private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet other = null;
Exception exception = null;
PermissionSet set2 = optPset;
if (reqdPset == null)
{
other = set2;
}
else
{
other = (set2 == null) ? null : reqdPset.Union(set2);
}
if ((other != null) && !other.IsUnrestricted())
{
other.AddPermission(executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = polmgr.Resolve(evidence);
if (other != null)
{
target.InplaceIntersect(other);
}
if (checkExecutionPermission && (!target.Contains(executionSecurityPermission) || ((denyPset != null) && denyPset.Contains(executionSecurityPermission))))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if ((reqdPset != null) && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
target.IgnoreTypeLoadFailures = true;
return(target);
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (SecurityManager.executionSecurityPermission == null)
{
SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
Exception exception = null;
PermissionSet permissionSet;
if (reqdPset == null)
{
permissionSet = optPset;
}
else
{
permissionSet = ((optPset == null) ? null : reqdPset.Union(optPset));
}
if (permissionSet != null && !permissionSet.IsUnrestricted())
{
permissionSet.AddPermission(SecurityManager.executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet permissionSet2 = SecurityManager.polmgr.Resolve(evidence);
if (permissionSet != null)
{
permissionSet2.InplaceIntersect(permissionSet);
}
if (checkExecutionPermission && (!permissionSet2.Contains(SecurityManager.executionSecurityPermission) || (denyPset != null && denyPset.Contains(SecurityManager.executionSecurityPermission))))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if (reqdPset != null && !reqdPset.IsSubsetOf(permissionSet2))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
permissionSet2.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
permissionSet2.IgnoreTypeLoadFailures = true;
return(permissionSet2);
}
public static bool IsGranted(IPermission perm)
{
if (perm == null)
{
return(true);
}
PermissionSet permissionSet = null;
PermissionSet permissionSet2 = null;
StackCrawlMark stackCrawlMark = StackCrawlMark.LookForMyCaller;
SecurityManager.GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref permissionSet), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref permissionSet2), JitHelpers.GetStackCrawlMarkHandle(ref stackCrawlMark));
return(permissionSet.Contains(perm) && (permissionSet2 == null || !permissionSet2.Contains(perm)));
}
public static bool IsGranted(IPermission perm)
{
if (perm == null)
{
return(true);
}
PermissionSet granted = null, denied = null;
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack(ref granted),
JitHelpers.GetObjectHandleOnStack(ref denied),
JitHelpers.GetStackCrawlMarkHandle(ref stackMark));
return(granted.Contains(perm) && (denied == null || !denied.Contains(perm)));
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (SecurityManager.executionSecurityPermission == null)
{
SecurityManager.executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
Exception exception = (Exception)null;
PermissionSet other1 = optPset;
PermissionSet other2 = reqdPset != null ? (other1 == null ? (PermissionSet)null : reqdPset.Union(other1)) : other1;
if (other2 != null && !other2.IsUnrestricted())
{
other2.AddPermission((IPermission)SecurityManager.executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = SecurityManager.polmgr.Resolve(evidence);
if (other2 != null)
{
target.InplaceIntersect(other2);
}
if (checkExecutionPermission && (!target.Contains((IPermission)SecurityManager.executionSecurityPermission) || denyPset != null && denyPset.Contains((IPermission)SecurityManager.executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if (reqdPset != null && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = (PermissionSet)null;
}
}
else
{
denied = (PermissionSet)null;
}
target.IgnoreTypeLoadFailures = true;
return(target);
}
public static bool IsGranted(IPermission perm)
{
if (perm != null)
{
PermissionSet o = null;
PermissionSet set2 = null;
StackCrawlMark lookForMyCaller = StackCrawlMark.LookForMyCaller;
GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref set2), JitHelpers.GetStackCrawlMarkHandle(ref lookForMyCaller));
if (!o.Contains(perm))
{
return(false);
}
if (set2 != null)
{
return(!set2.Contains(perm));
}
}
return(true);
}
public static bool IsGranted(IPermission perm)
{
if (perm == null)
{
return(true);
}
PermissionSet o1 = (PermissionSet)null;
PermissionSet o2 = (PermissionSet)null;
StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller;
SecurityManager.GetGrantedPermissions(JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o1), JitHelpers.GetObjectHandleOnStack <PermissionSet>(ref o2), JitHelpers.GetStackCrawlMarkHandle(ref stackMark));
if (!o1.Contains(perm))
{
return(false);
}
if (o2 != null)
{
return(!o2.Contains(perm));
}
return(true);
}
[System.Security.SecurityCritical] // auto-generated
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet requested = null;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
{
requested = optional;
}
else
{
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
}
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted())
{
requested.AddPermission(executionSecurityPermission);
}
// If we aren't passed any evidence, just make an empty object
if (evidence == null)
{
evidence = new Evidence();
}
allowed = polmgr.Resolve(evidence);
// Intersect the grant with the RequestOptional
if (requested != null)
{
allowed.InplaceIntersect(requested);
}
// Check that we were granted the right to execute.
if (checkExecutionPermission)
{
if (!allowed.Contains(executionSecurityPermission) ||
(denyPset != null && denyPset.Contains(executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException);
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
allowed.IgnoreTypeLoadFailures = true;
return(allowed);
}
[System.Security.SecurityCritical] // auto-generated
static private PermissionSet ResolvePolicy(Evidence evidence,
PermissionSet reqdPset,
PermissionSet optPset,
PermissionSet denyPset,
out PermissionSet denied,
bool checkExecutionPermission)
{
Contract.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled);
if (executionSecurityPermission == null)
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
PermissionSet requested = null;
PermissionSet optional;
PermissionSet allowed;
Exception savedException = null;
// We don't want to recurse back into here as a result of a
// stackwalk during resolution. So simply assert full trust (this
// implies that custom permissions cannot use any permissions that
// don't implement IUnrestrictedPermission.
// PermissionSet.s_fullTrust.Assert();
// The requested set is the union of the minimal request and the
// optional request. Minimal request defaults to empty, optional
// is "AllPossible" (includes any permission that can be defined)
// which is symbolized by null.
optional = optPset;
if (reqdPset == null)
requested = optional;
else
// If optional is null, the requested set becomes null/"AllPossible".
requested = optional == null ? null : reqdPset.Union(optional);
// Make sure that the right to execute is requested (if this feature is
// enabled).
if (requested != null && !requested.IsUnrestricted())
requested.AddPermission( executionSecurityPermission );
// If we aren't passed any evidence, just make an empty object
if (evidence == null)
{
evidence = new Evidence();
}
allowed = polmgr.Resolve(evidence);
// Intersect the grant with the RequestOptional
if (requested != null)
allowed.InplaceIntersect(requested);
// Check that we were granted the right to execute.
if (checkExecutionPermission)
{
if (!allowed.Contains(executionSecurityPermission) ||
(denyPset != null && denyPset.Contains(executionSecurityPermission)))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"),
System.__HResults.CORSEC_E_NO_EXEC_PERM,
savedException);
}
}
// Check that we were granted at least the minimal set we asked for. Do
// this before pruning away any overlap with the refused set so that
// users have the flexability of defining minimal permissions that are
// only expressable as set differences (e.g. allow access to "C:\" but
// disallow "C:\Windows").
if (reqdPset != null && !reqdPset.IsSubsetOf(allowed))
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
throw new PolicyException(Environment.GetResourceString( "Policy_NoRequiredPermission" ),
System.__HResults.CORSEC_E_MIN_GRANT_FAIL,
savedException );
}
// Remove any granted permissions that are safe subsets of some denied
// permission. The remaining denied permissions (if any) are returned
// along with the modified grant set for use in checks.
if (denyPset != null)
{
BCLDebug.Assert(AppDomain.CurrentDomain.IsLegacyCasPolicyEnabled, "Evaluating assembly level declarative security without legacy CAS policy enabled");
denied = denyPset.Copy();
allowed.MergeDeniedSet(denied);
if (denied.IsEmpty())
denied = null;
}
else
denied = null;
allowed.IgnoreTypeLoadFailures = true;
return allowed;
}
private static PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission)
{
if (executionSecurityPermission == null)
{
executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution);
}
PermissionSet other = null;
Exception exception = null;
PermissionSet set2 = optPset;
if (reqdPset == null)
{
other = set2;
}
else
{
other = (set2 == null) ? null : reqdPset.Union(set2);
}
if ((other != null) && !other.IsUnrestricted())
{
other.AddPermission(executionSecurityPermission);
}
if (evidence == null)
{
evidence = new Evidence();
}
PermissionSet target = polmgr.Resolve(evidence);
if (other != null)
{
target.InplaceIntersect(other);
}
if (checkExecutionPermission && (!target.Contains(executionSecurityPermission) || ((denyPset != null) && denyPset.Contains(executionSecurityPermission))))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), -2146233320, exception);
}
if ((reqdPset != null) && !reqdPset.IsSubsetOf(target))
{
throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), -2146233321, exception);
}
if (denyPset != null)
{
denied = denyPset.Copy();
target.MergeDeniedSet(denied);
if (denied.IsEmpty())
{
denied = null;
}
}
else
{
denied = null;
}
target.IgnoreTypeLoadFailures = true;
return target;
}
internal static QuickCacheEntryType GenerateQuickCache(PolicyLevel level)
{
QuickCacheEntryType[] ExecutionMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.ExecutionZoneMyComputer,
QuickCacheEntryType.ExecutionZoneIntranet,
QuickCacheEntryType.ExecutionZoneInternet,
QuickCacheEntryType.ExecutionZoneTrusted,
QuickCacheEntryType.ExecutionZoneUntrusted };
QuickCacheEntryType[] UnmanagedMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.UnmanagedZoneMyComputer,
QuickCacheEntryType.UnmanagedZoneIntranet,
QuickCacheEntryType.UnmanagedZoneInternet,
QuickCacheEntryType.UnmanagedZoneTrusted,
QuickCacheEntryType.UnmanagedZoneUntrusted };
QuickCacheEntryType[] RequestSkipVerificationMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.RequestSkipVerificationZoneMyComputer,
QuickCacheEntryType.RequestSkipVerificationZoneIntranet,
QuickCacheEntryType.RequestSkipVerificationZoneInternet,
QuickCacheEntryType.RequestSkipVerificationZoneTrusted,
QuickCacheEntryType.RequestSkipVerificationZoneUntrusted };
QuickCacheEntryType[] SkipVerificationMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.SkipVerificationZoneMyComputer,
QuickCacheEntryType.SkipVerificationZoneIntranet,
QuickCacheEntryType.SkipVerificationZoneInternet,
QuickCacheEntryType.SkipVerificationZoneTrusted,
QuickCacheEntryType.SkipVerificationZoneUntrusted };
QuickCacheEntryType[] FullTrustMap = new QuickCacheEntryType[]
{ QuickCacheEntryType.FullTrustZoneMyComputer,
QuickCacheEntryType.FullTrustZoneIntranet,
QuickCacheEntryType.FullTrustZoneInternet,
QuickCacheEntryType.FullTrustZoneTrusted,
QuickCacheEntryType.FullTrustZoneUntrusted };
QuickCacheEntryType accumulator = (QuickCacheEntryType)0;
SecurityPermission execPerm = new SecurityPermission(SecurityPermissionFlag.Execution);
SecurityPermission unmanagedPerm = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode);
SecurityPermission skipVerifPerm = new SecurityPermission(SecurityPermissionFlag.SkipVerification);
Evidence noEvidence = new Evidence();
PermissionSet policy = null;
try
{
policy = level.Resolve(noEvidence).PermissionSet;
if (policy.Contains(execPerm))
{
accumulator |= QuickCacheEntryType.ExecutionAll;
}
if (policy.Contains(unmanagedPerm))
{
accumulator |= QuickCacheEntryType.UnmanagedAll;
}
if (policy.Contains(skipVerifPerm))
{
accumulator |= QuickCacheEntryType.SkipVerificationAll;
}
if (policy.IsUnrestricted())
{
accumulator |= QuickCacheEntryType.FullTrustAll;
}
}
catch (PolicyException)
{
}
PermissionSet permSet = new PermissionSet(PermissionState.None);
permSet.AddPermission(skipVerifPerm);
PermissionRequestEvidence permRequest = new PermissionRequestEvidence(permSet, null, null);
try
{
noEvidence.AddHost(permRequest);
policy = level.Resolve(noEvidence).PermissionSet;
if (policy.Contains(skipVerifPerm))
{
accumulator |= QuickCacheEntryType.RequestSkipVerificationAll;
}
}
catch (PolicyException)
{
}
Array zones = Enum.GetValues(typeof(SecurityZone));
for (int i = 0; i < zones.Length; ++i)
{
if (((SecurityZone)zones.GetValue(i)) == SecurityZone.NoZone)
{
continue;
}
Evidence zoneEvidence = new Evidence();
zoneEvidence.AddHost(new Zone((SecurityZone)zones.GetValue(i)));
PermissionSet zonePolicy = null;
try
{
zonePolicy = level.Resolve(zoneEvidence).PermissionSet;
if (zonePolicy.Contains(execPerm))
{
accumulator |= ExecutionMap[i];
}
if (zonePolicy.Contains(unmanagedPerm))
{
accumulator |= UnmanagedMap[i];
}
if (zonePolicy.Contains(skipVerifPerm))
{
accumulator |= SkipVerificationMap[i];
}
if (zonePolicy.IsUnrestricted())
{
accumulator |= FullTrustMap[i];
}
}
catch (PolicyException)
{
}
zoneEvidence.AddHost(permRequest);
try
{
zonePolicy = level.Resolve(zoneEvidence).PermissionSet;
if (zonePolicy.Contains(skipVerifPerm))
{
accumulator |= RequestSkipVerificationMap[i];
}
}
catch (PolicyException)
{
}
}
return(accumulator);
}
