// static default constructor. This will be called before any of the static members are accessed. static CodeAccessSecurityEngine() { #pragma warning disable 618 AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion); #pragma warning restore 618 AssertPermissionToken = PermissionToken.GetToken(AssertPermission); }
[System.Security.SecurityCritical] // auto-generated private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { return secDesc.CheckDemand((CodeAccessPermission) demandIn, permToken, rmh); }
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { bool flag = this.CheckDemand2(demand, permToken, rmh, false); if (flag) { flag = this.CheckDemand2(demand, permToken, rmh, true); } return flag; }
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandle rmh) { this.CompleteConstruction(null); if (this.PLS != null) { this.PLS.CheckDemand(demand, permToken, rmh); } return false; }
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { if (!CheckAssert(this.AssertSet, demand, permToken)) { return false; } CodeAccessSecurityEngine.CheckHelper(this.GrantSet, this.RefusedSet, demand, permToken, rmh, null, SecurityAction.Demand, true); return true; }
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { bool flag = true; if (this.m_permSetTriples != null) { for (int i = 0; (i < this.m_permSetTriples.Count) && flag; i++) { flag = ((PermissionSetTriple) this.m_permSetTriples[i]).CheckDemand(demand, permToken, rmh); } } else if (this.m_firstPermSetTriple != null) { flag = this.m_firstPermSetTriple.CheckDemand(demand, permToken, rmh); } return false; }
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission asserted = (CodeAccessPermission) pSet.GetPermission(demand); try { if (pSet.IsUnrestricted() || demand.CheckAssert(asserted)) { return false; } } catch (ArgumentException) { } } return true; }
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken) { if (m_zoneList != null) { zoneList.AddRange(m_zoneList); } if (m_originList != null) { originList.AddRange(m_originList); } }
private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { return(secDesc.CheckDemand((CodeAccessPermission)demandIn, permToken, rmh)); }
internal static extern FrameSecurityDescriptor CheckNReturnSO(PermissionToken permToken, CodeAccessPermission demand, ref StackCrawlMark stackMark, int create);
internal static bool CheckHelper(PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, object assemblyOrString, SecurityAction action, bool throwException) { if (permToken == null) { permToken = PermissionToken.GetToken(demand); } if (grantedSet != null) { grantedSet.CheckDecoded(permToken.m_index); } if (refusedSet != null) { refusedSet.CheckDecoded(permToken.m_index); } bool flag = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else if (!grantedSet.IsUnrestricted()) { CodeAccessPermission grant = (CodeAccessPermission)grantedSet.GetPermission(permToken); if (!demand.CheckDemand(grant)) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } } if (refusedSet != null) { CodeAccessPermission codeAccessPermission = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (codeAccessPermission != null && !codeAccessPermission.CheckDeny(demand)) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } if (refusedSet.IsUnrestricted()) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } } } catch (SecurityException) { throw; } catch (Exception) { if (!throwException) { return(false); } CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } finally { if (flag) { SecurityManager._SetThreadSecurity(true); } } return(true); }
internal PermissionToken GetToken(Type cls, IPermission perm) { IntPtr value = cls.TypeHandle.Value; object obj = this.m_handleTable[value]; if (obj == null) { string assemblyQualifiedName = cls.AssemblyQualifiedName; obj = ((this.m_tokenTable != null) ? this.m_tokenTable[assemblyQualifiedName] : null); if (obj == null) { lock (this) { if (this.m_tokenTable != null) { obj = this.m_tokenTable[assemblyQualifiedName]; } else { this.m_tokenTable = new Hashtable(this.m_size, 1f, new PermissionTokenKeyComparer()); } if (obj == null) { if (perm != null) { int index = this.m_index; this.m_index = index + 1; obj = new PermissionToken(index, PermissionTokenType.IUnrestricted, assemblyQualifiedName); } else if (cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null) { int index = this.m_index; this.m_index = index + 1; obj = new PermissionToken(index, PermissionTokenType.IUnrestricted, assemblyQualifiedName); } else { int index = this.m_index; this.m_index = index + 1; obj = new PermissionToken(index, PermissionTokenType.Normal, assemblyQualifiedName); } this.m_tokenTable.Add(assemblyQualifiedName, obj); this.m_indexTable.Add(this.m_index - 1, obj); PermissionToken.s_tokenSet.SetItem(((PermissionToken)obj).m_index, obj); } if (!this.m_handleTable.Contains(value)) { this.m_handleTable.Add(value, obj); } goto IL_1DA; } } lock (this) { if (!this.m_handleTable.Contains(value)) { this.m_handleTable.Add(value, obj); } } } IL_1DA: if ((((PermissionToken)obj).m_type & PermissionTokenType.DontKnow) != (PermissionTokenType)0) { if (perm != null) { ((PermissionToken)obj).m_type = PermissionTokenType.IUnrestricted; ((PermissionToken)obj).m_strTypeName = perm.GetType().AssemblyQualifiedName; } else { if (cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null) { ((PermissionToken)obj).m_type = PermissionTokenType.IUnrestricted; } else { ((PermissionToken)obj).m_type = PermissionTokenType.Normal; } ((PermissionToken)obj).m_strTypeName = cls.AssemblyQualifiedName; } } return((PermissionToken)obj); }
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken) { if (this.m_zoneList != null) { zoneList.AddRange((ICollection)this.m_zoneList); } if (this.m_originList == null) { return; } originList.AddRange((ICollection)this.m_originList); }
internal CodeAccessSecurityEngine() { InitSecurityEngine(); AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion); AssertPermissionToken = PermissionToken.GetToken(AssertPermission); }
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { if (this.GetPermitOnly(fDeclarative) != null) { this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetDenials(fDeclarative) != null) { this.GetDenials(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetAssertions(fDeclarative) != null) { this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken); } bool flag = SecurityManager._SetThreadSecurity(false); try { PermissionSet permitOnly = this.GetPermitOnly(fDeclarative); if (permitOnly != null) { CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission(demand); if (permitted == null) { if (!permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } else { bool flag2 = true; try { flag2 = !demand.CheckPermitOnly(permitted); } catch (ArgumentException) { } if (flag2) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), null, permitOnly, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } } permitOnly = this.GetDenials(fDeclarative); if (permitOnly != null) { CodeAccessPermission permission = (CodeAccessPermission)permitOnly.GetPermission(demand); if (permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } bool flag3 = true; try { flag3 = !demand.CheckDeny(permission); } catch (ArgumentException) { } if (flag3) { throw new SecurityException(string.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), new object[] { demand.GetType().AssemblyQualifiedName }), permitOnly, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } if (this.GetAssertAllPossible()) { return(false); } permitOnly = this.GetAssertions(fDeclarative); if (permitOnly != null) { CodeAccessPermission asserted = (CodeAccessPermission)permitOnly.GetPermission(demand); try { if (permitOnly.IsUnrestricted() || demand.CheckAssert(asserted)) { return(false); } } catch (ArgumentException) { } } } finally { if (flag) { SecurityManager._SetThreadSecurity(true); } } return(true); }
internal PermissionToken BuiltInGetToken(int index, IPermission perm, Type cls) { PermissionToken token = m_builtIn[index]; if (token == null) { lock (this) { token = m_builtIn[index]; if (token == null) { PermissionTokenType permType = PermissionTokenType.DontKnow; if (perm != null) { if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || perm is IUnrestrictedPermission) { permType = PermissionTokenType.IUnrestricted; } else { permType = PermissionTokenType.Normal; } } else if (cls != null) { if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null) { permType = PermissionTokenType.IUnrestricted; } else { permType = PermissionTokenType.Normal; } } token = new PermissionToken(index, permType | PermissionTokenType.BuiltIn, null); m_builtIn[index] = token; PermissionToken.s_tokenSet.SetItem(token.m_index, token); } } } if ((token.m_type & PermissionTokenType.DontKnow) != 0) { token.m_type = PermissionTokenType.BuiltIn; if (perm != null) { if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || perm is IUnrestrictedPermission) { token.m_type |= PermissionTokenType.IUnrestricted; } else { token.m_type |= PermissionTokenType.Normal; } } else if (cls != null) { if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || cls.GetInterface("System.Security.Permissions.IUnrestrictedPermission") != null) { token.m_type |= PermissionTokenType.IUnrestricted; } else { token.m_type |= PermissionTokenType.Normal; } } else { token.m_type |= PermissionTokenType.DontKnow; } } return(token); }
internal PermissionToken GetToken(Type cls, IPermission perm) { Contract.Assert(cls != null, "Must pass in valid type"); IntPtr typePtr = cls.TypeHandle.Value; object tok = m_handleTable[typePtr]; if (tok == null) { String typeStr = cls.AssemblyQualifiedName; tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe if (tok == null) { lock (this) { if (m_tokenTable != null) { tok = m_tokenTable[typeStr]; // Make sure it wasn't just added } else { m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer()); } if (tok == null) { if (perm != null) { tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr); } else { if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null) { tok = new PermissionToken(m_index++, PermissionTokenType.IUnrestricted, typeStr); } else { tok = new PermissionToken(m_index++, PermissionTokenType.Normal, typeStr); } } m_tokenTable.Add(typeStr, tok); m_indexTable.Add(m_index - 1, tok); PermissionToken.s_tokenSet.SetItem(((PermissionToken)tok).m_index, tok); } if (!m_handleTable.Contains(typePtr)) { m_handleTable.Add(typePtr, tok); } } } else { lock (this) { if (!m_handleTable.Contains(typePtr)) { m_handleTable.Add(typePtr, tok); } } } } if ((((PermissionToken)tok).m_type & PermissionTokenType.DontKnow) != 0) { if (perm != null) { Contract.Assert(!(perm is IBuiltInPermission), "This should not be called for built-ins"); ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted; #if FEATURE_CAS_POLICY ((PermissionToken)tok).m_strTypeName = perm.GetType().AssemblyQualifiedName; #endif // FEATURE_CAS_POLICY } else { Contract.Assert(cls.GetInterface("System.Security.Permissions.IBuiltInPermission") == null, "This shoudl not be called for built-ins"); if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null) { ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted; } else { ((PermissionToken)tok).m_type = PermissionTokenType.Normal; } #if FEATURE_CAS_POLICY ((PermissionToken)tok).m_strTypeName = cls.AssemblyQualifiedName; #endif // FEATURE_CAS_POLICY } } return((PermissionToken)tok); }
[System.Security.SecurityCritical] // auto-generated #pragma warning disable 618 internal static bool CheckHelper(PermissionSet grantedSet, #pragma warning restore 618 PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, Object assemblyOrString, SecurityAction action, bool throwException) { // We should never get here with a null demand Contract.Assert(demand != null, "Should not reach here with a null demand"); #if _DEBUG && FEATURE_CAS_POLICY if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Refused: "); DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif // _DEBUG && FEATURE_CAS_POLICY if (permToken == null) { permToken = PermissionToken.GetToken(demand); } if (grantedSet != null) { grantedSet.CheckDecoded(permToken.m_index); } if (refusedSet != null) { refusedSet.CheckDecoded(permToken.m_index); } // If PermissionSet is null, then module does not have Permissions... Fail check. bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } else if (!grantedSet.IsUnrestricted()) { // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted // variety, we need to do the proper callback. Contract.Assert(demand != null, "demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // Make sure the demand has been granted if (!demand.CheckDemand(grantedPerm)) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } // Make the sure the permission is not refused. if (refusedSet != null) { CodeAccessPermission refusedPerm = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (refusedPerm != null) { if (!refusedPerm.CheckDeny(demand)) { #if _DEBUG if (debug) { DEBUG_OUT("Permission found in refused set"); } #endif if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } if (refusedSet.IsUnrestricted()) { if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } } } catch (SecurityException) { throw; } catch (Exception) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (throwException) { ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); } else { return(false); } } finally { if (bThreadSecurity) { SecurityManager._SetThreadSecurity(true); } } DEBUG_OUT("Check passed"); return(true); }
public void FromXml(SecurityElement elRoot) { elRoot.Tag.Equals("PermissionToken"); string typeStr = elRoot.Attribute("Name"); PermissionToken permissionToken = typeStr == null?PermissionToken.FindTokenByIndex(int.Parse(elRoot.Attribute("Index"), (IFormatProvider)CultureInfo.InvariantCulture)) : PermissionToken.GetToken(typeStr, true); this.m_index = permissionToken.m_index; this.m_type = (PermissionTokenType)Enum.Parse(typeof(PermissionTokenType), elRoot.Attribute("Type")); this.m_strTypeName = permissionToken.m_strTypeName; }
private static void CheckHelper(PermissionSet grantedSet, PermissionSet deniedSet, CodeAccessPermission demand, PermissionToken permToken) { #if _DEBUG if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Denied: "); DEBUG_OUT(deniedSet != null ? deniedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif if (permToken == null) { permToken = PermissionToken.GetToken(demand); } // If PermissionSet is null, then module does not have Permissions... Fail check. try { if (grantedSet == null) { throw new SecurityException(Environment.GetResourceString("Security_GenericNoType")); } else if (!grantedSet.IsUnrestricted() || !(demand is IUnrestrictedPermission)) { // If we aren't unrestricted, there is a denied set, or our permission is not of the unrestricted // variety, we need to do the proper callback. BCLDebug.Assert(demand != null, "demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // If there isn't a matching permission in the set and our demand is not a subset of null (i.e. empty) // then throw an exception. if (grantedPerm == null) { if (!demand.IsSubsetOf(null)) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } else { return; } } // Call the check demand for our permission. grantedPerm.CheckDemand(demand); } // Make the sure the permission is not denied. if (deniedSet != null) { CodeAccessPermission deniedPerm = (CodeAccessPermission)deniedSet.GetPermission(permToken); if (deniedPerm != null) { if (deniedPerm.Intersect(demand) != null) { #if _DEBUG if (debug) { DEBUG_OUT("Permission found in denied set"); } #endif throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } if (deniedSet.IsUnrestricted() && (demand is IUnrestrictedPermission)) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } catch (Exception e) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (e is SecurityException) { throw e; } else { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } DEBUG_OUT("Check passed"); }
internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { if (this.GetPermitOnly(fDeclarative) != null) { this.GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetDenials(fDeclarative) != null) { this.GetDenials(fDeclarative).CheckDecoded(demand, permToken); } if (this.GetAssertions(fDeclarative) != null) { this.GetAssertions(fDeclarative).CheckDecoded(demand, permToken); } bool flag1 = SecurityManager._SetThreadSecurity(false); try { PermissionSet permitOnly = this.GetPermitOnly(fDeclarative); if (permitOnly != null) { CodeAccessPermission permitted = (CodeAccessPermission)permitOnly.GetPermission((IPermission)demand); if (permitted == null) { if (!permitOnly.IsUnrestricted()) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } else { bool flag2 = true; try { flag2 = !demand.CheckPermitOnly(permitted); } catch (ArgumentException ex) { } if (flag2) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)null, (object)permitOnly, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } } PermissionSet denials = this.GetDenials(fDeclarative); if (denials != null) { CodeAccessPermission denied = (CodeAccessPermission)denials.GetPermission((IPermission)demand); if (denials.IsUnrestricted()) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } bool flag2 = true; try { flag2 = !demand.CheckDeny(denied); } catch (ArgumentException ex) { } if (flag2) { throw new SecurityException(string.Format((IFormatProvider)CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), (object)demand.GetType().AssemblyQualifiedName), (object)denials, (object)null, SecurityRuntime.GetMethodInfo(rmh), (object)demand, (IPermission)demand); } } if (this.GetAssertAllPossible()) { return(false); } PermissionSet assertions = this.GetAssertions(fDeclarative); if (assertions != null) { CodeAccessPermission asserted = (CodeAccessPermission)assertions.GetPermission((IPermission)demand); try { if (!assertions.IsUnrestricted()) { if (!demand.CheckAssert(asserted)) { goto label_35; } } return(false); } catch (ArgumentException ex) { } } } finally { if (flag1) { SecurityManager._SetThreadSecurity(true); } } label_35: return(true); }
public static bool IsTokenProperlyAssigned(IPermission perm, PermissionToken token) { PermissionToken token1 = PermissionToken.GetToken(perm); return(token1.m_index == token.m_index && token.m_type == token1.m_type && (!(perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly()) || token1.m_index < 17)); }
private extern void Check(PermissionToken permToken, CodeAccessPermission demand, ref StackCrawlMark stackMark, int checkFrames, int unrestrictedOverride);
public static PermissionToken GetToken(string typeStr) { return(PermissionToken.GetToken(typeStr, false)); }
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken) { BCLDebug.Assert(AssertSet == null, "AssertSet not null"); return(CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, s_emptyRMH, null, SecurityAction.Demand, false)); }
internal static void CheckHelper(CompressedStack cs, PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action) { if (cs != null) { cs.CheckDemand(demand, permToken, rmh); return; } CodeAccessSecurityEngine.CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, asm, action, true); }
public PermissionList FindPermissionList(Type permClass) { BCLDebug.Assert(permClass != null, "permClass != null"); return(FindPermissionList(PermissionToken.GetToken(permClass))); }
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList) { if (cs != null) { cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission))); return; } ZoneIdentityPermission zoneIdentityPermission = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission)); UrlIdentityPermission urlIdentityPermission = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission)); if (zoneIdentityPermission != null) { zoneList.Add(zoneIdentityPermission.SecurityZone); } if (urlIdentityPermission != null) { originList.Add(urlIdentityPermission.Url); } }
internal PermissionList FindPermissionList(PermissionToken permToken) { BCLDebug.Assert(permToken != null, "permToken != null"); return(FindPermissionList(permToken.m_index, permToken.m_isUnrestricted)); }
internal static void GetZoneAndOriginHelper(CompressedStack cs, PermissionSet grantSet, PermissionSet refusedSet, ArrayList zoneList, ArrayList originList) { if (cs != null) { cs.GetZoneAndOrigin(zoneList, originList, PermissionToken.GetToken(typeof(ZoneIdentityPermission)), PermissionToken.GetToken(typeof(UrlIdentityPermission))); } else { ZoneIdentityPermission identityPermission1 = (ZoneIdentityPermission)grantSet.GetPermission(typeof(ZoneIdentityPermission)); UrlIdentityPermission identityPermission2 = (UrlIdentityPermission)grantSet.GetPermission(typeof(UrlIdentityPermission)); if (identityPermission1 != null) { zoneList.Add((object)identityPermission1.SecurityZone); } if (identityPermission2 == null) { return; } originList.Add((object)identityPermission2.Url); } }
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, bool createException, out Exception exception) { BCLDebug.Assert(demand != null, "demand != null"); BCLDebug.Assert(permToken != null, "permToken != null"); // First, find if there is a permission list of this type. PermissionList permList = FindPermissionList(permToken); if (permList != null) { // If so, check against it to determine our action. bool cont = permList.CheckDemandInternal(demand, createException, out exception); // We don't record modifiers for the unrestricted permission set in the // individual lists. Therefore, permList.CheckDemandInternal may say // that we have to continue the stackwalk, but we know better. if (cont && permToken.m_isUnrestricted) { if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0) { if (createException) { exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName)); } else { exception = GetStaticException(); } return(false); } else { cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0); } } return(cont); } #if _DEBUG // Let's check to make sure we always pass demands for empty permissions. else if (demand.IsSubsetOf(null)) { BCLDebug.Assert(false, "We should pick of empty demands before this point"); exception = null; return(true); } #endif // If the permission is not unrestricted, the lack of a permission list // denotes that no frame on the stack granted this permission, and therefore // we pass back the failure condition. else if (!permToken.m_isUnrestricted) { if (createException) { exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName)); } else { exception = GetStaticException(); } return(false); } // If this permission list set is not unrestricted and there is no unrestricted assert // then the lack of a permission list denotes that no frame on the stack granted // this permission, and therefore we pass back the failure condition. If there is // an unrestricted assert, then we pass back success and terminate the stack walk. else if (!this.IsUnrestricted()) { if (createException) { exception = new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName)); } else { exception = GetStaticException(); } return(false); } // If we made it all the way through, that means that we are in the unrestricted // state and that this permission is encompassed in that. If we have an unrestricted // assert, we are done with the state walk (return false), otherwise keep going. exception = null; return((m_state & PermissionListSetState.UnrestrictedAssert) == 0); }
[System.Security.SecurityCritical] // auto-generated internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken) { Contract.Assert(AssertSet == null, "AssertSet not null"); #pragma warning disable 618 return CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, RuntimeMethodHandleInternal.EmptyHandle, null, SecurityAction.Demand, false); #pragma warning restore 618 }
internal bool CheckDemandInternal(CodeAccessPermission demand, PermissionToken permToken, out Exception exception) { BCLDebug.Assert(demand != null, "demand != null"); BCLDebug.Assert(permToken != null, "permToken != null"); // First, find if there is a permission list of this type. PermissionList permList = FindPermissionList(permToken); if (permList != null) { // If so, check against it to determine our action. bool cont = permList.CheckDemandInternal(demand, out exception); // We don't record modifiers for the unrestricted permission set in the // individual lists. Therefore, permList.CheckDemandInternal may say // that we have to continue the stackwalk, but we know better. if (cont && permToken.m_isUnrestricted) { if ((m_state & PermissionListSetState.UnrestrictedDeny) != 0) { exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) ); return false; } else { cont = cont && ((m_state & PermissionListSetState.UnrestrictedAssert) == 0); } } return cont; } #if _DEBUG // Let's check to make sure we always pass demands for empty permissions. else if (demand.IsSubsetOf( null )) { BCLDebug.Assert( false, "We should pick of empty demands before this point" ); exception = null; return true; } #endif // If the permission is not unrestricted, the lack of a permission list // denotes that no frame on the stack granted this permission, and therefore // we pass back the failure condition. else if (!permToken.m_isUnrestricted) { exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) ); return false; } // If this permission list set is not unrestricted and there is no unrestricted assert // then the lack of a permission list denotes that no frame on the stack granted // this permission, and therefore we pass back the failure condition. If there is // an unrestricted assert, then we pass back success and terminate the stack walk. else if (!this.IsUnrestricted()) { exception = new SecurityException(String.Format( Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName ) ); return false; } // If we made it all the way through, that means that we are in the unrestricted // state and that this permission is encompassed in that. If we have an unrestricted // assert, we are done with the state walk (return false), otherwise keep going. exception = null; return (m_state & PermissionListSetState.UnrestrictedAssert) == 0; }
private static bool CheckDynamicMethodHelper(System.Reflection.Emit.DynamicResolver dynamicResolver, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { System.Threading.CompressedStack creationStack = dynamicResolver.GetSecurityContext(); bool result; try { result = creationStack.CheckDemandNoHalt((CodeAccessPermission)demandIn, permToken, rmh); } catch (SecurityException ex) { throw new SecurityException(Environment.GetResourceString("Security_AnonymouslyHostedDynamicMethodCheckFailed"), ex); } return result; }
// Returns true to continue, or false to halt private static bool FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demand, PermissionToken permToken) { PermissionSet permSet; // If the demand is null, there is no need to continue if (demand == null || demand.IsSubsetOf(null)) { return(StackHalt); } // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper // Check Reduction try { permSet = secDesc.GetPermitOnly(); if (permSet != null) { IPermission perm = permSet.GetPermission(demand); #if _DEBUG if (debug) { DEBUG_OUT("Checking PermitOnly"); DEBUG_OUT("permit only set =\n" + permSet.ToXml().ToString()); DEBUG_OUT("demand =\n" + ((CodeAccessPermission)demand).ToXml().ToString()); } #endif // If the permit only set does not contain the demanded permission, throw a security exception if (perm == null) { if (!(demand is IUnrestrictedPermission && permSet.IsUnrestricted())) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } else { if (!demand.IsSubsetOf(perm)) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } } catch (Exception) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } // Check Denials try { permSet = secDesc.GetDenials(); if (permSet != null) { #if _DEBUG if (debug) { DEBUG_OUT("Checking Denials"); DEBUG_OUT("denied set =\n" + permSet.ToXml().ToString()); } #endif IPermission perm = permSet.GetPermission(demand); // If the deny set does contain the demanded permission, throw a security exception if ((perm != null && perm.Intersect(demand) != null) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted())) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } } } catch (Exception) { throw new SecurityException(String.Format(Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), demand.GetType(), demand.ToXml().ToString()); } if (secDesc.GetAssertAllPossible()) { return(StackHalt); } try { permSet = secDesc.GetAssertions(); // Check Assertions if (permSet != null) { #if _DEBUG if (debug) { DEBUG_OUT("Checking Assertions"); } #endif IPermission perm = permSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk if ((perm != null && (demand.IsSubsetOf(perm)) || (demand is IUnrestrictedPermission && permSet.IsUnrestricted()))) { #if _DEBUG if (debug) { DEBUG_OUT("Assert halting stackwalk"); } #endif return(StackHalt); } } } catch (Exception) { } return(StackContinue); }
[System.Security.SecurityCritical] // auto-generated internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { bool bRet = SecurityRuntime.StackContinue; if (m_permSetTriples != null) { for (int i=0; (i < m_permSetTriples.Count && bRet != SecurityRuntime.StackHalt) ; i++) { PermissionSetTriple psTriple = (PermissionSetTriple)m_permSetTriples[i]; bRet = psTriple.CheckDemand(demand, permToken, rmh); } } else if (m_firstPermSetTriple != null) { bRet = m_firstPermSetTriple.CheckDemand(demand, permToken, rmh); } return SecurityRuntime.StackHalt; // CS demand check always terminates the stackwalk }
[System.Security.SecurityCritical] // auto-generated private static Object Deserialize(byte[] blob) { if (blob == null) return null; if (blob[0] == 0) { Parser parser = new Parser( blob, Tokenizer.ByteTokenEncoding.UTF8Tokens, 1 ); SecurityElement root = parser.GetTopElement(); if (root.Tag.Equals( "IPermission" ) || root.Tag.Equals( "Permission" )) { IPermission ip = System.Security.Util.XMLUtil.CreatePermission( root, PermissionState.None, false ); if (ip == null) { return null; } ip.FromXml( root ); return ip; } else if (root.Tag.Equals( "PermissionSet" )) { PermissionSet permissionSet = new PermissionSet(); permissionSet.FromXml( root, false, false ); return permissionSet; } else if (root.Tag.Equals( "PermissionToken" )) { PermissionToken pToken = new PermissionToken(); pToken.FromXml( root ); return pToken; } else { return null; } } else { Object obj = null; using(MemoryStream stream = new MemoryStream( blob, 1, blob.Length - 1 )) { obj = CrossAppDomainSerializer.DeserializeObject(stream); } Contract.Assert( !(obj is IPermission), "IPermission should be xml deserialized" ); Contract.Assert( !(obj is PermissionSet), "PermissionSet should be xml deserialized" ); return obj; } }
internal PermissionList RemovePermissionList(PermissionToken permToken) { if (permToken.m_isUnrestricted) return (PermissionList)m_unrestrictedPermSet.RemoveItem(permToken.m_index); else return (PermissionList)m_normalPermSet.RemoveItem(permToken.m_index); }
private static bool CheckAssert(PermissionSet pSet, CodeAccessPermission demand, PermissionToken permToken) { if (pSet != null) { pSet.CheckDecoded(demand, permToken); CodeAccessPermission asserted = (CodeAccessPermission)pSet.GetPermission((IPermission)demand); try { if (!pSet.IsUnrestricted()) { if (!demand.CheckAssert(asserted)) { goto label_6; } } return(false); } catch (ArgumentException ex) { } } label_6: return(true); }
internal PermissionToken BuiltInGetToken( int index, IPermission perm, Type cls ) { PermissionToken token = Volatile.Read(ref m_builtIn[index]); if (token == null) { lock (this) { token = m_builtIn[index]; if (token == null) { PermissionTokenType permType = PermissionTokenType.DontKnow; if (perm != null) { permType = PermissionTokenType.IUnrestricted; } else if (cls != null) { permType = PermissionTokenType.IUnrestricted; } token = new PermissionToken( index, permType | PermissionTokenType.BuiltIn, null ); Volatile.Write(ref m_builtIn[index], token); PermissionToken.s_tokenSet.SetItem( token.m_index, token ); } } } if ((token.m_type & PermissionTokenType.DontKnow) != 0) { token.m_type = PermissionTokenType.BuiltIn; if (perm != null) { token.m_type |= PermissionTokenType.IUnrestricted; } else if (cls != null) { token.m_type |= PermissionTokenType.IUnrestricted; } else { token.m_type |= PermissionTokenType.DontKnow; } } return token; }
[System.Security.SecurityCritical] // auto-generated internal static void CheckHelper(CompressedStack cs, PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action) { if (cs != null) cs.CheckDemand(demand, permToken, rmh); else CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, (Object)asm, action, true); }
internal PermissionToken GetToken(Type cls, IPermission perm) { Contract.Assert( cls != null, "Must pass in valid type" ); IntPtr typePtr = cls.TypeHandle.Value; object tok = m_handleTable[typePtr]; if (tok == null) { String typeStr = cls.AssemblyQualifiedName; tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe if (tok == null) { lock (this) { if (m_tokenTable != null) { tok = m_tokenTable[typeStr]; // Make sure it wasn't just added } else m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer()); if (tok == null) { if (perm != null) { tok = new PermissionToken( m_index++, PermissionTokenType.IUnrestricted, typeStr ); } else { if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null) tok = new PermissionToken( m_index++, PermissionTokenType.IUnrestricted, typeStr ); else tok = new PermissionToken( m_index++, PermissionTokenType.Normal, typeStr ); } m_tokenTable.Add(typeStr, tok); m_indexTable.Add(m_index - 1, tok); PermissionToken.s_tokenSet.SetItem( ((PermissionToken)tok).m_index, tok ); } if (!m_handleTable.Contains(typePtr)) m_handleTable.Add( typePtr, tok ); } } else { lock (this) { if (!m_handleTable.Contains(typePtr)) m_handleTable.Add( typePtr, tok ); } } } if ((((PermissionToken)tok).m_type & PermissionTokenType.DontKnow) != 0) { if (perm != null) { Contract.Assert( !(perm is IBuiltInPermission), "This should not be called for built-ins" ); ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted; #if FEATURE_CAS_POLICY ((PermissionToken)tok).m_strTypeName = perm.GetType().AssemblyQualifiedName; #endif // FEATURE_CAS_POLICY } else { Contract.Assert( cls.GetInterface( "System.Security.Permissions.IBuiltInPermission" ) == null, "This shoudl not be called for built-ins" ); if (cls.GetInterface(s_unrestrictedPermissionInferfaceName) != null) ((PermissionToken)tok).m_type = PermissionTokenType.IUnrestricted; else ((PermissionToken)tok).m_type = PermissionTokenType.Normal; #if FEATURE_CAS_POLICY ((PermissionToken)tok).m_strTypeName = cls.AssemblyQualifiedName; #endif // FEATURE_CAS_POLICY } } return (PermissionToken)tok; }
internal PermissionToken GetToken(String typeStr) { Object tok = null; tok = m_tokenTable != null ? m_tokenTable[typeStr] : null; // Assumes asynchronous lookups are safe if (tok == null) { lock (this) { if (m_tokenTable != null) { tok = m_tokenTable[typeStr]; // Make sure it wasn't just added } else m_tokenTable = new Hashtable(m_size, 1.0f, new PermissionTokenKeyComparer()); if (tok == null) { tok = new PermissionToken( m_index++, PermissionTokenType.DontKnow, typeStr ); m_tokenTable.Add(typeStr, tok); m_indexTable.Add(m_index - 1, tok); PermissionToken.s_tokenSet.SetItem(((PermissionToken)tok).m_index, tok); } } } return (PermissionToken)tok; }
public static bool IsTokenProperlyAssigned( IPermission perm, PermissionToken token ) { PermissionToken heldToken = GetToken( perm ); if (heldToken.m_index != token.m_index) return false; if (token.m_type != heldToken.m_type) return false; if (perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly() && heldToken.m_index >= BuiltInPermissionIndex.NUM_BUILTIN_NORMAL + BuiltInPermissionIndex.NUM_BUILTIN_UNRESTRICTED) return false; return true; }
[System.Security.SecurityCritical] // auto-generated internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { PermissionSet permSet; // If the demand is null, there is no need to continue Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point"); // decode imperative if (GetPermitOnly(fDeclarative) != null) GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); if (GetDenials(fDeclarative) != null) GetDenials(fDeclarative).CheckDecoded(demand, permToken); if (GetAssertions(fDeclarative) != null) GetAssertions(fDeclarative).CheckDecoded(demand, permToken); // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); // Check Reduction try { permSet = GetPermitOnly(fDeclarative); if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If the permit only set does not contain the demanded permission, throw a security exception if (perm == null) { if (!permSet.IsUnrestricted()) throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } else { bool bNeedToThrow = true; try { bNeedToThrow = !demand.CheckPermitOnly(perm); } catch (ArgumentException) { } if (bNeedToThrow) throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } // Check Denials permSet = GetDenials(fDeclarative); if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If an unrestricted set was denied and the demand implements IUnrestricted if (permSet.IsUnrestricted()) throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); // If the deny set does contain the demanded permission, throw a security exception bool bNeedToThrow = true; try { bNeedToThrow = !demand.CheckDeny(perm); } catch (ArgumentException) { } if (bNeedToThrow) throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } if (GetAssertAllPossible()) { return SecurityRuntime.StackHalt; } permSet = GetAssertions(fDeclarative); // Check Assertions if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk try { if (permSet.IsUnrestricted() || demand.CheckAssert(perm)) { return SecurityRuntime.StackHalt; } } catch (ArgumentException) { } } } finally { if (bThreadSecurity) SecurityManager._SetThreadSecurity(true); } return SecurityRuntime.StackContinue; }
[System.Security.SecurityCritical] // auto-generated internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { // imperative security bool fContinue = CheckDemand2(demand, permToken, rmh, false); if (fContinue == SecurityRuntime.StackContinue) { // declarative security fContinue = CheckDemand2(demand, permToken, rmh, true); } return fContinue; }
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken) { Exception exception; bool cont = CheckDemandInternal( demand, permToken, out exception ); if (exception != null) { throw exception; } return cont; }
[System.Security.SecurityCritical] // auto-generated #endif #pragma warning disable 618 internal static void CheckHelper(Object notUsed, #pragma warning restore 618 PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action) { // To reduce the amount of ifdef-code-churn, a dummy arg is used for the first parameter - instead of a CompressedStack object, // we use a System.Object that should always be null. If we tried to change the signature of the function, there will need to be // corresponding changes in VM (metasig.h, mscorlib.h, securitystackwalk.cpp, number of elements in the arg array, etc.) Contract.Assert(notUsed == null, "Should not reach here with a non-null first arg which is the CompressedStack"); CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, (Object)asm, action, true); }
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken) { Exception exception; CheckDemandInternal( demand, permToken, out exception ); return (exception == null); }
[System.Security.SecurityCritical] // auto-generated #pragma warning disable 618 internal static bool CheckHelper(PermissionSet grantedSet, #pragma warning restore 618 PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, Object assemblyOrString, SecurityAction action, bool throwException) { // We should never get here with a null demand Contract.Assert(demand != null, "Should not reach here with a null demand"); #if _DEBUG && FEATURE_CAS_POLICY if (debug) { DEBUG_OUT("Granted: "); DEBUG_OUT(grantedSet.ToXml().ToString()); DEBUG_OUT("Refused: "); DEBUG_OUT(refusedSet != null ? refusedSet.ToXml().ToString() : "<null>"); DEBUG_OUT("Demanded: "); DEBUG_OUT(demand.ToString()); } #endif // _DEBUG && FEATURE_CAS_POLICY if (permToken == null) permToken = PermissionToken.GetToken(demand); if (grantedSet != null) grantedSet.CheckDecoded(permToken.m_index); if (refusedSet != null) refusedSet.CheckDecoded(permToken.m_index); // If PermissionSet is null, then module does not have Permissions... Fail check. bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); try { if (grantedSet == null) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } else if (!grantedSet.IsUnrestricted()) { // If we aren't unrestricted, there is a refused set, or our permission is not of the unrestricted // variety, we need to do the proper callback. Contract.Assert(demand != null,"demand != null"); // Find the permission of matching type in the permission set. CodeAccessPermission grantedPerm = (CodeAccessPermission)grantedSet.GetPermission(permToken); // Make sure the demand has been granted if (!demand.CheckDemand( grantedPerm )) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } // Make the sure the permission is not refused. if (refusedSet != null) { CodeAccessPermission refusedPerm = (CodeAccessPermission)refusedSet.GetPermission(permToken); if (refusedPerm != null) { if (!refusedPerm.CheckDeny(demand)) { #if _DEBUG if (debug) DEBUG_OUT( "Permission found in refused set" ); #endif if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } if (refusedSet.IsUnrestricted()) { if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } } } catch (SecurityException) { throw; } catch (Exception) { // Any exception besides a security exception in this code means that // a permission was unable to properly handle what we asked of it. // We will define this to mean that the demand failed. if (throwException) ThrowSecurityException(assemblyOrString, grantedSet, refusedSet, rmh, action, demand, demand); else return false; } finally { if (bThreadSecurity) SecurityManager._SetThreadSecurity(true); } DEBUG_OUT( "Check passed" ); return true; }
private static object Deserialize(byte[] blob) { if (blob == null) { return null; } if (blob[0] == 0) { SecurityElement topElement = new Parser(blob, Tokenizer.ByteTokenEncoding.UTF8Tokens, 1).GetTopElement(); if (topElement.Tag.Equals("IPermission") || topElement.Tag.Equals("Permission")) { IPermission permission = XMLUtil.CreatePermission(topElement, PermissionState.None, false); if (permission == null) { return null; } permission.FromXml(topElement); return permission; } if (topElement.Tag.Equals("PermissionSet")) { PermissionSet set = new PermissionSet(); set.FromXml(topElement, false, false); return set; } if (topElement.Tag.Equals("PermissionToken")) { PermissionToken token = new PermissionToken(); token.FromXml(topElement); return token; } return null; } using (MemoryStream stream = new MemoryStream(blob, 1, blob.Length - 1)) { return CrossAppDomainSerializer.DeserializeObject(stream); } }
internal static extern FrameSecurityDescriptor CheckNReturnSO(PermissionToken permToken, CodeAccessPermission demand, ref StackCrawlMark stackMark, int create );
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken) { return(CodeAccessSecurityEngine.CheckHelper(this.GrantSet, this.RefusedSet, demand, permToken, RuntimeMethodHandleInternal.EmptyHandle, (object)null, SecurityAction.Demand, false)); }
public static bool IsTokenProperlyAssigned(IPermission perm, PermissionToken token) { PermissionToken token2 = GetToken(perm); if (token2.m_index != token.m_index) { return false; } if (token.m_type != token2.m_type) { return false; } if ((perm.GetType().Module.Assembly == Assembly.GetExecutingAssembly()) && (token2.m_index >= 0x11)) { return false; } return true; }
internal void GetZoneAndOrigin(ArrayList zoneList, ArrayList originList, PermissionToken zoneToken, PermissionToken originToken) { if (m_zoneList != null) zoneList.AddRange(m_zoneList); if (m_originList != null) originList.AddRange(m_originList); }
internal PermissionList FindPermissionList(PermissionToken permToken) { BCLDebug.Assert(permToken != null, "permToken != null"); return FindPermissionList(permToken.m_index, permToken.m_isUnrestricted); }
[System.Security.SecurityCritical] // auto-generated internal bool CheckDemand2(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, bool fDeclarative) { PermissionSet permSet; // If the demand is null, there is no need to continue Contract.Assert(demand != null && !demand.CheckDemand(null), "Empty demands should have been filtered out by this point"); // decode imperative if (GetPermitOnly(fDeclarative) != null) { GetPermitOnly(fDeclarative).CheckDecoded(demand, permToken); } if (GetDenials(fDeclarative) != null) { GetDenials(fDeclarative).CheckDecoded(demand, permToken); } if (GetAssertions(fDeclarative) != null) { GetAssertions(fDeclarative).CheckDecoded(demand, permToken); } // NOTE: See notes about exceptions and exception handling in FrameDescSetHelper bool bThreadSecurity = SecurityManager._SetThreadSecurity(false); // Check Reduction try { permSet = GetPermitOnly(fDeclarative); if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If the permit only set does not contain the demanded permission, throw a security exception if (perm == null) { if (!permSet.IsUnrestricted()) { throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } else { bool bNeedToThrow = true; try { bNeedToThrow = !demand.CheckPermitOnly(perm); } catch (ArgumentException) { } if (bNeedToThrow) { throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), null, permSet, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } } // Check Denials permSet = GetDenials(fDeclarative); if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If an unrestricted set was denied and the demand implements IUnrestricted if (permSet.IsUnrestricted()) { throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } // If the deny set does contain the demanded permission, throw a security exception bool bNeedToThrow = true; try { bNeedToThrow = !demand.CheckDeny(perm); } catch (ArgumentException) { } if (bNeedToThrow) { throw new SecurityException(String.Format(CultureInfo.InvariantCulture, Environment.GetResourceString("Security_Generic"), demand.GetType().AssemblyQualifiedName), permSet, null, SecurityRuntime.GetMethodInfo(rmh), demand, demand); } } if (GetAssertAllPossible()) { return(SecurityRuntime.StackHalt); } permSet = GetAssertions(fDeclarative); // Check Assertions if (permSet != null) { CodeAccessPermission perm = (CodeAccessPermission)permSet.GetPermission(demand); // If the assert set does contain the demanded permission, halt the stackwalk try { if (permSet.IsUnrestricted() || demand.CheckAssert(perm)) { return(SecurityRuntime.StackHalt); } } catch (ArgumentException) { } } } finally { if (bThreadSecurity) { SecurityManager._SetThreadSecurity(true); } } return(SecurityRuntime.StackContinue); }
private PermissionList GetListForToken(PermissionToken permToken, bool create) { TokenBasedSet permSet; BCLDebug.Assert(permToken != null, "permToken != null"); if (permToken.m_isUnrestricted) permSet = m_unrestrictedPermSet; else permSet = m_normalPermSet; PermissionList plist = (PermissionList)permSet.GetItem(permToken.m_index); if (plist == null && create) { plist = new PermissionList(); permSet.SetItem(permToken.m_index, plist); } return plist; }
// static default constructor. This will be called before any of the static members are accessed. static CodeAccessSecurityEngine() { AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion); AssertPermissionToken = PermissionToken.GetToken(AssertPermission); }
private static bool CheckDynamicMethodHelper(DynamicResolver dynamicResolver, IPermission demandIn, PermissionToken permToken, RuntimeMethodHandleInternal rmh) { CompressedStack securityContext = dynamicResolver.GetSecurityContext(); try { return(securityContext.CheckDemandNoHalt((CodeAccessPermission)demandIn, permToken, rmh)); } catch (SecurityException ex) { throw new SecurityException(Environment.GetResourceString("Security_AnonymouslyHostedDynamicMethodCheckFailed"), (Exception)ex); } }