public void SetPermission_Unrestricted ()
{
SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted);
PermissionSet ps = new PermissionSet (PermissionState.Unrestricted);
Assert.AreEqual (0, ps.Count, "Empty");
Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted");
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
ZoneIdentityPermission zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone");
#if NET_2_0
// Adding a non unrestricted identity permission now results in
// a permission set loosing it's unrestricted status
Assert.IsTrue (!ps.IsUnrestricted (), "State-Unrestricted-2");
#else
Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted-2");
#endif
zip = new ZoneIdentityPermission (SecurityZone.Intranet);
zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission-2");
Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone-2");
SecurityPermission result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (2, ps.Count, "SecurityPermission");
Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None");
sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain);
result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (2, ps.Count, "SecurityPermission-2");
Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags-2");
}
public void PermissionSetNull ()
{
// no exception is thrown
PermissionSet ps = new PermissionSet (null);
#if NET_2_0
Assert ("PermissionStateNull.IsUnrestricted", !ps.IsUnrestricted ());
Assert ("PermissionStateNull.IsEmpty", ps.IsEmpty ());
#else
Assert ("PermissionStateNull.IsUnrestricted", ps.IsUnrestricted ());
Assert ("PermissionStateNull.IsEmpty", !ps.IsEmpty ());
#endif
Assert ("PermissionStateNull.IsReadOnly", !ps.IsReadOnly);
AssertEquals ("PermissionStateNull.ToXml().ToString()==ToString()", ps.ToXml ().ToString (), ps.ToString ());
}
public void PermissionSetNull ()
{
// no exception is thrown
PermissionSet ps = new PermissionSet (null);
#if NET_2_0
Assert.IsTrue (!ps.IsUnrestricted (), "PermissionStateNull.IsUnrestricted");
Assert.IsTrue (ps.IsEmpty (), "PermissionStateNull.IsEmpty");
#else
Assert.IsTrue (ps.IsUnrestricted (), "PermissionStateNull.IsUnrestricted");
Assert.IsTrue (!ps.IsEmpty (), "PermissionStateNull.IsEmpty");
#endif
Assert.IsTrue (!ps.IsReadOnly, "PermissionStateNull.IsReadOnly");
Assert.AreEqual (ps.ToXml ().ToString (), ps.ToString (), "PermissionStateNull.ToXml().ToString()==ToString()");
Assert.IsTrue (!ps.ContainsNonCodeAccessPermissions (), "ContainsNonCodeAccessPermissions");
}
private static bool IsFullTrust(PermissionSet perms)
{
if (perms != null)
{
return perms.IsUnrestricted();
}
return true;
}
public void PermissionStateUnrestricted ()
{
PermissionSet ps = new PermissionSet (PermissionState.Unrestricted);
Assert ("PermissionStateUnrestricted.IsUnrestricted", ps.IsUnrestricted ());
Assert ("PermissionStateUnrestricted.IsEmpty", !ps.IsEmpty ());
Assert ("PermissionStateUnrestricted.IsReadOnly", !ps.IsReadOnly);
AssertEquals ("PermissionStateUnrestricted.ToXml().ToString()==ToString()", ps.ToXml ().ToString (), ps.ToString ());
}
public void PermissionStateUnrestricted ()
{
PermissionSet ps = new PermissionSet (PermissionState.Unrestricted);
Assert.IsTrue (ps.IsUnrestricted (), "PermissionStateUnrestricted.IsUnrestricted");
Assert.IsTrue (!ps.IsEmpty (), "PermissionStateUnrestricted.IsEmpty");
Assert.IsTrue (!ps.IsReadOnly, "PermissionStateUnrestricted.IsReadOnly");
Assert.AreEqual (ps.ToXml ().ToString (), ps.ToString (), "PermissionStateUnrestricted.ToXml().ToString()==ToString()");
Assert.IsTrue (!ps.ContainsNonCodeAccessPermissions (), "ContainsNonCodeAccessPermissions");
}
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
{
if (pSet != null)
{
pSet.CheckDecoded(demand, permToken);
CodeAccessPermission asserted = (CodeAccessPermission) pSet.GetPermission(demand);
try
{
if (pSet.IsUnrestricted() || demand.CheckAssert(asserted))
{
return false;
}
}
catch (ArgumentException)
{
}
}
return true;
}
[System.Security.SecurityCritical] // auto-generated
internal PermissionSetTriple UpdateAssert(PermissionSet in_a)
{
PermissionSetTriple retTriple = null;
if (in_a != null)
{
Contract.Assert((!in_a.IsUnrestricted() || RefusedSet == null), "Cannot be unrestricted or refused must be null");
// if we're already asserting in_a, nothing to do
if (in_a.IsSubsetOf(AssertSet))
return null;
PermissionSet retPs;
if (GrantSet != null)
retPs = in_a.Intersect(GrantSet); // Restrict the assert to what we've already been granted
else
{
GrantSet = new PermissionSet(true);
retPs = in_a.Copy(); // Currently unrestricted Grant: assert the whole assert set
}
bool bFailedToCompress = false;
// removes anything that is already in the refused set from the assert set
if (RefusedSet != null)
{
retPs = PermissionSet.RemoveRefusedPermissionSet(retPs, RefusedSet, out bFailedToCompress);
}
if (!bFailedToCompress)
bFailedToCompress = PermissionSet.IsIntersectingAssertedPermissions(retPs, AssertSet);
if (bFailedToCompress)
{
retTriple = new PermissionSetTriple(this);
this.Reset();
this.GrantSet = retTriple.GrantSet.Copy();
}
if (AssertSet == null)
AssertSet = retPs;
else
AssertSet.InplaceUnion(retPs);
}
return retTriple;
}
internal static QuickCacheEntryType GenerateQuickCache(PolicyLevel level)
{
QuickCacheEntryType[] ExecutionMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.ExecutionZoneMyComputer,
QuickCacheEntryType.ExecutionZoneIntranet,
QuickCacheEntryType.ExecutionZoneInternet,
QuickCacheEntryType.ExecutionZoneTrusted,
QuickCacheEntryType.ExecutionZoneUntrusted };
QuickCacheEntryType[] UnmanagedMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.UnmanagedZoneMyComputer,
QuickCacheEntryType.UnmanagedZoneIntranet,
QuickCacheEntryType.UnmanagedZoneInternet,
QuickCacheEntryType.UnmanagedZoneTrusted,
QuickCacheEntryType.UnmanagedZoneUntrusted };
QuickCacheEntryType[] BindingRedirectMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.BindingRedirectsZoneMyComputer,
QuickCacheEntryType.BindingRedirectsZoneIntranet,
QuickCacheEntryType.BindingRedirectsZoneInternet,
QuickCacheEntryType.BindingRedirectsZoneTrusted,
QuickCacheEntryType.BindingRedirectsZoneUntrusted };
QuickCacheEntryType[] SkipVerificationMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.SkipVerificationZoneMyComputer,
QuickCacheEntryType.SkipVerificationZoneIntranet,
QuickCacheEntryType.SkipVerificationZoneInternet,
QuickCacheEntryType.SkipVerificationZoneTrusted,
QuickCacheEntryType.SkipVerificationZoneUntrusted };
QuickCacheEntryType[] FullTrustMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.FullTrustZoneMyComputer,
QuickCacheEntryType.FullTrustZoneIntranet,
QuickCacheEntryType.FullTrustZoneInternet,
QuickCacheEntryType.FullTrustZoneTrusted,
QuickCacheEntryType.FullTrustZoneUntrusted };
QuickCacheEntryType accumulator = (QuickCacheEntryType)0;
SecurityPermission execPerm = new SecurityPermission(SecurityPermissionFlag.Execution);
SecurityPermission unmanagedPerm = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
SecurityPermission skipVerifPerm = new SecurityPermission(SecurityPermissionFlag.SkipVerification);
SecurityPermission bindingRedirectPerm = new SecurityPermission(SecurityPermissionFlag.BindingRedirects);
Evidence noEvidence = new Evidence();
PermissionSet policy = null;
try
{
policy = level.Resolve(noEvidence).PermissionSet;
if (policy.Contains(execPerm))
{
accumulator |= QuickCacheEntryType.ExecutionAll;
}
if (policy.Contains(unmanagedPerm))
{
accumulator |= QuickCacheEntryType.UnmanagedAll;
}
if (policy.Contains(skipVerifPerm))
{
accumulator |= QuickCacheEntryType.SkipVerificationAll;
}
if (policy.Contains(bindingRedirectPerm))
{
accumulator |= QuickCacheEntryType.BindingRedirectsAll;
}
if (policy.IsUnrestricted())
{
accumulator |= QuickCacheEntryType.FullTrustAll;
}
}
catch (PolicyException)
{
}
Array zones = Enum.GetValues(typeof(SecurityZone));
for (int i = 0; i < zones.Length; ++i)
{
if (((SecurityZone)zones.GetValue(i)) == SecurityZone.NoZone)
{
continue;
}
Evidence zoneEvidence = new Evidence();
zoneEvidence.AddHost(new Zone((SecurityZone)zones.GetValue(i)));
PermissionSet zonePolicy = null;
try
{
zonePolicy = level.Resolve(zoneEvidence).PermissionSet;
if (zonePolicy.Contains(execPerm))
{
accumulator |= ExecutionMap[i];
}
if (zonePolicy.Contains(unmanagedPerm))
{
accumulator |= UnmanagedMap[i];
}
if (zonePolicy.Contains(skipVerifPerm))
{
accumulator |= SkipVerificationMap[i];
}
if (zonePolicy.Contains(bindingRedirectPerm))
{
accumulator |= BindingRedirectMap[i];
}
if (zonePolicy.IsUnrestricted())
{
accumulator |= FullTrustMap[i];
}
}
catch (PolicyException)
{
}
}
return(accumulator);
}
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if (grantSet != null && grantSet.IsUnrestricted() && (deniedSet == null || deniedSet.IsEmpty()))
{
return(-1);
}
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] accessPermissionArray = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.AllFlags | ReflectionPermissionFlag.RestrictedMemberAccess;
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
accessPermissionArray[index] = SecurityManager.s_UnrestrictedSpecialPermissionMap[index];
}
}
else
{
SecurityPermission securityPermission = grantSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags = securityPermission.Flags;
}
ReflectionPermission reflectionPermission = grantSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags = reflectionPermission.Flags;
}
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
accessPermissionArray[index] = grantSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index)
{
accessPermissionArray[index] = (CodeAccessPermission)null;
}
}
else
{
SecurityPermission securityPermission = deniedSet.GetPermission(6) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags &= ~securityPermission.Flags;
}
ReflectionPermission reflectionPermission = deniedSet.GetPermission(4) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags &= ~reflectionPermission.Flags;
}
for (int index = 0; index < SecurityManager.s_BuiltInPermissionIndexMap.Length; ++index)
{
CodeAccessPermission accessPermission = deniedSet.GetPermission(SecurityManager.s_BuiltInPermissionIndexMap[index][0]) as CodeAccessPermission;
if (accessPermission != null && !accessPermission.IsSubsetOf((IPermission)null))
{
accessPermissionArray[index] = (CodeAccessPermission)null;
}
}
}
}
int specialFlags = SecurityManager.MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (specialFlags != -1)
{
for (int index = 0; index < accessPermissionArray.Length; ++index)
{
if (accessPermissionArray[index] != null && ((IUnrestrictedPermission)accessPermissionArray[index]).IsUnrestricted())
{
specialFlags |= 1 << SecurityManager.s_BuiltInPermissionIndexMap[index][1];
}
}
}
return(specialFlags);
}
public void PermissionSetNamedPermissionSet ()
{
NamedPermissionSet nps = new NamedPermissionSet ("Test", PermissionState.Unrestricted);
PermissionSet ps = new PermissionSet (nps);
Assert.IsTrue (ps.IsUnrestricted (), "IsUnrestricted");
Assert.IsTrue (!ps.ContainsNonCodeAccessPermissions (), "ContainsNonCodeAccessPermissions");
}
// Returns true if it is necessary to continue compression,
// or false if there is no value in continuing.
public bool AppendPermissions(PermissionSet permSet, int type)
{
if (permSet == null)
{
// The null permission set has no meaning accept for the case of
// PermitOnly and Checked where it will make all demands fail (except
// demands for empty permissions).
if (type == PermissionList.MatchChecked || type == PermissionList.MatchPermitOnly)
{
TerminateSet( type );
m_unrestricted = false;
return false;
}
return true;
}
if (((m_state & (PermissionListSetState.UnrestrictedAssert | PermissionListSetState.UnrestrictedDeny)) == 0))
{
if (permSet.IsUnrestricted())
{
switch (type)
{
case PermissionList.MatchDeny:
m_state |= PermissionListSetState.UnrestrictedDeny;
m_unrestricted = false;
TerminateSet( type );
break;
case PermissionList.MatchAssert:
m_state |= PermissionListSetState.UnrestrictedAssert;
TerminateSet( type );
break;
case PermissionList.MatchPermitOnly:
case PermissionList.MatchChecked:
break;
default:
throw new ArgumentException(Environment.GetResourceString("Argument_InvalidPermissionListType"));
}
}
else
{
// Handle the "unrestricted" permissions.
AppendTokenBasedSets( this.m_unrestrictedPermSet, permSet.m_unrestrictedPermSet, type, true );
if (type != PermissionList.MatchAssert && type != PermissionList.MatchDeny)
m_unrestricted = false;
}
}
// Handle the "normal" permissions
AppendTokenBasedSets( this.m_normalPermSet, permSet.m_normalPermSet, type, false );
return true;
}
[System.Security.SecurityCritical] // auto-generated
#pragma warning disable 618
internal static bool CheckHelper(PermissionSet grantedSet,
#pragma warning restore 618
PermissionSet refusedSet,
CodeAccessPermission demand,
PermissionToken permToken,
RuntimeMethodHandleInternal rmh,
Object assemblyOrString,
SecurityAction action,
bool throwException)
{
// We should never get here with a null demand
Contract.Assert(demand != null, "Should not reach here with a null demand");
#if _DEBUG && FEATURE_CAS_POLICY
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Refused: ");
DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif // _DEBUG && FEATURE_CAS_POLICY
if (permToken == null)
permToken = PermissionToken.GetToken(demand);
if (grantedSet != null)
grantedSet.CheckDecoded(permToken.m_index);
if (refusedSet != null)
refusedSet.CheckDecoded(permToken.m_index);
// If PermissionSet is null, then module does not have Permissions... Fail check.
bool bThreadSecurity = SecurityManager._SetThreadSecurity(false);
try
{
if (grantedSet == null)
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
else if (!grantedSet.IsUnrestricted())
{
// If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
Contract.Assert(demand != null,"demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// Make sure the demand has been granted
if (!demand.CheckDemand( grantedPerm ))
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
// Make the sure the permission is not refused.
if (refusedSet != null)
{
CodeAccessPermission refusedPerm =
(CodeAccessPermission)refusedSet.GetPermission(permToken);
if (refusedPerm != null)
{
if (!refusedPerm.CheckDeny(demand))
{
#if _DEBUG
if (debug)
DEBUG_OUT( "Permission found in refused set" );
#endif
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
if (refusedSet.IsUnrestricted())
{
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
}
}
catch (SecurityException)
{
throw;
}
catch (Exception)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (throwException)
ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand);
else
return false;
}
finally
{
if (bThreadSecurity)
SecurityManager._SetThreadSecurity(true);
}
DEBUG_OUT( "Check passed" );
return true;
}
public bool IsSubsetOf (PermissionSet target)
{
// if target is empty we must be empty too
if ((target == null) || (target.IsEmpty ()))
return this.IsEmpty ();
// all permissions support unrestricted in 2.0
if (target.IsUnrestricted ())
return true;
if (this.IsUnrestricted ())
return false;
if (this.IsUnrestricted () && ((target == null) || !target.IsUnrestricted ()))
return false;
// if each of our permission is (a) present and (b) a subset of target
foreach (IPermission p in list) {
// non CAS permissions must be evaluated for unrestricted
Type t = p.GetType ();
IPermission i = null;
if (target.IsUnrestricted () && (p is CodeAccessPermission) && (p is IUnrestrictedPermission)) {
i = (IPermission) Activator.CreateInstance (t, psUnrestricted);
} else {
i = target.GetPermission (t);
}
if (!p.IsSubsetOf (i))
return false; // not a subset (condition b)
}
return true;
}
public PermissionSet Intersect(PermissionSet other)
{
if (other == null || other.FastIsEmpty() || this.FastIsEmpty())
{
return null;
}
int thisMax = this.m_permSet == null ? -1 : this.m_permSet.GetMaxUsedIndex();
int otherMax = other.m_permSet == null ? -1 : other.m_permSet.GetMaxUsedIndex();
int minMax = thisMax < otherMax ? thisMax : otherMax;
if (this.IsUnrestricted() && minMax < otherMax)
{
minMax = otherMax;
this.CheckSet();
}
if (other.IsUnrestricted() && minMax < thisMax)
{
minMax = thisMax;
other.CheckSet();
}
PermissionSet pset = new PermissionSet( false );
if (minMax > -1)
{
pset.m_permSet = new TokenBasedSet();
}
for (int i = 0; i <= minMax; ++i)
{
Object thisObj = this.m_permSet.GetItem( i );
IPermission thisPerm = thisObj as IPermission;
#if FEATURE_CAS_POLICY
ISecurityElementFactory thisElem = thisObj as ISecurityElementFactory;
#endif // FEATURE_CAS_POLICY
Object otherObj = other.m_permSet.GetItem( i );
IPermission otherPerm = otherObj as IPermission;
#if FEATURE_CAS_POLICY
ISecurityElementFactory otherElem = otherObj as ISecurityElementFactory;
#endif // FEATURE_CAS_POLICY
if (thisObj == null && otherObj == null)
continue;
#if FEATURE_CAS_POLICY
if (thisElem != null && otherElem != null)
{
bool copyOther = true;
bool copyThis = true;
SecurityElement newElem = new SecurityElement( s_str_PermissionIntersection );
newElem.AddAttribute( "class", otherElem.Attribute( "class" ) );
if (this.IsUnrestricted())
{
SecurityElement newElemUU = new SecurityElement( s_str_PermissionUnrestrictedUnion );
newElemUU.AddAttribute( "class", thisElem.Attribute( "class" ) );
SafeChildAdd( newElemUU, thisElem, true );
copyThis = false;
thisElem = newElemUU;
}
if (other.IsUnrestricted())
{
SecurityElement newElemUU = new SecurityElement( s_str_PermissionUnrestrictedUnion );
newElemUU.AddAttribute( "class", otherElem.Attribute( "class" ) );
SafeChildAdd( newElemUU, otherElem, true );
copyOther = false;
otherElem = newElemUU;
}
SafeChildAdd( newElem, otherElem, copyOther );
SafeChildAdd( newElem, thisElem, copyThis );
pset.m_permSet.SetItem( i, newElem );
}
else
#endif // FEATURE_CAS_POLICY
if (thisObj == null)
{
if (this.m_Unrestricted)
{
#if FEATURE_CAS_POLICY
if (otherElem != null)
{
SecurityElement newElem = new SecurityElement( s_str_PermissionUnrestrictedIntersection );
newElem.AddAttribute( "class", otherElem.Attribute( "class" ) );
SafeChildAdd( newElem, otherElem, true );
pset.m_permSet.SetItem( i, newElem );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
else
#endif // FEATURE_CAS_POLICY
if (otherPerm != null)
{
PermissionToken token = (PermissionToken)PermissionToken.s_tokenSet.GetItem( i );
if ((token.m_type & PermissionTokenType.IUnrestricted) != 0)
{
pset.m_permSet.SetItem( i, otherPerm.Copy() );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
}
}
}
else if (otherObj == null)
{
if (other.m_Unrestricted)
{
#if FEATURE_CAS_POLICY
if (thisElem != null)
{
SecurityElement newElem = new SecurityElement( s_str_PermissionUnrestrictedIntersection );
newElem.AddAttribute( "class", thisElem.Attribute( "class" ) );
SafeChildAdd( newElem, thisElem, true );
pset.m_permSet.SetItem( i, newElem );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
else
#endif // FEATURE_CAS_POLICY
if (thisPerm != null)
{
PermissionToken token = (PermissionToken)PermissionToken.s_tokenSet.GetItem( i );
if ((token.m_type & PermissionTokenType.IUnrestricted) != 0)
{
pset.m_permSet.SetItem( i, thisPerm.Copy() );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
}
}
}
else
{
#if FEATURE_CAS_POLICY
if (thisElem != null)
thisPerm = this.CreatePermission(thisElem, i);
if (otherElem != null)
otherPerm = other.CreatePermission(otherElem, i);
#endif // FEATURE_CAS_POLICY
IPermission intersectPerm;
if (thisPerm == null)
intersectPerm = otherPerm;
else if(otherPerm == null)
intersectPerm = thisPerm;
else
intersectPerm = thisPerm.Intersect( otherPerm );
pset.m_permSet.SetItem( i, intersectPerm );
Contract.Assert( intersectPerm == null || PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
}
pset.m_Unrestricted = this.m_Unrestricted && other.m_Unrestricted;
if (pset.FastIsEmpty())
return null;
else
return pset;
}
internal void InplaceIntersect( PermissionSet other )
{
Exception savedException = null;
m_CheckedForNonCas = false;
if (this == other)
return;
if (other == null || other.FastIsEmpty())
{
// If the other is empty or null, make this empty.
Reset();
return;
}
if (this.FastIsEmpty())
return;
int maxMax = this.m_permSet == null ? -1 : this.m_permSet.GetMaxUsedIndex();
int otherMax = other.m_permSet == null ? -1 : other.m_permSet.GetMaxUsedIndex();
if (this.IsUnrestricted() && maxMax < otherMax)
{
maxMax = otherMax;
this.CheckSet();
}
if (other.IsUnrestricted())
{
other.CheckSet();
}
for (int i = 0; i <= maxMax; ++i)
{
Object thisObj = this.m_permSet.GetItem( i );
IPermission thisPerm = thisObj as IPermission;
#if FEATURE_CAS_POLICY
ISecurityElementFactory thisElem = thisObj as ISecurityElementFactory;
#endif // FEATURE_CAS_POLICY
Object otherObj = other.m_permSet.GetItem( i );
IPermission otherPerm = otherObj as IPermission;
#if FEATURE_CAS_POLICY
ISecurityElementFactory otherElem = otherObj as ISecurityElementFactory;
#endif // FEATURE_CAS_POLICY
if (thisObj == null && otherObj == null)
continue;
#if FEATURE_CAS_POLICY
if (thisElem != null && otherElem != null)
{
// If we already have an intersection node, just add another child
if (thisElem.GetTag().Equals( s_str_PermissionIntersection ) ||
thisElem.GetTag().Equals( s_str_PermissionUnrestrictedIntersection ))
{
Contract.Assert( thisElem is SecurityElement, "SecurityElement expected" );
SafeChildAdd( (SecurityElement)thisElem, otherElem, true );
}
// If either set is unrestricted, intersect the nodes unrestricted
else
{
bool copyOther = true;
if (this.IsUnrestricted())
{
SecurityElement newElemUU = new SecurityElement( s_str_PermissionUnrestrictedUnion );
newElemUU.AddAttribute( "class", thisElem.Attribute( "class" ) );
SafeChildAdd( newElemUU, thisElem, false );
thisElem = newElemUU;
}
if (other.IsUnrestricted())
{
SecurityElement newElemUU = new SecurityElement( s_str_PermissionUnrestrictedUnion );
newElemUU.AddAttribute( "class", otherElem.Attribute( "class" ) );
SafeChildAdd( newElemUU, otherElem, true );
otherElem = newElemUU;
copyOther = false;
}
SecurityElement newElem = new SecurityElement( s_str_PermissionIntersection );
newElem.AddAttribute( "class", thisElem.Attribute( "class" ) );
SafeChildAdd( newElem, thisElem, false );
SafeChildAdd( newElem, otherElem, copyOther );
this.m_permSet.SetItem( i, newElem );
}
}
else
#endif // FEATURE_CAS_POLICY
if (thisObj == null)
{
// There is no object in <this>, so intersection is empty except for IUnrestrictedPermissions
if (this.IsUnrestricted())
{
#if FEATURE_CAS_POLICY
if (otherElem != null)
{
SecurityElement newElem = new SecurityElement( s_str_PermissionUnrestrictedIntersection );
newElem.AddAttribute( "class", otherElem.Attribute( "class" ) );
SafeChildAdd( newElem, otherElem, true );
this.m_permSet.SetItem( i, newElem );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
else
#endif // FEATURE_CAS_POLICY
{
PermissionToken token = (PermissionToken)PermissionToken.s_tokenSet.GetItem( i );
if ((token.m_type & PermissionTokenType.IUnrestricted) != 0)
{
this.m_permSet.SetItem( i, otherPerm.Copy() );
Contract.Assert( PermissionToken.s_tokenSet.GetItem( i ) != null, "PermissionToken should already be assigned" );
}
}
}
}
else if (otherObj == null)
{
if (other.IsUnrestricted())
{
#if FEATURE_CAS_POLICY
if (thisElem != null)
{
SecurityElement newElem = new SecurityElement( s_str_PermissionUnrestrictedIntersection );
newElem.AddAttribute( "class", thisElem.Attribute( "class" ) );
SafeChildAdd( newElem, thisElem, false );
this.m_permSet.SetItem( i, newElem );
}
else
#endif // FEATURE_CAS_POLICY
{
PermissionToken token = (PermissionToken)PermissionToken.s_tokenSet.GetItem( i );
if ((token.m_type & PermissionTokenType.IUnrestricted) == 0)
this.m_permSet.SetItem( i, null );
}
}
else
{
this.m_permSet.SetItem( i, null );
}
}
else
{
#if FEATURE_CAS_POLICY
if (thisElem != null)
thisPerm = this.CreatePermission(thisElem, i);
if (otherElem != null)
otherPerm = other.CreatePermission(otherElem, i);
#endif // FEATURE_CAS_POLICY
try
{
IPermission intersectPerm;
if (thisPerm == null)
intersectPerm = otherPerm;
else if(otherPerm == null)
intersectPerm = thisPerm;
else
intersectPerm = thisPerm.Intersect( otherPerm );
this.m_permSet.SetItem( i, intersectPerm );
}
catch (Exception e)
{
if (savedException == null)
savedException = e;
}
}
}
this.m_Unrestricted = this.m_Unrestricted && other.m_Unrestricted;
if (savedException != null)
throw savedException;
}
[System.Security.SecurityCritical] // auto-generated
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet requested = null;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
{
requested = optional;
}
else
{
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
}
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted())
{
requested.AddPermission(executionSecurityPermission);
}
// If we aren't passed any evidence, just make an empty object
if (evidence == null)
{
evidence = new Evidence();
}
allowed = polmgr.Resolve(evidence);
// Intersect the grant with the RequestOptional
if (requested != null)
{
allowed.InplaceIntersect(requested);
}
// Check that we were granted the right to execute.
if (checkExecutionPermission)
{
if (!allowed.Contains(executionSecurityPermission) ||
(denyPset != null && denyPset.Contains(executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException);
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
allowed.IgnoreTypeLoadFailures = true;
return(allowed);
}
[System.Security.SecurityCritical] // auto-generated
internal void SetAssert(PermissionSet permSet)
{
m_assertions = permSet.Copy();
m_AssertFT = m_AssertFT || m_assertions.IsUnrestricted();
IncrementAssertCount();
}
public PermissionSet Intersect (PermissionSet other)
{
// no intersection possible
if ((other == null) || (other.IsEmpty ()) || (this.IsEmpty ()))
return null;
PermissionState state = PermissionState.None;
if (this.IsUnrestricted () && other.IsUnrestricted ())
state = PermissionState.Unrestricted;
PermissionSet interSet = null;
// much simpler with 2.0
if (state == PermissionState.Unrestricted) {
interSet = new PermissionSet (state);
} else if (this.IsUnrestricted ()) {
interSet = other.Copy ();
} else if (other.IsUnrestricted ()) {
interSet = this.Copy ();
} else {
interSet = new PermissionSet (state);
InternalIntersect (interSet, this, other, false);
}
return interSet;
}
public void CompilePlugins(PermissionSet pluginSandboxPermissions, List<String> ignoredPluginClassNames = null) {
try {
if (File.Exists(Path.Combine(this.PluginBaseDirectory, "PluginCache.xml")) == true) {
WritePluginConsole("Loading plugin cache..");
try {
this.PluginCache = XDocument.Load(Path.Combine(this.PluginBaseDirectory, "PluginCache.xml")).Root.FromXElement<PluginCache>();
}
catch (Exception e) {
WritePluginConsole("Error loading plugin cache: {0}", e.Message);
}
}
// Recover from exceptions or logic errors if the document parsed correctly, but didn't deserialize correctly.
if (this.PluginCache == null) {
this.PluginCache = new PluginCache();
}
// Make sure we ignore any plugins passed in. These won't even be loaded again.
if (ignoredPluginClassNames != null) {
IgnoredPluginClassNames = ignoredPluginClassNames;
}
// Clear out all invocations if this is a reload.
Invocations.Clear();
WritePluginConsole("Preparing plugins directory..");
PreparePluginsDirectory();
WritePluginConsole("Moving legacy plugins..");
MoveLegacyPlugins();
WritePluginConsole("Creating compiler..");
// CodeDomProvider pluginsCodeDomProvider = CodeDomProvider.CreateProvider("CSharp");
var providerOptions = new Dictionary<String, String>();
providerOptions.Add("CompilerVersion", "v3.5");
CodeDomProvider pluginsCodeDomProvider = new CSharpCodeProvider(providerOptions);
WritePluginConsole("Configuring compiler..");
CompilerParameters parameters = GenerateCompilerParameters();
// AppDomainSetup domainSetup = new AppDomainSetup() { ApplicationBase = this.PluginBaseDirectory };
// Start of XpKillers mono workaround
AppDomainSetup domainSetup = null;
Type t = Type.GetType("Mono.Runtime");
if (t != null) {
//Console.WriteLine("You are running with the Mono VM");
WritePluginConsole("Running with Mono VM..");
//AppDomain.CurrentDomain.BaseDirectory
domainSetup = new AppDomainSetup() {
ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
};
domainSetup.PrivateBinPath = PluginBaseDirectory;
}
else {
// Console.WriteLine("You are running something else (native .Net)");
WritePluginConsole("Running with native .Net..");
domainSetup = new AppDomainSetup() {
ApplicationBase = PluginBaseDirectory
};
}
// Workaround end
WritePluginConsole("Building sandbox..");
var hostEvidence = new Evidence();
hostEvidence.AddHost(new Zone(SecurityZone.MyComputer));
AppDomainSandbox = AppDomain.CreateDomain(ProconClient.HostName + ProconClient.Port + "Engine", hostEvidence, domainSetup, pluginSandboxPermissions);
WritePluginConsole("Configuring sandbox..");
// create the factory class in the secondary app-domain
PluginFactory = (CPRoConPluginLoaderFactory) AppDomainSandbox.CreateInstance("PRoCon.Core", "PRoCon.Core.Plugin.CPRoConPluginLoaderFactory").Unwrap();
PluginCallbacks = new CPRoConPluginCallbacks(ProconClient.ExecuteCommand, ProconClient.GetAccountPrivileges, ProconClient.GetVariable, ProconClient.GetSvVariable, ProconClient.GetMapDefines, ProconClient.TryGetLocalized, RegisterCommand, UnregisterCommand, GetRegisteredCommands, ProconClient.GetWeaponDefines, ProconClient.GetSpecializationDefines, ProconClient.Layer.GetLoggedInAccounts, RegisterPluginEvents);
WritePluginConsole("Compiling and loading plugins..");
var pluginsDirectoryInfo = new DirectoryInfo(PluginBaseDirectory);
foreach (FileInfo pluginFile in pluginsDirectoryInfo.GetFiles("*.cs")) {
string className = Regex.Replace(pluginFile.Name, "\\.cs$", "");
if (IgnoredPluginClassNames.Contains(className) == false) {
CompilePlugin(pluginFile, className, pluginsCodeDomProvider, parameters);
LoadPlugin(className, PluginFactory, pluginSandboxPermissions.IsUnrestricted());
}
else {
WritePluginConsole("Compiling {0}... ^1^bIgnored", className);
}
}
XDocument pluginCacheDocument = new XDocument(this.PluginCache.ToXElement());
pluginCacheDocument.Save(Path.Combine(this.PluginBaseDirectory, "PluginCache.xml"));
pluginsCodeDomProvider.Dispose();
}
catch (Exception e) {
WritePluginConsole(e.Message);
}
}
public PermissionSet Union (PermissionSet other)
{
if (other == null)
return this.Copy ();
PermissionSet copy = null;
if (this.IsUnrestricted () || other.IsUnrestricted ()) {
// there are no child elements in unrestricted permission sets
return new PermissionSet (PermissionState.Unrestricted);
} else {
copy = this.Copy ();
// PermissionState.None -> copy all permissions
foreach (IPermission p in other.list) {
copy.AddPermission (p);
}
}
return copy;
}
public bool CheckSetDemandInternal(PermissionSet permSet, out Exception exception, bool bNeedAlteredSet, out PermissionSet alteredSet)
{
alteredSet = null;
BCLDebug.Assert(permSet != null, "permSet != null");
// If the compressed stack is not unrestricted and the demand is
// then we just throw an exception.
if (!this.m_unrestricted && permSet.IsUnrestricted())
{
exception = new SecurityException(Environment.GetResourceString("Security_GenericNoType") );
return false;
}
TokenBasedSet normalAlteredSet = null;
TokenBasedSet unrestrictedAlteredSet = null;
// Check the "normal" permissions since we always know we have to check them.
bool normalContinue = CheckTokenBasedSets( this.m_normalPermSet, permSet.m_normalPermSet, false, PermissionListSetState.None, out exception, bNeedAlteredSet, out normalAlteredSet );
if (exception != null)
{
return false;
}
bool unrestrictedContinue = CheckTokenBasedSets( this.m_unrestrictedPermSet, permSet.m_unrestrictedPermSet, m_unrestricted, m_state, out exception, bNeedAlteredSet, out unrestrictedAlteredSet );
if (exception != null)
{
return false;
}
if ((m_state & PermissionListSetState.UnrestrictedAssert) != 0)
{
// If we are unrestricted, we want to terminate the stack walk based
// on us having an unrestricted assert.
if (bNeedAlteredSet)
unrestrictedAlteredSet = new TokenBasedSet( 1, 4 );
unrestrictedContinue = false;
}
if (normalContinue || unrestrictedContinue)
{
if (!bNeedAlteredSet)
return true;
// If we need to continue, let's build the altered set. We only
// need to do this if 1) our original demand is not unrestricted
// and 2) if we have altered token based sets.
if (!permSet.IsUnrestricted())
{
if (normalAlteredSet != null || unrestrictedAlteredSet != null)
{
alteredSet = new PermissionSet( false );
if (normalAlteredSet != null)
alteredSet.m_normalPermSet = normalAlteredSet;
else
alteredSet.m_normalPermSet = CopyTokenBasedSet( permSet.m_normalPermSet );
if (unrestrictedAlteredSet != null)
alteredSet.m_unrestrictedPermSet = unrestrictedAlteredSet;
else
alteredSet.m_unrestrictedPermSet = CopyTokenBasedSet( permSet.m_unrestrictedPermSet );
if (alteredSet.IsEmpty())
return false;
}
}
return true;
}
else
{
return false;
}
}
private void Compare (string msg, PermissionSet ps, bool unrestricted, int count)
{
Assert.IsNotNull (ps, msg + "-NullCheck");
Assert.IsTrue ((ps.IsUnrestricted () == unrestricted), msg + "-State");
Assert.AreEqual (count, ps.Count, msg + "-Count");
}
/// <include file='doc\IsolatedStorageFile.uex' path='docs/doc[@for="IsolatedStorageFile.GetPermission"]/*' />
protected override IsolatedStoragePermission GetPermission(
PermissionSet ps)
{
if (ps == null)
return null;
else if (ps.IsUnrestricted())
return new IsolatedStorageFilePermission(
PermissionState.Unrestricted);
return (IsolatedStoragePermission) ps.
GetPermission(typeof(IsolatedStorageFilePermission));
}
public void SetPermission_None ()
{
PermissionSet ps = new PermissionSet (PermissionState.None);
Assert.AreEqual (0, ps.Count, "Empty");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None");
SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted);
SecurityPermission result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (1, ps.Count, "SecurityPermission");
Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None-2");
sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain);
result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (1, ps.Count, "SecurityPermission-2");
Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags");
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
ZoneIdentityPermission zipr = (ZoneIdentityPermission) ps.SetPermission (zip);
Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone");
zip = new ZoneIdentityPermission (SecurityZone.Intranet);
zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone");
}
public void AddPermission_PermissionUnrestricted ()
{
PermissionSet ps = new PermissionSet (PermissionState.None);
SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted);
IPermission result = ps.AddPermission (sp);
Assert.IsNotNull (result, "Add(SecurityPermission)");
Assert.AreEqual (SecurityPermissionFlag.AllFlags, (result as SecurityPermission).Flags, "SecurityPermission");
Assert.AreEqual (1, ps.Count, "1");
Assert.IsTrue (!ps.IsUnrestricted (), "State");
}
internal static IPermission CheckPermissionSet (AppDomain ad, PermissionSet ps)
{
if ((ps == null) || ps.IsEmpty ())
return null;
PermissionSet granted = ad.GrantedPermissionSet;
if (granted == null)
return null;
if (granted.IsUnrestricted ())
return null;
if (ps.IsUnrestricted ())
return new SecurityPermission (SecurityPermissionFlag.NoFlags);
foreach (IPermission p in ps) {
if (p is CodeAccessPermission) {
CodeAccessPermission grant = (CodeAccessPermission) granted.GetPermission (p.GetType ());
if (grant == null) {
if (!granted.IsUnrestricted () || !(p is IUnrestrictedPermission)) {
if (!p.IsSubsetOf (null))
return p;
}
} else if (!p.IsSubsetOf (grant)) {
return p;
}
} else {
// but non-CAS will throw on failure...
try {
p.Demand ();
}
catch (SecurityException) {
// ... so we catch
return p;
}
}
}
return null;
}
private static void CheckSetHelper(PermissionSet grants,
PermissionSet denied,
PermissionSet demands)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grants.ToXml().ToString());
DEBUG_OUT("Denied: ");
DEBUG_OUT(denied!=null ? denied.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demands!=null ? demands.ToXml().ToString() : "<null>");
}
#endif
if (demands == null || demands.IsEmpty())
return; // demanding the empty set always passes.
if (grants == null)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
if (!grants.IsUnrestricted() || (denied != null))
{
if (demands.IsUnrestricted())
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
CheckTokenBasedSetHelper( grants.IsUnrestricted(), grants.m_unrestrictedPermSet, denied != null ? denied.m_unrestrictedPermSet : null, demands.m_unrestrictedPermSet );
}
CheckTokenBasedSetHelper( false, grants.m_normalPermSet, denied != null ? denied.m_normalPermSet : null, demands.m_normalPermSet );
}
internal static int GetSpecialFlags(PermissionSet grantSet, PermissionSet deniedSet)
{
if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty()))
{
return(-1);
}
else
{
SecurityPermission securityPermission = null;
#pragma warning disable 618
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
ReflectionPermission reflectionPermission = null;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6];
if (grantSet != null)
{
if (grantSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore;
for (int i = 0; i < specialPermissions.Length; i++)
{
specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i];
}
}
else
{
securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags = securityPermission.Flags;
}
reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags = reflectionPermission.Flags;
}
for (int i = 0; i < specialPermissions.Length; i++)
{
specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null)
{
if (deniedSet.IsUnrestricted())
{
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++)
{
specialPermissions[i] = null;
}
}
else
{
securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
{
securityPermissionFlags &= ~securityPermission.Flags;
}
reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
{
reflectionPermissionFlags &= ~reflectionPermission.Flags;
}
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++)
{
CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null))
{
specialPermissions[i] = null; // we don't care about the exact value here.
}
}
}
}
int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (flags != -1)
{
for (int i = 0; i < specialPermissions.Length; i++)
{
if (specialPermissions[i] != null && ((IUnrestrictedPermission)specialPermissions[i]).IsUnrestricted())
{
flags |= (1 << (int)s_BuiltInPermissionIndexMap[i][1]);
}
}
}
return(flags);
}
}
public void PermissionSetPermissionSet ()
{
FileDialogPermission fdp = new FileDialogPermission (FileDialogPermissionAccess.Open);
PermissionSet ps1 = new PermissionSet (PermissionState.None);
ps1.AddPermission (fdp);
Assert.IsTrue (!ps1.IsEmpty (), "ps1.IsEmpty");
PermissionSet ps = new PermissionSet (ps1);
Assert.IsTrue (!ps.IsUnrestricted (), "PermissionSetPermissionSet.IsUnrestricted");
Assert.IsTrue (!ps.IsEmpty (), "PermissionSetPermissionSet.IsEmpty");
Assert.IsTrue (!ps.IsReadOnly, "PermissionSetPermissionSet.IsReadOnly");
Assert.AreEqual (ps.ToXml ().ToString (), ps.ToString (), "PermissionSetPermissionSet.ToXml().ToString()==ToString()");
Assert.IsTrue (!ps.ContainsNonCodeAccessPermissions (), "ContainsNonCodeAccessPermissions");
}
private static void CheckHelper(PermissionSet grantedSet,
PermissionSet deniedSet,
CodeAccessPermission demand,
PermissionToken permToken)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Granted: ");
DEBUG_OUT(grantedSet.ToXml().ToString());
DEBUG_OUT("Denied: ");
DEBUG_OUT(deniedSet!=null ? deniedSet.ToXml().ToString() : "<null>");
DEBUG_OUT("Demanded: ");
DEBUG_OUT(demand.ToString());
}
#endif
if (permToken == null)
permToken = PermissionToken.GetToken(demand);
// If PermissionSet is null, then module does not have Permissions... Fail check.
try
{
if (grantedSet == null)
{
throw new SecurityException(Environment.GetResourceString("Security_GenericNoType"));
}
else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission))
{
// If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted
// variety, we need to do the proper callback.
BCLDebug.Assert(demand != null,"demand != null");
// Find the permission of matching type in the permission set.
CodeAccessPermission grantedPerm =
(CodeAccessPermission)grantedSet.GetPermission(permToken);
// If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty)
// then throw an exception.
if (grantedPerm == null)
{
if (!demand.IsSubsetOf( null ))
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
else
return;
}
// Call the check demand for our permission.
grantedPerm.CheckDemand(demand);
}
// Make the sure the permission is not denied.
if (deniedSet != null)
{
CodeAccessPermission deniedPerm =
(CodeAccessPermission)deniedSet.GetPermission(permToken);
if (deniedPerm != null)
{
if (deniedPerm.Intersect(demand) != null)
{
#if _DEBUG
if (debug)
DEBUG_OUT( "Permission found in denied set" );
#endif
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
}
}
}
catch (Exception e)
{
// Any exception besides a security exception in this code means that
// a permission was unable to properly handle what we asked of it.
// We will define this to mean that the demand failed.
if (e is SecurityException)
throw e;
else
throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString());
}
DEBUG_OUT( "Check passed" );
}
internal static int GetSpecialFlags (PermissionSet grantSet, PermissionSet deniedSet) {
if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty())) {
return -1;
}
else {
SecurityPermission securityPermission = null;
#pragma warning disable 618
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
ReflectionPermission reflectionPermission = null;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6];
if (grantSet != null) {
if (grantSet.IsUnrestricted()) {
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore;
for (int i = 0; i < specialPermissions.Length; i++) {
specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i];
}
}
else {
securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
securityPermissionFlags = securityPermission.Flags;
reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
reflectionPermissionFlags = reflectionPermission.Flags;
for (int i = 0; i < specialPermissions.Length; i++) {
specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null) {
if (deniedSet.IsUnrestricted()) {
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) {
specialPermissions[i] = null;
}
}
else {
securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
securityPermissionFlags &= ~securityPermission.Flags;
reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
reflectionPermissionFlags &= ~reflectionPermission.Flags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) {
CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null))
specialPermissions[i] = null; // we don't care about the exact value here.
}
}
}
int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (flags != -1) {
for (int i = 0; i < specialPermissions.Length; i++) {
if (specialPermissions[i] != null && ((IUnrestrictedPermission) specialPermissions[i]).IsUnrestricted())
flags |= (1 << (int) s_BuiltInPermissionIndexMap[i][1]);
}
}
return flags;
}
}
[System.Security.SecurityCritical] // auto-generated
static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken)
{
if (pSet != null)
{
pSet.CheckDecoded(demand, permToken);
CodeAccessPermission perm = (CodeAccessPermission)pSet.GetPermission(demand);
// If the assert set does contain the demanded permission, halt the stackwalk
try
{
if (pSet.IsUnrestricted() || demand.CheckAssert(perm))
{
return SecurityRuntime.StackHalt;
}
}
catch (ArgumentException)
{
}
}
return SecurityRuntime.StackContinue;
}
internal static void ResolveIdentityPermissions (PermissionSet ps, Evidence evidence)
{
// in 2.0 identity permissions can now be unrestricted
if (ps.IsUnrestricted ())
return;
// Only host evidence are used for policy resolution
IEnumerator ee = evidence.GetHostEnumerator ();
while (ee.MoveNext ()) {
IIdentityPermissionFactory ipf = (ee.Current as IIdentityPermissionFactory);
if (ipf != null) {
IPermission p = ipf.CreateIdentityPermission (evidence);
ps.AddPermission (p);
}
}
}
private bool Update2(PermissionSetTriple currentTriple, FrameSecurityDescriptor fsd, bool fDeclarative)
{
// Deny
PermissionSet deniedPset = fsd.GetDenials(fDeclarative);
if (deniedPset != null)
{
currentTriple.UpdateRefused(deniedPset);
}
// permit only
PermissionSet permitOnlyPset = fsd.GetPermitOnly(fDeclarative);
if (permitOnlyPset != null)
{
currentTriple.UpdateGrant(permitOnlyPset);
}
// Assert all possible
if (fsd.GetAssertAllPossible())
{
// If we have no grant set, it means that the only assembly we've seen on the stack so
// far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the
// compressed stack is also FullTrust.
if (currentTriple.GrantSet == null)
{
currentTriple.GrantSet = PermissionSet.s_fullTrust;
}
UpdateTripleListAndCreateNewTriple(currentTriple, m_permSetTriples);
currentTriple.GrantSet = PermissionSet.s_fullTrust;
currentTriple.UpdateAssert(fsd.GetAssertions(fDeclarative));
return(true);
}
// Assert
PermissionSet assertPset = fsd.GetAssertions(fDeclarative);
if (assertPset != null)
{
if (assertPset.IsUnrestricted())
{
// If we have no grant set, it means that the only assembly we've seen on the stack so
// far is mscorlib. Since mscorlib will always be fully trusted, the grant set of the
// compressed stack is also FullTrust.
if (currentTriple.GrantSet == null)
{
currentTriple.GrantSet = PermissionSet.s_fullTrust;
}
UpdateTripleListAndCreateNewTriple(currentTriple, m_permSetTriples);
currentTriple.GrantSet = PermissionSet.s_fullTrust;
currentTriple.UpdateAssert(assertPset);
return(true);
}
PermissionSetTriple retTriple = currentTriple.UpdateAssert(assertPset);
if (retTriple != null)
{
EnsureTriplesListCreated();
m_permSetTriples.Add(retTriple);
}
}
return(false);
}
