public void SetPermission_Unrestricted ()
{
SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted);
PermissionSet ps = new PermissionSet (PermissionState.Unrestricted);
Assert.AreEqual (0, ps.Count, "Empty");
Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted");
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
ZoneIdentityPermission zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone");
#if NET_2_0
// Adding a non unrestricted identity permission now results in
// a permission set loosing it's unrestricted status
Assert.IsTrue (!ps.IsUnrestricted (), "State-Unrestricted-2");
#else
Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted-2");
#endif
zip = new ZoneIdentityPermission (SecurityZone.Intranet);
zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission-2");
Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone-2");
SecurityPermission result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (2, ps.Count, "SecurityPermission");
Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None");
sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain);
result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (2, ps.Count, "SecurityPermission-2");
Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags-2");
}
public void Correctly_determines_permissions()
{
// Execution has to be always granted. Otherwise this code wouldn't run in the first place.
var securityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
Assert.IsTrue(securityPermission.IsGranted());
}
public void ReflectionFormatterReadSecurityExceptionPropertiesWithoutPermissionTest()
{
SecurityPermission denyPermission
= new SecurityPermission(SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlEvidence);
PermissionSet permissions = new PermissionSet(PermissionState.None);
permissions.AddPermission(denyPermission);
permissions.Deny();
StringBuilder sb = new StringBuilder();
StringWriter writer = new StringWriter(sb);
SecurityException exception = null;
try
{
DemandException(denyPermission);
}
catch (SecurityException e)
{
exception = e;
}
MockTextExceptionFormatter formatter = new MockTextExceptionFormatter(writer, exception, Guid.Empty);
formatter.Format();
CodeAccessPermission.RevertDeny();
formatter = new MockTextExceptionFormatter(writer, exception, Guid.Empty);
formatter.Format();
Assert.AreEqual(exception.Demanded.ToString(), formatter.properties["Demanded"]);
}
// static default constructor. This will be called before any of the static members are accessed.
static CodeAccessSecurityEngine()
{
#pragma warning disable 618
AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion);
#pragma warning restore 618
AssertPermissionToken = PermissionToken.GetToken(AssertPermission);
}
static BaseCredentialsPrompt()
{
lock (_lockObject)
{
_unmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
}
}
public void RunApp(string FileName, string arg)
{
SecurityPermission SP = new SecurityPermission(SecurityPermissionFlag.AllFlags);
SP.Assert();
//ProcessStartInfo process = new ProcessStartInfo("cmd", "/c " + FileName ));
System.Diagnostics.Process process = new System.Diagnostics.Process();
process.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
//process.StartInfo.UseShellExecute = false;
//process.StartInfo.RedirectStandardOutput = true;
//process.StartInfo.RedirectStandardError = true;
//process.StartInfo.CreateNoWindow = true;
process.StartInfo.FileName = FileName;
process.StartInfo.Arguments = arg;
process.StartInfo.WorkingDirectory = System.IO.Path.GetDirectoryName(FileName);
//Vista or higher check
if (System.Environment.OSVersion.Version.Major >= 6)
process.StartInfo.Verb = "runas";
try
{
process.Start();
process.WaitForExit();
process.Close();
}
catch (InvalidOperationException)
{
//e.ExceptionObject.ToString();
}
}
public void CanReflectOnSecurityExceptionWithoutPermission()
{
SecurityPermission denyPermission
= new SecurityPermission(SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlEvidence);
PermissionSet permissions = new PermissionSet(PermissionState.None);
permissions.AddPermission(denyPermission);
permissions.Deny();
SecurityException exception = null;
try
{
DemandException(denyPermission);
}
catch (SecurityException e)
{
exception = e;
}
ExceptionFormatter formatter = new ExceptionFormatter();
String message = formatter.GetMessage(exception);
Match demandedMatch = DemandedEntryRegex.Match(message);
Assert.IsNotNull(demandedMatch);
Assert.AreEqual(Resources.PropertyAccessFailed, demandedMatch.Groups[1].Value);
CodeAccessPermission.RevertDeny();
message = formatter.GetMessage(exception);
demandedMatch = DemandedEntryRegex.Match(message);
Assert.IsNotNull(demandedMatch);
Assert.AreNotEqual(Resources.PropertyAccessFailed, demandedMatch.Groups[1].Value);
}
public static void SetAppDomainData()
{
SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.ControlAppDomain);
sp.Assert();
AppDomain.CurrentDomain.SetData("SQLServerCompactEditionUnderWebHosting", true);
}
public Clerk(string compensator, string description, CompensatorOptions flags)
{
SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
permission.Demand();
permission.Assert();
this.Init(compensator, description, flags);
}
public override void Install(IDictionary stateSaver)
{
try
{
SecurityPermission permission =
new SecurityPermission(PermissionState.Unrestricted);
permission.Demand();
}
catch (SecurityException)
{
throw new InstallException(
"You have insufficient privileges to " +
"register a trust relationship. Start Excel " +
"and confirm the trust dialog to run the addin.");
}
Uri deploymentManifestLocation = null;
// NodeXLModification
//
// "deploymentManifestLocation" parameter name changed to
// "deploymentLocation" to make it consistent with
// ClickOnceInstaller.cs.
if (Uri.TryCreate(Context.Parameters["deploymentLocation"],
UriKind.RelativeOrAbsolute, out deploymentManifestLocation) == false)
{
throw new InstallException(
"The location of the deployment manifest is missing or invalid.");
}
AddInSecurityEntry entry = new AddInSecurityEntry(
deploymentManifestLocation, RSA_PublicKey);
UserInclusionList.Add(entry);
stateSaver.Add("entryKey", deploymentManifestLocation);
base.Install(stateSaver);
}
/// <summary>
/// Initializes UnmanagedCodePermission for the <see cref="Credential" /> class.
/// </summary>
static Credential()
{
lock (LockObject)
{
UnmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
}
}
public ClerkMonitor()
{
SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
permission.Demand();
permission.Assert();
this._monitor = new CrmMonitor();
this._version = 0;
}
public Clerk(Type compensator, string description, CompensatorOptions flags)
{
SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
permission.Demand();
permission.Assert();
this.ValidateCompensator(compensator);
string str = "{" + Marshal.GenerateGuidForType(compensator) + "}";
this.Init(str, description, flags);
}
internal static void AnimateWindow(Control control, int time, AnimationFlags flags)
{
try
{
SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
sp.Demand();
AnimateWindow(new HandleRef(control, control.Handle), time, flags);
}
catch (SecurityException) { }
}
public void Assert()
{
// We must have the "Assertion" security flag for this to work.
SecurityPermission perm;
perm = new SecurityPermission(SecurityPermissionFlag.Assertion);
perm.Demand();
// Assert this permission.
Assert(2);
}
internal static PermissionSet _UnsafeGetAssertPermSet()
{
PermissionSet set = new PermissionSet(PermissionState.None);
RegistryPermission perm = new RegistryPermission(PermissionState.Unrestricted);
set.AddPermission(perm);
EnvironmentPermission permission2 = new EnvironmentPermission(PermissionState.Unrestricted);
set.AddPermission(permission2);
SecurityPermission permission3 = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
set.AddPermission(permission3);
return set;
}
internal static void SetTopMost(Control control)
{
try
{
System.Security.Permissions.SecurityPermission securityPermission = new System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityPermissionFlag.UnmanagedCode);
securityPermission.Demand();
NativeMethods.SetWindowPos(new System.Runtime.InteropServices.HandleRef(control, control.Handle), NativeMethods.HWND_TOPMOST, 0, 0, 0, 0, 19);
}
catch (System.Security.SecurityException)
{
}
}
internal static void AnimateWindow(Control control, int time, NativeMethods.AnimationFlags flags)
{
try
{
System.Security.Permissions.SecurityPermission securityPermission = new System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityPermissionFlag.UnmanagedCode);
securityPermission.Demand();
NativeMethods.AnimateWindow(new System.Runtime.InteropServices.HandleRef(control, control.Handle), time, flags);
}
catch (System.Security.SecurityException)
{
}
}
public void DoWork()
{
// Note that because DoDangerousThing is public, this
// security check does not resolve the violation.
// This only checks callers that go through DoWork().
SecurityPermission secPerm = new SecurityPermission(
SecurityPermissionFlag.ControlPolicy |
SecurityPermissionFlag.ControlEvidence
);
secPerm.Demand();
DoDangerousThing();
}
internal static void AnimateWindow(Control control, int time, AnimationFlags flags)
{
Contract.Requires<ArgumentNullException>(control != null);
try
{
SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
sp.Demand();
AnimateWindow(new HandleRef(control, control.Handle), time, flags);
}
catch (SecurityException) { }
}
[System.Security.SecuritySafeCritical] // auto-generated
static RemotingServices()
{
System.Security.CodeAccessPermission.Assert(true);
s_RemotingInfrastructurePermission= new SecurityPermission(SecurityPermissionFlag.Infrastructure);
s_MscorlibAssembly = typeof(RemotingServices).Assembly;
s_FieldGetterMB = null;
s_FieldSetterMB = null;
s_bRemoteActivationConfigured = false;
s_bRegisteredWellKnownChannels = false;
s_bInProcessOfRegisteringWellKnownChannels = false;
s_delayLoadChannelLock = new Object();
}
/// <summary>
/// Static Constructor is used to set the CanBinarySerialize value only once for the given security policy
/// </summary>
static Serializer()
{
SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.SerializationFormatter);
try
{
sp.Demand();
CanBinarySerialize = true;
}
catch(SecurityException)
{
CanBinarySerialize = false;
}
}
/// <summary>
/// Creates a new TRACKMOUSEEVENT struct with default settings
/// </summary>
public TRACKMOUSEEVENT()
{
// Marshal.SizeOf() uses SecurityAction.LinkDemand to prevent
// it from being called from untrusted code, so make sure we
// have permission to call it
SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
permission.Demand();
this.cbSize = Marshal.SizeOf(typeof(TRACKMOUSEEVENT));
this.dwFlags = 0;
this.hwndTrack = IntPtr.Zero;
this.dwHoverTime = 100;
}
public override void RemoveEventHandler(object target, Delegate handler) {
if (Marshal.IsComObject(target)) {
// retrieve sourceIid and dispid
Guid sourceIid;
int dispid;
GetDataForComInvocation(_innerEventInfo, out sourceIid, out dispid);
// now validate the caller can call into native and redirect to ComEventHelpers.Combine
SecurityPermission perm = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
perm.Demand();
System.Runtime.InteropServices.ComEventsHelper.Remove(target, sourceIid, dispid, handler);
} else {
// we are dealing with a managed object - just add the delegate through relection
_innerEventInfo.RemoveEventHandler(target, handler);
}
}
/// <summary>
///
/// </summary>
/// <param name="stream"></param>
/// <param name="evidence"></param>
/// <returns></returns>
public static Assembly ReadAssembly(Stream stream, Evidence evidence)
{
SecurityPermission securityPermission = new SecurityPermission(SecurityPermissionFlag.ControlEvidence);
securityPermission.Assert();
int num = (int)stream.Length;
byte[] array = new byte[num];
stream.Read(array, 0, num);
try
{
return Assembly.Load(array, null, evidence);
}
finally
{
CodeAccessPermission.RevertAssert();
}
}
public override void Install(System.Collections.IDictionary stateSaver)
{
try
{
SecurityPermission permission =
new SecurityPermission(PermissionState.Unrestricted);
permission.Demand();
}
catch (SecurityException)
{
throw new InstallException(
"You have insufficient privileges to " +
"install the add-in into the ClickOnce cache. " +
"Please contact your system administrator.");
}
string deploymentLocation = Context.Parameters["deploymentLocation"];
if (String.IsNullOrEmpty(deploymentLocation))
{
throw new InstallException("Deployment location not configured. Setup unable to continue");
}
string arguments = String.Format(
"/S /I \"{0}\"", deploymentLocation);
int exitCode = ExecuteVSTOInstaller(arguments);
if (exitCode != 0)
{
string message = null;
switch (exitCode)
{
case -300:
message = String.Format(
"The Visual Studio Tools for Office solution was signed by an untrusted publisher and as such cannot be installed automatically. Please use your browser to navigate to {0} in order to install the solution manually. You will be prompted if the solution is trusted for execution.",
deploymentLocation);
break;
default:
message = String.Format(
"The installation of the ClickOnce solution failed with exit code {0}",
exitCode);
break;
}
throw new InstallException(message);
}
stateSaver.Add("deploymentLocation", deploymentLocation);
base.Install(stateSaver);
}
internal static Win32Exception CreateSafeWin32Exception(int error) {
Win32Exception newException = null;
// Need to assert SecurtiyPermission, otherwise Win32Exception
// will not be able to get the error message. At this point the right
// permissions have already been demanded.
SecurityPermission securityPermission = new SecurityPermission(PermissionState.Unrestricted);
securityPermission.Assert();
try {
if (error == 0)
newException = new Win32Exception();
else
newException = new Win32Exception(error);
}
finally {
SecurityPermission.RevertAssert();
}
return newException;
}
internal static PermissionSet _UnsafeGetAssertPermSet() {
// SEC_NOTE: All callers should already be guarded by EventLogPermission demand.
PermissionSet permissionSet = new PermissionSet(PermissionState.None);
// We need RegistryPermission
RegistryPermission registryPermission = new RegistryPermission(PermissionState.Unrestricted);
permissionSet.AddPermission(registryPermission);
// It is not enough to just assert RegistryPermission, for some regkeys
// we need to assert EnvironmentPermission too
EnvironmentPermission environmentPermission = new EnvironmentPermission(PermissionState.Unrestricted);
permissionSet.AddPermission(environmentPermission);
// For remote machine registry access UnmanagdCodePermission is required.
SecurityPermission securityPermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
permissionSet.AddPermission(securityPermission);
return permissionSet;
}
static private bool CheckExecution()
{
if (checkExecution == -1)
{
checkExecution = (GetGlobalFlags() & CheckExecutionRightsDisabledFlag) != 0 ? 0 : 1;
}
if (checkExecution == 1)
{
if (securityPermissionType == null)
{
securityPermissionType = typeof(System.Security.Permissions.SecurityPermission);
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
DEBUG_OUT("Execution checking ON");
return(true);
}
else
{
DEBUG_OUT("Execution checking OFF");
return(false);
}
}
[System.Security.SecurityCritical] // auto-generated
internal virtual String InternalToString()
{
try
{
#pragma warning disable 618
SecurityPermission sp= new SecurityPermission(SecurityPermissionFlag.ControlEvidence | SecurityPermissionFlag.ControlPolicy);
#pragma warning restore 618
sp.Assert();
}
catch
{
//under normal conditions there should be no exceptions
//however if something wrong happens we still can call the usual ToString
}
// Get the current stack trace string.
return ToString(true, true);
}
public void SetPermission_None ()
{
PermissionSet ps = new PermissionSet (PermissionState.None);
Assert.AreEqual (0, ps.Count, "Empty");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None");
SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted);
SecurityPermission result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (1, ps.Count, "SecurityPermission");
Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags");
Assert.IsTrue (!ps.IsUnrestricted (), "State-None-2");
sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain);
result = (SecurityPermission)ps.SetPermission (sp);
Assert.AreEqual (1, ps.Count, "SecurityPermission-2");
Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags");
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
ZoneIdentityPermission zipr = (ZoneIdentityPermission) ps.SetPermission (zip);
Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone");
zip = new ZoneIdentityPermission (SecurityZone.Intranet);
zipr = (ZoneIdentityPermission)ps.SetPermission (zip);
Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission");
Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone");
}
public void RemovePermission_Unrestricted ()
{
PermissionSet ps = new PermissionSet (PermissionState.Unrestricted);
Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty");
SecurityPermission sp = new SecurityPermission (SecurityPermissionFlag.Assertion);
ps.AddPermission (sp);
Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "SecurityPermissionn");
ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer);
ps.AddPermission (zip);
ZoneIdentityPermission removed = (ZoneIdentityPermission)ps.RemovePermission (typeof (ZoneIdentityPermission));
#if NET_2_0
// identity permissions aren't added to unrestricted permission sets
// so they cannot be removed later (hence the null)
Assert.IsNull (removed, "ZoneIdentityPermission");
#else
Assert.IsNotNull (removed, "ZoneIdentityPermission");
#endif
}
public void RemovePermission_None ()
{
PermissionSet ps = new PermissionSet (PermissionState.None);
Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty");
SecurityPermission sp = new SecurityPermission (SecurityPermissionFlag.Assertion);
ps.AddPermission (sp);
SecurityPermission removed = (SecurityPermission) ps.RemovePermission (typeof (SecurityPermission));
Assert.IsNotNull (removed, "SecurityPermission");
Assert.AreEqual (sp.Flags, removed.Flags, "Flags");
Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty-Again");
}
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
PermissionSet requested;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
{
requested = optional;
}
else
{
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
}
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted() && CheckExecution())
{
requested.AddPermission(executionSecurityPermission);
}
if (InitPolicy())
{
// If we aren't passed any evidence, just make an empty object
// If we are passed evidence, copy it before passing it
// to the policy manager.
// Note: this is not a deep copy, the pieces of evidence within the
// Evidence object can still be altered and affect the originals.
if (evidence == null)
{
evidence = new Evidence();
}
else
{
evidence = evidence.ShallowCopy();
}
evidence.AddHost(new PermissionRequestEvidence(reqdPset, optPset, denyPset));
// We need to make sure that no stray exceptions come out of Resolve so
// we wrap it in a try block.
try
{
allowed = polmgr.Resolve(evidence, requested);
}
catch (Exception e)
{
#if _DEBUG
if (debug)
{
DEBUG_OUT("Exception during resolve");
DEBUG_OUT(e.GetType().FullName);
DEBUG_OUT(e.Message);
DEBUG_OUT(e.StackTrace);
}
#endif
// If we get a policy exception, we are done are we are going to fail to
// load no matter what.
if (e is PolicyException)
{
throw e;
}
// If we get any other kid of exception, we set the allowed set to the
// empty set and continue processing as normal. This allows assemblies
// that make no request to be loaded but blocks any assembly that
// makes a request from being loaded. This seems like a valid design to
// me -- gregfee 6/19/2000
savedException = e;
allowed = new PermissionSet();
}
}
else
{
denied = null;
return(null);
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("ResolvePolicy:");
IEnumerator enumerator = evidence.GetEnumerator();
DEBUG_OUT("Evidence:");
while (enumerator.MoveNext())
{
Object obj = enumerator.Current;
if (obj is Site)
{
DEBUG_OUT(((Site)obj).ToXml().ToString());
}
else if (obj is Zone)
{
DEBUG_OUT(((Zone)obj).ToXml().ToString());
}
else if (obj is Url)
{
DEBUG_OUT(((Url)obj).ToXml().ToString());
}
else if (obj is Publisher)
{
DEBUG_OUT(((Publisher)obj).ToXml().ToString());
}
else if (obj is StrongName)
{
DEBUG_OUT(((StrongName)obj).ToXml().ToString());
}
else if (obj is PermissionRequestEvidence)
{
DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString());
}
}
DEBUG_OUT("Required permissions:");
DEBUG_OUT(reqdPset != null ? reqdPset.ToString() : "<null>");
DEBUG_OUT("Optional permissions:");
DEBUG_OUT(optPset != null ? optPset.ToString() : "<null>");
DEBUG_OUT("Denied permissions:");
DEBUG_OUT(denyPset != null ? denyPset.ToString() : "<null>");
DEBUG_OUT("Requested permissions:");
DEBUG_OUT(requested != null ? requested.ToString() : "<null>");
DEBUG_OUT("Granted permissions:");
DEBUG_OUT(allowed != null ? allowed.ToString() : "<null>");
}
#endif
// Check that we were granted the right to execute.
if (!allowed.IsUnrestricted() && checkExecutionPermission && CheckExecution())
{
SecurityPermission secPerm = (SecurityPermission)allowed.GetPermission(securityPermissionType);
if (secPerm == null || !executionSecurityPermission.IsSubsetOf(secPerm))
{
#if _DEBUG
DEBUG_OUT("No execute permission");
#endif
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
#if _DEBUG
DEBUG_OUT("Didn't get required permissions");
#endif
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException);
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
#if _DEBUG
if (debug)
{
DEBUG_OUT("Final denied permissions:");
DEBUG_OUT(denied != null ? denied.ToString() : "<null>");
}
#endif
return(allowed);
}
