/// <summary>
/// Gets lockdown policy as applied to a file.
/// </summary>
/// <returns>An EnforcementMode that describes policy.</returns>
public static SystemEnforcementMode GetLockdownPolicy(string path, SafeHandle handle)
{
// Check the WLDP File policy via API
var wldpFilePolicy = GetWldpPolicy(path, handle);
if (wldpFilePolicy == SystemEnforcementMode.Enforce)
{
return(wldpFilePolicy);
}
// Check the AppLocker File policy via API
// This needs to be checked before WLDP audit policy
// So, that we don't end up in Audit mode,
// when we should be enforce mode.
var appLockerFilePolicy = GetAppLockerPolicy(path, handle);
if (appLockerFilePolicy == SystemEnforcementMode.Enforce)
{
return(appLockerFilePolicy);
}
// At this point, LockdownPolicy = Audit or Allowed.
// If there was a WLDP policy, but WLDP didn't block it,
// then it was explicitly allowed. Therefore, return the result for the file.
SystemEnforcementMode systemWldpPolicy = s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None);
if ((systemWldpPolicy == SystemEnforcementMode.Audit) ||
(systemWldpPolicy == SystemEnforcementMode.Enforce))
{
return(wldpFilePolicy);
}
// If there was a system-wide AppLocker policy, but AppLocker didn't block it,
// then return AppLocker's status.
if (s_cachedSaferSystemPolicy.GetValueOrDefault(SaferPolicy.Allowed) ==
SaferPolicy.Disallowed)
{
return(appLockerFilePolicy);
}
// If it's not set to 'Enforce' by the platform, allow debug overrides
return(GetDebugLockdownPolicy(path));
}
/// <summary>
/// Common initialization for all constructors.
/// </summary>
private void CommonInitialization()
{
// Assume external scripts are untrusted by default (for Get-Command, etc)
// until we've actually parsed their script block.
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.None)
{
// Get the lock down policy with no handle. This only impacts command discovery,
// as the real language mode assignment will be done when we read the script
// contents.
SystemEnforcementMode scriptSpecificPolicy = SystemPolicy.GetLockdownPolicy(_path, null);
if (scriptSpecificPolicy != SystemEnforcementMode.Enforce)
{
this.DefiningLanguageMode = PSLanguageMode.FullLanguage;
}
else
{
this.DefiningLanguageMode = PSLanguageMode.ConstrainedLanguage;
}
}
}
/// <summary>
/// Gets lockdown policy as applied to a file
/// </summary>
/// <returns>An EnforcementMode that describes policy</returns>
public static SystemEnforcementMode GetLockdownPolicy(string path, SafeHandle handle)
{
// Check the WLDP API
SystemEnforcementMode lockdownPolicy = GetWldpPolicy(path, handle);
if (lockdownPolicy == SystemEnforcementMode.Enforce)
{
return(lockdownPolicy);
}
// At this point, LockdownPolicy = Audit or Allowed.
// If there was a WLDP policy, but WLDP didn't block it,
// then it was explicitly allowed. Therefore, return the result for the file.
SystemEnforcementMode systemWldpPolicy = s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None);
if ((systemWldpPolicy == SystemEnforcementMode.Enforce) ||
(systemWldpPolicy == SystemEnforcementMode.Audit))
{
return(lockdownPolicy);
}
// Check the AppLocker API
lockdownPolicy = GetAppLockerPolicy(path, handle);
if (lockdownPolicy == SystemEnforcementMode.Enforce)
{
return(lockdownPolicy);
}
// If there was a system-wide AppLocker policy, but AppLocker didn't block it,
// then return AppLocker's status.
if (s_cachedSaferSystemPolicy.GetValueOrDefault(SaferPolicy.Allowed) ==
SaferPolicy.Disallowed)
{
return(lockdownPolicy);
}
// If it's not set to 'Enforce' by the platform, allow debug overrides
return(GetDebugLockdownPolicy(path));
}
private void ReadScriptContents()
{
if (_scriptContents == null)
{
// make sure we can actually load the script and that it's non-empty
// before we call it.
// Note, although we are passing ASCII as the encoding, the StreamReader
// class still obeys the byte order marks at the beginning of the file
// if present. If not present, then ASCII is used as the default encoding.
try
{
using (FileStream readerStream = new FileStream(_path, FileMode.Open, FileAccess.Read))
{
Encoding defaultEncoding = ClrFacade.GetDefaultEncoding();
Microsoft.Win32.SafeHandles.SafeFileHandle safeFileHandle = readerStream.SafeFileHandle;
using (StreamReader scriptReader = new StreamReader(readerStream, defaultEncoding))
{
_scriptContents = scriptReader.ReadToEnd();
_originalEncoding = scriptReader.CurrentEncoding;
// Check if this came from a trusted path. If so, set its language mode to FullLanguage.
if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.None)
{
SystemEnforcementMode scriptSpecificPolicy = SystemPolicy.GetLockdownPolicy(_path, safeFileHandle);
if (scriptSpecificPolicy != SystemEnforcementMode.Enforce)
{
this.DefiningLanguageMode = PSLanguageMode.FullLanguage;
}
else
{
this.DefiningLanguageMode = PSLanguageMode.ConstrainedLanguage;
}
}
else
{
if (this.Context != null)
{
this.DefiningLanguageMode = this.Context.LanguageMode;
}
}
}
}
}
catch (ArgumentException e)
{
// This catches PSArgumentException as well.
ThrowCommandNotFoundException(e);
}
catch (IOException e)
{
ThrowCommandNotFoundException(e);
}
catch (NotSupportedException e)
{
ThrowCommandNotFoundException(e);
}
catch (UnauthorizedAccessException e)
{
// this is unadvertised exception thrown by the StreamReader ctor when
// no permission to read the script file
ThrowCommandNotFoundException(e);
}
}
}
private static SystemEnforcementMode GetWldpPolicy(string path, SafeHandle handle)
{
// If the WLDP assembly is missing (such as windows 7 or down OS), return default/None to skip WLDP valification
if (s_hadMissingWldpAssembly || !IO.File.Exists(IO.Path.Combine(Environment.SystemDirectory, "wldp.dll")))
{
s_hadMissingWldpAssembly = true;
return(s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None));
}
// If path is NULL, see if we have the cached system-wide lockdown policy.
if (String.IsNullOrEmpty(path))
{
if ((s_cachedWldpSystemPolicy != null) && (!InternalTestHooks.BypassAppLockerPolicyCaching))
{
return(s_cachedWldpSystemPolicy.Value);
}
}
try
{
WLDP_HOST_INFORMATION hostInformation = new WLDP_HOST_INFORMATION();
hostInformation.dwRevision = WldpNativeConstants.WLDP_HOST_INFORMATION_REVISION;
hostInformation.dwHostId = WLDP_HOST_ID.WLDP_HOST_ID_POWERSHELL;
if (!String.IsNullOrEmpty(path))
{
hostInformation.szSource = path;
if (handle != null)
{
IntPtr fileHandle = IntPtr.Zero;
fileHandle = handle.DangerousGetHandle();
hostInformation.hSource = fileHandle;
}
}
uint pdwLockdownState = 0;
int result = WldpNativeMethods.WldpGetLockdownPolicy(ref hostInformation, ref pdwLockdownState, 0);
if (result >= 0)
{
SystemEnforcementMode resultingLockdownPolicy = GetLockdownPolicyForResult(pdwLockdownState);
// If this is a query for the system-wide lockdown policy, cache it.
if (String.IsNullOrEmpty(path))
{
s_cachedWldpSystemPolicy = resultingLockdownPolicy;
}
return(resultingLockdownPolicy);
}
else
{
// API failure?
return(SystemEnforcementMode.Enforce);
}
}
catch (DllNotFoundException)
{
s_hadMissingWldpAssembly = true;
return(s_cachedWldpSystemPolicy.GetValueOrDefault(SystemEnforcementMode.None));
}
}
