[System.Security.SecurityCritical] // auto-generated internal PolicyStatement Resolve (Evidence evidence, int count, byte[] serializedEvidence) { if (evidence == null) throw new ArgumentNullException("evidence"); Contract.EndContractBlock(); PolicyStatement policy = null; if (serializedEvidence != null) policy = CheckCache(count, serializedEvidence); if (policy == null) { CheckLoaded(); bool allConst; bool isFullTrust = m_fullTrustAssemblies != null && IsFullTrustAssembly(m_fullTrustAssemblies, evidence); if (isFullTrust) { policy = new PolicyStatement(new PermissionSet(true), PolicyStatementAttribute.Nothing); allConst = true; } else { ArrayList list = GenericResolve(evidence, out allConst); policy = new PolicyStatement(); // This will set the permission set to the empty set. policy.PermissionSet = null; IEnumerator enumerator = list.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement ps = ((CodeGroupStackFrame)enumerator.Current).policy; if (ps != null) { policy.GetPermissionSetNoCopy().InplaceUnion(ps.GetPermissionSetNoCopy()); policy.Attributes |= ps.Attributes; // If we find a policy statement that's dependent upon unverified evidence, we // need to mark that as used so that the VM can potentially force verification on // the evidence. if (ps.HasDependentEvidence) { foreach (IDelayEvaluatedEvidence delayEvidence in ps.DependentEvidence) { delayEvidence.MarkUsed(); } } } } } if (allConst) { // We want to store in the cache the evidence that was touched during policy evaluation // rather than the input serialized evidence, since that evidence is optimized for the // standard policy and is not all-inclusive. We need to make sure that any evidence // used to determine the grant set is added to the cache key. Cache(count, evidence.RawSerialize(), policy); } } return policy; }
internal PermissionSet CodeGroupResolve (Evidence evidence, bool systemPolicy) { Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled); PermissionSet grant = null; PolicyStatement policy; PolicyLevel currentLevel = null; IEnumerator levelEnumerator = PolicyLevels.GetEnumerator(); // We're optimized for standard policy, where the only evidence that is generally evaluated are // Zone, StrongName and Url. Since all of these are relatively inexpensive, we'll force them to // generate, then use that as a key into the cache. evidence.GetHostEvidence<Zone>(); evidence.GetHostEvidence<StrongName>(); evidence.GetHostEvidence<Url>(); byte[] serializedEvidence = evidence.RawSerialize(); int count = evidence.RawCount; bool legacyIgnoreSystemPolicy = (AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null); bool testApplicationLevels = false; while (levelEnumerator.MoveNext()) { currentLevel = (PolicyLevel)levelEnumerator.Current; if (systemPolicy) { if (currentLevel.Type == PolicyLevelType.AppDomain) continue; } else if (legacyIgnoreSystemPolicy && currentLevel.Type != PolicyLevelType.AppDomain) continue; policy = currentLevel.Resolve(evidence, count, serializedEvidence); // If the grant is "AllPossible", the intersection is just the other permission set. // Otherwise, do an inplace intersection (since we know we can alter the grant set since // it is a copy of the first policy statement's permission set). if (grant == null) grant = policy.PermissionSet; else grant.InplaceIntersect(policy.GetPermissionSetNoCopy()); if (grant == null || grant.FastIsEmpty()) { break; } else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal) { if (currentLevel.Type != PolicyLevelType.AppDomain) { testApplicationLevels = true; } break; } } if (grant != null && testApplicationLevels) { PolicyLevel appDomainLevel = null; for (int i = PolicyLevels.Count - 1; i >= 0; --i) { currentLevel = (PolicyLevel) PolicyLevels[i]; if (currentLevel.Type == PolicyLevelType.AppDomain) { appDomainLevel = currentLevel; break; } } if (appDomainLevel != null) { policy = appDomainLevel.Resolve(evidence, count, serializedEvidence); grant.InplaceIntersect(policy.GetPermissionSetNoCopy()); } } if (grant == null) grant = new PermissionSet(PermissionState.None); // Each piece of evidence can possibly create an identity permission that we // need to add to our grant set. Therefore, for all pieces of evidence that // implement the IIdentityPermissionFactory interface, ask it for its // adjoining identity permission and add it to the grant. if (!grant.IsUnrestricted()) { IEnumerator enumerator = evidence.GetHostEnumerator(); while (enumerator.MoveNext()) { Object obj = enumerator.Current; IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory; if (factory != null) { IPermission perm = factory.CreateIdentityPermission( evidence ); if (perm != null) grant.AddPermission( perm ); } } } grant.IgnoreTypeLoadFailures = true; return grant; }
internal PolicyStatement Resolve(Evidence evidence, int count, byte[] serializedEvidence) { if (evidence == null) { throw new ArgumentNullException("evidence"); } PolicyStatement policy = null; if (serializedEvidence != null) { policy = this.CheckCache(count, serializedEvidence); } if (policy == null) { bool flag; this.CheckLoaded(); if ((this.m_fullTrustAssemblies != null) && IsFullTrustAssembly(this.m_fullTrustAssemblies, evidence)) { policy = new PolicyStatement(new PermissionSet(true), PolicyStatementAttribute.Nothing); flag = true; } else { ArrayList list = this.GenericResolve(evidence, out flag); policy = new PolicyStatement { PermissionSet = null }; IEnumerator enumerator = list.GetEnumerator(); while (enumerator.MoveNext()) { PolicyStatement statement2 = ((CodeGroupStackFrame) enumerator.Current).policy; if (statement2 != null) { policy.GetPermissionSetNoCopy().InplaceUnion(statement2.GetPermissionSetNoCopy()); policy.Attributes |= statement2.Attributes; if (statement2.HasDependentEvidence) { foreach (IDelayEvaluatedEvidence evidence2 in statement2.DependentEvidence) { evidence2.MarkUsed(); } } } } } if (flag) { this.Cache(count, evidence.RawSerialize(), policy); } } return policy; }
internal PermissionSet CodeGroupResolve(Evidence evidence, bool systemPolicy) { PermissionSet permissionSet = null; PolicyLevel current = null; IEnumerator enumerator = this.PolicyLevels.GetEnumerator(); evidence.GetHostEvidence<Zone>(); evidence.GetHostEvidence<StrongName>(); evidence.GetHostEvidence<Url>(); byte[] serializedEvidence = evidence.RawSerialize(); int rawCount = evidence.RawCount; bool flag = AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null; bool flag2 = false; while (enumerator.MoveNext()) { PolicyStatement statement; current = (PolicyLevel) enumerator.Current; if (systemPolicy) { if (current.Type != PolicyLevelType.AppDomain) { goto Label_0078; } continue; } if (flag && (current.Type != PolicyLevelType.AppDomain)) { continue; } Label_0078: statement = current.Resolve(evidence, rawCount, serializedEvidence); if (permissionSet == null) { permissionSet = statement.PermissionSet; } else { permissionSet.InplaceIntersect(statement.GetPermissionSetNoCopy()); } if ((permissionSet == null) || permissionSet.FastIsEmpty()) { break; } if ((statement.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal) { if (current.Type != PolicyLevelType.AppDomain) { flag2 = true; } break; } } if ((permissionSet != null) && flag2) { PolicyLevel level2 = null; for (int i = this.PolicyLevels.Count - 1; i >= 0; i--) { current = (PolicyLevel) this.PolicyLevels[i]; if (current.Type == PolicyLevelType.AppDomain) { level2 = current; break; } } if (level2 != null) { permissionSet.InplaceIntersect(level2.Resolve(evidence, rawCount, serializedEvidence).GetPermissionSetNoCopy()); } } if (permissionSet == null) { permissionSet = new PermissionSet(PermissionState.None); } if (!permissionSet.IsUnrestricted()) { IEnumerator hostEnumerator = evidence.GetHostEnumerator(); while (hostEnumerator.MoveNext()) { object obj2 = hostEnumerator.Current; IIdentityPermissionFactory factory = obj2 as IIdentityPermissionFactory; if (factory != null) { IPermission perm = factory.CreateIdentityPermission(evidence); if (perm != null) { permissionSet.AddPermission(perm); } } } } permissionSet.IgnoreTypeLoadFailures = true; return permissionSet; }