internal static void GetZoneAndOriginHelper(PermissionSet grantSet, PermissionSet deniedSet, ArrayList zoneList, ArrayList originList) { ZoneIdentityPermission zone = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission)); UrlIdentityPermission url = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission)); if (zone != null) { zoneList.Add(zone.SecurityZone); } if (url != null) { originList.Add(url.Url); } }
// note: in 2.0 *all* permissions (including identity permissions) support unrestricted internal static bool IsGranted(Assembly a, IPermission perm) { PermissionSet granted = a.GrantedPermissionSet; if ((granted != null) && !granted.IsUnrestricted()) { CodeAccessPermission grant = (CodeAccessPermission)granted.GetPermission(perm.GetType()); if (!perm.IsSubsetOf(grant)) { return(false); } } PermissionSet denied = a.DeniedPermissionSet; if ((denied != null) && !denied.IsEmpty()) { if (denied.IsUnrestricted()) { return(false); } CodeAccessPermission refuse = (CodeAccessPermission)a.DeniedPermissionSet.GetPermission(perm.GetType()); if ((refuse != null) && perm.IsSubsetOf(refuse)) { return(false); } } return(true); }
internal static bool IsGranted(Assembly a, IPermission perm) { PermissionSet grantedPermissionSet = a.GrantedPermissionSet; if (grantedPermissionSet != null && !grantedPermissionSet.IsUnrestricted()) { CodeAccessPermission target = (CodeAccessPermission)grantedPermissionSet.GetPermission(perm.GetType()); if (!perm.IsSubsetOf(target)) { return(false); } } PermissionSet deniedPermissionSet = a.DeniedPermissionSet; if (deniedPermissionSet != null && !deniedPermissionSet.IsEmpty()) { if (deniedPermissionSet.IsUnrestricted()) { return(false); } CodeAccessPermission codeAccessPermission = (CodeAccessPermission)a.DeniedPermissionSet.GetPermission(perm.GetType()); if (codeAccessPermission != null && perm.IsSubsetOf(codeAccessPermission)) { return(false); } } return(true); }
// Determine if this permission set is a subset of another. public virtual bool IsSubsetOf(PermissionSet target) { // Handle the simple cases first. if (target == null) { return(false); } else if (target.IsUnrestricted()) { return(true); } else if (IsUnrestricted()) { return(false); } // Scan the source permission set and check subset conditions. IPermission other; foreach (IPermission perm in permissions) { other = target.GetPermission(perm.GetType()); if (other == null || !perm.IsSubsetOf(other)) { return(false); } } return(true); }
/// <summary>Determines what permissions to grant to code based on the specified evidence and requests.</summary> /// <returns>The set of permissions that would be granted by the security system.</returns> /// <param name="evidence">The evidence set used to evaluate policy. </param> /// <param name="reqdPset">The required permissions the code needs to run. </param> /// <param name="optPset">The optional permissions that will be used if granted, but aren't required for the code to run. </param> /// <param name="denyPset">The denied permissions that must never be granted to the code even if policy otherwise permits it. </param> /// <param name="denied">An output parameter that contains the set of permissions not granted. </param> /// <exception cref="T:System.Security.Policy.PolicyException">Policy fails to grant the minimum required permissions specified by the <paramref name="reqdPset" /> parameter. </exception> /// <PermissionSet> /// <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="ControlEvidence" /> /// </PermissionSet> public static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied) { PermissionSet permissionSet = SecurityManager.ResolvePolicy(evidence); if (reqdPset != null && !reqdPset.IsSubsetOf(permissionSet)) { throw new PolicyException(Locale.GetText("Policy doesn't grant the minimal permissions required to execute the assembly.")); } if (SecurityManager.CheckExecutionRights) { bool flag = false; if (permissionSet != null) { if (permissionSet.IsUnrestricted()) { flag = true; } else { IPermission permission = permissionSet.GetPermission(typeof(SecurityPermission)); flag = SecurityManager._execution.IsSubsetOf(permission); } } if (!flag) { throw new PolicyException(Locale.GetText("Policy doesn't grant the right to execute the assembly.")); } } denied = denyPset; return(permissionSet); }
internal static IPermission CheckPermissionSet(AppDomain ad, PermissionSet ps) { if ((ps == null) || ps.IsEmpty()) { return(null); } PermissionSet granted = ad.GrantedPermissionSet; if (granted == null) { return(null); } if (granted.IsUnrestricted()) { return(null); } if (ps.IsUnrestricted()) { return(new SecurityPermission(SecurityPermissionFlag.NoFlags)); } foreach (IPermission p in ps) { if (p is CodeAccessPermission) { CodeAccessPermission grant = (CodeAccessPermission)granted.GetPermission(p.GetType()); if (grant == null) { if (!granted.IsUnrestricted() || !(p is IUnrestrictedPermission)) { if (!p.IsSubsetOf(null)) { return(p); } } } else if (!p.IsSubsetOf(grant)) { return(p); } } else { // but non-CAS will throw on failure... try { p.Demand(); } catch (SecurityException) { // ... so we catch return(p); } } } return(null); }
internal void UpdateGrant(PermissionSet in_g, out ZoneIdentityPermission z, out UrlIdentityPermission u) { z = null; u = null; if (in_g != null) { if (this.GrantSet == null) { this.GrantSet = in_g.Copy(); } else { this.GrantSet.InplaceIntersect(in_g); } z = (ZoneIdentityPermission)in_g.GetPermission(this.ZoneToken); u = (UrlIdentityPermission)in_g.GetPermission(this.UrlToken); } }
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList) { if (cs != null) { cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission))); return; } ZoneIdentityPermission zoneIdentityPermission = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission)); UrlIdentityPermission urlIdentityPermission = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission)); if (zoneIdentityPermission != null) { zoneList.Add(zoneIdentityPermission.SecurityZone); } if (urlIdentityPermission != null) { originList.Add(urlIdentityPermission.Url); } }
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList) { if (cs != null) { cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission))); } else { ZoneIdentityPermission identityPermission1 = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission)); UrlIdentityPermission identityPermission2 = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission)); if (identityPermission1 != null) { zoneList.Add((object)identityPermission1.SecurityZone); } if (identityPermission2 == null) { return; } originList.Add((object)identityPermission2.Url); } }
public bool IsSubsetOf(PermissionSet target) { // if target is empty we must be empty too if ((target == null) || (target.IsEmpty())) { return(this.IsEmpty()); } // all permissions support unrestricted in 2.0 if (target.IsUnrestricted()) { return(true); } if (this.IsUnrestricted()) { return(false); } if (this.IsUnrestricted() && ((target == null) || !target.IsUnrestricted())) { return(false); } // if each of our permission is (a) present and (b) a subset of target foreach (IPermission p in list) { // non CAS permissions must be evaluated for unrestricted Type t = p.GetType(); IPermission i = null; if (target.IsUnrestricted() && (p is CodeAccessPermission) && (p is IUnrestrictedPermission)) { i = (IPermission)Activator.CreateInstance(t, psUnrestricted); } else { i = target.GetPermission(t); } if (!p.IsSubsetOf(i)) { return(false); // not a subset (condition b) } } return(true); }
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission asserted = (CodeAccessPermission)pSet.GetPermission(demand); try { if (pSet.IsUnrestricted() || demand.CheckAssert(asserted)) { return(false); } } catch (ArgumentException) { } } return(true); }
internal void InternalIntersect(PermissionSet intersect, PermissionSet a, PermissionSet b, bool unrestricted) { foreach (IPermission p in b.list) { // for every type in both list IPermission i = a.GetPermission(p.GetType()); if (i != null) { // add intersection for this type intersect.AddPermission(p.Intersect(i)); } // unrestricted is possible for indentity permissions else if (unrestricted) { intersect.AddPermission(p); } // or reject! } }
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission asserted = (CodeAccessPermission) pSet.GetPermission(demand); try { if (pSet.IsUnrestricted() || demand.CheckAssert(asserted)) { return false; } } catch (ArgumentException) { } } return true; }
public virtual bool IsSubsetOf(PermissionSet target) { #endif if (this.IsUnrestricted() && ((target == null) || !target.IsUnrestricted())) { return(false); } // if each of our permission is (a) present and (b) a subset of target foreach (IPermission p in list) { #if !NET_2_0 if (target == null) { if (!p.IsSubsetOf(null)) { return(false); } } else #endif { // non CAS permissions must be evaluated for unrestricted Type t = p.GetType(); IPermission i = null; if (target.IsUnrestricted() && (p is CodeAccessPermission) && (p is IUnrestrictedPermission)) { i = (IPermission)Activator.CreateInstance(t, psUnrestricted); } else { i = target.GetPermission(t); } if (!p.IsSubsetOf(i)) { return(false); // not a subset (condition b) } } } return(true); }
public static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied) { PermissionSet resolved = ResolvePolicy(evidence); // do we have the minimal permission requested by the assembly ? if ((reqdPset != null) && !reqdPset.IsSubsetOf(resolved)) { throw new PolicyException(Locale.GetText( "Policy doesn't grant the minimal permissions required to execute the assembly.")); } // do we check for execution rights ? if (CheckExecutionRights) { bool execute = false; // an empty permissionset doesn't include Execution if (resolved != null) { // unless we have "Full Trust"... if (resolved.IsUnrestricted()) { execute = true; } else { // ... we need to find a SecurityPermission IPermission security = resolved.GetPermission(typeof(SecurityPermission)); execute = _execution.IsSubsetOf(security); } } if (!execute) { throw new PolicyException(Locale.GetText( "Policy doesn't grant the right to execute the assembly.")); } } denied = denyPset; return(resolved); }
static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission perm = (CodeAccessPermission)pSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk try { if (pSet.IsUnrestricted() || demand.CheckAssert(perm)) { return(SecurityRuntime.StackHalt); } } catch (ArgumentException) { } } return(SecurityRuntime.StackContinue); }
internal static IPermission CheckPermissionSet(AppDomain ad, PermissionSet ps) { if (ps == null || ps.IsEmpty()) { return(null); } PermissionSet grantedPermissionSet = ad.GrantedPermissionSet; if (grantedPermissionSet == null) { return(null); } if (grantedPermissionSet.IsUnrestricted()) { return(null); } if (ps.IsUnrestricted()) { return(new SecurityPermission(SecurityPermissionFlag.NoFlags)); } foreach (object obj in ps) { IPermission permission = (IPermission)obj; if (permission is CodeAccessPermission) { CodeAccessPermission codeAccessPermission = (CodeAccessPermission)grantedPermissionSet.GetPermission(permission.GetType()); if (codeAccessPermission == null) { if ((!grantedPermissionSet.IsUnrestricted() || !(permission is IUnrestrictedPermission)) && !permission.IsSubsetOf(null)) { return(permission); } } else if (!permission.IsSubsetOf(codeAccessPermission)) { return(permission); } } else { try { permission.Demand(); } catch (SecurityException) { return(permission); } } } return(null); }
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { if (this.GetPermitOnly(fDeclarative) != null) { this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetDenials(fDeclarative) != null) { this.GetDenials(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetAssertions(fDeclarative) != null) { this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken); } bool flag1 = SecurityManager._SetThreadSecurity(false); try { PermissionSet permitOnly = this.GetPermitOnly(fDeclarative); if (permitOnly != null) { CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission((IPermission)demand); if (permitted == null) { if (!permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } else { bool flag2 = true; try { flag2 = !demand.CheckPermitOnly(permitted); } catch (ArgumentException ex) { } if (flag2) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } } PermissionSet denials = this.GetDenials(fDeclarative); if (denials != null) { CodeAccessPermission denied = (CodeAccessPermission)denials.GetPermission((IPermission)demand); if (denials.IsUnrestricted()) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } bool flag2 = true; try { flag2 = !demand.CheckDeny(denied); } catch (ArgumentException ex) { } if (flag2) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } if (this.GetAssertAllPossible()) { return(false); } PermissionSet assertions = this.GetAssertions(fDeclarative); if (assertions != null) { CodeAccessPermission asserted = (CodeAccessPermission)assertions.GetPermission((IPermission)demand); try { if (!assertions.IsUnrestricted()) { if (!demand.CheckAssert(asserted)) { goto label_35; } } return(false); } catch (ArgumentException ex) { } } } finally { if (flag1) { SecurityManager._SetThreadSecurity(true); } } label_35: return(true); }
[System.Security.SecurityCritical] // auto-generated internal void UpdateGrant(PermissionSet in_g, out ZoneIdentityPermission z,out UrlIdentityPermission u) { z = null; u = null; if (in_g != null) { if (GrantSet == null) GrantSet = in_g.Copy(); else GrantSet.InplaceIntersect(in_g); z = (ZoneIdentityPermission)in_g.GetPermission(ZoneToken); u = (UrlIdentityPermission)in_g.GetPermission(UrlToken); } }
internal static bool CheckHelper(PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, object assemblyOrString, SecurityAction action, bool throwException) { if (permToken == null) { permToken = PermissionToken.GetToken(demand); } if (grantedSet != null) { grantedSet.CheckDecoded(permToken.m_index); } if (refusedSet != null) { refusedSet.CheckDecoded(permToken.m_index); } bool flag = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else if (!grantedSet.IsUnrestricted()) { CodeAccessPermission grant = (CodeAccessPermission)grantedSet.GetPermission(permToken); if (!demand.CheckDemand(grant)) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } } if (refusedSet != null) { CodeAccessPermission codeAccessPermission = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (codeAccessPermission != null && !codeAccessPermission.CheckDeny(demand)) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } if (refusedSet.IsUnrestricted()) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } } } catch (SecurityException) { throw; } catch (Exception) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } finally { if (flag) { SecurityManager._SetThreadSecurity(true); } } return(true); }
private static void CheckHelper(PermissionSet grantedSet, PermissionSet deniedSet, CodeAccessPermission demand, PermissionToken permToken) { #if _DEBUG if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Denied: "); DEBUG_OUT(deniedSet!=null ? deniedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif if (permToken == null) permToken = PermissionToken.GetToken(demand); // If PermissionSet is null, then module does not have Permissions... Fail check. try { if (grantedSet == null) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission)) { // If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted // variety, we need to do the proper callback. BCLDebug.Assert(demand != null,"demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty) // then throw an exception. if (grantedPerm == null) { if (!demand.IsSubsetOf( null )) throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); else return; } // Call the check demand for our permission. grantedPerm.CheckDemand(demand); } // Make the sure the permission is not denied. if (deniedSet != null) { CodeAccessPermission deniedPerm = (CodeAccessPermission)deniedSet.GetPermission(permToken); if (deniedPerm != null) { if (deniedPerm.Intersect(demand) != null) { #if _DEBUG if (debug) DEBUG_OUT( "Permission found in denied set" ); #endif throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } } catch (Exception e) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (e is SecurityException) throw e; else throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } DEBUG_OUT( "Check passed" ); }
public bool IsSubsetOf (PermissionSet target) { // if target is empty we must be empty too if ((target == null) || (target.IsEmpty ())) return this.IsEmpty (); // all permissions support unrestricted in 2.0 if (target.IsUnrestricted ()) return true; if (this.IsUnrestricted ()) return false; if (this.IsUnrestricted () && ((target == null) || !target.IsUnrestricted ())) return false; // if each of our permission is (a) present and (b) a subset of target foreach (IPermission p in list) { // non CAS permissions must be evaluated for unrestricted Type t = p.GetType (); IPermission i = null; if (target.IsUnrestricted () && (p is CodeAccessPermission) && (p is IUnrestrictedPermission)) { i = (IPermission) Activator.CreateInstance (t, psUnrestricted); } else { i = target.GetPermission (t); } if (!p.IsSubsetOf (i)) return false; // not a subset (condition b) } return true; }
internal bool CheckDeny(PermissionSet deniedSet, out IPermission firstPermThatFailed) { firstPermThatFailed = null; if (((deniedSet != null) && !deniedSet.FastIsEmpty()) && !this.FastIsEmpty()) { if (this.m_Unrestricted && deniedSet.m_Unrestricted) { return false; } PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(this); while (internal2.MoveNext()) { CodeAccessPermission current = internal2.Current as CodeAccessPermission; if ((current != null) && !current.IsSubsetOf(null)) { if (deniedSet.m_Unrestricted) { firstPermThatFailed = current; return false; } CodeAccessPermission permission = (CodeAccessPermission) deniedSet.GetPermission(internal2.GetCurrentIndex()); if (!current.CheckDeny(permission)) { firstPermThatFailed = current; return false; } } } if (this.m_Unrestricted) { PermissionSetEnumeratorInternal internal3 = new PermissionSetEnumeratorInternal(deniedSet); while (internal3.MoveNext()) { if (internal3.Current is IPermission) { return false; } } } } return true; }
internal static PermissionSet RemoveRefusedPermissionSet(PermissionSet assertSet, PermissionSet refusedSet, out bool bFailedToCompress) { PermissionSet set = null; bFailedToCompress = false; if (assertSet == null) { return null; } if (refusedSet != null) { if (refusedSet.IsUnrestricted()) { return null; } PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(refusedSet); while (internal2.MoveNext()) { CodeAccessPermission current = (CodeAccessPermission) internal2.Current; int currentIndex = internal2.GetCurrentIndex(); if (current != null) { CodeAccessPermission permission = (CodeAccessPermission) assertSet.GetPermission(currentIndex); try { if (current.Intersect(permission) == null) { continue; } if (current.Equals(permission)) { if (set == null) { set = assertSet.Copy(); } set.RemovePermission(currentIndex); continue; } bFailedToCompress = true; return assertSet; } catch (ArgumentException) { if (set == null) { set = assertSet.Copy(); } set.RemovePermission(currentIndex); continue; } } } } if (set != null) { return set; } return assertSet; }
internal static void RemoveAssertedPermissionSet(PermissionSet demandSet, PermissionSet assertSet, out PermissionSet alteredDemandSet) { alteredDemandSet = null; PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(demandSet); while (internal2.MoveNext()) { CodeAccessPermission current = (CodeAccessPermission) internal2.Current; int currentIndex = internal2.GetCurrentIndex(); if (current != null) { CodeAccessPermission permission = (CodeAccessPermission) assertSet.GetPermission(currentIndex); try { if (current.CheckAssert(permission)) { if (alteredDemandSet == null) { alteredDemandSet = demandSet.Copy(); } alteredDemandSet.RemovePermission(currentIndex); } continue; } catch (ArgumentException) { continue; } } } }
internal bool IsSubsetOfHelper(PermissionSet target, IsSubsetOfType type, out IPermission firstPermThatFailed, bool ignoreNonCas) { firstPermThatFailed = null; if ((target == null) || target.FastIsEmpty()) { if (this.IsEmpty()) { return true; } firstPermThatFailed = this.GetFirstPerm(); return false; } if (this.IsUnrestricted() && !target.IsUnrestricted()) { return false; } if (this.m_permSet != null) { target.CheckSet(); for (int i = this.m_permSet.GetStartingIndex(); i <= this.m_permSet.GetMaxUsedIndex(); i++) { IPermission permission = this.GetPermission(i); if ((permission != null) && !permission.IsSubsetOf(null)) { IPermission permission2 = target.GetPermission(i); if (!target.m_Unrestricted) { CodeAccessPermission permission3 = permission as CodeAccessPermission; if (permission3 == null) { if (!ignoreNonCas && !permission.IsSubsetOf(permission2)) { firstPermThatFailed = permission; return false; } continue; } firstPermThatFailed = permission; switch (type) { case IsSubsetOfType.Normal: if (permission.IsSubsetOf(permission2)) { break; } return false; case IsSubsetOfType.CheckDemand: if (permission3.CheckDemand((CodeAccessPermission) permission2)) { break; } return false; case IsSubsetOfType.CheckPermitOnly: if (permission3.CheckPermitOnly((CodeAccessPermission) permission2)) { break; } return false; case IsSubsetOfType.CheckAssertion: if (permission3.CheckAssert((CodeAccessPermission) permission2)) { break; } return false; } firstPermThatFailed = null; } } } } return true; }
internal static bool IsIntersectingAssertedPermissions(PermissionSet assertSet1, PermissionSet assertSet2) { bool flag = false; if ((assertSet1 != null) && (assertSet2 != null)) { PermissionSetEnumeratorInternal internal2 = new PermissionSetEnumeratorInternal(assertSet2); while (internal2.MoveNext()) { CodeAccessPermission current = (CodeAccessPermission) internal2.Current; int currentIndex = internal2.GetCurrentIndex(); if (current != null) { CodeAccessPermission permission = (CodeAccessPermission) assertSet1.GetPermission(currentIndex); try { if ((permission != null) && !permission.Equals(current)) { flag = true; } continue; } catch (ArgumentException) { flag = true; continue; } } } } return flag; }
[System.Security.SecurityCritical] // auto-generated #pragma warning disable 618 internal static bool CheckHelper(PermissionSet grantedSet, #pragma warning restore 618 PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, Object assemblyOrString, SecurityAction action, bool throwException) { // We should never get here with a null demand Contract.Assert(demand != null, "Should not reach here with a null demand"); #if _DEBUG && FEATURE_CAS_POLICY if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Refused: "); DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif // _DEBUG && FEATURE_CAS_POLICY if (permToken == null) { permToken = PermissionToken.GetToken(demand); } if (grantedSet != null) { grantedSet.CheckDecoded(permToken.m_index); } if (refusedSet != null) { refusedSet.CheckDecoded(permToken.m_index); } // If PermissionSet is null, then module does not have Permissions... Fail check. bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } else if (!grantedSet.IsUnrestricted()) { // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted // variety, we need to do the proper callback. Contract.Assert(demand != null, "demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // Make sure the demand has been granted if (!demand.CheckDemand(grantedPerm)) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } // Make the sure the permission is not refused. if (refusedSet != null) { CodeAccessPermission refusedPerm = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (refusedPerm != null) { if (!refusedPerm.CheckDeny(demand)) { #if _DEBUG if (debug) { DEBUG_OUT("Permission found in refused set"); } #endif if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } if (refusedSet.IsUnrestricted()) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } } catch (SecurityException) { throw; } catch (Exception) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } finally { if (bThreadSecurity) { SecurityManager._SetThreadSecurity(true); } } DEBUG_OUT("Check passed"); return(true); }
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet) { if (((grantSet != null) && grantSet.IsUnrestricted()) && ((deniedSet == null) || deniedSet.IsEmpty())) { return(-1); } SecurityPermission permission = null; SecurityPermissionFlag noFlags = SecurityPermissionFlag.NoFlags; ReflectionPermission permission2 = null; ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] permissionArray = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { noFlags = SecurityPermissionFlag.AllFlags; reflectionPermissionFlags = ReflectionPermissionFlag.RestrictedMemberAccess | ReflectionPermissionFlag.AllFlags; for (int i = 0; i < permissionArray.Length; i++) { permissionArray[i] = s_UnrestrictedSpecialPermissionMap[i]; } } else { permission = grantSet.GetPermission(6) as SecurityPermission; if (permission != null) { noFlags = permission.Flags; } permission2 = grantSet.GetPermission(4) as ReflectionPermission; if (permission2 != null) { reflectionPermissionFlags = permission2.Flags; } for (int j = 0; j < permissionArray.Length; j++) { permissionArray[j] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[j][0]) as CodeAccessPermission; } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { noFlags = SecurityPermissionFlag.NoFlags; reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; for (int k = 0; k < s_BuiltInPermissionIndexMap.Length; k++) { permissionArray[k] = null; } } else { permission = deniedSet.GetPermission(6) as SecurityPermission; if (permission != null) { noFlags &= ~permission.Flags; } permission2 = deniedSet.GetPermission(4) as ReflectionPermission; if (permission2 != null) { reflectionPermissionFlags &= ~permission2.Flags; } for (int m = 0; m < s_BuiltInPermissionIndexMap.Length; m++) { CodeAccessPermission permission3 = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[m][0]) as CodeAccessPermission; if ((permission3 != null) && !permission3.IsSubsetOf(null)) { permissionArray[m] = null; } } } } int num5 = MapToSpecialFlags(noFlags, reflectionPermissionFlags); if (num5 != -1) { for (int n = 0; n < permissionArray.Length; n++) { if ((permissionArray[n] != null) && ((IUnrestrictedPermission)permissionArray[n]).IsUnrestricted()) { num5 |= ((int)1) << s_BuiltInPermissionIndexMap[n][1]; } } } return(num5); }
internal bool CheckDeny(PermissionSet deniedSet, out IPermission firstPermThatFailed) { firstPermThatFailed = null; if (deniedSet == null || deniedSet.FastIsEmpty() || this.FastIsEmpty()) return true; if(this.m_Unrestricted && deniedSet.m_Unrestricted) return false; CodeAccessPermission permThis, permThat; PermissionSetEnumeratorInternal enumThis = new PermissionSetEnumeratorInternal(this); while (enumThis.MoveNext()) { permThis = enumThis.Current as CodeAccessPermission; if(permThis == null || permThis.IsSubsetOf(null)) continue; // ignore non-CAS permissions in the grant set. if (deniedSet.m_Unrestricted) { firstPermThatFailed = permThis; return false; } permThat = (CodeAccessPermission)deniedSet.GetPermission(enumThis.GetCurrentIndex()); if (!permThis.CheckDeny(permThat)) { firstPermThatFailed = permThis; return false; } } if(this.m_Unrestricted) { PermissionSetEnumeratorInternal enumThat = new PermissionSetEnumeratorInternal(deniedSet); while (enumThat.MoveNext()) { if(enumThat.Current is IPermission) return false; } } return true; }
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet) { if (((grantSet != null) && grantSet.IsUnrestricted()) && ((deniedSet == null) || deniedSet.IsEmpty())) { return -1; } SecurityPermission permission = null; SecurityPermissionFlag noFlags = SecurityPermissionFlag.NoFlags; ReflectionPermission permission2 = null; ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] permissionArray = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { noFlags = SecurityPermissionFlag.AllFlags; reflectionPermissionFlags = ReflectionPermissionFlag.RestrictedMemberAccess | ReflectionPermissionFlag.AllFlags; for (int i = 0; i < permissionArray.Length; i++) { permissionArray[i] = s_UnrestrictedSpecialPermissionMap[i]; } } else { permission = grantSet.GetPermission(6) as SecurityPermission; if (permission != null) { noFlags = permission.Flags; } permission2 = grantSet.GetPermission(4) as ReflectionPermission; if (permission2 != null) { reflectionPermissionFlags = permission2.Flags; } for (int j = 0; j < permissionArray.Length; j++) { permissionArray[j] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[j][0]) as CodeAccessPermission; } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { noFlags = SecurityPermissionFlag.NoFlags; reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; for (int k = 0; k < s_BuiltInPermissionIndexMap.Length; k++) { permissionArray[k] = null; } } else { permission = deniedSet.GetPermission(6) as SecurityPermission; if (permission != null) { noFlags &= ~permission.Flags; } permission2 = deniedSet.GetPermission(4) as ReflectionPermission; if (permission2 != null) { reflectionPermissionFlags &= ~permission2.Flags; } for (int m = 0; m < s_BuiltInPermissionIndexMap.Length; m++) { CodeAccessPermission permission3 = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[m][0]) as CodeAccessPermission; if ((permission3 != null) && !permission3.IsSubsetOf(null)) { permissionArray[m] = null; } } } } int num5 = MapToSpecialFlags(noFlags, reflectionPermissionFlags); if (num5 != -1) { for (int n = 0; n < permissionArray.Length; n++) { if ((permissionArray[n] != null) && ((IUnrestrictedPermission) permissionArray[n]).IsUnrestricted()) { num5 |= ((int) 1) << s_BuiltInPermissionIndexMap[n][1]; } } } return num5; }
internal void InternalIntersect (PermissionSet intersect, PermissionSet a, PermissionSet b, bool unrestricted) { foreach (IPermission p in b.list) { // for every type in both list IPermission i = a.GetPermission (p.GetType ()); if (i != null) { // add intersection for this type intersect.AddPermission (p.Intersect (i)); } // unrestricted is possible for indentity permissions else if (unrestricted) { intersect.AddPermission (p); } // or reject! } }
[System.Security.SecurityCritical] // auto-generated internal static void GetZoneAndOriginHelper( CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList ) { if (cs != null) cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission))); else { ZoneIdentityPermission zone = (ZoneIdentityPermission)grantSet.GetPermission( typeof( ZoneIdentityPermission ) ); UrlIdentityPermission url = (UrlIdentityPermission)grantSet.GetPermission( typeof( UrlIdentityPermission ) ); if (zone != null) zoneList.Add( zone.SecurityZone ); if (url != null) originList.Add( url.Url ); } }
internal static int GetSpecialFlags (PermissionSet grantSet, PermissionSet deniedSet) { if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty())) { return -1; } else { SecurityPermission securityPermission = null; #pragma warning disable 618 SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags; #pragma warning restore 618 ReflectionPermission reflectionPermission = null; ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { securityPermissionFlags = SecurityPermissionFlag.AllFlags; reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore; for (int i = 0; i < specialPermissions.Length; i++) { specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i]; } } else { securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission; if (securityPermission != null) securityPermissionFlags = securityPermission.Flags; reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission; if (reflectionPermission != null) reflectionPermissionFlags = reflectionPermission.Flags; for (int i = 0; i < specialPermissions.Length; i++) { specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission; } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { securityPermissionFlags = SecurityPermissionFlag.NoFlags; reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) { specialPermissions[i] = null; } } else { securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission; if (securityPermission != null) securityPermissionFlags &= ~securityPermission.Flags; reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission; if (reflectionPermission != null) reflectionPermissionFlags &= ~reflectionPermission.Flags; for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) { CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission; if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null)) specialPermissions[i] = null; // we don't care about the exact value here. } } } int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags); if (flags != -1) { for (int i = 0; i < specialPermissions.Length; i++) { if (specialPermissions[i] != null && ((IUnrestrictedPermission) specialPermissions[i]).IsUnrestricted()) flags |= (1 << (int) s_BuiltInPermissionIndexMap[i][1]); } } return flags; } }
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet) { if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty())) { return(-1); } else { SecurityPermission securityPermission = null; #pragma warning disable 618 SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags; #pragma warning restore 618 ReflectionPermission reflectionPermission = null; ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { #pragma warning disable 618 securityPermissionFlags = SecurityPermissionFlag.AllFlags; #pragma warning restore 618 reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore; for (int i = 0; i < specialPermissions.Length; i++) { specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i]; } } else { securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission; if (securityPermission != null) { securityPermissionFlags = securityPermission.Flags; } reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlags = reflectionPermission.Flags; } for (int i = 0; i < specialPermissions.Length; i++) { specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission; } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { #pragma warning disable 618 securityPermissionFlags = SecurityPermissionFlag.NoFlags; #pragma warning restore 618 reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) { specialPermissions[i] = null; } } else { securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission; if (securityPermission != null) { securityPermissionFlags &= ~securityPermission.Flags; } reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlags &= ~reflectionPermission.Flags; } for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) { CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission; if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null)) { specialPermissions[i] = null; // we don't care about the exact value here. } } } } int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags); if (flags != -1) { for (int i = 0; i < specialPermissions.Length; i++) { if (specialPermissions[i] != null && ((IUnrestrictedPermission)specialPermissions[i]).IsUnrestricted()) { flags |= (1 << (int)s_BuiltInPermissionIndexMap[i][1]); } } } return(flags); } }
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { if (this.GetPermitOnly(fDeclarative) != null) { this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetDenials(fDeclarative) != null) { this.GetDenials(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetAssertions(fDeclarative) != null) { this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken); } bool flag = SecurityManager._SetThreadSecurity(false); try { PermissionSet permitOnly = this.GetPermitOnly(fDeclarative); if (permitOnly != null) { CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission(demand); if (permitted == null) { if (!permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } else { bool flag2 = true; try { flag2 = !demand.CheckPermitOnly(permitted); } catch (ArgumentException) { } if (flag2) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } } permitOnly = this.GetDenials(fDeclarative); if (permitOnly != null) { CodeAccessPermission permission = (CodeAccessPermission)permitOnly.GetPermission(demand); if (permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } bool flag3 = true; try { flag3 = !demand.CheckDeny(permission); } catch (ArgumentException) { } if (flag3) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } if (this.GetAssertAllPossible()) { return(false); } permitOnly = this.GetAssertions(fDeclarative); if (permitOnly != null) { CodeAccessPermission asserted = (CodeAccessPermission)permitOnly.GetPermission(demand); try { if (permitOnly.IsUnrestricted() || demand.CheckAssert(asserted)) { return(false); } } catch (ArgumentException) { } } } finally { if (flag) { SecurityManager._SetThreadSecurity(true); } } return(true); }
public void GetPermission_Null () { PermissionSet ps = new PermissionSet (PermissionState.None); Assert.IsNull (ps.GetPermission (null), "Empty"); }
[System.Security.SecurityCritical] // auto-generated static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission perm = (CodeAccessPermission)pSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk try { if (pSet.IsUnrestricted() || demand.CheckAssert(perm)) { return SecurityRuntime.StackHalt; } } catch (ArgumentException) { } } return SecurityRuntime.StackContinue; }
public void GetPermission_Unrestricted () { PermissionSet ps = new PermissionSet (PermissionState.Unrestricted); Assert.IsNull (ps.GetPermission (typeof (SecurityPermission)), "Empty"); }
internal static bool CheckHelper(PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, object assemblyOrString, SecurityAction action, bool throwException) { if (permToken == null) { permToken = PermissionToken.GetToken(demand); } if (grantedSet != null) { grantedSet.CheckDecoded(permToken.m_index); } if (refusedSet != null) { refusedSet.CheckDecoded(permToken.m_index); } bool flag = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (!throwException) { return false; } ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else if (!grantedSet.IsUnrestricted()) { CodeAccessPermission grant = (CodeAccessPermission) grantedSet.GetPermission(permToken); if (!demand.CheckDemand(grant)) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return false; } } } if (refusedSet != null) { CodeAccessPermission permission = (CodeAccessPermission) refusedSet.GetPermission(permToken); if ((permission != null) && !permission.CheckDeny(demand)) { if (!throwException) { return false; } ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } if (refusedSet.IsUnrestricted()) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return false; } } } } catch (SecurityException) { throw; } catch (Exception) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return false; } } finally { if (flag) { SecurityManager._SetThreadSecurity(true); } } return true; }
// Token: 0x06001E28 RID: 7720 RVA: 0x0006948C File Offset: 0x0006768C internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet) { if (grantSet != null && grantSet.IsUnrestricted() && (deniedSet == null || deniedSet.IsEmpty())) { return(-1); } SecurityPermissionFlag securityPermissionFlag = SecurityPermissionFlag.NoFlags; ReflectionPermissionFlag reflectionPermissionFlag = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] array = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { securityPermissionFlag = SecurityPermissionFlag.AllFlags; reflectionPermissionFlag = (ReflectionPermissionFlag.TypeInformation | ReflectionPermissionFlag.MemberAccess | ReflectionPermissionFlag.ReflectionEmit | ReflectionPermissionFlag.RestrictedMemberAccess); for (int i = 0; i < array.Length; i++) { array[i] = SecurityManager.s_UnrestrictedSpecialPermissionMap[i]; } } else { SecurityPermission securityPermission = grantSet.GetPermission(6) as SecurityPermission; if (securityPermission != null) { securityPermissionFlag = securityPermission.Flags; } ReflectionPermission reflectionPermission = grantSet.GetPermission(4) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlag = reflectionPermission.Flags; } for (int j = 0; j < array.Length; j++) { array[j] = (grantSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[j][0]) as CodeAccessPermission); } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { securityPermissionFlag = SecurityPermissionFlag.NoFlags; reflectionPermissionFlag = ReflectionPermissionFlag.NoFlags; for (int k = 0; k < SecurityManager.s_BuiltInPermissionIndexMap.Length; k++) { array[k] = null; } } else { SecurityPermission securityPermission = deniedSet.GetPermission(6) as SecurityPermission; if (securityPermission != null) { securityPermissionFlag &= ~securityPermission.Flags; } ReflectionPermission reflectionPermission = deniedSet.GetPermission(4) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlag &= ~reflectionPermission.Flags; } for (int l = 0; l < SecurityManager.s_BuiltInPermissionIndexMap.Length; l++) { CodeAccessPermission codeAccessPermission = deniedSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[l][0]) as CodeAccessPermission; if (codeAccessPermission != null && !codeAccessPermission.IsSubsetOf(null)) { array[l] = null; } } } } int num = SecurityManager.MapToSpecialFlags(securityPermissionFlag, reflectionPermissionFlag); if (num != -1) { for (int m = 0; m < array.Length; m++) { if (array[m] != null && ((IUnrestrictedPermission)array[m]).IsUnrestricted()) { num |= 1 << SecurityManager.s_BuiltInPermissionIndexMap[m][1]; } } } return(num); }
public static bool IsGranted(this IRole role, IPermission permission) { var permissionSet = new PermissionSet(PermissionState.None); role.Permissions.Each(perm => permissionSet.AddPermission(perm)); var getPermission = permissionSet.GetPermission(typeof(ObjectAccessPermission)); return getPermission != null && permission.IsSubsetOf(getPermission); }
internal static bool IsIntersectingAssertedPermissions(PermissionSet assertSet1, PermissionSet assertSet2) { bool isIntersecting = false; if (assertSet1 != null && assertSet2 != null) { PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(assertSet2); while (enumerator.MoveNext()) { CodeAccessPermission perm2 = (CodeAccessPermission)enumerator.Current; int i = enumerator.GetCurrentIndex(); if (perm2 != null) { CodeAccessPermission perm1 = (CodeAccessPermission)assertSet1.GetPermission(i); try { if (perm1 != null && !perm1.Equals(perm2)) { isIntersecting = true; // Same type of permission, but with different flags or something - cannot union them } } catch (ArgumentException) { isIntersecting = true; //assume worst case } } } } return isIntersecting; }
internal bool IsSubsetOfHelper(PermissionSet target, IsSubsetOfType type, out IPermission firstPermThatFailed, bool ignoreNonCas) { #if _DEBUG if (debug) DEBUG_WRITE("IsSubsetOf\n" + "Other:\n" + (target == null ? "<null>" : target.ToString()) + "\nMe:\n" + ToString()); #endif firstPermThatFailed = null; if (target == null || target.FastIsEmpty()) { if(this.IsEmpty()) return true; else { firstPermThatFailed = GetFirstPerm(); return false; } } else if (this.IsUnrestricted() && !target.IsUnrestricted()) return false; else if (this.m_permSet == null) return true; else { target.CheckSet(); for (int i = m_permSet.GetStartingIndex(); i <= this.m_permSet.GetMaxUsedIndex(); ++i) { IPermission thisPerm = this.GetPermission(i); if (thisPerm == null || thisPerm.IsSubsetOf(null)) continue; IPermission targetPerm = target.GetPermission(i); #if _DEBUG PermissionToken token = (PermissionToken)PermissionToken.s_tokenSet.GetItem( i ); Contract.Assert(targetPerm == null || (token.m_type & PermissionTokenType.DontKnow) == 0, "Token not properly initialized"); #endif if (target.m_Unrestricted) continue; // targetPerm can be null here, but that is fine since it thisPerm is a subset // of empty/null then we can continue in the loop. CodeAccessPermission cap = thisPerm as CodeAccessPermission; if(cap == null) { if (!ignoreNonCas && !thisPerm.IsSubsetOf( targetPerm )) { firstPermThatFailed = thisPerm; return false; } } else { firstPermThatFailed = thisPerm; switch(type) { case IsSubsetOfType.Normal: if (!thisPerm.IsSubsetOf( targetPerm )) return false; break; case IsSubsetOfType.CheckDemand: if (!cap.CheckDemand( (CodeAccessPermission)targetPerm )) return false; break; case IsSubsetOfType.CheckPermitOnly: if (!cap.CheckPermitOnly( (CodeAccessPermission)targetPerm )) return false; break; case IsSubsetOfType.CheckAssertion: if (!cap.CheckAssert( (CodeAccessPermission)targetPerm )) return false; break; } firstPermThatFailed = null; } } } return true; }
private static void CheckHelper(PermissionSet grantedSet, PermissionSet deniedSet, CodeAccessPermission demand, PermissionToken permToken) { #if _DEBUG if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Denied: "); DEBUG_OUT(deniedSet != null ? deniedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif if (permToken == null) { permToken = PermissionToken.GetToken(demand); } // If PermissionSet is null, then module does not have Permissions... Fail check. try { if (grantedSet == null) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission)) { // If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted // variety, we need to do the proper callback. BCLDebug.Assert(demand != null, "demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty) // then throw an exception. if (grantedPerm == null) { if (!demand.IsSubsetOf(null)) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } else { return; } } // Call the check demand for our permission. grantedPerm.CheckDemand(demand); } // Make the sure the permission is not denied. if (deniedSet != null) { CodeAccessPermission deniedPerm = (CodeAccessPermission)deniedSet.GetPermission(permToken); if (deniedPerm != null) { if (deniedPerm.Intersect(demand) != null) { #if _DEBUG if (debug) { DEBUG_OUT("Permission found in denied set"); } #endif throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } if (deniedSet.IsUnrestricted() && (demand is IUnrestrictedPermission)) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } catch (Exception e) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (e is SecurityException) { throw e; } else { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } DEBUG_OUT("Check passed"); }
[System.Security.SecurityCritical] // auto-generated #pragma warning disable 618 internal static bool CheckHelper(PermissionSet grantedSet, #pragma warning restore 618 PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, Object assemblyOrString, SecurityAction action, bool throwException) { // We should never get here with a null demand Contract.Assert(demand != null, "Should not reach here with a null demand"); #if _DEBUG && FEATURE_CAS_POLICY if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Refused: "); DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif // _DEBUG && FEATURE_CAS_POLICY if (permToken == null) permToken = PermissionToken.GetToken(demand); if (grantedSet != null) grantedSet.CheckDecoded(permToken.m_index); if (refusedSet != null) refusedSet.CheckDecoded(permToken.m_index); // If PermissionSet is null, then module does not have Permissions... Fail check. bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } else if (!grantedSet.IsUnrestricted()) { // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted // variety, we need to do the proper callback. Contract.Assert(demand != null,"demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // Make sure the demand has been granted if (!demand.CheckDemand( grantedPerm )) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } // Make the sure the permission is not refused. if (refusedSet != null) { CodeAccessPermission refusedPerm = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (refusedPerm != null) { if (!refusedPerm.CheckDeny(demand)) { #if _DEBUG if (debug) DEBUG_OUT( "Permission found in refused set" ); #endif if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } if (refusedSet.IsUnrestricted()) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } } catch (SecurityException) { throw; } catch (Exception) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } finally { if (bThreadSecurity) SecurityManager._SetThreadSecurity(true); } DEBUG_OUT( "Check passed" ); return true; }
protected override IsolatedStoragePermission GetPermission (PermissionSet ps) { if (ps == null) return null; return (IsolatedStoragePermission) ps.GetPermission (typeof (IsolatedStorageFilePermission)); }
/// <include file='doc\IsolatedStorageFile.uex' path='docs/doc[@for="IsolatedStorageFile.GetPermission"]/*' /> protected override IsolatedStoragePermission GetPermission( PermissionSet ps) { if (ps == null) return null; else if (ps.IsUnrestricted()) return new IsolatedStorageFilePermission( PermissionState.Unrestricted); return (IsolatedStoragePermission) ps. GetPermission(typeof(IsolatedStorageFilePermission)); }
public virtual bool IsSubsetOf (PermissionSet target) { #endif if (this.IsUnrestricted () && ((target == null) || !target.IsUnrestricted ())) return false; // if each of our permission is (a) present and (b) a subset of target foreach (IPermission p in list) { #if !NET_2_0 if (target == null) { if (!p.IsSubsetOf (null)) return false; } else #endif { // non CAS permissions must be evaluated for unrestricted Type t = p.GetType (); IPermission i = null; if (target.IsUnrestricted () && (p is CodeAccessPermission) && (p is IUnrestrictedPermission)) { i = (IPermission) Activator.CreateInstance (t, psUnrestricted); } else { i = target.GetPermission (t); } if (!p.IsSubsetOf (i)) return false; // not a subset (condition b) } } return true; }
public void AddPermission_NoCopy () { PermissionSet ps = new PermissionSet (PermissionState.None); SecurityPermission sp1 = new SecurityPermission (SecurityPermissionFlag.ControlEvidence); SecurityPermission result = (SecurityPermission)ps.AddPermission (sp1); SecurityPermission entry = (SecurityPermission)ps.GetPermission (typeof (SecurityPermission)); // are they the same (reference) or different ? sp1.Flags = SecurityPermissionFlag.AllFlags; result.Flags = SecurityPermissionFlag.Assertion; }
internal static PermissionSet RemoveRefusedPermissionSet(PermissionSet assertSet, PermissionSet refusedSet, out bool bFailedToCompress) { Contract.Assert((assertSet == null || !assertSet.IsUnrestricted()), "Cannot be unrestricted here"); PermissionSet retPs = null; bFailedToCompress = false; if (assertSet == null) return null; if (refusedSet != null) { if (refusedSet.IsUnrestricted()) return null; // we're refusing everything...cannot assert anything now. PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(refusedSet); while (enumerator.MoveNext()) { CodeAccessPermission refusedPerm = (CodeAccessPermission)enumerator.Current; int i = enumerator.GetCurrentIndex(); if (refusedPerm != null) { CodeAccessPermission perm = (CodeAccessPermission)assertSet.GetPermission(i); try { if (refusedPerm.Intersect(perm) != null) { if (refusedPerm.Equals(perm)) { if (retPs == null) retPs = assertSet.Copy(); retPs.RemovePermission(i); } else { // Asserting a permission, part of which is already denied/refused // cannot compress this assert bFailedToCompress = true; return assertSet; } } } catch (ArgumentException) { // Any exception during removing a refused set from assert set => we play it safe and not assert that perm if (retPs == null) retPs = assertSet.Copy(); retPs.RemovePermission(i); } } } } if (retPs != null) return retPs; return assertSet; }
public void GetPermission_None () { PermissionSet ps = new PermissionSet (PermissionState.None); Assert.IsNull (ps.GetPermission (typeof (SecurityPermission)), "Empty"); }
internal static void RemoveAssertedPermissionSet(PermissionSet demandSet, PermissionSet assertSet, out PermissionSet alteredDemandSet) { Contract.Assert(!assertSet.IsUnrestricted(), "Cannot call this function if assertSet is unrestricted"); alteredDemandSet = null; PermissionSetEnumeratorInternal enumerator = new PermissionSetEnumeratorInternal(demandSet); while (enumerator.MoveNext()) { CodeAccessPermission demandDerm = (CodeAccessPermission)enumerator.Current; int i = enumerator.GetCurrentIndex(); if (demandDerm != null) { CodeAccessPermission assertPerm = (CodeAccessPermission)assertSet.GetPermission(i); try { if (demandDerm.CheckAssert(assertPerm)) { if (alteredDemandSet == null) alteredDemandSet = demandSet.Copy(); alteredDemandSet.RemovePermission(i); } } catch (ArgumentException) { } } } return; }
public void GetPermission_Subclass () { IsolatedStorageFilePermission isfp = new IsolatedStorageFilePermission (PermissionState.Unrestricted); PermissionSet ps = new PermissionSet (PermissionState.None); ps.AddPermission (isfp); Assert.IsNull (ps.GetPermission (typeof (IsolatedStoragePermission)), "Subclass"); }
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet) { if (grantSet != null && grantSet.IsUnrestricted() && (deniedSet == null || deniedSet.IsEmpty())) { return(-1); } SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags; ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; CodeAccessPermission[] accessPermissionArray = new CodeAccessPermission[6]; if (grantSet != null) { if (grantSet.IsUnrestricted()) { securityPermissionFlags = SecurityPermissionFlag.AllFlags; reflectionPermissionFlags = ReflectionPermissionFlag.AllFlags | ReflectionPermissionFlag.RestrictedMemberAccess; for (int index = 0; index < accessPermissionArray.Length; ++index) { accessPermissionArray[index] = SecurityManager.s_UnrestrictedSpecialPermissionMap[index]; } } else { SecurityPermission securityPermission = grantSet.GetPermission(6) as SecurityPermission; if (securityPermission != null) { securityPermissionFlags = securityPermission.Flags; } ReflectionPermission reflectionPermission = grantSet.GetPermission(4) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlags = reflectionPermission.Flags; } for (int index = 0; index < accessPermissionArray.Length; ++index) { accessPermissionArray[index] = grantSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission; } } } if (deniedSet != null) { if (deniedSet.IsUnrestricted()) { securityPermissionFlags = SecurityPermissionFlag.NoFlags; reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags; for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index) { accessPermissionArray[index] = (CodeAccessPermission)null; } } else { SecurityPermission securityPermission = deniedSet.GetPermission(6) as SecurityPermission; if (securityPermission != null) { securityPermissionFlags &= ~securityPermission.Flags; } ReflectionPermission reflectionPermission = deniedSet.GetPermission(4) as ReflectionPermission; if (reflectionPermission != null) { reflectionPermissionFlags &= ~reflectionPermission.Flags; } for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index) { CodeAccessPermission accessPermission = deniedSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission; if (accessPermission != null && !accessPermission.IsSubsetOf((IPermission)null)) { accessPermissionArray[index] = (CodeAccessPermission)null; } } } } int specialFlags = SecurityManager.MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags); if (specialFlags != -1) { for (int index = 0; index < accessPermissionArray.Length; ++index) { if (accessPermissionArray[index] != null && ((IUnrestrictedPermission)accessPermissionArray[index]).IsUnrestricted()) { specialFlags |= 1 << SecurityManager.s_BuiltInPermissionIndexMap[index][1]; } } } return(specialFlags); }