|
public IsSubsetOf ( |
||
| target | ||
| return | bool | |
// Determine if a specific permission has been granted.
public static bool IsGranted(IPermission perm)
{
// Bail out if the requested permission is null.
if(perm == null)
{
return true;
}
// Get the current permission state.
ClrPermissions current = ClrSecurity.GetPermissionsFrom(1);
if(current == null)
{
// Null is equivalent to "unrestricted".
return true;
}
// Build a permission set with just this permission.
PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(perm);
// If "PermitOnly" is set, then only check that set.
if(current.permitOnly != null)
{
return set.IsSubsetOf(current.permitOnly);
}
// The permission must be granted, but not denied.
if(!set.IsSubsetOf(current.granted) ||
set.IsSubsetOf(current.denied))
{
return false;
}
return true;
}
private static bool CanWriteToFolder(string folder)
{
var permission = new FileIOPermission(FileIOPermissionAccess.Write, folder);
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
/// <summary>
/// Checks to see if DNS information is available to the caller
///
/// </summary>
///
/// <returns/>
public bool GetIsDnsAvailable()
{
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
DnsPermission dnsPermission = new DnsPermission(PermissionState.Unrestricted);
permissionSet.AddPermission((IPermission) dnsPermission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
/// <summary>
/// Checks to see if Registry access is available to the caller
///
/// </summary>
///
/// <returns/>
public bool GetIsRegistryAvailable()
{
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
RegistryPermission registryPermission = new RegistryPermission(PermissionState.Unrestricted);
permissionSet.AddPermission((IPermission) registryPermission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
public static bool NeedsAdministratorRights()
{
var permissionSet = new PermissionSet(PermissionState.None);
var writePermission = new FileIOPermission(FileIOPermissionAccess.Write, HostsFileManager.Filename);
permissionSet.AddPermission(writePermission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
private bool HasSerializationFormatterPermission()
{
#if(DOTNET35)
return SecurityManager.IsGranted(new SecurityPermission(SecurityPermissionFlag.SerializationFormatter));
#else
var permission = new PermissionSet(PermissionState.None);
permission.AddPermission(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
return permission.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
#endif
}
public static bool IsGranted(this IPermission permission)
{
#if DOTNET35 || MONO26
return SecurityManager.IsGranted(permission);
#else
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
#endif
}
internal static bool CheckAppDomainPermissions(PermissionSet permissions)
{
if (!AppDomain.CurrentDomain.IsHomogenous)
{
return false;
}
else
{
return permissions.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
}
private void CheckPermission()
{
var folder = ConfigurationManager.AppSettings["AttachmentsDirectory"];
var permission = new FileIOPermission(FileIOPermissionAccess.Write, Server.MapPath(folder));
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
if (!permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
WarningLabel.Text = String.Format(CultureInfo.CurrentUICulture, "The directory \"{0}\" is write protected", folder);
//AttachmentPanel.Enabled = false;
}
}
public static bool IsDirectoryWritable(string directory)
{
if (string.IsNullOrWhiteSpace(directory))
{
return false;
}
FileIOPermission permission = new FileIOPermission(FileIOPermissionAccess.Write, HostingEnvironment.MapPath(directory));
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
PermissionSetTriple retTriple = null;
if (in_a != null)
{
Debug.Assert((!in_a.IsUnrestricted() || RefusedSet == null), "Cannot be unrestricted or refused must be null");
// if we're already asserting in_a, nothing to do
if (in_a.IsSubsetOf(AssertSet))
{
return(null);
}
PermissionSet retPs;
if (GrantSet != null)
{
retPs = in_a.Intersect(GrantSet); // Restrict the assert to what we've already been granted
}
else
{
GrantSet = new PermissionSet(true);
retPs = in_a.Copy(); // Currently unrestricted Grant: assert the whole assert set
}
bool bFailedToCompress = false;
// removes anything that is already in the refused set from the assert set
if (RefusedSet != null)
{
retPs = PermissionSet.RemoveRefusedPermissionSet(retPs, RefusedSet, out bFailedToCompress);
}
if (!bFailedToCompress)
{
bFailedToCompress = PermissionSet.IsIntersectingAssertedPermissions(retPs, AssertSet);
}
if (bFailedToCompress)
{
retTriple = new PermissionSetTriple(this);
this.Reset();
this.GrantSet = retTriple.GrantSet.Copy();
}
if (AssertSet == null)
{
AssertSet = retPs;
}
else
{
AssertSet.InplaceUnion(retPs);
}
}
return(retTriple);
}
// Determine if a specific permission has been granted.
public static bool IsGranted(IPermission perm)
{
// Bail out if the requested permission is null.
if (perm == null)
{
return(true);
}
// Get the current permission state.
ClrPermissions current = ClrSecurity.GetPermissionsFrom(1);
if (current == null)
{
// Null is equivalent to "unrestricted".
return(true);
}
// Build a permission set with just this permission.
PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(perm);
// If "PermitOnly" is set, then only check that set.
if (current.permitOnly != null)
{
return(set.IsSubsetOf(current.permitOnly));
}
// The permission must be granted, but not denied.
if (!set.IsSubsetOf(current.granted) ||
set.IsSubsetOf(current.denied))
{
return(false);
}
return(true);
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (SecurityManager.executionSecurityPermission == null)
{
SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
Exception exception = (Exception)null;
PermissionSet other1 = optPset;
PermissionSet other2 = reqdPset != null ? (other1 == null ? (PermissionSet)null : reqdPset.Union(other1)) : other1;
if (other2 != null && !other2.IsUnrestricted())
{
other2.AddPermission((IPermission)SecurityManager.executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = SecurityManager.polmgr.Resolve(evidence);
if (other2 != null)
{
target.InplaceIntersect(other2);
}
if (checkExecutionPermission && (!target.Contains((IPermission)SecurityManager.executionSecurityPermission) || denyPset != null && denyPset.Contains((IPermission)SecurityManager.executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if (reqdPset != null && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = (PermissionSet)null;
}
}
else
{
denied = (PermissionSet)null;
}
target.IgnoreTypeLoadFailures = true;
return(target);
}
internal static bool TryResolveGrantSet(Evidence evidence, out PermissionSet grantSet)
{
HostSecurityManager hostSecurityManager = AppDomain.CurrentDomain.HostSecurityManager;
if (evidence.GetHostEvidence <GacInstalled>() != null)
{
grantSet = new PermissionSet(PermissionState.Unrestricted);
return(true);
}
if ((hostSecurityManager.Flags & HostSecurityManagerOptions.HostResolvePolicy) == HostSecurityManagerOptions.HostResolvePolicy)
{
PermissionSet permissionSet = hostSecurityManager.ResolvePolicy(evidence);
if (permissionSet == null)
{
throw new PolicyException(Environment.GetResourceString("Policy_NullHostGrantSet", new object[]
{
hostSecurityManager.GetType().FullName
}));
}
if (AppDomain.CurrentDomain.IsHomogenous)
{
if (permissionSet.IsEmpty())
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"));
}
PermissionSet permissionSet2 = AppDomain.CurrentDomain.ApplicationTrust.DefaultGrantSet.PermissionSet;
if (!permissionSet.IsUnrestricted() && (!permissionSet.IsSubsetOf(permissionSet2) || !permissionSet2.IsSubsetOf(permissionSet)))
{
throw new PolicyException(Environment.GetResourceString("Policy_GrantSetDoesNotMatchDomain", new object[]
{
hostSecurityManager.GetType().FullName
}));
}
}
grantSet = permissionSet;
return(true);
}
else
{
if (AppDomain.CurrentDomain.IsHomogenous)
{
grantSet = AppDomain.CurrentDomain.GetHomogenousGrantSet(evidence);
return(true);
}
grantSet = null;
return(false);
}
}
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
PermissionSetTriple permissionSetTriple = (PermissionSetTriple)null;
if (in_a != null)
{
if (in_a.IsSubsetOf(this.AssertSet))
{
return((PermissionSetTriple)null);
}
PermissionSet permissionSet;
if (this.GrantSet != null)
{
permissionSet = in_a.Intersect(this.GrantSet);
}
else
{
this.GrantSet = new PermissionSet(true);
permissionSet = in_a.Copy();
}
bool bFailedToCompress = false;
if (this.RefusedSet != null)
{
permissionSet = PermissionSet.RemoveRefusedPermissionSet(permissionSet, this.RefusedSet, out bFailedToCompress);
}
if (!bFailedToCompress)
{
bFailedToCompress = PermissionSet.IsIntersectingAssertedPermissions(permissionSet, this.AssertSet);
}
if (bFailedToCompress)
{
permissionSetTriple = new PermissionSetTriple(this);
this.Reset();
this.GrantSet = permissionSetTriple.GrantSet.Copy();
}
if (this.AssertSet == null)
{
this.AssertSet = permissionSet;
}
else
{
this.AssertSet.InplaceUnion(permissionSet);
}
}
return(permissionSetTriple);
}
public static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied)
{
PermissionSet resolved = ResolvePolicy(evidence);
// do we have the minimal permission requested by the assembly ?
if ((reqdPset != null) && !reqdPset.IsSubsetOf(resolved))
{
throw new PolicyException(Locale.GetText(
"Policy doesn't grant the minimal permissions required to execute the assembly."));
}
// do we check for execution rights ?
if (CheckExecutionRights)
{
bool execute = false;
// an empty permissionset doesn't include Execution
if (resolved != null)
{
// unless we have "Full Trust"...
if (resolved.IsUnrestricted())
{
execute = true;
}
else
{
// ... we need to find a SecurityPermission
IPermission security = resolved.GetPermission(typeof(SecurityPermission));
execute = _execution.IsSubsetOf(security);
}
}
if (!execute)
{
throw new PolicyException(Locale.GetText(
"Policy doesn't grant the right to execute the assembly."));
}
}
denied = denyPset;
return(resolved);
}
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
PermissionSetTriple triple = null;
if (in_a != null)
{
PermissionSet set;
bool flag;
if (in_a.IsSubsetOf(this.AssertSet))
{
return(null);
}
if (this.GrantSet != null)
{
set = in_a.Intersect(this.GrantSet);
}
else
{
this.GrantSet = new PermissionSet(true);
set = in_a.Copy();
}
set = PermissionSet.RemoveRefusedPermissionSet(set, this.RefusedSet, out flag);
if (!flag)
{
flag = PermissionSet.IsIntersectingAssertedPermissions(set, this.AssertSet);
}
if (flag)
{
triple = new PermissionSetTriple(this);
this.Reset();
this.GrantSet = triple.GrantSet.Copy();
}
if (this.AssertSet == null)
{
this.AssertSet = set;
return(triple);
}
this.AssertSet.InplaceUnion(set);
}
return(triple);
}
public static bool isDirWritable(String name,bool isDir=true)
{
try
{
string directoryName = null;
if (isDir)
{
directoryName = name;
}
else
{
directoryName = Path.GetDirectoryName(name);
}
if (!String.IsNullOrEmpty(directoryName))
{
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
FileIOPermission writePermission = new FileIOPermission(FileIOPermissionAccess.Write, directoryName);
permissionSet.AddPermission(writePermission);
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
return true;
}
else
{
return false;
}
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
return false;
}
private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc,
PermissionSet demandSet,
out PermissionSet alteredDemandSet)
{
PermissionSet permSet;
// In the common case we are not going to alter the demand set, so just to
// be safe we'll set it to null up front.
// There's some oddness in here to deal with exceptions. The general idea behind
// this is that we need some way of dealing with custom permissions that may not
// handle all possible scenarios of Union(), Intersect(), and IsSubsetOf() properly
// (they don't support it, throw null reference exceptions, etc.).
alteredDemandSet = null;
// An empty demand always succeeds.
if (demandSet == null || demandSet.IsEmpty())
{
return(StackHalt);
}
// In the case of permit only, we define an exception to be failure of the check
// and therefore we throw a security exception.
try
{
permSet = secDesc.GetPermitOnly();
if (permSet != null)
{
if (!demandSet.IsSubsetOf(permSet))
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
}
}
catch (Exception)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
// In the case of denial, we define an exception to be failure of the check
// and therefore we throw a security exception.
try
{
permSet = secDesc.GetDenials();
#if _DEBUG
if (debug)
{
DEBUG_OUT("Checking Denials");
DEBUG_OUT("denials set =\n" + permSet.ToXml().ToString());
DEBUG_OUT("demandSet =\n" + demandSet.ToXml().ToString());
}
#endif
if (permSet != null)
{
PermissionSet intersection = demandSet.Intersect(permSet);
if (intersection != null && !intersection.IsEmpty())
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
}
}
catch (Exception)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
// The assert case is more complex. Since asserts have the ability to "bleed through"
// (where part of a demand is handled by an assertion, but the rest is passed on to
// continue the stackwalk), we need to be more careful in handling the "failure" case.
// Therefore, if an exception is thrown in performing any operation, we make sure to keep
// that permission in the demand set thereby continuing the demand for that permission
// walking down the stack.
if (secDesc.GetAssertAllPossible())
{
return(StackHalt);
}
permSet = secDesc.GetAssertions();
if (permSet != null)
{
// If this frame asserts a superset of the demand set we're done
try
{
if (demandSet.IsSubsetOf(permSet))
{
return(StackHalt);
}
}
catch (Exception)
{
}
// Determine whether any of the demand set asserted. We do this by
// copying the demand set and removing anything in it that is asserted.
if (!permSet.IsUnrestricted())
{
PermissionSetEnumerator enumerator = (PermissionSetEnumerator)demandSet.GetEnumerator();
while (enumerator.MoveNext())
{
IPermission perm
= (IPermission)enumerator.Current;
int i = enumerator.GetCurrentIndex();
if (perm != null)
{
bool unrestricted = perm is System.Security.Permissions.IUnrestrictedPermission;
IPermission assertPerm
= (IPermission)permSet.GetPermission(i, unrestricted);
bool removeFromAlteredDemand = false;
try
{
removeFromAlteredDemand = perm.IsSubsetOf(assertPerm);
}
catch (Exception)
{
}
if (removeFromAlteredDemand)
{
if (alteredDemandSet == null)
{
alteredDemandSet = demandSet.Copy();
}
alteredDemandSet.RemovePermission(i, unrestricted);
}
}
}
}
}
return(StackContinue);
}
private static bool ValidateFilePermissions (string filePath)
{
string directoryName = Directory.GetParent (filePath).FullName;
PermissionSet permissionSet = new PermissionSet (PermissionState.None);
FileIOPermission writePermission = new FileIOPermission(FileIOPermissionAccess.Write, directoryName);
permissionSet.AddPermission(writePermission);
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// Check whether the current user has write permission to the specified path.
/// </summary>
/// <param name="path"></param>
/// <returns></returns>
public static bool HasWritePermissionOnDir(string path)
{
var writeAllow = false;
var writeDeny = false;
try
{
var accessControlList = Directory.GetAccessControl(path);
if (accessControlList == null)
return false;
var accessRules = accessControlList.GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier));
if (accessRules == null)
return false;
foreach (System.Security.AccessControl.FileSystemAccessRule rule in accessRules)
{
if ((System.Security.AccessControl.FileSystemRights.Write & rule.FileSystemRights)
!= System.Security.AccessControl.FileSystemRights.Write)
{
continue;
}
if (rule.AccessControlType == System.Security.AccessControl.AccessControlType.Allow)
{
writeAllow = true;
}
else if (rule.AccessControlType == System.Security.AccessControl.AccessControlType.Deny)
{
writeDeny = true;
}
}
}
catch (System.PlatformNotSupportedException)
{
//#if __MonoCS__
// writeAllow = (0 == Syscall.access(path, AccessModes.W_OK));
//#endif
#if __COCOA__
// TODO check directory permissions
writeAllow = true;
#endif
}
catch(System.UnauthorizedAccessException) {
var permission = new FileIOPermission(FileIOPermissionAccess.Write, path);
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
return true;
}
else
return false;
}
return writeAllow && !writeDeny;
}
/// <summary>
/// Check if user can write to selected DB location
/// </summary>
public bool havePermissions()
{
var permission = new FileIOPermission(FileIOPermissionAccess.Write,
DATABASE_LOCATION);
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(permission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
/// <summary>
/// Gets the MIME content type for a given path extension.
/// </summary>
/// <param name="extension">The input path extension.</param>
/// <param name="def">The default content type to return if any error occurs.</param>
/// <returns>The path extension's MIME content type.</returns>
public static string GetContentTypeForExtension(string extension, string def)
{
if (string.IsNullOrEmpty(extension))
{
return def;
}
string contentType = "";
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(new RegistryPermission(PermissionState.Unrestricted));
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
if (MimeTypes.ContainsKey(extension))
contentType = MimeTypes[extension];
else
contentType = def;
}
permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(new DnsPermission(PermissionState.Unrestricted));
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
//do something.... not at full trust
try
{
RegistryKey reg = Registry.ClassesRoot;
reg = reg.OpenSubKey(extension, false);
if (reg != null) contentType = (string)reg.GetValue("", def);
}
catch (Exception)
{
contentType = def;
}
}
return contentType;
}
internal static bool CheckAppDomainPermissions(PermissionSet permissions)
{
return AppDomain.CurrentDomain.IsHomogenous &&
permissions.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
// Given a set of evidence and some permission requests, resolve policy
// and compare the result against the given grant & deny sets. Return
// whether the two are equivalent.
static private bool CheckGrantSets(Evidence evidence,
PermissionSet minimal,
PermissionSet optional,
PermissionSet refused,
PermissionSet granted,
PermissionSet denied)
{
PermissionSet newGranted = null;
PermissionSet newDenied = null;
int isUnrestricted;
try {
newGranted = ResolvePolicy(evidence,
minimal,
optional,
refused,
out newDenied,
out isUnrestricted,
true);
} catch {
return(false);
}
if (granted == null)
{
if ((newGranted != null) && !newGranted.IsEmpty())
{
return(false);
}
}
else
{
if (newGranted == null)
{
return(granted.IsEmpty());
}
try
{
if (!granted.IsSubsetOf(newGranted) ||
!newGranted.IsSubsetOf(granted))
{
return(false);
}
}
catch (Exception)
{
// We catch any exception and just return false.
// This has to be done because not all permissions
// may support the IsSubsetOf operation.
return(false);
}
}
if (denied == null)
{
if ((newDenied != null) && !newDenied.IsEmpty())
{
return(false);
}
}
else
{
if (newDenied == null)
{
return(denied.IsEmpty());
}
try
{
if (!denied.IsSubsetOf(newDenied) ||
!newDenied.IsSubsetOf(denied))
{
return(false);
}
}
catch (Exception)
{
// We catch any exception and just return false.
// This has to be done because not all permissions
// may support the IsSubsetOf operation.
return(false);
}
}
return(true);
}
public static bool CheckWriteAccess(string path)
{
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
FileIOPermission writePermission = new FileIOPermission(FileIOPermissionAccess.Write | FileIOPermissionAccess.Append, path);
permissionSet.AddPermission(writePermission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
}
public void IsSubset_OneNonIUnrestrictedPermission ()
{
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
PermissionSet ps1 = new PermissionSet (PermissionState.None);
ps1.AddPermission (zip);
PermissionSet ps2 = new PermissionSet (PermissionState.None);
Assert.IsTrue (!ps1.IsSubsetOf (null), "PS1.IsSubset(null)");
Assert.IsTrue (!ps1.IsSubsetOf (ps2), "PS1.IsSubset(None)");
Assert.IsTrue (ps2.IsSubsetOf (ps1), "None.IsSubset(PS1)");
PermissionSet ps3 = ps1.Copy ();
Assert.IsTrue (ps1.IsSubsetOf (ps3), "PS1.IsSubset(PS3)");
Assert.IsTrue (ps3.IsSubsetOf (ps1), "PS3.IsSubset(PS1)");
PermissionSet ups1 = new PermissionSet (PermissionState.Unrestricted);
ups1.AddPermission (zip);
Assert.IsTrue (ps1.IsSubsetOf (ups1), "PS1.IsSubset(Unrestricted)");
Assert.IsTrue (!ups1.IsSubsetOf (ps1), "Unrestricted.IsSubset(PS1)");
PermissionSet ups2 = new PermissionSet (PermissionState.Unrestricted);
#if NET_2_0
// as ZoneIdentityPermission isn't added UPS1Z == UPS2
Assert.IsTrue (ups1.IsSubsetOf (ups2), "UPS1Z.IsSubset(UPS2)");
#else
Assert.IsTrue (!ups1.IsSubsetOf (ups2), "UPS1Z.IsSubset(UPS2)");
#endif
Assert.IsTrue (ups2.IsSubsetOf (ups1), "UPS2.IsSubset(UPS1Z)");
ups2.AddPermission (zip);
Assert.IsTrue (ups1.IsSubsetOf (ups2), "UPS1Z.IsSubset(UPS2Z)");
Assert.IsTrue (ups2.IsSubsetOf (ups1), "UPS2Z.IsSubset(UPS1Z)");
}
/// <summary>
/// Gets the path extension for a given MIME content type.
/// </summary>
/// <param name="contentType">The input MIME content type.</param>
/// <param name="def">The default path extension to return if any error occurs.</param>
/// <returns>The MIME content type's path extension.</returns>
public static string GetExtensionForContentType(string contentType, string def)
{
if (string.IsNullOrEmpty(contentType))
{
return def;
}
string ext = "";
var permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(new RegistryPermission(PermissionState.Unrestricted));
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
if (MimeTypes.ContainsValue(contentType))
{
foreach (KeyValuePair<string, string> pair in MimeTypes)
if (pair.Value == contentType)
return pair.Value;
}
return def;
}
if (permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
try
{
RegistryKey reg = Registry.ClassesRoot;
reg = reg.OpenSubKey(@"MIME\Database\Content Type\" + contentType, false);
if (reg != null) ext = (string)reg.GetValue("Extension", def);
}
catch (Exception)
{
ext = def;
}
}
return ext;
}
[System.Security.SecurityCritical] // auto-generated
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet requested = null;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
{
requested = optional;
}
else
{
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
}
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted())
{
requested.AddPermission(executionSecurityPermission);
}
// If we aren't passed any evidence, just make an empty object
if (evidence == null)
{
evidence = new Evidence();
}
allowed = polmgr.Resolve(evidence);
// Intersect the grant with the RequestOptional
if (requested != null)
{
allowed.InplaceIntersect(requested);
}
// Check that we were granted the right to execute.
if (checkExecutionPermission)
{
if (!allowed.Contains(executionSecurityPermission) ||
(denyPset != null && denyPset.Contains(executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException);
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
allowed.IgnoreTypeLoadFailures = true;
return(allowed);
}
public void IsSubset_Empty ()
{
PermissionSet ps1 = new PermissionSet (PermissionState.None);
PermissionSet ps2 = new PermissionSet (PermissionState.None);
Assert.IsTrue (ps1.IsSubsetOf (null), "None.IsSubsetOf(null)");
Assert.IsTrue (ps1.IsSubsetOf (ps2), "None1.IsSubsetOf(None2)");
Assert.IsTrue (ps2.IsSubsetOf (ps1), "None2.IsSubsetOf(None1)");
PermissionSet ups1 = new PermissionSet (PermissionState.Unrestricted);
Assert.IsTrue (ps1.IsSubsetOf (ups1), "None1.IsSubsetOf(Unrestricted)");
Assert.IsTrue (!ups1.IsSubsetOf (ps1), "Unrestricted.IsSubsetOf(None1)");
Assert.IsTrue (!ups1.IsSubsetOf (null), "Unrestricted.IsSubsetOf(Null)");
PermissionSet ups2 = new PermissionSet (PermissionState.Unrestricted);
Assert.IsTrue (ups1.IsSubsetOf (ups2), "ups1IsSubsetOf(ups2)");
Assert.IsTrue (ups2.IsSubsetOf (ups1), "ups2.IsSubsetOf(ups1)");
}
/// <summary>
/// Creates an _instance of logger. If rootDirectory doesn't exist tries to create it.
/// If everything is successfull sets IsInited to true.
/// </summary>
/// <param name="rootDirectory">The directory, where logs should be created.</param>
/// <param name="level">Level of loggin. Pass LogLevel.Off for turning off logging.</param>
/// <exception cref="AtTaskException">
/// Code: FILE_ACCESS_ERROR: when the rootDirectory doesn't exist and couldn't be created or
/// when there is no permosision to write files in that directory
/// </exception>
private Logger(string rootDirectory, LogLevel level)
{
try
{
if (string.IsNullOrEmpty(rootDirectory))
{
rootDirectory = Path.Combine(Directory.GetCurrentDirectory(), "Logs");
//throw new ArgumentException("rootDirectory is null or empty");
return;
}
if (!Directory.Exists(rootDirectory))
{
try
{
Directory.CreateDirectory(rootDirectory);
}
catch (IOException)
{
//throw new AtTaskException(AtTaskExceptionCode.FILE_ACCESS_ERROR, ex);
return;
}
}
FileIOPermission directoryPermission = new FileIOPermission(FileIOPermissionAccess.Append, rootDirectory);
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
permissionSet.AddPermission(directoryPermission);
if (!permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
//throw new AtTaskException(AtTaskExceptionCode.FILE_ACCESS_ERROR);
return;
}
this.rootDirectory = rootDirectory;
Level = level;
IsInitied = true;
}
catch
{
//DO NOTHING
}
}
private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc,
PermissionSet demandSet,
out PermissionSet alteredDemandSet)
{
PermissionSet permSet;
// In the common case we are not going to alter the demand set, so just to
// be safe we'll set it to null up front.
// There's some oddness in here to deal with exceptions. The general idea behind
// this is that we need some way of dealing with custom permissions that may not
// handle all possible scenarios of Union(), Intersect(), and IsSubsetOf() properly
// (they don't support it, throw null reference exceptions, etc.).
alteredDemandSet = null;
// An empty demand always succeeds.
if (demandSet == null || demandSet.IsEmpty())
return StackHalt;
// In the case of permit only, we define an exception to be failure of the check
// and therefore we throw a security exception.
try
{
permSet = secDesc.GetPermitOnly();
if (permSet != null)
{
if (!demandSet.IsSubsetOf(permSet))
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
}
}
catch (Exception)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
// In the case of denial, we define an exception to be failure of the check
// and therefore we throw a security exception.
try
{
permSet = secDesc.GetDenials();
#if _DEBUG
if (debug)
{
DEBUG_OUT("Checking Denials");
DEBUG_OUT("denials set =\n" + permSet.ToXml().ToString() );
DEBUG_OUT("demandSet =\n" + demandSet.ToXml().ToString() );
}
#endif
if (permSet != null)
{
PermissionSet intersection = demandSet.Intersect(permSet);
if (intersection != null && !intersection.IsEmpty())
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
}
}
catch (Exception)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
// The assert case is more complex. Since asserts have the ability to "bleed through"
// (where part of a demand is handled by an assertion, but the rest is passed on to
// continue the stackwalk), we need to be more careful in handling the "failure" case.
// Therefore, if an exception is thrown in performing any operation, we make sure to keep
// that permission in the demand set thereby continuing the demand for that permission
// walking down the stack.
if (secDesc.GetAssertAllPossible())
{
return StackHalt;
}
permSet = secDesc.GetAssertions();
if (permSet != null)
{
// If this frame asserts a superset of the demand set we're done
try
{
if (demandSet.IsSubsetOf( permSet ))
return StackHalt;
}
catch (Exception)
{
}
// Determine whether any of the demand set asserted. We do this by
// copying the demand set and removing anything in it that is asserted.
if (!permSet.IsUnrestricted())
{
PermissionSetEnumerator enumerator = (PermissionSetEnumerator)demandSet.GetEnumerator();
while (enumerator.MoveNext())
{
IPermission perm
= (IPermission)enumerator.Current;
int i = enumerator.GetCurrentIndex();
if (perm != null)
{
bool unrestricted = perm is System.Security.Permissions.IUnrestrictedPermission;
IPermission assertPerm
= (IPermission)permSet.GetPermission(i, unrestricted);
bool removeFromAlteredDemand = false;
try
{
removeFromAlteredDemand = perm.IsSubsetOf(assertPerm);
}
catch (Exception)
{
}
if (removeFromAlteredDemand)
{
if (alteredDemandSet == null)
alteredDemandSet = demandSet.Copy();
alteredDemandSet.RemovePermission(i, unrestricted);
}
}
}
}
}
return StackContinue;
}
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
PermissionSet requested;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
{
requested = optional;
}
else
{
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
}
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted() && CheckExecution())
{
requested.AddPermission(executionSecurityPermission);
}
if (InitPolicy())
{
// If we aren't passed any evidence, just make an empty object
// If we are passed evidence, copy it before passing it
// to the policy manager.
// Note: this is not a deep copy, the pieces of evidence within the
// Evidence object can still be altered and affect the originals.
if (evidence == null)
{
evidence = new Evidence();
}
else
{
evidence = evidence.ShallowCopy();
}
evidence.AddHost(new PermissionRequestEvidence(reqdPset, optPset, denyPset));
// We need to make sure that no stray exceptions come out of Resolve so
// we wrap it in a try block.
try
{
allowed = polmgr.Resolve(evidence, requested);
}
catch (Exception e)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Exception during resolve");
DEBUG_OUT(e.GetType().FullName);
DEBUG_OUT(e.Message);
DEBUG_OUT(e.StackTrace);
}
#endif
// If we get a policy exception, we are done are we are going to fail to
// load no matter what.
if (e is PolicyException)
{
throw e;
}
// If we get any other kid of exception, we set the allowed set to the
// empty set and continue processing as normal. This allows assemblies
// that make no request to be loaded but blocks any assembly that
// makes a request from being loaded. This seems like a valid design to
// me -- gregfee 6/19/2000
savedException = e;
allowed = new PermissionSet();
}
}
else
{
denied = null;
return(null);
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("ResolvePolicy:");
IEnumerator enumerator = evidence.GetEnumerator();
DEBUG_OUT("Evidence:");
while (enumerator.MoveNext())
{
Object obj = enumerator.Current;
if (obj is Site)
{
DEBUG_OUT(((Site)obj).ToXml().ToString());
}
else if (obj is Zone)
{
DEBUG_OUT(((Zone)obj).ToXml().ToString());
}
else if (obj is Url)
{
DEBUG_OUT(((Url)obj).ToXml().ToString());
}
else if (obj is Publisher)
{
DEBUG_OUT(((Publisher)obj).ToXml().ToString());
}
else if (obj is StrongName)
{
DEBUG_OUT(((StrongName)obj).ToXml().ToString());
}
else if (obj is PermissionRequestEvidence)
{
DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString());
}
}
DEBUG_OUT("Required permissions:");
DEBUG_OUT(reqdPset != null ? reqdPset.ToString() : "<null>");
DEBUG_OUT("Optional permissions:");
DEBUG_OUT(optPset != null ? optPset.ToString() : "<null>");
DEBUG_OUT("Denied permissions:");
DEBUG_OUT(denyPset != null ? denyPset.ToString() : "<null>");
DEBUG_OUT("Requested permissions:");
DEBUG_OUT(requested != null ? requested.ToString() : "<null>");
DEBUG_OUT("Granted permissions:");
DEBUG_OUT(allowed != null ? allowed.ToString() : "<null>");
}
#endif
// Check that we were granted the right to execute.
if (!allowed.IsUnrestricted() && checkExecutionPermission && CheckExecution())
{
SecurityPermission secPerm = (SecurityPermission)allowed.GetPermission(securityPermissionType);
if (secPerm == null || !executionSecurityPermission.IsSubsetOf(secPerm))
{
#if _DEBUG
DEBUG_OUT("No execute permission");
#endif
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
#if _DEBUG
DEBUG_OUT("Didn't get required permissions");
#endif
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException);
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("Final denied permissions:");
DEBUG_OUT(denied != null ? denied.ToString() : "<null>");
}
#endif
return(allowed);
}
[System.Security.SecurityCritical] // auto-generated
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
PermissionSetTriple retTriple = null;
if (in_a != null)
{
Contract.Assert((!in_a.IsUnrestricted() || RefusedSet == null), "Cannot be unrestricted or refused must be null");
// if we're already asserting in_a, nothing to do
if (in_a.IsSubsetOf(AssertSet))
return null;
PermissionSet retPs;
if (GrantSet != null)
retPs = in_a.Intersect(GrantSet); // Restrict the assert to what we've already been granted
else
{
GrantSet = new PermissionSet(true);
retPs = in_a.Copy(); // Currently unrestricted Grant: assert the whole assert set
}
bool bFailedToCompress = false;
// removes anything that is already in the refused set from the assert set
if (RefusedSet != null)
{
retPs = PermissionSet.RemoveRefusedPermissionSet(retPs, RefusedSet, out bFailedToCompress);
}
if (!bFailedToCompress)
bFailedToCompress = PermissionSet.IsIntersectingAssertedPermissions(retPs, AssertSet);
if (bFailedToCompress)
{
retTriple = new PermissionSetTriple(this);
this.Reset();
this.GrantSet = retTriple.GrantSet.Copy();
}
if (AssertSet == null)
AssertSet = retPs;
else
AssertSet.InplaceUnion(retPs);
}
return retTriple;
}
public void IsSubset_OnePermission ()
{
SecurityPermission sp = new SecurityPermission (SecurityPermissionFlag.Assertion);
PermissionSet ps1 = new PermissionSet (PermissionState.None);
ps1.AddPermission (sp);
PermissionSet ps2 = new PermissionSet (PermissionState.None);
Assert.IsTrue (!ps1.IsSubsetOf (null), "PS1.IsSubset(null)");
Assert.IsTrue (!ps1.IsSubsetOf (ps2), "PS1.IsSubset(None)");
Assert.IsTrue (ps2.IsSubsetOf (ps1), "None.IsSubset(PS1)");
PermissionSet ps3 = ps1.Copy ();
Assert.IsTrue (ps1.IsSubsetOf (ps3), "PS1.IsSubset(PS3)");
Assert.IsTrue (ps3.IsSubsetOf (ps1), "PS3.IsSubset(PS1)");
PermissionSet ups1 = new PermissionSet (PermissionState.Unrestricted);
Assert.IsTrue (ps1.IsSubsetOf (ups1), "PS1.IsSubset(Unrestricted)");
Assert.IsTrue (!ups1.IsSubsetOf (ps1), "Unrestricted.IsSubset(PS1)");
}
internal static bool TryResolveGrantSet(Evidence evidence, out PermissionSet grantSet)
{
Contract.Assert(evidence != null);
HostSecurityManager securityManager = AppDomain.CurrentDomain.HostSecurityManager;
// GAC assemblies always are fully trusted
if (evidence.GetHostEvidence <GacInstalled>() != null)
{
grantSet = new PermissionSet(PermissionState.Unrestricted);
return(true);
}
// If the host wants to participate in policy resolution, then our next option is to ask it for
// a grant set
else if ((securityManager.Flags & HostSecurityManagerOptions.HostResolvePolicy) == HostSecurityManagerOptions.HostResolvePolicy)
{
PermissionSet hostGrantSet = securityManager.ResolvePolicy(evidence);
if (hostGrantSet == null)
{
throw new PolicyException(Environment.GetResourceString("Policy_NullHostGrantSet", securityManager.GetType().FullName));
}
// If we're in a homogenous domain, we don't want to allow the host to create multiple
// levels of permissions within the domain. So, if we see the host return something other
// than full trust or the homogenous grant set, we reject the grant set.
if (AppDomain.CurrentDomain.IsHomogenous)
{
// Some hosts, such as ASP.NET, return Nothing as a way of saying that the assembly should
// not be allowed to run in the AppDomain. Reject that with a specific
// no-execution-allowed-here exception message, rather than the return value validation
// exception message we'd hit below.
if (hostGrantSet.IsEmpty())
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"));
}
PermissionSet homogenousGrantSet = AppDomain.CurrentDomain.ApplicationTrust.DefaultGrantSet.PermissionSet;
bool isValidGrantSet = hostGrantSet.IsUnrestricted() ||
(hostGrantSet.IsSubsetOf(homogenousGrantSet) && homogenousGrantSet.IsSubsetOf(hostGrantSet));
if (!isValidGrantSet)
{
throw new PolicyException(Environment.GetResourceString("Policy_GrantSetDoesNotMatchDomain", securityManager.GetType().FullName));
}
}
grantSet = hostGrantSet;
return(true);
}
// If we're in a homogenous domain, we can get the grant set directly from the application trust
else if (AppDomain.CurrentDomain.IsHomogenous)
{
grantSet = AppDomain.CurrentDomain.GetHomogenousGrantSet(evidence);
return(true);
}
// Otherwise we have no way to figure out what the grant set is
else
{
grantSet = null;
return(false);
}
}
public void IsSubset_NonCasPermission_Unrestricted ()
{
PermissionSet ps1 = new PermissionSet (PermissionState.None);
ps1.AddPermission (new PrincipalPermission (PermissionState.Unrestricted));
PermissionSet ps2 = new PermissionSet (PermissionState.None);
Assert.IsTrue (!ps1.IsSubsetOf (null), "PS1.IsSubset(null)");
Assert.IsTrue (!ps1.IsSubsetOf (ps2), "PS1.IsSubset(None)");
Assert.IsTrue (ps2.IsSubsetOf (ps1), "None.IsSubset(PS1)");
PermissionSet ps3 = ps1.Copy ();
Assert.IsTrue (ps1.IsSubsetOf (ps3), "PS1.IsSubset(PS3)");
Assert.IsTrue (ps3.IsSubsetOf (ps1), "PS3.IsSubset(PS1)");
PermissionSet ups1 = new PermissionSet (PermissionState.Unrestricted);
#if NET_2_0
Assert.IsTrue (ps1.IsSubsetOf (ups1), "PS1.IsSubset(Unrestricted)");
#else
Assert.IsTrue (!ps1.IsSubsetOf (ups1), "PS1.IsSubset(Unrestricted)");
#endif
Assert.IsTrue (!ups1.IsSubsetOf (ps1), "Unrestricted.IsSubset(PS1)");
}
private static bool ValidateArgs(string[] args, out StorgaeExporterConfiguration configuration)
{
configuration = null;
if (args.Count() < 2)
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Not enough arguments were provided.\n");
return false;
}
if (!Directory.Exists(args[0]))
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Directory {0} does not exists.\n",args[0]);
return false;
}
if (!StorageExporter.ValidateStorageExsist(args[0]))
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Directory {0} is not a valid RavenDB storage directory.\n", args[0]);
return false;
}
var outputDirectory = Path.GetDirectoryName(args[1]);
if (!Directory.Exists(outputDirectory))
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Output directory {0} does not exists.\n", outputDirectory);
return false;
}
var permissionSet = new PermissionSet(PermissionState.None);
var writePermission = new FileIOPermission(FileIOPermissionAccess.Write, args[1]);
permissionSet.AddPermission(writePermission);
if (!permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet))
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "You don't have premissions to write to {0}.\n", args[1]);
}
if (args.Length % 2 != 0)
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Wrong amount of arguments were passed.\n");
return false;
}
var currArgPos = 2;
configuration = new StorgaeExporterConfiguration() {DatabaseDataDir = args[0], OutputDumpPath = args[1]};
while (currArgPos < args.Length)
{
switch (args[currArgPos])
{
case "-T":
configuration.TableName = args[currArgPos + 1];
currArgPos += 2;
break;
case "-BatchSize":
int batchSize;
if (int.TryParse(args[currArgPos + 1], out batchSize) && batchSize > 0)
{
configuration.BatchSize = batchSize;
currArgPos += 2;
}
else
{
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "BatchSize should be an integer number greater than 0 (BatchSize={0}).\n", args[currArgPos + 1]);
return false;
}
break;
default:
ConsoleUtils.ConsoleWriteLineWithColor(ConsoleColor.Red, "Unidentified argument {0}.\n");
break;
}
}
return true;
}
public static PermissionSet ResolvePolicy (Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied)
{
PermissionSet resolved = ResolvePolicy (evidence);
// do we have the minimal permission requested by the assembly ?
if ((reqdPset != null) && !reqdPset.IsSubsetOf (resolved)) {
throw new PolicyException (Locale.GetText (
"Policy doesn't grant the minimal permissions required to execute the assembly."));
}
// do we check for execution rights ?
if (CheckExecutionRights) {
bool execute = false;
// an empty permissionset doesn't include Execution
if (resolved != null) {
// unless we have "Full Trust"...
if (resolved.IsUnrestricted ()) {
execute = true;
} else {
// ... we need to find a SecurityPermission
IPermission security = resolved.GetPermission (typeof (SecurityPermission));
execute = _execution.IsSubsetOf (security);
}
}
if (!execute) {
throw new PolicyException (Locale.GetText (
"Policy doesn't grant the right to execute the assembly."));
}
}
denied = denyPset;
return resolved;
}
[System.Security.SecurityCritical] // auto-generated
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
if (executionSecurityPermission == null)
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
PermissionSet requested = null;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
requested = optional;
else
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted())
requested.AddPermission( executionSecurityPermission );
// If we aren't passed any evidence, just make an empty object
if (evidence == null)
{
evidence = new Evidence();
}
allowed = polmgr.Resolve(evidence);
// Intersect the grant with the RequestOptional
if (requested != null)
allowed.InplaceIntersect(requested);
// Check that we were granted the right to execute.
if (checkExecutionPermission)
{
if (!allowed.Contains(executionSecurityPermission) ||
(denyPset != null && denyPset.Contains(executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
throw new PolicyException(Environment.GetResourceString( "Policy_NoRequiredPermission" ),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException );
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
denied = null;
}
else
denied = null;
allowed.IgnoreTypeLoadFailures = true;
return allowed;
}
public void Demand()
{
// Get the current permission state.
ClrPermissions current = ClrSecurity.GetPermissionsFrom(1);
if(current == null)
{
// Null is equivalent to "unrestricted".
return;
}
// Build a permission set with just this permission.
PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(this);
// If "PermitOnly" is set, then only check that set.
if(current.permitOnly != null)
{
if(!set.IsSubsetOf(current.permitOnly))
{
throw new SecurityException
(_("Exception_SecurityNotGranted"));
}
return;
}
// The permission must be granted, but not denied.
if(!set.IsSubsetOf(current.granted) ||
set.IsSubsetOf(current.denied))
{
throw new SecurityException
(_("Exception_SecurityNotGranted"));
}
}
/// <summary>
/// Checks to see if DNS information is available to the caller
/// </summary>
/// <returns></returns>
public bool GetIsDnsAvailable()
{
#if NET40 || NET451
var permissionSet = new PermissionSet(PermissionState.None);
var writePermission = new DnsPermission(PermissionState.Unrestricted);
permissionSet.AddPermission(writePermission);
return permissionSet.IsSubsetOf(AppDomain.CurrentDomain.PermissionSet);
#elif NET20
return SecurityManager.IsGranted(new DnsPermission(PermissionState.Unrestricted));
#else
return false;
#endif
}
