private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { if (executionSecurityPermission == null) { executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } PermissionSet other = null; Exception exception = null; PermissionSet set2 = optPset; if (reqdPset == null) { other = set2; } else { other = (set2 == null) ? null : reqdPset.Union(set2); } if ((other != null) && !other.IsUnrestricted()) { other.AddPermission(executionSecurityPermission); } if (evidence == null) { evidence = new Evidence(); } PermissionSet target = polmgr.Resolve(evidence); if (other != null) { target.InplaceIntersect(other); } if (checkExecutionPermission && (!target.Contains(executionSecurityPermission) || ((denyPset != null) && denyPset.Contains(executionSecurityPermission)))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception); } if ((reqdPset != null) && !reqdPset.IsSubsetOf(target)) { throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception); } if (denyPset != null) { denied = denyPset.Copy(); target.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = null; } } else { denied = null; } target.IgnoreTypeLoadFailures = true; return(target); }
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { if (SecurityManager.executionSecurityPermission == null) { SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } Exception exception = null; PermissionSet permissionSet; if (reqdPset == null) { permissionSet = optPset; } else { permissionSet = ((optPset == null) ? null : reqdPset.Union(optPset)); } if (permissionSet != null && !permissionSet.IsUnrestricted()) { permissionSet.AddPermission(SecurityManager.executionSecurityPermission); } if (evidence == null) { evidence = new Evidence(); } PermissionSet permissionSet2 = SecurityManager.polmgr.Resolve(evidence); if (permissionSet != null) { permissionSet2.InplaceIntersect(permissionSet); } if (checkExecutionPermission && (!permissionSet2.Contains(SecurityManager.executionSecurityPermission) || (denyPset != null && denyPset.Contains(SecurityManager.executionSecurityPermission)))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception); } if (reqdPset != null && !reqdPset.IsSubsetOf(permissionSet2)) { throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception); } if (denyPset != null) { denied = denyPset.Copy(); permissionSet2.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = null; } } else { denied = null; } permissionSet2.IgnoreTypeLoadFailures = true; return(permissionSet2); }
public static bool IsGranted(IPermission perm) { if (perm == null) { return(true); } PermissionSet permissionSet = null; PermissionSet permissionSet2 = null; StackCrawlMark stackCrawlMark = StackCrawlMark.LookForMyCaller; SecurityManager.GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref permissionSet), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref permissionSet2), JitHelpers.GetStackCrawlMarkHandle(ref stackCrawlMark)); return(permissionSet.Contains(perm) && (permissionSet2 == null || !permissionSet2.Contains(perm))); }
public static bool IsGranted(IPermission perm) { if (perm == null) { return(true); } PermissionSet granted = null, denied = null; StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack(ref granted), JitHelpers.GetObjectHandleOnStack(ref denied), JitHelpers.GetStackCrawlMarkHandle(ref stackMark)); return(granted.Contains(perm) && (denied == null || !denied.Contains(perm))); }
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { if (SecurityManager.executionSecurityPermission == null) { SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } Exception exception = (Exception)null; PermissionSet other1 = optPset; PermissionSet other2 = reqdPset != null ? (other1 == null ? (PermissionSet)null : reqdPset.Union(other1)) : other1; if (other2 != null && !other2.IsUnrestricted()) { other2.AddPermission((IPermission)SecurityManager.executionSecurityPermission); } if (evidence == null) { evidence = new Evidence(); } PermissionSet target = SecurityManager.polmgr.Resolve(evidence); if (other2 != null) { target.InplaceIntersect(other2); } if (checkExecutionPermission && (!target.Contains((IPermission)SecurityManager.executionSecurityPermission) || denyPset != null && denyPset.Contains((IPermission)SecurityManager.executionSecurityPermission))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception); } if (reqdPset != null && !reqdPset.IsSubsetOf(target)) { throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception); } if (denyPset != null) { denied = denyPset.Copy(); target.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = (PermissionSet)null; } } else { denied = (PermissionSet)null; } target.IgnoreTypeLoadFailures = true; return(target); }
public static bool IsGranted(IPermission perm) { if (perm != null) { PermissionSet o = null; PermissionSet set2 = null; StackCrawlMark lookForMyCaller = StackCrawlMark.LookForMyCaller; GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref set2), JitHelpers.GetStackCrawlMarkHandle(ref lookForMyCaller)); if (!o.Contains(perm)) { return(false); } if (set2 != null) { return(!set2.Contains(perm)); } } return(true); }
public static bool IsGranted(IPermission perm) { if (perm == null) { return(true); } PermissionSet o1 = (PermissionSet)null; PermissionSet o2 = (PermissionSet)null; StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; SecurityManager.GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o1), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o2), JitHelpers.GetStackCrawlMarkHandle(ref stackMark)); if (!o1.Contains(perm)) { return(false); } if (o2 != null) { return(!o2.Contains(perm)); } return(true); }
[System.Security.SecurityCritical] // auto-generated static private PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled); if (executionSecurityPermission == null) { executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } PermissionSet requested = null; PermissionSet optional; PermissionSet allowed; Exception savedException = null; // We don't want to recurse back into here as a result of a // stackwalk during resolution. So simply assert full trust (this // implies that custom permissions cannot use any permissions that // don't implement IUnrestrictedPermission. // PermissionSet.s_fullTrust.Assert(); // The requested set is the union of the minimal request and the // optional request. Minimal request defaults to empty, optional // is "AllPossible" (includes any permission that can be defined) // which is symbolized by null. optional = optPset; if (reqdPset == null) { requested = optional; } else { // If optional is null, the requested set becomes null/"AllPossible". requested = optional == null ? null : reqdPset.Union(optional); } // Make sure that the right to execute is requested (if this feature is // enabled). if (requested != null && !requested.IsUnrestricted()) { requested.AddPermission(executionSecurityPermission); } // If we aren't passed any evidence, just make an empty object if (evidence == null) { evidence = new Evidence(); } allowed = polmgr.Resolve(evidence); // Intersect the grant with the RequestOptional if (requested != null) { allowed.InplaceIntersect(requested); } // Check that we were granted the right to execute. if (checkExecutionPermission) { if (!allowed.Contains(executionSecurityPermission) || (denyPset != null && denyPset.Contains(executionSecurityPermission))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), System.__HResults.CORSEC_E_NO_EXEC_PERM, savedException); } } // Check that we were granted at least the minimal set we asked for. Do // this before pruning away any overlap with the refused set so that // users have the flexability of defining minimal permissions that are // only expressable as set differences (e.g. allow access to "C:\" but // disallow "C:\Windows"). if (reqdPset != null && !reqdPset.IsSubsetOf(allowed)) { BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled"); throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), System.__HResults.CORSEC_E_MIN_GRANT_FAIL, savedException); } // Remove any granted permissions that are safe subsets of some denied // permission. The remaining denied permissions (if any) are returned // along with the modified grant set for use in checks. if (denyPset != null) { BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled"); denied = denyPset.Copy(); allowed.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = null; } } else { denied = null; } allowed.IgnoreTypeLoadFailures = true; return(allowed); }
[System.Security.SecurityCritical] // auto-generated static private PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled); if (executionSecurityPermission == null) executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); PermissionSet requested = null; PermissionSet optional; PermissionSet allowed; Exception savedException = null; // We don't want to recurse back into here as a result of a // stackwalk during resolution. So simply assert full trust (this // implies that custom permissions cannot use any permissions that // don't implement IUnrestrictedPermission. // PermissionSet.s_fullTrust.Assert(); // The requested set is the union of the minimal request and the // optional request. Minimal request defaults to empty, optional // is "AllPossible" (includes any permission that can be defined) // which is symbolized by null. optional = optPset; if (reqdPset == null) requested = optional; else // If optional is null, the requested set becomes null/"AllPossible". requested = optional == null ? null : reqdPset.Union(optional); // Make sure that the right to execute is requested (if this feature is // enabled). if (requested != null && !requested.IsUnrestricted()) requested.AddPermission( executionSecurityPermission ); // If we aren't passed any evidence, just make an empty object if (evidence == null) { evidence = new Evidence(); } allowed = polmgr.Resolve(evidence); // Intersect the grant with the RequestOptional if (requested != null) allowed.InplaceIntersect(requested); // Check that we were granted the right to execute. if (checkExecutionPermission) { if (!allowed.Contains(executionSecurityPermission) || (denyPset != null && denyPset.Contains(executionSecurityPermission))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), System.__HResults.CORSEC_E_NO_EXEC_PERM, savedException); } } // Check that we were granted at least the minimal set we asked for. Do // this before pruning away any overlap with the refused set so that // users have the flexability of defining minimal permissions that are // only expressable as set differences (e.g. allow access to "C:\" but // disallow "C:\Windows"). if (reqdPset != null && !reqdPset.IsSubsetOf(allowed)) { BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled"); throw new PolicyException(Environment.GetResourceString( "Policy_NoRequiredPermission" ), System.__HResults.CORSEC_E_MIN_GRANT_FAIL, savedException ); } // Remove any granted permissions that are safe subsets of some denied // permission. The remaining denied permissions (if any) are returned // along with the modified grant set for use in checks. if (denyPset != null) { BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled"); denied = denyPset.Copy(); allowed.MergeDeniedSet(denied); if (denied.IsEmpty()) denied = null; } else denied = null; allowed.IgnoreTypeLoadFailures = true; return allowed; }
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { if (executionSecurityPermission == null) { executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } PermissionSet other = null; Exception exception = null; PermissionSet set2 = optPset; if (reqdPset == null) { other = set2; } else { other = (set2 == null) ? null : reqdPset.Union(set2); } if ((other != null) && !other.IsUnrestricted()) { other.AddPermission(executionSecurityPermission); } if (evidence == null) { evidence = new Evidence(); } PermissionSet target = polmgr.Resolve(evidence); if (other != null) { target.InplaceIntersect(other); } if (checkExecutionPermission && (!target.Contains(executionSecurityPermission) || ((denyPset != null) && denyPset.Contains(executionSecurityPermission)))) { throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception); } if ((reqdPset != null) && !reqdPset.IsSubsetOf(target)) { throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception); } if (denyPset != null) { denied = denyPset.Copy(); target.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = null; } } else { denied = null; } target.IgnoreTypeLoadFailures = true; return target; }
internal static QuickCacheEntryType GenerateQuickCache(PolicyLevel level) { QuickCacheEntryType[] ExecutionMap = new QuickCacheEntryType[] { QuickCacheEntryType.ExecutionZoneMyComputer, QuickCacheEntryType.ExecutionZoneIntranet, QuickCacheEntryType.ExecutionZoneInternet, QuickCacheEntryType.ExecutionZoneTrusted, QuickCacheEntryType.ExecutionZoneUntrusted }; QuickCacheEntryType[] UnmanagedMap = new QuickCacheEntryType[] { QuickCacheEntryType.UnmanagedZoneMyComputer, QuickCacheEntryType.UnmanagedZoneIntranet, QuickCacheEntryType.UnmanagedZoneInternet, QuickCacheEntryType.UnmanagedZoneTrusted, QuickCacheEntryType.UnmanagedZoneUntrusted }; QuickCacheEntryType[] RequestSkipVerificationMap = new QuickCacheEntryType[] { QuickCacheEntryType.RequestSkipVerificationZoneMyComputer, QuickCacheEntryType.RequestSkipVerificationZoneIntranet, QuickCacheEntryType.RequestSkipVerificationZoneInternet, QuickCacheEntryType.RequestSkipVerificationZoneTrusted, QuickCacheEntryType.RequestSkipVerificationZoneUntrusted }; QuickCacheEntryType[] SkipVerificationMap = new QuickCacheEntryType[] { QuickCacheEntryType.SkipVerificationZoneMyComputer, QuickCacheEntryType.SkipVerificationZoneIntranet, QuickCacheEntryType.SkipVerificationZoneInternet, QuickCacheEntryType.SkipVerificationZoneTrusted, QuickCacheEntryType.SkipVerificationZoneUntrusted }; QuickCacheEntryType[] FullTrustMap = new QuickCacheEntryType[] { QuickCacheEntryType.FullTrustZoneMyComputer, QuickCacheEntryType.FullTrustZoneIntranet, QuickCacheEntryType.FullTrustZoneInternet, QuickCacheEntryType.FullTrustZoneTrusted, QuickCacheEntryType.FullTrustZoneUntrusted }; QuickCacheEntryType accumulator = (QuickCacheEntryType)0; SecurityPermission execPerm = new SecurityPermission(SecurityPermissionFlag.Execution); SecurityPermission unmanagedPerm = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); SecurityPermission skipVerifPerm = new SecurityPermission(SecurityPermissionFlag.SkipVerification); Evidence noEvidence = new Evidence(); PermissionSet policy = null; try { policy = level.Resolve(noEvidence).PermissionSet; if (policy.Contains(execPerm)) { accumulator |= QuickCacheEntryType.ExecutionAll; } if (policy.Contains(unmanagedPerm)) { accumulator |= QuickCacheEntryType.UnmanagedAll; } if (policy.Contains(skipVerifPerm)) { accumulator |= QuickCacheEntryType.SkipVerificationAll; } if (policy.IsUnrestricted()) { accumulator |= QuickCacheEntryType.FullTrustAll; } } catch (PolicyException) { } PermissionSet permSet = new PermissionSet(PermissionState.None); permSet.AddPermission(skipVerifPerm); PermissionRequestEvidence permRequest = new PermissionRequestEvidence(permSet, null, null); try { noEvidence.AddHost(permRequest); policy = level.Resolve(noEvidence).PermissionSet; if (policy.Contains(skipVerifPerm)) { accumulator |= QuickCacheEntryType.RequestSkipVerificationAll; } } catch (PolicyException) { } Array zones = Enum.GetValues(typeof(SecurityZone)); for (int i = 0; i < zones.Length; ++i) { if (((SecurityZone)zones.GetValue(i)) == SecurityZone.NoZone) { continue; } Evidence zoneEvidence = new Evidence(); zoneEvidence.AddHost(new Zone((SecurityZone)zones.GetValue(i))); PermissionSet zonePolicy = null; try { zonePolicy = level.Resolve(zoneEvidence).PermissionSet; if (zonePolicy.Contains(execPerm)) { accumulator |= ExecutionMap[i]; } if (zonePolicy.Contains(unmanagedPerm)) { accumulator |= UnmanagedMap[i]; } if (zonePolicy.Contains(skipVerifPerm)) { accumulator |= SkipVerificationMap[i]; } if (zonePolicy.IsUnrestricted()) { accumulator |= FullTrustMap[i]; } } catch (PolicyException) { } zoneEvidence.AddHost(permRequest); try { zonePolicy = level.Resolve(zoneEvidence).PermissionSet; if (zonePolicy.Contains(skipVerifPerm)) { accumulator |= RequestSkipVerificationMap[i]; } } catch (PolicyException) { } } return(accumulator); }