/// <summary> /// Gets lockdown policy as applied to a file. /// </summary> /// <returns>An EnforcementMode that describes policy.</returns> public static SystemEnforcementMode GetLockdownPolicy(string path, SafeHandle handle) { // Check the WLDP File policy via API var wldpFilePolicy = GetWldpPolicy(path, handle); if (wldpFilePolicy == SystemEnforcementMode.Enforce) { return(wldpFilePolicy); } // Check the AppLocker File policy via API // This needs to be checked before WLDP audit policy // So, that we don't end up in Audit mode, // when we should be enforce mode. var appLockerFilePolicy = GetAppLockerPolicy(path, handle); if (appLockerFilePolicy == SystemEnforcementMode.Enforce) { return(appLockerFilePolicy); } // At this point, LockdownPolicy = Audit or Allowed. // If there was a WLDP policy, but WLDP didn't block it, // then it was explicitly allowed. Therefore, return the result for the file. SystemEnforcementMode systemWldpPolicy = s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None); if ((systemWldpPolicy == SystemEnforcementMode.Audit) || (systemWldpPolicy == SystemEnforcementMode.Enforce)) { return(wldpFilePolicy); } // If there was a system-wide AppLocker policy, but AppLocker didn't block it, // then return AppLocker's status. if (s_cachedSaferSystemPolicy.GetValueOrDefault(SaferPolicy.Allowed) == SaferPolicy.Disallowed) { return(appLockerFilePolicy); } // If it's not set to 'Enforce' by the platform, allow debug overrides return(GetDebugLockdownPolicy(path)); }
/// <summary> /// Common initialization for all constructors. /// </summary> private void CommonInitialization() { // Assume external scripts are untrusted by default (for Get-Command, etc) // until we've actually parsed their script block. if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.None) { // Get the lock down policy with no handle. This only impacts command discovery, // as the real language mode assignment will be done when we read the script // contents. SystemEnforcementMode scriptSpecificPolicy = SystemPolicy.GetLockdownPolicy(_path, null); if (scriptSpecificPolicy != SystemEnforcementMode.Enforce) { this.DefiningLanguageMode = PSLanguageMode.FullLanguage; } else { this.DefiningLanguageMode = PSLanguageMode.ConstrainedLanguage; } } }
/// <summary> /// Gets lockdown policy as applied to a file /// </summary> /// <returns>An EnforcementMode that describes policy</returns> public static SystemEnforcementMode GetLockdownPolicy(string path, SafeHandle handle) { // Check the WLDP API SystemEnforcementMode lockdownPolicy = GetWldpPolicy(path, handle); if (lockdownPolicy == SystemEnforcementMode.Enforce) { return(lockdownPolicy); } // At this point, LockdownPolicy = Audit or Allowed. // If there was a WLDP policy, but WLDP didn't block it, // then it was explicitly allowed. Therefore, return the result for the file. SystemEnforcementMode systemWldpPolicy = s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None); if ((systemWldpPolicy == SystemEnforcementMode.Enforce) || (systemWldpPolicy == SystemEnforcementMode.Audit)) { return(lockdownPolicy); } // Check the AppLocker API lockdownPolicy = GetAppLockerPolicy(path, handle); if (lockdownPolicy == SystemEnforcementMode.Enforce) { return(lockdownPolicy); } // If there was a system-wide AppLocker policy, but AppLocker didn't block it, // then return AppLocker's status. if (s_cachedSaferSystemPolicy.GetValueOrDefault(SaferPolicy.Allowed) == SaferPolicy.Disallowed) { return(lockdownPolicy); } // If it's not set to 'Enforce' by the platform, allow debug overrides return(GetDebugLockdownPolicy(path)); }
private void ReadScriptContents() { if (_scriptContents == null) { // make sure we can actually load the script and that it's non-empty // before we call it. // Note, although we are passing ASCII as the encoding, the StreamReader // class still obeys the byte order marks at the beginning of the file // if present. If not present, then ASCII is used as the default encoding. try { using (FileStream readerStream = new FileStream(_path, FileMode.Open, FileAccess.Read)) { Encoding defaultEncoding = ClrFacade.GetDefaultEncoding(); Microsoft.Win32.SafeHandles.SafeFileHandle safeFileHandle = readerStream.SafeFileHandle; using (StreamReader scriptReader = new StreamReader(readerStream, defaultEncoding)) { _scriptContents = scriptReader.ReadToEnd(); _originalEncoding = scriptReader.CurrentEncoding; // Check if this came from a trusted path. If so, set its language mode to FullLanguage. if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.None) { SystemEnforcementMode scriptSpecificPolicy = SystemPolicy.GetLockdownPolicy(_path, safeFileHandle); if (scriptSpecificPolicy != SystemEnforcementMode.Enforce) { this.DefiningLanguageMode = PSLanguageMode.FullLanguage; } else { this.DefiningLanguageMode = PSLanguageMode.ConstrainedLanguage; } } else { if (this.Context != null) { this.DefiningLanguageMode = this.Context.LanguageMode; } } } } } catch (ArgumentException e) { // This catches PSArgumentException as well. ThrowCommandNotFoundException(e); } catch (IOException e) { ThrowCommandNotFoundException(e); } catch (NotSupportedException e) { ThrowCommandNotFoundException(e); } catch (UnauthorizedAccessException e) { // this is unadvertised exception thrown by the StreamReader ctor when // no permission to read the script file ThrowCommandNotFoundException(e); } } }
private static SystemEnforcementMode GetWldpPolicy(string path, SafeHandle handle) { // If the WLDP assembly is missing (such as windows 7 or down OS), return default/None to skip WLDP valification if (s_hadMissingWldpAssembly || !IO.File.Exists(IO.Path.Combine(Environment.SystemDirectory, "wldp.dll"))) { s_hadMissingWldpAssembly = true; return(s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None)); } // If path is NULL, see if we have the cached system-wide lockdown policy. if (String.IsNullOrEmpty(path)) { if ((s_cachedWldpSystemPolicy != null) && (!InternalTestHooks.BypassAppLockerPolicyCaching)) { return(s_cachedWldpSystemPolicy.Value); } } try { WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION(); hostInformation.dwRevision = WldpNativeConstants.WLDP_HOST_INFORMATION_REVISION; hostInformation.dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL; if (!String.IsNullOrEmpty(path)) { hostInformation.szSource = path; if (handle != null) { IntPtr fileHandle = IntPtr.Zero; fileHandle = handle.DangerousGetHandle(); hostInformation.hSource = fileHandle; } } uint pdwLockdownState = 0; int result = WldpNativeMethods.WldpGetLockdownPolicy(ref hostInformation, ref pdwLockdownState, 0); if (result >= 0) { SystemEnforcementMode resultingLockdownPolicy = GetLockdownPolicyForResult(pdwLockdownState); // If this is a query for the system-wide lockdown policy, cache it. if (String.IsNullOrEmpty(path)) { s_cachedWldpSystemPolicy = resultingLockdownPolicy; } return(resultingLockdownPolicy); } else { // API failure? return(SystemEnforcementMode.Enforce); } } catch (DllNotFoundException) { s_hadMissingWldpAssembly = true; return(s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None)); } }