{
#define CMDI_ENTRY(f) NativeImageDumper::EnumMnemonics(CORCOMPILE_DEPENDENCY_ ## f, W(#f))
-#ifdef FEATURE_APTCA
- CMDI_ENTRY(IS_APTCA),
- CMDI_ENTRY(IS_CAPTCA),
-#endif //FEATURE_APTCA
#undef CMDI_ENTRY
};
{
#define MSD_ENTRY(f) NativeImageDumper::EnumMnemonics(ModuleSecurityDescriptorFlags_ ## f, W(#f))
MSD_ENTRY(IsComputed),
-#ifdef FEATURE_APTCA
- MSD_ENTRY(IsAPTCA),
-#endif // FEATURE_APTCA
MSD_ENTRY(IsAllCritical),
MSD_ENTRY(IsAllTransparent),
MSD_ENTRY(IsTreatAsSafe),
BEGIN
IDS_ACCESS_EXCEPTION_CONTEXT_LEVEL2_APTCA "Assembly '%1' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may be the cause of this exception."
IDS_ACCESS_EXCEPTION_CONTEXT_PT_TRANSPARENT "Assembly '%1' is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself. In order to access security critical code, this assembly must be fully trusted."
-#ifdef FEATURE_APTCA
- IDS_ACCESS_EXCEPTION_CONTEXT_APTCA_KILLBIT "Assembly '%1' has had an APTCA killbit set for it, which prevents it from being used by partial trust or security transparent code."
- IDS_ACCESS_EXCEPTION_CONTEXT_CONDITIONAL_APTCA "Assembly '%1' is a conditionally APTCA assembly which is not enabled in the current AppDomain. To enable this assembly to be used by partial trust or security transparent code, please add assembly name '%2' to the the PartialTrustVisibleAssemblies list when creating the AppDomain."
-#endif // FEATURE_APTCA
END
// These strings are generated from within the EE for streams
#ifndef FEATURE_CORECLR
enum CorCompileDependencyInfo
{
-#ifdef FEATURE_APTCA
- CORCOMPILE_DEPENDENCY_IS_APTCA = 0x1,
- CORCOMPILE_DEPENDENCY_IS_CAPTCA = 0x2,
-#endif //FEATURE_APTCA
CORCOMPILE_DEPENDENCY_PEKIND_MASK = 0xff00,
CORCOMPILE_DEPENDENCY_PEKIND_SHIFT = 8,
CORCOMPILE_NGEN_SIGNATURE signNativeImage; // INVALID_NGEN_SIGNATURE if this a soft-bound dependency
-#ifdef FEATURE_APTCA
- // Win32 version info for tracking dependency references to strong-named assemblies with APTCA
- ULARGE_INTEGER uliFileVersion; // OS file version ~ NOT assembly version
-#endif //FEATURE_APTCA
#ifndef FEATURE_CORECLR
CorCompileDependencyInfo dependencyInfo; //Flags about the dependency
#endif // FEATURE_CAS_POLICY
-#ifdef FEATURE_APTCA
-
-// static
-void QCALLTYPE AppDomainNative::SetCanonicalConditionalAptcaList(QCall::AppDomainHandle adhTarget,
- LPCWSTR wszCanonicalConditionalAptcaList)
-{
- QCALL_CONTRACT;
-
- BEGIN_QCALL;
-
- IApplicationSecurityDescriptor *pAppSecDesc = adhTarget->GetSecurityDescriptor();
-
- GCX_COOP();
- pAppSecDesc->SetCanonicalConditionalAptcaList(wszCanonicalConditionalAptcaList);
-
- END_QCALL;
-}
-
-#endif // FEATURE_APTCA
FCIMPL1(Object*, AppDomainNative::GetFriendlyName, AppDomainBaseObject* refThisUNSAFE)
{
BOOL QCALLTYPE IsLegacyCasPolicyEnabled(QCall::AppDomainHandle adhTarget);
#endif // FEATURE_CAS_POLICY
-#ifdef FEATURE_APTCA
- static
- void QCALLTYPE SetCanonicalConditionalAptcaList(QCall::AppDomainHandle adhTarget,
- LPCWSTR wszCanonicalConditionalAptcaList);
-#endif // FEATURE_APTCA
#ifdef FEATURE_APPDOMAINMANAGER_INITOPTIONS
static
#ifndef __APTCA_H__
#define __APTCA_H__
-#ifndef FEATURE_APTCA
#error FEATURE_APTCA is required for this file
-#endif // FEATURE_APTCA
#include "securitymeta.h"
if (args->flags & kTreatAsSafeAssembly)
tokenFlags |= TokenSecurityDescriptorFlags_TreatAsSafe;
-#ifdef FEATURE_APTCA
- if (args->aptcaBlob != NULL)
- {
- tokenFlags |= ParseAptcaAttribute(args->aptcaBlob->GetDirectPointerToNonObjectElements(),
- args->aptcaBlob->GetNumComponents());
- }
-
-#endif // FEATURE_APTCA
#ifndef FEATURE_CORECLR
// Use the security rules given to us if the emitting code has selected a specific one. Otherwise,
BOOL GetModuleZapFile(LPCWSTR name, SString &path);
-#if defined(FEATURE_APTCA) || defined(FEATURE_CORESYSTEM)
+#if defined(FEATURE_CORESYSTEM)
BOOL AllowUntrustedCaller();
#endif // defined(FEATURE_APTCA) || defined(FEATURE_CORESYSTEM)
}
#endif // FEATURE_CORECLR
-#if defined(FEATURE_APTCA) && !defined(CROSSGEN_COMPILE)
- // If the target assembly is conditionally APTCA, then it may needed to have been enabled in the domain
- SString conditionalAptcaContext = Security::GetConditionalAptcaAccessExceptionContext(pTargetAssembly);
- if (!conditionalAptcaContext.IsEmpty())
- {
- pContextInformation->Append(conditionalAptcaContext);
- }
-
- // If the target assembly is APTCA killbitted, then indicate that as well
- SString aptcaKillBitContext = Security::GetAptcaKillBitAccessExceptionContext(pTargetAssembly);
- if (!aptcaKillBitContext.IsEmpty())
- {
- pContextInformation->Append(aptcaKillBitContext);
- }
-#endif // FEATURE_APTCA && !CROSSGEN_COMPILE
}
// Generate additional context about the root cause of an access exception which may help in debugging it (for
pDependency->dwAssemblyDef = def;
pDependency->signNativeImage = INVALID_NGEN_SIGNATURE;
-#ifdef FEATURE_APTCA
- pDependency->dependencyInfo = CorCompileDependencyInfo(0);
-#endif //FEATURE_APTCA
if (pFile)
{
// Note that this can trigger an assembly load (of mscorlib)
pAssembly->GetOptimizedIdentitySignature(&pDependency->signAssemblyDef);
-#if defined(FEATURE_APTCA) || !defined(FEATURE_CORECLR)
+#if !defined(FEATURE_CORECLR)
ReleaseHolder<IMDInternalImport> pAssemblyMD(pFile->GetMDImportWithRef());
#endif
-#ifdef FEATURE_APTCA
- // determine if there's an APTCA reference, before we retrieve the target file version (for killbit)
- TokenSecurityDescriptorFlags assemblySecurityAttributes =
- TokenSecurityDescriptor::ReadSecurityAttributes(pAssemblyMD, TokenFromRid(1, mdtAssembly));
-
- pFile->AddRef();
-
- BOOL fIsAptca = assemblySecurityAttributes & (TokenSecurityDescriptorFlags_APTCA
- | TokenSecurityDescriptorFlags_ConditionalAPTCA);
- if (fIsAptca)
- {
- // get the file path
- LPCWSTR pwszPath = pFile->GetPath().GetUnicode();
- if (pwszPath == NULL)
- {
- return E_FAIL;
- }
- // retrieve the file version based on the file path (using Watson OS wrapper)
- if (FAILED(GetFileVersion(pwszPath, &pDependency->uliFileVersion)))
- // ignore failures (e.g. platform doesn't support file version, or version info missing
-
- {
- fIsAptca = FALSE;
- }
- }
- if (fIsAptca)
- {
- pDependency->dependencyInfo = CorCompileDependencyInfo(pDependency->dependencyInfo
- | CORCOMPILE_DEPENDENCY_IS_APTCA);
- }
-
- if (assemblySecurityAttributes & TokenSecurityDescriptorFlags_ConditionalAPTCA)
- {
- pDependency->dependencyInfo = CorCompileDependencyInfo(pDependency->dependencyInfo
- | CORCOMPILE_DEPENDENCY_IS_CAPTCA);
- }
-#endif //FEATURE_APTCA
#ifdef FEATURE_CORECLR // hardbinding
//
static CCLRAppDomainResourceMonitor s_Arm;
#endif //FEATURE_APPDOMAIN_RESOURCE_MONITORING
-#ifdef FEATURE_APTCA
-class CLRDomainManager : public ICLRDomainManager
-{
-public:
- virtual HRESULT STDMETHODCALLTYPE SetAppDomainManagerType(__in LPCWSTR wszAppDomainManagerAssembly,
- __in LPCWSTR wszAppDomainManagerType,
- EInitializeNewDomainFlags dwInitializeDomainFlags)
- {
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- ENTRY_POINT;
- }
- CONTRACTL_END;
-
- HRESULT hr = S_OK;
- BEGIN_ENTRYPOINT_NOTHROW;
-
- hr = CorHost2::SetAppDomainManagerType(wszAppDomainManagerAssembly,
- wszAppDomainManagerType,
- dwInitializeDomainFlags);
- END_ENTRYPOINT_NOTHROW;
- return hr;
- }
-
- virtual HRESULT STDMETHODCALLTYPE SetPropertiesForDefaultAppDomain(DWORD nProperties,
- __in_ecount(nProperties) LPCWSTR *pwszPropertyNames,
- __in_ecount(nProperties) LPCWSTR *pwszPropertyValues)
- {
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- }
- CONTRACTL_END;
-
- HRESULT hr = S_OK;
- BEGIN_ENTRYPOINT_NOTHROW;
-
- hr = CorHost2::SetPropertiesForDefaultAppDomain(nProperties, pwszPropertyNames, pwszPropertyValues);
-
- END_ENTRYPOINT_NOTHROW;
- return hr;
- }
-
- virtual ULONG STDMETHODCALLTYPE AddRef()
- {
- LIMITED_METHOD_CONTRACT;
- return 1;
- }
-
- virtual ULONG STDMETHODCALLTYPE Release()
- {
- LIMITED_METHOD_CONTRACT;
- return 1;
- }
-
- virtual HRESULT STDMETHODCALLTYPE QueryInterface(__in REFIID riid, __out LPVOID *ppvObject)
- {
- LIMITED_METHOD_CONTRACT;
-
- if (ppvObject == NULL)
- return E_POINTER;
-
- *ppvObject = NULL;
-
- if (riid == IID_ICLRDomainManager)
- {
- *ppvObject = this;
- }
- else if (riid == IID_IUnknown)
- {
- *ppvObject = static_cast<IUnknown *>(this);
- }
-
- if (*ppvObject == NULL)
- return E_NOINTERFACE;
-
- AddRef();
- return S_OK;
- }
-};
-
-static CLRDomainManager s_CLRDomainManager;
-#endif // FEATURE_APTCA
BOOL g_CLRPolicyRequested = FALSE;
return S_OK;
}
#endif //FEATURE_APPDOMAIN_RESOURCE_MONITORING
-#ifdef FEATURE_APTCA
- else if (riid == IID_ICLRDomainManager)
- {
- *ppObject = &s_CLRDomainManager;
- return S_OK;
- }
-#endif // FEATURE_APTCA
else
return (E_NOINTERFACE);
}
return TRUE;
#else
-#ifdef FEATURE_APTCA
- if (!Security::NativeImageHasValidAptcaDependencies(pNativeImage, this))
- {
- return FALSE;
- }
-#endif // !FEATURE_APTCA
GCX_COOP();
FCFuncElement("nIsDefaultAppDomainForEvidence", AppDomainNative::IsDefaultAppDomainForEvidence)
FCFuncElement("nGetAssemblies", AppDomainNative::GetAssemblies)
#endif
-#ifdef FEATURE_APTCA
- QCFuncElement("SetCanonicalConditionalAptcaList", AppDomainNative::SetCanonicalConditionalAptcaList)
-#endif // FEATURE_ATPCA
QCFuncElement("SetSecurityHomogeneousFlag", AppDomainNative::SetSecurityHomogeneousFlag)
QCFuncElement("SetupDomainSecurity", AppDomainNative::SetupDomainSecurity)
FCFuncElement("nSetupFriendlyName", AppDomainNative::SetupFriendlyName)
FCFuncElement("IsReflectionOnly", AssemblyNative::IsReflectionOnly)
FCFuncElement("GetManifestModule", AssemblyHandle::GetManifestModule)
FCFuncElement("GetToken", AssemblyHandle::GetToken)
-#ifdef FEATURE_APTCA
- FCFuncElement("AptcaCheck", AssemblyHandle::AptcaCheck)
-#endif // FEATURE_APTCA
FCFuncEnd()
#ifdef FEATURE_CORECLR
// stack walks in order to close security holes in poorly written
// reflection users.
-#ifdef FEATURE_APTCA
- if (Security::IsUntrustedCallerCheckNeeded(pMeth))
- {
- if (pSCtx->GetCallerMT())
- {
- // Check for untrusted caller
- // It is possible that wrappers like VBHelper libraries that are
- // fully trusted, make calls to public methods that do not have
- // safe for Untrusted caller custom attribute set.
- // Like all other link demand that gets transformed to a full stack
- // walk for reflection, calls to public methods also gets
- // converted to full stack walk
-
- Security::DoUntrustedCallerChecks(
- pSCtx->GetCallerMT()->GetAssembly(), pMeth,
- TRUE);
- }
- }
-#endif // FEATURE_APTCA
struct _gc
{
DEFINE_METASIG_T(SM(Str_Evidence_Str_Str_Bool_RetAppDomain, s C(EVIDENCE) s s F, C(APP_DOMAIN)))
DEFINE_METASIG_T(SM(Str_RetAppDomain, s, C(APP_DOMAIN)))
DEFINE_METASIG_T(SM(Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj, s C(APPDOMAIN_SETUP) C(EVIDENCE) C(EVIDENCE) I s a(s) a(s), j))
-#ifdef FEATURE_APTCA
-DEFINE_METASIG(IM(PtrChar_Int_PtrByte_Int_RetBool, P(u) i P(b) i, F))
-#endif //FEATURE_APTCA
#ifdef FEATURE_COMINTEROP
// System.AppDomain.OnReflectionOnlyNamespaceResolveEvent
DEFINE_METASIG_T(IM(Assembly_Str_RetArrAssembly, C(ASSEMBLY) s, a(C(ASSEMBLY))))
OBJECTREF m_pProcessExitEventHandler; // Delegate for 'process exit' event. Only used in Default appdomain.
OBJECTREF m_pDomainUnloadEventHandler; // Delegate for 'about to unload domain' event
OBJECTREF m_pUnhandledExceptionEventHandler; // Delegate for 'unhandled exception' event
-#ifdef FEATURE_APTCA
- OBJECTREF m_aptcaVisibleAssemblies; // array of conditional APTCA assembly names that should be APTCA visible
-#endif
OBJECTREF m_compatFlags;
return !!m_bIsFastFullTrustDomain;
}
-#ifdef FEATURE_APTCA
- OBJECTREF GetPartialTrustVisibleAssemblies()
- {
- LIMITED_METHOD_CONTRACT
- return m_aptcaVisibleAssemblies;
- }
-#endif // FEATURE_APTCA
// Ref needs to be a PTRARRAYREF
void SetPolicies(OBJECTREF ref)
I1ARRAYREF m_ConfigurationBytes;
STRINGREF m_AppDomainManagerAssembly;
STRINGREF m_AppDomainManagerType;
-#if FEATURE_APTCA
- PTRARRAYREF m_AptcaVisibleAssemblies;
-#endif
OBJECTREF m_CompatFlags;
STRINGREF m_TargetFrameworkName;
#ifndef FEATURE_CORECLR
m_dwPEKind(0),
m_dwMachine(0),
m_fCachedKindAndMachine(FALSE)
-#ifdef FEATURE_APTCA
- , m_fMayBeConditionalAptca(TRUE)
-#endif // FEATURE_APTCA
#ifdef FEATURE_LAZY_COW_PAGES
,m_bAllocatedLazyCOWPages(FALSE)
#endif // FEATURE_LAZY_COW_PAGES
DWORD m_dwMachine;
BOOL m_fCachedKindAndMachine;
-#ifdef FEATURE_APTCA
- BOOL m_fMayBeConditionalAptca;
-#endif // FEATURE_APTCA
#ifdef FEATURE_FUSION
PEFingerprint *m_pILFingerprint; // has to be the real type (as opposed to an interface) so we can delete it
PEKIND GetFusionProcessorArchitecture();
#endif
-#ifdef FEATURE_APTCA
- inline BOOL MayBeConditionalAptca();
- inline void SetIsNotConditionalAptca();
-#endif // FEATURE_APTCA
};
FORCEINLINE void PEImageRelease(PEImage *i)
*pdwMachine = m_dwMachine;
}
-#ifdef FEATURE_APTCA
-inline BOOL PEImage::MayBeConditionalAptca()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fMayBeConditionalAptca;
-}
-
-inline void PEImage::SetIsNotConditionalAptca()
-{
- LIMITED_METHOD_CONTRACT;
- m_fMayBeConditionalAptca = FALSE;
-}
-#endif // FEATURE_APTCA
#ifndef FEATURE_CORECLR
inline BOOL PEImage::IsReportedToUsageLog()
}
FCIMPLEND
-#ifdef FEATURE_APTCA
-FCIMPL2(FC_BOOL_RET, AssemblyHandle::AptcaCheck, AssemblyBaseObject* pTargetAssemblyUNSAFE, AssemblyBaseObject* pSourceAssemblyUNSAFE)
-{
- FCALL_CONTRACT;
-
- ASSEMBLYREF refTargetAssembly = (ASSEMBLYREF)ObjectToOBJECTREF(pTargetAssemblyUNSAFE);
- ASSEMBLYREF refSourceAssembly = (ASSEMBLYREF)ObjectToOBJECTREF(pSourceAssemblyUNSAFE);
-
- if ((refTargetAssembly == NULL) || (refSourceAssembly == NULL))
- FCThrowRes(kArgumentNullException, W("Arg_InvalidHandle"));
-
- DomainAssembly *pTargetAssembly = refTargetAssembly->GetDomainAssembly();
- DomainAssembly *pSourceAssembly = refSourceAssembly->GetDomainAssembly();
-
- if (pTargetAssembly == pSourceAssembly)
- FC_RETURN_BOOL(TRUE);
-
- BOOL bResult = TRUE;
-
- HELPER_METHOD_FRAME_BEGIN_RET_2(refSourceAssembly, refTargetAssembly);
- {
- bResult = ( pTargetAssembly->GetAssembly()->AllowUntrustedCaller() || // target assembly allows untrusted callers unconditionally
- pSourceAssembly->GetSecurityDescriptor()->IsFullyTrusted());
- }
- HELPER_METHOD_FRAME_END();
-
- FC_RETURN_BOOL(bResult);
-}
-FCIMPLEND
-#endif // FEATURE_APTCA
void QCALLTYPE ModuleHandle::GetPEKind(QCall::ModuleHandle pModule, DWORD* pdwPEKind, DWORD* pdwMachine)
{
static FCDECL1(ReflectModuleBaseObject*, GetManifestModule, AssemblyBaseObject *pAssemblyUNSAFE);
static FCDECL1(INT32, GetToken, AssemblyBaseObject *pAssemblyUNSAFE);
-#ifdef FEATURE_APTCA
- static FCDECL2(FC_BOOL_RET, AptcaCheck, AssemblyBaseObject *pTargetAssemblyUNSAFE, AssemblyBaseObject *pSourceAssemblyUNSAFE);
-#endif // FEATURE_APTCA
};
class SignatureNative;
#include "securitydeclarative.h"
#include "securitytransparentassembly.h"
-#ifdef FEATURE_APTCA
-#include "aptca.h"
-#endif
class IAssemblySecurityDescriptor;
class IApplicationSecurityDescriptor;
// security enforcement
inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
-#ifdef FEATURE_APTCA
- inline BOOL IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem = NULL) ;
- inline void DoUntrustedCallerChecks(Assembly *pCaller, MethodDesc *pCalee, BOOL fFullStackWalk) ;
-
- inline bool NativeImageHasValidAptcaDependencies(PEImage *pNativeImage, DomainAssembly *pDomainAssembly);
-
- inline SString GetAptcaKillBitAccessExceptionContext(Assembly *pTargetAssembly);
- inline SString GetConditionalAptcaAccessExceptionContext(Assembly *pTargetAssembly);
-#endif // FEATURE_APTCA
inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);
virtual BOOL AllowsLoadsFromRemoteSources() = 0;
#endif // FEATURE_CAS_POLICY
-#ifdef FEATURE_APTCA
- virtual ConditionalAptcaCache *GetConditionalAptcaCache() = 0;
- virtual void SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList) = 0;
-#endif // FEATURE_APTCA
#endif // !DACCESS_COMPILE
};
return SecurityAttributes::ContainsBuiltinCASPermsOnly(pAttrSet);
}
-#ifdef FEATURE_APTCA
-inline BOOL Security::IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem)
-{
- WRAPPER_NO_CONTRACT;
- return SecurityDeclarative::IsUntrustedCallerCheckNeeded(pCalleeMD, pCallerAssem);
-}
-
-inline void Security::DoUntrustedCallerChecks(Assembly *pCaller, MethodDesc *pCalee, BOOL fFullStackWalk)
-{
- WRAPPER_NO_CONTRACT;
- SecurityDeclarative::DoUntrustedCallerChecks(pCaller, pCalee, fFullStackWalk);
-}
-
-inline bool Security::NativeImageHasValidAptcaDependencies(PEImage *pNativeImage, DomainAssembly *pDomainAssembly)
-{
- WRAPPER_NO_CONTRACT;
- return ::NativeImageHasValidAptcaDependencies(pNativeImage, pDomainAssembly);
-}
-
-inline SString Security::GetAptcaKillBitAccessExceptionContext(Assembly *pTargetAssembly)
-{
- WRAPPER_NO_CONTRACT;
- return ::GetAptcaKillBitAccessExceptionContext(pTargetAssembly);
-}
-
-inline SString Security::GetConditionalAptcaAccessExceptionContext(Assembly *pTargetAssembly)
-{
- WRAPPER_NO_CONTRACT;
- return ::GetConditionalAptcaAccessExceptionContext(pTargetAssembly);
-}
-
-#endif // FEATURE_APTCA
inline bool Security::SecurityCalloutQuickCheck(MethodDesc *pCallerMD)
{
{
WRAPPER_NO_CONTRACT;
-#ifdef FEATURE_APTCA
- if (!DomainCanShareAptcaAssembly(pAssembly))
- {
- return false;
- }
-#endif // FEATURE_APTCA
return true;
}
//
//-----------------------------------------------------------------------------
-#ifdef FEATURE_APTCA
-void DECLSPEC_NORETURN SecurityDeclarative::ThrowAPTCAException(Assembly *pCaller, MethodDesc *pCallee)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- MethodDescCallSite throwSecurityException(METHOD__SECURITY_ENGINE__THROW_SECURITY_EXCEPTION);
-
- OBJECTREF callerObj = NULL;
- if (pCaller != NULL && pCaller->GetDomain() == GetAppDomain())
- callerObj = pCaller->GetExposedObject();
-
- ARG_SLOT args[7];
- args[0] = ObjToArgSlot(callerObj);
- args[1] = ObjToArgSlot(NULL);
- args[2] = ObjToArgSlot(NULL);
- args[3] = PtrToArgSlot(pCallee);
- args[4] = (ARG_SLOT)dclLinktimeCheck;
- args[5] = ObjToArgSlot(NULL);
- args[6] = ObjToArgSlot(NULL);
- throwSecurityException.Call(args);
-
- UNREACHABLE();
-}
-#endif // FEATURE_APTCA
#ifdef FEATURE_CAS_POLICY
void DECLSPEC_NORETURN SecurityDeclarative::ThrowHPException(EApiCategories protectedCategories, EApiCategories demandedCategories)
}
#endif // FEATURE_CAS_POLICY
-#ifdef FEATURE_APTCA
-BOOL SecurityDeclarative::IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- Assembly *pCalleeAssembly = pCalleeMD->GetAssembly();
- _ASSERTE(pCalleeAssembly != NULL);
-
- // ATPCA is only enforced for cross-assembly calls, so if the target is not accessable from outside
- // the assembly, or if the caller and callee are both within the same assembly, we do not need to
- // do any APTCA checks
- if (pCallerAssem == pCalleeAssembly)
- {
- return FALSE;
- }
-
- if (!MethodIsVisibleOutsideItsAssembly(pCalleeMD))
- {
- return FALSE;
- }
-
- // If the target assembly allows untrusted callers unconditionally, then the call should be allowed
- if (pCalleeAssembly->AllowUntrustedCaller())
- {
- return FALSE;
- }
-
- // Otherwise, we need to ensure the caller is fully trusted
- return TRUE;
-}
-#endif // FEATURE_APTCA
-
-
-#ifdef FEATURE_APTCA
-// Do a fulltrust check on the caller if the callee is fully trusted and
-// callee did not enable AllowUntrustedCallerChecks
-/*static*/
-void SecurityDeclarative::DoUntrustedCallerChecks(
- Assembly *pCaller, MethodDesc *pCallee,
- BOOL fFullStackWalk)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- BOOL fRet = TRUE;
-
-#ifdef _DEBUG
- if (!g_pConfig->Do_AllowUntrustedCaller_Checks())
- return;
-#endif
-
- if (!IsUntrustedCallerCheckNeeded(pCallee, pCaller))
- return;
- // Expensive calls after this point, this could end up resolving policy
-
- if (fFullStackWalk)
- {
- // It is possible that wrappers like VBHelper libraries that are
- // fully trusted, make calls to public methods that do not have
- // safe for Untrusted caller custom attribute set.
- // Like all other link demand that gets transformed to a full stack
- // walk for reflection, calls to public methods also gets
- // converted to full stack walk
-
- OBJECTREF permSet = NULL;
- GCPROTECT_BEGIN(permSet);
-
- GetPermissionInstance(&permSet, SECURITY_FULL_TRUST);
- EX_TRY
- {
- SecurityStackWalk::DemandSet(SSWT_LATEBOUND_LINKDEMAND, permSet);
- }
- EX_CATCH
- {
- fRet = FALSE;
- }
- EX_END_CATCH(RethrowTerminalExceptions);
-
- GCPROTECT_END();
- }
- else
- {
- _ASSERTE(pCaller);
-
- // Link Demand only, no full stack walk here
- if (!pCaller->GetSecurityDescriptor()->IsFullyTrusted())
- fRet = FALSE;
- }
-
- if (!fRet)
- {
- ThrowAPTCAException(pCaller, pCallee);
- }
-}
-#endif // FEATURE_APTCA
// Retrieve all linktime demands sets for a method. This includes both CAS and
// non-CAS sets for LDs at the class and the method level, so we could get up to
GCPROTECT_BEGIN(gc);
-#ifdef FEATURE_APTCA
- // Do a fulltrust check on the caller if the callee did not enable
- // AllowUntrustedCallerChecks. Pass a NULL caller assembly:
- // DoUntrustedCallerChecks needs to be able to cope with this.
- SecurityDeclarative::DoUntrustedCallerChecks(NULL, pMD, TRUE);
-#endif // FEATURE_APTCA
// Fetch link demand sets from all the places in metadata where we might
// find them (class and method). These might be split into CAS and non-CAS
inline BOOL FullTrustCheckForLinkOrInheritanceDemand(Assembly *pAssembly);
-#ifdef FEATURE_APTCA
- // Returns TRUE if an APTCA check is necessary
- // Callers:
- // CanAccess
- BOOL IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem = NULL);
-
- // Perform the APTCA check
- // Callers:
- // CanAccess
- // Security::CheckLinkDemandAgainstAppDomain
- void DoUntrustedCallerChecks(
- Assembly *pCaller, MethodDesc *pCalee,
- BOOL fFullStackWalk);
-#endif // FEATURE_APTCA
#ifndef DACCESS_COMPILE
// Calls PermissionSet.Demand
inline BOOL ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass);
-#ifdef FEATURE_APTCA
- // Returns an instance of a SecurityException with the message "This method doesn't allow partially trusted callers"
- // Callers:
- // DoUntrustedCallerChecks
- void DECLSPEC_NORETURN ThrowAPTCAException(Assembly *pCaller, MethodDesc *pCallee);
-#endif // FEATURE_APTCA
#ifdef FEATURE_CAS_POLICY
void DECLSPEC_NORETURN ThrowHPException(EApiCategories protectedCategories, EApiCategories demandedCategories);
#endif // FEATURE_CAS_POLICY
return !m_fHomogeneous || !IsFullyTrusted();
}
-#ifdef FEATURE_APTCA
-ConditionalAptcaCache *ApplicationSecurityDescriptor::GetConditionalAptcaCache()
-{
- LIMITED_METHOD_CONTRACT;
- return m_pConditionalAptcaCache;
-}
-
-void ApplicationSecurityDescriptor::SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList)
-{
- WRAPPER_NO_CONTRACT;
- return this->GetConditionalAptcaCache()->SetCanonicalConditionalAptcaList(wszCanonicalConditionalAptcaList);
-}
-#endif // FEATURE_APTCA
#endif // !DACCESS_COMPILE
BOOL m_fPreResolutionFullTrust; // Was the domain pre-resolved to be full trust
BOOL m_fPreResolutionHomogeneous; // Was the domain pre-resolved to be homogenous
-#ifdef FEATURE_APTCA
- ConditionalAptcaCache* m_pConditionalAptcaCache; // Cache of known conditional APTCA assemblies in this domain
-#endif // FEATURE_APTCA
#ifndef DACCESS_COMPILE
public:
//--------------------
// Destructor
//--------------------
-#ifdef FEATURE_APTCA // The destructor only deletes the ConditionalAptcaCache
- inline ~ApplicationSecurityDescriptor();
-#endif // FEATURE_APTCA
public:
// Indicates whether the initialization phase is in progress.
BOOL QuickIsFullyTrusted();
-#ifdef FEATURE_APTCA
- virtual ConditionalAptcaCache *GetConditionalAptcaCache();
- virtual void SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList);
-#endif // FEATURE_APTCA
#endif // #ifndef DACCESS_COMPILE
};
m_fIsPreResolved(FALSE),
m_fPreResolutionFullTrust(FALSE),
m_fPreResolutionHomogeneous(FALSE)
-#ifdef FEATURE_APTCA
- ,m_pConditionalAptcaCache(new ConditionalAptcaCache(pAppDomain))
-#endif // FEATURE_APTCA
{
CONTRACTL
{
return;
}
-#ifdef FEATURE_APTCA
-inline ApplicationSecurityDescriptor::~ApplicationSecurityDescriptor()
-{
- CONTRACTL
- {
- NOTHROW;
- MODE_ANY;
- GC_TRIGGERS;
- }
- CONTRACTL_END;
-
- delete m_pConditionalAptcaCache;
-}
-#endif // FEATURE_APTCA
inline void ApplicationSecurityDescriptor::ResetInitializationInProgress()
{
inline void SetSignatureLoaded();
#endif
-#ifdef FEATURE_APTCA
- // If you think you need to call this method, you're probably wrong. We shouldn't be making any
- // security enforcement decisions based upon this result -- it's strictly for ensuring that we load
- // conditional APTCA assemblies correctly.
- inline BOOL IsConditionalAptca();
-#endif // FEATURE_APTCA
#endif // #ifndef DACCESS_COMPILE
};
#endif // FEATURE_CAS_POLICY
-#ifdef FEATURE_APTCA
-
-inline BOOL AssemblySecurityDescriptor::IsConditionalAptca()
-{
- WRAPPER_NO_CONTRACT;
- ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(m_pAssem->GetAssembly());
- return (pMSD->GetTokenFlags() & TokenSecurityDescriptorFlags_ConditionalAPTCA) == TokenSecurityDescriptorFlags_ConditionalAPTCA;
-}
-
-#endif // FEATURE_APTCA
#endif // !DACCESS_COMPILE
// choosing.
TokenSecurityDescriptorFlags tokenFlags = GetTokenFlags();
-#ifdef FEATURE_APTCA
- // We need to post-process the APTCA bits on the token security descriptor to handle:
- // 1. Conditional APTCA assemblies, which should appear as either APTCA-enabled or APTCA-disabled
- // 2. APTCA killbitted assemblies, which should appear as APTCA-disabled
- tokenFlags = ProcessAssemblyAptcaFlags(pAssembly->GetDomainAssembly(), tokenFlags);
-#endif // FEATURE_APTCA
#ifndef FEATURE_CORECLR
// Make sure we understand the security rule set being asked for
}
}
-#ifdef FEATURE_APTCA
- // If the security model implies that unsigned assemblies are APTCA, then check to see if we're unsigned
- // and set the APTCA bit.
- if (pTransparencyBehavior->DoesUnsignedImplyAPTCA() && !pAssembly->IsStrongNamed())
- {
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA;
- }
-#endif // FEATURE_APTCA
#ifdef _DEBUG
// If we're being forced to generate native code for this assembly which can be used in a partial trust
// Encode a security rule set into token flags - this reverses GetSecurityRuleSet
inline TokenSecurityDescriptorFlags EncodeSecurityRuleSet(SecurityRuleSet ruleSet);
-#ifdef FEATURE_APTCA
-TokenSecurityDescriptorFlags ParseAptcaAttribute(const BYTE *pbAptcaBlob,
- DWORD cbAptcaBlob);
-#endif // FEATURE_APTCA
TokenSecurityDescriptorFlags ParseSecurityRulesAttribute(const BYTE *pbSecurityRulesBlob,
DWORD cbSecurityRulesBlob);
inline ModuleSecurityDescriptorFlags operator~(ModuleSecurityDescriptorFlags flags);
-#ifdef FEATURE_APTCA
-BOOL CheckAssemblyHasBeenKillBitted(LPASSEMBLYNAME pAssemblyName, ULARGE_INTEGER uliFileVersion);
-#endif
// Module security descriptor, this class contains static security information about the module
// this information will get persisted in the NGen image
#endif // !FEATURE_CORECLR
-#if defined(FEATURE_APTCA) || defined(FEATURE_CORESYSTEM)
+#if defined(FEATURE_CORESYSTEM)
inline BOOL ModuleSecurityDescriptor::IsAPTCA()
{
WRAPPER_NO_CONTRACT;
// Callers:
// CanAccess (ReflectionInvocation)
// ReflectionSerialization::GetSafeUninitializedObject
-#ifdef FEATURE_APTCA
- // SecurityDeclarative::DoUntrustedCallerChecks
-#endif // FEATURE_APTCA
static void DemandSet(SecurityStackWalkType eType, OBJECTREF demand);
// Native version of PermissionSet.Demand() that delays instantiating the PermissionSet object
&gc.refMethodCasDemands,
&gc.refMethodNonCasDemands);
-#ifdef FEATURE_APTCA
- BOOL fCallerIsAPTCA = pCallerMD->GetAssembly()->AllowUntrustedCaller();
-
- if ((linktimeCheckReason & LinktimeCheckReason_AptcaCheck))
- {
- if (fCallerIsAPTCA &&
- Security::IsUntrustedCallerCheckNeeded(pCalleeMD, pCallerMD->GetAssembly()))
- {
-#ifdef _DEBUG
- if (g_pConfig->LogTransparencyErrors())
- {
- SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling an APTCA protected assembly", pCalleeMD);
- }
- if (!g_pConfig->DisableTransparencyEnforcement())
-#endif // _DEBUG
- {
- // Depending on the transparency model, we need to either fail the attempt to call a method
- // protected with the APTCA link demand, or conver it to a full demand. Note that we need to
- // upgrade to a full demand if either the caller of callee are in v2 mode, the APTCA check is
- // conceptually a link demand, and for link demands we do the conversion if either assembly is
- // using the v2 rules.
- if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods() ||
- pCalleeMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods())
- {
- OBJECTREF permSet = NULL;
- GCPROTECT_BEGIN(permSet);
- Security::GetPermissionInstance(&permSet, SECURITY_FULL_TRUST);
- Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, permSet);
- GCPROTECT_END();
- }
- else
- {
- ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_LINKDEMAND);
- }
- }
- }
- }
-#endif // FEATURE_APTCA
// The following logic turns link demands on the target method into full stack walks
if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallUnmanagedCode())
{
-#ifdef FEATURE_APTCA
- if (fCallerIsAPTCA)
- {
- // if the caller assembly is APTCA, then only inject this demand, for NON-APTCA we will allow
- // calls to native code
- // NOTE: the JIT would have already performed the LinkDemand for this anyways
- Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_UNMANAGED_CODE);
- }
-#endif // FEATURE_APTCA
}
else
{