// static default constructor. This will be called before any of the static members are accessed.
static CodeAccessSecurityEngine()
{
#pragma warning disable 618
AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion);
#pragma warning restore 618
AssertPermissionToken = PermissionToken.GetToken(AssertPermission);
}
[System.Security.SecurityCritical] // auto-generated
private static bool FrameDescHelper(FrameSecurityDescriptor secDesc,
IPermission demandIn,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh)
{
return secDesc.CheckDemand((CodeAccessPermission) demandIn, permToken, rmh);
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
bool flag = this.CheckDemand2(demand, permToken, rmh, false);
if (flag)
{
flag = this.CheckDemand2(demand, permToken, rmh, true);
}
return flag;
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandle rmh)
{
this.CompleteConstruction(null);
if (this.PLS != null)
{
this.PLS.CheckDemand(demand, permToken, rmh);
}
return false;
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
if (!CheckAssert(this.AssertSet, demand, permToken))
{
return false;
}
CodeAccessSecurityEngine.CheckHelper(this.GrantSet, this.RefusedSet, demand, permToken, rmh, null, SecurityAction.Demand, true);
return true;
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
bool flag = true;
if (this.m_permSetTriples != null)
{
for (int i = 0; (i < this.m_permSetTriples.Count) && flag; i++)
{
flag = ((PermissionSetTriple) this.m_permSetTriples[i]).CheckDemand(demand, permToken, rmh);
}
}
else if (this.m_firstPermSetTriple != null)
{
flag = this.m_firstPermSetTriple.CheckDemand(demand, permToken, rmh);
}
return false;
}
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
{
if (pSet != null)
{
pSet.CheckDecoded(demand, permToken);
CodeAccessPermission asserted = (CodeAccessPermission) pSet.GetPermission(demand);
try
{
if (pSet.IsUnrestricted() || demand.CheckAssert(asserted))
{
return false;
}
}
catch (ArgumentException)
{
}
}
return true;
}
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken)
{
if (m_zoneList != null)
{
zoneList.AddRange(m_zoneList);
}
if (m_originList != null)
{
originList.AddRange(m_originList);
}
}
private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
return(secDesc.CheckDemand((CodeAccessPermission)demandIn, permToken, rmh));
}
internal static extern FrameSecurityDescriptor CheckNReturnSO(PermissionToken permToken, CodeAccessPermission demand, ref StackCrawlMark stackMark, int create);
internal static bool CheckHelper(PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, object assemblyOrString, SecurityAction action, bool throwException)
{
if (permToken == null)
{
permToken = PermissionToken.GetToken(demand);
}
if (grantedSet != null)
{
grantedSet.CheckDecoded(permToken.m_index);
}
if (refusedSet != null)
{
refusedSet.CheckDecoded(permToken.m_index);
}
bool flag = SecurityManager._SetThreadSecurity(false);
try
{
if (grantedSet == null)
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else if (!grantedSet.IsUnrestricted())
{
CodeAccessPermission grant = (CodeAccessPermission)grantedSet.GetPermission(permToken);
if (!demand.CheckDemand(grant))
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
}
if (refusedSet != null)
{
CodeAccessPermission codeAccessPermission = (CodeAccessPermission)refusedSet.GetPermission(permToken);
if (codeAccessPermission != null && !codeAccessPermission.CheckDeny(demand))
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
if (refusedSet.IsUnrestricted())
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
}
}
catch (SecurityException)
{
throw;
}
catch (Exception)
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
finally
{
if (flag)
{
SecurityManager._SetThreadSecurity(true);
}
}
return(true);
}
internal PermissionToken GetToken(Type cls, IPermission perm)
{
IntPtr value = cls.TypeHandle.Value;
object obj = this.m_handleTable[value];
if (obj == null)
{
string assemblyQualifiedName = cls.AssemblyQualifiedName;
obj = ((this.m_tokenTable != null) ? this.m_tokenTable[assemblyQualifiedName] : null);
if (obj == null)
{
lock (this)
{
if (this.m_tokenTable != null)
{
obj = this.m_tokenTable[assemblyQualifiedName];
}
else
{
this.m_tokenTable = new Hashtable(this.m_size, 1f, new PermissionTokenKeyComparer());
}
if (obj == null)
{
if (perm != null)
{
int index = this.m_index;
this.m_index = index + 1;
obj = new PermissionToken(index, PermissionTokenType.IUnrestricted, assemblyQualifiedName);
}
else if (cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null)
{
int index = this.m_index;
this.m_index = index + 1;
obj = new PermissionToken(index, PermissionTokenType.IUnrestricted, assemblyQualifiedName);
}
else
{
int index = this.m_index;
this.m_index = index + 1;
obj = new PermissionToken(index, PermissionTokenType.Normal, assemblyQualifiedName);
}
this.m_tokenTable.Add(assemblyQualifiedName, obj);
this.m_indexTable.Add(this.m_index - 1, obj);
PermissionToken.s_tokenSet.SetItem(((PermissionToken)obj).m_index, obj);
}
if (!this.m_handleTable.Contains(value))
{
this.m_handleTable.Add(value, obj);
}
goto IL_1DA;
}
}
lock (this)
{
if (!this.m_handleTable.Contains(value))
{
this.m_handleTable.Add(value, obj);
}
}
}
IL_1DA:
if ((((PermissionToken)obj).m_type & PermissionTokenType.DontKnow) != (PermissionTokenType)0)
{
if (perm != null)
{
((PermissionToken)obj).m_type = PermissionTokenType.IUnrestricted;
((PermissionToken)obj).m_strTypeName = perm.GetType().AssemblyQualifiedName;
}
else
{
if (cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null)
{
((PermissionToken)obj).m_type = PermissionTokenType.IUnrestricted;
}
else
{
((PermissionToken)obj).m_type = PermissionTokenType.Normal;
}
((PermissionToken)obj).m_strTypeName = cls.AssemblyQualifiedName;
}
}
return((PermissionToken)obj);
}
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken)
{
if (this.m_zoneList != null)
{
zoneList.AddRange((ICollection)this.m_zoneList);
}
if (this.m_originList == null)
{
return;
}
originList.AddRange((ICollection)this.m_originList);
}
internal CodeAccessSecurityEngine()
{
InitSecurityEngine();
AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion);
AssertPermissionToken = PermissionToken.GetToken(AssertPermission);
}
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
{
if (this.GetPermitOnly(fDeclarative) != null)
{
this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
}
if (this.GetDenials(fDeclarative) != null)
{
this.GetDenials(fDeclarative).CheckDecoded(demand, permToken);
}
if (this.GetAssertions(fDeclarative) != null)
{
this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
}
bool flag = SecurityManager._SetThreadSecurity(false);
try
{
PermissionSet permitOnly = this.GetPermitOnly(fDeclarative);
if (permitOnly != null)
{
CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission(demand);
if (permitted == null)
{
if (!permitOnly.IsUnrestricted())
{
throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
else
{
bool flag2 = true;
try
{
flag2 = !demand.CheckPermitOnly(permitted);
}
catch (ArgumentException)
{
}
if (flag2)
{
throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
}
permitOnly = this.GetDenials(fDeclarative);
if (permitOnly != null)
{
CodeAccessPermission permission = (CodeAccessPermission)permitOnly.GetPermission(demand);
if (permitOnly.IsUnrestricted())
{
throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
bool flag3 = true;
try
{
flag3 = !demand.CheckDeny(permission);
}
catch (ArgumentException)
{
}
if (flag3)
{
throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
if (this.GetAssertAllPossible())
{
return(false);
}
permitOnly = this.GetAssertions(fDeclarative);
if (permitOnly != null)
{
CodeAccessPermission asserted = (CodeAccessPermission)permitOnly.GetPermission(demand);
try
{
if (permitOnly.IsUnrestricted() || demand.CheckAssert(asserted))
{
return(false);
}
}
catch (ArgumentException)
{
}
}
}
finally
{
if (flag)
{
SecurityManager._SetThreadSecurity(true);
}
}
return(true);
}
internal PermissionToken BuiltInGetToken(int index, IPermission perm, Type cls)
{
PermissionToken token = m_builtIn[index];
if (token == null)
{
lock (this)
{
token = m_builtIn[index];
if (token == null)
{
PermissionTokenType permType = PermissionTokenType.DontKnow;
if (perm != null)
{
if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || perm is IUnrestrictedPermission)
{
permType = PermissionTokenType.IUnrestricted;
}
else
{
permType = PermissionTokenType.Normal;
}
}
else if (cls != null)
{
if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null)
{
permType = PermissionTokenType.IUnrestricted;
}
else
{
permType = PermissionTokenType.Normal;
}
}
token = new PermissionToken(index, permType | PermissionTokenType.BuiltIn, null);
m_builtIn[index] = token;
PermissionToken.s_tokenSet.SetItem(token.m_index, token);
}
}
}
if ((token.m_type & PermissionTokenType.DontKnow) != 0)
{
token.m_type = PermissionTokenType.BuiltIn;
if (perm != null)
{
if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || perm is IUnrestrictedPermission)
{
token.m_type |= PermissionTokenType.IUnrestricted;
}
else
{
token.m_type |= PermissionTokenType.Normal;
}
}
else if (cls != null)
{
if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null)
{
token.m_type |= PermissionTokenType.IUnrestricted;
}
else
{
token.m_type |= PermissionTokenType.Normal;
}
}
else
{
token.m_type |= PermissionTokenType.DontKnow;
}
}
return(token);
}
internal PermissionToken GetToken(Type cls, IPermission perm)
{
Contract.Assert(cls != null, "Must pass in valid type");
IntPtr typePtr = cls.TypeHandle.Value;
object tok = m_handleTable[typePtr];
if (tok == null)
{
String typeStr = cls.AssemblyQualifiedName;
tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe
if (tok == null)
{
lock (this)
{
if (m_tokenTable != null)
{
tok = m_tokenTable[typeStr]; // Make sure it wasn't just added
}
else
{
m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer());
}
if (tok == null)
{
if (perm != null)
{
tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr);
}
else
{
if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
{
tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr);
}
else
{
tok = new PermissionToken(m_index++, PermissionTokenType.Normal, typeStr);
}
}
m_tokenTable.Add(typeStr, tok);
m_indexTable.Add(m_index - 1, tok);
PermissionToken.s_tokenSet.SetItem(((PermissionToken)tok).m_index, tok);
}
if (!m_handleTable.Contains(typePtr))
{
m_handleTable.Add(typePtr, tok);
}
}
}
else
{
lock (this)
{
if (!m_handleTable.Contains(typePtr))
{
m_handleTable.Add(typePtr, tok);
}
}
}
}
if ((((PermissionToken)tok).m_type & PermissionTokenType.DontKnow) != 0)
{
if (perm != null)
{
Contract.Assert(!(perm is IBuiltInPermission), "This should not be called for built-ins");
((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
#if FEATURE_CAS_POLICY
((PermissionToken)tok).m_strTypeName = perm.GetType().AssemblyQualifiedName;
#endif // FEATURE_CAS_POLICY
}
else
{
Contract.Assert(cls.GetInterface("System.Security.Permissions.IBuiltInPermission") == null, "This shoudl not be called for built-ins");
if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
{
((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
}
else
{
((PermissionToken)tok).m_type = PermissionTokenType.Normal;
}
#if FEATURE_CAS_POLICY
((PermissionToken)tok).m_strTypeName = cls.AssemblyQualifiedName;
#endif // FEATURE_CAS_POLICY
}
}
return((PermissionToken)tok);
}
[System.Security.SecurityCritical] // auto-generated
#pragma warning disable 618
internal static bool CheckHelper(PermissionSet grantedSet,
#pragma warning restore 618
PermissionSet refusedSet,
CodeAccessPermission demand,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh,
Object assemblyOrString,
SecurityAction action,
bool throwException)
{
// We should never get here with a null demand
Contract.Assert(demand != null, "Should not reach here with a null demand");
#if _DEBUG && FEATURE_CAS_POLICY
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Refused: ");
DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif // _DEBUG && FEATURE_CAS_POLICY
if (permToken == null)
{
permToken = PermissionToken.GetToken(demand);
}
if (grantedSet != null)
{
grantedSet.CheckDecoded(permToken.m_index);
}
if (refusedSet != null)
{
refusedSet.CheckDecoded(permToken.m_index);
}
// If PermissionSet is null, then module does not have Permissions... Fail check.
bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
try
{
if (grantedSet == null)
{
if (throwException)
{
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else
{
return(false);
}
}
else if (!grantedSet.IsUnrestricted())
{
// If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
Contract.Assert(demand != null, "demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// Make sure the demand has been granted
if (!demand.CheckDemand(grantedPerm))
{
if (throwException)
{
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else
{
return(false);
}
}
}
// Make the sure the permission is not refused.
if (refusedSet != null)
{
CodeAccessPermission refusedPerm =
(CodeAccessPermission)refusedSet.GetPermission(permToken);
if (refusedPerm != null)
{
if (!refusedPerm.CheckDeny(demand))
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Permission found in refused set");
}
#endif
if (throwException)
{
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else
{
return(false);
}
}
}
if (refusedSet.IsUnrestricted())
{
if (throwException)
{
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else
{
return(false);
}
}
}
}
catch (SecurityException)
{
throw;
}
catch (Exception)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (throwException)
{
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
}
else
{
return(false);
}
}
finally
{
if (bThreadSecurity)
{
SecurityManager._SetThreadSecurity(true);
}
}
DEBUG_OUT("Check passed");
return(true);
}
public void FromXml(SecurityElement elRoot)
{
elRoot.Tag.Equals("PermissionToken");
string typeStr = elRoot.Attribute("Name");
PermissionToken permissionToken = typeStr == null?PermissionToken.FindTokenByIndex(int.Parse(elRoot.Attribute("Index"), (IFormatProvider)CultureInfo.InvariantCulture)) : PermissionToken.GetToken(typeStr, true);
this.m_index = permissionToken.m_index;
this.m_type = (PermissionTokenType)Enum.Parse(typeof(PermissionTokenType), elRoot.Attribute("Type"));
this.m_strTypeName = permissionToken.m_strTypeName;
}
private static void CheckHelper(PermissionSet grantedSet,
PermissionSet deniedSet,
CodeAccessPermission demand,
PermissionToken permToken)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Denied: ");
DEBUG_OUT(deniedSet != null ? deniedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif
if (permToken == null)
{
permToken = PermissionToken.GetToken(demand);
}
// If PermissionSet is null, then module does not have Permissions... Fail check.
try
{
if (grantedSet == null)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
{
// If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
BCLDebug.Assert(demand != null, "demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
// then throw an exception.
if (grantedPerm == null)
{
if (!demand.IsSubsetOf(null))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
else
{
return;
}
}
// Call the check demand for our permission.
grantedPerm.CheckDemand(demand);
}
// Make the sure the permission is not denied.
if (deniedSet != null)
{
CodeAccessPermission deniedPerm =
(CodeAccessPermission)deniedSet.GetPermission(permToken);
if (deniedPerm != null)
{
if (deniedPerm.Intersect(demand) != null)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Permission found in denied set");
}
#endif
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
if (deniedSet.IsUnrestricted() && (demand is IUnrestrictedPermission))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
catch (Exception e)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (e is SecurityException)
{
throw e;
}
else
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
DEBUG_OUT("Check passed");
}
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
{
if (this.GetPermitOnly(fDeclarative) != null)
{
this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
}
if (this.GetDenials(fDeclarative) != null)
{
this.GetDenials(fDeclarative).CheckDecoded(demand, permToken);
}
if (this.GetAssertions(fDeclarative) != null)
{
this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
}
bool flag1 = SecurityManager._SetThreadSecurity(false);
try
{
PermissionSet permitOnly = this.GetPermitOnly(fDeclarative);
if (permitOnly != null)
{
CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission((IPermission)demand);
if (permitted == null)
{
if (!permitOnly.IsUnrestricted())
{
throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
}
}
else
{
bool flag2 = true;
try
{
flag2 = !demand.CheckPermitOnly(permitted);
}
catch (ArgumentException ex)
{
}
if (flag2)
{
throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
}
}
}
PermissionSet denials = this.GetDenials(fDeclarative);
if (denials != null)
{
CodeAccessPermission denied = (CodeAccessPermission)denials.GetPermission((IPermission)demand);
if (denials.IsUnrestricted())
{
throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
}
bool flag2 = true;
try
{
flag2 = !demand.CheckDeny(denied);
}
catch (ArgumentException ex)
{
}
if (flag2)
{
throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand);
}
}
if (this.GetAssertAllPossible())
{
return(false);
}
PermissionSet assertions = this.GetAssertions(fDeclarative);
if (assertions != null)
{
CodeAccessPermission asserted = (CodeAccessPermission)assertions.GetPermission((IPermission)demand);
try
{
if (!assertions.IsUnrestricted())
{
if (!demand.CheckAssert(asserted))
{
goto label_35;
}
}
return(false);
}
catch (ArgumentException ex)
{
}
}
}
finally
{
if (flag1)
{
SecurityManager._SetThreadSecurity(true);
}
}
label_35:
return(true);
}
public static bool IsTokenProperlyAssigned(IPermission perm, PermissionToken token)
{
PermissionToken token1 = PermissionToken.GetToken(perm);
return(token1.m_index == token.m_index && token.m_type == token1.m_type && (!(perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly()) || token1.m_index < 17));
}
private extern void Check(PermissionToken permToken,
CodeAccessPermission demand,
ref StackCrawlMark stackMark,
int checkFrames,
int unrestrictedOverride);
public static PermissionToken GetToken(string typeStr)
{
return(PermissionToken.GetToken(typeStr, false));
}
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken)
{
BCLDebug.Assert(AssertSet == null, "AssertSet not null");
return(CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, s_emptyRMH, null, SecurityAction.Demand, false));
}
internal static void CheckHelper(CompressedStack cs, PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action)
{
if (cs != null)
{
cs.CheckDemand(demand, permToken, rmh);
return;
}
CodeAccessSecurityEngine.CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, asm, action, true);
}
public PermissionList FindPermissionList(Type permClass)
{
BCLDebug.Assert(permClass != null, "permClass != null");
return(FindPermissionList(PermissionToken.GetToken(permClass)));
}
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList)
{
if (cs != null)
{
cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission)));
return;
}
ZoneIdentityPermission zoneIdentityPermission = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission));
UrlIdentityPermission urlIdentityPermission = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission));
if (zoneIdentityPermission != null)
{
zoneList.Add(zoneIdentityPermission.SecurityZone);
}
if (urlIdentityPermission != null)
{
originList.Add(urlIdentityPermission.Url);
}
}
internal PermissionList FindPermissionList(PermissionToken permToken)
{
BCLDebug.Assert(permToken != null, "permToken != null");
return(FindPermissionList(permToken.m_index, permToken.m_isUnrestricted));
}
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList)
{
if (cs != null)
{
cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission)));
}
else
{
ZoneIdentityPermission identityPermission1 = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission));
UrlIdentityPermission identityPermission2 = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission));
if (identityPermission1 != null)
{
zoneList.Add((object)identityPermission1.SecurityZone);
}
if (identityPermission2 == null)
{
return;
}
originList.Add((object)identityPermission2.Url);
}
}
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, bool createException, out Exception exception)
{
BCLDebug.Assert(demand != null, "demand != null");
BCLDebug.Assert(permToken != null, "permToken != null");
// First, find if there is a permission list of this type.
PermissionList permList = FindPermissionList(permToken);
if (permList != null)
{
// If so, check against it to determine our action.
bool cont = permList.CheckDemandInternal(demand, createException, out exception);
// We don't record modifiers for the unrestricted permission set in the
// individual lists. Therefore, permList.CheckDemandInternal may say
// that we have to continue the stackwalk, but we know better.
if (cont && permToken.m_isUnrestricted)
{
if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
else
{
cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
}
return(cont);
}
#if _DEBUG
// Let's check to make sure we always pass demands for empty permissions.
else if (demand.IsSubsetOf(null))
{
BCLDebug.Assert(false, "We should pick of empty demands before this point");
exception = null;
return(true);
}
#endif
// If the permission is not unrestricted, the lack of a permission list
// denotes that no frame on the stack granted this permission, and therefore
// we pass back the failure condition.
else if (!permToken.m_isUnrestricted)
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
// If this permission list set is not unrestricted and there is no unrestricted assert
// then the lack of a permission list denotes that no frame on the stack granted
// this permission, and therefore we pass back the failure condition. If there is
// an unrestricted assert, then we pass back success and terminate the stack walk.
else if (!this.IsUnrestricted())
{
if (createException)
{
exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName));
}
else
{
exception = GetStaticException();
}
return(false);
}
// If we made it all the way through, that means that we are in the unrestricted
// state and that this permission is encompassed in that. If we have an unrestricted
// assert, we are done with the state walk (return false), otherwise keep going.
exception = null;
return((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken)
{
Contract.Assert(AssertSet == null, "AssertSet not null");
#pragma warning disable 618
return CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, RuntimeMethodHandleInternal.EmptyHandle, null, SecurityAction.Demand, false);
#pragma warning restore 618
}
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, out Exception exception)
{
BCLDebug.Assert(demand != null, "demand != null");
BCLDebug.Assert(permToken != null, "permToken != null");
// First, find if there is a permission list of this type.
PermissionList permList = FindPermissionList(permToken);
if (permList != null)
{
// If so, check against it to determine our action.
bool cont = permList.CheckDemandInternal(demand, out exception);
// We don't record modifiers for the unrestricted permission set in the
// individual lists. Therefore, permList.CheckDemandInternal may say
// that we have to continue the stackwalk, but we know better.
if (cont && permToken.m_isUnrestricted)
{
if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0)
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
else
{
cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0);
}
}
return cont;
}
#if _DEBUG
// Let's check to make sure we always pass demands for empty permissions.
else if (demand.IsSubsetOf( null ))
{
BCLDebug.Assert( false, "We should pick of empty demands before this point" );
exception = null;
return true;
}
#endif
// If the permission is not unrestricted, the lack of a permission list
// denotes that no frame on the stack granted this permission, and therefore
// we pass back the failure condition.
else if (!permToken.m_isUnrestricted)
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
// If this permission list set is not unrestricted and there is no unrestricted assert
// then the lack of a permission list denotes that no frame on the stack granted
// this permission, and therefore we pass back the failure condition. If there is
// an unrestricted assert, then we pass back success and terminate the stack walk.
else if (!this.IsUnrestricted())
{
exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) );
return false;
}
// If we made it all the way through, that means that we are in the unrestricted
// state and that this permission is encompassed in that. If we have an unrestricted
// assert, we are done with the state walk (return false), otherwise keep going.
exception = null;
return (m_state & PermissionListSetState.UnrestrictedAssert) == 0;
}
private static bool CheckDynamicMethodHelper(System.Reflection.Emit.DynamicResolver dynamicResolver,
IPermission demandIn,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh)
{
System.Threading.CompressedStack creationStack = dynamicResolver.GetSecurityContext();
bool result;
try
{
result = creationStack.CheckDemandNoHalt((CodeAccessPermission)demandIn, permToken, rmh);
}
catch (SecurityException ex)
{
throw new SecurityException(Environment.GetResourceString("Security_AnonymouslyHostedDynamicMethodCheckFailed"), ex);
}
return result;
}
// Returns true to continue, or false to halt
private static bool FrameDescHelper(FrameSecurityDescriptor secDesc,
IPermission demand,
PermissionToken permToken)
{
PermissionSet permSet;
// If the demand is null, there is no need to continue
if (demand == null || demand.IsSubsetOf(null))
{
return(StackHalt);
}
// NOTE: See notes about exceptions and exception handling in FrameDescSetHelper
// Check Reduction
try
{
permSet = secDesc.GetPermitOnly();
if (permSet != null)
{
IPermission perm = permSet.GetPermission(demand);
#if _DEBUG
if (debug)
{
DEBUG_OUT("Checking PermitOnly");
DEBUG_OUT("permit only set =\n" + permSet.ToXml().ToString());
DEBUG_OUT("demand =\n" + ((CodeAccessPermission)demand).ToXml().ToString());
}
#endif
// If the permit only set does not contain the demanded permission, throw a security exception
if (perm == null)
{
if (!(demand is IUnrestrictedPermission && permSet.IsUnrestricted()))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
else
{
if (!demand.IsSubsetOf(perm))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
}
catch (Exception)
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
// Check Denials
try
{
permSet = secDesc.GetDenials();
if (permSet != null)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Checking Denials");
DEBUG_OUT("denied set =\n" + permSet.ToXml().ToString());
}
#endif
IPermission perm = permSet.GetPermission(demand);
// If the deny set does contain the demanded permission, throw a security exception
if ((perm != null && perm.Intersect(demand) != null) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted()))
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
catch (Exception)
{
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
if (secDesc.GetAssertAllPossible())
{
return(StackHalt);
}
try
{
permSet = secDesc.GetAssertions();
// Check Assertions
if (permSet != null)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Checking Assertions");
}
#endif
IPermission perm = permSet.GetPermission(demand);
// If the assert set does contain the demanded permission, halt the stackwalk
if ((perm != null && (demand.IsSubsetOf(perm)) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted())))
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Assert halting stackwalk");
}
#endif
return(StackHalt);
}
}
}
catch (Exception)
{
}
return(StackContinue);
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
bool bRet = SecurityRuntime.StackContinue;
if (m_permSetTriples != null)
{
for (int i=0; (i < m_permSetTriples.Count && bRet != SecurityRuntime.StackHalt) ; i++)
{
PermissionSetTriple psTriple = (PermissionSetTriple)m_permSetTriples[i];
bRet = psTriple.CheckDemand(demand, permToken, rmh);
}
}
else if (m_firstPermSetTriple != null)
{
bRet = m_firstPermSetTriple.CheckDemand(demand, permToken, rmh);
}
return SecurityRuntime.StackHalt; // CS demand check always terminates the stackwalk
}
[System.Security.SecurityCritical] // auto-generated
private static Object Deserialize(byte[] blob)
{
if (blob == null)
return null;
if (blob[0] == 0)
{
Parser parser = new Parser( blob, Tokenizer.ByteTokenEncoding.UTF8Tokens, 1 );
SecurityElement root = parser.GetTopElement();
if (root.Tag.Equals( "IPermission" ) || root.Tag.Equals( "Permission" ))
{
IPermission ip = System.Security.Util.XMLUtil.CreatePermission( root, PermissionState.None, false );
if (ip == null)
{
return null;
}
ip.FromXml( root );
return ip;
}
else if (root.Tag.Equals( "PermissionSet" ))
{
PermissionSet permissionSet = new PermissionSet();
permissionSet.FromXml( root, false, false );
return permissionSet;
}
else if (root.Tag.Equals( "PermissionToken" ))
{
PermissionToken pToken = new PermissionToken();
pToken.FromXml( root );
return pToken;
}
else
{
return null;
}
}
else
{
Object obj = null;
using(MemoryStream stream = new MemoryStream( blob, 1, blob.Length - 1 )) {
obj = CrossAppDomainSerializer.DeserializeObject(stream);
}
Contract.Assert( !(obj is IPermission), "IPermission should be xml deserialized" );
Contract.Assert( !(obj is PermissionSet), "PermissionSet should be xml deserialized" );
return obj;
}
}
internal PermissionList RemovePermissionList(PermissionToken permToken)
{
if (permToken.m_isUnrestricted)
return (PermissionList)m_unrestrictedPermSet.RemoveItem(permToken.m_index);
else
return (PermissionList)m_normalPermSet.RemoveItem(permToken.m_index);
}
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
{
if (pSet != null)
{
pSet.CheckDecoded(demand, permToken);
CodeAccessPermission asserted = (CodeAccessPermission)pSet.GetPermission((IPermission)demand);
try
{
if (!pSet.IsUnrestricted())
{
if (!demand.CheckAssert(asserted))
{
goto label_6;
}
}
return(false);
}
catch (ArgumentException ex)
{
}
}
label_6:
return(true);
}
internal PermissionToken BuiltInGetToken( int index, IPermission perm, Type cls )
{
PermissionToken token = Volatile.Read(ref m_builtIn[index]);
if (token == null)
{
lock (this)
{
token = m_builtIn[index];
if (token == null)
{
PermissionTokenType permType = PermissionTokenType.DontKnow;
if (perm != null)
{
permType = PermissionTokenType.IUnrestricted;
}
else if (cls != null)
{
permType = PermissionTokenType.IUnrestricted;
}
token = new PermissionToken( index, permType | PermissionTokenType.BuiltIn, null );
Volatile.Write(ref m_builtIn[index], token);
PermissionToken.s_tokenSet.SetItem( token.m_index, token );
}
}
}
if ((token.m_type & PermissionTokenType.DontKnow) != 0)
{
token.m_type = PermissionTokenType.BuiltIn;
if (perm != null)
{
token.m_type |= PermissionTokenType.IUnrestricted;
}
else if (cls != null)
{
token.m_type |= PermissionTokenType.IUnrestricted;
}
else
{
token.m_type |= PermissionTokenType.DontKnow;
}
}
return token;
}
[System.Security.SecurityCritical] // auto-generated
internal static void CheckHelper(CompressedStack cs,
PermissionSet grantedSet,
PermissionSet refusedSet,
CodeAccessPermission demand,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh,
RuntimeAssembly asm,
SecurityAction action)
{
if (cs != null)
cs.CheckDemand(demand, permToken, rmh);
else
CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, (Object)asm, action, true);
}
internal PermissionToken GetToken(Type cls, IPermission perm)
{
Contract.Assert( cls != null, "Must pass in valid type" );
IntPtr typePtr = cls.TypeHandle.Value;
object tok = m_handleTable[typePtr];
if (tok == null)
{
String typeStr = cls.AssemblyQualifiedName;
tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe
if (tok == null)
{
lock (this)
{
if (m_tokenTable != null)
{
tok = m_tokenTable[typeStr]; // Make sure it wasn't just added
}
else
m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer());
if (tok == null)
{
if (perm != null)
{
tok = new PermissionToken( m_index++, PermissionTokenType.IUnrestricted, typeStr );
}
else
{
if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
tok = new PermissionToken( m_index++, PermissionTokenType.IUnrestricted, typeStr );
else
tok = new PermissionToken( m_index++, PermissionTokenType.Normal, typeStr );
}
m_tokenTable.Add(typeStr, tok);
m_indexTable.Add(m_index - 1, tok);
PermissionToken.s_tokenSet.SetItem( ((PermissionToken)tok).m_index, tok );
}
if (!m_handleTable.Contains(typePtr))
m_handleTable.Add( typePtr, tok );
}
}
else
{
lock (this)
{
if (!m_handleTable.Contains(typePtr))
m_handleTable.Add( typePtr, tok );
}
}
}
if ((((PermissionToken)tok).m_type & PermissionTokenType.DontKnow) != 0)
{
if (perm != null)
{
Contract.Assert( !(perm is IBuiltInPermission), "This should not be called for built-ins" );
((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
#if FEATURE_CAS_POLICY
((PermissionToken)tok).m_strTypeName = perm.GetType().AssemblyQualifiedName;
#endif // FEATURE_CAS_POLICY
}
else
{
Contract.Assert( cls.GetInterface( "System.Security.Permissions.IBuiltInPermission" ) == null, "This shoudl not be called for built-ins" );
if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null)
((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted;
else
((PermissionToken)tok).m_type = PermissionTokenType.Normal;
#if FEATURE_CAS_POLICY
((PermissionToken)tok).m_strTypeName = cls.AssemblyQualifiedName;
#endif // FEATURE_CAS_POLICY
}
}
return (PermissionToken)tok;
}
internal PermissionToken GetToken(String typeStr)
{
Object tok = null;
tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe
if (tok == null)
{
lock (this)
{
if (m_tokenTable != null)
{
tok = m_tokenTable[typeStr]; // Make sure it wasn't just added
}
else
m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer());
if (tok == null)
{
tok = new PermissionToken( m_index++, PermissionTokenType.DontKnow, typeStr );
m_tokenTable.Add(typeStr, tok);
m_indexTable.Add(m_index - 1, tok);
PermissionToken.s_tokenSet.SetItem(((PermissionToken)tok).m_index, tok);
}
}
}
return (PermissionToken)tok;
}
public static bool IsTokenProperlyAssigned( IPermission perm, PermissionToken token )
{
PermissionToken heldToken = GetToken( perm );
if (heldToken.m_index != token.m_index)
return false;
if (token.m_type != heldToken.m_type)
return false;
if (perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly() &&
heldToken.m_index >= BuiltInPermissionIndex.NUM_BUILTIN_NORMAL + BuiltInPermissionIndex.NUM_BUILTIN_UNRESTRICTED)
return false;
return true;
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
{
PermissionSet permSet;
// If the demand is null, there is no need to continue
Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");
// decode imperative
if (GetPermitOnly(fDeclarative) != null)
GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
if (GetDenials(fDeclarative) != null)
GetDenials(fDeclarative).CheckDecoded(demand, permToken);
if (GetAssertions(fDeclarative) != null)
GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
// NOTE: See notes about exceptions and exception handling in FrameDescSetHelper
bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
// Check Reduction
try
{
permSet = GetPermitOnly(fDeclarative);
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If the permit only set does not contain the demanded permission, throw a security exception
if (perm == null)
{
if (!permSet.IsUnrestricted())
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
else
{
bool bNeedToThrow = true;
try
{
bNeedToThrow = !demand.CheckPermitOnly(perm);
}
catch (ArgumentException)
{
}
if (bNeedToThrow)
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
// Check Denials
permSet = GetDenials(fDeclarative);
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If an unrestricted set was denied and the demand implements IUnrestricted
if (permSet.IsUnrestricted())
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
// If the deny set does contain the demanded permission, throw a security exception
bool bNeedToThrow = true;
try
{
bNeedToThrow = !demand.CheckDeny(perm);
}
catch (ArgumentException)
{
}
if (bNeedToThrow)
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
if (GetAssertAllPossible())
{
return SecurityRuntime.StackHalt;
}
permSet = GetAssertions(fDeclarative);
// Check Assertions
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If the assert set does contain the demanded permission, halt the stackwalk
try
{
if (permSet.IsUnrestricted() || demand.CheckAssert(perm))
{
return SecurityRuntime.StackHalt;
}
}
catch (ArgumentException)
{
}
}
}
finally
{
if (bThreadSecurity)
SecurityManager._SetThreadSecurity(true);
}
return SecurityRuntime.StackContinue;
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
// imperative security
bool fContinue = CheckDemand2(demand, permToken, rmh, false);
if (fContinue == SecurityRuntime.StackContinue)
{
// declarative security
fContinue = CheckDemand2(demand, permToken, rmh, true);
}
return fContinue;
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken)
{
Exception exception;
bool cont = CheckDemandInternal( demand, permToken, out exception );
if (exception != null)
{
throw exception;
}
return cont;
}
[System.Security.SecurityCritical] // auto-generated
#endif
#pragma warning disable 618
internal static void CheckHelper(Object notUsed,
#pragma warning restore 618
PermissionSet grantedSet,
PermissionSet refusedSet,
CodeAccessPermission demand,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh,
RuntimeAssembly asm,
SecurityAction action)
{
// To reduce the amount of ifdef-code-churn, a dummy arg is used for the first parameter - instead of a CompressedStack object,
// we use a System.Object that should always be null. If we tried to change the signature of the function, there will need to be
// corresponding changes in VM (metasig.h, mscorlib.h, securitystackwalk.cpp, number of elements in the arg array, etc.)
Contract.Assert(notUsed == null, "Should not reach here with a non-null first arg which is the CompressedStack");
CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, (Object)asm, action, true);
}
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken)
{
Exception exception;
CheckDemandInternal( demand, permToken, out exception );
return (exception == null);
}
[System.Security.SecurityCritical] // auto-generated
#pragma warning disable 618
internal static bool CheckHelper(PermissionSet grantedSet,
#pragma warning restore 618
PermissionSet refusedSet,
CodeAccessPermission demand,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh,
Object assemblyOrString,
SecurityAction action,
bool throwException)
{
// We should never get here with a null demand
Contract.Assert(demand != null, "Should not reach here with a null demand");
#if _DEBUG && FEATURE_CAS_POLICY
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Refused: ");
DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif // _DEBUG && FEATURE_CAS_POLICY
if (permToken == null)
permToken = PermissionToken.GetToken(demand);
if (grantedSet != null)
grantedSet.CheckDecoded(permToken.m_index);
if (refusedSet != null)
refusedSet.CheckDecoded(permToken.m_index);
// If PermissionSet is null, then module does not have Permissions... Fail check.
bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
try
{
if (grantedSet == null)
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
else if (!grantedSet.IsUnrestricted())
{
// If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
Contract.Assert(demand != null,"demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// Make sure the demand has been granted
if (!demand.CheckDemand( grantedPerm ))
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
// Make the sure the permission is not refused.
if (refusedSet != null)
{
CodeAccessPermission refusedPerm =
(CodeAccessPermission)refusedSet.GetPermission(permToken);
if (refusedPerm != null)
{
if (!refusedPerm.CheckDeny(demand))
{
#if _DEBUG
if (debug)
DEBUG_OUT( "Permission found in refused set" );
#endif
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
if (refusedSet.IsUnrestricted())
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
}
catch (SecurityException)
{
throw;
}
catch (Exception)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
finally
{
if (bThreadSecurity)
SecurityManager._SetThreadSecurity(true);
}
DEBUG_OUT( "Check passed" );
return true;
}
private static object Deserialize(byte[] blob)
{
if (blob == null)
{
return null;
}
if (blob[0] == 0)
{
SecurityElement topElement = new Parser(blob, Tokenizer.ByteTokenEncoding.UTF8Tokens, 1).GetTopElement();
if (topElement.Tag.Equals("IPermission") || topElement.Tag.Equals("Permission"))
{
IPermission permission = XMLUtil.CreatePermission(topElement, PermissionState.None, false);
if (permission == null)
{
return null;
}
permission.FromXml(topElement);
return permission;
}
if (topElement.Tag.Equals("PermissionSet"))
{
PermissionSet set = new PermissionSet();
set.FromXml(topElement, false, false);
return set;
}
if (topElement.Tag.Equals("PermissionToken"))
{
PermissionToken token = new PermissionToken();
token.FromXml(topElement);
return token;
}
return null;
}
using (MemoryStream stream = new MemoryStream(blob, 1, blob.Length - 1))
{
return CrossAppDomainSerializer.DeserializeObject(stream);
}
}
internal static extern FrameSecurityDescriptor CheckNReturnSO(PermissionToken permToken,
CodeAccessPermission demand,
ref StackCrawlMark stackMark,
int create );
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken)
{
return(CodeAccessSecurityEngine.CheckHelper(this.GrantSet, this.RefusedSet, demand, permToken, RuntimeMethodHandleInternal.EmptyHandle, (object)null, SecurityAction.Demand, false));
}
public static bool IsTokenProperlyAssigned(IPermission perm, PermissionToken token)
{
PermissionToken token2 = GetToken(perm);
if (token2.m_index != token.m_index)
{
return false;
}
if (token.m_type != token2.m_type)
{
return false;
}
if ((perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly()) && (token2.m_index >= 0x11))
{
return false;
}
return true;
}
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken)
{
if (m_zoneList != null)
zoneList.AddRange(m_zoneList);
if (m_originList != null)
originList.AddRange(m_originList);
}
internal PermissionList FindPermissionList(PermissionToken permToken)
{
BCLDebug.Assert(permToken != null, "permToken != null");
return FindPermissionList(permToken.m_index, permToken.m_isUnrestricted);
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative)
{
PermissionSet permSet;
// If the demand is null, there is no need to continue
Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point");
// decode imperative
if (GetPermitOnly(fDeclarative) != null)
{
GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken);
}
if (GetDenials(fDeclarative) != null)
{
GetDenials(fDeclarative).CheckDecoded(demand, permToken);
}
if (GetAssertions(fDeclarative) != null)
{
GetAssertions(fDeclarative).CheckDecoded(demand, permToken);
}
// NOTE: See notes about exceptions and exception handling in FrameDescSetHelper
bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
// Check Reduction
try
{
permSet = GetPermitOnly(fDeclarative);
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If the permit only set does not contain the demanded permission, throw a security exception
if (perm == null)
{
if (!permSet.IsUnrestricted())
{
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
else
{
bool bNeedToThrow = true;
try
{
bNeedToThrow = !demand.CheckPermitOnly(perm);
}
catch (ArgumentException)
{
}
if (bNeedToThrow)
{
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
}
// Check Denials
permSet = GetDenials(fDeclarative);
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If an unrestricted set was denied and the demand implements IUnrestricted
if (permSet.IsUnrestricted())
{
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
// If the deny set does contain the demanded permission, throw a security exception
bool bNeedToThrow = true;
try
{
bNeedToThrow = !demand.CheckDeny(perm);
}
catch (ArgumentException)
{
}
if (bNeedToThrow)
{
throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand);
}
}
if (GetAssertAllPossible())
{
return(SecurityRuntime.StackHalt);
}
permSet = GetAssertions(fDeclarative);
// Check Assertions
if (permSet != null)
{
CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand);
// If the assert set does contain the demanded permission, halt the stackwalk
try
{
if (permSet.IsUnrestricted() || demand.CheckAssert(perm))
{
return(SecurityRuntime.StackHalt);
}
}
catch (ArgumentException)
{
}
}
}
finally
{
if (bThreadSecurity)
{
SecurityManager._SetThreadSecurity(true);
}
}
return(SecurityRuntime.StackContinue);
}
private PermissionList GetListForToken(PermissionToken permToken, bool create)
{
TokenBasedSet permSet;
BCLDebug.Assert(permToken != null, "permToken != null");
if (permToken.m_isUnrestricted)
permSet = m_unrestrictedPermSet;
else
permSet = m_normalPermSet;
PermissionList plist = (PermissionList)permSet.GetItem(permToken.m_index);
if (plist == null && create)
{
plist = new PermissionList();
permSet.SetItem(permToken.m_index, plist);
}
return plist;
}
// static default constructor. This will be called before any of the static members are accessed.
static CodeAccessSecurityEngine()
{
AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion);
AssertPermissionToken = PermissionToken.GetToken(AssertPermission);
}
private static bool CheckDynamicMethodHelper(DynamicResolver dynamicResolver, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
CompressedStack securityContext = dynamicResolver.GetSecurityContext();
try
{
return(securityContext.CheckDemandNoHalt((CodeAccessPermission)demandIn, permToken, rmh));
}
catch (SecurityException ex)
{
throw new SecurityException(Environment.GetResourceString("Security_AnonymouslyHostedDynamicMethodCheckFailed"), (Exception)ex);
}
}
