// // API for PermissionSets // public virtual void Assert(PermissionSet permSet, ref StackCrawlMark stackMark) { // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission // you need to change the fourth parameter to a zero. FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO( CodeAccessSecurityEngine.AssertPermissionToken, CodeAccessSecurityEngine.AssertPermission, ref stackMark, 1, 1); BCLDebug.Assert(secObj != null || !SecurityManager.SecurityEnabled, "Failure in SecurityRuntime.Assert() - secObj != null"); if (secObj == null) { if (SecurityManager.SecurityEnabled) { // Security: REQ_SQ flag is missing. Bad compiler ? throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } } else { if (secObj.GetAssertions() != null) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetAssert(permSet); } }
[System.Security.SecurityCritical] // auto-generated internal static void Assert(CodeAccessPermission cap, ref StackCrawlMark stackMark) { // Make sure the caller of assert has the permission to assert //WARNING: The placement of the call here is just right to check // the appropriate frame. // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission // you need to change the last parameter to a zero. Contract.Assert(AssertPermissionToken != null && AssertPermission != null, "Assert Permission not setup correctly"); FrameSecurityDescriptor secObj = CheckNReturnSO(AssertPermissionToken, AssertPermission, ref stackMark, 1); if (secObj == null) { // Security: REQ_SQ flag is missing. Bad compiler ? // This can happen when you create delegates over functions that need the REQ_SQ System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } else { if (secObj.HasImperativeAsserts()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetAssert(cap); } }
[System.Security.SecurityCritical] // auto-generated private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc, PermissionSet demandSet, out PermissionSet alteredDemandSet, RuntimeMethodHandleInternal rmh) { return(secDesc.CheckSetDemand(demandSet, out alteredDemandSet, rmh)); }
[System.Security.SecurityCritical] // auto-generated internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark) { // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission // you need to change the fourth parameter to a zero. FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO( CodeAccessSecurityEngine.AssertPermissionToken, CodeAccessSecurityEngine.AssertPermission, ref stackMark, 1); Contract.Assert(secObj != null, "Failure in SecurityRuntime.Assert() - secObj != null"); if (secObj == null) { // Security: REQ_SQ flag is missing. Bad compiler ? System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } else { if (secObj.HasImperativeAsserts()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetAssert(permSet); } }
[System.Security.SecurityCritical] // auto-generated private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { return(secDesc.CheckDemand((CodeAccessPermission)demandIn, permToken, rmh)); }
[System.Security.SecurityCritical] // auto-generated internal static void Deny(PermissionSet permSet, ref StackCrawlMark stackMark) { #if FEATURE_CAS_POLICY // Deny is only valid in legacy mode if (!AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled) { throw new NotSupportedException(Environment.GetResourceString("NotSupported_CasDeny")); } #endif // FEATURE_CAS_POLICY FrameSecurityDescriptor secObj = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true); Contract.Assert(secObj != null, "Failure in SecurityRuntime.Deny() - secObj != null"); if (secObj == null) { // Security: REQ_SQ flag is missing. Bad compiler ? System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } else { if (secObj.HasImperativeDenials()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetDeny(permSet); } }
[System.Security.SecurityCritical] // auto-generated private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc, PermissionSet demandSet, out PermissionSet alteredDemandSet, RuntimeMethodHandleInternal rmh) { return secDesc.CheckSetDemand(demandSet, out alteredDemandSet, rmh); }
[System.Security.SecurityCritical] // auto-generated internal static void Deny(CodeAccessPermission cap, ref StackCrawlMark stackMark) { #if FEATURE_CAS_POLICY // Deny is only valid in legacy mode if (!AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled) { throw new NotSupportedException(Environment.GetResourceString("NotSupported_CasDeny")); } #endif // FEATURE_CAS_POLICY FrameSecurityDescriptor secObj = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true); if (secObj == null) { // Security: REQ_SQ flag is missing. Bad compiler ? // This can happen when you create delegates over functions that need the REQ_SQ System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } else { if (secObj.HasImperativeDenials()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetDeny(cap); } }
internal virtual void Assert(CodeAccessPermission cap, ref StackCrawlMark stackMark) { // Make sure the caller of assert has the permission to assert //WARNING: The placement of the call here is just right to check // the appropriate frame. // Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission // you need to change the last parameter to a zero. FrameSecurityDescriptor secObj = CheckNReturnSO(AssertPermissionToken, AssertPermission, ref stackMark, 1, 1); if (secObj == null) { if (SecurityManager.SecurityEnabled) { // Security: REQ_SQ flag is missing. Bad compiler ? // This can happen when you create delegates over functions that need the REQ_SQ throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } } else { if (secObj.GetAssertions() != null) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } secObj.SetAssert(cap); } }
[System.Security.SecurityCritical] // auto-generated private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { return secDesc.CheckDemand((CodeAccessPermission) demandIn, permToken, rmh); }
internal void RevertPermitOnly() { if (this.HasImperativeRestrictions()) { FrameSecurityDescriptor.DecrementOverridesCount(); this.m_restriction = null; } }
internal void RevertDeny() { if (this.HasImperativeDenials()) { FrameSecurityDescriptor.DecrementOverridesCount(); this.m_denials = null; } }
internal void RevertAssertAllPossible() { if (this.m_assertAllPossible) { this.m_assertAllPossible = false; FrameSecurityDescriptor.DecrementAssertCount(); } }
// Returns the number of negative overrides(deny/permitonly) in this secDesc private static int OverridesHelper(FrameSecurityDescriptor secDesc) { // check imperative int count = OverridesHelper2(secDesc, false); // add declarative count += OverridesHelper2(secDesc, true); return(count); }
internal void RevertPermitOnly() { if (!this.HasImperativeRestrictions()) { return; } FrameSecurityDescriptor.DecrementOverridesCount(); this.m_restriction = (PermissionSet)null; }
internal void RevertDeny() { if (!this.HasImperativeDenials()) { return; } FrameSecurityDescriptor.DecrementOverridesCount(); this.m_denials = (PermissionSet)null; }
// Returns the number of negative overrides(deny/permitonly) in this secDesc private static int OverridesHelper(FrameSecurityDescriptor secDesc) { // check imperative int count = OverridesHelper2(secDesc, false); // add declarative count += OverridesHelper2(secDesc, true); return count; }
internal static void RevertAll(ref StackCrawlMark stackMark) { FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, false); if (securityObjectForFrame == null) { throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } securityObjectForFrame.RevertAll(); }
private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { bool flag = this.Update2(currentTriple, fsd, false); if (!flag) { flag = this.Update2(currentTriple, fsd, true); } return(flag); }
static bool StackCompressWalkHelper(PermissionListSet compressedStack, bool skipGrants, PermissionSet grantedPerms, PermissionSet deniedPerms, FrameSecurityDescriptor frameInfo) { if (!skipGrants) { if (!compressedStack.AppendPermissions(grantedPerms, PermissionList.MatchChecked)) { return(false); } if (deniedPerms != null && !compressedStack.AppendPermissions(deniedPerms, PermissionList.MatchDeny)) { return(false); } } if (frameInfo != null) { PermissionSet set = frameInfo.GetPermitOnly(); if (set != null) { if (!compressedStack.AppendPermissions(set, PermissionList.MatchPermitOnly)) { return(false); } } set = frameInfo.GetDenials(); if (set != null) { if (!compressedStack.AppendPermissions(set, PermissionList.MatchDeny)) { return(false); } } set = frameInfo.GetAssertions(); if (set != null) { if (!compressedStack.AppendPermissions(set, PermissionList.MatchAssert)) { return(false); } } } return(true); }
private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { // check imperative bool fHalt = Update2(currentTriple, fsd, false); if (!fHalt) { // then declarative fHalt = Update2(currentTriple, fsd, true); } return(fHalt); }
[System.Security.SecurityCritical] // auto-generated internal static void RevertPermitOnly(ref StackCrawlMark stackMark) { FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false); if (secObj != null) { secObj.RevertPermitOnly(); } else { throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } }
internal static void RevertAll(ref StackCrawlMark stackMark) { FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false); if (secObj != null) { secObj.RevertAll(); } else if (SecurityManager._IsSecurityOn()) { throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } }
// Returns the number of negative overrides(deny/permitonly) in this secDesc private static int OverridesHelper(FrameSecurityDescriptor secDesc) { PermissionSet permSet; int count = 0; permSet = secDesc.GetPermitOnly(); if (permSet != null) count++; permSet = secDesc.GetDenials(); if (permSet != null) count++; return count; }
internal void RevertAssert() { if (this.m_assertions != null) { this.m_assertions = null; FrameSecurityDescriptor.DecrementAssertCount(); } if (this.m_DeclarativeAssertions != null) { this.m_AssertFT = this.m_DeclarativeAssertions.IsUnrestricted(); return; } this.m_AssertFT = false; }
private static int OverridesHelper2(FrameSecurityDescriptor secDesc, bool fDeclarative) { int num = 0; if (secDesc.GetPermitOnly(fDeclarative) != null) { num++; } if (secDesc.GetDenials(fDeclarative) != null) { num++; } return(num); }
[System.Security.SecurityCritical] // auto-generated internal static void RevertAll(ref StackCrawlMark stackMark) { #if FEATURE_CAS_POLICY FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false); if (secObj != null) { secObj.RevertAll(); } else { throw new InvalidOperationException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } #endif // FEATURE_CAS_POLICY }
private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative) { PermissionSet denials = fsd.GetDenials(fDeclarative); if (denials != null) { currentTriple.UpdateRefused(denials); } PermissionSet permitOnly = fsd.GetPermitOnly(fDeclarative); if (permitOnly != null) { currentTriple.UpdateGrant(permitOnly); } if (fsd.GetAssertAllPossible()) { if (currentTriple.GrantSet == null) { currentTriple.GrantSet = PermissionSet.s_fullTrust; } this.UpdateTripleListAndCreateNewTriple(currentTriple, this.m_permSetTriples); currentTriple.GrantSet = PermissionSet.s_fullTrust; currentTriple.UpdateAssert(fsd.GetAssertions(fDeclarative)); return(true); } PermissionSet assertions = fsd.GetAssertions(fDeclarative); if (assertions != null) { if (assertions.IsUnrestricted()) { if (currentTriple.GrantSet == null) { currentTriple.GrantSet = PermissionSet.s_fullTrust; } this.UpdateTripleListAndCreateNewTriple(currentTriple, this.m_permSetTriples); currentTriple.GrantSet = PermissionSet.s_fullTrust; currentTriple.UpdateAssert(assertions); return(true); } PermissionSetTriple permissionSetTriple = currentTriple.UpdateAssert(assertions); if (permissionSetTriple != null) { this.EnsureTriplesListCreated(); this.m_permSetTriples.Add((object)permissionSetTriple); } } return(false); }
internal static void PermitOnly(PermissionSet permSet, ref StackCrawlMark stackMark) { FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true); if (securityObjectForFrame == null) { Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); return; } if (securityObjectForFrame.HasImperativeRestrictions()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } securityObjectForFrame.SetPermitOnly(permSet); }
public virtual void RevertAll(ref StackCrawlMark stackMark) { FrameSecurityDescriptor secObj = GetSecurityObjectForFrame(ref stackMark, false); if (secObj != null) { secObj = secObj.Copy(); secObj.RevertAll(); SetSecurityObjectForFrame(ref stackMark, secObj); } else if (SecurityManager.SecurityEnabled) { throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); } }
internal static void AssertAllPossible(ref StackCrawlMark stackMark) { FrameSecurityDescriptor securityObjectForFrame = SecurityRuntime.GetSecurityObjectForFrame(ref stackMark, true); if (securityObjectForFrame == null) { Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); return; } if (securityObjectForFrame.GetAssertAllPossible()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } securityObjectForFrame.SetAssertAllPossible(); }
internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark) { FrameSecurityDescriptor frameSecurityDescriptor = CodeAccessSecurityEngine.CheckNReturnSO(CodeAccessSecurityEngine.AssertPermissionToken, CodeAccessSecurityEngine.AssertPermission, ref stackMark, 1); if (frameSecurityDescriptor == null) { Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor")); return; } if (frameSecurityDescriptor.HasImperativeAsserts()) { throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride")); } frameSecurityDescriptor.SetAssert(permSet); }
private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { FrameSecurityDescriptorWithResolver fsdWithResolver = fsd as FrameSecurityDescriptorWithResolver; if (fsdWithResolver != null) { return(this.Update2(currentTriple, fsdWithResolver)); } bool flag = this.Update2(currentTriple, fsd, false); if (!flag) { flag = this.Update2(currentTriple, fsd, true); } return(flag); }
internal FrameSecurityDescriptor Copy() { FrameSecurityDescriptor desc = new FrameSecurityDescriptor(); if (this.m_assertions != null) desc.m_assertions = this.m_assertions.Copy(); if (this.m_denials != null) desc.m_denials = this.m_denials.Copy(); if (this.m_restriction != null) desc.m_restriction = this.m_restriction.Copy(); desc.m_assertAllPossible = this.m_assertAllPossible; return desc; }
internal WindowsImpersonationContext(SafeTokenHandle safeTokenHandle, WindowsIdentity wi, bool isImpersonating, FrameSecurityDescriptor fsd) { this.m_safeTokenHandle = SafeTokenHandle.InvalidHandle; if (safeTokenHandle.IsInvalid) { throw new ArgumentException(Environment.GetResourceString("Argument_InvalidImpersonationToken")); } if (isImpersonating) { if (!Win32Native.DuplicateHandle(Win32Native.GetCurrentProcess(), safeTokenHandle, Win32Native.GetCurrentProcess(), ref this.m_safeTokenHandle, 0, true, 2)) { throw new SecurityException(Win32Native.GetMessage(Marshal.GetLastWin32Error())); } this.m_wi = wi; } this.m_fsd = fsd; }
// Returns the number of negative overrides(deny/permitonly) in this secDesc private static int OverridesHelper(FrameSecurityDescriptor secDesc) { PermissionSet permSet; int count = 0; permSet = secDesc.GetPermitOnly(); if (permSet != null) { count++; } permSet = secDesc.GetDenials(); if (permSet != null) { count++; } return(count); }
internal static extern bool GetDescriptorInfo(IntPtr dcs, int index, out PermissionSet granted, out PermissionSet refused, out Assembly assembly, out FrameSecurityDescriptor fsd);
private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demand, PermissionToken permToken) { PermissionSet permSet; // If the demand is null, there is no need to continue if (demand == null || demand.IsSubsetOf( null )) return StackHalt; // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper // Check Reduction try { permSet = secDesc.GetPermitOnly(); if (permSet != null) { IPermission perm = permSet.GetPermission(demand); #if _DEBUG if (debug) { DEBUG_OUT("Checking PermitOnly"); DEBUG_OUT("permit only set =\n" + permSet.ToXml().ToString() ); DEBUG_OUT("demand =\n" + ((CodeAccessPermission)demand).ToXml().ToString() ); } #endif // If the permit only set does not contain the demanded permission, throw a security exception if (perm == null) { if(!(demand is IUnrestrictedPermission && permSet.IsUnrestricted())) throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } else { if (!demand.IsSubsetOf( perm )) throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } catch (Exception) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } // Check Denials try { permSet = secDesc.GetDenials(); if (permSet != null) { #if _DEBUG if (debug) { DEBUG_OUT("Checking Denials"); DEBUG_OUT("denied set =\n" + permSet.ToXml().ToString() ); } #endif IPermission perm = permSet.GetPermission(demand); // If the deny set does contain the demanded permission, throw a security exception if ((perm != null && perm.Intersect( demand ) != null) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted())) throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } catch (Exception) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } if (secDesc.GetAssertAllPossible()) { return StackHalt; } try { permSet = secDesc.GetAssertions(); // Check Assertions if (permSet != null) { #if _DEBUG if (debug) DEBUG_OUT("Checking Assertions"); #endif IPermission perm = permSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk if ((perm != null && (demand.IsSubsetOf( perm )) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted()))) { #if _DEBUG if (debug) DEBUG_OUT("Assert halting stackwalk"); #endif return StackHalt; } } } catch (Exception) { } return StackContinue; }
[System.Security.SecurityCritical] // auto-generated private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative) { // Deny PermissionSet deniedPset = fsd.GetDenials(fDeclarative); if (deniedPset != null) { currentTriple.UpdateRefused(deniedPset); } // permit only PermissionSet permitOnlyPset = fsd.GetPermitOnly(fDeclarative); if (permitOnlyPset != null) { currentTriple.UpdateGrant(permitOnlyPset); } // Assert all possible if (fsd.GetAssertAllPossible()) { // If we have no grant set, it means that the only assembly we've seen on the stack so // far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the // compressed stack is also FullTrust. if (currentTriple.GrantSet == null) currentTriple.GrantSet = PermissionSet.s_fullTrust; return true; // halt the construction } // Assert PermissionSet assertPset = fsd.GetAssertions(fDeclarative); if (assertPset != null) { if (assertPset.IsUnrestricted()) { // If we have no grant set, it means that the only assembly we've seen on the stack so // far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the // compressed stack is also FullTrust. if (currentTriple.GrantSet == null) currentTriple.GrantSet = PermissionSet.s_fullTrust; return true; // halt the construction } PermissionSetTriple retTriple = currentTriple.UpdateAssert(assertPset); if (retTriple != null) { EnsureTriplesListCreated(); m_permSetTriples.Add(retTriple); } } return false; }
[System.Security.SecurityCritical] // auto-generated private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { // check imperative bool fHalt = Update2(currentTriple, fsd, false); if (!fHalt) { // then declarative fHalt = Update2(currentTriple, fsd, true); } return fHalt; }
private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative) { // Deny PermissionSet deniedPset = fsd.GetDenials(fDeclarative); if (deniedPset != null) { currentTriple.UpdateRefused(deniedPset); } // permit only PermissionSet permitOnlyPset = fsd.GetPermitOnly(fDeclarative); if (permitOnlyPset != null) { currentTriple.UpdateGrant(permitOnlyPset); } // Assert all possible if (fsd.GetAssertAllPossible()) return true; // halt the construction // Assert PermissionSet assertPset = fsd.GetAssertions(fDeclarative); if (assertPset != null) { if (assertPset.IsUnrestricted()) return true; // halt the construction PermissionSetTriple retTriple = currentTriple.UpdateAssert(assertPset); if (retTriple != null) { EnsureTriplesListCreated(); m_permSetTriples.Add(retTriple); } } return false; }
private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { bool flag = this.Update2(currentTriple, fsd, false); if (!flag) { flag = this.Update2(currentTriple, fsd, true); } return flag; }
private static int OverridesHelper2(FrameSecurityDescriptor secDesc, bool fDeclarative) { int num = 0; if (secDesc.GetPermitOnly(fDeclarative) != null) { num++; } if (secDesc.GetDenials(fDeclarative) != null) { num++; } return num; }
private static int OverridesHelper(FrameSecurityDescriptor secDesc) { return (OverridesHelper2(secDesc, false) + OverridesHelper2(secDesc, true)); }
void SetSecurityObjectForFrame(ref StackCrawlMark stackMark, FrameSecurityDescriptor desc);
private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative) { PermissionSet denials = fsd.GetDenials(fDeclarative); if (denials != null) { currentTriple.UpdateRefused(denials); } PermissionSet permitOnly = fsd.GetPermitOnly(fDeclarative); if (permitOnly != null) { currentTriple.UpdateGrant(permitOnly); } if (fsd.GetAssertAllPossible()) { if (currentTriple.GrantSet == null) { currentTriple.GrantSet = PermissionSet.s_fullTrust; } return true; } PermissionSet assertions = fsd.GetAssertions(fDeclarative); if (assertions != null) { if (assertions.IsUnrestricted()) { if (currentTriple.GrantSet == null) { currentTriple.GrantSet = PermissionSet.s_fullTrust; } return true; } PermissionSetTriple triple = currentTriple.UpdateAssert(assertions); if (triple != null) { this.EnsureTriplesListCreated(); this.m_permSetTriples.Add(triple); } } return false; }
private static bool FrameDescSetHelper(FrameSecurityDescriptor secDesc, PermissionSet demandSet, out PermissionSet alteredDemandSet) { PermissionSet permSet; // In the common case we are not going to alter the demand set, so just to // be safe we'll set it to null up front. // There's some oddness in here to deal with exceptions. The general idea behind // this is that we need some way of dealing with custom permissions that may not // handle all possible scenarios of Union(), Intersect(), and IsSubsetOf() properly // (they don't support it, throw null reference exceptions, etc.). alteredDemandSet = null; // An empty demand always succeeds. if (demandSet == null || demandSet.IsEmpty()) return StackHalt; // In the case of permit only, we define an exception to be failure of the check // and therefore we throw a security exception. try { permSet = secDesc.GetPermitOnly(); if (permSet != null) { if (!demandSet.IsSubsetOf(permSet)) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } } } catch (Exception) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } // In the case of denial, we define an exception to be failure of the check // and therefore we throw a security exception. try { permSet = secDesc.GetDenials(); #if _DEBUG if (debug) { DEBUG_OUT("Checking Denials"); DEBUG_OUT("denials set =\n" + permSet.ToXml().ToString() ); DEBUG_OUT("demandSet =\n" + demandSet.ToXml().ToString() ); } #endif if (permSet != null) { PermissionSet intersection = demandSet.Intersect(permSet); if (intersection != null && !intersection.IsEmpty()) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } } } catch (Exception) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } // The assert case is more complex. Since asserts have the ability to "bleed through" // (where part of a demand is handled by an assertion, but the rest is passed on to // continue the stackwalk), we need to be more careful in handling the "failure" case. // Therefore, if an exception is thrown in performing any operation, we make sure to keep // that permission in the demand set thereby continuing the demand for that permission // walking down the stack. if (secDesc.GetAssertAllPossible()) { return StackHalt; } permSet = secDesc.GetAssertions(); if (permSet != null) { // If this frame asserts a superset of the demand set we're done try { if (demandSet.IsSubsetOf( permSet )) return StackHalt; } catch (Exception) { } // Determine whether any of the demand set asserted. We do this by // copying the demand set and removing anything in it that is asserted. if (!permSet.IsUnrestricted()) { PermissionSetEnumerator enumerator = (PermissionSetEnumerator)demandSet.GetEnumerator(); while (enumerator.MoveNext()) { IPermission perm = (IPermission)enumerator.Current; int i = enumerator.GetCurrentIndex(); if (perm != null) { bool unrestricted = perm is System.Security.Permissions.IUnrestrictedPermission; IPermission assertPerm = (IPermission)permSet.GetPermission(i, unrestricted); bool removeFromAlteredDemand = false; try { removeFromAlteredDemand = perm.IsSubsetOf(assertPerm); } catch (Exception) { } if (removeFromAlteredDemand) { if (alteredDemandSet == null) alteredDemandSet = demandSet.Copy(); alteredDemandSet.RemovePermission(i, unrestricted); } } } } } return StackContinue; }
[System.Security.SecurityCritical] // auto-generated private bool Update(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd) { #if FEATURE_COMPRESSEDSTACK FrameSecurityDescriptorWithResolver fsdWithResolver = fsd as FrameSecurityDescriptorWithResolver; if (fsdWithResolver != null) { return Update2(currentTriple, fsdWithResolver); } #endif // FEATURE_COMPRESSEDSTACK // check imperative bool fHalt = Update2(currentTriple, fsd, false); if (!fHalt) { // then declarative fHalt = Update2(currentTriple, fsd, true); } return fHalt; }
static bool StackCompressWalkHelper(PermissionListSet compressedStack, bool skipGrants, PermissionSet grantedPerms, PermissionSet deniedPerms, FrameSecurityDescriptor frameInfo) { if (!skipGrants) { if (!compressedStack.AppendPermissions(grantedPerms, PermissionList.MatchChecked)) return false; if (deniedPerms != null && !compressedStack.AppendPermissions(deniedPerms, PermissionList.MatchDeny)) return false; } if (frameInfo != null) { PermissionSet set = frameInfo.GetPermitOnly(); if (set != null) { if (!compressedStack.AppendPermissions( set, PermissionList.MatchPermitOnly )) return false; } set = frameInfo.GetDenials(); if (set != null) { if (!compressedStack.AppendPermissions( set, PermissionList.MatchDeny )) return false; } set = frameInfo.GetAssertions(); if (set != null) { if (!compressedStack.AppendPermissions( set, PermissionList.MatchAssert )) return false; } } return true; }