//
        // API for PermissionSets
        //

        public virtual void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
        {
            // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
            // you need to change the fourth parameter to a zero.
            FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO(
                CodeAccessSecurityEngine.AssertPermissionToken,
                CodeAccessSecurityEngine.AssertPermission,
                ref stackMark,
                1,
                1);

            BCLDebug.Assert(secObj != null || !SecurityManager.SecurityEnabled, "Failure in SecurityRuntime.Assert() - secObj != null");
            if (secObj == null)
            {
                if (SecurityManager.SecurityEnabled)
                {
                    // Security: REQ_SQ flag is missing. Bad compiler ?
                    throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
                }
            }
            else
            {
                if (secObj.GetAssertions() != null)
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetAssert(permSet);
            }
        }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void Assert(CodeAccessPermission cap, ref StackCrawlMark stackMark)
        {
            // Make sure the caller of assert has the permission to assert
            //WARNING: The placement of the call here is just right to check
            //         the appropriate frame.

            // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
            // you need to change the last parameter to a zero.
            Contract.Assert(AssertPermissionToken != null && AssertPermission != null, "Assert Permission not setup correctly");
            FrameSecurityDescriptor secObj = CheckNReturnSO(AssertPermissionToken,
                                                            AssertPermission,
                                                            ref stackMark,
                                                            1);

            if (secObj == null)
            {
                // Security: REQ_SQ flag is missing. Bad compiler ?
                // This can happen when you create delegates over functions that need the REQ_SQ
                System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
            else
            {
                if (secObj.HasImperativeAsserts())
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetAssert(cap);
            }
        }
Exemple #3
0
 [System.Security.SecurityCritical]  // auto-generated
 private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc,
                                        PermissionSet demandSet,
                                        out PermissionSet alteredDemandSet,
                                        RuntimeMethodHandleInternal rmh)
 {
     return(secDesc.CheckSetDemand(demandSet, out alteredDemandSet, rmh));
 }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
        {
            // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
            // you need to change the fourth parameter to a zero.
            FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO(
                CodeAccessSecurityEngine.AssertPermissionToken,
                CodeAccessSecurityEngine.AssertPermission,
                ref stackMark,
                1);

            Contract.Assert(secObj != null, "Failure in SecurityRuntime.Assert() - secObj != null");
            if (secObj == null)
            {
                // Security: REQ_SQ flag is missing. Bad compiler ?
                System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
            else
            {
                if (secObj.HasImperativeAsserts())
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetAssert(permSet);
            }
        }
Exemple #5
0
 [System.Security.SecurityCritical]  // auto-generated
 private static bool FrameDescHelper(FrameSecurityDescriptor secDesc,
                                     IPermission demandIn,
                                     PermissionToken permToken,
                                     RuntimeMethodHandleInternal rmh)
 {
     return(secDesc.CheckDemand((CodeAccessPermission)demandIn, permToken, rmh));
 }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void Deny(PermissionSet permSet, ref StackCrawlMark stackMark)
        {
#if FEATURE_CAS_POLICY
            // Deny is only valid in legacy mode
            if (!AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled)
            {
                throw new NotSupportedException(Environment.GetResourceString("NotSupported_CasDeny"));
            }
#endif // FEATURE_CAS_POLICY

            FrameSecurityDescriptor secObj =
                SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true);

            Contract.Assert(secObj != null, "Failure in SecurityRuntime.Deny() - secObj != null");
            if (secObj == null)
            {
                // Security: REQ_SQ flag is missing. Bad compiler ?
                System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
            else
            {
                if (secObj.HasImperativeDenials())
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetDeny(permSet);
            }
        }
 [System.Security.SecurityCritical]  // auto-generated
 private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc,
                                        PermissionSet demandSet,
                                        out PermissionSet alteredDemandSet,
                                        RuntimeMethodHandleInternal rmh)
 {
     return secDesc.CheckSetDemand(demandSet, out alteredDemandSet, rmh);
 }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void Deny(CodeAccessPermission cap, ref StackCrawlMark stackMark)
        {
#if FEATURE_CAS_POLICY
            // Deny is only valid in legacy mode
            if (!AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled)
            {
                throw new NotSupportedException(Environment.GetResourceString("NotSupported_CasDeny"));
            }
#endif // FEATURE_CAS_POLICY

            FrameSecurityDescriptor secObj =
                SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true);
            if (secObj == null)
            {
                // Security: REQ_SQ flag is missing. Bad compiler ?
                // This can happen when you create delegates over functions that need the REQ_SQ
                System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
            else
            {
                if (secObj.HasImperativeDenials())
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetDeny(cap);
            }
        }
        internal virtual void Assert(CodeAccessPermission cap, ref StackCrawlMark stackMark)
        {
            // Make sure the caller of assert has the permission to assert
            //WARNING: The placement of the call here is just right to check
            //         the appropriate frame.

            // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
            // you need to change the last parameter to a zero.

            FrameSecurityDescriptor secObj = CheckNReturnSO(AssertPermissionToken,
                                                            AssertPermission,
                                                            ref stackMark,
                                                            1,
                                                            1);

            if (secObj == null)
            {
                if (SecurityManager.SecurityEnabled)
                {
                    // Security: REQ_SQ flag is missing. Bad compiler ?
                    // This can happen when you create delegates over functions that need the REQ_SQ
                    throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
                }
            }
            else
            {
                if (secObj.GetAssertions() != null)
                {
                    throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
                }

                secObj.SetAssert(cap);
            }
        }
 [System.Security.SecurityCritical]  // auto-generated
 private static bool FrameDescHelper(FrameSecurityDescriptor secDesc,
                                        IPermission demandIn, 
                                        PermissionToken permToken,
                                        RuntimeMethodHandleInternal rmh)
 {
     return secDesc.CheckDemand((CodeAccessPermission) demandIn, permToken, rmh);
 }
 internal void RevertPermitOnly()
 {
     if (this.HasImperativeRestrictions())
     {
         FrameSecurityDescriptor.DecrementOverridesCount();
         this.m_restriction = null;
     }
 }
 internal void RevertDeny()
 {
     if (this.HasImperativeDenials())
     {
         FrameSecurityDescriptor.DecrementOverridesCount();
         this.m_denials = null;
     }
 }
 internal void RevertAssertAllPossible()
 {
     if (this.m_assertAllPossible)
     {
         this.m_assertAllPossible = false;
         FrameSecurityDescriptor.DecrementAssertCount();
     }
 }
        // Returns the number of negative overrides(deny/permitonly) in this secDesc
        private static int OverridesHelper(FrameSecurityDescriptor secDesc)
        {
            // check imperative
            int count = OverridesHelper2(secDesc, false);

            // add declarative
            count += OverridesHelper2(secDesc, true);
            return(count);
        }
 internal void RevertPermitOnly()
 {
     if (!this.HasImperativeRestrictions())
     {
         return;
     }
     FrameSecurityDescriptor.DecrementOverridesCount();
     this.m_restriction = (PermissionSet)null;
 }
 internal void RevertDeny()
 {
     if (!this.HasImperativeDenials())
     {
         return;
     }
     FrameSecurityDescriptor.DecrementOverridesCount();
     this.m_denials = (PermissionSet)null;
 }
Exemple #17
0
        // Returns the number of negative overrides(deny/permitonly) in this secDesc
        private static int OverridesHelper(FrameSecurityDescriptor secDesc) 
        { 
            // check imperative
            int count = OverridesHelper2(secDesc, false); 
            // add declarative
            count += OverridesHelper2(secDesc, true);
            return count;
 
        }
Exemple #18
0
        internal static void RevertAll(ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, false);

            if (securityObjectForFrame == null)
            {
                throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
            securityObjectForFrame.RevertAll();
        }
Exemple #19
0
        private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
        {
            bool flag = this.Update2(currentTriple, fsd, false);

            if (!flag)
            {
                flag = this.Update2(currentTriple, fsd, true);
            }
            return(flag);
        }
        static bool StackCompressWalkHelper(PermissionListSet compressedStack,
                                            bool skipGrants,
                                            PermissionSet grantedPerms,
                                            PermissionSet deniedPerms,
                                            FrameSecurityDescriptor frameInfo)
        {
            if (!skipGrants)
            {
                if (!compressedStack.AppendPermissions(grantedPerms,
                                                       PermissionList.MatchChecked))
                {
                    return(false);
                }
                if (deniedPerms != null && !compressedStack.AppendPermissions(deniedPerms,
                                                                              PermissionList.MatchDeny))
                {
                    return(false);
                }
            }

            if (frameInfo != null)
            {
                PermissionSet set = frameInfo.GetPermitOnly();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions(set, PermissionList.MatchPermitOnly))
                    {
                        return(false);
                    }
                }

                set = frameInfo.GetDenials();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions(set, PermissionList.MatchDeny))
                    {
                        return(false);
                    }
                }

                set = frameInfo.GetAssertions();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions(set, PermissionList.MatchAssert))
                    {
                        return(false);
                    }
                }
            }

            return(true);
        }
Exemple #21
0
        private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
        {
            // check imperative
            bool fHalt = Update2(currentTriple, fsd, false);

            if (!fHalt)
            {
                // then declarative
                fHalt = Update2(currentTriple, fsd, true);
            }
            return(fHalt);
        }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void RevertPermitOnly(ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false);

            if (secObj != null)
            {
                secObj.RevertPermitOnly();
            }
            else
            {
                throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
        }
        internal static void RevertAll(ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false);

            if (secObj != null)
            {
                secObj.RevertAll();
            }
            else if (SecurityManager._IsSecurityOn())
            {
                throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
        }
Exemple #24
0
 // Returns the number of negative overrides(deny/permitonly) in this secDesc
 private static int OverridesHelper(FrameSecurityDescriptor secDesc)
 {
     PermissionSet permSet;
     int count = 0;
     
     permSet = secDesc.GetPermitOnly();
     if (permSet != null)
         count++;
     permSet = secDesc.GetDenials();
     if (permSet != null)
         count++;
     return count;
 }
 internal void RevertAssert()
 {
     if (this.m_assertions != null)
     {
         this.m_assertions = null;
         FrameSecurityDescriptor.DecrementAssertCount();
     }
     if (this.m_DeclarativeAssertions != null)
     {
         this.m_AssertFT = this.m_DeclarativeAssertions.IsUnrestricted();
         return;
     }
     this.m_AssertFT = false;
 }
Exemple #26
0
        private static int OverridesHelper2(FrameSecurityDescriptor secDesc, bool fDeclarative)
        {
            int num = 0;

            if (secDesc.GetPermitOnly(fDeclarative) != null)
            {
                num++;
            }
            if (secDesc.GetDenials(fDeclarative) != null)
            {
                num++;
            }
            return(num);
        }
        [System.Security.SecurityCritical]  // auto-generated
        internal static void RevertAll(ref StackCrawlMark stackMark)
        {
#if FEATURE_CAS_POLICY
            FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false);
            if (secObj != null)
            {
                secObj.RevertAll();
            }
            else
            {
                throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
#endif // FEATURE_CAS_POLICY
        }
Exemple #28
0
        private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative)
        {
            PermissionSet denials = fsd.GetDenials(fDeclarative);

            if (denials != null)
            {
                currentTriple.UpdateRefused(denials);
            }
            PermissionSet permitOnly = fsd.GetPermitOnly(fDeclarative);

            if (permitOnly != null)
            {
                currentTriple.UpdateGrant(permitOnly);
            }
            if (fsd.GetAssertAllPossible())
            {
                if (currentTriple.GrantSet == null)
                {
                    currentTriple.GrantSet = PermissionSet.s_fullTrust;
                }
                this.UpdateTripleListAndCreateNewTriple(currentTriple, this.m_permSetTriples);
                currentTriple.GrantSet = PermissionSet.s_fullTrust;
                currentTriple.UpdateAssert(fsd.GetAssertions(fDeclarative));
                return(true);
            }
            PermissionSet assertions = fsd.GetAssertions(fDeclarative);

            if (assertions != null)
            {
                if (assertions.IsUnrestricted())
                {
                    if (currentTriple.GrantSet == null)
                    {
                        currentTriple.GrantSet = PermissionSet.s_fullTrust;
                    }
                    this.UpdateTripleListAndCreateNewTriple(currentTriple, this.m_permSetTriples);
                    currentTriple.GrantSet = PermissionSet.s_fullTrust;
                    currentTriple.UpdateAssert(assertions);
                    return(true);
                }
                PermissionSetTriple permissionSetTriple = currentTriple.UpdateAssert(assertions);
                if (permissionSetTriple != null)
                {
                    this.EnsureTriplesListCreated();
                    this.m_permSetTriples.Add((object)permissionSetTriple);
                }
            }
            return(false);
        }
Exemple #29
0
        internal static void PermitOnly(PermissionSet permSet, ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true);

            if (securityObjectForFrame == null)
            {
                Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
                return;
            }
            if (securityObjectForFrame.HasImperativeRestrictions())
            {
                throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
            }
            securityObjectForFrame.SetPermitOnly(permSet);
        }
        public virtual void RevertAll(ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false);

            if (secObj != null)
            {
                secObj = secObj.Copy();
                secObj.RevertAll();
                SetSecurityObjectForFrame(ref stackMark, secObj);
            }
            else if (SecurityManager.SecurityEnabled)
            {
                throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
            }
        }
Exemple #31
0
        internal static void AssertAllPossible(ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true);

            if (securityObjectForFrame == null)
            {
                Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
                return;
            }
            if (securityObjectForFrame.GetAssertAllPossible())
            {
                throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
            }
            securityObjectForFrame.SetAssertAllPossible();
        }
Exemple #32
0
        internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
        {
            FrameSecurityDescriptor frameSecurityDescriptor = CodeAccessSecurityEngine.CheckNReturnSO(CodeAccessSecurityEngine.AssertPermissionToken, CodeAccessSecurityEngine.AssertPermission, ref stackMark, 1);

            if (frameSecurityDescriptor == null)
            {
                Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
                return;
            }
            if (frameSecurityDescriptor.HasImperativeAsserts())
            {
                throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
            }
            frameSecurityDescriptor.SetAssert(permSet);
        }
Exemple #33
0
        private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
        {
            FrameSecurityDescriptorWithResolver fsdWithResolver = fsd as FrameSecurityDescriptorWithResolver;

            if (fsdWithResolver != null)
            {
                return(this.Update2(currentTriple, fsdWithResolver));
            }
            bool flag = this.Update2(currentTriple, fsd, false);

            if (!flag)
            {
                flag = this.Update2(currentTriple, fsd, true);
            }
            return(flag);
        }
        internal FrameSecurityDescriptor Copy()
        {
            FrameSecurityDescriptor desc = new FrameSecurityDescriptor();
            if (this.m_assertions != null)
                desc.m_assertions = this.m_assertions.Copy();

            if (this.m_denials != null)
                desc.m_denials = this.m_denials.Copy();

            if (this.m_restriction != null)
                desc.m_restriction = this.m_restriction.Copy();

            desc.m_assertAllPossible = this.m_assertAllPossible;

            return desc;
        }
 internal WindowsImpersonationContext(SafeTokenHandle safeTokenHandle, WindowsIdentity wi, bool isImpersonating, FrameSecurityDescriptor fsd)
 {
     this.m_safeTokenHandle = SafeTokenHandle.InvalidHandle;
     if (safeTokenHandle.IsInvalid)
     {
         throw new ArgumentException(Environment.GetResourceString("Argument_InvalidImpersonationToken"));
     }
     if (isImpersonating)
     {
         if (!Win32Native.DuplicateHandle(Win32Native.GetCurrentProcess(), safeTokenHandle, Win32Native.GetCurrentProcess(), ref this.m_safeTokenHandle, 0, true, 2))
         {
             throw new SecurityException(Win32Native.GetMessage(Marshal.GetLastWin32Error()));
         }
         this.m_wi = wi;
     }
     this.m_fsd = fsd;
 }
        // Returns the number of negative overrides(deny/permitonly) in this secDesc
        private static int OverridesHelper(FrameSecurityDescriptor secDesc)
        {
            PermissionSet permSet;
            int           count = 0;

            permSet = secDesc.GetPermitOnly();
            if (permSet != null)
            {
                count++;
            }
            permSet = secDesc.GetDenials();
            if (permSet != null)
            {
                count++;
            }
            return(count);
        }
 internal static extern bool GetDescriptorInfo(IntPtr dcs, int index, out PermissionSet granted, out PermissionSet refused, out Assembly assembly, out FrameSecurityDescriptor fsd);
Exemple #38
0
     private static bool FrameDescHelper(FrameSecurityDescriptor secDesc,
                                            IPermission demand, 
                                            PermissionToken permToken)
     {
         PermissionSet permSet;
         
         // If the demand is null, there is no need to continue
         if (demand == null || demand.IsSubsetOf( null ))
             return StackHalt;
             
         // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper 
         
         // Check Reduction
         
         try
         {
             permSet = secDesc.GetPermitOnly();
             if (permSet != null)
             {
                 IPermission perm = permSet.GetPermission(demand);
 #if _DEBUG
                 if (debug)
                 {
                     DEBUG_OUT("Checking PermitOnly");
                     DEBUG_OUT("permit only set =\n" + permSet.ToXml().ToString() );
                     DEBUG_OUT("demand =\n" + ((CodeAccessPermission)demand).ToXml().ToString() );
                 }
 #endif
         
                 // If the permit only set does not contain the demanded permission, throw a security exception
                 
                 if (perm == null)
                 {
                     if(!(demand is IUnrestrictedPermission && permSet.IsUnrestricted()))
                         throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                 }
                 else
                 {
                     if (!demand.IsSubsetOf( perm ))
                         throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
                 }
             }
         }
         catch (Exception)
         {
             throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
         }
         
         
         // Check Denials
         
         try
         {
             permSet = secDesc.GetDenials();
             if (permSet != null)
             {
 #if _DEBUG
                 if (debug)
                 {
                     DEBUG_OUT("Checking Denials");
                     DEBUG_OUT("denied set =\n" + permSet.ToXml().ToString() );
                 }
 #endif
                 IPermission perm = permSet.GetPermission(demand);
                 
                 // If the deny set does contain the demanded permission, throw a security exception
         
                 if ((perm != null && perm.Intersect( demand ) != null) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted()))
                     throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
             }
         }
         catch (Exception)
         {
             throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
         }                
 
         if (secDesc.GetAssertAllPossible())
         {
             return StackHalt;
         }        
 
         try
         {
             permSet = secDesc.GetAssertions();
             // Check Assertions
             if (permSet != null)
             {
 #if _DEBUG
                 if (debug)
                     DEBUG_OUT("Checking Assertions");
 #endif
         
                 IPermission perm = permSet.GetPermission(demand);
             
                 // If the assert set does contain the demanded permission, halt the stackwalk
         
                 if ((perm != null && (demand.IsSubsetOf( perm )) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted())))
                 {
 #if _DEBUG
                     if (debug)
                         DEBUG_OUT("Assert halting stackwalk");
 #endif                       
                     return StackHalt;
                 }
             }
         }
         catch (Exception)
         {
         }
         
         return StackContinue;
     }
        [System.Security.SecurityCritical]  // auto-generated 
        private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative)
        { 
            // Deny 
            PermissionSet deniedPset = fsd.GetDenials(fDeclarative);
            if (deniedPset != null) 
            {
                currentTriple.UpdateRefused(deniedPset);
            }
 
            // permit only
            PermissionSet permitOnlyPset = fsd.GetPermitOnly(fDeclarative); 
            if (permitOnlyPset != null) 
            {
                currentTriple.UpdateGrant(permitOnlyPset); 
            }

            // Assert all possible
            if (fsd.GetAssertAllPossible()) 
            {
                // If we have no grant set, it means that the only assembly we've seen on the stack so 
                // far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the 
                // compressed stack is also FullTrust.
                if (currentTriple.GrantSet == null) 
                    currentTriple.GrantSet = PermissionSet.s_fullTrust;

                return true; // halt the construction
            } 

            // Assert 
            PermissionSet assertPset = fsd.GetAssertions(fDeclarative); 
            if (assertPset != null)
            { 
                if (assertPset.IsUnrestricted())
                {
                    // If we have no grant set, it means that the only assembly we've seen on the stack so
                    // far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the 
                    // compressed stack is also FullTrust.
                    if (currentTriple.GrantSet == null) 
                        currentTriple.GrantSet = PermissionSet.s_fullTrust; 

                    return true; // halt the construction 
                }

                PermissionSetTriple retTriple = currentTriple.UpdateAssert(assertPset);
                if (retTriple != null) 
                {
                    EnsureTriplesListCreated(); 
                    m_permSetTriples.Add(retTriple); 
                }
            } 

            return false;
        }
 [System.Security.SecurityCritical]  // auto-generated 
 private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
 {
    // check imperative
    bool fHalt = Update2(currentTriple, fsd, false); 
    if (!fHalt)
    { 
         // then declarative 
         fHalt = Update2(currentTriple, fsd, true);
    } 
    return fHalt;
 }
        private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative)
        {
            // Deny
            PermissionSet deniedPset = fsd.GetDenials(fDeclarative);
            if (deniedPset != null)
            {
                currentTriple.UpdateRefused(deniedPset);
            }

            // permit only
            PermissionSet permitOnlyPset = fsd.GetPermitOnly(fDeclarative);
            if (permitOnlyPset != null)
            {
                currentTriple.UpdateGrant(permitOnlyPset);
            }

            // Assert all possible
            if (fsd.GetAssertAllPossible())
                return true; // halt the construction
                
            // Assert
            PermissionSet assertPset = fsd.GetAssertions(fDeclarative);
            if (assertPset != null)
            {
                if (assertPset.IsUnrestricted())
                    return true; // halt the construction
                PermissionSetTriple retTriple = currentTriple.UpdateAssert(assertPset);
                if (retTriple != null)
                {
                    EnsureTriplesListCreated();
                    m_permSetTriples.Add(retTriple);
                }
            }
                
            return false;
        }
 private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
 {
     bool flag = this.Update2(currentTriple, fsd, false);
     if (!flag)
     {
         flag = this.Update2(currentTriple, fsd, true);
     }
     return flag;
 }
 private static int OverridesHelper2(FrameSecurityDescriptor secDesc, bool fDeclarative)
 {
     int num = 0;
     if (secDesc.GetPermitOnly(fDeclarative) != null)
     {
         num++;
     }
     if (secDesc.GetDenials(fDeclarative) != null)
     {
         num++;
     }
     return num;
 }
 private static int OverridesHelper(FrameSecurityDescriptor secDesc)
 {
     return (OverridesHelper2(secDesc, false) + OverridesHelper2(secDesc, true));
 }
Exemple #45
0
 void SetSecurityObjectForFrame(ref StackCrawlMark stackMark,
                                FrameSecurityDescriptor desc);
 private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative)
 {
     PermissionSet denials = fsd.GetDenials(fDeclarative);
     if (denials != null)
     {
         currentTriple.UpdateRefused(denials);
     }
     PermissionSet permitOnly = fsd.GetPermitOnly(fDeclarative);
     if (permitOnly != null)
     {
         currentTriple.UpdateGrant(permitOnly);
     }
     if (fsd.GetAssertAllPossible())
     {
         if (currentTriple.GrantSet == null)
         {
             currentTriple.GrantSet = PermissionSet.s_fullTrust;
         }
         return true;
     }
     PermissionSet assertions = fsd.GetAssertions(fDeclarative);
     if (assertions != null)
     {
         if (assertions.IsUnrestricted())
         {
             if (currentTriple.GrantSet == null)
             {
                 currentTriple.GrantSet = PermissionSet.s_fullTrust;
             }
             return true;
         }
         PermissionSetTriple triple = currentTriple.UpdateAssert(assertions);
         if (triple != null)
         {
             this.EnsureTriplesListCreated();
             this.m_permSetTriples.Add(triple);
         }
     }
     return false;
 }
Exemple #47
0
        private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc,
                                               PermissionSet demandSet,
                                               out PermissionSet alteredDemandSet)
        {
            PermissionSet permSet;

            // In the common case we are not going to alter the demand set, so just to
            // be safe we'll set it to null up front.
            
            // There's some oddness in here to deal with exceptions.  The general idea behind
            // this is that we need some way of dealing with custom permissions that may not
            // handle all possible scenarios of Union(), Intersect(), and IsSubsetOf() properly
            // (they don't support it, throw null reference exceptions, etc.).
            
            alteredDemandSet = null;

            // An empty demand always succeeds.
            if (demandSet == null || demandSet.IsEmpty())
                return StackHalt;
            
            // In the case of permit only, we define an exception to be failure of the check
            // and therefore we throw a security exception.
            
            try
            {
                permSet = secDesc.GetPermitOnly();
                if (permSet != null)
                {
                    if (!demandSet.IsSubsetOf(permSet))
                    {
                        throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
                    }
                }
            }
            catch (Exception)
            {
                throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
            }
                
            // In the case of denial, we define an exception to be failure of the check
            // and therefore we throw a security exception.
                
            try
            {
                permSet = secDesc.GetDenials();

    #if _DEBUG
                if (debug)
                {
                    DEBUG_OUT("Checking Denials");
                    DEBUG_OUT("denials set =\n" + permSet.ToXml().ToString() );
                    DEBUG_OUT("demandSet =\n" + demandSet.ToXml().ToString() );
                }
    #endif

                if (permSet != null)
                {
                    PermissionSet intersection = demandSet.Intersect(permSet);
            
                    if (intersection != null && !intersection.IsEmpty())
                    {
                        throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
                    }
                }
            }
            catch (Exception)
            {
                throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
            }
            
            // The assert case is more complex.  Since asserts have the ability to "bleed through"
            // (where part of a demand is handled by an assertion, but the rest is passed on to
            // continue the stackwalk), we need to be more careful in handling the "failure" case.
            // Therefore, if an exception is thrown in performing any operation, we make sure to keep
            // that permission in the demand set thereby continuing the demand for that permission
            // walking down the stack.
            
            if (secDesc.GetAssertAllPossible())
            {
                return StackHalt;
            }        
            
            permSet = secDesc.GetAssertions();
            if (permSet != null)
            {
                // If this frame asserts a superset of the demand set we're done
                
                try
                {
                    if (demandSet.IsSubsetOf( permSet ))
                        return StackHalt;
                }
                catch (Exception)
                {
                }
                
                // Determine whether any of the demand set asserted.  We do this by
                // copying the demand set and removing anything in it that is asserted.
                    
                if (!permSet.IsUnrestricted())
                {
                    PermissionSetEnumerator enumerator = (PermissionSetEnumerator)demandSet.GetEnumerator();
                    while (enumerator.MoveNext())
                    {
                        IPermission perm
                            = (IPermission)enumerator.Current;
                        int i = enumerator.GetCurrentIndex();
                        if (perm != null)
                        {
                            bool unrestricted = perm is System.Security.Permissions.IUnrestrictedPermission;
                            IPermission assertPerm
                                = (IPermission)permSet.GetPermission(i, unrestricted);
                            
                            bool removeFromAlteredDemand = false;
                            try
                            {
                                removeFromAlteredDemand = perm.IsSubsetOf(assertPerm);
                            }
                            catch (Exception)
                            {
                            }
                        
                            if (removeFromAlteredDemand)
                            {
                                if (alteredDemandSet == null)
                                    alteredDemandSet = demandSet.Copy();
                                alteredDemandSet.RemovePermission(i, unrestricted);
                            }                        
                        
                        }
                    }
                }
            }
            
            return StackContinue;
        }
        [System.Security.SecurityCritical]  // auto-generated
        private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd)
        {
#if FEATURE_COMPRESSEDSTACK
           FrameSecurityDescriptorWithResolver fsdWithResolver = fsd as FrameSecurityDescriptorWithResolver;
           if (fsdWithResolver != null)
           {
               return Update2(currentTriple, fsdWithResolver);
           }
#endif // FEATURE_COMPRESSEDSTACK

           // check imperative
           bool fHalt = Update2(currentTriple, fsd, false);
           if (!fHalt)            
           {
                // then declarative
                fHalt = Update2(currentTriple, fsd, true);
           }
           return fHalt;
        }
        static bool StackCompressWalkHelper(PermissionListSet compressedStack,
                                               bool skipGrants,
                                               PermissionSet grantedPerms,
                                               PermissionSet deniedPerms,
                                               FrameSecurityDescriptor frameInfo)
        {
            if (!skipGrants)
            {
                if (!compressedStack.AppendPermissions(grantedPerms,
                                                       PermissionList.MatchChecked))
                    return false;
                if (deniedPerms != null && !compressedStack.AppendPermissions(deniedPerms,
                                                                              PermissionList.MatchDeny))
                    return false;
            }
            
            if (frameInfo != null)
            {
                PermissionSet set = frameInfo.GetPermitOnly();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions( set, PermissionList.MatchPermitOnly ))
                        return false;
                }

                set = frameInfo.GetDenials();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions( set, PermissionList.MatchDeny ))
                        return false;
                }

                set = frameInfo.GetAssertions();

                if (set != null)
                {
                    if (!compressedStack.AppendPermissions( set, PermissionList.MatchAssert ))
                        return false;
                }
            }
            
            return true;
        }