//
// API for PermissionSets
//
public virtual void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
{
// Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
// you need to change the fourth parameter to a zero.
FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO(
CodeAccessSecurityEngine.AssertPermissionToken,
CodeAccessSecurityEngine.AssertPermission,
ref stackMark,
1,
1);
BCLDebug.Assert(secObj != null || !SecurityManager.SecurityEnabled, "Failure in SecurityRuntime.Assert() - secObj != null");
if (secObj == null)
{
if (SecurityManager.SecurityEnabled)
{
// Security: REQ_SQ flag is missing. Bad compiler ?
throw new ExecutionEngineException(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
}
}
else
{
if (secObj.GetAssertions() != null)
{
throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
}
secObj.SetAssert(permSet);
}
}
[System.Security.SecurityCritical] // auto-generated
internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
{
// Note: if the "AssertPermission" is not a permission that implements IUnrestrictedPermission
// you need to change the fourth parameter to a zero.
FrameSecurityDescriptor secObj = CodeAccessSecurityEngine.CheckNReturnSO(
CodeAccessSecurityEngine.AssertPermissionToken,
CodeAccessSecurityEngine.AssertPermission,
ref stackMark,
1);
Contract.Assert(secObj != null, "Failure in SecurityRuntime.Assert() - secObj != null");
if (secObj == null)
{
// Security: REQ_SQ flag is missing. Bad compiler ?
System.Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
}
else
{
if (secObj.HasImperativeAsserts())
{
throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
}
secObj.SetAssert(permSet);
}
}
internal static void DemandInternal(PermissionType permissionType)
{
CodeAccessSecurityEngine codeAccessSE =
(CodeAccessSecurityEngine)SecurityManager.GetCodeAccessSecurityEngine();
if (commonSecObj == null)
{
// These correspond to SharedPermissionObjects in security.h, that is instances of commonly needed
// permissions. From managed code, we regularly need Serialization and reflection emit permission.
// The enum which acts as index into this array is same in EE and BCL. Thats why first 5 entries are null.
// There is no synchronization on this call since the worse thing
// that happens is that we create it multiple times (assuming that
// assignment is atomic).
commonSecObj =
new CodeAccessPermission[] {
null, // Unmanaged code access permission
null, // Skip verification permission
null, // Reflection type info permission
null, // Assert permission
null, // Reflection member access permission
new SecurityPermission(SecurityPermissionFlag.SerializationFormatter),
new ReflectionPermission(ReflectionPermissionFlag.ReflectionEmit)
};
}
BCLDebug.Assert(commonSecObj[(int)permissionType] != null, "Uninitialized commonSecObj in CodeAccessPermission");
if (codeAccessSE != null)
{
StackCrawlMark stackMark = StackCrawlMark.LookForMyCallersCaller;
codeAccessSE.Check(commonSecObj[(int)permissionType], ref stackMark, permissionType);
}
}
private static void ReflectionTargetDemandHelper(int permission, PermissionSet targetGrant)
{
StackCrawlMark stackCrawlMark = StackCrawlMark.LookForMyCaller;
CompressedStack compressedStack = CompressedStack.GetCompressedStack(ref stackCrawlMark);
CodeAccessSecurityEngine.ReflectionTargetDemandHelper(permission, targetGrant, compressedStack);
}
static private void DoInitSecurity()
{
s_ftPermSet = new PermissionSet(true);
isr = new SecurityRuntime();
icase = new CodeAccessSecurityEngine();
}
private static void ThrowSecurityException(object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandleInternal rmh, SecurityAction action, object demand, IPermission permThatFailed)
{
if (assemblyOrString != null && !(assemblyOrString is RuntimeAssembly))
{
throw SecurityException.MakeSecurityException(new AssemblyName((string)assemblyOrString), (Evidence)null, granted, refused, rmh, action, demand, permThatFailed);
}
CodeAccessSecurityEngine.ThrowSecurityException((RuntimeAssembly)assemblyOrString, granted, refused, rmh, action, demand, permThatFailed);
}
internal static void CheckAssembly(RuntimeAssembly asm, CodeAccessPermission demand)
{
PermissionSet newGrant;
PermissionSet newDenied;
asm.GetGrantSet(out newGrant, out newDenied);
CodeAccessSecurityEngine.CheckHelper(newGrant, newDenied, demand, PermissionToken.GetToken((IPermission)demand), RuntimeMethodHandleInternal.EmptyHandle, (object)asm, SecurityAction.Demand, true);
}
internal bool CheckDemandNoThrow(CodeAccessPermission demand, PermissionToken permToken)
{
Debug.Assert(AssertSet == null, "AssertSet not null");
#pragma warning disable 618
return(CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, RuntimeMethodHandleInternal.EmptyHandle, null, SecurityAction.Demand, false));
#pragma warning restore 618
}
public void Demand()
{
if (!this.CheckDemand(null))
{
StackCrawlMark stackMark = StackCrawlMark.LookForMyCallersCaller;
CodeAccessSecurityEngine.Check(this, ref stackMark);
}
}
internal static void CheckAssembly(RuntimeAssembly asm, CodeAccessPermission demand)
{
PermissionSet grantedSet;
PermissionSet refusedSet;
asm.GetGrantSet(out grantedSet, out refusedSet);
CodeAccessSecurityEngine.CheckHelper(grantedSet, refusedSet, demand, PermissionToken.GetToken(demand), RuntimeMethodHandleInternal.EmptyHandle, asm, SecurityAction.Demand, true);
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh)
{
if (!PermissionSetTriple.CheckAssert(this.AssertSet, demand, permToken))
{
return(false);
}
CodeAccessSecurityEngine.CheckHelper(this.GrantSet, this.RefusedSet, demand, permToken, rmh, (object)null, SecurityAction.Demand, true);
return(true);
}
[System.Security.SecurityCritical] // auto-generated
internal bool CheckSetDemandNoThrow(PermissionSet demandSet)
{
Contract.Assert(AssertSet == null, "AssertSet not null");
#pragma warning disable 618
return(CodeAccessSecurityEngine.CheckSetHelper(GrantSet, RefusedSet, demandSet, RuntimeMethodHandleInternal.EmptyHandle, null, SecurityAction.Demand, false));
#pragma warning restore 618
}
internal static void CheckSetHelper(CompressedStack cs, PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action)
{
if (cs != null)
{
cs.CheckSetDemand(demands, rmh);
return;
}
CodeAccessSecurityEngine.CheckSetHelper(grants, refused, demands, rmh, asm, action, true);
}
internal PermissionSet Resolve(Evidence evidence)
{
PermissionSet grantSet = null;
if (CodeAccessSecurityEngine.TryResolveGrantSet(evidence, out grantSet))
{
return(grantSet);
}
return(this.CodeGroupResolve(evidence, false));
}
public void PermitOnly()
{
CodeAccessSecurityEngine icase = SecurityManager.GetCodeAccessSecurityEngine();
if (icase != null)
{
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
icase.PermitOnly(this, ref stackMark);
}
}
public void Demand()
{
if (this.CheckDemand((CodeAccessPermission)null))
{
return;
}
StackCrawlMark stackMark = StackCrawlMark.LookForMyCallersCaller;
CodeAccessSecurityEngine.Check(this, ref stackMark);
}
public void Demand()
{
CodeAccessSecurityEngine icase =
SecurityManager.GetCodeAccessSecurityEngine();
if (icase != null && !this.IsSubsetOf(null))
{
StackCrawlMark stackMark = StackCrawlMark.LookForMyCallersCaller;
icase.Check(this, ref stackMark);
}
}
internal static void CheckHelper(CompressedStack cs, PermissionSet grantedSet, PermissionSet refusedSet, CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandleInternal rmh, RuntimeAssembly asm, SecurityAction action)
{
if (cs != null)
{
cs.CheckDemand(demand, permToken, rmh);
}
else
{
CodeAccessSecurityEngine.CheckHelper(grantedSet, refusedSet, demand, permToken, rmh, (object)asm, action, true);
}
}
internal static bool CheckSetHelper(PermissionSet grants, PermissionSet refused, PermissionSet demands, RuntimeMethodHandleInternal rmh, object assemblyOrString, SecurityAction action, bool throwException)
{
IPermission permThatFailed = null;
if (grants != null)
{
grants.CheckDecoded(demands);
}
if (refused != null)
{
refused.CheckDecoded(demands);
}
bool flag = SecurityManager._SetThreadSecurity(false);
try
{
if (!demands.CheckDemand(grants, out permThatFailed))
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grants, refused, rmh, action, demands, permThatFailed);
}
if (!demands.CheckDeny(refused, out permThatFailed))
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grants, refused, rmh, action, demands, permThatFailed);
}
}
catch (SecurityException)
{
throw;
}
catch (Exception)
{
if (!throwException)
{
return(false);
}
CodeAccessSecurityEngine.ThrowSecurityException(assemblyOrString, grants, refused, rmh, action, demands, permThatFailed);
}
finally
{
if (flag)
{
SecurityManager._SetThreadSecurity(true);
}
}
return(true);
}
internal bool CheckDemand(CodeAccessPermission demand, PermissionToken permToken, RuntimeMethodHandle rmh)
{
if (CheckAssert(AssertSet, demand, permToken) == SecurityRuntime.StackHalt)
{
return(SecurityRuntime.StackHalt);
}
CodeAccessSecurityEngine.CheckHelper(GrantSet, RefusedSet, demand, permToken, rmh, null, SecurityAction.Demand, true);
return(SecurityRuntime.StackContinue);
}
private static void ThrowSecurityException(object assemblyOrString, PermissionSet granted, PermissionSet refused, RuntimeMethodHandleInternal rmh, SecurityAction action, object demand, IPermission permThatFailed)
{
if (assemblyOrString == null || assemblyOrString is RuntimeAssembly)
{
CodeAccessSecurityEngine.ThrowSecurityException((RuntimeAssembly)assemblyOrString, granted, refused, rmh, action, demand, permThatFailed);
return;
}
AssemblyName asmName = new AssemblyName((string)assemblyOrString);
throw SecurityException.MakeSecurityException(asmName, null, granted, refused, rmh, action, demand, permThatFailed);
}
internal static bool CanUnrestrictedOverride(IPermission ip)
{
if (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust())
{
return(true);
}
if (ip is IUnrestrictedPermission)
{
return(true);
}
return(false);
}
[MethodImplAttribute(MethodImplOptions.NoInlining)] // Methods containing StackCrawlMark local var has to be marked non-inlineable
internal static void Demand(PermissionType permissionType)
{
// The intent of the method is to be an internal mscorlib helper that Demands a specific permissiontype
// without having to create objects.
// The security annotation fxcop rule that flags all methods with a Demand() has logic
// which checks for methods named Demand in types that implement IPermission or IStackWalk.
Debug.Assert(new StackFrame().GetMethod().Name.Equals("Demand"), "This method needs to be named Demand");
StackCrawlMark stackMark = StackCrawlMark.LookForMyCallersCaller;
CodeAccessSecurityEngine.SpecialDemand(permissionType, ref stackMark);
}
internal bool CheckSetDemand(PermissionSet demandSet, out PermissionSet alteredDemandset, RuntimeMethodHandleInternal rmh)
{
alteredDemandset = (PermissionSet)null;
if (!PermissionSetTriple.CheckAssert(this.AssertSet, demandSet, out alteredDemandset))
{
return(false);
}
if (alteredDemandset != null)
{
demandSet = alteredDemandset;
}
CodeAccessSecurityEngine.CheckSetHelper(this.GrantSet, this.RefusedSet, demandSet, rmh, (object)null, SecurityAction.Demand, true);
return(true);
}
static public void GetZoneAndOrigin(out ArrayList zone, out ArrayList origin)
{
StackCrawlMark mark = StackCrawlMark.LookForMyCaller;
if (_IsSecurityOn())
{
CodeAccessSecurityEngine.GetZoneAndOrigin(ref mark, out zone, out origin);
}
else
{
zone = null;
origin = null;
}
}
internal static void Assert(PermissionSet permSet, ref StackCrawlMark stackMark)
{
FrameSecurityDescriptor frameSecurityDescriptor = CodeAccessSecurityEngine.CheckNReturnSO(CodeAccessSecurityEngine.AssertPermissionToken, CodeAccessSecurityEngine.AssertPermission, ref stackMark, 1);
if (frameSecurityDescriptor == null)
{
Environment.FailFast(Environment.GetResourceString("ExecutionEngine_MissingSecurityDescriptor"));
return;
}
if (frameSecurityDescriptor.HasImperativeAsserts())
{
throw new SecurityException(Environment.GetResourceString("Security_MustRevertOverride"));
}
frameSecurityDescriptor.SetAssert(permSet);
}
[System.Security.SecurityCritical] // auto-generated
internal PermissionSet Resolve(Evidence evidence)
{
// If we can resolve the grant set for the evidence via the host or the current AppDomain state,
// then return that. Otherwise, call back out to code group resolution.
PermissionSet grantSet = null;
if (CodeAccessSecurityEngine.TryResolveGrantSet(evidence, out grantSet))
{
return grantSet;
}
else
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "We're about to apply policy in a policy disabled app");
return CodeGroupResolve(evidence, false);
}
}
internal bool CheckSetDemand(PermissionSet demandSet, out PermissionSet alteredDemandset, RuntimeMethodHandle rmh)
{
alteredDemandset = null;
if (CheckAssert(AssertSet, demandSet, out alteredDemandset) == SecurityRuntime.StackHalt)
{
return(SecurityRuntime.StackHalt);
}
if (alteredDemandset != null)
{
demandSet = alteredDemandset; // note that this does not modify demandSet external to this function.
}
CodeAccessSecurityEngine.CheckSetHelper(GrantSet, RefusedSet, demandSet, rmh, null, SecurityAction.Demand, true);
return(SecurityRuntime.StackContinue);
}
//-----------------------------------------------------------+
// R E V E R T
//-----------------------------------------------------------+
internal void RevertAssert()
{
if (m_assertions != null)
{
m_assertions = null;
DecrementAssertCount();
}
if (m_DeclarativeAssertions != null)
{
m_AssertFT = (CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() && m_DeclarativeAssertions.IsUnrestricted());;
}
else
{
m_AssertFT = false;
}
}
// Token: 0x06001C6C RID: 7276 RVA: 0x0006188C File Offset: 0x0005FA8C
private static PermissionSet ResolveGrantSet(Evidence evidence, out int specialFlags, bool checkExecutionPermission)
{
PermissionSet permissionSet = null;
if (!CodeAccessSecurityEngine.TryResolveGrantSet(evidence, out permissionSet))
{
permissionSet = new PermissionSet(PermissionState.Unrestricted);
}
if (checkExecutionPermission)
{
SecurityPermission perm = new SecurityPermission(SecurityPermissionFlag.Execution);
if (!permissionSet.Contains(perm))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320);
}
}
specialFlags = SecurityManager.GetSpecialFlags(permissionSet, null);
return(permissionSet);
}
static private void DoInitSecurity()
{
s_ftPermSet = new PermissionSet(true);
isr = new SecurityRuntime();
icase = new CodeAccessSecurityEngine();
}
