------------------------------------------------------------------------
-//
-// Transparency behavior implementation for v4 and CoreCLR assemblies
-//
-
-class TransparencyBehaviorImpl : public ISecurityTransparencyImpl
-{
-public:
-
- // Get bits that indicate how transparency should behave in different situations
- virtual SecurityTransparencyBehaviorFlags GetBehaviorFlags() const
- {
- LIMITED_METHOD_CONTRACT;
- return SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck |
- SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand |
- SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced |
- SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent |
- SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods;
- }
-
- // Transparency field behavior mappings:
- // Attribute Behavior
- // -----------------------------------------------------
- // Critical (any) Critical
- // SafeCritical Safe critical
- // TAS (no critical) No effect
- // TAS (with any critical) Safe critical
- virtual FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- FieldSecurityDescriptorFlags fieldFlags = FieldSecurityDescriptorFlags_None;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_Critical)
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsCritical;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe)
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical)
- {
- fieldFlags |= FieldSecurityDescriptorFlags_IsCritical | FieldSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- return fieldFlags;
- }
-
- // Transparency module behavior mappings for an introduced method:
- // Attribute Behavior
- // -----------------------------------------------------
- // Critical (any) Critical
- // SafeCritical Safe critical
- // TAS (no critical) No effect
- // TAS (with any critical) Safe critical
- virtual MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- MethodSecurityDescriptorFlags methodFlags = MethodSecurityDescriptorFlags_None;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_Critical)
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsCritical;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe)
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical)
- {
- methodFlags |= MethodSecurityDescriptorFlags_IsCritical |
- MethodSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- return methodFlags;
- }
-
- // Transparency module behavior mappings:
- // Attribute Behavior
- // -----------------------------------------------------
- // APTCA Mixed transparency + APTCA
- // Critical (scoped) All critical + APTCA
- // Critical (all) All critical + APTCA
- // SafeCritical No effect
- // TAS (no critical) No effect
- // TAS (with scoped critical) All safe critical + APTCA
- // TAS (with all critical) All safe critical + APTCA
- // Transparent All transparent + APTCA
- //
- // If the assembly has no attributes, then it will be opportunistically critical.
- //
- // APTCA is granted to all assemblies because we rely upon transparent code being unable to call critical
- // code to enforce the APTCA check. Since all partial trust code must be transparent, this provides the
- // same effect.
- virtual ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- ModuleSecurityDescriptorFlags moduleFlags = ModuleSecurityDescriptorFlags_None;
-
-#if defined(FEATURE_CORESYSTEM)
- if (tokenFlags & TokenSecurityDescriptorFlags_APTCA)
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA;
- }
-#endif // defined(FEATURE_CORESYSTEM)
-
- if (tokenFlags & TokenSecurityDescriptorFlags_Critical)
- {
- // We don't pay attention to the critical scope if we're not a legacy assembly
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAllCritical;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe)
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_IsTreatAsSafe;
- }
- }
-
- if (tokenFlags & TokenSecurityDescriptorFlags_Transparent)
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent;
- }
-
- // If we didn't see APTCA/CA, Transparent, or any form of Critical, then the assembly is opportunistically
- // critical.
- const ModuleSecurityDescriptorFlags transparencyMask = ModuleSecurityDescriptorFlags_IsAPTCA |
- ModuleSecurityDescriptorFlags_IsAllTransparent |
- ModuleSecurityDescriptorFlags_IsAllCritical;
- if (!(moduleFlags & transparencyMask))
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical;
- }
-
- // If the token asks to not have IL verification done in full trust, propigate that to the module
- if (tokenFlags & TokenSecurityDescriptorFlags_SkipFullTrustVerification)
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_SkipFullTrustVerification;
- }
-
- // We rely on transparent / critical checks to provide APTCA enforcement in the v4 model, so all assemblies
- // get APTCA.
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA;
-
- return moduleFlags;
- }
-
- // Transparency type behavior mappings:
- // Attribute Behavior
- // -----------------------------------------------------
- // Critical (any) All critical
- // SafeCritical All safe critical
- // TAS (no critical) No effect on the type, but save TAS bit since members of the type may be critical
- // TAS (with any critical) All SafeCritical
- virtual TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- SO_INTOLERANT;
- }
- CONTRACTL_END;
-
- TypeSecurityDescriptorFlags typeFlags = TypeSecurityDescriptorFlags_None;
-
- if (tokenFlags & TokenSecurityDescriptorFlags_Critical)
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsCritical |
- TypeSecurityDescriptorFlags_IsAllCritical;
- }
-
- // SafeCritical always means all critical + TAS
- if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical)
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsCritical |
- TypeSecurityDescriptorFlags_IsAllCritical |
- TypeSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe)
- {
- typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe;
- }
-
- return typeFlags;
- }
-};
-
-//
-// Shared transparency behavior objects
-//
-
-//---------------------------------------------------------------------------------------
-//
-// Access a shared security transparency behavior object, creating it if the object has
-// not yet been used.
-//
-
-template <class T>
-const SecurityTransparencyBehavior *GetOrCreateTransparencyBehavior(SecurityTransparencyBehavior **ppBehavior)
-{
- CONTRACT(const SecurityTransparencyBehavior *)
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(ppBehavior));
- POSTCONDITION(CheckPointer(RETVAL));
- }
- CONTRACT_END;
-
- if (*ppBehavior == NULL)
- {
- NewHolder<ISecurityTransparencyImpl> pImpl(new T);
- NewHolder<SecurityTransparencyBehavior> pBehavior(new SecurityTransparencyBehavior(pImpl));
-
- SecurityTransparencyBehavior *pPrevBehavior =
- InterlockedCompareExchangeT(ppBehavior, pBehavior.GetValue(), NULL);
-
- if (pPrevBehavior == NULL)
- {
- pBehavior.SuppressRelease();
- pImpl.SuppressRelease();
- }
- }
-
- RETURN(*ppBehavior);
-}
-
-// Transparency behavior object for v4 transparent assemblies
-// static
-SecurityTransparencyBehavior *SecurityTransparencyBehavior::s_pStandardTransparencyBehavior = NULL;
-
-
-//---------------------------------------------------------------------------------------
-//
-// Get a security transparency object for an assembly with the specified attributes on
-// its manifest
-//
-// Arguments:
-// moduleTokenFlags - flags from reading the security attributes of the assembly's
-// manifest module
-//
-
-const SecurityTransparencyBehavior *SecurityTransparencyBehavior::GetTransparencyBehavior(SecurityRuleSet ruleSet)
-{
- CONTRACT(const SecurityTransparencyBehavior *)
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(ruleSet == SecurityRuleSet_Level1 || ruleSet == SecurityRuleSet_Level2);
- POSTCONDITION(CheckPointer(RETVAL));
- }
- CONTRACT_END;
-
- {
- // Level 2 rules - v4.0 behavior
- RETURN(GetOrCreateTransparencyBehavior<TransparencyBehaviorImpl>(&s_pStandardTransparencyBehavior));
- }
-}
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securityTransparentAssembly.h
-//
-// Implementation for transparent code feature
-//
-
-
-//--------------------------------------------------------------------------
-
-
-#ifndef __SECURITYTRANSPARENT_H__
-#define __SECURITYTRANSPARENT_H__
-
-#include "securitymeta.h"
-
-// Reason that a transparency error was flagged
-enum SecurityTransparencyError
-{
- SecurityTransparencyError_None,
- SecurityTransparencyError_CallCriticalMethod, // A transparent method tried to call a critical method
- SecurityTransparencyError_CallLinkDemand // A transparent method tried to call a method with a LinkDemand
-};
-
-namespace SecurityTransparent
-{
-//private:
- BOOL IsMethodTransparent(MethodDesc *pMD);
- BOOL IsMethodCritical(MethodDesc *pMD);
- BOOL IsMethodSafeCritical(MethodDesc *pMD);
- BOOL IsTypeCritical(MethodTable *pMT);
- BOOL IsTypeSafeCritical(MethodTable *pMT);
- BOOL IsTypeTransparent(MethodTable *pMT);
- BOOL IsTypeAllTransparent(MethodTable *pMT);
- BOOL IsTypeAllCritical(MethodTable *pMT);
- BOOL IsFieldTransparent(FieldDesc *pFD);
- BOOL IsFieldCritical(FieldDesc *pFD);
- BOOL IsFieldSafeCritical(FieldDesc *pFD);
- BOOL IsTokenTransparent(Module *pModule, mdToken tkToken);
-
-//public:
- bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);
-
- CorInfoIsAccessAllowedResult RequiresTransparentCodeChecks(MethodDesc* pCaller,
- MethodDesc* pCallee,
- SecurityTransparencyError *pError);
- CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
- MethodDesc* pCallee,
- SecurityTransparencyError *pError);
- void EnforceTransparentAssemblyChecks(MethodDesc* pCaller, MethodDesc* pCallee);
- void EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCallee);
- CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly);
- CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD);
- VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, AssemblySecurityDescriptor* pLoadedSecDesc);
- BOOL CheckCriticalAccess(AccessCheckContext* pContext,
- MethodDesc* pOptionalTargetMethod,
- FieldDesc* pOptionalTargetField,
- MethodTable * pOptionalTargetType);
- BOOL IsAllowedToAssert(MethodDesc *pMD);
-
- bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands);
-
- void DECLSPEC_NORETURN ThrowMethodAccessException(MethodDesc* pMD, DWORD dwMessageId = IDS_CRITICAL_METHOD_ACCESS_DENIED);
-
- void DECLSPEC_NORETURN ThrowTypeLoadException(MethodDesc* pMD, DWORD dwMessageId = IDS_METHOD_INHERITANCE_RULES_VIOLATED);
- void DECLSPEC_NORETURN ThrowTypeLoadException(MethodTable* pMT);
-
- void DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
- const TypeHandle &calleeTH,
- CorInfoSecurityRuntimeChecks checks);
-#ifdef _DEBUG
- void LogTransparencyError(Assembly *pAssembly, const LPCSTR szError);
- void LogTransparencyError(MethodTable *pMT, const LPCSTR szError);
- void LogTransparencyError(MethodDesc *pMD, const LPCSTR szError, MethodDesc *pTargetMD = NULL);
-#endif // _DEBUG
-};
-
-//
-// Transparency is implemented slightly differently between v2 desktop, v4 desktop, and CoreCLR. In order to
-// support running v2 desktop assemblies on the v4 CLR without modifying their expected transparency behavior,
-// we indirect all questions about what transparency means through a SecurityTransparencyBehavior object.
-//
-// The SecurityTransparencyBehavior object uses implementations of ISecurityTransparencyImpl to query about
-// specific behavior differences.
-//
-
-enum SecurityTransparencyBehaviorFlags
-{
- SecurityTransparencyBehaviorFlags_None = 0x0000,
-
- // Custom attributes require transparency checks in order to be used by transparent code
- SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck = 0x0001,
-
- // Public critical members of an assembly can behave as if they were safe critical with a LinkDemand
- // for FullTrust
- SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand = 0x0002,
-
- // Types and methods must obey the transparency inheritance rules
- SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced = 0x0004,
-
- // Members contained within a scope that introduces members as critical may add their own treat as safe
- SecurityTransparencyBehaviorFlags_IntroducedCriticalsMayAddTreatAsSafe = 0x0008,
-
- // Opportunistically critical assemblies consist of entirely transparent types with entirely safe
- // critical methods.
- SecurityTransparencyBehaviorFlags_OpportunisticIsSafeCriticalMethods = 0x0010,
-
- // Assemblies loaded in partial trust are implicitly all transparent
- SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent = 0x0020,
-
- // All public critical types and methods get an implicit treat as safe marking
- SecurityTransparencyBehaviorFlags_PublicImpliesTreatAsSafe = 0x0040,
-
- // Security critical or safe critical at a larger than method scope applies only to methods introduced
- // within that scope, rather than all methods contained in the scope
- SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods = 0x0080,
-
- // Security transparent code can call methods protected with a LinkDemand
- SecurityTransparencyBehaviorFlags_TransparentCodeCanCallLinkDemand = 0x0100,
-
- // Security transparent code can call native code via P/Invoke or COM Interop
- SecurityTransaprencyBehaviorFlags_TransparentCodeCanCallUnmanagedCode = 0x0200,
-
- // Security transparent code can skip verification with a runtime check
- SecurityTransparencyBehaviorFlags_TransparentCodeCanSkipVerification = 0x0400,
-
- // Unsigned assemblies implicitly are APTCA
- SecurityTransparencyBehaviorFlags_UnsignedImpliesAPTCA = 0x0800,
-};
-
-inline SecurityTransparencyBehaviorFlags operator|(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs);
-
-inline SecurityTransparencyBehaviorFlags operator|=(SecurityTransparencyBehaviorFlags& lhs,
- SecurityTransparencyBehaviorFlags rhs);
-
-inline SecurityTransparencyBehaviorFlags operator&(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs);
-
-inline SecurityTransparencyBehaviorFlags operator&=(SecurityTransparencyBehaviorFlags &lhs,
- SecurityTransparencyBehaviorFlags rhs);
-
-// Base interface for transparency behavior implementations
-class ISecurityTransparencyImpl
-{
-public:
- virtual ~ISecurityTransparencyImpl()
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- // Get flags that indicate specific on/off behaviors of transparency
- virtual SecurityTransparencyBehaviorFlags GetBehaviorFlags() const = 0;
-
- // Map security attributes that a field contains to the set of behaviors it supports
- virtual FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0;
-
- // Map security attributes that a method contains to the set of behaviors it supports
- virtual MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0;
-
- // Map security attributes that a module contains to the set of behaviors it supports
- virtual ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0;
-
- // Map security attributes that a type contains to the set of behaviors it supports
- virtual TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0;
-};
-
-class SecurityTransparencyBehavior
-{
-public:
- // Get a transparency behavior for a module with the given attributes applied to it
- static
- const SecurityTransparencyBehavior *GetTransparencyBehavior(SecurityRuleSet ruleSet);
-
-public:
- // Are types and methods required to obey the transparency inheritance rules
- inline bool AreInheritanceRulesEnforced() const;
-
- // Can public critical members of an assembly behave as if they were safe critical with a LinkDemand
- // for FullTrust
- inline bool CanCriticalMembersBeConvertedToLinkDemand() const;
-
- // Can members contained within a scope that introduces members as critical add their own TreatAsSafe
- // attribute
- inline bool CanIntroducedCriticalMembersAddTreatAsSafe() const;
-
- // Can transparent methods call methods protected with a LinkDemand
- inline bool CanTransparentCodeCallLinkDemandMethods() const;
-
- // Can transparent methods call native code
- inline bool CanTransparentCodeCallUnmanagedCode() const;
-
- // Can transparent members skip verification if the callstack passes a runtime check
- inline bool CanTransparentCodeSkipVerification() const;
-
- // Custom attributes require transparency checks in order to be used by transparent code
- inline bool DoAttributesRequireTransparencyChecks() const;
-
- // Opportunistically critical assemblies consist of entirely transparent types with entirely safe
- // critical methods.
- inline bool DoesOpportunisticRequireOnlySafeCriticalMethods() const;
-
- // Does being loaded in partial trust imply that the assembly is implicitly all transparent
- inline bool DoesPartialTrustImplyAllTransparent() const;
-
- // Do all public members of the assembly get an implicit treat as safe marking
- inline bool DoesPublicImplyTreatAsSafe() const;
-
- // Do security critical or safe critical at a larger than method scope apply only to methods introduced
- // within that scope, or to all methods conateind within the scope.
- inline bool DoesScopeApplyOnlyToIntroducedMethods() const;
-
- // Do unsigned assemblies implicitly become APTCA
- inline bool DoesUnsignedImplyAPTCA() const;
-
- // Get flags that indicate specific on/off behaviors of transparency
- inline FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a method contains to the set of behaviors it supports
- inline MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a module contains to the set of behaviors it supports
- inline ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a type contains to the set of behaviors it supports
- inline TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
-private:
- explicit inline SecurityTransparencyBehavior(ISecurityTransparencyImpl *pTransparencyImpl);
- SecurityTransparencyBehavior(const SecurityTransparencyBehavior &); // not implemented
- SecurityTransparencyBehavior &operator=(const SecurityTransparencyBehavior &); // not implemented
-
-private:
- template <class T>
- friend const SecurityTransparencyBehavior *GetOrCreateTransparencyBehavior(SecurityTransparencyBehavior **ppBehavior);
-
-private:
- static SecurityTransparencyBehavior *s_pStandardTransparencyBehavior;
- static SecurityTransparencyBehavior *s_pLegacyTransparencyBehavior;
-
- ISecurityTransparencyImpl *m_pTransparencyImpl;
- SecurityTransparencyBehaviorFlags m_flags;
-};
-
-#include "securitytransparentassembly.inl"
-
-#endif // __SECURITYTRANSPARENT_H__
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securitytransparentassembly.inl
-//
-// Implementation for transparent code feature
-//
-
-
-//--------------------------------------------------------------------------
-
-
-#ifndef __SECURITYTRANSPARENT_INL__
-#define __SECURITYTRANSPARENT_INL__
-
-//---------------------------------------------------------------------------------------
-//
-// Create a transparency behavior object
-//
-// Arguments:
-// pTransparencyImpl - transparency implementation to base behavior decisions on
-//
-// Notes:
-// The tranparency implementation object must have a lifetime at least as long as the
-// created transparency behavior object.
-//
-
-inline SecurityTransparencyBehavior::SecurityTransparencyBehavior(ISecurityTransparencyImpl *pTransparencyImpl) :
- m_pTransparencyImpl(pTransparencyImpl),
- m_flags(pTransparencyImpl->GetBehaviorFlags())
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pTransparencyImpl);
-}
-
-//
-// Typed logical operators for transparency flags
-//
-
-inline SecurityTransparencyBehaviorFlags operator|(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline SecurityTransparencyBehaviorFlags operator|=(SecurityTransparencyBehaviorFlags& lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline SecurityTransparencyBehaviorFlags operator&(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline SecurityTransparencyBehaviorFlags operator&=(SecurityTransparencyBehaviorFlags& lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Are types and methods required to obey the transparency inheritance rules
-//
-
-inline bool SecurityTransparencyBehavior::AreInheritanceRulesEnforced() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can public critical members of an assembly behave as if they were safe critical with a
-// LinkDemand for FullTrust
-//
-
-inline bool SecurityTransparencyBehavior::CanCriticalMembersBeConvertedToLinkDemand() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can members contained within a scope that introduces members as critical add their own
-// TreatAsSafe attribute
-//
-
-inline bool SecurityTransparencyBehavior::CanIntroducedCriticalMembersAddTreatAsSafe() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_IntroducedCriticalsMayAddTreatAsSafe);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent methods call methods protected with a LinkDemand
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeCallLinkDemandMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_TransparentCodeCanCallLinkDemand);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent members call native code directly
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeCallUnmanagedCode() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransaprencyBehaviorFlags_TransparentCodeCanCallUnmanagedCode);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent members skip verification if the callstack passes a runtime check
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeSkipVerification() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_TransparentCodeCanSkipVerification);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Custom attributes require transparency checks in order to be used by critical code
-//
-
-inline bool SecurityTransparencyBehavior::DoAttributesRequireTransparencyChecks() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Opportunistically critical assemblies consist of entirely transparent types with entirely safe
-// critical methods.
-inline bool SecurityTransparencyBehavior::DoesOpportunisticRequireOnlySafeCriticalMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_OpportunisticIsSafeCriticalMethods);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Does being loaded in partial trust imply that the assembly is implicitly all transparent
-//
-
-inline bool SecurityTransparencyBehavior::DoesPartialTrustImplyAllTransparent() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do all public types and methods automatically become treat as safe
-//
-
-inline bool SecurityTransparencyBehavior::DoesPublicImplyTreatAsSafe() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_PublicImpliesTreatAsSafe);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do security critical or safe critical at a larger than method scope apply only to methods introduced
-// within that scope, or to all methods conateind within the scope.
-//
-// For instance, if this method returns true, a critical type does not make a method it overrides critical
-// because that method was introduced in a base type.
-//
-
-inline bool SecurityTransparencyBehavior::DoesScopeApplyOnlyToIntroducedMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do unsigned assemblies implicitly become APTCA
-//
-
-inline bool SecurityTransparencyBehavior::DoesUnsignedImplyAPTCA() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_UnsignedImpliesAPTCA);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a field into bits that represent what those attributes
-// mean to this field.
-//
-
-inline FieldSecurityDescriptorFlags SecurityTransparencyBehavior::MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapFieldAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a method to the security transparency of that method
-//
-
-inline MethodSecurityDescriptorFlags SecurityTransparencyBehavior::MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapMethodAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on an assembly into bits that represent what those
-// attributes mean to this assembly.
-//
-
-inline ModuleSecurityDescriptorFlags SecurityTransparencyBehavior::MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapModuleAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a type into bits that represent what those
-// attributes mean to this type.
-//
-
-inline TypeSecurityDescriptorFlags SecurityTransparencyBehavior::MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapTypeAttributes(tokenFlags);
-}
-
-#endif // __SECURTYTRANSPARENT_INL__
// take care of that possibility
pModule->EnsureAllocated();
- // 5. Type is in a fully trusted assembly
- if (!pModule->GetSecurityDescriptor()->IsFullyTrusted())
- return FALSE;
-
// 6. If type is nested, nesting type must be equivalent.
if (IsTdNested(dwAttrType))
{
// TODO: fix this another way!
// if (IsRequestPending())
{
- //This holder resets our thread's security state when exiting this scope
- ThreadSecurityStateHolder secState(pThread);
-
ManagedThreadBase::ThreadPool(appDomainId, QueueUserWorkItemManagedCallback, wasNotRecalled);
}
#include "corhost.h"
#include "win32threadpool.h"
#include "jitinterface.h"
-#include "appdomainstack.inl"
#include "eventtrace.h"
#include "comutilnative.h"
#include "finalizerthread.h"
return pThread;
}
-FCIMPL0(INT32, GetRuntimeId_Wrapper)
-{
- FCALL_CONTRACT;
-
- return GetRuntimeId();
-}
-FCIMPLEND
-
//-------------------------------------------------------------------------
// Public function: DestroyThread()
// Destroys the specified Thread object, for a thread which is about to die.
m_pDomain = m_Context->GetDomain();
_ASSERTE(m_pDomain);
m_pDomain->ThreadEnter(this, NULL);
-
- // Every thread starts in the default domain, so push it here.
- PushDomain((ADID)DefaultADID);
}
void Thread::ClearContext()
m_fDisableComObjectEagerCleanup = false;
#endif //FEATURE_COMINTEROP
m_Context = NULL;
- m_ADStack.ClearDomainStack();
}
_ASSERTE(pFrame);
- PushDomain(pDomain->GetId());
STRESS_LOG1(LF_APPDOMAIN, LL_INFO100000, "Entering into ADID=%d\n", pDomain->GetId().m_dwId);
if (fChangedDomains)
{
- pADOnStack = m_ADStack.PopDomain();
STRESS_LOG2(LF_APPDOMAIN, LL_INFO100000, "Returning from %d to %d\n", pADOnStack.m_dwId, pReturnContext->GetDomain()->GetId().m_dwId);
_ASSERTE(pADOnStack == m_pDomain->GetId());
GCX_FORBID();
DeleteThreadStaticData();
- ResetSecurityInfo();
m_alloc_context.alloc_bytes = 0;
m_fPromoted = FALSE;
#include "context.h"
#include "regdisp.h"
#include "mscoree.h"
-#include "appdomainstack.h"
#include "gcheaputilities.h"
#include "gchandleutilities.h"
#include "gcinfotypes.h"
void DestroyThread(Thread *th);
-FCDECL0(INT32, GetRuntimeId_Wrapper);
-
//---------------------------------------------------------------------------
//---------------------------------------------------------------------------
#ifndef FEATURE_IMPLICIT_TLS
private:
//-------------------------------------------------------------------------
- // AppDomains on the current call stack
- //-------------------------------------------------------------------------
- AppDomainStack m_ADStack;
-
- //-------------------------------------------------------------------------
// Support creation of assemblies in DllMain (see ceemain.cpp)
//-------------------------------------------------------------------------
DomainFile* m_pLoadingFile;
return m_fInteropDebuggingHijacked;
}
- inline DWORD IncrementOverridesCount();
- inline DWORD DecrementOverridesCount();
- inline DWORD GetOverridesCount();
- inline DWORD IncrementAssertCount();
- inline DWORD DecrementAssertCount();
- inline DWORD GetAssertCount();
- inline void PushDomain(ADID pDomain);
- inline ADID PopDomain();
- inline DWORD GetNumAppDomainsOnThread();
- inline BOOL CheckThreadWideSpecialFlag(DWORD flags);
- inline void InitDomainIteration(DWORD *pIndex);
- inline ADID GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts);
- inline void UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides);
-
- BOOL IsDefaultSecurityInfo(void)
- {
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IsDefaultSecurityInfo();
- }
-
- BOOL AllDomainsHomogeneousWithNoStackModifiers(void)
- {
- WRAPPER_NO_CONTRACT;
- return m_ADStack.AllDomainsHomogeneousWithNoStackModifiers();
- }
-
- const AppDomainStack& GetAppDomainStack(void)
- {
- LIMITED_METHOD_CONTRACT;
- return m_ADStack;
- }
- AppDomainStack* GetAppDomainStackPointer(void)
- {
- LIMITED_METHOD_CONTRACT;
- return &m_ADStack;
- }
-
- void SetAppDomainStack(const AppDomainStack& appDomainStack)
- {
- WRAPPER_NO_CONTRACT;
- m_ADStack = appDomainStack; // this is a function call, massive operator=
- }
-
- void ResetSecurityInfo( void )
- {
- WRAPPER_NO_CONTRACT;
- m_ADStack.ClearDomainStack();
- }
-
void SetFilterContext(T_CONTEXT *pContext);
T_CONTEXT *GetFilterContext(void);
#endif
}
-inline DWORD Thread::IncrementOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IncrementOverridesCount();
-}
-
-inline DWORD Thread::DecrementOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.DecrementOverridesCount();
-}
-
-inline DWORD Thread::GetOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetOverridesCount();
-}
-
-inline DWORD Thread::IncrementAssertCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IncrementAssertCount();
-}
-
-inline DWORD Thread::DecrementAssertCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.DecrementAssertCount();
-}
-
-inline DWORD Thread::GetAssertCount()
-{
- LIMITED_METHOD_CONTRACT;
- return m_ADStack.GetAssertCount();
-}
-
-#ifndef DACCESS_COMPILE
-inline void Thread::PushDomain(ADID pDomain)
-{
- WRAPPER_NO_CONTRACT;
- m_ADStack.PushDomain(pDomain);
-}
-
-inline ADID Thread::PopDomain()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.PopDomain();
-}
-#endif // DACCESS_COMPILE
-
-inline DWORD Thread::GetNumAppDomainsOnThread()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetNumDomains();
-}
-
-inline BOOL Thread::CheckThreadWideSpecialFlag(DWORD flags)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetThreadWideSpecialFlag() & flags;
-}
-
-inline void Thread::InitDomainIteration(DWORD *pIndex)
-{
- WRAPPER_NO_CONTRACT;
- m_ADStack.InitDomainIteration(pIndex);
-}
-
-inline ADID Thread::GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetNextDomainOnStack(pIndex, pOverrides, pAsserts);
-}
-
-inline void Thread::UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.UpdateDomainOnStack(pIndex, asserts, overrides);
-}
-
#ifdef FEATURE_COMINTEROP
inline void Thread::RevokeApartmentSpy()
{
}
#endif // FEATURE_COMINTEROP
-#include "appdomainstack.inl"
-
inline bool Thread::IsGCSpecial()
{
LIMITED_METHOD_CONTRACT;
}
//-----------------------------------------------------------------------------
-// Helper method to load mscorsn.dll. It is used when an app requests a legacy
-// mode where mscorsn.dll it to be loaded during startup.
-//-----------------------------------------------------------------------------
-const WCHAR g_pwzOldStrongNameLibrary[] = W("mscorsn.dll");
-#define cchOldStrongNameLibrary ( \
- (sizeof(g_pwzOldStrongNameLibrary)/sizeof(WCHAR)))
-
-HRESULT LoadMscorsn()
-{
- CONTRACTL
- {
- NOTHROW;
- GC_TRIGGERS;
- INJECT_FAULT(return FALSE;);
- }
- CONTRACTL_END;
-
- DWORD size = 0;
- HRESULT hr = GetInternalSystemDirectory(NULL, &size);
- if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER))
- return hr;
-
- DWORD dwLength = size + cchOldStrongNameLibrary;
- if (dwLength < size)
- return HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW);
- NewArrayHolder<WCHAR> wszPath(new (nothrow) WCHAR[dwLength]);
- if (!wszPath)
- return E_OUTOFMEMORY;
-
- hr = GetInternalSystemDirectory(wszPath, &size);
- if (FAILED(hr))
- return hr;
-
- wcscat_s(wszPath, dwLength, g_pwzOldStrongNameLibrary);
- CLRLoadLibrary(wszPath);
- return S_OK;
-}
-
#ifndef FEATURE_PAL
-//-----------------------------------------------------------------------------
-// WszSHGetFolderPath
-//
-// @func takes the CSIDL of a folder and returns the path name
-//
-// @rdesc Result Handle
-//-----------------------------------------------------------------------------------
-HRESULT WszSHGetFolderPath(
- HWND hwndOwner,
- int nFolder,
- HANDLE hToken,
- DWORD dwFlags,
- size_t cchPathMax,
- __out_ecount(MAX_LONGPATH) LPWSTR pwszPath)
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_PREEMPTIVE;
- INJECT_FAULT(return E_OUTOFMEMORY;);
- }
- CONTRACTL_END;
-
- // SHGetFolderPath requirement: path buffer >= MAX_LONGPATH chars
- _ASSERTE(cchPathMax >= MAX_LONGPATH);
-
- HRESULT hr;
- ULONG maxLength = MAX_LONGPATH;
- HMODULE _hmodShell32 = 0;
- HMODULE _hmodSHFolder = 0;
-
- ETWOnStartup (LdLibShFolder_V1, LdLibShFolderEnd_V1);
-
- typedef HRESULT (*PFNSHGETFOLDERPATH_W) (HWND hwndOwner, int nFolder, HANDLE hToken, DWORD dwFlags, LPWSTR pszPath);
- static PFNSHGETFOLDERPATH_W pfnW = NULL;
- if (NULL == pfnW)
- {
- _hmodShell32 = CLRLoadLibrary(W("shell32.dll"));
-
- if (_hmodShell32)
- pfnW = (PFNSHGETFOLDERPATH_W)GetProcAddress(_hmodShell32, "SHGetFolderPathW");
-
- if (NULL == pfnW)
- {
- if (NULL == _hmodSHFolder)
- _hmodSHFolder = CLRLoadLibrary(W("shfolder.dll"));
-
- if (_hmodSHFolder)
- pfnW = (PFNSHGETFOLDERPATH_W)GetProcAddress(_hmodSHFolder, "SHGetFolderPathW");
- }
- }
-
- if (pfnW)
- hr = pfnW(hwndOwner, nFolder, hToken, dwFlags, pwszPath);
- else
- hr = HRESULT_FROM_WIN32(GetLastError());
-
- // NOTE: We leak the module handles and let the OS gather them at process shutdown.
-
- return hr;
-}
-
-//-----------------------------------------------------------------------------
-// WszShellExecute
-//
-// @func calls ShellExecute with the provided parameters
-//
-// @rdesc Result
-//-----------------------------------------------------------------------------------
-HRESULT WszShellExecute(
- HWND hwnd,
- LPCTSTR lpOperation,
- LPCTSTR lpFile,
- LPCTSTR lpParameters,
- LPCTSTR lpDirectory,
- INT nShowCmd)
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_PREEMPTIVE;
- INJECT_FAULT(return E_OUTOFMEMORY;);
- }
- CONTRACTL_END;
-
- HRESULT hr = S_OK;
- HMODULE _hmodShell32 = 0;
-
- typedef HINSTANCE (*PFNSHELLEXECUTE_W) (HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
- static PFNSHELLEXECUTE_W pfnW = NULL;
- if (NULL == pfnW)
- {
- _hmodShell32 = CLRLoadLibrary(W("shell32.dll"));
-
- if (_hmodShell32)
- pfnW = (PFNSHELLEXECUTE_W)GetProcAddress(_hmodShell32, "ShellExecuteW");
- }
-
- if (pfnW)
- {
- HINSTANCE hSE = pfnW(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd);
-
- if ((int) hSE <= 32)
- {
- hr = HRESULT_FROM_WIN32((int) hSE);
- }
- }
- else
- {
- hr = HRESULT_FROM_WIN32(GetLastError());
- }
-
- // NOTE: We leak the module handles and let the OS gather them at process shutdown.
-
- return hr;
-}
-
-#ifndef DACCESS_COMPILE
-//-----------------------------------------------------------------------------
-
-//-----------------------------------------------------------------------------
-// WszShellExecuteEx
-//
-// @func calls ShellExecuteEx with the provided parameters
-//
-// @rdesc Result
-//-----------------------------------------------------------------------------------
-HRESULT WszShellExecuteEx(
- LPSHELLEXECUTEINFO lpExecInfo)
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_PREEMPTIVE;
- INJECT_FAULT(return E_OUTOFMEMORY;);
- }
- CONTRACTL_END;
-
- HRESULT hr = S_OK;
- HMODULE _hmodShell32 = 0;
-
- typedef BOOL (*PFNSHELLEXECUTEEX_W) (LPSHELLEXECUTEINFO lpExecInfo);
- static PFNSHELLEXECUTEEX_W pfnW = NULL;
- if (NULL == pfnW)
- {
- _hmodShell32 = CLRLoadLibrary(W("shell32.dll"));
-
- if (_hmodShell32)
- pfnW = (PFNSHELLEXECUTEEX_W)GetProcAddress(_hmodShell32, "ShellExecuteExW");
- }
-
- if (pfnW)
- {
- BOOL bSE = pfnW(lpExecInfo);
-
- if (bSE)
- {
- hr = HRESULT_FROM_WIN32(GetLastError());
- }
- }
- else
- {
- hr = HRESULT_FROM_WIN32(GetLastError());
- }
-
- // NOTE: We leak the module handles and let the OS gather them at process shutdown.
-
- return hr;
-}
-
-#endif // #ifndef DACCESS_COMPILE
-
-BOOL IsUsingValidAppDataPath(__in_z WCHAR *userPath)
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_PREEMPTIVE;
- }
- CONTRACTL_END;
-
- WCHAR defaultPath[MAX_LONGPATH];
- HRESULT hr;
- HANDLE hToken;
-
- hToken = (HANDLE)(-1);
-
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA, hToken, SHGFP_TYPE_CURRENT, MAX_LONGPATH, defaultPath);
- if (FAILED(hr))
- {
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA, hToken, SHGFP_TYPE_DEFAULT, MAX_LONGPATH, defaultPath);
- }
- if (FAILED(hr))
- return FALSE;
-
- int result = wcscmp(defaultPath, userPath);
-
- return result != 0;
-}
-
-#define FOLDER_LOCAL_SETTINGS_W W("Local Settings")
-#define FOLDER_APP_DATA_W W("\\Application Data")
-#define FOLDER_APP_DATA "\\Application Data"
-
-// Gets the location for roaming and local AppData
-BOOL GetUserDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount, BOOL fRoaming)
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_PREEMPTIVE;
- INJECT_FAULT(return FALSE;);
- }
- CONTRACTL_END;
-
- // SHGetFolderPath will return the default user profile if the context is that of a user
- // without a user profile. Since we never want to end up writing files into the default profile
- // which is used as a template for future user profiles, we first try to find out if the user
- // profile is not loaded; and if that's the case we return an error.
-
- if (!IsUserProfileLoaded())
- return FALSE;
-
- HRESULT hr;
-
- // In Windows ME, there is currently a bug that makes local appdata and roaming appdata
- // point to the same location, so we've decided to "do our own thing" and add \Local Settings before \Application Data
- if (!fRoaming) {
- WCHAR appdatafolder[MAX_LONGPATH];
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, MAX_LONGPATH, appdatafolder);
- if (FAILED(hr))
- {
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, MAX_LONGPATH, appdatafolder);
- }
- if (FAILED(hr))
- return FALSE;
- hr = WszSHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, bufferCount, buffer);
- if (FAILED(hr))
- {
- hr = WszSHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer);
- }
- if (FAILED(hr))
- return FALSE;
-
- // folders are the same or failed to get local folder
-
- if (!wcscmp(appdatafolder, buffer))
- {
- WCHAR tempPartialPath[MAX_LONGPATH];
- ULONG slen = (ULONG)wcslen(buffer);
-
- if (buffer[slen - 1] == W('\\'))
- {
- --slen;
- }
-
- // Search for the parent directory.
-
- WCHAR* parentDirectoryEnd = &buffer[slen - 1];
- tempPartialPath[0] = W('\0');
-
- for (ULONG index = slen - 1; index > 0; --index)
- {
- if (buffer[index] == W('\\'))
- {
- if (wcslen(&buffer[index]) >= NumItems(tempPartialPath))
- {
- _ASSERTE(!"Buffer not large enough");
- return FALSE;
- }
-
- wcscpy_s( tempPartialPath, COUNTOF(tempPartialPath), &buffer[index] );
- parentDirectoryEnd = &buffer[index+1];
- break;
- }
- }
-
- // Create the intermediate directory if it is not present
- if ((parentDirectoryEnd + wcslen(FOLDER_LOCAL_SETTINGS_W)) >= (buffer + bufferCount))
- {
- _ASSERTE(!"Buffer not large enough");
- return FALSE;
- }
-
- SIZE_T cchSafe;
- // Prefast overflow sanity check the subtraction.
- if (!ClrSafeInt<SIZE_T>::subtraction(bufferCount, (parentDirectoryEnd - buffer), cchSafe))
- {
- _ASSERTE(!"ClrSafeInt: Buffer is not large enough");
- return FALSE;
- }
-
- wcscpy_s(parentDirectoryEnd, cchSafe, FOLDER_LOCAL_SETTINGS_W);
-
- LONG lresult;
-
- {
- // Check if the directory is already present
- lresult = WszGetFileAttributes(buffer);
-
- if (lresult == -1)
- {
- if (!WszCreateDirectory(buffer, NULL) &&
- !(WszGetFileAttributes(buffer) & FILE_ATTRIBUTE_DIRECTORY))
- return FALSE;
- }
- else if ((lresult & FILE_ATTRIBUTE_DIRECTORY) == 0)
- {
- return FALSE;
- }
- }
- if ((bufferCount - wcslen(buffer)) <= wcslen(tempPartialPath))
- {
- _ASSERTE(!"Buffer not large enough");
- return FALSE;
- }
-
- wcscat_s(buffer, bufferCount, tempPartialPath);
-
- // Check if the directory is already present
- lresult = WszGetFileAttributes(buffer);
-
- if (lresult == -1)
- {
- if (!WszCreateDirectory(buffer, NULL) &&
- !(WszGetFileAttributes(buffer) & FILE_ATTRIBUTE_DIRECTORY))
- return FALSE;
- }
- else if ((lresult & FILE_ATTRIBUTE_DIRECTORY) == 0)
- {
- return FALSE;
- }
- }
- }
- else {
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, bufferCount, buffer);
- if (FAILED(hr))
- {
- hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer);
- }
- if (FAILED(hr))
- return FALSE;
-
- if (!IsUsingValidAppDataPath(buffer))
- return FALSE;
- }
-
- return TRUE;
-}
-
-const WCHAR PROFILE_LIST_PATH[] = W("Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\");
-#define nProfileListPathKeyLen ( \
- sizeof(PROFILE_LIST_PATH)/sizeof(WCHAR))
-
-HRESULT GetUserSidString (HANDLE hToken, __deref_out LPWSTR *pwszSid) {
- DWORD dwSize = 0;
- GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
- NewArrayHolder<BYTE> pb(new (nothrow) BYTE[dwSize]);
- if (pb == NULL)
- return E_OUTOFMEMORY;
- if (!GetTokenInformation(hToken, TokenUser, pb, dwSize, &dwSize))
- return HRESULT_FROM_GetLastError();
-
- PTOKEN_USER pUser = (PTOKEN_USER) pb.GetValue();
-
- typedef BOOL (*CONVERTSIDTOSTRINGSID_W) (PSID Sid, LPWSTR* StringSid);
- static CONVERTSIDTOSTRINGSID_W pfnW = NULL;
- if (NULL == pfnW) {
- HMODULE hModAdvapi32 = CLRLoadLibrary(W("advapi32.dll"));
- if (hModAdvapi32)
- pfnW = (CONVERTSIDTOSTRINGSID_W) GetProcAddress(hModAdvapi32, "ConvertSidToStringSidW");
- }
-
- if (!pfnW)
- return E_NOTIMPL;
- if (!pfnW(pUser->User.Sid, pwszSid))
- return HRESULT_FROM_GetLastError();
- return S_OK;
-}
-
-BOOL IsUserProfileLoaded() {
- HandleHolder hToken;
- if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken))
- if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
- return FALSE;
-
- // Get the SID string
- LPWSTR wszSid = NULL;
- if (FAILED(GetUserSidString(hToken, &wszSid)))
- return FALSE;
-
- // Concatenate the Sid string with the profile list path
- size_t cchProfileRegPath = nProfileListPathKeyLen + wcslen(wszSid) + 1;
- NewArrayHolder<WCHAR> wszProfileRegPath(new (nothrow) WCHAR[cchProfileRegPath]);
- if (wszProfileRegPath == NULL) {
-#undef LocalFree
- LocalFree(wszSid);
-#define LocalFree(hMem) Dont_Use_LocalFree(hMem)
- return FALSE;
- }
- wcscpy_s(wszProfileRegPath, cchProfileRegPath, PROFILE_LIST_PATH);
- wcscat_s(wszProfileRegPath, cchProfileRegPath, wszSid);
-
-#undef LocalFree
- LocalFree(wszSid);
-#define LocalFree(hMem) Dont_Use_LocalFree(hMem)
-
- // Open the user profile registry key
- HKEYHolder hKey;
- return (WszRegOpenKeyEx(HKEY_LOCAL_MACHINE, wszProfileRegPath, 0, KEY_READ, &hKey) == ERROR_SUCCESS);
-}
-
-BOOL GetInternetCacheDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_TRIGGERS;
- INJECT_FAULT(return FALSE;);
- }
- CONTRACTL_END;
-
- _ASSERTE( bufferCount == MAX_LONGPATH && "You should pass in a buffer of size MAX_LONGPATH" );
-
- HRESULT hr = WszSHGetFolderPath( NULL, CSIDL_INTERNET_CACHE, NULL, SHGFP_TYPE_CURRENT, bufferCount, buffer );
- if (FAILED(hr))
- hr = WszSHGetFolderPath( NULL, CSIDL_INTERNET_CACHE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer );
-
- return SUCCEEDED(hr);
-}
-
-//-----------------------------------------------------------------------------
// Wrap registry functions to use CQuickWSTR to allocate space. This does it
// in a stack friendly manner.
//-----------------------------------------------------------------------------
//=====================================================================
// Displays the messaage box or logs the message, corresponding to the last COM+ error occurred
void VMDumpCOMErrors(HRESULT hrErr);
-HRESULT LoadMscorsn();
#include "nativevaraccessors.h"
-#ifndef FEATURE_PAL
-
-HRESULT WszSHGetFolderPath(HWND hwndOwner, int nFolder, HANDLE hToken, DWORD dwFlags, size_t cchPath, __out_ecount(MAX_LONGPATH) LPWSTR pszwPath);
-HRESULT WszShellExecute(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
-
-#ifndef DACCESS_COMPILE
-#include "shellapi.h"
-HRESULT WszShellExecuteEx(LPSHELLEXECUTEINFO lpExecInfo);
-#endif // #ifndef DACCESS_COMPILE
-
-#endif // !FEATURE_PAL
-
-BOOL GetUserDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount, BOOL fRoaming);
-BOOL GetInternetCacheDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount );
-
-HRESULT GetUserSidString (HANDLE hToken, __deref_out LPWSTR *wszSid);
-BOOL IsUserProfileLoaded();
-
//======================================================================
// Stack friendly registry helpers
//
DWORD g_FinalizerWaiterStatus = 0;
-const WCHAR g_pwzClickOnceEnv_FullName[] = W("__COR_COMMAND_LINE_APP_FULL_NAME__");
-const WCHAR g_pwzClickOnceEnv_Manifest[] = W("__COR_COMMAND_LINE_MANIFEST__");
-const WCHAR g_pwzClickOnceEnv_Parameter[] = W("__COR_COMMAND_LINE_PARAMETER__");
-
-#ifdef FEATURE_LOADER_OPTIMIZATION
-DWORD g_dwGlobalSharePolicy = AppDomain::SHARE_POLICY_UNSPECIFIED;
-#endif
-
//
// Do we own the lifetime of the process, ie. is it an EXE?
//
LPWSTR g_pCachedCommandLine = NULL;
LPWSTR g_pCachedModuleFileName = 0;
-// host configuration file. If set, it is added to every AppDomain (fusion context)
-LPCWSTR g_pszHostConfigFile = NULL;
-SIZE_T g_dwHostConfigFile = 0;
-
-// AppDomainManager assembly and type names provided as environment variables.
-LPWSTR g_wszAppDomainManagerAsm = NULL;
-LPWSTR g_wszAppDomainManagerType = NULL;
-bool g_fDomainManagerInitialized = false;
-
//
// IJW needs the shim HINSTANCE
//
#endif // FEATURE_COMINTEROP
#endif // DACCESS_COMPILE
-EXTERN const WCHAR g_pwzClickOnceEnv_FullName[];
-EXTERN const WCHAR g_pwzClickOnceEnv_Manifest[];
-EXTERN const WCHAR g_pwzClickOnceEnv_Parameter[];
-
-#ifdef FEATURE_LOADER_OPTIMIZATION
-EXTERN DWORD g_dwGlobalSharePolicy;
-#endif
-
//
// Do we own the lifetime of the process, ie. is it an EXE?
//
extern LPWSTR g_pCachedModuleFileName;
//
-// Host configuration file. One per process.
-//
-extern LPCWSTR g_pszHostConfigFile;
-extern SIZE_T g_dwHostConfigFile;
-
-// AppDomainManager type
-extern LPWSTR g_wszAppDomainManagerAsm;
-extern LPWSTR g_wszAppDomainManagerType;
-extern bool g_fDomainManagerInitialized;
-
-//
// Macros to check debugger and profiler settings.
//
inline bool CORDebuggerPendingAttach()
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-// verifier.cpp
-//
-
-//
-//
-//
-// Registry / Environment settings :
-//
-// Create registry entries in CURRENT_USER\Software\Microsoft\.NETFramework
-// or set environment variables COMPlus_* with the names given below.
-// Environment settings override registry settings.
-//
-// For breaking into the debugger / Skipping verification :
-// (available only in the debug build).
-//
-// VerBreakOnError [STRING] Break into the debugger on error. Set to 1
-// VerSkip [STRING] method names (case sensitive)
-// VerBreak [STRING] method names (case sensitive)
-// VerOffset [STRING] Offset in the method in hex
-// VerPass [STRING] 1 / 2 ==> First pass, second pass
-// VerMsgMethodInfoOff [STRING] Print method / module info on error
-//
-// NOTE : If there are more than one methods in the list and an offset
-// is specified, this offset is applicable to all methods in the list
-//
-// NOTE : Verifier should be enabled for this to work.
-//
-// To Switch the verifier Off (Default is On) :
-// (available on all builds).
-//
-// VerifierOff [STRING] 1 ==> Verifier is Off, 0 ==> Verifier is On
-//
-// [See EEConfig.h / EEConfig.cpp]
-//
-//
-// Meaning of code marked with @XXX
-//
-// @VER_ASSERT : Already verified.
-// @VER_IMPL : Verification rules implemented here.
-// @DEBUG : To be removed/commented before checkin.
-//
-
-
-#include "common.h"
-
-#include "verifier.hpp"
-#include "ceeload.h"
-#include "clsload.hpp"
-#include "method.hpp"
-#include "vars.hpp"
-#include "object.h"
-#include "field.h"
-#include "comdelegate.h"
-#include "security.h"
-#include "dbginterface.h"
-#include "securityattributes.h"
-#include "eeconfig.h"
-#include "sourceline.h"
-#include "typedesc.h"
-#include "typestring.h"
-#include "../dlls/mscorrc/resource.h"
-
-
-#define VER_NAME_INFO_SIZE 128
-#define VER_SMALL_BUF_LEN 256
-#define VER_FAILED_TO_LOAD_RESOURCE_STRING "(Failed to load resource string)"
-
-#define VER_LD_RES(e, fld) \
- { \
- if ((sRes.LoadResource(CCompRC::Error, e ))) \
- { \
- sPrint.Printf(sRes.GetUnicode(), err.fld); \
- sMessage += sPrint; \
- } \
- else \
- { \
- SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); \
- sMessage += s; \
- } \
- }
-
-// Copies the error message to the input char*
-WCHAR* Verifier::GetErrorMsg(
- HRESULT hrError,
- VerError err,
- __inout_ecount(len) WCHAR *wszMsg,
- int len,
- ValidateWorkerArgs* pArgs)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- } CONTRACTL_END;
-
- SString sMessage; // to debug, watch "(WCHAR*)sMessage.m_buffer"
- SString sPrint;
- LPCSTR szMethodName;
-
- NewHolder<SourceLine> pSL(NULL);
-
- if (pArgs->pMethodDesc)
- {
- // source lines
- if (pArgs->fShowSourceLines && pArgs->wszFileName)
- {
- pSL = new SourceLine(pArgs->wszFileName);
- if(pSL->IsInitialized())
- {
- DWORD dwFunctionToken = pArgs->pMethodDesc->GetMemberDef();
- WCHAR wcBuffer[VER_SMALL_BUF_LEN];
- wcBuffer[0] = 0;
- DWORD dwLineNumber;
- HRESULT hr;
- hr = pSL->GetSourceLine( dwFunctionToken, err.dwOffset, wcBuffer, VER_SMALL_BUF_LEN, &dwLineNumber );
- sPrint.Printf(W("%s(%d) : "), wcBuffer, dwLineNumber);
- sMessage += sPrint;
- }
- SString sRes;
- sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_ILERROR);
- sMessage += sRes;
- }
-
- // module
- sMessage += W("[");
- sMessage += pArgs->pMethodDesc->GetModule()->GetPath();
-
- // class
- sMessage += W(" : ");
- if (pArgs->pMethodDesc->GetMethodTable() != NULL)
- {
- // DefineFullyQualifiedNameForClass();
- // GetFullyQualifiedNameForClassNestedAware(pClass);
- // sMessage += FilterAscii(_szclsname_, szTemp, VER_NAME_INFO_SIZE);
- SString clsname;
- TypeString::AppendType(clsname,TypeHandle(pArgs->pMethodDesc->GetMethodTable()));
- sMessage += clsname;
- }
- else
- {
- SString sRes;
- sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_GLOBAL);
- sMessage += sRes;
- }
-
- // method
- sMessage += W("::");
- if (FAILED(pArgs->pMethodDesc->GetModule()->GetMDImport()->GetNameOfMethodDef(pArgs->pMethodDesc->GetMemberDef(), &szMethodName)))
- {
- szMethodName = "Invalid MethodDef record";
- }
- SString sNameOfMethod(SString::Utf8, szMethodName);
- sMessage += sNameOfMethod;
-
- if (pArgs->pMethodDesc->IsGenericMethodDefinition())
- {
- SString inst;
- TypeString::AppendInst(inst,pArgs->pMethodDesc->GetMethodInstantiation(),TypeString::FormatBasic);
- sMessage += inst;
- }
-
- sMessage += W("]");
-
- // MD token
- if(pArgs->fVerbose)
- {
- SString sRes;
- sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_MDTOKEN);
- DWORD dwMDToken = pArgs->pMethodDesc->GetMemberDef();
- sPrint.Printf(sRes.GetUnicode(), dwMDToken);
- sMessage += sPrint;
- }
- }
-
- // Fill In the details
- SString sRes;
-
- // Create the generic error fields
-
- if (err.dwFlags & VER_ERR_OFFSET)
- VER_LD_RES(VER_E_OFFSET, dwOffset);
-
- if (err.dwFlags & VER_ERR_OPCODE)
- {
- if (sRes.LoadResource(CCompRC::Error, VER_E_OPCODE))
- {
- sPrint.Printf(sRes, ppOpcodeNameList[err.opcode]);
- sMessage += W(" ");
- sMessage += sPrint;
- }
- }
-
- if (err.dwFlags & VER_ERR_OPERAND)
- VER_LD_RES(VER_E_OPERAND, dwOperand);
-
- if (err.dwFlags & VER_ERR_TOKEN)
- VER_LD_RES(VER_E_TOKEN, token);
-
- if (err.dwFlags & VER_ERR_EXCEP_NUM_1)
- VER_LD_RES(VER_E_EXCEPT, dwException1);
-
- if (err.dwFlags & VER_ERR_EXCEP_NUM_2)
- VER_LD_RES(VER_E_EXCEPT, dwException2);
-
- if (err.dwFlags & VER_ERR_STACK_SLOT)
- VER_LD_RES(VER_E_STACK_SLOT, dwStackSlot);
-
- if ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_LOCAL_SIG)
- {
- if (err.dwVarNumber != VER_ERR_NO_LOC)
- {
- if(pArgs->fShowSourceLines && pSL && pSL->IsInitialized() && pArgs->pMethodDesc)
- {
- if ((sRes.LoadResource(CCompRC::Error, VER_E_LOC_BYNAME)))
- {
- DWORD dwFunctionToken = pArgs->pMethodDesc->GetMemberDef();
- WCHAR wcBuffer[VER_SMALL_BUF_LEN];
- wcBuffer[0] = 0;
- HRESULT hr;
- hr = pSL->GetLocalName(dwFunctionToken, err.dwVarNumber, wcBuffer, VER_SMALL_BUF_LEN);
- sPrint.Printf(sRes.GetUnicode(), wcBuffer);
- }
- else
- {
- SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING);
- sPrint = s;
- }
- }
- else
- {
- if ((sRes.LoadResource(CCompRC::Error, VER_E_LOC)))
- sPrint.Printf(sRes.GetUnicode(), err.dwVarNumber);
- else
- {
- SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING);
- sPrint = s;
- }
- }
- sMessage += sPrint;
- }
- }
-
- if ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_FIELD_SIG)
- {
- if (sRes.LoadResource(CCompRC::Error, VER_E_FIELD_SIG))
- {
- sMessage += W(" ");
- sMessage += sRes;
- }
- }
-
- if (((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_METHOD_SIG) ||
- ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_CALL_SIG))
- {
- if (err.dwArgNumber != VER_ERR_NO_ARG)
- {
- if (err.dwArgNumber != VER_ERR_ARG_RET)
- {
- VER_LD_RES(VER_E_ARG, dwArgNumber);
- }
- else if (sRes.LoadResource(CCompRC::Error, VER_E_RET_SIG))
- {
- sMessage += W(" ");
- sMessage += sRes;
- }
- }
- }
-
- if (err.dwFlags & VER_ERR_TYPE_1)
- sMessage += err.wszType1;
-
- if (err.dwFlags & VER_ERR_TYPE_2)
- sMessage += err.wszType2;
-
- if (err.dwFlags & VER_ERR_ADDL_MSG)
- sMessage += err.wszAdditionalMessage;
-
- if (err.dwFlags & VER_ERR_TYPE_F)
- {
- if (sRes.LoadResource(CCompRC::Error, VER_E_FOUND))
- {
- sPrint.Printf(sRes, err.wszTypeFound);
- sMessage += sPrint;
- }
- }
-
- if (err.dwFlags & VER_ERR_TYPE_E)
- {
- if (sRes.LoadResource(CCompRC::Error, VER_E_EXPECTED))
- {
- sPrint.Printf(sRes, err.wszTypeExpected);
- sMessage += sPrint;
- }
- }
-
- // Handle the special cases
- switch (hrError)
- {
- case VER_E_UNKNOWN_OPCODE:
- VER_LD_RES(VER_E_UNKNOWN_OPCODE, opcode);
- break;
-
- case VER_E_SIG_CALLCONV:
- VER_LD_RES(VER_E_SIG_CALLCONV, bCallConv);
- break;
-
- case VER_E_SIG_ELEMTYPE:
- VER_LD_RES(VER_E_SIG_ELEMTYPE, elem);
- break;
-
- case COR_E_ASSEMBLYEXPECTED:
- Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs);
- break;
-
- case SECURITY_E_UNVERIFIABLE:
- Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs);
- break;
-
- case CORSEC_E_MIN_GRANT_FAIL:
- Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs);
- break;
-
- case __HRESULT_FROM_WIN32(ERROR_BAD_FORMAT):
- // fall through
-
- default:
- Verifier::GetDefaultMessage(hrError,sMessage, sRes, sPrint);
- }
-
- wcsncpy_s(wszMsg, len, sMessage.GetUnicode(), _TRUNCATE);
- return wszMsg;
-}
-
-/*static*/ VOID Verifier::GetDefaultMessage(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint)
-{
- if (sMessage.GetCount() > 0)
- sMessage += W(" ");
-
- if (HRESULT_FACILITY(hrError) == FACILITY_URT && sRes.LoadResource(CCompRC::Error, MSG_FOR_URT_HR(hrError)))
- sMessage += sRes;
- else
- {
- WCHAR win32Msg[VER_SMALL_BUF_LEN];
- BOOL useWin32Msg = WszFormatMessage( FORMAT_MESSAGE_FROM_SYSTEM |
- FORMAT_MESSAGE_IGNORE_INSERTS,
- NULL,
- hrError,
-#if FEATURE_USE_LCID
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
-#else
- 0,
-#endif
- (LPTSTR) win32Msg,
- VER_SMALL_BUF_LEN - 1,
- NULL );
-
- if (sRes.LoadResource(CCompRC::Error, VER_E_HRESULT))
- {
- sPrint.Printf(sRes, hrError);
-
- if (useWin32Msg)
- {
- sPrint += W(" - ");
- sPrint += win32Msg;
- }
-
- sMessage += W(" ");
- sMessage += sPrint;
- }
- else
- {
- SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING);
- sMessage += s;
- }
- }
-}
-
-/*static*/ HRESULT Verifier::ReportError(IVEHandler *pVeh, HRESULT hrError, VEContext* pVec, ValidateWorkerArgs* pArgs)
-{
- CONTRACTL {
- NOTHROW;
- GC_TRIGGERS;
- } CONTRACTL_END;
-
- // Filter out error messages that require parameters
- switch(hrError)
- {
- case COR_E_TYPELOAD: hrError = VER_E_TYPELOAD; break;
- }
-
- HRESULT hr = E_FAIL;
- EX_TRY
- {
- GCX_PREEMP();
-
- // There is no room for expansion in the VEHandler interface, so we're
- // stuffing our extra data into the SafeArray that was originally
- // designed to be used only by the MDValidator.
-
- // Note: VT_VARIANT is the only supported safe array type on Rotor
- SAFEARRAY* pSafeArray = SafeArrayCreateVector(VT_VARIANT, 0, 1);
- _ASSERTE(pSafeArray);
- if (pSafeArray)
- {
- VARIANT var;
-#ifdef _WIN64
- V_VT(&var) = VT_UI8; // machine sized int. (VT_UI8 not supported on Windows 2000)
- V_UINT_PTR(&var) = (UINT64)(size_t)(pArgs);
-#else
- V_VT(&var) = VT_UINT; // machine sized int
- V_UINT_PTR(&var) = (ULONG_PTR)(pArgs);
-#endif
- LONG i = 0;
- HRESULT hrPutElement;
- hrPutElement = SafeArrayPutElement(pSafeArray, &i, &var);
- _ASSERTE(hrPutElement == S_OK);
- }
-
- // Call the handler
- hr = pVeh->VEHandler(hrError, *pVec, pSafeArray);
-
- // Clean up the SafeArray we allocated
- HRESULT hrDestroy;
- hrDestroy = SafeArrayDestroy(pSafeArray);
- _ASSERTE(hrDestroy == S_OK);
- }
- EX_CATCH_HRESULT(hr);
-
- return hr;
-}
-
-/*static*/ VOID Verifier::GetAssemblyName(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint, ValidateWorkerArgs* pArgs)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
- if(sRes.LoadResource(CCompRC::Error, hrError))
- {
- // find the '%1'
- SString::Iterator i = sRes.Begin();
- if (sRes.Find(i, W("'%1'")))
- {
- // replace the '%1' with the module name
- if(pArgs->wszFileName)
- {
- sPrint = pArgs->wszFileName;
- sRes.Replace(i + 1, 2, sPrint);
- }
- else
- {
- sPrint = W("");
- sRes.Replace(i, 4, sPrint);
- }
- sMessage += sRes;
- }
- }
- else
- {
- SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING);
- sMessage += s;
- }
-}
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-// verifier.hpp
-//
-
-//
-//
-//
-// Dead code verification is for supporting FJIT. If FJIT gets fixed so that it
-// can handle dead code, remove code #ifdefed in _VER_VERIFY_DEAD_CODE
-//
-
-
-#ifndef _VERIFIER_HPP
-#define _VERIFIER_HPP
-
-#define _VER_VERIFY_DEAD_CODE 1 // Verifies dead code
-
-#include "ivehandler.h"
-#include "vererror.h"
-
-class Verifier;
-class CValidator;
-class ValidateWorkerArgs;
-
-#define VER_FORCE_VERIFY 0x0001 // Fail even for fully trusted code
-#define VER_STOP_ON_FIRST_ERROR 0x0002 // Tools can handle multiple errors
-
-// Extensions to ELEMENT_TYPE_* enumeration in cor.h
-
-// Any objref
-#define VER_ELEMENT_TYPE_OBJREF (ELEMENT_TYPE_MAX)
-
-// Any value class
-#define VER_ELEMENT_TYPE_VALUE_CLASS (ELEMENT_TYPE_MAX+1)
-
-// A by-ref anything
-#define VER_ELEMENT_TYPE_BYREF (ELEMENT_TYPE_MAX+2)
-
-// Unknown/invalid type
-#define VER_ELEMENT_TYPE_UNKNOWN (ELEMENT_TYPE_MAX+3)
-
-// Sentinel value (stored at slots -1 and -2 of the stack to catch stack overflow)
-#define VER_ELEMENT_TYPE_SENTINEL (ELEMENT_TYPE_MAX+4)
-
-#define VER_LAST_BASIC_TYPE (ELEMENT_TYPE_MAX+4)
-
-#define VER_ARG_RET VER_ERR_ARG_RET
-#define VER_NO_ARG VER_ERR_NO_ARG
-
-
-
-#include "cor.h"
-#include "veropcodes.hpp"
-#include "util.hpp"
-
-
-#define MAX_SIGMSG_LENGTH 100
-#define MAX_FAILMSG_LENGTH 384 + MAX_SIGMSG_LENGTH
-
-
-struct VerExceptionInfo;
-struct VerExceptionBlock;
-class Verifier;
-
-
-
-class Verifier
-{
- friend class VerSig;
- friend class Item;
-
-public:
- static WCHAR* GetErrorMsg(HRESULT hError, VerError err, __inout_ecount(len) WCHAR *wszMsg, int len, ValidateWorkerArgs* pArgs);
- static HRESULT ReportError(IVEHandler *pVeh, HRESULT hrError, VEContext* pVec, ValidateWorkerArgs* pArgs);
-
-private:
- static VOID GetDefaultMessage(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint);
- static VOID GetAssemblyName(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint, ValidateWorkerArgs* pArgs);
-};
-
-
-class ValidateWorkerArgs
-{
-public:
- CValidator *val;
- HRESULT hr;
- bool fDeletePEFile;
- MethodDesc* pMethodDesc;
- LPWSTR wszFileName;
- BYTE *pe;
- unsigned int size;
- bool fVerbose;
- bool fShowSourceLines;
- bool fTransparentMethodsOnly;
-
- ValidateWorkerArgs()
- : val(NULL),
- hr(S_OK),
- fDeletePEFile(true),
- pMethodDesc(NULL),
- wszFileName(NULL),
- fVerbose(false),
- fShowSourceLines(false),
- fTransparentMethodsOnly(false)
- {LIMITED_METHOD_CONTRACT; }
-};
-
-#endif /* _VERIFIER_HPP */
+++ /dev/null
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-// veropcodes.hpp
-//
-
-//
-// Declares the enumeration of the opcodes and the decoding tables.
-//
-
-#include "openum.h"
-
-#define HackInlineAnnData 0x7F
-
-#ifdef DECLARE_DATA
-#define OPDEF(c,s,pop,push,args,type,l,s1,s2,ctrl) L##s,
-
-const WCHAR * const ppOpcodeNameList[] =
-{
-#include "../inc/opcode.def"
-};
-
-#undef OPDEF
-
-#else /* !DECLARE_DATA */
-
-extern const WCHAR * const ppOpcodeNameList[];
-
-#endif /* DECLARE_DATA */
#include "weakreferencenative.h"
#include "handletablepriv.h"
+#include "typestring.h"
+#include "typeparse.h"
//************************************************************************
dwFlags));
Assembly* pRedirectedAssembly = spec.LoadAssembly(
FILE_LOADED,
- NULL, // pLoadSecurity
FALSE); // fThrowOnFileNotFound
if (pRedirectedAssembly == NULL)
projects / platform / upstream / coreclr.git / commitdiff