author | Jan Kotas <jkotas@microsoft.com> | 2017-05-17 18:25:05 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-17 18:25:05 -0700 |
commit | 13e7c4368da664a8b50228b1a5ef01a660fbb2dd (patch) | |
tree | f3f36157c201fab5bc4558beceb9f8e83fbab3f6 /src | |
parent | c290deb3bd5331a5d70470e6203f2b4b2059bd90 (diff) | |
Finish deleting dead CAS code from CoreLib (#11436)
Fixes #9321 and deletes CleanupToDoList.cs
Delete unmanaged security implementation
Diffstat (limited to 'src')
156 files changed, 280 insertions, 19936 deletions
diff --git a/src/classlibnative/bcltype/arraynative.cpp b/src/classlibnative/bcltype/arraynative.cpp index 232f59dfca..7933d3a469 100644 --- a/src/classlibnative/bcltype/arraynative.cpp +++ b/src/classlibnative/bcltype/arraynative.cpp @@ -1121,22 +1121,6 @@ void ArrayNative::CheckElementType(TypeHandle elementType) { MethodTable *pMT = elementType.AsMethodTable(); - // TODO: We also should check for type/member visibility here. To do that we can replace - // the following chunk of code with a simple InvokeUtil::CanAccessClass call. - // But it's too late to make this change in Dev10 and we want SL4 to be compatible with Dev10. - if (Security::TypeRequiresTransparencyCheck(pMT)) - { - // The AccessCheckOptions flag doesn't matter because we just need to get the caller. - RefSecContext sCtx(AccessCheckOptions::kMemberAccess); - - AccessCheckOptions accessCheckOptions(InvokeUtil::GetInvocationAccessCheckType(), - NULL /*pAccessContext*/, - TRUE /*throwIfTargetIsInaccessible*/, - pMT /*pTargetMT*/); - - accessCheckOptions.DemandMemberAccessOrFail(&sCtx, pMT, FALSE /*visibilityCheck*/); - } - // Check for byref-like types. if (pMT->IsByRefLike()) COMPlusThrow(kNotSupportedException, W("NotSupported_ByRefLikeArray")); diff --git a/src/classlibnative/bcltype/system.cpp b/src/classlibnative/bcltype/system.cpp index c36d2e1066..f6a19f97d1 100644 --- a/src/classlibnative/bcltype/system.cpp +++ b/src/classlibnative/bcltype/system.cpp @@ -316,12 +316,6 @@ FCIMPL0(StringObject*, SystemNative::_GetModuleFileName) } FCIMPLEND -FCIMPL0(StringObject*, SystemNative::GetDeveloperPath) -{ - return NULL; -} -FCIMPLEND - FCIMPL0(StringObject*, SystemNative::GetRuntimeDirectory) { FCALL_CONTRACT; 
@@ -349,24 +343,6 @@ FCIMPL0(StringObject*, SystemNative::GetRuntimeDirectory) } FCIMPLEND -FCIMPL0(StringObject*, SystemNative::GetHostBindingFile); -{ - FCALL_CONTRACT; - - STRINGREF refRetVal = NULL; - - HELPER_METHOD_FRAME_BEGIN_RET_1(refRetVal); - - LPCWSTR wszFile = g_pConfig->GetProcessBindingFile(); - if(wszFile) - refRetVal = StringObject::NewString(wszFile); - - HELPER_METHOD_FRAME_END(); - return (StringObject*)OBJECTREFToObject(refRetVal); -} -FCIMPLEND - - INT32 QCALLTYPE SystemNative::GetProcessorCount() { QCALL_CONTRACT; @@ -398,27 +374,6 @@ INT32 QCALLTYPE SystemNative::GetProcessorCount() return processorCount; } -#ifdef FEATURE_CLASSIC_COMINTEROP - -LPVOID QCALLTYPE SystemNative::GetRuntimeInterfaceImpl( - /*in*/ REFCLSID clsid, - /*in*/ REFIID riid) -{ - QCALL_CONTRACT; - - LPVOID pUnk = NULL; - - BEGIN_QCALL; - - IfFailThrow(E_NOINTERFACE); - - END_QCALL; - - return pUnk; -} - -#endif - FCIMPL0(FC_BOOL_RET, SystemNative::HasShutdownStarted) { FCALL_CONTRACT; diff --git a/src/classlibnative/bcltype/system.h b/src/classlibnative/bcltype/system.h index 986c55b31e..da5674f4f1 100644 --- a/src/classlibnative/bcltype/system.h +++ b/src/classlibnative/bcltype/system.h 
@@ -9,45 +9,12 @@ // Purpose: Native methods on System.System // -// - #ifndef _SYSTEM_H_ #define _SYSTEM_H_ #include "fcall.h" #include "qcall.h" -// Corresponding to managed class Microsoft.Win32.OSVERSIONINFO -class OSVERSIONINFOObject : public Object -{ - public: - STRINGREF szCSDVersion; - DWORD dwOSVersionInfoSize; - DWORD dwMajorVersion; - DWORD dwMinorVersion; - DWORD dwBuildNumber; - DWORD dwPlatformId; -}; - -//Corresponding to managed class Microsoft.Win32.OSVERSIONINFOEX -class OSVERSIONINFOEXObject : public Object -{ - public: - STRINGREF szCSDVersion; - DWORD dwOSVersionInfoSize; - DWORD dwMajorVersion; - DWORD dwMinorVersion; - DWORD dwBuildNumber; - DWORD dwPlatformId; - WORD wServicePackMajor; - WORD wServicePackMinor; - WORD wSuiteMask; - BYTE wProductType; - BYTE wReserved; -}; - - - class SystemNative { friend class DebugStackTrace; @@ -90,13 +57,9 @@ public: static FCDECL2(VOID, FailFastWithExitCode, StringObject* refMessageUNSAFE, UINT exitCode); static FCDECL2(VOID, FailFastWithException, StringObject* refMessageUNSAFE, ExceptionObject* refExceptionUNSAFE); - static FCDECL0(StringObject*, GetDeveloperPath); static FCDECL1(Object*, _GetEnvironmentVariable, StringObject* strVar); static FCDECL0(StringObject*, _GetModuleFileName); static FCDECL0(StringObject*, GetRuntimeDirectory); - static FCDECL0(StringObject*, GetHostBindingFile); - static LPVOID QCALLTYPE GetRuntimeInterfaceImpl(REFCLSID clsid, REFIID riid); - static void QCALLTYPE _GetSystemVersion(QCall::StringHandleOnStack retVer); // Returns the number of logical processors that can be used by managed code static INT32 QCALLTYPE GetProcessorCount(); 
@@ -112,11 +75,6 @@ public: // Return a method info for the method were the exception was thrown static FCDECL1(ReflectMethodObject*, GetMethodFromStackTrace, ArrayBase* pStackTraceUNSAFE); - - -// Move this into a separate CLRConfigQCallWrapper class once CLRConfif has been refactored: - - private: // Common processing code for FailFast static void GenericFailFast(STRINGREF refMesgString, EXCEPTIONREF refExceptionForWatsonBucketing, UINT_PTR retAddress, UINT exitCode); diff --git a/src/debug/daccess/dacdbiimpl.cpp b/src/debug/daccess/dacdbiimpl.cpp index 605d5c7cee..f48ecc0bd0 100644 --- a/src/debug/daccess/dacdbiimpl.cpp +++ b/src/debug/daccess/dacdbiimpl.cpp @@ -3918,9 +3918,7 @@ BOOL DacDbiInterfaceImpl::IsAssemblyFullyTrusted(VMPTR_DomainAssembly vmDomainAs { DD_ENTER_MAY_THROW; - DomainAssembly * pAssembly = vmDomainAssembly.GetDacPtr(); - IAssemblySecurityDescriptor * pSecDisc = pAssembly->GetSecurityDescriptor(); - return pSecDisc->IsFullyTrusted(); + return TRUE; } // Get the full path and file name to the assembly's manifest module. diff --git a/src/debug/daccess/nidump.cpp b/src/debug/daccess/nidump.cpp index 77c05b5801..ebce7b4aa0 100644 --- a/src/debug/daccess/nidump.cpp +++ b/src/debug/daccess/nidump.cpp @@ -3721,18 +3721,6 @@ const WCHAR * g_sectionNames[] = #pragma warning(disable:21000) // Suppress PREFast warning about overly large function #endif -const NativeImageDumper::EnumMnemonics s_MSDFlags[] = -{ -#define MSD_ENTRY(f) NativeImageDumper::EnumMnemonics(ModuleSecurityDescriptorFlags_ ## f, W(#f)) - MSD_ENTRY(IsComputed), - MSD_ENTRY(IsAllCritical), - MSD_ENTRY(IsAllTransparent), - MSD_ENTRY(IsTreatAsSafe), - MSD_ENTRY(IsOpportunisticallyCritical), - MSD_ENTRY(SkipFullTrustVerification) -#undef MSD_ENTRY -}; - void NativeImageDumper::DumpModule( PTR_Module module ) { 
@@ -4063,16 +4051,6 @@ void NativeImageDumper::DumpModule( PTR_Module module ) Module, MODULE ); - _ASSERTE(module->m_pModuleSecurityDescriptor); - PTR_ModuleSecurityDescriptor msd(TO_TADDR(module->m_pModuleSecurityDescriptor)); - DisplayStartStructureWithOffset( m_pModuleSecurityDescriptor, - DPtrToPreferredAddr(msd), sizeof(*msd), - Module, MODULE ); - DisplayWriteElementEnumerated("Flags", msd->GetRawFlags(), s_MSDFlags, W(", "), MODULE ); - - _ASSERTE(msd->GetModule() == module); - DisplayEndStructure(MODULE); //ModuleSecurityDescriptor - /* REVISIT_TODO Wed 09/21/2005 * Get me in the debugger and look at the activations and module/class * dependencies. @@ -5627,7 +5605,6 @@ NativeImageDumper::EnumMnemonics s_MTFlags2[] = MTFLAG2_ENTRY(IsZapped), MTFLAG2_ENTRY(IsPreRestored), MTFLAG2_ENTRY(HasModuleDependencies), - MTFLAG2_ENTRY(NoSecurityProperties), MTFLAG2_ENTRY(RequiresDispatchTokenFat), MTFLAG2_ENTRY(HasCctor), MTFLAG2_ENTRY(HasCCWTemplate), @@ -5817,25 +5794,6 @@ static NativeImageDumper::EnumMnemonics s_VMFlags[] = #endif #undef VMF_ENTRY }; -static NativeImageDumper::EnumMnemonics s_SecurityProperties[] = -{ -#define SP_ENTRY(x) NativeImageDumper::EnumMnemonics(DECLSEC_ ## x, W(#x)) - SP_ENTRY(DEMANDS), - SP_ENTRY(ASSERTIONS), - SP_ENTRY(DENIALS), - SP_ENTRY(INHERIT_CHECKS), - SP_ENTRY(LINK_CHECKS), - SP_ENTRY(PERMITONLY), - SP_ENTRY(REQUESTS), - SP_ENTRY(UNMNGD_ACCESS_DEMAND), - SP_ENTRY(NONCAS_DEMANDS), - SP_ENTRY(NONCAS_LINK_DEMANDS), - SP_ENTRY(NONCAS_INHERITANCE), - - SP_ENTRY(NULL_INHERIT_CHECKS), - SP_ENTRY(NULL_LINK_CHECKS), -#undef SP_ENTRY -}; static NativeImageDumper::EnumMnemonics s_CorFieldAttr[] = { #define CFA_ENTRY(x) NativeImageDumper::EnumMnemonics( x, W(#x) ) 
@@ -8741,11 +8699,6 @@ NativeImageDumper::DumpEEClassForMethodTable( PTR_MethodTable mt ) DisplayWriteFieldInt( m_cbModuleDynamicID, pClassOptional->m_cbModuleDynamicID, EEClassOptionalFields, EECLASSES ); - - DisplayWriteFieldEnumerated( m_SecProps, clazz->GetSecurityProperties()->dwFlags, - EEClassOptionalFields, s_SecurityProperties, W("|"), - EECLASSES ); - DisplayEndStructure( EECLASSES ); // EEClassOptionalFields } } // NativeImageDumper::DumpEEClassForMethodTable diff --git a/src/debug/daccess/nidump.h b/src/debug/daccess/nidump.h index d14eb89f24..fc57e4bf7f 100644 --- a/src/debug/daccess/nidump.h +++ b/src/debug/daccess/nidump.h @@ -16,7 +16,6 @@ typedef DPTR(IMAGE_SECTION_HEADER) PTR_IMAGE_SECTION_HEADER; typedef DPTR(CerNgenRootTable) PTR_CerNgenRootTable; typedef DPTR(struct CerRoot) PTR_CerRoot; typedef DPTR(MethodContextElement) PTR_MethodContextElement; -typedef DPTR(ModuleSecurityDescriptor) PTR_ModuleSecurityDescriptor; typedef DPTR(DictionaryEntry) PTR_DictionaryEntry; typedef DPTR(GuidInfo) PTR_GuidInfo; #if defined(FEATURE_COMINTEROP) diff --git a/src/debug/daccess/request.cpp b/src/debug/daccess/request.cpp index 78ac831cd9..ebaa1f833f 100644 --- a/src/debug/daccess/request.cpp +++ b/src/debug/daccess/request.cpp @@ -2240,23 +2240,6 @@ ClrDataAccess::GetAppDomainData(CLRDATA_ADDRESS addr, struct DacpAppDomainData * appdomainData->FailedAssemblyCount++; } } -#ifndef FEATURE_PAL - // MiniDumpNormal doesn't guarantee to dump the SecurityDescriptor, let it fail. - EX_TRY - { - appdomainData->AppSecDesc = HOST_CDADDR(pAppDomain->GetSecurityDescriptor()); - } - EX_CATCH - { - HRESULT hrExc = GET_EXCEPTION()->GetHR(); - if (hrExc != HRESULT_FROM_WIN32(ERROR_READ_FAULT) - && hrExc != CORDBG_E_READVIRTUAL_FAILURE) - { - EX_RETHROW; - } - } - EX_END_CATCH(SwallowAllExceptions) -#endif // FEATURE_PAL } } 
@@ -2653,8 +2636,6 @@ ClrDataAccess::GetAssemblyData(CLRDATA_ADDRESS cdBaseDomainPtr, CLRDATA_ADDRESS assemblyData->AssemblyPtr = HOST_CDADDR(pAssembly); assemblyData->ClassLoader = HOST_CDADDR(pAssembly->GetLoader()); assemblyData->ParentDomain = HOST_CDADDR(pAssembly->GetDomain()); - if (pDomain != NULL) - assemblyData->AssemblySecDesc = HOST_CDADDR(pAssembly->GetSecurityDescriptor(pDomain)); assemblyData->isDynamic = pAssembly->IsDynamic(); assemblyData->ModuleCount = 0; assemblyData->isDomainNeutral = pAssembly->IsDomainNeutral(); diff --git a/src/inc/corhost.h b/src/inc/corhost.h index 59ab23cd27..6d1d5772af 100644 --- a/src/inc/corhost.h +++ b/src/inc/corhost.h @@ -391,24 +391,12 @@ public: static STARTUP_FLAGS GetStartupFlags(); - static LPCWSTR GetAppDomainManagerAsm(); - - static LPCWSTR GetAppDomainManagerType(); - static EInitializeNewDomainFlags GetAppDomainManagerInitializeNewDomainFlags(); - static BOOL HasAppDomainManagerInfo() - { - LIMITED_METHOD_CONTRACT; - return GetAppDomainManagerAsm() != NULL && GetAppDomainManagerType() != NULL; - } - static BOOL HasStarted() { return m_RefCount != 0; } - - static BOOL IsLoadFromBlocked(); // LoadFrom, LoadFile and Load(byte[]) are blocked in certain hosting scenarios private: // This flag indicates if this instance was the first to load and start CoreCLR @@ -443,11 +431,6 @@ private: static IHostControl *m_HostControl; - static LPCWSTR s_wszAppDomainManagerAsm; - static LPCWSTR s_wszAppDomainManagerType; - static EInitializeNewDomainFlags s_dwDomainManagerInitFlags; - - SVAL_DECL(STARTUP_FLAGS, m_dwStartupFlags); }; diff --git a/src/inc/vptr_list.h b/src/inc/vptr_list.h index a0333c3239..ce38156af6 100644 --- a/src/inc/vptr_list.h +++ b/src/inc/vptr_list.h @@ -78,7 +78,6 @@ VPTR_CLASS(HijackFrame) #endif VPTR_CLASS(InlinedCallFrame) VPTR_CLASS(SecureDelegateFrame) -VPTR_CLASS(SecurityContextFrame) VPTR_CLASS(MulticastFrame) VPTR_CLASS(PInvokeCalliFrame) VPTR_CLASS(PrestubMethodFrame) 
@@ -121,6 +120,3 @@ VPTR_CLASS(HostCodeHeap)
 VPTR_CLASS(GlobalLoaderAllocator)
 VPTR_CLASS(AppDomainLoaderAllocator)
 VPTR_CLASS(AssemblyLoaderAllocator)
-
-VPTR_CLASS(AssemblySecurityDescriptor)
-VPTR_CLASS(ApplicationSecurityDescriptor)
diff --git a/src/md/compiler/regmeta_vm.cpp b/src/md/compiler/regmeta_vm.cpp
index a4d9397b0e..5948d2aa88 100644
--- a/src/md/compiler/regmeta_vm.cpp
+++ b/src/md/compiler/regmeta_vm.cpp
@@ -121,144 +121,7 @@ HRESULT RegMeta::DefineSecurityAttributeSet(// Return code. ULONG cSecAttrs, // [IN] Count of elements in above array. ULONG *pulErrorAttr) // [OUT] On error, index of attribute causing problem. { -#ifdef FEATURE_METADATA_EMIT_ALL - HRESULT hr = S_OK; - - BEGIN_ENTRYPOINT_NOTHROW; - - NewArrayHolder <CORSEC_ATTRSET> rAttrSets; - DWORD i; - mdPermission ps; - DWORD dwAction; - bool fProcessDeclarativeSecurityAtRuntime; - - LOG((LOGMD, "RegMeta::DefineSecurityAttributeSet(0x%08x, 0x%08x, 0x%08x, 0x%08x)\n", - tkObj, rSecAttrs, cSecAttrs, pulErrorAttr)); - START_MD_PERF(); - LOCKWRITE(); - - IfFailGo(m_pStgdb->m_MiniMd.PreUpdate()); - - rAttrSets = new (nothrow) CORSEC_ATTRSET[dclMaximumValue + 1]; - if (rAttrSets == NULL) - { - hr = E_OUTOFMEMORY; - goto ErrExit; - } - - memset(rAttrSets, 0, sizeof(CORSEC_ATTRSET) * (dclMaximumValue + 1)); - - // Initialize error index to indicate a general error. - if (pulErrorAttr) - *pulErrorAttr = cSecAttrs; - - fProcessDeclarativeSecurityAtRuntime = true; - - // See if we should default to old v1.0/v1.1 serialization behavior - if (m_OptionValue.m_MetadataVersion < MDVersion2) - fProcessDeclarativeSecurityAtRuntime = false; - - // Startup the EE just once, no matter how many times we're called (this is - // better on performance and the EE falls over if we try a start-stop-start - // cycle anyway). 
- if (!m_fStartedEE && !fProcessDeclarativeSecurityAtRuntime) - { - IfFailGo(StartupEE()); - } - - // Group the security attributes by SecurityAction (thus creating an array of CORSEC_PERM's) - IfFailGo(GroupSecurityAttributesByAction(/*OUT*/rAttrSets, rSecAttrs, cSecAttrs, tkObj, pulErrorAttr, &m_pStgdb->m_MiniMd, NULL)); - - // Put appropriate data in the metadata - for (i = 0; i <= dclMaximumValue; i++) - { - NewArrayHolder <BYTE> pbBlob(NULL); - NewArrayHolder <BYTE> pbNonCasBlob(NULL); - DWORD cbBlob = 0; - DWORD cbNonCasBlob = 0; - - rAttrSets[i].pImport = this; - rAttrSets[i].pAppDomain = m_pAppDomain; - if (rAttrSets[i].dwAttrCount == 0) - continue; - if (pulErrorAttr) - *pulErrorAttr = i; - - if(fProcessDeclarativeSecurityAtRuntime) - { - // Put a serialized CORSEC_ATTRSET in the metadata - SIZE_T cbAttrSet = 0; - IfFailGo(AttributeSetToBlob(&rAttrSets[i], NULL, &cbAttrSet, this, i)); // count size required for buffer - if (!FitsIn<DWORD>(cbAttrSet)) - { - hr = COR_E_OVERFLOW; - goto ErrExit; - } - cbBlob = static_cast<DWORD>(cbAttrSet); - - pbBlob = new (nothrow) BYTE[cbBlob]; // allocate buffer - if (pbBlob == NULL) - { - hr = E_OUTOFMEMORY; - goto ErrExit; - } - - IfFailGo(AttributeSetToBlob(&rAttrSets[i], pbBlob, NULL, this, i)); // serialize into the buffer - IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj, rAttrSets[i].dwAction, pbBlob, cbBlob, &ps)); // put it in metadata - } - else - { - // Now translate the sets of security attributes into a real permission - // set and convert this to a serialized Xml blob. We may possibly end up - // with two sets as the result of splitting CAS and non-CAS permissions - // into separate sets. - hr = TranslateSecurityAttributes(&rAttrSets[i], &pbBlob, &cbBlob, &pbNonCasBlob, &cbNonCasBlob, pulErrorAttr); - IfFailGo(hr); - - // Persist the permission set blob into the metadata. 
For empty CAS - // blobs this is only done if the corresponding non-CAS blob is empty - if (cbBlob || !cbNonCasBlob) - IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj, rAttrSets[i].dwAction, pbBlob, cbBlob, &ps)); - - if (pbNonCasBlob) - { - // Map the SecurityAction to a special non-CAS action so this - // blob will have its own entry in the metadata - switch (rAttrSets[i].dwAction) - { - case dclDemand: - dwAction = dclNonCasDemand; - break; - case dclLinktimeCheck: - dwAction = dclNonCasLinkDemand; - break; - case dclInheritanceCheck: - dwAction = dclNonCasInheritance; - break; - default: - PostError(CORSECATTR_E_BAD_NONCAS); - IfFailGo(CORSECATTR_E_BAD_NONCAS); - } - - // Persist to metadata - IfFailGo(_DefinePermissionSet(rAttrSets[i].tkObj, - dwAction, - pbNonCasBlob, - cbNonCasBlob, - &ps)); - } - } - } - -ErrExit: - STOP_MD_PERF(DefineSecurityAttributeSet); - - END_ENTRYPOINT_NOTHROW; - - return (hr); -#else //!FEATURE_METADATA_EMIT_ALL return E_NOTIMPL; -#endif //!FEATURE_METADATA_EMIT_ALL } // RegMeta::DefineSecurityAttributeSet #endif //FEATURE_METADATA_EMIT diff --git a/src/mscorlib/System.Private.CoreLib.csproj b/src/mscorlib/System.Private.CoreLib.csproj index 7cb3244567..b17b1becb1 100644 --- a/src/mscorlib/System.Private.CoreLib.csproj +++ b/src/mscorlib/System.Private.CoreLib.csproj @@ -311,8 +311,6 @@ <Compile Include="$(BclSourcesRoot)\System\AppDomain.cs" /> <Compile Include="$(BclSourcesRoot)\System\AppDomainSetup.cs" /> <Compile Include="$(BclSourcesRoot)\System\AppDomainManager.cs" /> - <Compile Include="$(BclSourcesRoot)\System\IAppDomainPauseManager.cs" /> - <Compile Include="$(BclSourcesRoot)\System\AppDomainAttributes.cs" /> <Compile Include="$(BclSourcesRoot)\System\AppDomainUnloadedException.cs" /> <Compile Include="$(BclSourcesRoot)\System\ArgIterator.cs" /> <Compile Include="$(BclSourcesRoot)\System\Attribute.cs" /> 
@@ -693,8 +691,6 @@ <Compile Include="$(CommonPath)\System\SR.cs" /> <!-- Include Internals visible to file in the compilation --> <Compile Include="$(BclSourcesRoot)\mscorlib.Friends.cs" /> - <!-- TODO list of types to be cleaned up from CoreLib --> - <Compile Include="$(BclSourcesRoot)\CleanupToDoList.cs" /> </ItemGroup> <ItemGroup> <Compile Include="src\System\Runtime\RuntimeImports.cs" /> diff --git a/src/mscorlib/src/CleanupToDoList.cs b/src/mscorlib/src/CleanupToDoList.cs deleted file mode 100644 index f07d23f8ae..0000000000 --- a/src/mscorlib/src/CleanupToDoList.cs +++ /dev/null @@ -1,27 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. - -// -// Stubbed out types to be cleanup from CoreLib -// - -namespace System.Security -{ - internal enum SecurityContextSource - { - CurrentAppDomain = 0, - CurrentAssembly - } -} - -namespace System.Security.Policy -{ - internal sealed class Evidence - { - } - - internal sealed class ApplicationTrust - { - } -} diff --git a/src/mscorlib/src/GlobalSuppressions.cs b/src/mscorlib/src/GlobalSuppressions.cs deleted file mode 100644 index f1006dc647..0000000000 --- a/src/mscorlib/src/GlobalSuppressions.cs +++ /dev/null 
@@ -1,105 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -using System.Diagnostics.CodeAnalysis; - -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lpfuncdesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lptcomp", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.BINDPTR.#lpvardesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.CriticalHandle.#handle", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.DISPPARAMS.#rgdispidNamedArgs", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.DISPPARAMS.#rgvarg", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.EXCEPINFO.#pfnDeferredFillIn", Justification="matell: We 
already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.EXCEPINFO.#pvReserved", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.FUNCDESC.#lprgelemdescParam", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.FUNCDESC.#lprgscode", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.PARAMDESC.#lpVarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.SafeHandle.#handle", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.TYPEATTR.#lpstrSchema", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.TYPEDESC.#lpValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", 
Target="System.Runtime.InteropServices.VARDESC+DESCUNION.#lpvarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lpfuncdesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lptcomp", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.BINDPTR.#lpvardesc", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.DISPPARAMS.#rgdispidNamedArgs", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.DISPPARAMS.#rgvarg", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.EXCEPINFO.#pfnDeferredFillIn", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.EXCEPINFO.#pvReserved", Justification="matell: We already shipped this and it would be a 
breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.FUNCDESC.#lprgelemdescParam", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.FUNCDESC.#lprgscode", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.IDLDESC.#dwReserved", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.PARAMDESC.#lpVarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.TYPEATTR.#lpstrSchema", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.TYPEDESC.#lpValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Runtime.InteropServices.ComTypes.VARDESC+DESCUNION.#lpvarValue", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", 
Target="System.Threading.NativeOverlapped.#EventHandle", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Threading.NativeOverlapped.#InternalHigh", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2111:PointersShouldNotBeVisible", Scope="member", Target="System.Threading.NativeOverlapped.#InternalLow", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2105:ArrayFieldsShouldNotBeReadOnly", Scope="member", Target="System.IO.Path.#InvalidPathChars", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2105:ArrayFieldsShouldNotBeReadOnly", Scope="member", Target="System.Type.#EmptyTypes", Justification="matell: We already shipped this and it would be a breaking change to fix it")] -[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.BinaryWriter.#Null", Justification="matell: Underlying type is actually immutable")] -[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.Stream.#Null", Justification="matell: Underlying type is actually immutable")] -[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.StreamReader.#Null", Justification="matell: Underlying type is actually immutable")] -[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.StreamWriter.#Null", Justification="matell: Underlying type is actually Immutable")] 
-[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.TextReader.#Null", Justification="matell: Underlying type is actually immutable")] -[module: SuppressMessage("Microsoft.Security","CA2104:DoNotDeclareReadOnlyMutableReferenceTypes", Scope="member", Target="System.IO.TextWriter.#Null", Justification="matell: Underlying type is actually immutable")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Diagnostics.Tracing.EventSource.#GenerateGuidFromName(System.String)", Justification="matell: Existing code that needs to interop with other components using SHA-1")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.IO.IsolatedStorage.IsolatedStorage.#GetHash(System.IO.Stream)", Justification="matell: Existing code that needs to interop with other components using SHA-1")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.IO.IsolatedStorage.IsolatedStorageFile.#GetStrongHashSuitableForObjectName(System.String)", Justification="matell: Existing code that needs to interop with other components using SHA-1")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Policy.HashMembershipCondition.#ParseHashAlgorithm()", Justification="matell: Existing code that needs to interop with other components using SHA-1")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Policy.HashMembershipCondition.#.ctor(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext)", Justification="matell: Existing code that needs to interop with other components using SHA-1")] -[module: 
SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#IsSemiWeakKey(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#IsWeakKey(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#get_Key()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DES.#set_Key(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5351:DESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.DESCryptoServiceProvider.#GenerateKey()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.DSACryptoServiceProvider.#.ctor(System.Int32,System.Security.Cryptography.CspParameters)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5356:DSACannotBeUsed", Scope="member", Target="System.Security.Cryptography.DSASignatureFormatter.#CreateSignature(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACMD5.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACMD5.#.ctor(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.HMACRIPEMD160.#.ctor()", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.HMACRIPEMD160.#.ctor(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.HMACSHA1.#.ctor(System.Byte[],System.Boolean)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.MACTripleDES.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.MACTripleDES.#.ctor(System.String,System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.MD5.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5350:MD5CannotBeUsed", Scope="member", Target="System.Security.Cryptography.MD5CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2.#Create()", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5352:RC2CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RC2CryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#HashCore(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#HashFinal()", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#Initialize()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#MDTransform(System.UInt32*,System.UInt32*,System.Byte*)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#_EndHash()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5355:RIPEMD160IsNotRecommended", Scope="member", Target="System.Security.Cryptography.RIPEMD160Managed.#_HashData(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter.#DecryptKeyExchange(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.RSAOAEPKeyExchangeFormatter.#CreateKeyExchange(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.Rijndael.#Create()", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5357:RijndaelCannotBeUsed", Scope="member", Target="System.Security.Cryptography.RijndaelManaged.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1CryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#HashCore(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. 
Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#HashFinal()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#Initialize()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#SHATransform(System.UInt32*,System.UInt32*,System.Byte*)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#_EndHash()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5354:SHA1CannotBeUsed", Scope="member", Target="System.Security.Cryptography.SHA1Managed.#_HashData(System.Byte[],System.Int32,System.Int32)", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#Create()", Justification="matell: By design. Needed for implementation of security algorithms")] -[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#IsWeakKey(System.Byte[])", Justification="matell: By design. 
Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#get_Key()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDES.#set_Key(System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#.ctor()", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#CreateDecryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#CreateEncryptor(System.Byte[],System.Byte[])", Justification="matell: By design. Needed for implementation of security algorithms")]
-[module: SuppressMessage("Microsoft.Cryptographic.Standard","CA5353:TripleDESCannotBeUsed", Scope="member", Target="System.Security.Cryptography.TripleDESCryptoServiceProvider.#GenerateKey()", Justification="matell: By design. Needed for implementation of security algorithms")]
diff --git a/src/mscorlib/src/Microsoft/Win32/Win32Native.cs b/src/mscorlib/src/Microsoft/Win32/Win32Native.cs
index ff2c512f17..08178c8bf3 100644
--- a/src/mscorlib/src/Microsoft/Win32/Win32Native.cs
+++ b/src/mscorlib/src/Microsoft/Win32/Win32Native.cs
@@ -764,15 +764,9 @@ namespace Microsoft.Win32
 [DllImport(KERNEL32)]
 internal static extern bool FindClose(IntPtr handle);
- [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)]
- internal static extern uint GetCurrentDirectoryW(uint nBufferLength, char[] lpBuffer);
-
 [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)]
 internal static extern bool GetFileAttributesEx(String name, int fileInfoLevel, ref WIN32_FILE_ATTRIBUTE_DATA lpFileInformation);
- [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)]
- internal static extern bool SetCurrentDirectory(String path);
-
 internal const int LCID_SUPPORTED = 0x00000002; // supported locale ids
 [DllImport(KERNEL32)]
diff --git a/src/mscorlib/src/System/Activator.cs b/src/mscorlib/src/System/Activator.cs
index d11739b826..50c517339b 100644
--- a/src/mscorlib/src/System/Activator.cs
+++ b/src/mscorlib/src/System/Activator.cs
@@ -18,7 +18,6 @@ namespace System
 using System.Reflection;
 using System.Security;
 using CultureInfo = System.Globalization.CultureInfo;
- using Evidence = System.Security.Policy.Evidence;
 using StackCrawlMark = System.Threading.StackCrawlMark;
 using System.Runtime.InteropServices;
 using System.Runtime.CompilerServices;
diff --git a/src/mscorlib/src/System/AppDomain.cs b/src/mscorlib/src/System/AppDomain.cs
index 24c6765026..553b83feee 100644
--- a/src/mscorlib/src/System/AppDomain.cs
+++ b/src/mscorlib/src/System/AppDomain.cs
@@ -20,7 +20,6 @@ namespace System
 using System.Runtime;
 using System.Runtime.CompilerServices;
 using System.Security;
- using System.Security.Policy;
 using System.Collections;
 using System.Collections.Generic;
 using System.Threading;
@@ -36,81 +35,6 @@ namespace System
 using System.Diagnostics.Contracts;
 using System.Runtime.ExceptionServices;
- internal delegate void AppDomainInitializer(string[] args);
-
- internal class AppDomainInitializerInfo
- {
- internal class ItemInfo
- {
- public string TargetTypeAssembly;
- public string TargetTypeName;
- public string MethodName;
- }
-
- internal ItemInfo[] Info;
-
- internal AppDomainInitializerInfo(AppDomainInitializer init)
- {
- Info = null;
- if (init == null)
- return;
- List<ItemInfo> itemInfo = new List<ItemInfo>();
- List<AppDomainInitializer> nestedDelegates = new List<AppDomainInitializer>();
- nestedDelegates.Add(init);
- int idx = 0;
-
- while (nestedDelegates.Count > idx)
- {
- AppDomainInitializer curr = nestedDelegates[idx++];
- Delegate[] list = curr.GetInvocationList();
- for (int i = 0; i < list.Length; i++)
- {
- if (!list[i].Method.IsStatic)
- {
- if (list[i].Target == null)
- continue;
-
- AppDomainInitializer nested = list[i].Target as AppDomainInitializer;
- if (nested != null)
- nestedDelegates.Add(nested);
- else
- throw new ArgumentException(SR.Arg_MustBeStatic,
- list[i].Method.ReflectedType.FullName + "::" + list[i].Method.Name);
- }
- else
- {
- ItemInfo info = new ItemInfo();
- info.TargetTypeAssembly = list[i].Method.ReflectedType.Module.Assembly.FullName;
- info.TargetTypeName = list[i].Method.ReflectedType.FullName;
- info.MethodName = list[i].Method.Name;
- itemInfo.Add(info);
- }
- }
- }
-
- Info = itemInfo.ToArray();
- }
-
- internal AppDomainInitializer Unwrap()
- {
- if (Info == null)
- return null;
- AppDomainInitializer retVal = null;
- for (int i = 0; i < Info.Length; i++)
- {
- Assembly assembly = Assembly.Load(Info[i].TargetTypeAssembly);
- AppDomainInitializer newVal = (AppDomainInitializer)Delegate.CreateDelegate(typeof(AppDomainInitializer),
- assembly.GetType(Info[i].TargetTypeName),
- Info[i].MethodName);
- if (retVal == null)
- retVal = newVal;
- else
- retVal += newVal;
- }
- return retVal;
- }
- }
-
 internal sealed class AppDomain
 {
 // Domain security information
@@ -121,10 +45,6 @@ namespace System
 private AppDomainManager _domainManager;
 private Dictionary<String, Object> _LocalStore;
 private AppDomainSetup _FusionStore;
- private Evidence _SecurityIdentity;
-#pragma warning disable 169
- private Object[] _Policies; // Called from the VM.
-#pragma warning restore 169
 public event AssemblyLoadEventHandler AssemblyLoad;
 private ResolveEventHandler _TypeResolve;
@@ -191,7 +111,6 @@ namespace System
 }
- private ApplicationTrust _applicationTrust;
 private EventHandler _processExit;
 private EventHandler _domainUnload;
@@ -208,8 +127,6 @@ namespace System
 private IntPtr _pDomain; // this is an unmanaged pointer (AppDomain * m_pDomain)` used from the VM.
- private bool _HasSetPolicy;
- private bool _IsFastFullTrustDomain; // quick check to see if the AppDomain is fully trusted and homogenous
 private bool _compatFlagsInitialized;
 internal const String TargetFrameworkNameAppCompatSetting = "TargetFrameworkName";
@@ -244,11 +161,6 @@ namespace System
 }
 #endif // FEATURE_APPX
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- [SuppressUnmanagedCodeSecurity]
- [return: MarshalAs(UnmanagedType.Bool)]
- private static extern bool DisableFusionUpdatesFromADManager(AppDomainHandle domain);
-
 #if FEATURE_APPX
 [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
 [SuppressUnmanagedCodeSecurity]
@@ -256,11 +168,6 @@ namespace System
 private static extern APPX_FLAGS nGetAppXFlags();
 #endif
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void SetSecurityHomogeneousFlag(AppDomainHandle domain,
- [MarshalAs(UnmanagedType.Bool)] bool runtimeSuppliedHomogenousGrantSet);
-
 /// <summary>
 /// Get a handle used to make a call into the VM pointing to this domain
 /// </summary>
@@ -341,14 +248,6 @@ namespace System
 }
 /// <summary>
- /// Returns the setting of the corresponding compatibility config switch (see CreateAppDomainManager for the impact).
- /// </summary>
- internal bool DisableFusionUpdatesFromADManager()
- {
- return DisableFusionUpdatesFromADManager(GetNativeHandle());
- }
-
- /// <summary>
 /// Returns whether the current AppDomain follows the AppX rules.
 /// </summary>
 [Pure]
@@ -399,18 +298,6 @@ namespace System
 }
 /// <summary>
- /// Checks (and throws on failure) if the domain supports Assembly.ReflectionOnlyLoad.
- /// </summary>
- [Pure]
- internal static void CheckReflectionOnlyLoadSupported()
- {
-#if FEATURE_APPX
- if (IsAppXModel())
- throw new NotSupportedException(SR.Format(SR.NotSupported_AppX, "Assembly.ReflectionOnlyLoad"));
-#endif
- }
-
- /// <summary>
 /// Checks (and throws on failure) if the domain supports Assembly.Load(byte[] ...).
 /// </summary>
 [Pure]
@@ -422,70 +309,6 @@ namespace System
 #endif
 }
- /// <summary>
- /// Called for every AppDomain (including the default domain) to initialize the security of the AppDomain)
- /// </summary>
- private void InitializeDomainSecurity(Evidence providedSecurityInfo,
- Evidence creatorsSecurityInfo,
- bool generateDefaultEvidence,
- IntPtr parentSecurityDescriptor,
- bool publishAppDomain)
- {
- AppDomainSetup adSetup = FusionStore;
-
- bool runtimeSuppliedHomogenousGrant = false;
- ApplicationTrust appTrust = adSetup.ApplicationTrust;
-
- if (appTrust != null)
- {
- SetupDomainSecurityForHomogeneousDomain(appTrust, runtimeSuppliedHomogenousGrant);
- }
- else if (_IsFastFullTrustDomain)
- {
- SetSecurityHomogeneousFlag(GetNativeHandle(), runtimeSuppliedHomogenousGrant);
- }
-
- // Get the evidence supplied for the domain. If no evidence was supplied, it means that we want
- // to use the default evidence creation strategy for this domain
- Evidence newAppDomainEvidence = (providedSecurityInfo != null ? providedSecurityInfo : creatorsSecurityInfo);
- if (newAppDomainEvidence == null && generateDefaultEvidence)
- {
- newAppDomainEvidence = new Evidence();
- }
-
- // Set the evidence on the managed side
- _SecurityIdentity = newAppDomainEvidence;
-
- // Set the evidence of the AppDomain in the VM.
- // Also, now that the initialization is complete, signal that to the security system.
- // Finish the AppDomain initialization and resolve the policy for the AppDomain evidence.
- SetupDomainSecurity(newAppDomainEvidence,
- parentSecurityDescriptor,
- publishAppDomain);
- }
-
- private void SetupDomainSecurityForHomogeneousDomain(ApplicationTrust appTrust,
- bool runtimeSuppliedHomogenousGrantSet)
- {
- // If the CLR has supplied the homogenous grant set (that is, this domain would have been
- // heterogenous in v2.0), then we need to strip the ApplicationTrust from the AppDomainSetup of
- // the current domain.
This prevents code which does:
- // AppDomain.CreateDomain(..., AppDomain.CurrentDomain.SetupInformation);
- //
- // From looking like it is trying to create a homogenous domain intentionally, and therefore
- // having its evidence check bypassed.
- if (runtimeSuppliedHomogenousGrantSet)
- {
- BCLDebug.Assert(_FusionStore.ApplicationTrust != null, "Expected to find runtime supplied ApplicationTrust");
- }
-
- _applicationTrust = appTrust;
-
- // Set the homogeneous bit in the VM's ApplicationSecurityDescriptor.
- SetSecurityHomogeneousFlag(GetNativeHandle(),
- runtimeSuppliedHomogenousGrantSet);
- }
-
 public AppDomainManager DomainManager
 {
 get
@@ -522,20 +345,6 @@ namespace System
 sb.Append(Environment.NewLine);
 }
- if (_Policies == null || _Policies.Length == 0)
- sb.Append(SR.Loader_NoContextPolicies
- + Environment.NewLine);
- else
- {
- sb.Append(SR.Loader_ContextPolicies
- + Environment.NewLine);
- for (int i = 0; i < _Policies.Length; i++)
- {
- sb.Append(_Policies[i]);
- sb.Append(Environment.NewLine);
- }
- }
-
 return StringBuilderCache.GetStringAndRelease(sb);
 }
@@ -832,23 +641,10 @@ namespace System
 nCreateContext();
- if (info.LoaderOptimization != LoaderOptimization.NotSpecified || (oldInfo != null && info.LoaderOptimization != oldInfo.LoaderOptimization))
- UpdateLoaderOptimization(info.LoaderOptimization);
 // This must be the last action taken
 _FusionStore = info;
 }
- private static void RunInitializer(AppDomainSetup setup)
- {
- if (setup.AppDomainInitializer != null)
- {
- string[] args = null;
- if (setup.AppDomainInitializerArguments != null)
- args = (string[])setup.AppDomainInitializerArguments.Clone();
- setup.AppDomainInitializer(args);
- }
- }
-
 // Used to switch into other AppDomain and call SetupRemoteDomain.
 // We cannot simply call through the proxy, because if there
 // are any remoting sinks registered, they can add non-mscorlib
@@ -856,21 +652,9 @@ namespace System
 // we try to deserialize it on the other side)
 private static object PrepareDataForSetup(String friendlyName,
 AppDomainSetup setup,
- Evidence providedSecurityInfo,
- Evidence creatorsSecurityInfo,
- IntPtr parentSecurityDescriptor,
- string sandboxName,
 string[] propertyNames,
 string[] propertyValues)
 {
- byte[] serializedEvidence = null;
- bool generateDefaultEvidence = false;
-
- AppDomainInitializerInfo initializerInfo = null;
- if (setup != null && setup.AppDomainInitializer != null)
- initializerInfo = new AppDomainInitializerInfo(setup.AppDomainInitializer);
-
 // will travel x-Ad, drop non-agile data
 AppDomainSetup newSetup = new AppDomainSetup(setup, false);
 // Remove the special AppDomainCompatSwitch entries from the set of name value pairs
@@ -903,11 +687,6 @@ namespace System
 {
 friendlyName,
 newSetup,
- parentSecurityDescriptor,
- generateDefaultEvidence,
- serializedEvidence,
- initializerInfo,
- sandboxName,
 propertyNames,
 propertyValues
 };
@@ -921,16 +700,8 @@ namespace System
 Object[] args = (Object[])arg;
 String friendlyName = (String)args[0];
 AppDomainSetup setup = (AppDomainSetup)args[1];
- IntPtr parentSecurityDescriptor = (IntPtr)args[2];
- bool generateDefaultEvidence = (bool)args[3];
- byte[] serializedEvidence = (byte[])args[4];
- AppDomainInitializerInfo initializerInfo = (AppDomainInitializerInfo)args[5];
- string sandboxName = (string)args[6];
- string[] propertyNames = (string[])args[7]; // can contain null elements
- string[] propertyValues = (string[])args[8]; // can contain null elements
- // extract evidence
- Evidence providedSecurityInfo = null;
- Evidence creatorsSecurityInfo = null;
+ string[] propertyNames = (string[])args[2]; // can contain null elements
+ string[] propertyValues = (string[])args[3]; // can contain null elements
 AppDomain ad = AppDomain.CurrentDomain;
 AppDomainSetup newSetup = new AppDomainSetup(setup, false);
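Review bot: The renumbered `args[2]`/`args[3]` reads in Setup remain positionally coupled to the object array built in PrepareDataForSetup (the `@@ -903` hunk above), and nothing verifies that the two sides still agree, so a future mismatch would surface as an IndexOutOfRangeException or InvalidCastException inside the new domain rather than at the producer. Since this commit renumbers both ends, it is the right moment to pin the layout right after the `Object[] args = (Object[])arg;` cast, e.g. `BCLDebug.Assert(args.Length == 4, "args layout must match PrepareDataForSetup");`, or at least a comment on each side naming the other. The enclosing Setup method starts and ends outside the hunk.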
@@ -966,20 +737,6 @@ namespace System
 newSetup.ApplicationBase = NormalizePath(propertyValues[i], fullCheck: true);
 }
- else if (propertyNames[i] == "LOADER_OPTIMIZATION")
- {
- if (propertyValues[i] == null)
- throw new ArgumentNullException("LOADER_OPTIMIZATION");
-
- switch (propertyValues[i])
- {
- case "SingleDomain": newSetup.LoaderOptimization = LoaderOptimization.SingleDomain; break;
- case "MultiDomain": newSetup.LoaderOptimization = LoaderOptimization.MultiDomain; break;
- case "MultiDomainHost": newSetup.LoaderOptimization = LoaderOptimization.MultiDomainHost; break;
- case "NotSpecified": newSetup.LoaderOptimization = LoaderOptimization.NotSpecified; break;
- default: throw new ArgumentException(SR.Argument_UnrecognizedLoaderOptimization, "LOADER_OPTIMIZATION");
- }
- }
 else if (propertyNames[i] == "TRUSTED_PLATFORM_ASSEMBLIES" ||
 propertyNames[i] == "PLATFORM_RESOURCE_ROOTS" ||
 propertyNames[i] == "APP_PATHS" ||
@@ -1004,29 +761,10 @@ namespace System
 // but it's confusing since it isn't immediately obvious whether we have a ref or a copy
 AppDomainSetup adSetup = ad.FusionStore;
- adSetup.InternalSetApplicationTrust(sandboxName);
-
 // set up the friendly name
 ad.nSetupFriendlyName(friendlyName);
-#if FEATURE_COMINTEROP
- if (setup != null && setup.SandboxInterop)
- {
- ad.nSetDisableInterfaceCache();
- }
-#endif // FEATURE_COMINTEROP
-
 ad.CreateAppDomainManager(); // could modify FusionStore's object
- ad.InitializeDomainSecurity(providedSecurityInfo,
- creatorsSecurityInfo,
- generateDefaultEvidence,
- parentSecurityDescriptor,
- true);
-
- // can load user code now
- if (initializerInfo != null)
- adSetup.AppDomainInitializer = initializerInfo.Unwrap();
- RunInitializer(adSetup);
 return null;
 }
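Review bot: In the `@@ -1004` hunk the local `AppDomainSetup adSetup = ad.FusionStore;` survives as context while every use of it in the method (`InternalSetApplicationTrust`, the `AppDomainInitializer` assignment, `RunInitializer`) is deleted, and the method returns immediately after, so `adSetup` and the comment above it about "whether we have a ref or a copy" now look dead. Unless there is a use in the lines between the declaration and `ad.nSetupFriendlyName` that the hunk does not show, drop the declaration and its comment so the next reader does not assume the setup object is still being mutated here. The enclosing Setup method starts outside the hunk.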
@@ -1092,41 +830,14 @@ namespace System
 AppDomainSetup setup = new AppDomainSetup();
 // always use internet permission set
- setup.InternalSetApplicationTrust("Internet");
 SetupFusionStore(setup, null);
 }
 }
 }
- private void SetupDomainSecurity(Evidence appDomainEvidence,
- IntPtr creatorsSecurityDescriptor,
- bool publishAppDomain)
- {
- Evidence stackEvidence = appDomainEvidence;
- SetupDomainSecurity(GetNativeHandle(),
- JitHelpers.GetObjectHandleOnStack(ref stackEvidence),
- creatorsSecurityDescriptor,
- publishAppDomain);
- }
-
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void SetupDomainSecurity(AppDomainHandle appDomain,
- ObjectHandleOnStack appDomainEvidence,
- IntPtr creatorsSecurityDescriptor,
- [MarshalAs(UnmanagedType.Bool)] bool publishAppDomain);
-
 [MethodImplAttribute(MethodImplOptions.InternalCall)]
 private extern void nSetupFriendlyName(string friendlyName);
-#if FEATURE_COMINTEROP
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- private extern void nSetDisableInterfaceCache();
-#endif // FEATURE_COMINTEROP
-
- [MethodImplAttribute(MethodImplOptions.InternalCall)]
- internal extern void UpdateLoaderOptimization(LoaderOptimization optimization);
-
 public AppDomainSetup SetupInformation
 {
 get
@@ -1141,10 +852,6 @@ namespace System
 [MethodImplAttribute(MethodImplOptions.InternalCall)]
 internal extern String GetOrInternString(String str);
- [SuppressUnmanagedCodeSecurity]
- [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
- private static extern void GetGrantSet(AppDomainHandle domain, ObjectHandleOnStack retGrantSet);
-
 public bool IsFullyTrusted
 {
 get
diff --git a/src/mscorlib/src/System/AppDomainAttributes.cs b/src/mscorlib/src/System/AppDomainAttributes.cs
deleted file mode 100644
index 92d6d8bbb2..0000000000
--- a/src/mscorlib/src/System/AppDomainAttributes.cs
+++ /dev/null
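Review bot: The surviving context line `// always use internet permission set` in the `@@ -1092` hunk now annotates nothing: the `setup.InternalSetApplicationTrust("Internet")` call it described is deleted, so the text left behind claims a sandboxed grant set is applied to a domain that is in fact created with a bare `new AppDomainSetup()`. Delete the comment, or replace it with one that states the new behaviour, e.g. `// no per-domain permission set: CAS support has been removed`. The enclosing method starts and ends outside the hunk.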
@@ -1,28 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-
-/*=============================================================================
-**
-**
-**
-** Purpose: For AppDomain-related custom attributes.
-**
-**
-=============================================================================*/
-
-namespace System
-{
- internal enum LoaderOptimization
- {
- NotSpecified = 0,
- SingleDomain = 1,
- MultiDomain = 2,
- MultiDomainHost = 3,
- [Obsolete("This method has been deprecated. Please use Assembly.Load() instead. http://go.microsoft.com/fwlink/?linkid=14202")]
- DomainMask = 3,
- [Obsolete("This method has been deprecated. Please use Assembly.Load() instead. http://go.microsoft.com/fwlink/?linkid=14202")]
- DisallowBindings = 4
- }
-}
-
diff --git a/src/mscorlib/src/System/AppDomainSetup.cs b/src/mscorlib/src/System/AppDomainSetup.cs
index 83d3ac80da..06e91f8443 100644
--- a/src/mscorlib/src/System/AppDomainSetup.cs
+++ b/src/mscorlib/src/System/AppDomainSetup.cs
@@ -16,7 +16,6 @@ namespace System
 using System.Runtime.InteropServices;
 using System.Runtime.Serialization;
 using System.Security;
- using System.Security.Policy;
 using Path = System.IO.Path;
 using System.Diagnostics;
 using System.Diagnostics.Contracts;
@@ -58,29 +57,9 @@ namespace System
 // of these fields or add new ones.
 private string[] _Entries;
- private LoaderOptimization _LoaderOptimization;
 #pragma warning disable 169
 private String _AppBase; // for compat with v1.1
 #pragma warning restore 169
- [OptionalField(VersionAdded = 2)]
- private AppDomainInitializer _AppDomainInitializer;
- [OptionalField(VersionAdded = 2)]
- private string[] _AppDomainInitializerArguments;
-
- // On the CoreCLR, this contains just the name of the permission set that we install in the new appdomain.
- // Not the ToXml().ToString() of an ApplicationTrust object.
- [OptionalField(VersionAdded = 2)]
- private string _ApplicationTrust;
- [OptionalField(VersionAdded = 2)]
- private byte[] _ConfigurationBytes;
-#if FEATURE_COMINTEROP
- [OptionalField(VersionAdded = 3)]
- private bool _DisableInterfaceCache = false;
-#endif // FEATURE_COMINTEROP
- [OptionalField(VersionAdded = 4)]
- private string _AppDomainManagerAssembly;
- [OptionalField(VersionAdded = 4)]
- private string _AppDomainManagerType;
 // A collection of strings used to indicate which breaking changes shouldn't be applied
 // to an AppDomain. We only use the keys, the values are ignored.
@@ -119,23 +98,6 @@ namespace System
 mine[i] = null;
 }
- _LoaderOptimization = copy._LoaderOptimization;
-
- _AppDomainInitializerArguments = copy.AppDomainInitializerArguments;
- _ApplicationTrust = copy._ApplicationTrust;
-
- if (copyDomainBoundData)
- _AppDomainInitializer = copy.AppDomainInitializer;
- else
- _AppDomainInitializer = null;
-
- _ConfigurationBytes = null;
-#if FEATURE_COMINTEROP
- _DisableInterfaceCache = copy._DisableInterfaceCache;
-#endif // FEATURE_COMINTEROP
- _AppDomainManagerAssembly = copy.AppDomainManagerAssembly;
- _AppDomainManagerType = copy.AppDomainManagerType;
-
 if (copy._CompatFlags != null)
 {
 SetCompatibilitySwitches(copy._CompatFlags.Keys);
@@ -148,13 +110,10 @@ namespace System #endif } - else - _LoaderOptimization = LoaderOptimization.NotSpecified; } public AppDomainSetup() { - _LoaderOptimization = LoaderOptimization.NotSpecified; } internal void SetupDefaults(string imageLocation, bool imageLocationAlreadyNormalized = false) @@ -188,18 +147,6 @@ namespace System } } - public string AppDomainManagerAssembly - { - get { return _AppDomainManagerAssembly; } - set { _AppDomainManagerAssembly = value; } - } - - public string AppDomainManagerType - { - get { return _AppDomainManagerType; } - set { _AppDomainManagerType = value; } - } - public String ApplicationBase { [Pure] @@ -270,85 +217,5 @@ namespace System Value[(int)LoaderInformation.ApplicationNameValue] = value; } } - - public AppDomainInitializer AppDomainInitializer - { - get - { - return _AppDomainInitializer; - } - - set - { - _AppDomainInitializer = value; - } - } - public string[] AppDomainInitializerArguments - { - get - { - return _AppDomainInitializerArguments; - } - - set - { - _AppDomainInitializerArguments = value; - } - } - - internal ApplicationTrust InternalGetApplicationTrust() - { - if (_ApplicationTrust == null) return null; - ApplicationTrust grantSet = new ApplicationTrust(); - return grantSet; - } - - internal void InternalSetApplicationTrust(String permissionSetName) - { - _ApplicationTrust = permissionSetName; - } - - internal ApplicationTrust ApplicationTrust - { - get - { - return InternalGetApplicationTrust(); - } - } - - public LoaderOptimization LoaderOptimization - { - get - { - return _LoaderOptimization; - } - - set - { - _LoaderOptimization = value; - } - } - - internal static string LoaderOptimizationKey - { - get - { - return LOADER_OPTIMIZATION; - } - } - -#if FEATURE_COMINTEROP - public bool SandboxInterop - { - get - { - return _DisableInterfaceCache; - } - set - { - _DisableInterfaceCache = value; - } - } -#endif // FEATURE_COMINTEROP } } 
diff --git a/src/mscorlib/src/System/Environment.cs b/src/mscorlib/src/System/Environment.cs
index 257deb27eb..e906fa2017 100644
--- a/src/mscorlib/src/System/Environment.cs
+++ b/src/mscorlib/src/System/Environment.cs
@@ -131,26 +131,6 @@ namespace System
 [MethodImplAttribute(MethodImplOptions.InternalCall)]
 public static extern void FailFast(String message, Exception exception);
 
- /*===============================CurrentDirectory===============================
- **Action: Provides a getter and setter for the current directory. The original
- ** current directory is the one from which the process was started.
- **Returns: The current directory (from the getter). Void from the setter.
- **Arguments: The current directory to which to switch to the setter.
- **Exceptions:
- ==============================================================================*/
- internal static String CurrentDirectory
- {
- get
- {
- return Directory.GetCurrentDirectory();
- }
-
- set
- {
- Directory.SetCurrentDirectory(value);
- }
- }
-
 // Returns the system directory (ie, C:\WinNT\System32).
 internal static String SystemDirectory
 {
diff --git a/src/mscorlib/src/System/IAppDomainPauseManager.cs b/src/mscorlib/src/System/IAppDomainPauseManager.cs
deleted file mode 100644
index 8696e48664..0000000000
--- a/src/mscorlib/src/System/IAppDomainPauseManager.cs
+++ /dev/null
@@ -1,49 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-
-/*=============================================================================
-**
-**
-** Purpose: Interface meant for CLR to participate in framework rundown.
-** AppDomainPauseManager is the class that encapsulates all Fx rundown work.
-**
-**
-=============================================================================*/
-
-using System;
-using System.Threading;
-using System.Security;
-using System.Diagnostics.Contracts;
-using System.Runtime.Versioning;
-using System.Runtime.CompilerServices;
-
-namespace System
-{
- internal class AppDomainPauseManager
- {
- public AppDomainPauseManager()
- {
- isPaused = false;
- }
-
- static AppDomainPauseManager()
- {
- }
-
- private static readonly AppDomainPauseManager instance = new AppDomainPauseManager();
-
- private static volatile bool isPaused;
-
- internal static bool IsPaused
- {
- get { return isPaused; }
- }
-
- internal static ManualResetEvent ResumeEvent
- {
- get;
- set;
- }
- }
-}
diff --git a/src/mscorlib/src/System/IO/Directory.cs b/src/mscorlib/src/System/IO/Directory.cs
index 6417207d38..6541e44e7d 100644
--- a/src/mscorlib/src/System/IO/Directory.cs
+++ b/src/mscorlib/src/System/IO/Directory.cs
@@ -90,68 +90,6 @@ namespace System.IO if (path == null) return null; return path.Substring(0, PathInternal.GetRootLength(path)); } - - /*===============================CurrentDirectory=============================== - **Action: Provides a getter and setter for the current directory. The original - ** current DirectoryInfo is the one from which the process was started. - **Returns: The current DirectoryInfo (from the getter). Void from the setter. - **Arguments: The current DirectoryInfo to which to switch to the setter. - **Exceptions: - ==============================================================================*/ - public static String GetCurrentDirectory() - { - // Start with a buffer the size of MAX_PATH - StringBuffer buffer = new StringBuffer(260); - try - { - uint result = 0; - while ((result = Win32Native.GetCurrentDirectoryW((uint)buffer.Capacity, buffer.UnderlyingArray)) > buffer.Capacity) - { - // Reported size is greater than the buffer size. Increase the capacity. - // The size returned includes the null only if more space is needed (this case). - buffer.EnsureCapacity(checked((int)result)); - } - - if (result == 0) - __Error.WinIOError(); - - buffer.Length = (int)result; - -#if PLATFORM_WINDOWS - if (buffer.Contains('~')) - return Path.GetFullPath(buffer.ToString()); -#endif // PLATFORM_WINDOWS - - return buffer.ToString(); - } - finally - { - buffer.Free(); - } - } - - public static void SetCurrentDirectory(String path) - { - if (path == null) - throw new ArgumentNullException(nameof(path)); - if (path.Length == 0) - throw new ArgumentException(SR.Argument_PathEmpty); - if (path.Length >= Path.MaxPath) - throw new PathTooLongException(SR.IO_PathTooLong); - - String fulldestDirName = Path.GetFullPath(path); - - if (!Win32Native.SetCurrentDirectory(fulldestDirName)) - { - // If path doesn't exist, this sets last error to 2 (File - // not Found). LEGACY: This may potentially have worked correctly - // on Win9x, maybe. 
- int errorCode = Marshal.GetLastWin32Error(); - if (errorCode == Win32Native.ERROR_FILE_NOT_FOUND) - errorCode = Win32Native.ERROR_PATH_NOT_FOUND; - __Error.WinIOError(errorCode, fulldestDirName); - } - } } } diff --git a/src/mscorlib/src/System/Reflection/Assembly.CoreCLR.cs b/src/mscorlib/src/System/Reflection/Assembly.CoreCLR.cs index 9d34b48177..68a4aa0f27 100644 --- a/src/mscorlib/src/System/Reflection/Assembly.CoreCLR.cs +++ b/src/mscorlib/src/System/Reflection/Assembly.CoreCLR.cs @@ -3,7 +3,6 @@ // See the LICENSE file in the project root for more information. using System.Collections.Generic; -using System.Security.Policy; using System.IO; using System.Configuration.Assemblies; using StackCrawlMark = System.Threading.StackCrawlMark; @@ -103,7 +102,7 @@ namespace System.Reflection Contract.Ensures(!Contract.Result<Assembly>().ReflectionOnly); StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; - return RuntimeAssembly.InternalLoad(assemblyString, null, ref stackMark, false /*forIntrospection*/); + return RuntimeAssembly.InternalLoad(assemblyString, ref stackMark); } // Returns type from the assembly while keeping compatibility with Assembly.Load(assemblyString).GetType(typeName) for managed types. @@ -121,7 +120,6 @@ namespace System.Reflection RuntimeAssembly assembly; AssemblyName assemblyName = RuntimeAssembly.CreateAssemblyName( assemblyString, - false /*forIntrospection*/, out assembly); if (assembly == null) @@ -132,8 +130,8 @@ namespace System.Reflection } assembly = RuntimeAssembly.InternalLoadAssemblyName( - assemblyName, null, null, ref stackMark, - true /*thrownOnFileNotFound*/, false /*forIntrospection*/); + assemblyName, null, ref stackMark, + true /*thrownOnFileNotFound*/); } return assembly.GetType(typeName, true /*throwOnError*/, false /*ignoreCase*/); } 
@@ -158,7 +156,7 @@ namespace System.Reflection } StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; - return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, null, ref stackMark, true /*thrownOnFileNotFound*/, false /*forIntrospection*/); + return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, ref stackMark, true /*thrownOnFileNotFound*/); } // Locate an assembly by its name. The name can be strong or @@ -181,7 +179,7 @@ namespace System.Reflection } StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; - return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, null, ref stackMark, true /*thrownOnFileNotFound*/, false /*forIntrospection*/, ptrLoadContextBinder); + return RuntimeAssembly.InternalLoadAssemblyName(modifiedAssemblyRef, null, ref stackMark, true /*thrownOnFileNotFound*/, ptrLoadContextBinder); } // Loads the assembly with a COFF based IMAGE containing diff --git a/src/mscorlib/src/System/Reflection/AssemblyName.cs b/src/mscorlib/src/System/Reflection/AssemblyName.cs index 996a206083..4bc7882838 100644 --- a/src/mscorlib/src/System/Reflection/AssemblyName.cs +++ b/src/mscorlib/src/System/Reflection/AssemblyName.cs @@ -398,12 +398,12 @@ namespace System.Reflection } [MethodImplAttribute(MethodImplOptions.InternalCall)] - internal extern void nInit(out RuntimeAssembly assembly, bool forIntrospection, bool raiseResolveEvent); + internal extern void nInit(out RuntimeAssembly assembly, bool raiseResolveEvent); internal void nInit() { RuntimeAssembly dummy = null; - nInit(out dummy, false, false); + nInit(out dummy, false); } internal void SetProcArchIndex(PortableExecutableKinds pek, ImageFileMachine ifm) diff --git a/src/mscorlib/src/System/Reflection/CustomAttribute.cs b/src/mscorlib/src/System/Reflection/CustomAttribute.cs index 031b4f4509..7f4bcbfcff 100644 --- a/src/mscorlib/src/System/Reflection/CustomAttribute.cs +++ b/src/mscorlib/src/System/Reflection/CustomAttribute.cs 
@@ -1291,7 +1291,7 @@ namespace System.Reflection // ... however if the attribute is sealed we can rely on the attribute usage if (!inherit || (caType.IsSealed && !CustomAttribute.GetAttributeUsage(caType).Inherited)) { - object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(type)); + object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } @@ -1306,7 +1306,7 @@ namespace System.Reflection while (type != (RuntimeType)typeof(object) && type != null) { - object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, 0, caType, mustBeInheritable, result, !AllowCriticalCustomAttributes(type)); + object[] attributes = GetCustomAttributes(type.GetRuntimeModule(), type.MetadataToken, 0, caType, mustBeInheritable, result); mustBeInheritable = true; for (int i = 0; i < attributes.Length; i++) result.Add(attributes[i]); 
@@ -1319,53 +1319,6 @@ namespace System.Reflection return typedResult; } - private static bool AllowCriticalCustomAttributes(RuntimeType type) - { - if (type.IsGenericParameter) - { - // Generic parameters don't have transparency state, so look at the - // declaring method/type. One of declaringMethod or declaringType - // must be set. - MethodBase declaringMethod = type.DeclaringMethod; - if (declaringMethod != null) - { - return AllowCriticalCustomAttributes(declaringMethod); - } - else - { - type = type.DeclaringType as RuntimeType; - Debug.Assert(type != null); - } - } - - return !type.IsSecurityTransparent || SpecialAllowCriticalAttributes(type); - } - - private static bool SpecialAllowCriticalAttributes(RuntimeType type) - { - return false; - } - - private static bool AllowCriticalCustomAttributes(MethodBase method) - { - Contract.Requires(method is RuntimeMethodInfo || method is RuntimeConstructorInfo); - - return !method.IsSecurityTransparent || - SpecialAllowCriticalAttributes((RuntimeType)method.DeclaringType); - } - - private static bool AllowCriticalCustomAttributes(RuntimeFieldInfo field) - { - return !field.IsSecurityTransparent || - SpecialAllowCriticalAttributes((RuntimeType)field.DeclaringType); - } - - private static bool AllowCriticalCustomAttributes(RuntimeParameterInfo parameter) - { - // Since parameters have no transparency state, we look at the defining method instead. - return AllowCriticalCustomAttributes(parameter.DefiningMethod); - } - internal static Object[] GetCustomAttributes(RuntimeMethodInfo method, RuntimeType caType, bool inherit) { Contract.Requires(method != null); 
@@ -1382,7 +1335,7 @@ namespace System.Reflection // ... however if the attribute is sealed we can rely on the attribute usage if (!inherit || (caType.IsSealed && !CustomAttribute.GetAttributeUsage(caType).Inherited)) { - object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(method)); + object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } @@ -1397,7 +1350,7 @@ namespace System.Reflection while (method != null) { - object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, 0, caType, mustBeInheritable, result, !AllowCriticalCustomAttributes(method)); + object[] attributes = GetCustomAttributes(method.GetRuntimeModule(), method.MetadataToken, 0, caType, mustBeInheritable, result); mustBeInheritable = true; for (int i = 0; i < attributes.Length; i++) result.Add(attributes[i]); @@ -1417,7 +1370,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(ctor, caType, true, out pcaCount); - object[] attributes = GetCustomAttributes(ctor.GetRuntimeModule(), ctor.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(ctor)); + object[] attributes = GetCustomAttributes(ctor.GetRuntimeModule(), ctor.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } 
@@ -1429,13 +1382,8 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(property, caType, out pcaCount); - // Since properties and events have no transparency state, logically we should check the declaring types. - // But then if someone wanted to apply critical attributes on a property/event he would need to make the type critical, - // which would also implicitly made all the members critical. - // So we check the containing assembly instead. If the assembly can contain critical code we allow critical attributes on properties/events. - bool disallowCriticalCustomAttributes = property.GetRuntimeModule().GetRuntimeAssembly().IsAllSecurityTransparent(); - object[] attributes = GetCustomAttributes(property.GetRuntimeModule(), property.MetadataToken, pcaCount, caType, disallowCriticalCustomAttributes); + object[] attributes = GetCustomAttributes(property.GetRuntimeModule(), property.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } 
@@ -1447,12 +1395,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(e, caType, out pcaCount); - // Since properties and events have no transparency state, logically we should check the declaring types. - // But then if someone wanted to apply critical attributes on a property/event he would need to make the type critical, - // which would also implicitly made all the members critical. - // So we check the containing assembly instead. If the assembly can contain critical code we allow critical attributes on properties/events. - bool disallowCriticalCustomAttributes = e.GetRuntimeModule().GetRuntimeAssembly().IsAllSecurityTransparent(); - object[] attributes = GetCustomAttributes(e.GetRuntimeModule(), e.MetadataToken, pcaCount, caType, disallowCriticalCustomAttributes); + object[] attributes = GetCustomAttributes(e.GetRuntimeModule(), e.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } @@ -1464,7 +1407,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(field, caType, out pcaCount); - object[] attributes = GetCustomAttributes(field.GetRuntimeModule(), field.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(field)); + object[] attributes = GetCustomAttributes(field.GetRuntimeModule(), field.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } 
@@ -1476,7 +1419,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(parameter, caType, out pcaCount); - object[] attributes = GetCustomAttributes(parameter.GetRuntimeModule(), parameter.MetadataToken, pcaCount, caType, !AllowCriticalCustomAttributes(parameter)); + object[] attributes = GetCustomAttributes(parameter.GetRuntimeModule(), parameter.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } @@ -1489,8 +1432,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(assembly, caType, true, out pcaCount); int assemblyToken = RuntimeAssembly.GetToken(assembly.GetNativeHandle()); - bool isAssemblySecurityTransparent = assembly.IsAllSecurityTransparent(); - object[] attributes = GetCustomAttributes(assembly.ManifestModule as RuntimeModule, assemblyToken, pcaCount, caType, isAssemblySecurityTransparent); + object[] attributes = GetCustomAttributes(assembly.ManifestModule as RuntimeModule, assemblyToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } @@ -1502,8 +1444,7 @@ namespace System.Reflection int pcaCount = 0; Attribute[] pca = PseudoCustomAttribute.GetCustomAttributes(module, caType, out pcaCount); - bool isModuleSecurityTransparent = module.GetRuntimeAssembly().IsAllSecurityTransparent(); - object[] attributes = GetCustomAttributes(module, module.MetadataToken, pcaCount, caType, isModuleSecurityTransparent); + object[] attributes = GetCustomAttributes(module, module.MetadataToken, pcaCount, caType); if (pcaCount > 0) Array.Copy(pca, 0, attributes, attributes.Length - pcaCount, pcaCount); return attributes; } 
@@ -1569,14 +1510,14 @@ namespace System.Reflection } private unsafe static object[] GetCustomAttributes( - RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount, RuntimeType attributeFilterType, bool isDecoratedTargetSecurityTransparent) + RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount, RuntimeType attributeFilterType) { - return GetCustomAttributes(decoratedModule, decoratedMetadataToken, pcaCount, attributeFilterType, false, null, isDecoratedTargetSecurityTransparent); + return GetCustomAttributes(decoratedModule, decoratedMetadataToken, pcaCount, attributeFilterType, false, null); } private unsafe static object[] GetCustomAttributes( RuntimeModule decoratedModule, int decoratedMetadataToken, int pcaCount, - RuntimeType attributeFilterType, bool mustBeInheritable, IList derivedAttributes, bool isDecoratedTargetSecurityTransparent) + RuntimeType attributeFilterType, bool mustBeInheritable, IList derivedAttributes) { if (decoratedModule.Assembly.ReflectionOnly) throw new InvalidOperationException(SR.Arg_ReflectionOnlyCA); @@ -1618,16 +1559,6 @@ namespace System.Reflection out attributeType, out ctor, out ctorHasParameters, out isVarArg)) continue; - if (ctor != null) - { - // Linktime demand checks - // decoratedMetadataToken needed as it may be "transparent" in which case we do a full stack walk - RuntimeMethodHandle.CheckLinktimeDemands(ctor, decoratedModule, isDecoratedTargetSecurityTransparent); - } - else - { - } - // Leverage RuntimeConstructorInfo standard .ctor verfication RuntimeConstructorInfo.CheckCanCreateInstance(attributeType, isVarArg); @@ -1709,8 +1640,6 @@ namespace System.Reflection if (!setMethod.IsPublic) continue; - RuntimeMethodHandle.CheckLinktimeDemands(setMethod, decoratedModule, isDecoratedTargetSecurityTransparent); - setMethod.UnsafeInvoke(attribute, BindingFlags.Default, null, new object[] { value }, null); #endregion } 
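Review bot: With `RuntimeMethodHandle.CheckLinktimeDemands` gone from the -1618 hunk, `RuntimeConstructorInfo.CheckCanCreateInstance(attributeType, isVarArg)` is the only gate left before the attribute constructor runs for a decorated target, and the comment above it does not say so; I would reword it to `// CheckCanCreateInstance is the only check before the attribute .ctor runs: link demands no longer exist and caller visibility is not re-checked here` (and fix "verfication"). The same applies to the named-property path in the -1709 hunk, where `if (!setMethod.IsPublic) continue;` is now all that stands between the blob and `setMethod.UnsafeInvoke`, and to the named-field path in the -1718 hunk on the next line, where `attributeType.GetField(name)` is followed directly by `CheckConsistency` and `UnsafeSetValue` with no visible public-ness test. If `GetField(name)` without binding flags yields only public fields, a one-line comment saying the field path relies on that to match the property path's `IsPublic` test would stop a reader from re-adding a redundant check; if it does not, the field path needs the counterpart of that test. The enclosing GetCustomAttributes overload begins and ends outside these hunks.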
@@ -1718,11 +1647,6 @@ namespace System.Reflection { RtFieldInfo field = attributeType.GetField(name) as RtFieldInfo; - if (isDecoratedTargetSecurityTransparent) - { - RuntimeFieldHandle.CheckAttributeAccess(field.FieldHandle, decoratedModule.GetNativeHandle()); - } - field.CheckConsistency(attribute); field.UnsafeSetValue(attribute, value, BindingFlags.Default, Type.DefaultBinder, null); } diff --git a/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilder.cs b/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilder.cs index 6d9cb0db2f..7b190df6c2 100644 --- a/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilder.cs +++ b/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilder.cs @@ -38,23 +38,8 @@ namespace System.Reflection.Emit using System.Runtime.Serialization; using System.Runtime.Versioning; using System.Security; - using System.Security.Policy; using System.Threading; - // These must match the definitions in Assembly.hpp - [Flags] - internal enum DynamicAssemblyFlags - { - None = 0x00000000, - - // Security attributes which affect the module security descriptor - AllCritical = 0x00000001, - Aptca = 0x00000002, - Critical = 0x00000004, - Transparent = 0x00000008, - TreatAsSafe = 0x00000010, - } - // When the user calls AppDomain.DefineDynamicAssembly the loader creates a new InternalAssemblyBuilder. // This InternalAssemblyBuilder can be retrieved via a call to Assembly.GetAssemblies() by untrusted code. // In the past, when InternalAssemblyBuilder was AssemblyBuilder, the untrusted user could down cast the @@ -218,11 +203,8 @@ namespace System.Reflection.Emit internal AssemblyBuilder(AppDomain domain, AssemblyName name, AssemblyBuilderAccess access, - String dir, - Evidence evidence, ref StackCrawlMark stackMark, - IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes, - SecurityContextSource securityContextSource) + IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes) { if (name == null) throw new ArgumentNullException(nameof(name)); 
@@ -234,12 +216,6 @@ namespace System.Reflection.Emit throw new ArgumentException(SR.Format(SR.Arg_EnumIllegalVal, (int)access), nameof(access)); } - if (securityContextSource < SecurityContextSource.CurrentAppDomain || - securityContextSource > SecurityContextSource.CurrentAssembly) - { - throw new ArgumentOutOfRangeException(nameof(securityContextSource)); - } - // Clone the name in case the caller modifies it underneath us. name = (AssemblyName)name.Clone(); @@ -247,46 +223,21 @@ namespace System.Reflection.Emit // assembly. Currently, we look for any attribute which modifies the security transparency // of the assembly. List<CustomAttributeBuilder> assemblyAttributes = null; - DynamicAssemblyFlags assemblyFlags = DynamicAssemblyFlags.None; - byte[] securityRulesBlob = null; - byte[] aptcaBlob = null; if (unsafeAssemblyAttributes != null) { // Create a copy to ensure that it cannot be modified from another thread // as it is used further below. assemblyAttributes = new List<CustomAttributeBuilder>(unsafeAssemblyAttributes); - -#pragma warning disable 618 // We deal with legacy attributes here as well for compat - foreach (CustomAttributeBuilder attribute in assemblyAttributes) - { - if (attribute.m_con.DeclaringType == typeof(SecurityTransparentAttribute)) - { - assemblyFlags |= DynamicAssemblyFlags.Transparent; - } - else if (attribute.m_con.DeclaringType == typeof(SecurityCriticalAttribute)) - { - { - assemblyFlags |= DynamicAssemblyFlags.AllCritical; - } - } - } -#pragma warning restore 618 } m_internalAssemblyBuilder = (InternalAssemblyBuilder)nCreateDynamicAssembly(domain, name, - evidence, ref stackMark, - securityRulesBlob, - aptcaBlob, - access, - assemblyFlags, - securityContextSource); + access); m_assemblyData = new AssemblyBuilderData(m_internalAssemblyBuilder, name.Name, - access, - dir); + access); // Make sure that ManifestModule is properly initialized // We need to do this before setting any CustomAttribute 
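Review bot: The context comment in the -247 hunk ending `// assembly. Currently, we look for any attribute which modifies the security transparency` / `// of the assembly.` is now stale, because the loop that inspected `SecurityTransparentAttribute` and `SecurityCriticalAttribute` is removed here and `assemblyAttributes` is only copied. I would replace that comment with `// Snapshot the caller's attribute list so it cannot change under us; the attributes are applied after the assembly is created.` The first line of that comment sits outside the hunk, and the constructor continues beyond it.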
@@ -335,8 +286,8 @@ namespace System.Reflection.Emit Contract.Ensures(Contract.Result<AssemblyBuilder>() != null); StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; - return InternalDefineDynamicAssembly(name, access, null, - null, ref stackMark, null, SecurityContextSource.CurrentAssembly); + return InternalDefineDynamicAssembly(name, access, + ref stackMark, null); } [System.Security.DynamicSecurityMethod] // Methods containing StackCrawlMark local var has to be marked DynamicSecurityMethod @@ -350,33 +301,24 @@ namespace System.Reflection.Emit StackCrawlMark stackMark = StackCrawlMark.LookForMyCaller; return InternalDefineDynamicAssembly(name, access, - null, null, ref stackMark, - assemblyAttributes, SecurityContextSource.CurrentAssembly); + assemblyAttributes); } [MethodImplAttribute(MethodImplOptions.InternalCall)] private static extern Assembly nCreateDynamicAssembly(AppDomain domain, AssemblyName name, - Evidence identity, ref StackCrawlMark stackMark, - byte[] securityRulesBlob, - byte[] aptcaBlob, - AssemblyBuilderAccess access, - DynamicAssemblyFlags flags, - SecurityContextSource securityContextSource); + AssemblyBuilderAccess access); private class AssemblyBuilderLock { } internal static AssemblyBuilder InternalDefineDynamicAssembly( AssemblyName name, AssemblyBuilderAccess access, - String dir, - Evidence evidence, ref StackCrawlMark stackMark, - IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes, - SecurityContextSource securityContextSource) + IEnumerable<CustomAttributeBuilder> unsafeAssemblyAttributes) { lock (typeof(AssemblyBuilderLock)) { @@ -384,11 +326,8 @@ namespace System.Reflection.Emit return new AssemblyBuilder(AppDomain.CurrentDomain, name, access, - dir, - evidence, ref stackMark, - unsafeAssemblyAttributes, - securityContextSource); + unsafeAssemblyAttributes); } //lock(typeof(AssemblyBuilderLock)) } #endregion 
diff --git a/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilderData.cs b/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilderData.cs index 529ba54514..901588079a 100644 --- a/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilderData.cs +++ b/src/mscorlib/src/System/Reflection/Emit/AssemblyBuilderData.cs @@ -28,8 +28,7 @@ namespace System.Reflection.Emit internal AssemblyBuilderData( InternalAssemblyBuilder assembly, String strAssemblyName, - AssemblyBuilderAccess access, - String dir) + AssemblyBuilderAccess access) { m_assembly = assembly; m_strAssemblyName = strAssemblyName; @@ -37,13 +36,6 @@ namespace System.Reflection.Emit m_moduleBuilderList = new List<ModuleBuilder>(); m_resWriterList = new List<ResWriterData>(); - //Init to null/0 done for you by the CLR. FXCop has spoken - - if (dir == null && access != AssemblyBuilderAccess.Run) - m_strDir = Environment.CurrentDirectory; - else - m_strDir = dir; - m_peFileKind = PEFileKinds.Dll; } @@ -135,7 +127,6 @@ namespace System.Reflection.Emit internal bool m_isSaved; internal const int m_iInitialSize = 16; - internal String m_strDir; // hard coding the assembly def token internal const int m_tkAssembly = 0x20000001; diff --git a/src/mscorlib/src/System/Reflection/Emit/DynamicMethod.cs b/src/mscorlib/src/System/Reflection/Emit/DynamicMethod.cs index 2d2d3097a1..15792d2d68 100644 --- a/src/mscorlib/src/System/Reflection/Emit/DynamicMethod.cs +++ b/src/mscorlib/src/System/Reflection/Emit/DynamicMethod.cs @@ -255,10 +255,8 @@ namespace System.Reflection.Emit AssemblyBuilder assembly = AssemblyBuilder.InternalDefineDynamicAssembly( assemblyName, AssemblyBuilderAccess.Run, - null, null, ref stackMark, - assemblyAttributes, - SecurityContextSource.CurrentAssembly); + assemblyAttributes); AppDomain.PublishAnonymouslyHostedDynamicMethodsAssembly(assembly.GetNativeHandle()); 
diff --git a/src/mscorlib/src/System/Reflection/Emit/ModuleBuilder.cs b/src/mscorlib/src/System/Reflection/Emit/ModuleBuilder.cs index d92d8220b8..362b13657f 100644 --- a/src/mscorlib/src/System/Reflection/Emit/ModuleBuilder.cs +++ b/src/mscorlib/src/System/Reflection/Emit/ModuleBuilder.cs @@ -716,16 +716,7 @@ namespace System.Reflection.Emit { get { - String fullyQualifiedName = m_moduleData.m_strFileName; - if (fullyQualifiedName == null) - return null; - if (ContainingAssemblyBuilder.m_assemblyData.m_strDir != null) - { - fullyQualifiedName = Path.Combine(ContainingAssemblyBuilder.m_assemblyData.m_strDir, fullyQualifiedName); - fullyQualifiedName = Path.GetFullPath(fullyQualifiedName); - } - - return fullyQualifiedName; + return m_moduleData.m_strFileName; } } diff --git a/src/mscorlib/src/System/Reflection/RuntimeAssembly.cs b/src/mscorlib/src/System/Reflection/RuntimeAssembly.cs index cb2d156521..b3e7a4dfff 100644 --- a/src/mscorlib/src/System/Reflection/RuntimeAssembly.cs +++ b/src/mscorlib/src/System/Reflection/RuntimeAssembly.cs @@ -5,7 +5,6 @@ using System.Collections.Generic; using CultureInfo = System.Globalization.CultureInfo; using System.Security; -using System.Security.Policy; using System.IO; using StringBuilder = System.Text.StringBuilder; using System.Configuration.Assemblies; 
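Review bot: The rewritten getter returns `m_moduleData.m_strFileName` verbatim, so despite the property name nothing combines it with a directory or runs `Path.GetFullPath` any more, and a null file name now propagates directly instead of going through the explicit `return null`. A comment on the getter should state this, e.g. `// Returns the recorded module file name as-is; it is no longer resolved to an absolute path.` Any caller that compared or displayed the old absolute form will observe a different value after this change, which may be worth a line in the commit description. The enclosing property declaration starts outside the hunk.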
@@ -322,22 +321,18 @@ namespace System.Reflection // Wrapper function to wrap the typical use of InternalLoad. internal static RuntimeAssembly InternalLoad(String assemblyString, - Evidence assemblySecurity, - ref StackCrawlMark stackMark, - bool forIntrospection) + ref StackCrawlMark stackMark) { - return InternalLoad(assemblyString, assemblySecurity, ref stackMark, IntPtr.Zero, forIntrospection); + return InternalLoad(assemblyString, ref stackMark, IntPtr.Zero); } [System.Security.DynamicSecurityMethod] // Methods containing StackCrawlMark local var has to be marked DynamicSecurityMethod internal static RuntimeAssembly InternalLoad(String assemblyString, - Evidence assemblySecurity, ref StackCrawlMark stackMark, - IntPtr pPrivHostBinder, - bool forIntrospection) + IntPtr pPrivHostBinder) { RuntimeAssembly assembly; - AssemblyName an = CreateAssemblyName(assemblyString, forIntrospection, out assembly); + AssemblyName an = CreateAssemblyName(assemblyString, out assembly); if (assembly != null) { @@ -345,15 +340,14 @@ namespace System.Reflection return assembly; } - return InternalLoadAssemblyName(an, assemblySecurity, null, ref stackMark, + return InternalLoadAssemblyName(an, null, ref stackMark, pPrivHostBinder, - true /*thrownOnFileNotFound*/, forIntrospection); + true /*thrownOnFileNotFound*/); } // Creates AssemblyName. Fills assembly if AssemblyResolve event has been raised. internal static AssemblyName CreateAssemblyName( String assemblyString, - bool forIntrospection, out RuntimeAssembly assemblyFromResolveEvent) { if (assemblyString == null) @@ -364,13 +358,10 @@ namespace System.Reflection (assemblyString[0] == '\0')) throw new ArgumentException(SR.Format_StringZeroLength); - if (forIntrospection) - AppDomain.CheckReflectionOnlyLoadSupported(); - AssemblyName an = new AssemblyName(); an.Name = assemblyString; - an.nInit(out assemblyFromResolveEvent, forIntrospection, true); + an.nInit(out assemblyFromResolveEvent, true); return an; } 
@@ -378,24 +369,20 @@ namespace System.Reflection // Wrapper function to wrap the typical use of InternalLoadAssemblyName. internal static RuntimeAssembly InternalLoadAssemblyName( AssemblyName assemblyRef, - Evidence assemblySecurity, RuntimeAssembly reqAssembly, ref StackCrawlMark stackMark, bool throwOnFileNotFound, - bool forIntrospection, IntPtr ptrLoadContextBinder = default(IntPtr)) { - return InternalLoadAssemblyName(assemblyRef, assemblySecurity, reqAssembly, ref stackMark, IntPtr.Zero, true /*throwOnError*/, forIntrospection, ptrLoadContextBinder); + return InternalLoadAssemblyName(assemblyRef, reqAssembly, ref stackMark, IntPtr.Zero, true /*throwOnError*/, ptrLoadContextBinder); } internal static RuntimeAssembly InternalLoadAssemblyName( AssemblyName assemblyRef, - Evidence assemblySecurity, RuntimeAssembly reqAssembly, ref StackCrawlMark stackMark, IntPtr pPrivHostBinder, bool throwOnFileNotFound, - bool forIntrospection, IntPtr ptrLoadContextBinder = default(IntPtr)) { if (assemblyRef == null) @@ -408,8 +395,7 @@ namespace System.Reflection } assemblyRef = (AssemblyName)assemblyRef.Clone(); - if (!forIntrospection && - (assemblyRef.ProcessorArchitecture != ProcessorArchitecture.None)) + if (assemblyRef.ProcessorArchitecture != ProcessorArchitecture.None) { // PA does not have a semantics for by-name binds for execution assemblyRef.ProcessorArchitecture = ProcessorArchitecture.None; 
@@ -417,20 +403,11 @@ namespace System.Reflection String codeBase = VerifyCodeBase(assemblyRef.CodeBase); - return nLoad(assemblyRef, codeBase, assemblySecurity, reqAssembly, ref stackMark, + return nLoad(assemblyRef, codeBase, reqAssembly, ref stackMark, pPrivHostBinder, - throwOnFileNotFound, forIntrospection, ptrLoadContextBinder); + throwOnFileNotFound, ptrLoadContextBinder); } - // These are the framework assemblies that does reflection invocation - // on behalf of user code. We allow framework code to invoke non-W8P - // framework APIs but don't want user code to gain that privilege - // through these assemblies. So we blaklist them. - private static string[] s_unsafeFrameworkAssemblyNames = new string[] { - "System.Reflection.Context", - "Microsoft.VisualBasic" - }; - #if FEATURE_APPX internal bool IsFrameworkAssembly() { 
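Review bot: Deleting `s_unsafeFrameworkAssemblyNames` is only safe if nothing inside the `#if FEATURE_APPX` block that begins at the end of this hunk (`IsFrameworkAssembly` and whatever follows it) still reads the array; the diff shows no change to that block, so an APPX-configured build may no longer compile. If its consumers went away with the transparency code, a comment at the top of the `#if FEATURE_APPX` block stating that the framework-assembly blacklist is no longer consulted would settle the question. The `nLoad` call-site change above it is just the signature update.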
@@ -440,40 +417,19 @@ namespace System.Reflection #endif [MethodImplAttribute(MethodImplOptions.InternalCall)] - private static extern RuntimeAssembly _nLoad(AssemblyName fileName, - String codeBase, - Evidence assemblySecurity, - RuntimeAssembly locationHint, - ref StackCrawlMark stackMark, - IntPtr pPrivHostBinder, - bool throwOnFileNotFound, - bool forIntrospection, - bool suppressSecurityChecks, - IntPtr ptrLoadContextBinder); - - private static RuntimeAssembly nLoad(AssemblyName fileName, - String codeBase, - Evidence assemblySecurity, - RuntimeAssembly locationHint, - ref StackCrawlMark stackMark, - IntPtr pPrivHostBinder, - bool throwOnFileNotFound, - bool forIntrospection, - IntPtr ptrLoadContextBinder = default(IntPtr)) - { - return _nLoad(fileName, codeBase, assemblySecurity, locationHint, ref stackMark, - pPrivHostBinder, - throwOnFileNotFound, forIntrospection, true /* suppressSecurityChecks */, ptrLoadContextBinder); - } - - [MethodImplAttribute(MethodImplOptions.InternalCall)] - private static extern bool IsReflectionOnly(RuntimeAssembly assembly); + private static extern RuntimeAssembly nLoad(AssemblyName fileName, + String codeBase, + RuntimeAssembly locationHint, + ref StackCrawlMark stackMark, + IntPtr pPrivHostBinder, + bool throwOnFileNotFound, + IntPtr ptrLoadContextBinder = default(IntPtr)); public override bool ReflectionOnly { get { - return IsReflectionOnly(GetNativeHandle()); + return false; } } @@ -786,17 +742,6 @@ namespace System.Reflection return publicKey; } - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private extern static bool IsAllSecurityTransparent(RuntimeAssembly assembly); - - // Is everything introduced by this assembly transparent - internal bool IsAllSecurityTransparent() - { - return IsAllSecurityTransparent(GetNativeHandle()); - } - // This method is called by the VM. private RuntimeModule OnModuleResolveEvent(String moduleName) { 
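Review bot: `ReflectionOnly` now returns a bare `false` with nothing explaining why, and `nLoad` is the InternalCall itself, so its seven-parameter shape (no `assemblySecurity`, `forIntrospection` or `suppressSecurityChecks`) must match the native entry point exactly; that side is not in this diff and is worth checking. A comment on the property, `// Reflection-only loading is not supported on this runtime.`, would document the constant; the `CheckReflectionOnlyLoadSupported` call deleted earlier in this file points the same way. The second hunk only removes `IsAllSecurityTransparent`.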
@@ -865,9 +810,9 @@ namespace System.Reflection
 an.CultureInfo = culture;
 an.Name = name;
- RuntimeAssembly retAssembly = nLoad(an, null, null, this, ref stackMark,
+ RuntimeAssembly retAssembly = nLoad(an, null, this, ref stackMark,
 IntPtr.Zero,
- throwOnFileNotFound, false);
+ throwOnFileNotFound);
 if (retAssembly == this || (retAssembly == null && throwOnFileNotFound))
 {
diff --git a/src/mscorlib/src/System/RtType.cs b/src/mscorlib/src/System/RtType.cs
index b64f95bb6a..e49894f345 100644
--- a/src/mscorlib/src/System/RtType.cs
+++ b/src/mscorlib/src/System/RtType.cs
@@ -3507,15 +3507,15 @@ namespace System
 public override bool IsSecurityCritical
 {
- get { return new RuntimeTypeHandle(this).IsSecurityCritical(); }
+ get { return true; }
 }
 public override bool IsSecuritySafeCritical
 {
- get { return new RuntimeTypeHandle(this).IsSecuritySafeCritical(); }
+ get { return false; }
 }
 public override bool IsSecurityTransparent
 {
- get { return new RuntimeTypeHandle(this).IsSecurityTransparent(); }
+ get { return false; }
 }
 #endregion
diff --git a/src/mscorlib/src/System/RuntimeHandles.cs b/src/mscorlib/src/System/RuntimeHandles.cs
index fd32547af7..4387783ba2 100644
--- a/src/mscorlib/src/System/RuntimeHandles.cs
+++ b/src/mscorlib/src/System/RuntimeHandles.cs
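Review bot: The three transparency properties on `RuntimeType` now return fixed values (`IsSecurityCritical` true, the other two false) with nothing saying why, so `get { return true; }` reads like a stub. A comment above the group, `// Security transparency is not implemented on this runtime: every type is treated as critical.`, states the contract these constants encode. Any caller that branched on `IsSecurityTransparent` now always takes the non-transparent path, which is presumably the intent of deleting the native checks in the following file.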
@@ -388,37 +388,6 @@ namespace System return _IsVisible(new RuntimeTypeHandle(type)); } - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecurityCritical(RuntimeTypeHandle typeHandle); - - internal bool IsSecurityCritical() - { - return IsSecurityCritical(GetNativeHandle()); - } - - - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecuritySafeCritical(RuntimeTypeHandle typeHandle); - - internal bool IsSecuritySafeCritical() - { - return IsSecuritySafeCritical(GetNativeHandle()); - } - - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecurityTransparent(RuntimeTypeHandle typeHandle); - - internal bool IsSecurityTransparent() - { - return IsSecurityTransparent(GetNativeHandle()); - } - [MethodImplAttribute(MethodImplOptions.InternalCall)] internal extern static bool IsValueType(RuntimeType type); @@ -898,9 +867,6 @@ namespace System return ptr; } - [MethodImplAttribute(MethodImplOptions.InternalCall)] - internal unsafe extern static void CheckLinktimeDemands(IRuntimeMethodInfo method, RuntimeModule module, bool isDecoratedTargetSecurityTransparent); - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] [SuppressUnmanagedCodeSecurity] internal extern static bool IsCAVisibleFromDecoratedType( 
@@ -1280,40 +1246,6 @@ namespace System [MethodImplAttribute(MethodImplOptions.InternalCall)] internal static extern bool AcquiresContextFromThis(RuntimeFieldHandleInternal field); - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecurityCritical(RuntimeFieldHandle fieldHandle); - - internal bool IsSecurityCritical() - { - return IsSecurityCritical(GetNativeHandle()); - } - - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecuritySafeCritical(RuntimeFieldHandle fieldHandle); - - internal bool IsSecuritySafeCritical() - { - return IsSecuritySafeCritical(GetNativeHandle()); - } - - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - [return: MarshalAs(UnmanagedType.Bool)] - private static extern bool IsSecurityTransparent(RuntimeFieldHandle fieldHandle); - - internal bool IsSecurityTransparent() - { - return IsSecurityTransparent(GetNativeHandle()); - } - - [DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)] - [SuppressUnmanagedCodeSecurity] - internal static extern void CheckAttributeAccess(RuntimeFieldHandle fieldHandle, RuntimeModule decoratedTarget); - // ISerializable interface private RuntimeFieldHandle(SerializationInfo info, StreamingContext context) { diff --git a/src/mscorlib/src/System/Threading/Thread.cs b/src/mscorlib/src/System/Threading/Thread.cs index fab6c9e187..84c5ebb552 100644 --- a/src/mscorlib/src/System/Threading/Thread.cs +++ b/src/mscorlib/src/System/Threading/Thread.cs 
@@ -313,9 +313,6 @@ namespace System.Threading public static new void Sleep(int millisecondsTimeout) { SleepInternal(millisecondsTimeout); - // Ensure we don't return to app code when the pause is underway - if (AppDomainPauseManager.IsPaused) - AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS(); } public static void Sleep(TimeSpan timeout) diff --git a/src/mscorlib/src/System/Threading/WaitHandle.cs b/src/mscorlib/src/System/Threading/WaitHandle.cs index da4856ee96..d91b488265 100644 --- a/src/mscorlib/src/System/Threading/WaitHandle.cs +++ b/src/mscorlib/src/System/Threading/WaitHandle.cs @@ -199,9 +199,6 @@ namespace System.Threading Contract.EndContractBlock(); int ret = WaitOneNative(waitableSafeHandle, (uint)millisecondsTimeout, hasThreadAffinity, exitContext); - if (AppDomainPauseManager.IsPaused) - AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS(); - if (ret == WAIT_ABANDONED) { ThrowAbandonedMutexException(); @@ -288,9 +285,6 @@ namespace System.Threading int ret = WaitMultiple(internalWaitHandles, millisecondsTimeout, exitContext, true /* waitall*/ ); - if (AppDomainPauseManager.IsPaused) - AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS(); - if ((WAIT_ABANDONED <= ret) && (WAIT_ABANDONED + internalWaitHandles.Length > ret)) { //In the case of WaitAll the OS will only provide the @@ -380,9 +374,6 @@ namespace System.Threading #endif int ret = WaitMultiple(internalWaitHandles, millisecondsTimeout, exitContext, false /* waitany*/ ); - if (AppDomainPauseManager.IsPaused) - AppDomainPauseManager.ResumeEvent.WaitOneWithoutFAS(); - if ((WAIT_ABANDONED <= ret) && (WAIT_ABANDONED + internalWaitHandles.Length > ret)) { int mutexIndex = ret - WAIT_ABANDONED; diff --git a/src/mscorlib/src/System/TypeNameParser.cs b/src/mscorlib/src/System/TypeNameParser.cs index f9d608968f..58bbe6f092 100644 --- a/src/mscorlib/src/System/TypeNameParser.cs +++ b/src/mscorlib/src/System/TypeNameParser.cs 
@@ -200,7 +200,7 @@ namespace System
 {
 if (throwOnError)
 {
- assembly = RuntimeAssembly.InternalLoad(asmName, null, ref stackMark, false /*forIntrospection*/);
+ assembly = RuntimeAssembly.InternalLoad(asmName, ref stackMark);
 }
 else
 {
@@ -208,7 +208,7 @@ namespace System
 // Other exceptions like BadImangeFormatException should still fly.
 try
 {
- assembly = RuntimeAssembly.InternalLoad(asmName, null, ref stackMark, false /*forIntrospection*/);
+ assembly = RuntimeAssembly.InternalLoad(asmName, ref stackMark);
 }
 catch (FileNotFoundException)
 {
diff --git a/src/vm/CMakeLists.txt b/src/vm/CMakeLists.txt
index c610d3c7a8..3895f710b0 100644
--- a/src/vm/CMakeLists.txt
+++ b/src/vm/CMakeLists.txt
@@ -93,8 +93,7 @@ set(VM_SOURCES_DAC_AND_WKS_COMMON
 precode.cpp
 prestub.cpp
 rejit.cpp
- securitydescriptor.cpp
- securitydescriptorassembly.cpp
+ security.cpp
 sigformat.cpp
 siginfo.cpp
 spinlock.cpp
@@ -133,7 +132,6 @@ set(VM_SOURCES_DAC
 set(VM_SOURCES_WKS
 ${VM_SOURCES_DAC_AND_WKS_COMMON}
 appdomainnative.cpp
- appdomainstack.cpp
 assemblyname.cpp
 assemblynative.cpp
 assemblyspec.cpp
@@ -221,14 +219,6 @@ set(VM_SOURCES_WKS
 runtimehandles.cpp
 safehandle.cpp
 sampleprofiler.cpp
- security.cpp
- securityattributes.cpp
- securitydeclarative.cpp
- securitydeclarativecache.cpp
- securitydescriptorappdomain.cpp
- securitymeta.cpp
- securitypolicy.cpp
- securitytransparentassembly.cpp
 sha1.cpp
 simplerwlock.cpp
 sourceline.cpp
@@ -245,7 +235,6 @@ set(VM_SOURCES_WKS
 threaddebugblockinginfo.cpp
 threadsuspend.cpp
 typeparse.cpp
- verifier.cpp
 weakreferencenative.cpp
 ${VM_SOURCES_GDBJIT}
 )
diff --git a/src/vm/appdomain.cpp b/src/vm/appdomain.cpp
index bd05991ea2..7468f0b4e2 100644
--- a/src/vm/appdomain.cpp
+++ b/src/vm/appdomain.cpp
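Review bot: `security.cpp` moves out of `VM_SOURCES_WKS` into `VM_SOURCES_DAC_AND_WKS_COMMON`, so it is now compiled into the DAC as well as the runtime; that is only correct if everything left in the file is DAC-safe or sits under `#ifndef DACCESS_COMPILE`, which this diff does not show. If the file now holds just the helpers the DAC needs in place of the removed `securitydescriptor*.cpp` sources, a short comment on the list entry saying so would keep the next person from moving it back. The `TypeNameParser.cs` hunks above are plain call-site updates for the new `InternalLoad` signature.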
@@ -2706,7 +2706,7 @@ void SystemDomain::LoadBaseSystemClasses() } // Only partially load the system assembly. Other parts of the code will want to access // the globals in this function before finishing the load. - m_pSystemAssembly = DefaultDomain()->LoadDomainAssembly(NULL, m_pSystemFile, FILE_LOAD_POST_LOADLIBRARY, NULL)->GetCurrentAssembly(); + m_pSystemAssembly = DefaultDomain()->LoadDomainAssembly(NULL, m_pSystemFile, FILE_LOAD_POST_LOADLIBRARY)->GetCurrentAssembly(); // Set up binder for mscorlib MscorlibBinder::AttachModule(m_pSystemAssembly->GetManifestModule()); @@ -3263,12 +3263,6 @@ void SystemDomain::InitializeDefaultDomain( { GCX_COOP(); -#ifndef CROSSGEN_COMPILE - if (!NingenEnabled()) - { - } -#endif // CROSSGEN_COMPILE - pDefaultDomain->InitializeDomainContext(allowRedirects, pwsPath, pwsConfig); #ifndef CROSSGEN_COMPILE @@ -3278,7 +3272,6 @@ void SystemDomain::InitializeDefaultDomain( if (!IsSingleAppDomain()) { pDefaultDomain->InitializeDefaultDomainManager(); - pDefaultDomain->InitializeDefaultDomainSecurity(); } } #endif // CROSSGEN_COMPILE @@ -3397,7 +3390,8 @@ bool SystemDomain::IsReflectionInvocationMethod(MethodDesc* pMeth) CLASS__LAZY_INITIALIZER, CLASS__DYNAMICMETHOD, CLASS__DELEGATE, - CLASS__MULTICAST_DELEGATE + CLASS__MULTICAST_DELEGATE, + CLASS__APP_DOMAIN }; static const BinderClassID genericReflectionInvocationTypes[] = { 
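Review bot: Adding `CLASS__APP_DOMAIN` to `reflectionInvocationTypes` makes `IsReflectionInvocationMethod` treat every `AppDomain` frame as reflection infrastructure, where the special case removed in the next hunk exempted only `CreateAppDomainManager`; that lines up with `InitializeDefaultDomainManager` no longer invoking `CreateAppDomainManager` later in this diff, but the array entry carries none of that reasoning. A trailing comment, `CLASS__APP_DOMAIN, // no AppDomain method instigates reflection on its own any more`, would preserve the rationale the deleted comment used to give. Since this table decides which frames a stack crawl skips when looking for the real caller, it is worth confirming that no remaining managed `AppDomain` method still calls `Activator.CreateInstance` and expects to be seen as that caller.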
@@ -3445,19 +3439,6 @@ bool SystemDomain::IsReflectionInvocationMethod(MethodDesc* pMeth) if (MscorlibBinder::GetExistingClass(reflectionInvocationTypes[i]) == pCaller) return true; } - - // AppDomain is an example of a type that is both used in the implementation of - // reflection, and also a type that contains methods that are clients of reflection - // (i.e., they instigate their own CreateInstance). Skip all AppDomain frames that - // are NOT known clients of reflection. NOTE: The ever-increasing complexity of this - // exclusion list is a sign that we need a better way--this is error-prone and - // unmaintainable as more changes are made to BCL types. - if ((pCaller == MscorlibBinder::GetExistingClass(CLASS__APP_DOMAIN)) - && (pMeth != MscorlibBinder::GetMethod(METHOD__APP_DOMAIN__CREATE_APP_DOMAIN_MANAGER)) // This uses reflection to create an AppDomainManager - ) - { - return true; - } } return false; @@ -3795,8 +3776,6 @@ void SystemDomain::CreateDefaultDomain() SystemDomain::LockHolder lh; pDomain->Init(); - Security::SetDefaultAppDomainProperty(pDomain->GetSecurityDescriptor()); - // need to make this assignment here since we'll be releasing // the lock before calling AddDomain. So any other thread // grabbing this lock after we release it will find that @@ -4011,7 +3990,6 @@ AppDomain::AppDomain() m_cRef=1; m_pNextInDelayedUnloadList = NULL; - m_pSecContext = NULL; m_fRudeUnload = FALSE; m_pUnloadRequestThread = NULL; m_ADUnloadSink=NULL; @@ -4028,7 +4006,6 @@ AppDomain::AppDomain() m_pwDynamicDir = NULL; m_dwFlags = 0; - m_pSecDesc = NULL; m_pDefaultContext = NULL; #ifdef FEATURE_COMINTEROP m_pComCallWrapperCache = NULL; @@ -4093,9 +4070,6 @@ AppDomain::AppDomain() m_pWinRTFactoryCache = NULL; #endif // FEATURE_COMINTEROP - m_fAppDomainManagerSetInConfig = FALSE; - m_dwAppDomainManagerInitializeDomainFlags = eInitializeNewDomainFlags_None; - #ifdef FEATURE_PREJIT m_pDomainFileWithNativeImageList = NULL; #endif 
@@ -4131,9 +4105,6 @@ AppDomain::~AppDomain() if (m_ADUnloadSink) m_ADUnloadSink->Release(); - if (m_pSecContext) - delete m_pSecContext; - if(!g_fEEInit) Terminate(); @@ -4236,8 +4207,6 @@ void AppDomain::Init() // Set up the IL stub cache m_ILStubCache.Init(GetLoaderAllocator()->GetHighFrequencyHeap()); - m_pSecContext = new SecurityContext (GetLowFrequencyHeap()); - // Set up the binding caches m_AssemblyCache.Init(&m_DomainCacheCrst, GetHighFrequencyHeap()); m_UnmanagedCache.InitializeTable(this, &m_DomainCacheCrst); @@ -4299,7 +4268,6 @@ void AppDomain::Init() m_clsidHash.Init(0,&CompareCLSID,true, &lock); // init hash table } - CreateSecurityDescriptor(); SetStage(STAGE_READYFORMANAGEDCODE); #ifndef CROSSGEN_COMPILE @@ -4444,12 +4412,6 @@ void AppDomain::Stop() m_pRootAssembly = NULL; // This assembly is in the assembly list; - if (m_pSecDesc != NULL) - { - delete m_pSecDesc; - m_pSecDesc = NULL; - } - #ifdef DEBUGGING_SUPPORTED if (NULL != g_pDebugInterface) { @@ -4896,15 +4858,6 @@ MethodTable* AppDomain::LoadRedirectedType(WinMDAdapter::RedirectedTypeIndex ind #ifndef DACCESS_COMPILE -void AppDomain::CreateSecurityDescriptor() -{ - STANDARD_VM_CONTRACT; - - _ASSERTE(m_pSecDesc == NULL); - - m_pSecDesc = Security::CreateApplicationSecurityDescriptor(this); -} - bool IsPlatformAssembly(LPCSTR szName, DomainAssembly *pDomainAssembly) { CONTRACTL @@ -5006,26 +4959,6 @@ BOOL AppDomain::ContainsAssembly(Assembly * assem) return FALSE; } -BOOL AppDomain::HasSetSecurityPolicy() -{ - CONTRACT(BOOL) - { - THROWS; - GC_TRIGGERS; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACT_END; - - GCX_COOP(); - - if (NingenEnabled()) - { - return FALSE; - } - RETURN ((APPDOMAINREF)GetExposedObject())->HasSetPolicy(); -} - - EEClassFactoryInfoHashTable* AppDomain::SetupClassFactHash() { CONTRACTL 
@@ -5575,8 +5508,7 @@ FileLoadLevel AppDomain::GetThreadFileLoadLevel() Assembly *AppDomain::LoadAssembly(AssemblySpec* pIdentity, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity /* = NULL */) + FileLoadLevel targetLevel) { CONTRACT(Assembly *) { @@ -5589,7 +5521,7 @@ Assembly *AppDomain::LoadAssembly(AssemblySpec* pIdentity, } CONTRACT_END; - DomainAssembly *pAssembly = LoadDomainAssembly(pIdentity, pFile, targetLevel, pLoadSecurity); + DomainAssembly *pAssembly = LoadDomainAssembly(pIdentity, pFile, targetLevel); PREFIX_ASSUME(pAssembly != NULL); RETURN pAssembly->GetAssembly(); @@ -5603,18 +5535,17 @@ public: AppDomain *pThis; AssemblySpec* pSpec; PEAssembly *pFile; - AssemblyLoadSecurity *pLoadSecurity; FileLoadLevel targetLevel; - LoadDomainAssemblyStress(AppDomain *pThis, AssemblySpec* pSpec, PEAssembly *pFile, FileLoadLevel targetLevel, AssemblyLoadSecurity *pLoadSecurity) - : pThis(pThis), pSpec(pSpec), pFile(pFile), pLoadSecurity(pLoadSecurity), targetLevel(targetLevel) {LIMITED_METHOD_CONTRACT;} + LoadDomainAssemblyStress(AppDomain *pThis, AssemblySpec* pSpec, PEAssembly *pFile, FileLoadLevel targetLevel) + : pThis(pThis), pSpec(pSpec), pFile(pFile), targetLevel(targetLevel) {LIMITED_METHOD_CONTRACT;} void Invoke() { WRAPPER_NO_CONTRACT; STATIC_CONTRACT_SO_INTOLERANT; SetupThread(); - pThis->LoadDomainAssembly(pSpec, pFile, targetLevel, pLoadSecurity); + pThis->LoadDomainAssembly(pSpec, pFile, targetLevel); } }; #endif // CROSSGEN_COMPILE 
@@ -5623,21 +5554,20 @@ extern BOOL AreSameBinderInstance(ICLRPrivBinder *pBinderA, ICLRPrivBinder *pBin DomainAssembly* AppDomain::LoadDomainAssembly( AssemblySpec* pSpec, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity /* = NULL */) + FileLoadLevel targetLevel) { STATIC_CONTRACT_THROWS; if (pSpec == nullptr) { // skip caching, since we don't have anything to base it on - return LoadDomainAssemblyInternal(pSpec, pFile, targetLevel, pLoadSecurity); + return LoadDomainAssemblyInternal(pSpec, pFile, targetLevel); } DomainAssembly* pRetVal = NULL; EX_TRY { - pRetVal = LoadDomainAssemblyInternal(pSpec, pFile, targetLevel, pLoadSecurity); + pRetVal = LoadDomainAssemblyInternal(pSpec, pFile, targetLevel); } EX_HOOK { @@ -5683,8 +5613,7 @@ DomainAssembly* AppDomain::LoadDomainAssembly( AssemblySpec* pSpec, DomainAssembly *AppDomain::LoadDomainAssemblyInternal(AssemblySpec* pIdentity, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity /* = NULL */) + FileLoadLevel targetLevel) { CONTRACT(DomainAssembly *) { @@ -5692,7 +5621,6 @@ DomainAssembly *AppDomain::LoadDomainAssemblyInternal(AssemblySpec* pIdentity, THROWS; MODE_ANY; PRECONDITION(CheckPointer(pFile)); - PRECONDITION(CheckPointer(pLoadSecurity, NULL_OK)); PRECONDITION(pFile->IsSystem() || ::GetAppDomain()==this); POSTCONDITION(CheckPointer(RETVAL)); POSTCONDITION(RETVAL->GetLoadLevel() >= GetThreadFileLoadLevel() @@ -5706,7 +5634,7 @@ DomainAssembly *AppDomain::LoadDomainAssemblyInternal(AssemblySpec* pIdentity, DomainAssembly * result; #ifndef CROSSGEN_COMPILE - LoadDomainAssemblyStress ts (this, pIdentity, pFile, targetLevel, pLoadSecurity); + LoadDomainAssemblyStress ts (this, pIdentity, pFile, targetLevel); #endif // Go into preemptive mode since this may take a while. 
@@ -5721,7 +5649,7 @@ DomainAssembly *AppDomain::LoadDomainAssemblyInternal(AssemblySpec* pIdentity,
 // a rare redundant allocation by moving this closer to FileLoadLock::Create, but it's not worth it.
 NewHolder<DomainAssembly> pDomainAssembly;
- pDomainAssembly = new DomainAssembly(this, pFile, pLoadSecurity, this->GetLoaderAllocator());
+ pDomainAssembly = new DomainAssembly(this, pFile, this->GetLoaderAllocator());
 LoadLockHolder lock(this);
@@ -6150,74 +6078,11 @@ DomainFile *AppDomain::LoadDomainNeutralModuleDependency(Module *pModule, FileLo RETURN pDomainFile; } -void AppDomain::SetSharePolicy(SharePolicy policy) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - if ((int)policy > SHARE_POLICY_COUNT) - COMPlusThrow(kArgumentException,W("Argument_InvalidValue")); - - // We cannot make all code domain neutral and still provide complete compatibility with regard - // to using custom security policy and assembly evidence. - // - // In particular, if you try to do either of the above AFTER loading a domain neutral assembly - // out of the GAC, we will now throw an exception. The remedy would be to either not use SHARE_POLICY_ALWAYS - // (change LoaderOptimizationMultiDomain to LoaderOptimizationMultiDomainHost), or change the loading order - // in the app domain to do the policy set or evidence load earlier (which BTW will have the effect of - // automatically using MDH rather than MD, for the same result.) - // - // We include a compatibility flag here to preserve old functionality if necessary - this has the effect - // of never using SHARE_POLICY_ALWAYS. - if (policy == SHARE_POLICY_ALWAYS && - (HasSetSecurityPolicy() - || GetCompatibilityFlag(compatOnlyGACDomainNeutral))) - { - // Never share assemblies not in the GAC - policy = SHARE_POLICY_GAC; - } - - if (policy != m_SharePolicy) - { - -#ifdef FEATURE_PREJIT - - -#endif // FEATURE_PREJIT - - m_SharePolicy = policy; - } - - return; -} - - AppDomain::SharePolicy AppDomain::GetSharePolicy() { LIMITED_METHOD_CONTRACT; - // If the policy has been explicitly set for - // the domain, use that. - SharePolicy policy = m_SharePolicy; - - // Pick up the a specified config policy - if (policy == SHARE_POLICY_UNSPECIFIED) - policy = (SharePolicy) g_pConfig->DefaultSharePolicy(); - - // Next, honor a host's request for global policy. 
- if (policy == SHARE_POLICY_UNSPECIFIED) - policy = (SharePolicy) g_dwGlobalSharePolicy; - // If all else fails, use the hardwired default policy. - if (policy == SHARE_POLICY_UNSPECIFIED) - policy = SHARE_POLICY_DEFAULT; - - return policy; + return SHARE_POLICY_NEVER; } #endif // FEATURE_LOADER_OPTIMIZATION @@ -7077,7 +6942,6 @@ PEAssembly * AppDomain::BindAssemblySpec( BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark * pCallerStackMark, - AssemblyLoadSecurity * pLoadSecurity, BOOL fUseHostBinderIfAvailable) { STATIC_CONTRACT_THROWS; 
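Review bot: `GetSharePolicy` now returns `SHARE_POLICY_NEVER` unconditionally and no longer consults `m_SharePolicy`, `g_pConfig->DefaultSharePolicy()` or `g_dwGlobalSharePolicy`; if `m_SharePolicy` is still declared in appdomain.hpp it has become write-only, and the config and global knobs are dead unless something else reads them. The `SHARE_POLICY_UNSPECIFIED`/`SHARE_POLICY_DEFAULT` enumerators kept in the header hunk likewise have no visible remaining use. A comment on the return, `// Domain-neutral (shared) assembly loading is not supported; sharing is always off.`, would record the new invariant where the old multi-step resolution used to be.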
@@ -10234,104 +10098,19 @@ void AppDomain::InitializeDefaultDomainManager() THROWS; INJECT_FAULT(COMPlusThrowOM();); PRECONDITION(GetId().m_dwId == DefaultADID); - PRECONDITION(!HasAppDomainManagerInfo()); - } - CONTRACTL_END; - - // - // The AppDomainManager for the default domain can be specified by: - // 1. Native hosting API - // 2. Application config file if the application is fully trusted - // 3. Environment variables - // - - - if (CorHost2::HasAppDomainManagerInfo()) - { - SetAppDomainManagerInfo(CorHost2::GetAppDomainManagerAsm(), - CorHost2::GetAppDomainManagerType(), - CorHost2::GetAppDomainManagerInitializeNewDomainFlags()); - m_fAppDomainManagerSetInConfig = FALSE; - - LOG((LF_APPDOMAIN, LL_INFO10, "Setting default AppDomainManager '%S', '%S' from hosting API.\n", GetAppDomainManagerAsm(), GetAppDomainManagerType())); - } - - // If we found an AppDomain manager to use, create and initialize it - // Otherwise, initialize the config flags. - if (HasAppDomainManagerInfo()) - { - // If the initialization flags promise that the domain manager isn't going to modify security, then do a - // pre-resolution of the domain now so that we can do some basic verification of the state later. We - // don't care about the actual result now, just that the resolution took place to compare against later. 
- if (GetAppDomainManagerInitializeNewDomainFlags() & eInitializeNewDomainFlags_NoSecurityChanges) - { - BOOL fIsFullyTrusted; - BOOL fIsHomogeneous; - GetSecurityDescriptor()->PreResolve(&fIsFullyTrusted, &fIsHomogeneous); - } - - OBJECTREF orThis = GetExposedObject(); - GCPROTECT_BEGIN(orThis); - - MethodDescCallSite createDomainManager(METHOD__APP_DOMAIN__CREATE_APP_DOMAIN_MANAGER); - ARG_SLOT args[] = - { - ObjToArgSlot(orThis) - }; - - createDomainManager.Call(args); - - GCPROTECT_END(); - } - else - { - OBJECTREF orThis = GetExposedObject(); - GCPROTECT_BEGIN(orThis); - - MethodDescCallSite initCompatFlags(METHOD__APP_DOMAIN__INITIALIZE_COMPATIBILITY_FLAGS); - ARG_SLOT args[] = - { - ObjToArgSlot(orThis) - }; - - initCompatFlags.Call(args); - - GCPROTECT_END(); - } -} - - -//--------------------------------------------------------------------------------------- -// -// Intialize the security settings in the default AppDomain. -// - -void AppDomain::InitializeDefaultDomainSecurity() -{ - CONTRACTL - { - MODE_COOPERATIVE; - GC_TRIGGERS; - THROWS; - PRECONDITION(GetId().m_dwId == DefaultADID); } CONTRACTL_END; OBJECTREF orThis = GetExposedObject(); GCPROTECT_BEGIN(orThis); - MethodDescCallSite initializeSecurity(METHOD__APP_DOMAIN__INITIALIZE_DOMAIN_SECURITY); + MethodDescCallSite initCompatFlags(METHOD__APP_DOMAIN__INITIALIZE_COMPATIBILITY_FLAGS); ARG_SLOT args[] = { - ObjToArgSlot(orThis), - ObjToArgSlot(NULL), - ObjToArgSlot(NULL), - static_cast<ARG_SLOT>(FALSE), - ObjToArgSlot(NULL), - static_cast<ARG_SLOT>(FALSE) + ObjToArgSlot(orThis) }; - initializeSecurity.Call(args); + initCompatFlags.Call(args); GCPROTECT_END(); } 
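Review bot: After this hunk `InitializeDefaultDomainManager` no longer touches an AppDomainManager at all; its whole body is the `InitializeCompatibilityFlags` call that used to be the `else` branch, so the name (still declared in the private section of appdomain.hpp) now misleads. Either rename it or put a comment above the definition saying it only runs `AppDomain.InitializeCompatibilityFlags` on the default domain. The function's signature and the opening of its CONTRACTL are outside the hunk; the deletion of `InitializeDefaultDomainSecurity` below it matches the header change.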
@@ -11403,30 +11182,11 @@ BOOL AppDomain::IsImageFromTrustedPath(PEImage* pPEImage) } CONTRACTL_END; - BOOL fIsInGAC = FALSE; const SString &sImagePath = pPEImage->GetPath(); - if (!sImagePath.IsEmpty()) - { - // If we're not in a sandboxed domain, everything is full trust all the time - if (GetSecurityDescriptor()->IsFullyTrusted()) - { - return TRUE; - } - - fIsInGAC = GetTPABinderContext()->IsInTpaList(sImagePath); - } - - return fIsInGAC; -} - -BOOL AppDomain::IsImageFullyTrusted(PEImage* pPEImage) -{ - WRAPPER_NO_CONTRACT; - return IsImageFromTrustedPath(pPEImage); + return !sImagePath.IsEmpty(); } - #endif //!DACCESS_COMPILE #if !defined(DACCESS_COMPILE) && !defined(CROSSGEN_COMPILE) diff --git a/src/vm/appdomain.hpp b/src/vm/appdomain.hpp index a5bd00d36b..adf668413c 100644 --- a/src/vm/appdomain.hpp +++ b/src/vm/appdomain.hpp @@ -60,7 +60,6 @@ class EEMarshalingData; class Context; class GlobalStringLiteralMap; class StringLiteralMap; -struct SecurityContext; class MngStdInterfacesInfo; class DomainModule; class DomainAssembly; @@ -68,11 +67,8 @@ struct InteropMethodTableData; class LoadLevelLimiter; class UMEntryThunkCache; class TypeEquivalenceHashTable; -class IApplicationSecurityDescriptor; class StringArrayList; -typedef VPTR(IApplicationSecurityDescriptor) PTR_IApplicationSecurityDescriptor; - extern INT64 g_PauseTime; // Total time in millisecond the CLR has been paused #ifdef FEATURE_COMINTEROP @@ -1983,11 +1979,6 @@ public: // creates only unamaged part static void CreateUnmanagedObject(AppDomainCreationHolder<AppDomain>& result); - inline void SetAppDomainManagerInfo(LPCWSTR szAssemblyName, LPCWSTR szTypeName, EInitializeNewDomainFlags dwInitializeDomainFlags); - inline BOOL HasAppDomainManagerInfo(); - inline LPCWSTR GetAppDomainManagerAsm(); - inline LPCWSTR GetAppDomainManagerType(); - inline EInitializeNewDomainFlags GetAppDomainManagerInitializeNewDomainFlags(); #if defined(FEATURE_COMINTEROP) 
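Review bot: `IsImageFromTrustedPath` now reports every image with a non-empty path as trusted, dropping both the full-trust shortcut and the `IsInTpaList` membership test, so the only images it rejects are path-less (in-memory) ones while the name still suggests a trust decision is being made. A comment on the return, `// CAS is gone: any file-backed image is trusted; only path-less images are not.`, records that, and any caller that used the result to gate more than that file-vs-memory distinction should be re-checked. The removal of `IsImageFullyTrusted` here matches its removal from the header.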
@@ -2367,8 +2358,7 @@ public: Assembly *LoadAssembly(AssemblySpec* pIdentity, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity = NULL); + FileLoadLevel targetLevel); // this function does not provide caching, you must use LoadDomainAssembly // unless the call is guaranteed to succeed or you don't need the caching @@ -2378,13 +2368,11 @@ public: //which is violating our internal assumptions DomainAssembly *LoadDomainAssemblyInternal( AssemblySpec* pIdentity, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity = NULL); + FileLoadLevel targetLevel); DomainAssembly *LoadDomainAssembly( AssemblySpec* pIdentity, PEAssembly *pFile, - FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity = NULL); + FileLoadLevel targetLevel); CHECK CheckValidModule(Module *pModule); @@ -2451,26 +2439,9 @@ public: SHARE_POLICY_DEFAULT = SHARE_POLICY_NEVER, }; - void SetSharePolicy(SharePolicy policy); SharePolicy GetSharePolicy(); - BOOL ReduceSharePolicyFromAlways(); - - //**************************************************************************************** - // Determines if the image is to be loaded into the shared assembly or an individual - // appdomains. #endif // FEATURE_LOADER_OPTIMIZATION - BOOL HasSetSecurityPolicy(); - - FORCEINLINE IApplicationSecurityDescriptor* GetSecurityDescriptor() - { - LIMITED_METHOD_CONTRACT; - STATIC_CONTRACT_SO_TOLERANT; - return static_cast<IApplicationSecurityDescriptor*>(m_pSecDesc); - } - - void CreateSecurityDescriptor(); - //**************************************************************************************** // // Reference count. When an appdomain is first created the reference is bump @@ -2499,7 +2470,6 @@ public: BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark = NULL, - AssemblyLoadSecurity *pLoadSecurity = NULL, BOOL fUseHostBinderIfAvailable = TRUE) DAC_EMPTY_RET(NULL); HRESULT BindAssemblySpecForHostedBinder( 
@@ -3365,8 +3335,6 @@ private: void InitializeDefaultDomainManager (); - - void InitializeDefaultDomainSecurity(); public: protected: @@ -3589,8 +3557,6 @@ private: // by one. For it to hit zero an explicit close must have happened. LONG m_cRef; // Ref count. - PTR_IApplicationSecurityDescriptor m_pSecDesc; // Application Security Descriptor - OBJECTHANDLE m_ExposedObject; #ifdef FEATURE_LOADER_OPTIMIZATION @@ -3778,17 +3744,10 @@ public: DISABLE_TRANSPARENCY_ENFORCEMENT= 0x800000, // Disable enforcement of security transparency rules }; - SecurityContext *m_pSecContext; - AssemblySpecBindingCache m_AssemblyCache; DomainAssemblyCache m_UnmanagedCache; size_t m_MemoryPressure; - SString m_AppDomainManagerAssembly; - SString m_AppDomainManagerType; - BOOL m_fAppDomainManagerSetInConfig; - EInitializeNewDomainFlags m_dwAppDomainManagerInitializeDomainFlags; - ArrayList m_NativeDllSearchDirectories; BOOL m_ReversePInvokeCanEnter; bool m_ForceTrivialWaitOperations; @@ -3818,7 +3777,6 @@ public: } BOOL IsImageFromTrustedPath(PEImage* pImage); - BOOL IsImageFullyTrusted(PEImage* pImage); #ifdef FEATURE_TYPEEQUIVALENCE private: @@ -5209,4 +5167,7 @@ public: }; #endif // !DACCESS_COMPILE && !CROSSGEN_COMPILE +#define INVALID_APPDOMAIN_ID ((DWORD)-1) +#define CURRENT_APPDOMAIN_ID ((ADID)(DWORD)0) + #endif diff --git a/src/vm/appdomain.inl b/src/vm/appdomain.inl index 2986588ddc..7fb4a9593d 100644 --- a/src/vm/appdomain.inl +++ b/src/vm/appdomain.inl 
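Review bot: The two new macros `INVALID_APPDOMAIN_ID` and `CURRENT_APPDOMAIN_ID` are added at the very end of appdomain.hpp, just before the closing include guard, with no comment; they look relocated from a header deleted elsewhere in this commit (not shown here), and a reader cannot tell what consumes them or why `CURRENT_APPDOMAIN_ID` is cast through `DWORD` before `ADID`. A one-line comment naming their origin, or a `const`/enum in this header's style instead of a macro, would help. Separately, the `DISABLE_TRANSPARENCY_ENFORCEMENT` flag and its "security transparency rules" comment survive as context in the member-removal hunk even though transparency enforcement is being deleted; if nothing reads it any more it belongs in the same cleanup.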
@@ -198,46 +198,6 @@ inline void AppDomain::RemoveMemoryPressure() #endif // DACCESS_COMPILE -inline void AppDomain::SetAppDomainManagerInfo(LPCWSTR szAssemblyName, LPCWSTR szTypeName, EInitializeNewDomainFlags dwInitializeDomainFlags) -{ - CONTRACTL - { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - m_AppDomainManagerAssembly=szAssemblyName; - m_AppDomainManagerType=szTypeName; - m_dwAppDomainManagerInitializeDomainFlags = dwInitializeDomainFlags; -} - -inline BOOL AppDomain::HasAppDomainManagerInfo() -{ - WRAPPER_NO_CONTRACT; - return !m_AppDomainManagerAssembly.IsEmpty() && !m_AppDomainManagerType.IsEmpty(); -} - -inline LPCWSTR AppDomain::GetAppDomainManagerAsm() -{ - WRAPPER_NO_CONTRACT; - return m_AppDomainManagerAssembly; -} - - -inline LPCWSTR AppDomain::GetAppDomainManagerType() -{ - WRAPPER_NO_CONTRACT; - return m_AppDomainManagerType; -} - - -inline EInitializeNewDomainFlags AppDomain::GetAppDomainManagerInitializeNewDomainFlags() -{ - LIMITED_METHOD_CONTRACT; - return m_dwAppDomainManagerInitializeDomainFlags; -} - inline AppDomain::PathIterator AppDomain::IterateNativeDllSearchDirectories() { WRAPPER_NO_CONTRACT; diff --git a/src/vm/appdomainnative.cpp b/src/vm/appdomainnative.cpp index de97fc5bb7..41259897c0 100644 --- a/src/vm/appdomainnative.cpp +++ b/src/vm/appdomainnative.cpp 
@@ -55,91 +55,6 @@ inline AppDomain *AppDomainNative::ValidateArg(APPDOMAINREF pThis) return pDomain; } - - -void QCALLTYPE AppDomainNative::SetupDomainSecurity(QCall::AppDomainHandle pDomain, - QCall::ObjectHandleOnStack ohEvidence, - IApplicationSecurityDescriptor *pParentSecurityDescriptor, - BOOL fPublishAppDomain) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - struct - { - OBJECTREF orEvidence; - } - gc; - ZeroMemory(&gc, sizeof(gc)); - - GCX_COOP(); - GCPROTECT_BEGIN(gc) - if (ohEvidence.m_ppObject != NULL) - { - gc.orEvidence = ObjectToOBJECTREF(*ohEvidence.m_ppObject); - } - - - // Set up the default AppDomain property. - IApplicationSecurityDescriptor *pSecDesc = pDomain->GetSecurityDescriptor(); - - if (!pSecDesc->IsHomogeneous() && pDomain->IsDefaultDomain()) - { - Security::SetDefaultAppDomainProperty(pSecDesc); - } - // Set up the evidence property in the VM side. - else - { - // If there is no provided evidence then this new appdomain gets the same evidence as the creator. - // - // If there is no provided evidence and this AppDomain is not homogeneous, then it automatically - // is also a default appdomain (for security grant set purposes) - // - // - // If evidence is provided, the new appdomain is not a default appdomain and - // we simply use the provided evidence. - - if (gc.orEvidence == NULL) - { - _ASSERTE(pParentSecurityDescriptor == NULL || pParentSecurityDescriptor->IsDefaultAppDomainEvidence()); - - if (pSecDesc->IsHomogeneous()) - { - // New domain gets default AD evidence - Security::SetDefaultAppDomainEvidenceProperty(pSecDesc); - } - else - { - // New domain gets to be a default AD - Security::SetDefaultAppDomainProperty(pSecDesc); - } - } - } - - - // We need to downgrade sharing level if the AppDomain is homogeneous and not fully trusted, or the - // AppDomain is in legacy mode. Effectively, we need to be sure that all assemblies loaded into the - // domain must be fully trusted in order to allow non-GAC sharing. 
- - // Now finish the initialization. - pSecDesc->FinishInitialization(); - - // once domain is loaded it is publically available so if you have anything - // that a list interrogator might need access to if it gets a hold of the - // appdomain, then do it above the LoadDomain. - if (fPublishAppDomain) - SystemDomain::LoadDomain(pDomain); - -#ifdef _DEBUG - LOG((LF_APPDOMAIN, LL_INFO100, "AppDomainNative::CreateDomain domain [%d] %p %S\n", pDomain->GetIndex().m_dwIndex, (AppDomain*)pDomain, pDomain->GetFriendlyName())); -#endif - - GCPROTECT_END(); - - END_QCALL; -} - FCIMPL2(void, AppDomainNative::SetupFriendlyName, AppDomainBaseObject* refThisUNSAFE, StringObject* strFriendlyNameUNSAFE) { FCALL_CONTRACT; 
@@ -188,74 +103,6 @@ FCIMPL2(void, AppDomainNative::SetupFriendlyName, AppDomainBaseObject* refThisUN } FCIMPLEND -#if FEATURE_COMINTEROP - -FCIMPL1(void, AppDomainNative::SetDisableInterfaceCache, AppDomainBaseObject* refThisUNSAFE) -{ - CONTRACTL - { - MODE_COOPERATIVE; - DISABLED(GC_TRIGGERS); // can't use this in an FCALL because we're in forbid gc mode until we setup a H_M_F. - SO_TOLERANT; - THROWS; - } - CONTRACTL_END; - - struct _gc - { - APPDOMAINREF refThis; - } gc; - - gc.refThis = (APPDOMAINREF) refThisUNSAFE; - - HELPER_METHOD_FRAME_BEGIN_PROTECT(gc) - - AppDomainRefHolder pDomain(ValidateArg(gc.refThis)); - pDomain->AddRef(); - - pDomain->SetDisableInterfaceCache(); - - HELPER_METHOD_FRAME_END(); -} -FCIMPLEND - -#endif // FEATURE_COMINTEROP - - -FCIMPL1(void*, AppDomainNative::GetSecurityDescriptor, AppDomainBaseObject* refThisUNSAFE) -{ - FCALL_CONTRACT; - - void* pvRetVal = NULL; - APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE; - - HELPER_METHOD_FRAME_BEGIN_RET_1(refThis); - - - pvRetVal = ValidateArg(refThis)->GetSecurityDescriptor(); - - HELPER_METHOD_FRAME_END(); - return pvRetVal; -} -FCIMPLEND - -#ifdef FEATURE_LOADER_OPTIMIZATION -FCIMPL2(void, AppDomainNative::UpdateLoaderOptimization, AppDomainBaseObject* refThisUNSAFE, DWORD optimization) -{ - FCALL_CONTRACT; - - APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE; - - HELPER_METHOD_FRAME_BEGIN_1(refThis); - - ValidateArg(refThis)->SetSharePolicy((AppDomain::SharePolicy) (optimization & AppDomain::SHARE_POLICY_MASK)); - - HELPER_METHOD_FRAME_END(); -} -FCIMPLEND -#endif // FEATURE_LOADER_OPTIMIZATION - - FCIMPL1(void, AppDomainNative::CreateContext, AppDomainBaseObject *refThisUNSAFE) 
@@ -316,7 +163,7 @@ void QCALLTYPE AppDomainNative::SetupBindingPaths(__in_z LPCWSTR wszTrustedPlatf } -FCIMPL9(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, Object* identityUNSAFE, StackCrawlMark* stackMark, U1Array *securityRulesBlobUNSAFE, U1Array *aptcaBlobUNSAFE, INT32 access, INT32 dwFlags, SecurityContextSource securityContextSource) +FCIMPL4(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, StackCrawlMark* stackMark, INT32 access) { FCALL_CONTRACT; @@ -329,15 +176,10 @@ FCIMPL9(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* re args.refThis = (APPDOMAINREF) refThisUNSAFE; args.assemblyName = (ASSEMBLYNAMEREF) assemblyNameUNSAFE; - args.identity = (OBJECTREF) identityUNSAFE; - args.securityRulesBlob = (U1ARRAYREF) securityRulesBlobUNSAFE; - args.aptcaBlob = (U1ARRAYREF) aptcaBlobUNSAFE; args.loaderAllocator = NULL; args.access = access; - args.flags = static_cast<DynamicAssemblyFlags>(dwFlags); args.stackMark = stackMark; - args.securityContextSource = securityContextSource; HELPER_METHOD_FRAME_BEGIN_RET_PROTECT((CreateDynamicAssemblyArgsGC&)args); @@ -352,30 +194,6 @@ FCIMPL9(Object*, AppDomainNative::CreateDynamicAssembly, AppDomainBaseObject* re } FCIMPLEND -//--------------------------------------------------------------------------------------- -// -// Returns true if the DisableFusionUpdatesFromADManager config switch is turned on. -// -// Arguments: -// adhTarget - AppDomain to get domain manager information about -// - -// static -BOOL QCALLTYPE AppDomainNative::DisableFusionUpdatesFromADManager(QCall::AppDomainHandle adhTarget) -{ - QCALL_CONTRACT; - - BOOL bUpdatesDisabled = FALSE; - - BEGIN_QCALL; - - bUpdatesDisabled = !!(g_pConfig->DisableFusionUpdatesFromADManager()); - - END_QCALL; - - return bUpdatesDisabled; -} - #ifdef FEATURE_APPX // 
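Review bot: The second hunk removes the assignments to `args.identity`, `args.securityRulesBlob`, `args.aptcaBlob`, `args.flags` and `args.securityContextSource`, but the `args` declaration and the CreateDynamicAssemblyArgs definition are outside the hunk, so it is not visible whether those fields were removed as well. If any OBJECTREF-typed field remains in the struct, it is now left uninitialized at the point where `HELPER_METHOD_FRAME_BEGIN_RET_PROTECT((CreateDynamicAssemblyArgsGC&)args)` reports the struct to the GC, which is a stale-reference hazard; please confirm the struct was trimmed in the same commit, or zero-initialize `args` before the frame. The FCIMPL9 to FCIMPL4 change in the first hunk must also match the managed `[MethodImpl(MethodImplOptions.InternalCall)]` declaration argument for argument; presumably that is covered elsewhere in this commit. The body of CreateDynamicAssembly extends outside both hunks.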
@@ -415,124 +233,6 @@ INT32 QCALLTYPE AppDomainNative::GetAppXFlags() #endif // FEATURE_APPX -//--------------------------------------------------------------------------------------- -// -// Get the assembly and type containing the AppDomainManager used for the current domain -// -// Arguments: -// adhTarget - AppDomain to get domain manager information about -// retAssembly - [out] assembly which contains the AppDomainManager -// retType - [out] AppDomainManger for the domain -// -// Notes: -// If the AppDomain does not have an AppDomainManager, retAssembly and retType will be null on return. -// - -// static -void QCALLTYPE AppDomainNative::GetAppDomainManagerType(QCall::AppDomainHandle adhTarget, - QCall::StringHandleOnStack shRetAssembly, - QCall::StringHandleOnStack shRetType) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - if (adhTarget->HasAppDomainManagerInfo()) - { - shRetAssembly.Set(adhTarget->GetAppDomainManagerAsm()); - shRetType.Set(adhTarget->GetAppDomainManagerType()); - } - else - { - shRetAssembly.Set(static_cast<LPCWSTR>(NULL)); - shRetType.Set(static_cast<LPCWSTR>(NULL)); - } - - END_QCALL; -} - -//--------------------------------------------------------------------------------------- -// -// Set the assembly and type containing the AppDomainManager to be used for the current domain -// -// Arguments: -// adhTarget - AppDomain to set domain manager information for -// wszAssembly - assembly which contains the AppDomainManager -// wszType - AppDomainManger for the domain -// - -// static -void QCALLTYPE AppDomainNative::SetAppDomainManagerType(QCall::AppDomainHandle adhTarget, - __in_z LPCWSTR wszAssembly, - __in_z LPCWSTR wszType) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(wszAssembly)); - PRECONDITION(CheckPointer(wszType)); - PRECONDITION(!GetAppDomain()->HasAppDomainManagerInfo()); - } - CONTRACTL_END; - - BEGIN_QCALL; - - // If the AppDomainManager type is the same as the domain manager setup by the CLR host, then we can - // 
propagate the host's initialization flags to the new domain as well; - EInitializeNewDomainFlags initializationFlags = eInitializeNewDomainFlags_None; - if (CorHost2::HasAppDomainManagerInfo()) - { - if (wcscmp(CorHost2::GetAppDomainManagerAsm(), wszAssembly) == 0 && - wcscmp(CorHost2::GetAppDomainManagerType(), wszType) == 0) - { - initializationFlags = CorHost2::GetAppDomainManagerInitializeNewDomainFlags(); - } - } - - adhTarget->SetAppDomainManagerInfo(wszAssembly, wszType, initializationFlags); - - // If the initialization flags promise that the domain manager isn't going to modify security, then do a - // pre-resolution of the domain now so that we can do some basic verification of the state later. We - // don't care about the actual result now, just that the resolution took place to compare against later. - if (initializationFlags & eInitializeNewDomainFlags_NoSecurityChanges) - { - BOOL fIsFullyTrusted; - BOOL fIsHomogeneous; - adhTarget->GetSecurityDescriptor()->PreResolve(&fIsFullyTrusted, &fIsHomogeneous); - } - - END_QCALL; -} - - -FCIMPL1(void, AppDomainNative::SetHostSecurityManagerFlags, DWORD dwFlags); -{ - FCALL_CONTRACT; - - HELPER_METHOD_FRAME_BEGIN_0(); - - GetThread()->GetDomain()->GetSecurityDescriptor()->SetHostSecurityManagerFlags(dwFlags); - - HELPER_METHOD_FRAME_END(); -} -FCIMPLEND - -// static -void QCALLTYPE AppDomainNative::SetSecurityHomogeneousFlag(QCall::AppDomainHandle adhTarget, - BOOL fRuntimeSuppliedHomogenousGrantSet) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - IApplicationSecurityDescriptor *pAppSecDesc = adhTarget->GetSecurityDescriptor(); - pAppSecDesc->SetHomogeneousFlag(fRuntimeSuppliedHomogenousGrantSet); - - END_QCALL; -} - - - FCIMPL1(Object*, AppDomainNative::GetFriendlyName, AppDomainBaseObject* refThisUNSAFE) { FCALL_CONTRACT; 
@@ -553,23 +253,6 @@ FCIMPL1(Object*, AppDomainNative::GetFriendlyName, AppDomainBaseObject* refThisU } FCIMPLEND -FCIMPL1(FC_BOOL_RET, AppDomainNative::IsDefaultAppDomainForEvidence, AppDomainBaseObject* refThisUNSAFE) -{ - FCALL_CONTRACT; - - BOOL retVal = FALSE; - APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE; - - HELPER_METHOD_FRAME_BEGIN_RET_1(refThis); - - AppDomain* pApp = ValidateArg((APPDOMAINREF) refThisUNSAFE); - retVal = pApp->GetSecurityDescriptor()->IsDefaultAppDomainEvidence(); - - HELPER_METHOD_FRAME_END(); - FC_RETURN_BOOL(retVal); -} -FCIMPLEND - FCIMPL2(Object*, AppDomainNative::GetAssemblies, AppDomainBaseObject* refThisUNSAFE, CLR_BOOL forIntrospection); { FCALL_CONTRACT; @@ -695,21 +378,6 @@ FCIMPL1(INT32, AppDomainNative::GetId, AppDomainBaseObject* refThisUNSAFE) } FCIMPLEND -FCIMPL1(void, AppDomainNative::ChangeSecurityPolicy, AppDomainBaseObject* refThisUNSAFE) -{ - FCALL_CONTRACT; - - APPDOMAINREF refThis = (APPDOMAINREF) refThisUNSAFE; - HELPER_METHOD_FRAME_BEGIN_1(refThis); - AppDomain* pApp = ValidateArg(refThis); - - pApp->GetSecurityDescriptor()->SetPolicyLevelFlag(); - - HELPER_METHOD_FRAME_END(); -} -FCIMPLEND - - FCIMPL2(Object*, AppDomainNative::IsStringInterned, AppDomainBaseObject* refThisUNSAFE, StringObject* pStringUNSAFE) { FCALL_CONTRACT; @@ -772,23 +440,6 @@ FCIMPL1(Object*, AppDomainNative::GetDynamicDir, AppDomainBaseObject* refThisUNS } FCIMPLEND -// static -void QCALLTYPE AppDomainNative::GetGrantSet(QCall::AppDomainHandle adhTarget, - QCall::ObjectHandleOnStack retGrantSet) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - IApplicationSecurityDescriptor *pSecDesc = adhTarget->GetSecurityDescriptor(); - - GCX_COOP(); - pSecDesc->Resolve(); - retGrantSet.Set(pSecDesc->GetGrantedPermissionSet()); - - END_QCALL; -} - FCIMPL1(FC_BOOL_RET, AppDomainNative::IsUnloadingForcedFinalize, AppDomainBaseObject* refThisUNSAFE) { diff --git a/src/vm/appdomainnative.hpp b/src/vm/appdomainnative.hpp index 7693e6019a..6e60382031 100644 
--- a/src/vm/appdomainnative.hpp +++ b/src/vm/appdomainnative.hpp @@ -22,18 +22,9 @@ class AppDomainNative public: static AppDomain *ValidateArg(APPDOMAINREF pThis); static FCDECL2(void, SetupFriendlyName, AppDomainBaseObject* refThisUNSAFE, StringObject* strFriendlyNameUNSAFE); -#if FEATURE_COMINTEROP - static FCDECL1(void, SetDisableInterfaceCache, AppDomainBaseObject* refThisUNSAFE); -#endif // FEATURE_COMINTEROP - static FCDECL1(void*, GetSecurityDescriptor, AppDomainBaseObject* refThisUNSAFE); -#ifdef FEATURE_LOADER_OPTIMIZATION - static FCDECL2(void, UpdateLoaderOptimization, AppDomainBaseObject* refThisUNSAFE, DWORD optimization); -#endif // FEATURE_LOADER_OPTIMIZATION - static FCDECL9(Object*, CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, Object* identityUNSAFE, StackCrawlMark* stackMark, U1Array* securityRulesBlobUNSAFE, U1Array* aptcaBlobUNSAFE, INT32 access, INT32 flags, SecurityContextSource securityContextSource); - static FCDECL1(void, SetHostSecurityManagerFlags, DWORD dwFlags); + static FCDECL4(Object*, CreateDynamicAssembly, AppDomainBaseObject* refThisUNSAFE, AssemblyNameBaseObject* assemblyNameUNSAFE, StackCrawlMark* stackMark, INT32 access); static FCDECL1(Object*, GetFriendlyName, AppDomainBaseObject* refThisUNSAFE); - static FCDECL1(FC_BOOL_RET, IsDefaultAppDomainForEvidence, AppDomainBaseObject* refThisUNSAFE); static FCDECL2(Object*, GetAssemblies, AppDomainBaseObject* refThisUNSAFE, CLR_BOOL fForIntrospection); static FCDECL2(Object*, GetOrInternString, AppDomainBaseObject* refThisUNSAFE, StringObject* pStringUNSAFE); static FCDECL1(void, CreateContext, AppDomainBaseObject *refThisUNSAFE); 
@@ -45,7 +36,6 @@ public: static FCDECL1(FC_BOOL_RET, IsDomainIdValid, INT32 dwId); static FCDECL1(FC_BOOL_RET, IsFinalizingForUnload, AppDomainBaseObject* refThisUNSAFE); static FCDECL1(void, ForceToSharedDomain, Object* pObjectUNSAFE); - static FCDECL1(void, ChangeSecurityPolicy, AppDomainBaseObject* refThisUNSAFE); static FCDECL1(LPVOID, GetFusionContext, AppDomainBaseObject* refThis); static FCDECL2(Object*, IsStringInterned, AppDomainBaseObject* refThis, StringObject* pString); static FCDECL1(FC_BOOL_RET, IsUnloadingForcedFinalize, AppDomainBaseObject* refThis); @@ -71,42 +61,10 @@ private: PTRARRAYREF *pStringArgs); public: - static - void QCALLTYPE SetupDomainSecurity(QCall::AppDomainHandle pDomain, - QCall::ObjectHandleOnStack ohEvidence, - IApplicationSecurityDescriptor *pParentSecurityDescriptor, - BOOL fPublishAppDomain); - - static - void QCALLTYPE GetGrantSet(QCall::AppDomainHandle adhTarget, - QCall::ObjectHandleOnStack retGrantSet); - - - static - BOOL QCALLTYPE DisableFusionUpdatesFromADManager(QCall::AppDomainHandle adhTarget); - #ifdef FEATURE_APPX static INT32 QCALLTYPE GetAppXFlags(); #endif - - static - void QCALLTYPE GetAppDomainManagerType(QCall::AppDomainHandle adhTarget, - QCall::StringHandleOnStack shRetAssembly, - QCall::StringHandleOnStack shRetType); - - static - void QCALLTYPE SetAppDomainManagerType(QCall::AppDomainHandle adhTarget, - __in_z LPCWSTR wszAssembly, - __in_z LPCWSTR wszType); - - static - void QCALLTYPE SetSecurityHomogeneousFlag(QCall::AppDomainHandle adhTarget, - BOOL fRuntimeSuppliedHomgenousGrantSet); - - - - }; #endif diff --git a/src/vm/appdomainstack.cpp b/src/vm/appdomainstack.cpp deleted file mode 100644 index 5561b7d22c..0000000000 --- a/src/vm/appdomainstack.cpp +++ /dev/null 
@@ -1,106 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - - -// - - -#include "common.h" - -#include "appdomainstack.h" -#include "appdomainstack.inl" -#include "security.h" -#include "securitypolicy.h" -#include "appdomain.inl" -#include "callhelpers.h" - -#ifdef _DEBUG -void AppDomainStack::CheckOverridesAssertCounts() -{ - LIMITED_METHOD_CONTRACT; - DWORD dwAppDomainIndex = 0; - DWORD dwOverrides = 0; - DWORD dwAsserts = 0; - AppDomainStackEntry *pEntry = NULL; - for(dwAppDomainIndex=0;dwAppDomainIndex<m_numEntries;dwAppDomainIndex++) - { - pEntry = __GetEntryPtr(dwAppDomainIndex); - dwOverrides += pEntry->m_dwOverridesCount; - dwAsserts += pEntry->m_dwAsserts; - } - _ASSERTE(dwOverrides == m_dwOverridesCount); - _ASSERTE(dwAsserts == m_dwAsserts); -} -#endif - -BOOL AppDomainStackEntry::IsFullyTrustedWithNoStackModifiers(void) -{ - LIMITED_METHOD_CONTRACT; - if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0) - return FALSE; - - AppDomainFromIDHolder pDomain(m_domainID, FALSE); - if (pDomain.IsUnloaded()) - return FALSE; - IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor(); - if (currAppSecDesc == NULL) - return FALSE; - return Security::CheckDomainWideSpecialFlag(currAppSecDesc, 1 << SECURITY_FULL_TRUST); -} -BOOL AppDomainStackEntry::IsHomogeneousWithNoStackModifiers(void) -{ - LIMITED_METHOD_CONTRACT; - if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0) - return FALSE; - - AppDomainFromIDHolder pDomain(m_domainID, FALSE); - if (pDomain.IsUnloaded()) - return FALSE; - IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor(); - if (currAppSecDesc == NULL) - return FALSE; - return (currAppSecDesc->IsHomogeneous() && 
!currAppSecDesc->ContainsAnyRefusedPermissions()); -} - -BOOL AppDomainStackEntry::HasFlagsOrFullyTrustedWithNoStackModifiers(DWORD flags) -{ - LIMITED_METHOD_CONTRACT; - if (m_domainID.m_dwId == INVALID_APPDOMAIN_ID || m_dwOverridesCount != 0 || m_dwAsserts != 0) - return FALSE; - - AppDomainFromIDHolder pDomain(m_domainID, FALSE); - if (pDomain.IsUnloaded()) - return FALSE; - IApplicationSecurityDescriptor *currAppSecDesc = pDomain->GetSecurityDescriptor(); - if (currAppSecDesc == NULL) - return FALSE; - - // either the desired flag (often 0) or fully trusted will do - flags |= (1<<SECURITY_FULL_TRUST); - return Security::CheckDomainWideSpecialFlag(currAppSecDesc, flags); -} - -BOOL AppDomainStack::AllDomainsHomogeneousWithNoStackModifiers() -{ - WRAPPER_NO_CONTRACT; - - // Used primarily by CompressedStack code to decide if a CS has to be constructed - - DWORD dwAppDomainIndex = 0; - - - InitDomainIteration(&dwAppDomainIndex); - while (dwAppDomainIndex != 0) - { - AppDomainStackEntry* pEntry = GetNextDomainEntryOnStack(&dwAppDomainIndex); - _ASSERTE(pEntry != NULL); - - if (!pEntry->IsHomogeneousWithNoStackModifiers() && !pEntry->IsFullyTrustedWithNoStackModifiers()) - return FALSE; - } - - return TRUE; -} - diff --git a/src/vm/appdomainstack.h b/src/vm/appdomainstack.h deleted file mode 100644 index fffabf97e4..0000000000 --- a/src/vm/appdomainstack.h +++ /dev/null 
@@ -1,228 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// Appdomainstack.h - -// - - -// - - -#ifndef __appdomainstack_h__ -#define __appdomainstack_h__ - -#include "vars.hpp" -#include "util.hpp" - - -// Stack of AppDomains executing on the current thread. Used in security optimization to avoid stackwalks -#define ADSTACK_BLOCK_SIZE 16 -#define INVALID_APPDOMAIN_ID ((DWORD)-1) -#define CURRENT_APPDOMAIN_ID ((ADID)(DWORD)0) -#define __GetADID(index) ((index)<ADSTACK_BLOCK_SIZE?m_pStack[(index)].m_domainID:m_pExtraStack[((index)-ADSTACK_BLOCK_SIZE)].m_domainID) -#define __GetEntryPtr(index) ((index)<ADSTACK_BLOCK_SIZE?&(m_pStack[(index)]):&(m_pExtraStack[((index)-ADSTACK_BLOCK_SIZE)])) - -struct AppDomainStackEntry -{ - ADID m_domainID; - DWORD m_dwOverridesCount; - DWORD m_dwAsserts; - DWORD m_dwPreviousThreadWideSpecialFlags; - - FORCEINLINE bool operator==(const AppDomainStackEntry& entry) const - { - return (m_domainID == entry.m_domainID && - m_dwOverridesCount == entry.m_dwOverridesCount && - m_dwAsserts == entry.m_dwAsserts); - } - FORCEINLINE bool operator!=(const AppDomainStackEntry& entry) const - { - return (m_domainID != entry.m_domainID || - m_dwOverridesCount != entry.m_dwOverridesCount || - m_dwAsserts != entry.m_dwAsserts); - - } - BOOL IsFullyTrustedWithNoStackModifiers(void); - BOOL IsHomogeneousWithNoStackModifiers(void); - BOOL HasFlagsOrFullyTrustedWithNoStackModifiers(DWORD flags); -}; - -class AppDomainStack -{ -public: - AppDomainStack() : m_numEntries(0), m_pExtraStack(NULL), m_ExtraStackSize(0), m_dwOverridesCount(0), m_dwAsserts(0), m_dwThreadWideSpecialFlags(0xFFFFFFFF) - { - LIMITED_METHOD_CONTRACT; - FillEntries(m_pStack, ADSTACK_BLOCK_SIZE); - } - - AppDomainStack(const AppDomainStack& stack):m_numEntries(0), m_pExtraStack(NULL), m_ExtraStackSize(0), 
m_dwOverridesCount(0), m_dwAsserts(0) - { - CONTRACTL { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - - m_dwThreadWideSpecialFlags = stack.m_dwThreadWideSpecialFlags; - m_numEntries = stack.m_numEntries; - m_dwOverridesCount = stack.m_dwOverridesCount; - m_dwAsserts = stack.m_dwAsserts; - LOG((LF_APPDOMAIN, LL_INFO100, "copy ctor: m_dwAsserts:%d stack.m_dwAsserts:%d\n",m_dwAsserts, stack.m_dwAsserts)); - memcpy(m_pStack, stack.m_pStack, sizeof( AppDomainStackEntry) * ADSTACK_BLOCK_SIZE); - // If there is anything stored in the extra allocated space, copy that over - if (m_numEntries > ADSTACK_BLOCK_SIZE) - { - // #blocks to allocate = ceil(numDomains/blocksize) - 1 = ceil ((numdomains - blocksize)/blocksize) = numdomains/blocksize - DWORD numBlocks = m_numEntries/ADSTACK_BLOCK_SIZE; - m_ExtraStackSize = numBlocks*ADSTACK_BLOCK_SIZE; - m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize]; - memcpy(m_pExtraStack, stack.m_pExtraStack, sizeof(AppDomainStackEntry)*(m_numEntries-ADSTACK_BLOCK_SIZE)); - FillEntries((m_pExtraStack+m_numEntries-ADSTACK_BLOCK_SIZE), (m_ExtraStackSize -(m_numEntries-ADSTACK_BLOCK_SIZE))); - } - } - - ~AppDomainStack() - { - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - } CONTRACTL_END; - if (m_pExtraStack != NULL) - delete[] m_pExtraStack; - m_pExtraStack = NULL; - m_ExtraStackSize = 0; - } - - bool operator!= (const AppDomainStack& stack) const - { - return !(*this == stack); - } - - bool operator== (const AppDomainStack& stack) const - { - LIMITED_METHOD_CONTRACT; - if (this == &stack) // degenerate case: comparing with self - return true; - if (this->m_numEntries != stack.m_numEntries || - this->m_dwAsserts != stack.m_dwAsserts || - this->m_dwOverridesCount != stack.m_dwOverridesCount) - return false; - for (unsigned i =0; i < stack.m_numEntries; i++) - { - if (i < ADSTACK_BLOCK_SIZE) - { - if (this->m_pStack[i] != stack.m_pStack[i]) - return false; - } - else - { - if (this->m_pExtraStack[i-ADSTACK_BLOCK_SIZE] 
!= stack.m_pExtraStack[i-ADSTACK_BLOCK_SIZE]) - return false; - } - } - return true; - } - inline AppDomainStack& operator =(const AppDomainStack& stack) - { - CONTRACTL { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - - // Degenerate case (assigning x = x) - if (this == &stack) - return *this; - - m_dwThreadWideSpecialFlags = stack.m_dwThreadWideSpecialFlags; - m_numEntries = stack.m_numEntries; - m_dwOverridesCount = stack.m_dwOverridesCount; - m_dwAsserts = stack.m_dwAsserts; - LOG((LF_APPDOMAIN, LL_INFO100, "= operator : m_dwAsserts:%d stack.m_dwAsserts:%d\n",m_dwAsserts, stack.m_dwAsserts)); - memcpy(m_pStack, stack.m_pStack, sizeof( AppDomainStackEntry) * ADSTACK_BLOCK_SIZE); - // If there is anything stored in the extra allocated space, copy that over - if (m_numEntries > ADSTACK_BLOCK_SIZE) - { - // #blocks to allocate = ceil(numDomains/blocksize) - 1 = ceil ((numdomains - blocksize)/blocksize) = numdomains/blocksize - DWORD numBlocks = m_numEntries/ADSTACK_BLOCK_SIZE; - if (m_ExtraStackSize < numBlocks*ADSTACK_BLOCK_SIZE) - { - // free ptr if it exists - if (m_pExtraStack != NULL) - delete[] m_pExtraStack; - m_pExtraStack = NULL; - - m_ExtraStackSize = numBlocks*ADSTACK_BLOCK_SIZE; - m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize]; - } - - memset(m_pExtraStack, 0xFF, sizeof(ADID) * numBlocks); - memcpy(m_pExtraStack, stack.m_pExtraStack, sizeof(AppDomainStackEntry)*(m_numEntries-ADSTACK_BLOCK_SIZE)); - FillEntries((m_pExtraStack+m_numEntries-ADSTACK_BLOCK_SIZE), (m_ExtraStackSize -(m_numEntries-ADSTACK_BLOCK_SIZE))); - } - - return *this; - } - - inline void PushDomain(ADID pDomain); - inline ADID PopDomain(); - - inline void InitDomainIteration(DWORD *pIndex) const; - // Gets the next AD on the stack - inline ADID GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts) const; - inline AppDomainStackEntry* GetNextDomainEntryOnStack(DWORD *pIndex); - inline AppDomainStackEntry* GetCurrentDomainEntryOnStack(DWORD 
pIndex); - // Updates the asserts/overrides on the next AD on the stack - inline void UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides); - inline DWORD GetNumDomains() const; - inline void ClearDomainStack(); - inline DWORD GetThreadWideSpecialFlag() const; - inline DWORD IncrementOverridesCount(); - inline DWORD DecrementOverridesCount(); - inline DWORD GetOverridesCount(); - inline DWORD GetInnerAppDomainOverridesCount(); - inline DWORD IncrementAssertCount(); - inline DWORD DecrementAssertCount(); - inline DWORD GetAssertCount(); - inline DWORD GetInnerAppDomainAssertCount(); - bool IsDefaultSecurityInfo() const; - BOOL AllDomainsHomogeneousWithNoStackModifiers(); - -private: - inline void AddMoreDomains(void); - inline AppDomainStackEntry* ReadTopOfStack(); - void UpdateStackFromEntries(); - static void FillEntries(AppDomainStackEntry ptr[], DWORD size) - { - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - }CONTRACTL_END; - _ASSERTE(ptr != NULL); - DWORD i; - const AppDomainStackEntry tmp_entry = {ADID(INVALID_APPDOMAIN_ID), 0, 0}; - for(i=0;i<size;i++) - ptr[i]=tmp_entry; - } - -#ifdef _DEBUG - inline void LogADStackUpdate(void); - void CheckOverridesAssertCounts(); // Debug only code to check that assert count/overrides count are always in sync across adstack -#endif - - DWORD m_numEntries; - AppDomainStackEntry m_pStack[ADSTACK_BLOCK_SIZE]; - AppDomainStackEntry *m_pExtraStack; - DWORD m_ExtraStackSize; - DWORD m_dwOverridesCount; // across all entries - DWORD m_dwAsserts; // across all entries - DWORD m_dwThreadWideSpecialFlags; // this flag records the last evaluated thread wide security state -}; -#endif diff --git a/src/vm/appdomainstack.inl b/src/vm/appdomainstack.inl deleted file mode 100644 index badcb91a89..0000000000 --- a/src/vm/appdomainstack.inl +++ /dev/null 
@@ -1,443 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -/*============================================================ -** -** Header: AppDomainStack.inl -** -** Purpose: Implements ADStack inline functions -** - - -** -===========================================================*/ -#ifndef _APPDOMAINSTACK_INL -#define _APPDOMAINSTACK_INL - -#include "threads.h" -#include "appdomain.hpp" -#include "appdomainstack.h" -#include "security.h" - - -#ifndef DACCESS_COMPILE - -#ifdef _DEBUG -#define LogADStackUpdateIfDebug LogADStackUpdate() -inline void AppDomainStack::LogADStackUpdate(void) -{ - LIMITED_METHOD_CONTRACT; - for (int i=m_numEntries-1; i >= 0; i--) { - AppDomainStackEntry* pEntry = __GetEntryPtr(i); - - LOG((LF_APPDOMAIN, LL_INFO100, " stack[%d]: AppDomain id[%d] Overrides[%d] Asserts[%d] \n", i, - pEntry->m_domainID.m_dwId, pEntry->m_dwOverridesCount, pEntry->m_dwAsserts)); - } -} - -#else -#define LogADStackUpdateIfDebug -#endif - -inline void AppDomainStack::AddMoreDomains(void) -{ - CONTRACTL { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - // Need to allocate a bigger block for pMoreDomains - AppDomainStackEntry *tmp = m_pExtraStack; - m_pExtraStack = new AppDomainStackEntry[m_ExtraStackSize + ADSTACK_BLOCK_SIZE]; - memcpy(m_pExtraStack, tmp, sizeof(AppDomainStackEntry)*(m_ExtraStackSize)); - FillEntries((m_pExtraStack+m_ExtraStackSize), ADSTACK_BLOCK_SIZE); - m_ExtraStackSize+= ADSTACK_BLOCK_SIZE; - delete[] tmp; // free the old block - -} -inline void AppDomainStack::PushDomain(ADID pDomain) -{ - CONTRACTL { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PushDomain (%d), count now %d\n", pDomain.m_dwId, m_numEntries+1)); - - // - // When entering a new AppDomain, we need to update the thread wide - // state with the 
intersection of the current and the new AppDomains flags. - // This is because the old AppDomain could have loaded new assemblies - // that are not yet reflected in the thread wide state, and the thread - // could then execute code in that new Assembly. - // We save the old thread wide state in the AppDomainStackEntry so we - // can restore it when we pop the stack entry. - // - - // The pushed domain could be the default AppDomain (which is the starting - // AppDomain for all threads), in which case we don't need to intersect - // with the flags from the previous AppDomain. - Thread* pThread = GetThread(); - if (pThread) - m_dwThreadWideSpecialFlags &= pThread->GetDomain()->GetSecurityDescriptor()->GetDomainWideSpecialFlag(); - - if (m_numEntries == ADSTACK_BLOCK_SIZE + m_ExtraStackSize) - { - AddMoreDomains(); - } - - _ASSERTE(m_numEntries < ADSTACK_BLOCK_SIZE + m_ExtraStackSize); - if (m_numEntries < ADSTACK_BLOCK_SIZE) - { - m_pStack[m_numEntries].m_domainID = pDomain; - m_pStack[m_numEntries].m_dwAsserts = 0; - m_pStack[m_numEntries].m_dwOverridesCount = 0; - m_pStack[m_numEntries].m_dwPreviousThreadWideSpecialFlags = m_dwThreadWideSpecialFlags; - } - else - { - m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_domainID = pDomain ; - m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwAsserts = 0; - m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwOverridesCount = 0; - m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE].m_dwPreviousThreadWideSpecialFlags = m_dwThreadWideSpecialFlags; - } - - if (pThread) { - AppDomainFromIDHolder pAppDomain(pDomain, TRUE); - if (!pAppDomain.IsUnloaded()) - m_dwThreadWideSpecialFlags &= pAppDomain->GetSecurityDescriptor()->GetDomainWideSpecialFlag(); - } - - m_numEntries++; - - LogADStackUpdateIfDebug; -} - -inline ADID AppDomainStack::PopDomain() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - } - CONTRACTL_END; - - ADID pRet = (ADID)INVALID_APPDOMAIN_ID; - _ASSERTE(m_numEntries > 0); - if (m_numEntries > 0) - { - m_numEntries--; - 
AppDomainStackEntry ret_entry; - const AppDomainStackEntry reset_entry = {ADID(INVALID_APPDOMAIN_ID), 0, 0}; - - if (m_numEntries < ADSTACK_BLOCK_SIZE) - { - ret_entry = m_pStack[m_numEntries]; - m_pStack[m_numEntries] = reset_entry; - } - else - { - ret_entry = m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE]; - m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE] = reset_entry; - } - pRet=ret_entry.m_domainID; - - LOG((LF_APPDOMAIN, LL_INFO100, "PopDomain: Popping pRet.m_dwId [%d] m_dwAsserts:%d ret_entry.m_dwAsserts:%d. New m_dwAsserts:%d\n", - pRet.m_dwId, m_dwAsserts,ret_entry.m_dwAsserts, (m_dwAsserts-ret_entry.m_dwAsserts))); - - m_dwAsserts -= ret_entry.m_dwAsserts; - m_dwOverridesCount -= ret_entry.m_dwOverridesCount; -#ifdef _DEBUG - CheckOverridesAssertCounts(); -#endif - - // - // When leaving an AppDomain, we need to update the thread wide state by - // restoring to the state we were in before entering the AppDomain - // - - m_dwThreadWideSpecialFlags = ret_entry.m_dwPreviousThreadWideSpecialFlags; - - LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PopDomain popping [%d] count now %d\n", - pRet.m_dwId , m_numEntries)); - } - else - { - LOG((LF_APPDOMAIN, LL_INFO100, "Thread::PopDomain count now %d (error pop)\n", m_numEntries)); - } - - LogADStackUpdateIfDebug; - return pRet; -} -#endif // DACCESS_COMPILE - -inline DWORD AppDomainStack::GetNumDomains() const -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(m_numEntries >= 1); - return m_numEntries; -} - -inline DWORD AppDomainStack::GetThreadWideSpecialFlag() const -{ - LIMITED_METHOD_CONTRACT; - return m_dwThreadWideSpecialFlags; -} - -inline DWORD AppDomainStack::IncrementOverridesCount() -{ - - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - SO_TOLERANT;// Yes, we update global state here, but at worst we have an incorrect overrides count that will be updated the next - }CONTRACTL_END; // time we run any code that leads to UpdateOverrides. 
And I don't see even how that can happen: it doesn't look possible - // for use to take an SO between the update and when we return to managed code. - AppDomainStackEntry *pEntry = ReadTopOfStack(); - _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - ++(pEntry->m_dwOverridesCount); - return ++m_dwOverridesCount; -} -inline DWORD AppDomainStack::DecrementOverridesCount() -{ - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - SO_TOLERANT; - }CONTRACTL_END; - AppDomainStackEntry *pEntry = ReadTopOfStack(); - _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - _ASSERTE(pEntry->m_dwOverridesCount > 0); - _ASSERTE(m_dwOverridesCount > 0); - if (pEntry->m_dwOverridesCount > 0 && m_dwOverridesCount > 0) - { - --(pEntry->m_dwOverridesCount); - return --m_dwOverridesCount; - } - - return 0; -} -inline DWORD AppDomainStack::GetOverridesCount() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; -#ifdef _DEBUG - CheckOverridesAssertCounts(); -#endif - return m_dwOverridesCount; -} - -inline DWORD AppDomainStack::GetInnerAppDomainOverridesCount() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; -#ifdef _DEBUG - CheckOverridesAssertCounts(); -#endif - AppDomainStackEntry *pEntry = ReadTopOfStack(); - _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - - return pEntry->m_dwOverridesCount; -} - -inline DWORD AppDomainStack::IncrementAssertCount() -{ - LIMITED_METHOD_CONTRACT; - AppDomainStackEntry *pEntry = ReadTopOfStack(); - _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - LOG((LF_APPDOMAIN, LL_INFO100, "IncrementAssertCount: m_dwAsserts:%d ADID:%d pEntry:%p pEntry->m_dwAsserts:%d.\n", - m_dwAsserts, pEntry->m_domainID.m_dwId, pEntry, pEntry->m_dwAsserts)); - ++(pEntry->m_dwAsserts); - return ++m_dwAsserts; -} -inline DWORD AppDomainStack::DecrementAssertCount() -{ - LIMITED_METHOD_CONTRACT; - AppDomainStackEntry *pEntry = ReadTopOfStack(); - 
_ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - _ASSERTE(pEntry->m_dwAsserts > 0); - _ASSERTE(m_dwAsserts > 0); - LOG((LF_APPDOMAIN, LL_INFO100, "DecrementAssertCount: m_dwAsserts:%d ADID:%d pEntry:%p pEntry->m_dwAsserts:%d.\n", - m_dwAsserts, pEntry->m_domainID.m_dwId, pEntry, pEntry->m_dwAsserts)); - --(pEntry->m_dwAsserts); - return --m_dwAsserts; -} - -inline DWORD AppDomainStack::GetAssertCount() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; -#ifdef _DEBUG - CheckOverridesAssertCounts(); -#endif - - return m_dwAsserts; -} - -inline DWORD AppDomainStack::GetInnerAppDomainAssertCount() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; -#ifdef _DEBUG - CheckOverridesAssertCounts(); -#endif - AppDomainStackEntry *pEntry = ReadTopOfStack(); - _ASSERTE(pEntry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - - return pEntry->m_dwAsserts; -} - -inline void AppDomainStack::InitDomainIteration(DWORD *pIndex) const -{ - LIMITED_METHOD_CONTRACT; - *pIndex = m_numEntries; -} - -inline ADID AppDomainStack::GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts) const -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; - - _ASSERTE(*pIndex > 0 && *pIndex <= m_numEntries); - (*pIndex) --; - const AppDomainStackEntry *pEntry = __GetEntryPtr(*pIndex); - if (pOverrides != NULL) - *pOverrides = pEntry->m_dwOverridesCount; - if (pAsserts != NULL) - *pAsserts = pEntry->m_dwAsserts; - return (ADID)pEntry->m_domainID.m_dwId; -} - -inline AppDomainStackEntry* AppDomainStack::GetCurrentDomainEntryOnStack(DWORD pIndex) -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - } - CONTRACTL_END; - - _ASSERTE(pIndex >=0 && pIndex < m_numEntries); - return __GetEntryPtr(pIndex); -} - -inline AppDomainStackEntry* AppDomainStack::GetNextDomainEntryOnStack(DWORD *pIndex) -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END; - - _ASSERTE(*pIndex >0 && *pIndex 
<= m_numEntries); - (*pIndex) --; - return __GetEntryPtr(*pIndex); -} - -inline void AppDomainStack::UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides) -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - } - CONTRACTL_END; - AppDomainStackEntry* entry; - _ASSERTE(pIndex >=0 && pIndex < m_numEntries); - entry = __GetEntryPtr(pIndex); - _ASSERTE(entry->m_domainID.m_dwId != INVALID_APPDOMAIN_ID); - entry->m_dwAsserts = asserts; - entry->m_dwOverridesCount = overrides; - UpdateStackFromEntries(); - -} - - -inline void AppDomainStack::UpdateStackFromEntries() -{ - LIMITED_METHOD_CONTRACT; - DWORD dwAppDomainIndex = 0; - DWORD dwOverrides = 0; - DWORD dwAsserts = 0; - AppDomainStackEntry *pEntry = NULL; - for(dwAppDomainIndex=0;dwAppDomainIndex<m_numEntries;dwAppDomainIndex++) - { - pEntry = __GetEntryPtr(dwAppDomainIndex); - dwOverrides += pEntry->m_dwOverridesCount; - dwAsserts += pEntry->m_dwAsserts; - } - LOG((LF_APPDOMAIN, LL_INFO100, "UpdateStackFromEntries: m_dwAsserts:%d Calculated dwAsserts:%d.\n",m_dwAsserts,dwAsserts)); - - m_dwAsserts = dwAsserts; - m_dwOverridesCount = dwOverrides; - return; -} - -inline AppDomainStackEntry* AppDomainStack::ReadTopOfStack() -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(m_numEntries > 0); - AppDomainStackEntry* pEntry = NULL; - if (m_numEntries <= ADSTACK_BLOCK_SIZE) - { - pEntry = &(m_pStack[m_numEntries-1]); - } - else - { - pEntry = &(m_pExtraStack[m_numEntries-ADSTACK_BLOCK_SIZE-1]); - } - return pEntry; -} - -inline bool AppDomainStack::IsDefaultSecurityInfo() const -{ - LIMITED_METHOD_CONTRACT; - return (m_numEntries == 1 && m_pStack[0].m_domainID == ADID(DefaultADID) && - m_pStack[0].m_dwAsserts == 0 && m_pStack[0].m_dwOverridesCount == 0); -} -inline void AppDomainStack::ClearDomainStack() -{ - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - }CONTRACTL_END; - m_dwThreadWideSpecialFlags = 0xFFFFFFFF; - m_numEntries = 1; - FillEntries(m_pStack, ADSTACK_BLOCK_SIZE); - if (m_pExtraStack != NULL) - delete[] 
m_pExtraStack; - m_pExtraStack = NULL; - m_ExtraStackSize = 0; - m_dwOverridesCount = 0; - LOG((LF_APPDOMAIN, LL_INFO100, "ClearDomainStack: m_dwAsserts:%d setting to 0\n",m_dwAsserts)); - m_dwAsserts = 0; - m_pStack[0].m_domainID = ADID(DefaultADID); -} - -#endif diff --git a/src/vm/arm/stubs.cpp b/src/vm/arm/stubs.cpp index 3088761f0b..7cc937e99a 100644 --- a/src/vm/arm/stubs.cpp +++ b/src/vm/arm/stubs.cpp @@ -20,7 +20,6 @@ #include "cgensys.h" #include "asmconstants.h" #include "security.h" -#include "securitydescriptor.h" #include "virtualcallstub.h" #include "gcdump.h" #include "rtlfunctions.h" diff --git a/src/vm/assembly.cpp b/src/vm/assembly.cpp index 92c1ebd817..c9a995452c 100644 --- a/src/vm/assembly.cpp +++ b/src/vm/assembly.cpp @@ -129,8 +129,6 @@ Assembly::Assembly(BaseDomain *pDomain, PEAssembly* pFile, DebuggerAssemblyContr m_winMDStatus(WinMDStatus_Unknown), m_pManifestWinMDImport(NULL), #endif // FEATURE_COMINTEROP - m_pSharedSecurityDesc(NULL), - m_pTransparencyBehavior(NULL), m_fIsDomainNeutral(pDomain == SharedDomain::GetDomain()), #ifdef FEATURE_LOADER_OPTIMIZATION m_bMissingDependenciesCheckDone(FALSE), @@ -196,9 +194,6 @@ void Assembly::Init(AllocMemTracker *pamTracker, LoaderAllocator *pLoaderAllocat m_pClassLoader = new ClassLoader(this); m_pClassLoader->Init(pamTracker); - m_pSharedSecurityDesc = Security::CreateSharedSecurityDescriptor(this); - - COUNTER_ONLY(GetPerfCounters().m_Loading.cAssemblies++); #ifndef CROSSGEN_COMPILE @@ -400,9 +395,6 @@ void Assembly::Terminate( BOOL signalProfiler ) if (this->m_fTerminated) return; - - Security::DeleteSharedSecurityDescriptor(m_pSharedSecurityDesc); - m_pSharedSecurityDesc = NULL; if (m_pClassLoader != NULL) { @@ -610,8 +602,6 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs struct _gc { - OBJECTREF granted; - OBJECTREF denied; OBJECTREF cultureinfo; STRINGREF pString; OBJECTREF orArrayOrContainer; 
@@ -709,25 +699,6 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs
 // Set it as the fallback load context binder for the dynamic assembly being created
 pFile->SetFallbackLoadContextBinder(pFallbackLoadContextBinder);
-
- }
-
- AssemblyLoadSecurity loadSecurity;
- // In SilverLight all dynamic assemblies should be transparent and partially trusted, even if they are
- // created by platform assemblies. Thus they should inherit the grant sets from the appdomain not the
- // parent assembly.
- IApplicationSecurityDescriptor *pCurrentDomainSecDesc = ::GetAppDomain()->GetSecurityDescriptor();
- gc.granted = pCurrentDomainSecDesc->GetGrantedPermissionSet();
- DWORD dwSpecialFlags = pCurrentDomainSecDesc->GetSpecialFlags();
-
- // If the dynamic assembly creator did not specify evidence for the newly created assembly, then it
- // should inherit the grant set of the creation assembly.
- if (loadSecurity.m_pAdditionalEvidence == NULL)
- {
-
- loadSecurity.m_pGrantSet = &gc.granted;
- loadSecurity.m_pRefusedSet = &gc.denied;
- loadSecurity.m_dwSpecialFlags = dwSpecialFlags;
 }
 NewHolder<DomainAssembly> pDomainAssembly;
@@ -757,7 +728,7 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs
 }
 // Create a domain assembly
- pDomainAssembly = new DomainAssembly(pDomain, pFile, &loadSecurity, pLoaderAllocator);
+ pDomainAssembly = new DomainAssembly(pDomain, pFile, pLoaderAllocator);
 }
 // Start loading process
@@ -787,30 +758,6 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs
 pAssem->m_dwDynamicAssemblyAccess = args->access;
- // Making the dynamic assembly opportunistically critical in full trust CoreCLR and transparent otherwise.
- if (!GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- {
- args->flags = kTransparentAssembly;
- }
-
- // Fake up a module security descriptor for the assembly.
- TokenSecurityDescriptorFlags tokenFlags = TokenSecurityDescriptorFlags_None;
- if (args->flags & kAllCriticalAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_AllCritical;
- if (args->flags & kAptcaAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_APTCA;
- if (args->flags & kCriticalAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_Critical;
- if (args->flags & kTransparentAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_Transparent;
- if (args->flags & kTreatAsSafeAssembly)
- tokenFlags |= TokenSecurityDescriptorFlags_TreatAsSafe;
-
-
-
- _ASSERTE(pAssem->GetManifestModule()->m_pModuleSecurityDescriptor != NULL);
- pAssem->GetManifestModule()->m_pModuleSecurityDescriptor->OverrideTokenFlags(tokenFlags);
-
 // Set the additional strong name information
 pAssem->SetStrongNameLevel(Assembly::SN_NONE);
@@ -825,8 +772,7 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs
 // but we allow a couple of exceptions to reduce the compat risk: full trust, caller's own key.
 // As usual we treat anonymously hosted dynamic methods as partial trust code.
 DomainAssembly* pCallerDomainAssembly = pCallerAssembly->GetDomainAssembly(pCallersDomain);
- if (!pCallerDomainAssembly->GetSecurityDescriptor()->IsFullyTrusted() ||
- pCallerDomainAssembly == pCallersDomain->GetAnonymouslyHostedDynamicMethodsAssembly())
+ if (pCallerDomainAssembly == pCallersDomain->GetAnonymouslyHostedDynamicMethodsAssembly())
 {
 DWORD cbKey = 0;
 const void* pKey = pCallerAssembly->GetPublicKey(&cbKey);
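Review bot: The comment directly above the changed condition in the `@@ -825,8 +772,7 @@` hunk still names "full trust" as one of the exceptions (`// ... to reduce the compat risk: full trust, caller's own key.`), but the new condition no longer consults `IsFullyTrusted()` at all — the public-key restriction now applies only when the caller is the anonymously hosted dynamic methods assembly. The comment therefore describes a branch that the new code does not have; rewrite the two lines to something like `// The only remaining restriction is for the anonymously hosted dynamic methods assembly, which we continue to treat as partial trust code and so limit to the caller's own key.` The sentence this comment continues ("// but we allow ...") begins above the hunk, so the preceding comment line probably needs the same edit; CreateDynamic's body continues outside the hunk.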
@@ -855,11 +801,6 @@ Assembly *Assembly::CreateDynamic(AppDomain *pDomain, CreateDynamicAssemblyArgs pDomainAssembly->m_level = FILE_ACTIVE; } - // Force the transparency of the module to be computed now, so that we can catch any errors due to - // inconsistent assembly level attributes during the assembly creation call, rather than at some - // later point. - pAssem->GetManifestModule()->m_pModuleSecurityDescriptor->VerifyDataComputed(); - { CANNOTTHROWCOMPLUSEXCEPTION(); FAULT_FORBID(); @@ -902,11 +843,6 @@ void Assembly::SetDomainAssembly(DomainAssembly *pDomainAssembly) GetManifestModule()->SetDomainFile(pDomainAssembly); - IAssemblySecurityDescriptor *pSec = pDomainAssembly->GetSecurityDescriptor(); - - GCX_COOP(); - pSec->ResolvePolicy(GetSharedSecurityDescriptor(), pDomainAssembly->ShouldSkipPolicyResolution()); - } // Assembly::SetDomainAssembly #endif // #ifndef DACCESS_COMPILE 
@@ -980,81 +916,9 @@ PTR_BaseDomain Assembly::GetDomain() _ASSERTE(m_pDomain); return (m_pDomain); } -IAssemblySecurityDescriptor *Assembly::GetSecurityDescriptor(AppDomain *pDomain) -{ - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - SO_TOLERANT; - } - CONTRACTL_END - - IAssemblySecurityDescriptor* pSecDesc; - - if (pDomain == NULL) - { -#ifndef DACCESS_COMPILE - pDomain = ::GetAppDomain(); -#else //DACCESS_COMPILE - DacNotImpl(); -#endif //DACCESS_COMPILE - } - - PREFIX_ASSUME(FindDomainAssembly(pDomain) != NULL); - pSecDesc = FindDomainAssembly(pDomain)->GetSecurityDescriptor(); - - CONSISTENCY_CHECK(pSecDesc != NULL); - - return pSecDesc; -} #ifndef DACCESS_COMPILE -const SecurityTransparencyBehavior *Assembly::GetSecurityTransparencyBehavior() -{ - CONTRACT(const SecurityTransparencyBehavior *) - { - THROWS; - GC_TRIGGERS; - POSTCONDITION(CheckPointer(RETVAL)); - } - CONTRACT_END; - - if (m_pTransparencyBehavior == NULL) - { - ModuleSecurityDescriptor *pModuleSecurityDescriptor = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(this); - SetSecurityTransparencyBehavior(SecurityTransparencyBehavior::GetTransparencyBehavior(pModuleSecurityDescriptor->GetSecurityRuleSet())); - } - - RETURN(m_pTransparencyBehavior); -} - -// This method is like GetTransparencyBehavior, but will not attempt to get the transparency behavior if we -// don't already know it, and therefore may return NULL -const SecurityTransparencyBehavior *Assembly::TryGetSecurityTransparencyBehavior() -{ - LIMITED_METHOD_CONTRACT; - return m_pTransparencyBehavior; -} - - -// The transparency behavior object passed to this method must have a lifetime of at least as long -// as the assembly itself. 
-void Assembly::SetSecurityTransparencyBehavior(const SecurityTransparencyBehavior *pTransparencyBehavior) -{ - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - PRECONDITION(CheckPointer(pTransparencyBehavior)); - PRECONDITION(m_pTransparencyBehavior == NULL || m_pTransparencyBehavior == pTransparencyBehavior); - } - CONTRACTL_END; - - m_pTransparencyBehavior = pTransparencyBehavior; -} - void Assembly::SetParent(BaseDomain* pParent) { LIMITED_METHOD_CONTRACT; @@ -1647,11 +1511,6 @@ bool Assembly::IgnoresAccessChecksTo(Assembly *pAccessedAssembly) return false; } - if (!m_fIsDomainNeutral && !GetSecurityDescriptor(GetDomain()->AsAppDomain())->IsFullyTrusted()) - { - return false; - } - return m_pFriendAssemblyDescriptor->IgnoresAccessChecksTo(pAccessedAssembly); } @@ -2389,21 +2248,6 @@ BOOL Assembly::CanBeShared(DomainAssembly *pDomainAssembly) #endif // FEATURE_LOADER_OPTIMIZATION -#if defined(FEATURE_CORESYSTEM) -BOOL Assembly::AllowUntrustedCaller() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END - - return ModuleSecurityDescriptor::GetModuleSecurityDescriptor(this)->IsAPTCA(); -} -#endif // defined(FEATURE_CORESYSTEM) - void DECLSPEC_NORETURN Assembly::ThrowTypeLoadException(LPCUTF8 pszFullName, UINT resIDWhy) { WRAPPER_NO_CONTRACT; diff --git a/src/vm/assembly.hpp b/src/vm/assembly.hpp index 0fdb9a248a..fdb885494c 100644 --- a/src/vm/assembly.hpp +++ b/src/vm/assembly.hpp 
@@ -56,40 +56,17 @@ class FriendAssemblyDescriptor; #define ASSEMBLY_ACCESS_REFLECTION_ONLY 0x04 #define ASSEMBLY_ACCESS_COLLECT 0x8 -// This must match System.Reflection.Emit.DynamicAssemblyFlags in AssemblyBuilder.cs -enum DynamicAssemblyFlags -{ - kAllCriticalAssembly = 0x00000001, - kAptcaAssembly = 0x00000002, - kCriticalAssembly = 0x00000004, - kTransparentAssembly = 0x00000008, - kTreatAsSafeAssembly = 0x00000010 -}; - struct CreateDynamicAssemblyArgsGC { APPDOMAINREF refThis; - OBJECTREF identity; ASSEMBLYNAMEREF assemblyName; - U1ARRAYREF securityRulesBlob; - U1ARRAYREF aptcaBlob; LOADERALLOCATORREF loaderAllocator; }; -// This enumeration must be kept in sync with the managed enum System.Security.SecurityContextSource -typedef enum -{ - kCurrentAppDomain = 0, - kCurrentAssembly -} -SecurityContextSource; - struct CreateDynamicAssemblyArgs : CreateDynamicAssemblyArgsGC { INT32 access; - DynamicAssemblyFlags flags; StackCrawlMark* stackMark; - SecurityContextSource securityContextSource; }; // An assembly is the unit of deployment for managed code. Typically Assemblies are one to one with files @@ -270,10 +247,6 @@ public: BOOL GetModuleZapFile(LPCWSTR name, SString &path); -#if defined(FEATURE_CORESYSTEM) - BOOL AllowUntrustedCaller(); -#endif // defined(FEATURE_CORESYSTEM) - #ifdef LOGGING LPCWSTR GetDebugName() { 
@@ -529,16 +502,6 @@ public:
 OBJECTHANDLE GetLoaderAllocatorObjectHandle() { WRAPPER_NO_CONTRACT; return GetLoaderAllocator()->GetLoaderAllocatorObjectHandle(); }
 #endif // FEATURE_COLLECTIBLE_TYPES
- IAssemblySecurityDescriptor *GetSecurityDescriptor(AppDomain *pDomain = NULL);
- ISharedSecurityDescriptor *GetSharedSecurityDescriptor() { LIMITED_METHOD_CONTRACT; return m_pSharedSecurityDesc; }
-
-#ifndef DACCESS_COMPILE
- const SecurityTransparencyBehavior *GetSecurityTransparencyBehavior();
- const SecurityTransparencyBehavior *TryGetSecurityTransparencyBehavior();
- void SetSecurityTransparencyBehavior(const SecurityTransparencyBehavior *pTransparencyBehavior);
-#endif // !DACCESS_COMPILE
-
-
 BOOL CanBeShared(DomainAssembly *pAsAssembly);
 #ifdef FEATURE_LOADER_OPTIMIZATION
@@ -757,9 +720,6 @@ private:
 IWinMDImport *m_pManifestWinMDImport;
 #endif // FEATURE_COMINTEROP
- ISharedSecurityDescriptor* m_pSharedSecurityDesc; // Security descriptor (permission requests, signature etc)
- const SecurityTransparencyBehavior *m_pTransparencyBehavior; // Transparency implementation the assembly uses
-
 BOOL m_fIsDomainNeutral;
 #ifdef FEATURE_LOADER_OPTIMIZATION
 BOOL m_bMissingDependenciesCheckDone;
diff --git a/src/vm/assemblyname.cpp b/src/vm/assemblyname.cpp
index 6c8367e506..bc6034ae63 100644
--- a/src/vm/assemblyname.cpp
+++ b/src/vm/assemblyname.cpp
@@ -146,7 +146,7 @@ FCIMPL1(Object*, AssemblyNameNative::GetPublicKeyToken, Object* refThisUNSAFE)
 FCIMPLEND
-FCIMPL4(void, AssemblyNameNative::Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fForIntrospection, CLR_BOOL fRaiseResolveEvent)
+FCIMPL3(void, AssemblyNameNative::Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fRaiseResolveEvent)
 {
 FCALL_CONTRACT;
@@ -173,7 +173,7 @@ FCIMPL4(void, AssemblyNameNative::Init, Object * refThisUNSAFE, OBJECTREF * pAss
 }
 else if ((hr == FUSION_E_INVALID_NAME) && fRaiseResolveEvent)
 {
- Assembly * pAssembly = GetAppDomain()->RaiseAssemblyResolveEvent(&spec, fForIntrospection, FALSE);
+ Assembly * pAssembly = GetAppDomain()->RaiseAssemblyResolveEvent(&spec, FALSE, FALSE);
 if (pAssembly == NULL)
 {
diff --git a/src/vm/assemblyname.hpp b/src/vm/assemblyname.hpp
index 41e085cb24..0bfb0b5d37 100644
--- a/src/vm/assemblyname.hpp
+++ b/src/vm/assemblyname.hpp
@@ -23,7 +23,7 @@ public:
 static FCDECL1(Object*, ToString, Object* refThisUNSAFE);
 static FCDECL1(Object*, GetPublicKeyToken, Object* refThisUNSAFE);
 static FCDECL1(Object*, EscapeCodeBase, StringObject* filenameUNSAFE);
- static FCDECL4(void, Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fForIntrospection, CLR_BOOL fRaiseResolveEvent);
+ static FCDECL3(void, Init, Object * refThisUNSAFE, OBJECTREF * pAssemblyRef, CLR_BOOL fRaiseResolveEvent);
 };
 #endif // _AssemblyName_H
diff --git a/src/vm/assemblynative.cpp b/src/vm/assemblynative.cpp
index e9bcc2366b..e4f148a712 100644
--- a/src/vm/assemblynative.cpp
+++ b/src/vm/assemblynative.cpp
@@ -35,15 +35,12 @@
-FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
+FCIMPL7(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSAFE,
 StringObject* codeBaseUNSAFE,
- Object* securityUNSAFE,
 AssemblyBaseObject* requestingAssemblyUNSAFE,
 StackCrawlMark* stackMark,
 ICLRPrivBinder * pPrivHostBinder,
 CLR_BOOL fThrowOnFileNotFound,
- CLR_BOOL fForIntrospection,
- CLR_BOOL fSuppressSecurityChecks,
 INT_PTR ptrLoadContextBinder)
 {
 FCALL_CONTRACT;
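Review bot: The `FALSE` that replaces `fForIntrospection` in `RaiseAssemblyResolveEvent(&spec, FALSE, FALSE)` sits next to another bare `FALSE`, so a reader can no longer tell which parameter was dropped or what either literal means; this commit already uses the annotated form elsewhere (`FALSE /*fRaisePrebindEvents*/`), so write `RaiseAssemblyResolveEvent(&spec, FALSE /*fForIntrospection*/, FALSE)`. The `spec.InitializeSpec(..., FALSE, FALSE)` call in the `@@ -122,7 +109,7 @@` hunk of assemblynative.cpp has the same problem and should get the same annotation. The arity changes on this line — `FCDECL4`→`FCDECL3`/`FCIMPL4`→`FCIMPL3` for `AssemblyNameNative::Init` and `FCIMPL10`→`FCIMPL7` for `AssemblyNative::Load` — are matched to the managed `InternalCall` declarations purely by position with no compile-time check, and the managed side is not in this chunk, so verify those declarations dropped the same parameters in the same order. `Init`'s body continues outside the hunk.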
@@ -53,14 +50,12 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA
 ASSEMBLYNAMEREF assemblyName;
 STRINGREF codeBase;
 ASSEMBLYREF requestingAssembly;
- OBJECTREF security;
 ASSEMBLYREF rv;
 } gc;
 gc.assemblyName = (ASSEMBLYNAMEREF) assemblyNameUNSAFE;
 gc.codeBase = (STRINGREF) codeBaseUNSAFE;
 gc.requestingAssembly = (ASSEMBLYREF) requestingAssemblyUNSAFE;
- gc.security = (OBJECTREF) securityUNSAFE;
 gc.rv = NULL;
 HELPER_METHOD_FRAME_BEGIN_RET_PROTECT(gc);
@@ -68,12 +63,6 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA
 if (gc.assemblyName == NULL)
 COMPlusThrow(kArgumentNullException, W("ArgumentNull_AssemblyName"));
- if (fForIntrospection)
- {
- if (!GetThread()->GetDomain()->IsVerificationDomain())
- GetThread()->GetDomain()->SetIllegalVerificationDomain();
- }
-
 Thread * pThread = GetThread();
 CheckPointHolder cph(pThread->m_MarshalAlloc.GetCheckpoint()); //hold checkpoint for autorelease
@@ -84,10 +73,8 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA
 {
 if (gc.codeBase == NULL)
 COMPlusThrow(kArgumentException, W("Format_StringZeroLength"));
- if ((!fForIntrospection) && CorHost2::IsLoadFromBlocked())
- COMPlusThrow(kFileLoadException, FUSION_E_LOADFROM_BLOCKED);
 }
- else if (!fForIntrospection)
+ else
 {
 // name specified, if immersive ignore the codebase
 if (GetThread()->GetDomain()->HasLoadContextHostBinder())
@@ -122,7 +109,7 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA
 spec.InitializeSpec(&(pThread->m_MarshalAlloc),
 &gc.assemblyName,
 FALSE,
- fForIntrospection);
+ FALSE);
 if (!spec.HasUniqueIdentity())
 {
 // Insuficient assembly name for binding (e.g. ContentType=WindowsRuntime cannot bind by assembly name)
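Review bot: The `@@ -84,10 +73,8 @@` hunk removes the `CorHost2::IsLoadFromBlocked()` guard on the codebase path together with the introspection flag, and nothing on the new side replaces it. That guard is a host-configured setting rather than part of the CAS machinery this commit deletes, so unless the host API that sets it is removed in the same change (not visible in this chunk), a host that enables it will silently stop blocking codebase loads through `AssemblyNative::Load`. Either confirm the setter side is gone as well, or keep the check without the introspection clause: `if (CorHost2::IsLoadFromBlocked()) COMPlusThrow(kFileLoadException, FUSION_E_LOADFROM_BLOCKED);`. `Load`'s body continues outside these hunks.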
@@ -156,25 +143,11 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA
 spec.SetFallbackLoadContextBinderForRequestingAssembly(pRefAssemblyManifestFile->GetFallbackLoadContextBinder());
 }
- AssemblyLoadSecurity loadSecurity;
- loadSecurity.m_pAdditionalEvidence = &gc.security;
- loadSecurity.m_fCheckLoadFromRemoteSource = !!(gc.codeBase != NULL);
- loadSecurity.m_fSuppressSecurityChecks = !!fSuppressSecurityChecks;
-
- // If we're in an APPX domain, then all loads from the application will find themselves within the APPX package
- // graph or from a trusted location. However, assemblies within the package may have been marked by Windows as
- // not being from the MyComputer zone, which can trip the LoadFromRemoteSources check. Since we do not need to
- // defend against accidental loads from HTTP for APPX applications, we simply suppress the remote load check.
- if (AppX::IsAppXProcess())
- {
- loadSecurity.m_fCheckLoadFromRemoteSource = false;
- }
-
 Assembly *pAssembly;
 {
 GCX_PREEMP();
- pAssembly = spec.LoadAssembly(FILE_LOADED, &loadSecurity, fThrowOnFileNotFound, FALSE /*fRaisePrebindEvents*/, stackMark);
+ pAssembly = spec.LoadAssembly(FILE_LOADED, fThrowOnFileNotFound, FALSE /*fRaisePrebindEvents*/, stackMark);
 }
 if (pAssembly != NULL)
@@ -186,146 +159,6 @@ FCIMPL10(Object*, AssemblyNative::Load, AssemblyNameBaseObject* assemblyNameUNSA } FCIMPLEND -Assembly* AssemblyNative::LoadFromBuffer(BOOL fForIntrospection, const BYTE* pAssemblyData, UINT64 uAssemblyLength, const BYTE* pPDBData, UINT64 uPDBLength, StackCrawlMark* stackMark, Object * securityUNSAFE, SecurityContextSource securityContextSource) -{ - CONTRACTL - { - GC_TRIGGERS; - THROWS; - MODE_ANY; - } - CONTRACTL_END; - - Assembly *pAssembly; - - struct _gc { - OBJECTREF orefSecurity; - OBJECTREF granted; - OBJECTREF denied; - } gc; - - ZeroMemory(&gc, sizeof(gc)); - - GCPROTECT_BEGIN(gc); - - gc.orefSecurity = (OBJECTREF) securityUNSAFE; - - if((!fForIntrospection) && CorHost2::IsLoadFromBlocked()) - COMPlusThrow(kFileLoadException, FUSION_E_LOADFROM_BLOCKED); - - if (pAssemblyData == NULL) - COMPlusThrow(kArgumentNullException, W("ArgumentNull_Array")); - - if (fForIntrospection) { - if (!GetThread()->GetDomain()->IsVerificationDomain()) - GetThread()->GetDomain()->SetIllegalVerificationDomain(); - } - - // Get caller's assembly so we can extract their codebase and propagate it - // into the new assembly (which obviously doesn't have one of its own). - - AppDomain *pCallersDomain = NULL; - MethodDesc* pCallerMD = SystemDomain::GetCallersMethod (stackMark, &pCallersDomain); - Assembly *pCallersAssembly = (pCallerMD ? pCallerMD->GetAssembly() : NULL); - BOOL fPropagateIdentity = ((!fForIntrospection) && (gc.orefSecurity == NULL)); - - // Callers assembly can be null if caller is interop - // @todo: we really don't want to call this assembly "mscorlib" to anyone who asks - // for its code base. But the required effect here is that it recieves full trust - // as far as its codebase goes so this should be OK. 
We really need to allow a - // "no code base" condition to avoid confusion - if (pCallersAssembly == NULL) { - pCallersAssembly = SystemDomain::System()->SystemAssembly(); - } else { - } - - if ((COUNT_T)uAssemblyLength !=uAssemblyLength) // overflow - ThrowOutOfMemory(); - - PEAssemblyHolder pFile; - - { - GCX_PREEMP(); - - CLRPrivBinderLoadFile* pBinderToUse = NULL; - - pFile = PEAssembly::OpenMemory(pCallersAssembly->GetManifestFile(), - pAssemblyData, (COUNT_T)uAssemblyLength, - fForIntrospection, - pBinderToUse); - } - - fPropagateIdentity = (fPropagateIdentity && pCallersDomain && pCallersAssembly); - - AssemblyLoadSecurity loadSecurity; - loadSecurity.m_pEvidence = &gc.orefSecurity; - if (fPropagateIdentity) - { - DWORD dwSpecialFlags = 0; - - { - IApplicationSecurityDescriptor *pDomainSecDesc = pCallersDomain->GetSecurityDescriptor(); - - - - gc.granted = pDomainSecDesc->GetGrantedPermissionSet(); - dwSpecialFlags = pDomainSecDesc->GetSpecialFlags(); - } - - - // Instead of resolving policy, the loader should use an inherited grant set - loadSecurity.m_pGrantSet = &gc.granted; - loadSecurity.m_pRefusedSet = &gc.denied; - loadSecurity.m_dwSpecialFlags = dwSpecialFlags; - - // if the caller is from another appdomain we wil not be able to get the ssembly's security descriptor - // but that is ok, since getting a pointer to our AppDomain required full trust - if (!pCallersDomain->GetSecurityDescriptor()->IsFullyTrusted() || - ( pCallersAssembly->FindDomainAssembly(::GetAppDomain()) != NULL && !pCallersAssembly->GetSecurityDescriptor()->IsFullyTrusted()) ) - pFile->VerifyStrongName(); - } - pAssembly = GetPostPolicyAssembly(pFile, fForIntrospection, &loadSecurity, TRUE); - - // perform necessary Transparency checks for this Load(byte[]) call (based on the calling method). 
- if (pCallerMD) - { - Security::PerformTransparencyChecksForLoadByteArray(pCallerMD, pAssembly->GetSecurityDescriptor()); - } - - // In order to assign the PDB image (if present), - // the resulting assembly's image needs to be exactly the one - // we created above. We need pointer comparison instead of pe image equivalence - // to avoid mixed binaries/PDB pairs of other images. - // This applies to both Desktop CLR and CoreCLR, with or without fusion. - BOOL fIsSameAssembly = (pAssembly->GetManifestFile()->GetILimage() == pFile->GetILimage()); - - - LOG((LF_CLASSLOADER, - LL_INFO100, - "\tLoaded in-memory module\n")); - - // Setting the PDB info is only applicable for our original assembly. - // This applies to both Desktop CLR and CoreCLR, with or without fusion. - if (fIsSameAssembly) - { -#ifdef DEBUGGING_SUPPORTED - // If we were given symbols, save a copy of them. - // the debugger, load them now). - if (pPDBData != NULL) - { - GCX_PREEMP(); - if ((DWORD)uPDBLength != uPDBLength) // overflow - ThrowOutOfMemory(); - pAssembly->GetManifestModule()->SetSymbolBytes(pPDBData, (DWORD)uPDBLength); - } -#endif // DEBUGGING_SUPPORTED - } - - GCPROTECT_END(); - - return pAssembly; -} - /* static */ Assembly* AssemblyNative::LoadFromPEImage(ICLRPrivBinder* pBinderContext, PEImage *pILImage, PEImage *pNIImage) { 
@@ -409,27 +242,8 @@ Assembly* AssemblyNative::LoadFromPEImage(ICLRPrivBinder* pBinderContext, PEImag PEAssemblyHolder pPEAssembly(PEAssembly::Open(pParentAssembly, assem->GetPEImage(), assem->GetNativePEImage(), pAssembly, FALSE)); - GCX_COOP(); - - IApplicationSecurityDescriptor *pDomainSecDesc = pCurDomain->GetSecurityDescriptor(); - - OBJECTREF refGrantedPermissionSet = NULL; - AssemblyLoadSecurity loadSecurity; - DomainAssembly *pDomainAssembly = NULL; - - // Setup the AssemblyLoadSecurity to perform the assembly load - GCPROTECT_BEGIN(refGrantedPermissionSet); - - loadSecurity.m_dwSpecialFlags = pDomainSecDesc->GetSpecialFlags(); - refGrantedPermissionSet = pDomainSecDesc->GetGrantedPermissionSet(); - loadSecurity.m_pGrantSet = &refGrantedPermissionSet; - - pDomainAssembly = pCurDomain->LoadDomainAssembly(&spec, pPEAssembly, FILE_LOADED, &loadSecurity); - pLoadedAssembly = pDomainAssembly->GetAssembly(); - - GCPROTECT_END(); - - RETURN pLoadedAssembly; + DomainAssembly *pDomainAssembly = pCurDomain->LoadDomainAssembly(&spec, pPEAssembly, FILE_LOADED); + RETURN pDomainAssembly->GetAssembly(); } /* static */ 
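Review bot: The rewritten tail of LoadFromPEImage drops the `GCX_COOP();` that used to precede the load, so `pCurDomain->LoadDomainAssembly(&spec, pPEAssembly, FILE_LOADED)` now runs in whatever GC mode the function is in at that point; that is only correct if LoadDomainAssembly is MODE_ANY, which this hunk cannot confirm. The switch existed to protect the `refGrantedPermissionSet` OBJECTREF that is gone with the CAS code, so if the mode contract holds a one-line comment would spare the next reader the question: `// No GC mode switch needed: the only OBJECTREF this path held was the CAS grant set, now removed.` LoadFromPEImage begins outside the hunk.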
@@ -571,55 +385,6 @@ void QCALLTYPE AssemblyNative::LoadFromStream(INT_PTR ptrNativeAssemblyLoadConte END_QCALL; } - -/* static */ -Assembly* AssemblyNative::GetPostPolicyAssembly(PEAssembly *pFile, - BOOL fForIntrospection, - AssemblyLoadSecurity *pLoadSecurity, - BOOL fIsLoadByteArray /* = FALSE */) -{ - CONTRACT(Assembly*) - { - MODE_ANY; - THROWS; - GC_TRIGGERS; - PRECONDITION(CheckPointer(pFile)); - PRECONDITION(CheckPointer(pLoadSecurity)); - POSTCONDITION(CheckPointer(RETVAL)); - } - CONTRACT_END; - - GCX_PREEMP(); - - if (fIsLoadByteArray) - { - PEImage *pPEImage = pFile->GetILimage(); - HRESULT hr = S_OK; - PTR_AppDomain pCurDomain = GetAppDomain(); - CLRPrivBinderCoreCLR *pTPABinder = pCurDomain->GetTPABinderContext(); - - _ASSERTE(pCurDomain->GetFusionContext() == pTPABinder); - hr = pTPABinder->PreBindByteArray(pPEImage, fForIntrospection); - if (hr == S_OK) - { - AssemblySpec spec; - spec.InitializeSpec(pFile); - - // Set the binder associated with the AssemblySpec - spec.SetBindingContext(pTPABinder); - RETURN spec.LoadAssembly(FILE_LOADED, pLoadSecurity); - } - else - { - _ASSERTE(hr != S_FALSE); - ThrowHR(hr); - } - } - - RETURN GetAppDomain()->LoadAssembly(NULL, pFile, FILE_LOADED, pLoadSecurity); -} - - void QCALLTYPE AssemblyNative::GetLocation(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString) { QCALL_CONTRACT; 
@@ -633,19 +398,6 @@ void QCALLTYPE AssemblyNative::GetLocation(QCall::AssemblyHandle pAssembly, QCal END_QCALL; } -FCIMPL1(FC_BOOL_RET, AssemblyNative::IsReflectionOnly, AssemblyBaseObject *pAssemblyUNSAFE) -{ - FCALL_CONTRACT; - - ASSEMBLYREF refAssembly = (ASSEMBLYREF)ObjectToOBJECTREF(pAssemblyUNSAFE); - - if (refAssembly == NULL) - FCThrowRes(kArgumentNullException, W("Arg_InvalidHandle")); - - FC_RETURN_BOOL(refAssembly->GetDomainAssembly()->IsIntrospectionOnly()); -} -FCIMPLEND - void QCALLTYPE AssemblyNative::GetType(QCall::AssemblyHandle pAssembly, LPCWSTR wszName, BOOL bThrowOnError, BOOL bIgnoreCase, QCall::ObjectHandleOnStack retType, QCall::ObjectHandleOnStack keepAlive) { CONTRACTL 
@@ -1420,99 +1172,6 @@ void QCALLTYPE AssemblyNative::GetEntryAssembly(QCall::ObjectHandleOnStack retAs return; } - -void QCALLTYPE AssemblyNative::GetGrantSet(QCall::AssemblyHandle pAssembly, QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - IAssemblySecurityDescriptor *pSecDesc = pAssembly->GetSecurityDescriptor(); - - { - GCX_COOP(); - - pSecDesc->Resolve(); - - OBJECTREF granted, denied; - - granted = pSecDesc->GetGrantedPermissionSet(&denied); - - retGranted.Set(granted); - retDenied.Set(denied); - } - - END_QCALL; -} - -// -// QCalls to determine if everything introduced by the assembly is either security critical or safe critical -// - -// static -BOOL QCALLTYPE AssemblyNative::IsAllSecurityCritical(QCall::AssemblyHandle pAssembly) -{ - QCALL_CONTRACT; - - BOOL fIsCritical = FALSE; - - BEGIN_QCALL; - - fIsCritical = pAssembly->GetSecurityDescriptor()->IsAllCritical(); - - END_QCALL; - - return fIsCritical; -} - -// static -BOOL QCALLTYPE AssemblyNative::IsAllSecuritySafeCritical(QCall::AssemblyHandle pAssembly) -{ - QCALL_CONTRACT; - - BOOL fIsSafeCritical = FALSE; - - BEGIN_QCALL; - - fIsSafeCritical = pAssembly->GetSecurityDescriptor()->IsAllSafeCritical(); - - END_QCALL; - - return fIsSafeCritical; -} - -// static -BOOL QCALLTYPE AssemblyNative::IsAllPublicAreaSecuritySafeCritical(QCall::AssemblyHandle pAssembly) -{ - QCALL_CONTRACT; - - BOOL fIsAllPublicAreaSafeCritical = FALSE; - - BEGIN_QCALL; - - fIsAllPublicAreaSafeCritical = pAssembly->GetSecurityDescriptor()->IsAllPublicAreaSafeCritical(); - - END_QCALL; - - return fIsAllPublicAreaSafeCritical; -} - -// static -BOOL QCALLTYPE AssemblyNative::IsAllSecurityTransparent(QCall::AssemblyHandle pAssembly) -{ - QCALL_CONTRACT; - - BOOL fIsTransparent = FALSE; - - BEGIN_QCALL; - - fIsTransparent = pAssembly->GetSecurityDescriptor()->IsAllTransparent(); - - END_QCALL; - - return fIsTransparent; -} - // return the on disk assembly module for 
reflection emit. This only works for dynamic assembly. FCIMPL1(ReflectModuleBaseObject *, AssemblyNative::GetOnDiskAssemblyModule, AssemblyBaseObject* pAssemblyUNSAFE) { diff --git a/src/vm/assemblynative.hpp b/src/vm/assemblynative.hpp index 71e8b51181..267231bd99 100644 --- a/src/vm/assemblynative.hpp +++ b/src/vm/assemblynative.hpp @@ -24,20 +24,6 @@ class AssemblyNative friend class BaseDomain; friend class DomainAssembly; -private: - static Assembly* GetPostPolicyAssembly(PEAssembly *pFile, - BOOL fForIntrospection, - AssemblyLoadSecurity *pLoadSecurity, - BOOL fIsLoadByteArray = FALSE); - - static Assembly* LoadFromBuffer(BOOL fForIntrospection, - const BYTE* pAssemblyData, - UINT64 uAssemblyLength, - const BYTE* pPDBData, - UINT64 uPDBLength, - StackCrawlMark* stackMark, - Object * securityUNSAFE, - SecurityContextSource securityContextSource); public: // static FCALLs static @@ -46,15 +32,12 @@ public: static void QCALLTYPE GetExecutingAssembly(QCall::StackCrawlMarkHandle stackMark, QCall::ObjectHandleOnStack retAssembly); - static FCDECL10(Object*, Load, AssemblyNameBaseObject* assemblyNameUNSAFE, + static FCDECL7(Object*, Load, AssemblyNameBaseObject* assemblyNameUNSAFE, StringObject* codeBaseUNSAFE, - Object* securityUNSAFE, AssemblyBaseObject* requestingAssemblyUNSAFE, StackCrawlMark* stackMark, ICLRPrivBinder * pPrivHostBinder, CLR_BOOL fThrowOnFileNotFound, - CLR_BOOL fForIntrospection, - CLR_BOOL fSuppressSecurityChecks, INT_PTR ptrLoadContextBinder); // @@ -84,9 +67,6 @@ public: void QCALLTYPE GetLocation(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString); static - FCDECL1(FC_BOOL_RET, IsReflectionOnly, AssemblyBaseObject * pAssemblyUNSAFE); - - static void QCALLTYPE GetCodeBase(QCall::AssemblyHandle pAssembly, BOOL fCopiedName, QCall::StringHandleOnStack retString); static 
@@ -138,27 +118,8 @@ public: static FCDECL1(ReflectModuleBaseObject *, GetOnDiskAssemblyModule, AssemblyBaseObject * pAssemblyUNSAFE); static FCDECL1(ReflectModuleBaseObject *, GetInMemoryAssemblyModule, AssemblyBaseObject * pAssemblyUNSAFE); - - static - void QCALLTYPE GetGrantSet(QCall::AssemblyHandle pAssembly, QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied); - - static - BOOL QCALLTYPE IsAllSecurityCritical(QCall::AssemblyHandle pAssembly); - - static - BOOL QCALLTYPE IsAllSecuritySafeCritical(QCall::AssemblyHandle pAssembly); - - static - BOOL QCALLTYPE IsAllPublicAreaSecuritySafeCritical(QCall::AssemblyHandle pAssembly); - - static - BOOL QCALLTYPE IsAllSecurityTransparent(QCall::AssemblyHandle pAssembly); - static void QCALLTYPE GetImageRuntimeVersion(QCall::AssemblyHandle pAssembly, QCall::StringHandleOnStack retString); - - static - INT64 QCALLTYPE GetHostContext(QCall::AssemblyHandle pAssembly); // diff --git a/src/vm/assemblyspec.cpp b/src/vm/assemblyspec.cpp index e5952c24d2..9ec1d97086 100644 --- a/src/vm/assemblyspec.cpp +++ b/src/vm/assemblyspec.cpp @@ -719,7 +719,7 @@ PEAssembly *AssemblySpec::ResolveAssemblyFile(AppDomain *pDomain, BOOL fPreBind) } -Assembly *AssemblySpec::LoadAssembly(FileLoadLevel targetLevel, AssemblyLoadSecurity *pLoadSecurity, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark) +Assembly *AssemblySpec::LoadAssembly(FileLoadLevel targetLevel, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark) { CONTRACTL { 
@@ -729,7 +729,7 @@ Assembly *AssemblySpec::LoadAssembly(FileLoadLevel targetLevel, AssemblyLoadSecu } CONTRACTL_END; - DomainAssembly * pDomainAssembly = LoadDomainAssembly(targetLevel, pLoadSecurity, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark); + DomainAssembly * pDomainAssembly = LoadDomainAssembly(targetLevel, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark); if (pDomainAssembly == NULL) { _ASSERTE(!fThrowOnFileNotFound); return NULL; @@ -857,7 +857,6 @@ ICLRPrivBinder* AssemblySpec::GetBindingContextFromParentAssembly(AppDomain *pDo } DomainAssembly *AssemblySpec::LoadDomainAssembly(FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark) @@ -912,11 +911,11 @@ DomainAssembly *AssemblySpec::LoadDomainAssembly(FileLoadLevel targetLevel, } - PEAssemblyHolder pFile(pDomain->BindAssemblySpec(this, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark, pLoadSecurity)); + PEAssemblyHolder pFile(pDomain->BindAssemblySpec(this, fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark)); if (pFile == NULL) RETURN NULL; - pAssembly = pDomain->LoadDomainAssembly(this, pFile, targetLevel, pLoadSecurity); + pAssembly = pDomain->LoadDomainAssembly(this, pFile, targetLevel); RETURN pAssembly; } diff --git a/src/vm/assemblyspec.hpp b/src/vm/assemblyspec.hpp index ae02f20ccf..2415aea738 100644 --- a/src/vm/assemblyspec.hpp +++ b/src/vm/assemblyspec.hpp 
@@ -224,12 +224,10 @@ class AssemblySpec : public BaseAssemblySpec StackCrawlMark *pCallerStackMark = NULL ); Assembly *LoadAssembly(FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity = NULL, BOOL fThrowOnFileNotFound = TRUE, BOOL fRaisePrebindEvents = TRUE, StackCrawlMark *pCallerStackMark = NULL); DomainAssembly *LoadDomainAssembly(FileLoadLevel targetLevel, - AssemblyLoadSecurity *pLoadSecurity = NULL, BOOL fThrowOnFileNotFound = TRUE, BOOL fRaisePrebindEvents = TRUE, StackCrawlMark *pCallerStackMark = NULL); diff --git a/src/vm/ceeload.cpp b/src/vm/ceeload.cpp index 41ea693d03..e989bb059f 100644 --- a/src/vm/ceeload.cpp +++ b/src/vm/ceeload.cpp @@ -501,11 +501,6 @@ void Module::InitializeNativeImage(AllocMemTracker* pamTracker) } CONTRACTL_END; - if(m_pModuleSecurityDescriptor) - { - _ASSERTE(m_pModuleSecurityDescriptor->GetModule() == this); - } - PEImageLayout * pNativeImage = GetNativeImage(); ExecutionManager::AddNativeImageRange(dac_cast<TADDR>(pNativeImage->GetBase()), pNativeImage->GetVirtualSize(), this); @@ -606,9 +601,6 @@ void Module::Initialize(AllocMemTracker *pamTracker, LPCWSTR szName) { FastInterlockOr(&m_dwPersistedFlags, LOW_LEVEL_SYSTEM_ASSEMBLY_BY_NAME); } - - _ASSERT(m_pModuleSecurityDescriptor == NULL); - m_pModuleSecurityDescriptor = new ModuleSecurityDescriptor(this); } m_dwTransientFlags &= ~((DWORD)CLASSES_FREED); // Set flag indicating LookupMaps are now in a consistent and destructable state @@ -1450,9 +1442,6 @@ void Module::Destruct() #endif // FEATURE_PREJIT { m_file->Release(); - - if (m_pModuleSecurityDescriptor) - delete m_pModuleSecurityDescriptor; } // If this module was loaded as domain-specific, then @@ -3554,13 +3543,6 @@ PTR_BaseDomain Module::GetDomain() #ifndef DACCESS_COMPILE -IAssemblySecurityDescriptor *Module::GetSecurityDescriptor() -{ - WRAPPER_NO_CONTRACT; - _ASSERTE(m_pAssembly != NULL); - return m_pAssembly->GetSecurityDescriptor(); -} - #ifndef CROSSGEN_COMPILE void Module::StartUnload() { 
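Review bot: Removing `AssemblyLoadSecurity *pLoadSecurity = NULL` from the middle of `LoadAssembly` and `LoadDomainAssembly` in assemblyspec.hpp shifts the remaining defaulted parameters left, and because the parameter that inherits the slot is `BOOL fThrowOnFileNotFound = TRUE`, any caller still passing `NULL` positionally for the old parameter keeps compiling and silently turns file-not-found from a throw into a NULL return. The call sites updated in the assemblyspec.cpp hunks above pass the new arity, but the header cannot show whether other callers exist, so a grep for `LoadAssembly(` / `LoadDomainAssembly(` with a NULL second argument is worth doing before merging. The same hazard applies to `CompilationDomain::BindAssemblySpec` in the compile.h hunk further down, where the slot is taken over by `BOOL fUseHostBinderIfAvailable = TRUE`.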
@@ -3815,7 +3797,6 @@ ISymUnmanagedReader *Module::GetISymUnmanagedReader(void) { INSTANCE_CHECK; POSTCONDITION(CheckPointer(RETVAL, NULL_OK)); - PRECONDITION(Security::IsResolved(GetAssembly())); THROWS; WRAPPER(GC_TRIGGERS); MODE_ANY; @@ -4040,16 +4021,7 @@ BOOL Module::IsSymbolReadingEnabled() #endif // DEBUGGING_SUPPORTED - // Default policy - only read symbols corresponding to full-trust assemblies. - // Note that there is no strong (cryptographic) connection between a symbol file and its assembly. - // The intent here is just to ensure that the common high-risk scenarios (AppLaunch, etc) - // will never be able to load untrusted PDB files. - // - if (GetSecurityDescriptor()->IsFullyTrusted()) - { - return TRUE; - } - return FALSE; + return TRUE; } // At this point, this is only called when we're creating an appdomain @@ -5713,7 +5685,7 @@ DomainAssembly * Module::LoadAssembly( { spec.SetWindowsRuntimeType(szWinRtTypeNamespace, szWinRtTypeClassName); } - pDomainAssembly = GetAppDomain()->LoadDomainAssembly(&spec, pFile, FILE_LOADED, NULL); + pDomainAssembly = GetAppDomain()->LoadDomainAssembly(&spec, pFile, FILE_LOADED); } if (pDomainAssembly != NULL) @@ -6466,10 +6438,6 @@ BOOL Module::CanExecuteCode() // not have been fixed up. if (!pPEAssembly->IsDll() && !pPEAssembly->IsILOnly()) return FALSE; - - // If the assembly does not have FullTrust, we should not execute its code. - if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted()) - return FALSE; #endif // FEATURE_PREJIT return TRUE; @@ -9042,12 +9010,6 @@ void Module::Save(DataImage *image) DataImage::ITEM_DYNAMIC_STATICS_INFO_TABLE); } - // save the module security descriptor - if (m_pModuleSecurityDescriptor) - { - m_pModuleSecurityDescriptor->Save(image); - } - InlineTrackingMap *inlineTrackingMap = image->GetInlineTrackingMap(); if (inlineTrackingMap) { 
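Review bot: `Module::IsSymbolReadingEnabled` now ends in an unconditional `return TRUE;`, and the removed comment was the only place recording that a symbol file has no cryptographic tie to its assembly and that the trust check was the guard against loading untrusted PDB data; with it gone, the reader cannot tell whether the remaining gates above the hunk (only `#endif // DEBUGGING_SUPPORTED` is visible) are meant to be the whole policy. Suggest keeping the rationale on the new side: `// CoreCLR has no partial trust, so the checks above are the only remaining gates on symbol reading.` The function's beginning is outside the hunk.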
@@ -10030,17 +9992,6 @@ void Module::Fixup(DataImage *image) } } - // fix up module security descriptor - if (m_pModuleSecurityDescriptor) - { - image->FixupPointerField(this, offsetof(Module, m_pModuleSecurityDescriptor)); - m_pModuleSecurityDescriptor->Fixup(image); - } - else - { - image->ZeroPointerField(this, offsetof(Module, m_pModuleSecurityDescriptor)); - } - // If we failed to load some types we need to reset the pointers to the static offset tables so they'll be // rebuilt at runtime. if (m_pRegularStaticOffsets != (PTR_DWORD)NGEN_STATICS_ALLCLASSES_WERE_LOADED) diff --git a/src/vm/ceeload.h b/src/vm/ceeload.h index 2f3fe90a08..41c88e37cb 100644 --- a/src/vm/ceeload.h +++ b/src/vm/ceeload.h @@ -52,7 +52,6 @@ class Stub; class MethodDesc; class FieldDesc; class Crst; -class IAssemblySecurityDescriptor; class ClassConverter; class RefClassWriter; class ReflectionModule; @@ -73,7 +72,6 @@ class MethodTable; class AppDomain; class DynamicMethodTable; struct CerPrepInfo; -class ModuleSecurityDescriptor; #ifdef FEATURE_PREJIT class CerNgenRootTable; struct MethodContextElement; @@ -1884,7 +1882,6 @@ protected: ClassLoader *GetClassLoader(); PTR_BaseDomain GetDomain(); ReJitManager * GetReJitManager(); - IAssemblySecurityDescriptor* GetSecurityDescriptor(); mdFile GetModuleRef() { @@ -3420,8 +3417,6 @@ private: #endif // defined(FEATURE_PREJIT) public: - ModuleSecurityDescriptor* m_pModuleSecurityDescriptor; - #if !defined(DACCESS_COMPILE) && defined(FEATURE_PREJIT) PTR_Assembly GetNativeMetadataAssemblyRefFromCache(DWORD rid) { diff --git a/src/vm/ceemain.cpp b/src/vm/ceemain.cpp index c82f7d4ee5..cbba6f69f0 100644 --- a/src/vm/ceemain.cpp +++ b/src/vm/ceemain.cpp 
@@ -486,10 +486,6 @@ void InitializeStartupFlags() InitializeHeapType((flags & STARTUP_SERVER_GC) != 0); g_heap_type = (flags & STARTUP_SERVER_GC) == 0 ? GC_HEAP_WKS : GC_HEAP_SVR; - -#ifdef FEATURE_LOADER_OPTIMIZATION - g_dwGlobalSharePolicy = (flags&STARTUP_LOADER_OPTIMIZATION_MASK)>>1; -#endif } #endif // CROSSGEN_COMPILE @@ -1006,9 +1002,6 @@ void EEStartupHelper(COINITIEE fFlags) StackwalkCache::Init(); - // Start up security - Security::Start(); - AppDomain::CreateADUnloadStartEvent(); // In coreclr, clrjit is compiled into it, but SO work in clrjit has not been done. @@ -1104,10 +1097,6 @@ void EEStartupHelper(COINITIEE fFlags) g_MiniMetaDataBuffMaxSize, MEM_COMMIT, PAGE_READWRITE); #endif // FEATURE_MINIMETADATA_IN_TRIAGEDUMPS - // Load mscorsn.dll if the app requested the legacy mode in its configuration file. - if (g_pConfig->LegacyLoadMscorsnOnStartup()) - IfFailGo(LoadMscorsn()); - #endif // CROSSGEN_COMPILE g_fEEStarted = TRUE; diff --git a/src/vm/class.h b/src/vm/class.h index e3ec0ba166..8395834ca3 100644 --- a/src/vm/class.h +++ b/src/vm/class.h @@ -703,9 +703,6 @@ class EEClassOptionalFields #define MODULE_NON_DYNAMIC_STATICS ((DWORD)-1) DWORD m_cbModuleDynamicID; - - SecurityProperties m_SecProps; - #if defined(UNIX_AMD64_ABI) && defined(FEATURE_UNIX_AMD64_STRUCT_PASSING) // Number of eightBytes in the following arrays int m_numberEightBytes; 
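Review bot: `Security::Start();` is removed from EEStartupHelper while other hunks in this commit keep calling into `Security::` (for example `Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_SKIP_VER)` in COMDelegate::BindToMethod and `Security::IsTransparencyEnforcementEnabled()` in AccessCheckOptions::DemandMemberAccess); if any surviving entry point depends on state that Start() used to set up, it now runs against uninitialised state. The body of Start() is not in the diff, so this may well be fine, but it deserves a sentence in the commit description or a comment where the call was, e.g. `// Security::Start() is gone: the remaining Security:: helpers need no startup state.` if that is indeed the case.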
@@ -881,46 +878,6 @@ public: // class is blittable BOOL IsBlittable(); - // - // Security properties accessor methods - // - - inline BOOL RequiresLinktimeCheck() - { - WRAPPER_NO_CONTRACT; - PSecurityProperties psp = GetSecurityProperties(); - return psp && psp->RequiresLinktimeCheck(); - } - - inline BOOL RequiresLinkTimeCheckHostProtectionOnly() - { - WRAPPER_NO_CONTRACT; - PSecurityProperties psp = GetSecurityProperties(); - return psp && psp->RequiresLinkTimeCheckHostProtectionOnly(); - } - - inline BOOL RequiresInheritanceCheck() - { - WRAPPER_NO_CONTRACT; - PSecurityProperties psp = GetSecurityProperties(); - return psp && psp->RequiresInheritanceCheck(); - } - - inline BOOL RequiresCasInheritanceCheck() - { - WRAPPER_NO_CONTRACT; - PSecurityProperties psp = GetSecurityProperties(); - return psp && psp->RequiresCasInheritanceCheck(); - } - - inline BOOL RequiresNonCasInheritanceCheck() - { - WRAPPER_NO_CONTRACT; - PSecurityProperties psp = GetSecurityProperties(); - return psp && psp->RequiresNonCasInheritanceCheck(); - } - - #ifndef DACCESS_COMPILE void *operator new(size_t size, LoaderHeap* pHeap, AllocMemTracker *pamTracker); void Destruct(MethodTable * pMT); @@ -1662,18 +1619,6 @@ public: static void GetBestFitMapping(MethodTable * pMT, BOOL *pfBestFitMapping, BOOL *pfThrowOnUnmappableChar); /* - * Security attributes for the class are stored here. Do not update this field after the - * class is constructed without also updating the enum_flag_NoSecurityProperties on the - * methodtable. - */ - inline SecurityProperties* GetSecurityProperties() - { - LIMITED_METHOD_CONTRACT; - return HasOptionalFields() ? &GetOptionalFields()->m_SecProps : NULL; - } - - - /* * The CorElementType for this class (most classes = ELEMENT_TYPE_CLASS) */ public: diff --git a/src/vm/class.inl b/src/vm/class.inl index 1a7e169ed7..bc86e84101 100644 --- a/src/vm/class.inl +++ b/src/vm/class.inl 
@@ -49,7 +49,6 @@ inline void EEClassOptionalFields::Init()
 m_WinRTRedirectedTypeIndex = WinMDAdapter::RedirectedTypeIndex_Invalid;
 #endif // FEATURE_COMINTEROP
 m_cbModuleDynamicID = MODULE_NON_DYNAMIC_STATICS;
- m_SecProps = 0;
 #if defined(UNIX_AMD64_ABI) && defined(FEATURE_UNIX_AMD64_STRUCT_PASSING)
 m_numberEightBytes = 0;
 #endif // UNIX_AMD64_ABI && FEATURE_UNIX_AMD64_STRUCT_PASSING
diff --git a/src/vm/classcompat.cpp b/src/vm/classcompat.cpp
index 0bd1c2da06..91004cdbc7 100644
--- a/src/vm/classcompat.cpp
+++ b/src/vm/classcompat.cpp
@@ -25,7 +25,6 @@
 #include "threads.h"
 #include "stublink.h"
 #include "dllimport.h"
-#include "verifier.hpp"
 #include "jitinterface.h"
 #include "eeconfig.h"
 #include "log.h"
@@ -2822,32 +2821,6 @@ VOID MethodTableBuilder::EnumerateClassMethods() Classification = mcIL; } - -#ifdef _DEBUG - // We don't allow stack based declarative security on ecalls, fcalls and - // other special purpose methods implemented by the EE (the interceptor - // we use doesn't play well with non-jitted stubs). - if ((Classification == mcFCall || Classification == mcEEImpl) && - (IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass()))) - { - DWORD dwSecFlags; - DWORD dwNullDeclFlags; - - if (IsTdHasSecurity(GetAttrClass()) && - SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, GetCl(), &dwSecFlags, &dwNullDeclFlags))) - { - CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS), - "Cannot add stack based declarative security to a class containing an ecall/fcall/special method."); - } - if (IsMdHasSecurity(dwMemberAttrs) && - SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, tok, &dwSecFlags, &dwNullDeclFlags))) - { - CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS), - "Cannot add stack based declarative security to an ecall/fcall/special method."); - } - } -#endif // _DEBUG - // Generic methods should always be mcInstantiated if (!((numGenericMethodArgs == 0) || ((Classification & mdcClassification) == mcInstantiated))) { diff --git a/src/vm/clrprivtypecachewinrt.cpp b/src/vm/clrprivtypecachewinrt.cpp index 004d14e88c..31253921cb 100644 --- a/src/vm/clrprivtypecachewinrt.cpp +++ b/src/vm/clrprivtypecachewinrt.cpp @@ -36,9 +36,8 @@ CLRPrivTypeCacheWinRT::ContainsType( // Find DomainAssembly * (can be cached if this is too slow to call always) DomainAssembly * pDomainAssembly = pAppDomain->LoadDomainAssembly( nullptr, // pIdentity - pPEAssembly, - FILE_LOAD_DELIVER_EVENTS, - nullptr); // pLoadSecurity + pPEAssembly, + FILE_LOAD_DELIVER_EVENTS); // Convert the type name into namespace and class name in UTF8 StackSString ssTypeNameWCHAR(wszTypeName); 
diff --git a/src/vm/clsload.cpp b/src/vm/clsload.cpp index d1931479c3..e0d8d73351 100644 --- a/src/vm/clsload.cpp +++ b/src/vm/clsload.cpp @@ -2071,8 +2071,7 @@ ClassLoader::LoadTypeHandleThrowing( BOOL fTrustTD = TRUE; #ifndef DACCESS_COMPILE CONTRACT_VIOLATION(ThrowsViolation); - BOOL fVerifyTD = (FoundExportedType != mdTokenNil) && - !pClsLdr->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted(); + BOOL fVerifyTD = FALSE; // If this is an exported type with a mdTokenNil class token, then then // exported type did not give a typedefID hint. We won't be able to trust the typedef @@ -4970,10 +4969,6 @@ BOOL AccessCheckOptions::DemandMemberAccess(AccessCheckContext *pContext, Method // classes/members in app code. if (m_accessCheckType != kMemberAccess && pTargetMT) { - // m_accessCheckType must be kRestrictedMemberAccess if we are running in PT. - _ASSERTE(GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted() || - m_accessCheckType == kRestrictedMemberAccess); - if (visibilityCheck && Security::IsTransparencyEnforcementEnabled()) { // In CoreCLR RMA means visibility checks always succeed if the target is user code. @@ -5486,12 +5481,6 @@ static BOOL CheckTransparentAccessToCriticalCode( pOptionalTargetField, pOptionalTargetType)) { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pContext->GetCallerMethod(), "Transparent code accessing a critical type, method, or field", pOptionalTargetMethod); - } -#endif // _DEBUG return accessCheckOptions.DemandMemberAccessOrFail(pContext, pTargetMT, FALSE /*visibilityCheck*/); } diff --git a/src/vm/clsload.hpp b/src/vm/clsload.hpp index 2ee6524a7b..656f260e01 100644 --- a/src/vm/clsload.hpp +++ b/src/vm/clsload.hpp @@ -36,7 +36,6 @@ class PendingTypeLoadTable; class EEClass; class Thread; class EETypeHashTable; -class IAssemblySecurityDescriptor; class DynamicResolver; class SigPointer; 
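Review bot: `BOOL fVerifyTD = FALSE;` in ClassLoader::LoadTypeHandleThrowing turns the variable into a constant, so whatever branch consumes fVerifyTD further down (outside the hunk) is now dead, and the comment that follows still reads as though verification of the typedef hint could happen. Either remove the variable together with its dependent branch, or say why it is fixed on the new side, e.g. `// Exported-type typedef hints are always trusted: CoreCLR has no partial-trust assemblies.`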
diff --git a/src/vm/comcallablewrapper.cpp b/src/vm/comcallablewrapper.cpp index 540c708f16..156db505f7 100644 --- a/src/vm/comcallablewrapper.cpp +++ b/src/vm/comcallablewrapper.cpp @@ -48,6 +48,7 @@ #include "rcwwalker.h" #include "windowsruntimebufferhelper.h" #include "winrttypenameconverter.h" +#include "typestring.h" #ifdef MDA_SUPPORTED const int DEBUG_AssertSlots = 50; @@ -1933,28 +1934,6 @@ IUnknown* SimpleComCallWrapper::QIStandardInterface(REFIID riid) } break; - CASE_IID_INLINE( enum_IObjectSafety ,0xCB5BDC81,0x93C1,0x11cf,0x8F,0x20,0x00,0x80,0x5F,0x2C,0xD0,0x64) - { - // Don't implement IObjectSafety by default. - // Use IObjectSafety only for IE Hosting or similar hosts - // which create sandboxed AppDomains. - // Unconditionally implementing IObjectSafety would allow - // Untrusted scripts to use managed components. - // Managed components could implement their own IObjectSafety to - // override this. - BOOL bShouldProvideIObjectSafety=FALSE; - { - GCX_COOP(); - AppDomainFromIDHolder pDomain(GetDomainID(), FALSE); - if (!pDomain.IsUnloaded()) - bShouldProvideIObjectSafety=!pDomain->GetSecurityDescriptor()->IsFullyTrusted(); - } - - if(bShouldProvideIObjectSafety) - RETURN QIStandardInterface(enum_IObjectSafety); - } - break; - CASE_IID_INLINE( enum_IAgileObject ,0x94ea2b94,0xe9cc,0x49e0,0xc0,0xff,0xee,0x64,0xca,0x8f,0x5b,0x90) { // Don't implement IAgileObject if we are aggregated, if we are in a non AppX process, if the object explicitly implements IMarshal, 
@@ -2665,32 +2644,6 @@ void ComCallWrapper::FreeWrapper(ComCallWrapperCache *pWrapperCache) pWrapperCache->Release(); } -void ComCallWrapper::DoScriptingSecurityCheck() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // If the object is shared or agile, and the current domain doesn't have - // UmgdCodePermission, we fail the call. - AppDomain* pCurrDomain = GetThread()->GetDomain(); - ADID currID = pCurrDomain->GetId(); - - ADID ccwID = m_pSimpleWrapper->GetRawDomainID(); - - if (currID != ccwID) - { - IApplicationSecurityDescriptor* pASD = pCurrDomain->GetSecurityDescriptor(); - - if (!pASD->CanCallUnmanagedCode()) - Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE); - } -} - //-------------------------------------------------------------------------- //ComCallWrapper* ComCallWrapper::CreateWrapper(OBJECTREF* ppObj, ComCallWrapperTemplate *pTemplate, ComCallWrapper *pClassCCW) // this function should be called only with pre-emptive GC disabled diff --git a/src/vm/comcallablewrapper.h b/src/vm/comcallablewrapper.h index 165179bf8d..dc0cf4f8aa 100644 --- a/src/vm/comcallablewrapper.h +++ b/src/vm/comcallablewrapper.h @@ -1100,9 +1100,6 @@ protected: RETURN (LinkedWrapperTerminator == pWrap->m_pNext ? NULL : pWrap->m_pNext); } - // Helper to perform a security check for passing out CCWs late-bound to scripting code. - void DoScriptingSecurityCheck(); - // Helper to create a wrapper, pClassCCW must be specified if pTemplate->RepresentsVariantInterface() static ComCallWrapper* CreateWrapper(OBJECTREF* pObj, ComCallWrapperTemplate *pTemplate, ComCallWrapper *pClassCCW); 
@@ -2329,13 +2326,8 @@ inline ComCallWrapper* __stdcall ComCallWrapper::InlineGetWrapper(OBJECTREF* ppO pMainWrap = pClassCCW; else pMainWrap = pWrap; - + pMainWrap->CheckMakeAgile(*ppObj); - - // If the object is agile, and this domain doesn't have UmgdCodePermission - // fail the call. - if (pMainWrap->GetSimpleWrapper()->IsAgile()) - pMainWrap->DoScriptingSecurityCheck(); pWrap->AddRef(); diff --git a/src/vm/comdelegate.cpp b/src/vm/comdelegate.cpp index aef9adb290..b55e798453 100644 --- a/src/vm/comdelegate.cpp +++ b/src/vm/comdelegate.cpp @@ -26,6 +26,7 @@ #include "virtualcallstub.h" #include "callingconvention.h" #include "customattribute.h" +#include "typestring.h" #include "../md/compiler/custattr.h" #ifdef FEATURE_COMINTEROP #include "comcallablewrapper.h" @@ -774,12 +775,6 @@ FCIMPL5(FC_BOOL_RET, COMDelegate::BindToMethodName, continue; } - if (!COMDelegate::ValidateSecurityTransparency(pCurMethod, gc.refThis->GetTypeHandle().AsMethodTable())) - { - // violates security transparency rules, skip. - continue; - } - // Found the target that matches the signature and satisfies security transparency rules // Initialize the delegate to point to the target method. BindToMethod(&gc.refThis, @@ -862,8 +857,7 @@ FCIMPL5(FC_BOOL_RET, COMDelegate::BindToMethodInfo, Object* refThisUNSAFE, Objec gc.refThis->GetTypeHandle(), pInvokeMeth, flags, - &fIsOpenDelegate) && - COMDelegate::ValidateSecurityTransparency(method, gc.refThis->GetTypeHandle().AsMethodTable()) ) + &fIsOpenDelegate)) { // Initialize the delegate to point to the target method. BindToMethod(&gc.refThis, 
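Review bot: The context line `// Found the target that matches the signature and satisfies security transparency rules` in COMDelegate::BindToMethodName is now stale: the transparency check directly above it is what this hunk removes, so by the time the comment is reached only the signature match has been established. Suggest `// Found the target that matches the signature.` BindToMethodName begins outside the hunk.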
@@ -940,10 +934,6 @@ void COMDelegate::BindToMethod(DELEGATEREF *pRefThis, pTargetMethod->IsStatic() ? NULL : pInstanceMT, pTargetMethod); - // Trip any link demands the target method requires. - InvokeUtil::CheckLinktimeDemand(&sCtx, - pTargetMethod); - // Ask for skip verification if a delegate over a .ctor or .cctor is requested. if (pTargetMethod->IsClassConstructorOrCtor()) Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_SKIP_VER); @@ -1181,7 +1171,7 @@ BOOL COMDelegate::IsFullTrustDelegate(DELEGATEREF pDelegate) // The target must be decorated with AllowReversePInvokeCallsAttribute if (!IsMethodAllowedToSinkReversePInvoke(pMD)) return FALSE; - return pMD->GetModule()->GetSecurityDescriptor()->IsFullyTrusted(); + return TRUE; } } // Default: 
@@ -3673,40 +3663,6 @@ BOOL COMDelegate::ValidateCtor(TypeHandle instHnd, return IsMethodDescCompatible(instHnd, ftnParentHnd, pFtn, dlgtHnd, pDlgtInvoke, DBF_RelaxedSignature, pfIsOpenDelegate); } - -// This method checks the delegate type transparency rules. -// It returns TRUE if the transparency rules are obeyed and FALSE otherwise -// -// The Partial Trust Silverlight (SL2, SL4, and PT SL5) rule is: -// 1. Critical delegates can only be bound to critical target methods -// 2. Transparent/SafeCritical delegates can only be bound to Transparent/SafeCritical target methods -// -// The Full Trust Silverlight rule FOR NOW is: anything is allowed -// The Desktop rule FOR NOW is: anything is allowed -// -// This is called by JIT in early bound delegate creation to determine whether the delegate transparency -// check is POSSIBLY needed. If the code is shared between appdomains of different trust levels, it is -// possible that the check is needed in some domains but not the others. So we need to made that distinction -// at run time in JIT_DelegateSecurityCheck. - -/* static */ -BOOL COMDelegate::ValidateSecurityTransparency(MethodDesc *pFtn, MethodTable *pdlgMT) -{ - WRAPPER_NO_CONTRACT; - - if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted()) - return TRUE; - - BOOL fCriticalDelegate = Security::IsTypeCritical(pdlgMT) && !Security::IsTypeSafeCritical(pdlgMT); - BOOL fCriticalTarget = Security::IsMethodCritical(pFtn) && !Security::IsMethodSafeCritical(pFtn); - - // returns true if: - // 1. the delegate is critical and the target method is critical, or - // 2. the delegate is transparent/safecritical and the target method is transparent/safecritical - return (fCriticalDelegate == fCriticalTarget); -} - - BOOL COMDelegate::ValidateBeginInvoke(DelegateEEClass* pClass) { CONTRACTL diff --git a/src/vm/comdelegate.h b/src/vm/comdelegate.h index f1bed43db6..8fe421d174 100644 --- a/src/vm/comdelegate.h +++ b/src/vm/comdelegate.h 
@@ -152,7 +152,6 @@ public: //@GENERICSVER: new (suitable for generics) // Method to do static validation of delegate .ctor static BOOL ValidateCtor(TypeHandle objHnd, TypeHandle ftnParentHnd, MethodDesc *pFtn, TypeHandle dlgtHnd, BOOL *pfIsOpenDelegate); - static BOOL ValidateSecurityTransparency(MethodDesc *pFtn, MethodTable *pdlgMT); // enforce the transparency rules private: static BOOL ValidateBeginInvoke(DelegateEEClass* pClass); // make certain the BeginInvoke method is consistant with the Invoke Method diff --git a/src/vm/compile.cpp b/src/vm/compile.cpp index 76a4147b13..1a3e66a86e 100644 --- a/src/vm/compile.cpp +++ b/src/vm/compile.cpp 
@@ -173,49 +173,9 @@ HRESULT CEECompileInfo::CreateDomain(ICorCompilationDomain **ppDomain, ENTER_DOMAIN_PTR(pCompilationDomain,ADV_COMPILATION) { - if (fForceFulltrustDomain) - ((ApplicationSecurityDescriptor *)pCompilationDomain->GetSecurityDescriptor())->SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF); - -#ifndef CROSSGEN_COMPILE -#endif pCompilationDomain->InitializeDomainContext(TRUE, NULL, NULL); -#ifndef CROSSGEN_COMPILE - - if (!NingenEnabled()) - { - APPDOMAINREF adRef = (APPDOMAINREF)pCompilationDomain->GetExposedObject(); - GCPROTECT_BEGIN(adRef); - MethodDescCallSite initializeSecurity(METHOD__APP_DOMAIN__INITIALIZE_DOMAIN_SECURITY); - ARG_SLOT args[] = - { - ObjToArgSlot(adRef), - ObjToArgSlot(NULL), - ObjToArgSlot(NULL), - ObjToArgSlot(NULL), - static_cast<ARG_SLOT>(FALSE) - }; - initializeSecurity.Call(args); - GCPROTECT_END(); - } -#endif - - { - GCX_PREEMP(); - - // We load assemblies as domain-bound (However, they're compiled as domain neutral) -#ifdef FEATURE_LOADER_OPTIMIZATION - pCompilationDomain->SetSharePolicy(AppDomain::SHARE_POLICY_NEVER); -#endif // FEATURE_LOADER_OPTIMIZATION - - } - pCompilationDomain->SetFriendlyName(W("Compilation Domain")); - if (!NingenEnabled()) - { - Security::SetDefaultAppDomainProperty(pCompilationDomain->GetSecurityDescriptor()); - pCompilationDomain->GetSecurityDescriptor()->FinishInitialization(); - } SystemDomain::System()->LoadDomain(pCompilationDomain); #ifndef CROSSGEN_COMPILE @@ -355,8 +315,7 @@ HRESULT CEECompileInfo::LoadAssemblyByPath( wzPath, // If we're explicitly binding to an NGEN image, we do not want the cache - // this PEImage for use later, as pointers that need fixup (e.g., - // Module::m_pModuleSecurityDescriptor) will not be valid for use later. + // this PEImage for use later, as pointers that need fixup // Normal caching is done when we open it "for real" further down when we // call LoadDomainAssembly(). fExplicitBindToNativeImage ? MDInternalImport_NoCache : MDInternalImport_Default); 
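Review bot: The comment in the `@@ -355,8 +315,7 @@` hunk is left as a fragment: `// this PEImage for use later, as pointers that need fixup` lost its predicate when the `Module::m_pModuleSecurityDescriptor` example was cut. Suggest `// this PEImage for use later, as pointers that need fixup will not be valid for use later.` In the CreateDomain hunk the only visible use of `fForceFulltrustDomain` is removed, which presumably leaves that parameter unused (its declaration is outside the hunk); if so it can go from the signature in a follow-up.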
@@ -6666,6 +6625,41 @@ CORINFO_METHOD_HANDLE CEEPreloader::LookupMethodDef(mdMethodDef token) return CORINFO_METHOD_HANDLE(pMD); } +static BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr) +{ + LIMITED_METHOD_CONTRACT; + return (IsMdPublic(dwMethodAttr) || + IsMdFamORAssem(dwMethodAttr) || + IsMdFamily(dwMethodAttr)); +} + +static BOOL ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass) +{ + LIMITED_METHOD_CONTRACT; + + if (fIsGlobalClass) + { + return TRUE; + } + + return (IsTdPublic(dwClassAttr) || + IsTdNestedPublic(dwClassAttr) || + IsTdNestedFamily(dwClassAttr) || + IsTdNestedFamORAssem(dwClassAttr)); +} + +static BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD) +{ + LIMITED_METHOD_CONTRACT; + + MethodTable * pMT = pMD->GetMethodTable(); + + if (!ClassIsVisibleOutsideItsAssembly(pMT->GetAttrClass(), pMT->IsGlobalClass())) + return FALSE; + + return MethodIsVisibleOutsideItsAssembly(pMD->GetAttrs()); +} + CorCompileILRegion CEEPreloader::GetILRegion(mdMethodDef token) { STANDARD_VM_CONTRACT; @@ -6702,7 +6696,7 @@ CorCompileILRegion CEEPreloader::GetILRegion(mdMethodDef token) } } else - if (Security::MethodIsVisibleOutsideItsAssembly(pMD)) + if (MethodIsVisibleOutsideItsAssembly(pMD)) { // We are inlining only leaf methods, except for mscorlib. Thus we can assume that only methods // visible outside its assembly are likely to be inlined. @@ -6981,7 +6975,6 @@ void CompilationDomain::Init() InitVSD(); #endif - Security::SetDefaultAppDomainProperty(GetSecurityDescriptor()); SetCompilationDomain(); @@ -7049,7 +7042,7 @@ HRESULT CompilationDomain::AddDependencyEntry(PEAssembly *pFile, if (pFile) { - DomainAssembly *pAssembly = GetAppDomain()->LoadDomainAssembly(NULL, pFile, FILE_LOAD_CREATE, NULL); + DomainAssembly *pAssembly = GetAppDomain()->LoadDomainAssembly(NULL, pFile, FILE_LOAD_CREATE); // Note that this can trigger an assembly load (of mscorlib) pAssembly->GetOptimizedIdentitySignature(&pDependency->signAssemblyDef); 
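Review bot: The new `ClassIsVisibleOutsideItsAssembly` only examines the type's own `IsTdNestedPublic`/`IsTdNestedFamily`/`IsTdNestedFamORAssem` bits and never walks the enclosing type, so a public nested class of an internal class is reported as visible outside its assembly. That over-approximation is harmless for the inlining heuristic in GetILRegion, but the name promises an access-control answer, and the same-named overloads on `DWORD` and `MethodDesc *` make the call site easy to misread. A short comment on the first helper, e.g. `// Heuristic for IL-region placement only: approximates "may be referenced from another assembly"; does not walk enclosing types, so it over-approximates. Not an access check.`, would keep it from being reused as one.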
@@ -7302,7 +7295,6 @@ PEAssembly *CompilationDomain::BindAssemblySpec( BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark, - AssemblyLoadSecurity *pLoadSecurity, BOOL fUseHostBinderIfAvailable) { PEAssembly *pFile = NULL; @@ -7321,7 +7313,6 @@ PEAssembly *CompilationDomain::BindAssemblySpec( fThrowOnFileNotFound, fRaisePrebindEvents, pCallerStackMark, - pLoadSecurity, fUseHostBinderIfAvailable); } EX_HOOK diff --git a/src/vm/compile.h b/src/vm/compile.h index 8fdd383dfe..5d4aff755f 100644 --- a/src/vm/compile.h +++ b/src/vm/compile.h @@ -789,7 +789,6 @@ class CompilationDomain : public AppDomain, BOOL fThrowOnFileNotFound, BOOL fRaisePrebindEvents, StackCrawlMark *pCallerStackMark = NULL, - AssemblyLoadSecurity *pLoadSecurity = NULL, BOOL fUseHostBinderIfAvailable = TRUE) DAC_EMPTY_RET(NULL); BOOL CanEagerBindToZapFile(Module *targetModule, BOOL limitToHardBindList = TRUE); diff --git a/src/vm/comthreadpool.cpp b/src/vm/comthreadpool.cpp index 554e836e6c..a9fad74cee 100644 --- a/src/vm/comthreadpool.cpp +++ b/src/vm/comthreadpool.cpp @@ -340,25 +340,6 @@ RegisterWaitForSingleObjectCallback_Worker(LPVOID ptr) GCPROTECT_END(); } - -void ResetThreadSecurityState(Thread* pThread) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } CONTRACTL_END; - - if (pThread) - { - pThread->ResetSecurityInfo(); - } -} - -// this holder resets our thread's security state -typedef Holder<Thread*, DoNothing<Thread*>, ResetThreadSecurityState> ThreadSecurityStateHolder; - VOID NTAPI RegisterWaitForSingleObjectCallback(PVOID delegateInfo, BOOLEAN TimerOrWaitFired) { Thread* pThread = GetThread(); 
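Review bot: In the compile.h hunk, removing the defaulted `AssemblyLoadSecurity *pLoadSecurity = NULL` that sat immediately before `BOOL fUseHostBinderIfAvailable = TRUE` shifts positional arguments: a caller that passed a literal `NULL` (or `0`) in the old pLoadSecurity slot still compiles and now silently sets `fUseHostBinderIfAvailable` to FALSE instead of taking the default. Only callers passing a typed pointer variable would be caught by the compiler. The two compile.cpp hunks (`@@ -7302` and `@@ -7321`) forward the same parameter list to the base `BindAssemblySpec`, so that declaration (outside this view) presumably has the same hazard; it is worth checking every call site for a trailing NULL argument rather than relying on the build.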
@@ -386,9 +367,6 @@ VOID NTAPI RegisterWaitForSingleObjectCallback(PVOID delegateInfo, BOOLEAN Timer GCX_COOP(); - // this holder resets our thread's security state when exiting this scope - ThreadSecurityStateHolder secState(pThread); - RegisterWaitForSingleObjectCallback_Args args = { ((DelegateInfo*) delegateInfo), TimerOrWaitFired }; ManagedThreadBase::ThreadPool(((DelegateInfo*) delegateInfo)->m_appDomainId, RegisterWaitForSingleObjectCallback_Worker, &args); @@ -719,8 +697,6 @@ void __stdcall BindIoCompletionCallbackStubEx(DWORD ErrorCode, pHolderThread = pThread; } - ThreadSecurityStateHolder secState(pHolderThread); - BindIoCompletion_Args args = {ErrorCode, numBytesTransferred, lpOverlapped, &fProcessed}; appDomain.Release(); ManagedThreadBase::ThreadPool(ADID(overlapped->GetAppDomainId()), BindIoCompletionCallBack_Worker, &args); @@ -875,11 +851,8 @@ VOID WINAPI AppDomainTimerCallback(PVOID delegateInfo, BOOLEAN timerOrWaitFired) GCX_COOP(); - { - ThreadSecurityStateHolder secState(pThread); - ManagedThreadBase::ThreadPool(((DelegateInfo*)delegateInfo)->m_appDomainId, AppDomainTimerCallback_Worker, NULL); - } - + ManagedThreadBase::ThreadPool(((DelegateInfo*)delegateInfo)->m_appDomainId, AppDomainTimerCallback_Worker, NULL); + // We should have released all locks. _ASSERTE(g_fEEShutDown || pThread->m_dwLockCount == 0 || pThread->m_fRudeAborted); } diff --git a/src/vm/comthreadpool.h b/src/vm/comthreadpool.h index 6fd250f0ba..b949885eab 100644 --- a/src/vm/comthreadpool.h +++ b/src/vm/comthreadpool.h @@ -65,7 +65,6 @@ public: static BOOL QCALLTYPE DeleteAppDomainTimer(HANDLE hTimer); }; -void ResetThreadSecurityState(Thread* pThread); VOID QueueUserWorkItemManagedCallback(PVOID pArg); void WINAPI BindIoCompletionCallbackStub(DWORD ErrorCode, DWORD numBytesTransferred, 
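Review bot: In the BindIoCompletionCallbackStubEx hunk, `pHolderThread = pThread;` is kept while the `ThreadSecurityStateHolder secState(pHolderThread);` that consumed it is deleted, so unless `pHolderThread` is read elsewhere in the function (its declaration and the rest of the body are outside the hunk) both the assignment and the variable are now dead and will draw an unused-variable warning. In the AppDomainTimerCallback hunk the replacement blank line is emitted as an added line rather than kept as context, which suggests it carries trailing whitespace; worth a look before merge.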
@@ -75,7 +74,4 @@ void SetAsyncResultProperties( DWORD dwErrorCode, DWORD dwNumBytes); -// this holder resets our thread's security state -typedef Holder<Thread*, DoNothing<Thread*>, ResetThreadSecurityState> ThreadSecurityStateHolder; - #endif diff --git a/src/vm/corhost.cpp b/src/vm/corhost.cpp index 3f53de2acb..9eb895e86d 100644 --- a/src/vm/corhost.cpp +++ b/src/vm/corhost.cpp @@ -689,8 +689,6 @@ HRESULT CorHost2::_CreateAppDomain( EX_TRY #endif { - pDomain->SetAppDomainManagerInfo(wszAppDomainManagerAssemblyName,wszAppDomainManagerTypeName,eInitializeNewDomainFlags_None); - GCX_COOP(); struct @@ -698,7 +696,6 @@ HRESULT CorHost2::_CreateAppDomain( STRINGREF friendlyName; PTRARRAYREF propertyNames; PTRARRAYREF propertyValues; - STRINGREF sandboxName; OBJECTREF setupInfo; OBJECTREF adSetup; } _gc; @@ -722,27 +719,13 @@ HRESULT CorHost2::_CreateAppDomain( } } - if (dwFlags & APPDOMAIN_SECURITY_SANDBOXED) - { - _gc.sandboxName = StringObject::NewString(W("Internet")); - } - else - { - _gc.sandboxName = StringObject::NewString(W("FullTrust")); - } - MethodDescCallSite prepareDataForSetup(METHOD__APP_DOMAIN__PREPARE_DATA_FOR_SETUP); - ARG_SLOT args[8]; + ARG_SLOT args[4]; args[0]=ObjToArgSlot(_gc.friendlyName); args[1]=ObjToArgSlot(NULL); - args[2]=ObjToArgSlot(NULL); - args[3]=ObjToArgSlot(NULL); - //CoreCLR shouldn't have dependencies on parent app domain. - args[4]=ObjToArgSlot(NULL); - args[5]=ObjToArgSlot(_gc.sandboxName); - args[6]=ObjToArgSlot(_gc.propertyNames); - args[7]=ObjToArgSlot(_gc.propertyValues); + args[2]=ObjToArgSlot(_gc.propertyNames); + args[3]=ObjToArgSlot(_gc.propertyValues); _gc.setupInfo=prepareDataForSetup.Call_RetOBJECTREF(args); 
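Review bot: With the `dwFlags & APPDOMAIN_SECURITY_SANDBOXED` branch removed from CorHost2::_CreateAppDomain, a host that requests a sandboxed domain now receives a full-trust one without any error, which silently changes the hosting contract. Either fail the call up front when that flag is set (e.g. with `E_INVALIDARG`) or document at the flag's definition that it is accepted and ignored, so the behaviour is explicit rather than accidental. The shrink from `ARG_SLOT args[8]` to `args[4]` must match the managed PrepareDataForSetup signature and is only checked at runtime; a comment at the call site naming the expected managed parameters (friendlyName, null, propertyNames, propertyValues) would make the coupling visible.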
@@ -865,11 +848,6 @@ HRESULT CorHost2::_CreateDelegate( spec.Init(szAssemblyName); Assembly* pAsm=spec.LoadAssembly(FILE_ACTIVE); - // we have no signature to check so allowing calling partially trusted code - // can result in an exploit - if (!pAsm->GetSecurityDescriptor()->IsFullyTrusted()) - ThrowHR(COR_E_SECURITY); - TypeHandle th=pAsm->GetLoader()->LoadTypeByNameThrowing(pAsm,NULL,szClassName); MethodDesc* pMD=NULL; @@ -1572,24 +1550,10 @@ LONG CorHost2::m_RefCount = 0; IHostControl *CorHost2::m_HostControl = NULL; -LPCWSTR CorHost2::s_wszAppDomainManagerAsm = NULL; -LPCWSTR CorHost2::s_wszAppDomainManagerType = NULL; -EInitializeNewDomainFlags CorHost2::s_dwDomainManagerInitFlags = eInitializeNewDomainFlags_None; - - #ifdef _DEBUG extern void ValidateHostInterface(); #endif -// fusion's global copy of host assembly manager stuff -BOOL g_bFusionHosted = FALSE; - -/*static*/ BOOL CorHost2::IsLoadFromBlocked() // LoadFrom, LoadFile and Load(byte[]) are blocked in certain hosting scenarios -{ - LIMITED_METHOD_CONTRACT; - return FALSE; // as g_pHostAsmList is not defined for CoreCLR; hence above expression will be FALSE. -} - static Volatile<BOOL> fOneOnly = 0; /////////////////////////////////////////////////////////////////////////////// @@ -2325,19 +2289,6 @@ HRESULT CorHost2::GetCLRControl(ICLRControl** pCLRControl) return hr; } - -LPCWSTR CorHost2::GetAppDomainManagerAsm() -{ - LIMITED_METHOD_CONTRACT; - return NULL; -} - -LPCWSTR CorHost2::GetAppDomainManagerType() -{ - LIMITED_METHOD_CONTRACT; - return NULL; -} - // static EInitializeNewDomainFlags CorHost2::GetAppDomainManagerInitializeNewDomainFlags() { diff --git a/src/vm/crossgen/CMakeLists.txt b/src/vm/crossgen/CMakeLists.txt index bef9f62d85..805e932dda 100644 --- a/src/vm/crossgen/CMakeLists.txt +++ b/src/vm/crossgen/CMakeLists.txt 
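Review bot: The deleted `IsFullyTrusted()` check was the only guard in CorHost2::_CreateDelegate between loading a host-named assembly and handing back a callable into it, and its comment explained why ("can result in an exploit"); on CoreCLR everything is full trust so the check is moot, but that reasoning now lives nowhere in the code. A comment at the load site, e.g. `// CoreCLR has no partial trust: any assembly the host names here is trusted, so no grant-set check precedes LoadTypeByNameThrowing.`, would stop the next reader from treating this as an oversight or re-adding a CAS-style gate.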
@@ -64,16 +64,6 @@ set(VM_CROSSGEN_SOURCES ../pendingload.cpp ../precode.cpp ../olevariant.cpp - ../security.cpp - ../securitypolicy.cpp - ../securityattributes.cpp - ../securitydeclarative.cpp - ../securitydeclarativecache.cpp - ../securitydescriptor.cpp - ../securitydescriptorappdomain.cpp - ../securitydescriptorassembly.cpp - ../securitymeta.cpp - ../securitytransparentassembly.cpp ../siginfo.cpp ../sigformat.cpp ../simplerwlock.cpp diff --git a/src/vm/crossgencompile.cpp b/src/vm/crossgencompile.cpp index b106ecc918..367112e285 100644 --- a/src/vm/crossgencompile.cpp +++ b/src/vm/crossgencompile.cpp @@ -400,29 +400,6 @@ LONG ComCallWrapperTemplate::Release() } #endif -//--------------------------------------------------------------------------------------- -// -// Security-related functions. They are reachable in theory for legacy security attributes. The legacy security -// attributes should not be used in code running on CoreCLR. We fail fast for number of these just in case somebody -// tries to use the legacy security attributes. -// - -void SecurityDeclarative::FullTrustInheritanceDemand(Assembly *pTargetAssembly) -{ - CrossGenNotSupported("FullTrustInheritanceDemand"); -} - -void SecurityDeclarative::InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand) -{ - CrossGenNotSupported("InheritanceLinkDemandCheck"); -} - -void ApplicationSecurityDescriptor::PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) -{ - // virtual method unreachable in crossgen - UNREACHABLE(); -} - extern "C" UINT_PTR STDCALL GetCurrentIP() { return 0; diff --git a/src/vm/customattribute.cpp b/src/vm/customattribute.cpp index 5b679548db..60e002eb71 100644 --- a/src/vm/customattribute.cpp +++ b/src/vm/customattribute.cpp 
@@ -15,9 +15,9 @@ #include "fcall.h" #include "assemblynative.hpp" #include "typeparse.h" -#include "securityattributes.h" #include "reflectioninvocation.h" #include "runtimehandles.h" +#include "typestring.h" typedef InlineFactory<InlineSString<64>, 16> SStringFactory; @@ -1567,40 +1567,3 @@ ARG_SLOT COMCustomAttribute::GetDataFromBlob(Assembly *pCtorAssembly, return retValue; } - -FCIMPL2(VOID, COMCustomAttribute::PushSecurityContextFrame, SecurityContextFrame *pFrame, AssemblyBaseObject *pAssemblyObjectUNSAFE) -{ - FCALL_CONTRACT; - - BEGIN_SO_INTOLERANT_CODE_NOTHROW(GetThread(), FCThrowVoid(kStackOverflowException)); - - // Adjust frame pointer for the presence of the GSCookie at a negative - // offset (it's hard for us to express neginfo in the managed definition of - // the frame). - pFrame = (SecurityContextFrame*)((BYTE*)pFrame + sizeof(GSCookie)); - - *((TADDR*)pFrame) = SecurityContextFrame::GetMethodFrameVPtr(); - pFrame->SetAssembly(pAssemblyObjectUNSAFE->GetAssembly()); - *pFrame->GetGSCookiePtr() = GetProcessGSCookie(); - pFrame->Push(); - - END_SO_INTOLERANT_CODE; -} -FCIMPLEND - -FCIMPL1(VOID, COMCustomAttribute::PopSecurityContextFrame, SecurityContextFrame *pFrame) -{ - FCALL_CONTRACT; - - BEGIN_SO_INTOLERANT_CODE_NOTHROW(GetThread(), FCThrowVoid(kStackOverflowException)); - - // Adjust frame pointer for the presence of the GSCookie at a negative - // offset (it's hard for us to express neginfo in the managed definition of - // the frame). - pFrame = (SecurityContextFrame*)((BYTE*)pFrame + sizeof(GSCookie)); - - pFrame->Pop(); - - END_SO_INTOLERANT_CODE; -} -FCIMPLEND diff --git a/src/vm/customattribute.h b/src/vm/customattribute.h index 69c57332a2..1333373fca 100644 --- a/src/vm/customattribute.h +++ b/src/vm/customattribute.h 
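Review bot: The new `#include "typestring.h"` appears to replace a dependency that was previously satisfied transitively through `securityattributes.h`, but the hunk gives no hint which symbol in customattribute.cpp needs it, so a future include cleanup is likely to drop it again. A short comment on the include or a sentence in the commit message naming the consumer would fix that. It is also worth confirming that the `GetSecurityAttributes` FCall, still declared in customattribute.h in the next hunk, no longer relies on anything from the removed header.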
@@ -192,8 +192,6 @@ public: static FCDECL5(LPVOID, CreateCaObject, ReflectModuleBaseObject* pAttributedModuleUNSAFE, ReflectMethodObject *pMethodUNSAFE, BYTE** ppBlob, BYTE* pEndBlob, INT32* pcNamedArgs); static FCDECL7(void, GetPropertyOrFieldData, ReflectModuleBaseObject *pModuleUNSAFE, BYTE** ppBlobStart, BYTE* pBlobEnd, STRINGREF* pName, CLR_BOOL* pbIsProperty, OBJECTREF* pType, OBJECTREF* value); static FCDECL4(VOID, GetSecurityAttributes, ReflectModuleBaseObject *pModuleUNSAFE, DWORD tkToken, CLR_BOOL fAssembly, PTRARRAYREF* ppArray); - static FCDECL2(VOID, PushSecurityContextFrame, SecurityContextFrame *pFrame, AssemblyBaseObject *pAssemblyObjectUNSAFE); - static FCDECL1(VOID, PopSecurityContextFrame, SecurityContextFrame *pFrame); private: diff --git a/src/vm/dllimport.cpp b/src/vm/dllimport.cpp index b58ac56b29..a40754aeb4 100644 --- a/src/vm/dllimport.cpp +++ b/src/vm/dllimport.cpp @@ -6419,9 +6419,6 @@ EXTERN_C LPVOID STDCALL NDirectImportWorker(NDirectMethodDesc* pMD) // With IL stubs, we don't have to do anything but ensure the DLL is loaded. // - if (!pMD->GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode()) - Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE); - if (!pMD->IsZapped()) { PInvokeStaticSigInfo sigInfo; diff --git a/src/vm/domainfile.cpp b/src/vm/domainfile.cpp index 2193c5a28d..32f35fd39a 100644 --- a/src/vm/domainfile.cpp +++ b/src/vm/domainfile.cpp @@ -17,7 +17,6 @@ #include <shlwapi.h> #include "security.h" -#include "securitymeta.h" #include "invokeutil.h" #include "eeconfig.h" #include "dynamicmethod.h" 
@@ -973,73 +972,6 @@ void DomainFile::PreLoadLibrary() } CONTRACTL_END; - // Check skip verification for loading if required - if (!GetFile()->CanLoadLibrary()) - { - DomainAssembly* pDomainAssembly = GetDomainAssembly(); - if (pDomainAssembly->GetSecurityDescriptor()->IsResolved()) - { - if (Security::CanSkipVerification(pDomainAssembly)) - GetFile()->SetSkipVerification(); - } - else - { - AppDomain *pAppDomain = this->GetAppDomain(); - PEFile *pFile = GetFile(); - _ASSERTE(pFile != NULL); - PEImage *pImage = pFile->GetILimage(); - _ASSERTE(pImage != NULL); - _ASSERTE(!pImage->IsFile()); - if (pImage->HasV1Metadata()) - { - // In V1 case, try to derive SkipVerification status from parents - do - { - PEAssembly * pAssembly = pFile->GetAssembly(); - if (pAssembly == NULL) - break; - pFile = pAssembly->GetCreator(); - if (pFile != NULL) - { - pAssembly = pFile->GetAssembly(); - // Find matching DomainAssembly for the given PEAsssembly - // Perf: This does not scale - AssemblyIterationFlags flags = - (AssemblyIterationFlags) (kIncludeLoaded | kIncludeLoading | kIncludeExecution); - AppDomain::AssemblyIterator i = pAppDomain->IterateAssembliesEx(flags); - CollectibleAssemblyHolder<DomainAssembly *> pDomainAssembly; - - while (i.Next(pDomainAssembly.This())) - { - if ((pDomainAssembly != NULL) && (pDomainAssembly->GetFile() == pAssembly)) - { - break; - } - } - if (pDomainAssembly != NULL) - { - if (pDomainAssembly->GetSecurityDescriptor()->IsResolved()) - { - if (Security::CanSkipVerification(pDomainAssembly)) - { - GetFile()->SetSkipVerification(); - break; - } - } - } - else - { - // Potential Bug: Unable to find DomainAssembly for given PEAssembly - // In retail build gracefully exit loop - _ASSERTE(pDomainAssembly != NULL); - break; - } - } - } - while (pFile != NULL); - } - } - } } // DomainFile::PreLoadLibrary // Note that this is the sole loading function which must be called OUTSIDE THE LOCK, since 
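Review bot: DomainFile::PreLoadLibrary is reduced to a bare CONTRACTL with no body once the skip-verification block is removed, so every caller (outside this hunk) now pays for a call that does nothing, and the function's name keeps promising work it no longer does. Either delete the method together with its call sites, or leave a comment such as `// Intentionally empty: the only work here was the CAS skip-verification check, which CoreCLR no longer has.` so the stub is not mistaken for an unfinished edit. The function's signature and contract start outside the hunk.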
@@ -1266,12 +1198,6 @@ void DomainFile::VerifyExecution() COMPlusThrow(kInvalidOperationException, IDS_EE_CODEEXECUTION_IN_INTROSPECTIVE_ASSEMBLY); } - if (GetModule()->GetAssembly()->IsSIMDVectorAssembly() && - !GetModule()->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted()) - { - COMPlusThrow(kFileLoadException, IDS_EE_SIMD_PARTIAL_TRUST_DISALLOWED); - } - if(GetFile()->PassiveDomainOnly()) { // Remove path - location must be hidden for security purposes @@ -1559,12 +1485,11 @@ void DomainFile::InsertIntoDomainFileWithNativeImageList() // DomainAssembly //-------------------------------------------------------------------------------- -DomainAssembly::DomainAssembly(AppDomain *pDomain, PEFile *pFile, AssemblyLoadSecurity *pLoadSecurity, LoaderAllocator *pLoaderAllocator) +DomainAssembly::DomainAssembly(AppDomain *pDomain, PEFile *pFile, LoaderAllocator *pLoaderAllocator) : DomainFile(pDomain, pFile), m_pAssembly(NULL), m_debuggerFlags(DACF_NONE), m_MissingDependenciesCheckStatus(CMD_Unknown), - m_fSkipPolicyResolution(pLoadSecurity != NULL && !pLoadSecurity->ShouldResolvePolicy()), m_fDebuggerUnloadStarted(FALSE), m_fCollectible(pLoaderAllocator->IsCollectible()), m_fHostAssemblyPublished(false), 
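Review bot: Removing the partial-trust SIMD check from DomainFile::VerifyExecution leaves `IDS_EE_SIMD_PARTIAL_TRUST_DISALLOWED`, and possibly `Assembly::IsSIMDVectorAssembly()`, without a reader at this site; if nothing else references them they should be dropped in the same change so the resource table does not carry a message no code path can raise. VerifyExecution continues outside the hunk, as does the DomainAssembly constructor's initializer list in the following hunk.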
@@ -1592,47 +1517,10 @@ DomainAssembly::DomainAssembly(AppDomain *pDomain, PEFile *pFile, AssemblyLoadSe m_hExposedAssemblyObject = NULL; - NewHolder<IAssemblySecurityDescriptor> pSecurityDescriptorHolder(Security::CreateAssemblySecurityDescriptor(pDomain, this, pLoaderAllocator)); - - if (pLoadSecurity != NULL) - { - - if (GetFile()->IsSourceGAC()) - { - // Assemblies in the GAC are not allowed to - // specify additional evidence. They must always follow default machine policy rules. - - // So, we just ignore the evidence. (Ideally we would throw an error, but it would introduce app - // compat issues.) - } - else - { - { - GCX_COOP(); - - - // If the assembly being loaded already knows its grant set (for instnace, it's being pushed - // from the loading assembly), then we can set that up now as well - if (!pLoadSecurity->ShouldResolvePolicy()) - { - _ASSERTE(pLoadSecurity->m_pGrantSet != NULL); - - - pSecurityDescriptorHolder->PropagatePermissionSet( - *pLoadSecurity->m_pGrantSet, - pLoadSecurity->m_pRefusedSet == NULL ? NULL : *pLoadSecurity->m_pRefusedSet, - pLoadSecurity->m_dwSpecialFlags); - } - } - } - } - SetupDebuggingConfig(); // Add a Module iterator entry for this assembly. IfFailThrow(m_Modules.Append(this)); - - m_pSecurityDescriptor = pSecurityDescriptorHolder.Extract(); } DomainAssembly::~DomainAssembly() @@ -1664,8 +1552,6 @@ DomainAssembly::~DomainAssembly() { delete m_pAssembly; } - - delete m_pSecurityDescriptor; } void DomainAssembly::ReleaseFiles() @@ -2083,14 +1969,6 @@ BOOL DomainAssembly::ShouldLoadDomainNeutralHelper() #endif // FEATURE_LOADER_OPTIMIZATION } -BOOL DomainAssembly::ShouldSkipPolicyResolution() -{ - LIMITED_METHOD_CONTRACT; - return m_fSkipPolicyResolution; -} - - - // This is where the decision whether an assembly is DomainNeutral (shared) nor not is made. void DomainAssembly::Allocate() { 
@@ -2102,9 +1980,6 @@ void DomainAssembly::Allocate() } CONTRACTL_END; - // Make sure the security system is happy with this assembly being loaded into the domain - GetSecurityDescriptor()->CheckAllowAssemblyLoad(); - AllocMemTracker amTracker; AllocMemTracker * pamTracker = &amTracker; diff --git a/src/vm/domainfile.h b/src/vm/domainfile.h index a0ebbca481..15811e2b3f 100644 --- a/src/vm/domainfile.h +++ b/src/vm/domainfile.h @@ -24,9 +24,6 @@ class DomainModule; class Assembly; class Module; class DynamicMethodTable; -struct AssemblyLoadSecurity; - -typedef VPTR(class IAssemblySecurityDescriptor) PTR_IAssemblySecurityDescriptor; enum FileLoadLevel { @@ -518,15 +515,6 @@ public: return PTR_PEAssembly(m_pFile); } - - // Returns security information for the assembly based on the codebase - void GetSecurityIdentity(SString &codebase, SecZone *pdwZone, DWORD dwFlags, BYTE *pbUniqueID, DWORD *pcbUniqueID); - - IAssemblySecurityDescriptor* GetSecurityDescriptor() - { - LIMITED_METHOD_CONTRACT; - return static_cast<IAssemblySecurityDescriptor*>(m_pSecurityDescriptor); - } #ifdef FEATURE_LOADER_OPTIMIZATION public: @@ -740,7 +728,7 @@ public: public: ~DomainAssembly(); private: - DomainAssembly(AppDomain *pDomain, PEFile *pFile, AssemblyLoadSecurity *pLoadSecurity, LoaderAllocator *pLoaderAllocator); + DomainAssembly(AppDomain *pDomain, PEFile *pFile, LoaderAllocator *pLoaderAllocator); #endif // ------------------------------------------------------------ @@ -774,7 +762,6 @@ private: BOOL ShouldLoadDomainNeutral(); BOOL ShouldLoadDomainNeutralHelper(); - BOOL ShouldSkipPolicyResolution(); // ------------------------------------------------------------ // Instance data 
@@ -782,12 +769,10 @@ private: private: LOADERHANDLE m_hExposedAssemblyObject; - PTR_IAssemblySecurityDescriptor m_pSecurityDescriptor; PTR_Assembly m_pAssembly; DebuggerAssemblyControlFlags m_debuggerFlags; CMD_State m_MissingDependenciesCheckStatus; ArrayList m_Modules; - BOOL m_fSkipPolicyResolution; BOOL m_fDebuggerUnloadStarted; BOOL m_fCollectible; Volatile<bool> m_fHostAssemblyPublished; diff --git a/src/vm/ecalllist.h b/src/vm/ecalllist.h index a98396af4a..39ba874b5a 100644 --- a/src/vm/ecalllist.h +++ b/src/vm/ecalllist.h @@ -296,9 +296,6 @@ FCFuncStart(gCOMTypeHandleFuncs) FCFuncElement("IsComObject", RuntimeTypeHandle::IsComObject) FCFuncElement("IsValueType", RuntimeTypeHandle::IsValueType) FCFuncElement("IsInterface", RuntimeTypeHandle::IsInterface) - QCFuncElement("IsSecurityCritical", RuntimeTypeHandle::IsSecurityCritical) - QCFuncElement("IsSecuritySafeCritical", RuntimeTypeHandle::IsSecuritySafeCritical) - QCFuncElement("IsSecurityTransparent", RuntimeTypeHandle::IsSecurityTransparent) QCFuncElement("_IsVisible", RuntimeTypeHandle::IsVisible) QCFuncElement("ConstructName", RuntimeTypeHandle::ConstructName) FCFuncElement("CanCastTo", RuntimeTypeHandle::CanCastTo) @@ -379,8 +376,6 @@ FCFuncStart(gRuntimeMethodHandle) FCFuncElement("GetMethodFromCanonical", RuntimeMethodHandle::GetMethodFromCanonical) FCFuncElement("IsDynamicMethod", RuntimeMethodHandle::IsDynamicMethod) FCFuncElement("GetMethodBody", RuntimeMethodHandle::GetMethodBody) - QCFuncElement("_IsSecurityTransparent", RuntimeMethodHandle::IsSecurityTransparent) - FCFuncElement("CheckLinktimeDemands", RuntimeMethodHandle::CheckLinktimeDemands) QCFuncElement("IsCAVisibleFromDecoratedType", RuntimeMethodHandle::IsCAVisibleFromDecoratedType) FCFuncElement("IsConstructor", RuntimeMethodHandle::IsConstructor) QCFuncElement("Destroy", RuntimeMethodHandle::Destroy) 
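Review bot: Dropping `IsSecurityCritical`, `IsSecuritySafeCritical`, `IsSecurityTransparent` and `CheckLinktimeDemands` from these ECall tables is only safe if the matching `InternalCall`/QCall declarations are gone from CoreLib in the same change: the tables are bound by name at runtime, so a surviving managed declaration fails on first call rather than at build time. The same caveat applies to the `gCOMFieldHandleNewFuncs`, `gAppDomainFuncs`, `gAssemblyFuncs`, `gCompilerFuncs` and `gGCHandleFuncs` hunks that follow.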
@@ -407,11 +402,7 @@ FCFuncStart(gCOMFieldHandleNewFuncs) FCFuncElement("GetApproxDeclaringType", RuntimeFieldHandle::GetApproxDeclaringType) FCFuncElement("GetToken", RuntimeFieldHandle::GetToken) FCFuncElement("GetStaticFieldForGenericType", RuntimeFieldHandle::GetStaticFieldForGenericType) - QCFuncElement("IsSecurityCritical", RuntimeFieldHandle::IsSecurityCritical) - QCFuncElement("IsSecuritySafeCritical", RuntimeFieldHandle::IsSecuritySafeCritical) - QCFuncElement("IsSecurityTransparent", RuntimeFieldHandle::IsSecurityTransparent) FCFuncElement("AcquiresContextFromThis", RuntimeFieldHandle::AcquiresContextFromThis) - QCFuncElement("CheckAttributeAccess", RuntimeFieldHandle::CheckAttributeAccess) FCFuncEnd() 
@@ -497,33 +488,19 @@ FCFuncStart(gAppDomainManagerFuncs) QCFuncElement("GetEntryAssembly", AssemblyNative::GetEntryAssembly) FCFuncEnd() - - FCFuncStart(gAppDomainFuncs) FCFuncElement("IsStringInterned", AppDomainNative::IsStringInterned) FCFuncElement("IsUnloadingForcedFinalize", AppDomainNative::IsUnloadingForcedFinalize) -#ifdef FEATURE_LOADER_OPTIMIZATION - FCFuncElement("UpdateLoaderOptimization", AppDomainNative::UpdateLoaderOptimization) -#endif // FEATURE_LOADER_OPTIMIZATION - QCFuncElement("DisableFusionUpdatesFromADManager", AppDomainNative::DisableFusionUpdatesFromADManager) #ifdef FEATURE_APPX QCFuncElement("nGetAppXFlags", AppDomainNative::GetAppXFlags) #endif - QCFuncElement("GetAppDomainManagerType", AppDomainNative::GetAppDomainManagerType) - QCFuncElement("SetAppDomainManagerType", AppDomainNative::SetAppDomainManagerType) FCFuncElement("nGetFriendlyName", AppDomainNative::GetFriendlyName) - QCFuncElement("SetSecurityHomogeneousFlag", AppDomainNative::SetSecurityHomogeneousFlag) - QCFuncElement("SetupDomainSecurity", AppDomainNative::SetupDomainSecurity) FCFuncElement("nSetupFriendlyName", AppDomainNative::SetupFriendlyName) -#if FEATURE_COMINTEROP - FCFuncElement("nSetDisableInterfaceCache", AppDomainNative::SetDisableInterfaceCache) -#endif // FEATURE_COMINTEROP FCFuncElement("nGetAssemblies", AppDomainNative::GetAssemblies) FCFuncElement("nCreateContext", AppDomainNative::CreateContext) FCFuncElement("GetId", AppDomainNative::GetId) FCFuncElement("GetOrInternString", AppDomainNative::GetOrInternString) - QCFuncElement("GetGrantSet", AppDomainNative::GetGrantSet) QCFuncElement("nSetupBindingPaths", AppDomainNative::SetupBindingPaths) QCFuncElement("nSetNativeDllSearchDirectories", AppDomainNative::SetNativeDllSearchDirectories) FCFuncElement("IsFinalizingForUnload", AppDomainNative::IsFinalizingForUnload) 
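Review bot: `UpdateLoaderOptimization` and `nSetDisableInterfaceCache` are loader and COM-interop entry points rather than CAS code, so their removal from gAppDomainFuncs goes beyond what the commit title describes. If the corresponding AppDomainNative implementations are not deleted in the same change they become unreachable dead code, and if their managed declarations survive they become runtime binding failures; a line in the commit message listing these non-security removals would help anyone bisecting a loader regression later.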
@@ -593,7 +570,7 @@ FCFuncStart(gAssemblyFuncs) QCFuncElement("GetSimpleName", AssemblyNative::GetSimpleName) QCFuncElement("GetVersion", AssemblyNative::GetVersion) FCFuncElement("FCallIsDynamic", AssemblyNative::IsDynamic) - FCFuncElement("_nLoad", AssemblyNative::Load) + FCFuncElement("nLoad", AssemblyNative::Load) QCFuncElement("GetType", AssemblyNative::GetType) QCFuncElement("GetManifestResourceInfo", AssemblyNative::GetManifestResourceInfo) QCFuncElement("GetModules", AssemblyNative::GetModules) @@ -602,10 +579,7 @@ FCFuncStart(gAssemblyFuncs) QCFuncElement("GetExportedTypes", AssemblyNative::GetExportedTypes) FCFuncElement("GetManifestResourceNames", AssemblyNative::GetManifestResourceNames) QCFuncElement("GetEntryPoint", AssemblyNative::GetEntryPoint) - QCFuncElement("IsAllSecurityTransparent", AssemblyNative::IsAllSecurityTransparent) - QCFuncElement("IsAllSecurityCritical", AssemblyNative::IsAllSecurityCritical) QCFuncElement("GetImageRuntimeVersion", AssemblyNative::GetImageRuntimeVersion) - FCFuncElement("IsReflectionOnly", AssemblyNative::IsReflectionOnly) FCFuncElement("GetManifestModule", AssemblyHandle::GetManifestModule) FCFuncElement("GetToken", AssemblyHandle::GetToken) FCFuncEnd() @@ -1080,8 +1054,6 @@ FCFuncStart(gCompilerFuncs) FCFuncElement("_RunClassConstructor", ReflectionInvocation::RunClassConstructor) FCFuncElement("_RunModuleConstructor", ReflectionInvocation::RunModuleConstructor) QCFuncElement("_CompileMethod", ReflectionInvocation::CompileMethod) - FCFuncElement("PrepareContractedDelegate", ReflectionInvocation::PrepareContractedDelegate) - FCFuncElement("ProbeForSufficientStack", ReflectionInvocation::ProbeForSufficientStack) FCFuncElement("ExecuteCodeWithGuaranteedCleanup", ReflectionInvocation::ExecuteCodeWithGuaranteedCleanup) FCFuncElement("GetHashCode", ObjectNative::GetHashCode) FCFuncElement("Equals", ObjectNative::Equals) 
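Review bot: Renaming `_nLoad` to `nLoad` in gAssemblyFuncs changes the name the FCall binds to, so the `[MethodImpl(MethodImplOptions.InternalCall)]` declaration in CoreLib must be renamed in the same change; nothing in this table is checked at compile time. The removals of `IsReflectionOnly` (gAssemblyFuncs) and `ProbeForSufficientStack` (gCompilerFuncs) are likewise not CAS entries and are worth naming in the description so the scope of the commit is clear.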
@@ -1243,14 +1215,9 @@ FCFuncStart(gGCHandleFuncs) FCFuncElement("InternalSet", MarshalNative::GCHandleInternalSet) FCFuncElement("InternalCompareExchange", MarshalNative::GCHandleInternalCompareExchange) FCFuncElement("InternalAddrOfPinnedObject", MarshalNative::GCHandleInternalAddrOfPinnedObject) - FCFuncElement("InternalCheckDomain", MarshalNative::GCHandleInternalCheckDomain) FCFuncEnd() -FCFuncStart(gVersioningHelperFuncs) - FCFuncElement("GetRuntimeId", GetRuntimeId_Wrapper) -FCFuncEnd() - FCFuncStart(gStreamFuncs) FCFuncElement("HasOverriddenBeginEndRead", StreamNative::HasOverriddenBeginEndRead) FCFuncElement("HasOverriddenBeginEndWrite", StreamNative::HasOverriddenBeginEndWrite) @@ -1488,7 +1455,6 @@ FCClassElement("ValueType", "System", gValueTypeFuncs) #ifdef FEATURE_COMINTEROP FCClassElement("Variant", "System", gVariantFuncs) #endif -FCClassElement("VersioningHelper", "System.Runtime.Versioning", gVersioningHelperFuncs) FCClassElement("WaitHandle", "System.Threading", gWaitHandleFuncs) FCClassElement("WeakReference", "System", gWeakReferenceFuncs) FCClassElement("WeakReference`1", "System", gWeakReferenceOfTFuncs) diff --git a/src/vm/eeconfig.cpp b/src/vm/eeconfig.cpp index 81f3957951..2ec6d39cdd 100644 --- a/src/vm/eeconfig.cpp +++ b/src/vm/eeconfig.cpp 
@@ -235,25 +235,15 @@ HRESULT EEConfig::Init() fLegacyComVTableLayout = false; fLegacyVirtualMethodCallVerification = false; fNewComVTableLayout = false; - iImpersonationPolicy = IMP_DEFAULT; #ifdef FEATURE_CORRUPTING_EXCEPTIONS // By default, there is not pre-V4 CSE policy fLegacyCorruptedStateExceptionsPolicy = false; #endif // FEATURE_CORRUPTING_EXCEPTIONS -#ifdef _DEBUG - fLogTransparencyErrors = false; -#endif // _DEBUG - fLegacyLoadMscorsnOnStartup = false; - fBypassStrongNameVerification = true; - fGeneratePublisherEvidence = true; - fEnforceFIPSPolicy = true; - fLegacyHMACMode = false; fNgenBindOptimizeNonGac = false; fStressLog = false; fCacheBindingFailures = true; - fDisableFusionUpdatesFromADManager = false; fDisableCommitThreadStack = false; fProbeForStackOverflow = true; @@ -293,9 +283,6 @@ HRESULT EEConfig::Init() // LS in DAC builds. Initialized via the environment variable TestDataConsistency fTestDataConsistency = false; #endif - - // TlbImp Stuff - fTlbImpSkipLoading = false; // In Thread::SuspendThread(), default the timeout to 2 seconds. If the suspension // takes longer, assert (but keep trying). @@ -1105,11 +1092,6 @@ HRESULT EEConfig::sync() fJitVerificationDisable = (GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_JitVerificationDisable, fJitVerificationDisable) != 0); - fLogTransparencyErrors = CLRConfig::GetConfigValue(CLRConfig::UNSUPPORTED_Security_LogTransparencyErrors) != 0; - - // TlbImp stuff - fTlbImpSkipLoading = (GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_TlbImpSkipLoading, fTlbImpSkipLoading) != 0); - iExposeExceptionsInCOM = GetConfigDWORD_DontUse_(CLRConfig::INTERNAL_ExposeExceptionsInCOM, iExposeExceptionsInCOM); #endif 
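Review bot: The sync() hunk stops reading `CLRConfig::UNSUPPORTED_Security_LogTransparencyErrors` and `CLRConfig::INTERNAL_TlbImpSkipLoading`; if no other reader remains, their entries in the config value table should be removed too, otherwise the knobs keep appearing to work while doing nothing. The Init() hunk also drops `fEnforceFIPSPolicy`, `fLegacyHMACMode` and `fTlbImpSkipLoading`, which are crypto and tlbimp settings rather than CAS state; their accessors go in the eeconfig.h hunks below, so the change is internally consistent, but the commit message should say these were removed as well.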
@@ -1381,19 +1363,6 @@ HRESULT EEConfig::GetConfiguration_DontUse_(__in_z LPCWSTR pKey, ConfigSearch di } } -LPCWSTR EEConfig::GetProcessBindingFile() -{ - LIMITED_METHOD_CONTRACT; - return g_pszHostConfigFile; -} - -SIZE_T EEConfig::GetSizeOfProcessBindingFile() -{ - LIMITED_METHOD_CONTRACT; - return g_dwHostConfigFile; -} - - bool EEConfig::RequireZap(LPCUTF8 assemblyName) const { LIMITED_METHOD_CONTRACT; diff --git a/src/vm/eeconfig.h b/src/vm/eeconfig.h index ae23f74755..1ec4460fd8 100644 --- a/src/vm/eeconfig.h +++ b/src/vm/eeconfig.h @@ -243,19 +243,6 @@ enum { OPT_BLENDED, OPT_RANDOM, OPT_DEFAULT = OPT_BLENDED }; -/* Control of impersonation flow: - FASTFLOW means that impersonation is flowed only if it has been achieved through managed means. This is the default and avoids a kernel call. - NOFLOW is the Everett default where we don't flow the impersonation at all - ALWAYSFLOW is the (potentially) slow mode where we will always flow the impersonation, regardless of how it was achieved (managed or p/invoke). Includes - a kernel call. - Keep in sync with values in SecurityContext.cs - */ -enum { - IMP_FASTFLOW = 0, - IMP_NOFLOW = 1, - IMP_ALWAYSFLOW = 2, - IMP_DEFAULT = IMP_FASTFLOW }; - enum ParseCtl { parseAll, // parse entire config file stopAfterRuntimeSection // stop after <runtime>...</runtime> section 
@@ -324,33 +311,6 @@ public: // Returns a bool to indicate if the legacy CSE (pre-v4) behaviour is enabled or not bool LegacyCorruptedStateExceptionsPolicy(void) const {LIMITED_METHOD_CONTRACT; return fLegacyCorruptedStateExceptionsPolicy; } #endif // FEATURE_CORRUPTING_EXCEPTIONS - - // SECURITY - unsigned ImpersonationMode(void) const - { - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - // MODE_ANY; - SO_TOLERANT; - } CONTRACTL_END; - return iImpersonationPolicy ; - } - void SetLegacyImpersonationPolicy() { LIMITED_METHOD_CONTRACT; iImpersonationPolicy = IMP_NOFLOW; } - void SetAlwaysFlowImpersonationPolicy() { LIMITED_METHOD_CONTRACT; iImpersonationPolicy = IMP_ALWAYSFLOW; } - -#ifdef _DEBUG - bool LogTransparencyErrors() const { LIMITED_METHOD_CONTRACT; return fLogTransparencyErrors; } - bool DisableTransparencyEnforcement() const { LIMITED_METHOD_CONTRACT; return fLogTransparencyErrors; } -#endif // _DEBUG - - void SetLegacyLoadMscorsnOnStartup(bool val) { LIMITED_METHOD_CONTRACT; fLegacyLoadMscorsnOnStartup = val; } - bool LegacyLoadMscorsnOnStartup(void) const { LIMITED_METHOD_CONTRACT; return fLegacyLoadMscorsnOnStartup; } - bool BypassTrustedAppStrongNames() const { LIMITED_METHOD_CONTRACT; return fBypassStrongNameVerification; } // See code:AssemblySecurityDescriptor::ResolveWorker#StrongNameBypass - bool GeneratePublisherEvidence(void) const { LIMITED_METHOD_CONTRACT; return fGeneratePublisherEvidence; } - bool EnforceFIPSPolicy() const { LIMITED_METHOD_CONTRACT; return fEnforceFIPSPolicy; } - bool LegacyHMACMode() const { LIMITED_METHOD_CONTRACT; return fLegacyHMACMode; } #ifdef FEATURE_COMINTEROP bool ComInsteadOfManagedRemoting() const {LIMITED_METHOD_CONTRACT; return m_fComInsteadOfManagedRemoting; } 
@@ -362,7 +322,6 @@ public: bool GenDebuggableCode(void) const {LIMITED_METHOD_CONTRACT; return fDebuggable; } bool IsStressOn(void) const {LIMITED_METHOD_CONTRACT; return fStressOn; } int GetAPIThreadStressCount(void) const {LIMITED_METHOD_CONTRACT; return apiThreadStressCount; } - bool TlbImpSkipLoading() const {LIMITED_METHOD_CONTRACT; return fTlbImpSkipLoading; } bool ShouldExposeExceptionsInCOMToConsole() const {LIMITED_METHOD_CONTRACT; return (iExposeExceptionsInCOM & 1) != 0; } bool ShouldExposeExceptionsInCOMToMsgBox() const {LIMITED_METHOD_CONTRACT; return (iExposeExceptionsInCOM & 2) != 0; } @@ -548,12 +507,6 @@ public: return fUseLegacyIdentityFormat; } - inline bool DisableFusionUpdatesFromADManager() const - { - LIMITED_METHOD_CONTRACT; - return fDisableFusionUpdatesFromADManager; - } - inline void SetDisableCommitThreadStack(bool val) { LIMITED_METHOD_CONTRACT; @@ -884,7 +837,6 @@ private: //---------------------------------------------------------------- // will come as a result won't matter. bool fCacheBindingFailures; bool fUseLegacyIdentityFormat; - bool fDisableFusionUpdatesFromADManager; bool fInited; // have we synced to the registry at least once? // Jit-config 
@@ -910,17 +862,6 @@ private: //---------------------------------------------------------------- bool fLegacyComHierarchyVisibility; // Old behavior allowing QIs for classes with invisible parents bool fLegacyComVTableLayout; // Old behavior passing out IClassX interface for IUnknown and IDispatch. bool fNewComVTableLayout; // New behavior passing out Basic interface for IUnknown and IDispatch. - - // SECURITY - unsigned iImpersonationPolicy; //control flow of impersonation in the SecurityContext. 0=FASTFLOW 1= -#ifdef _DEBUG - bool fLogTransparencyErrors; // don't throw on transparency errors, instead log to the CLR log file -#endif // _DEBUG - bool fLegacyLoadMscorsnOnStartup; // load mscorsn.dll when starting up the runtime. - bool fBypassStrongNameVerification; // bypass strong name verification of trusted app assemblies - bool fGeneratePublisherEvidence; // verify Authenticode signatures of assemblies during load, generating publisher evidence for them - bool fEnforceFIPSPolicy; // enforce that only FIPS certified crypto algorithms are created if the FIPS machine settting is enabled - bool fLegacyHMACMode; // HMACSHA384 and HMACSHA512 should default to the Whidbey block size LPUTF8 pszBreakOnClassLoad; // Halt just before loading this class @@ -971,9 +912,6 @@ private: //---------------------------------------------------------------- DWORD iExposeExceptionsInCOM; // Should we exposed exceptions that will be transformed into HRs? - // Tlb Tools - bool fTlbImpSkipLoading; - unsigned m_SuspendThreadDeadlockTimeoutMs; // Used in Thread::SuspendThread() unsigned m_SuspendDeadlockTimeout; // Used in Thread::SuspendRuntime. 
@@ -1179,8 +1117,6 @@ private: //---------------------------------------------------------------- public: HRESULT GetConfiguration_DontUse_(__in_z LPCWSTR pKey, ConfigSearch direction, __deref_out_opt LPCWSTR* value); - LPCWSTR GetProcessBindingFile(); // All flavors must support this method - SIZE_T GetSizeOfProcessBindingFile(); // All flavors must support this method DWORD GetConfigDWORDInternal_DontUse_ (__in_z LPCWSTR name, DWORD defValue, //for getting data in the constructor of EEConfig DWORD level=(DWORD) REGUTIL::COR_CONFIG_ALL, diff --git a/src/vm/eehash.cpp b/src/vm/eehash.cpp index e5d3c0bdeb..694fab7d2b 100644 --- a/src/vm/eehash.cpp +++ b/src/vm/eehash.cpp @@ -11,8 +11,6 @@ #include "common.h" #include "excep.h" #include "eehash.h" -#include "securityattributes.h" -#include "securitydeclarativecache.h" #include "stringliteralmap.h" #include "clsload.hpp" #include "typectxt.h" 
@@ -291,87 +289,6 @@ DWORD EEUnicodeStringLiteralHashTableHelper::Hash(EEStringData *pKey) return (HashBytes((const BYTE *) pKey->GetStringBuffer(), pKey->GetCharCount() * sizeof(WCHAR))); } -// ============================================================================ -// Permission set hash table helper. -// ============================================================================ - -EEHashEntry_t * EEPsetHashTableHelper::AllocateEntry(PsetCacheKey *pKey, BOOL bDeepCopy, void *pHeap) -{ - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - INJECT_FAULT(return NULL;); - } - CONTRACTL_END - - _ASSERTE(!bDeepCopy); - - EEHashEntry_t *pEntry; - - if (pHeap) { - - S_SIZE_T sizeEntry; - LoaderHeap *pLHeap; - - sizeEntry = S_SIZE_T(sizeof (BYTE)) * (S_SIZE_T)SIZEOF_EEHASH_ENTRY + - (S_SIZE_T)sizeof (PPsetCacheKey); - - pLHeap = (LoaderHeap*) pHeap; - - pEntry = (EEHashEntry_t *) - ((void*) pLHeap->AllocMem_NoThrow (sizeEntry)); - - } else { - pEntry = (EEHashEntry_t *) new (nothrow) - BYTE [SIZEOF_EEHASH_ENTRY + sizeof(PPsetCacheKey)]; - } - - if (pEntry) { - *((PPsetCacheKey*)pEntry->Key) = pKey; - } - - return pEntry; -} - -void EEPsetHashTableHelper::DeleteEntry(EEHashEntry_t *pEntry, void *pHeap) -{ - LIMITED_METHOD_CONTRACT; - - // - // If a heap is present, memory will be reclaimed as part of appdomain - // unload. 
- // - - if (pHeap == NULL) { - delete [] (BYTE*)pEntry; - } - -} - -BOOL EEPsetHashTableHelper::CompareKeys(EEHashEntry_t *pEntry, PsetCacheKey *pKey) -{ - LIMITED_METHOD_CONTRACT; - - PsetCacheKey *pThis = *((PPsetCacheKey*)pEntry->Key); - return pKey->IsEquiv(pThis); -} - -DWORD EEPsetHashTableHelper::Hash(PsetCacheKey *pKey) -{ - LIMITED_METHOD_CONTRACT; - - return pKey->Hash(); -} - -PsetCacheKey * EEPsetHashTableHelper::GetKey(EEHashEntry_t *pEntry) -{ - LIMITED_METHOD_CONTRACT; - - PsetCacheKey *pThis = *((PPsetCacheKey*)pEntry->Key); - return pThis; -} - // ============================================================================ // Instantiation hash table helper. diff --git a/src/vm/eehash.h b/src/vm/eehash.h index 8e92ad35d9..21b651c063 100644 --- a/src/vm/eehash.h +++ b/src/vm/eehash.h @@ -38,11 +38,8 @@ class AllocMemTracker; class ClassLoader; struct LockOwner; class NameHandle; -struct PsetCacheKey; class SigTypeContext; -typedef PsetCacheKey* PPsetCacheKey; - // The "blob" you get to store in the hash table typedef PTR_VOID HashDatum; @@ -481,20 +478,6 @@ public: typedef EEHashTable<EEStringData *, EEUnicodeStringLiteralHashTableHelper, TRUE> EEUnicodeStringLiteralHashTable; -// Permission set hash table. - -class EEPsetHashTableHelper -{ -public: - static EEHashEntry_t * AllocateEntry(PsetCacheKey *pKey, BOOL bDeepCopy, AllocationHeap Heap); - static void DeleteEntry(EEHashEntry_t *pEntry, AllocationHeap Heap); - static BOOL CompareKeys(EEHashEntry_t *pEntry, PsetCacheKey *pKey); - static DWORD Hash(PsetCacheKey *pKey); - static PsetCacheKey *GetKey(EEHashEntry_t *pEntry); -}; - -typedef EEHashTable<PsetCacheKey *, EEPsetHashTableHelper, FALSE> EEPsetHashTable; - // Generic pointer hash table helper. diff --git a/src/vm/eepolicy.cpp b/src/vm/eepolicy.cpp index 6bd389f579..db47e3fa27 100644 --- a/src/vm/eepolicy.cpp +++ b/src/vm/eepolicy.cpp 
@@ -19,6 +19,8 @@ #include "finalizerthread.h" #include "threadsuspend.h" +#include "typestring.h" + #ifndef FEATURE_PAL #include "dwreport.h" #endif // !FEATURE_PAL diff --git a/src/vm/eventpipejsonfile.cpp b/src/vm/eventpipejsonfile.cpp index f76959053c..2edd6f4366 100644 --- a/src/vm/eventpipejsonfile.cpp +++ b/src/vm/eventpipejsonfile.cpp @@ -4,6 +4,7 @@ #include "common.h" #include "eventpipejsonfile.h" +#include "typestring.h" #ifdef _DEBUG #ifdef FEATURE_PERFTRACING diff --git a/src/vm/excep.cpp b/src/vm/excep.cpp index 630d3f5f37..99ebe6d8ea 100644 --- a/src/vm/excep.cpp +++ b/src/vm/excep.cpp 
@@ -11451,38 +11451,24 @@ BOOL CEHelper::CanMethodHandleCE(PTR_MethodDesc pMethodDesc, CorruptionSeverity return TRUE; } - // Only SecurityCritical code can handle CE since only they can generate it. - // Even in full trusted assembly, transparent code cannot generate CE and thus, - // will not know how to handle it properly. - // - // Check if the method in question is SecurityCritical or not. - MethodSecurityDescriptor mdSec(pMethodDesc); - fCanMethodHandleSeverity = mdSec.IsCritical(); - - if (fCanMethodHandleSeverity) - { - // Reset the flag to FALSE - fCanMethodHandleSeverity = FALSE; - - // Since the method is Security Critical, now check if it is - // attributed to handle the CE or not. - IMDInternalImport *pImport = pMethodDesc->GetMDImport(); - if (pImport != NULL) - { - mdMethodDef methodDef = pMethodDesc->GetMemberDef(); - switch(severity) - { - case ProcessCorrupting: - fCanMethodHandleSeverity = (S_OK == pImport->GetCustomAttributeByName( - methodDef, - HANDLE_PROCESS_CORRUPTED_STATE_EXCEPTION_ATTRIBUTE, - NULL, - NULL)); - break; - default: - _ASSERTE(!"Unknown Exception Corruption Severity!"); - break; - } + // Since the method is Security Critical, now check if it is + // attributed to handle the CE or not. + IMDInternalImport *pImport = pMethodDesc->GetMDImport(); + if (pImport != NULL) + { + mdMethodDef methodDef = pMethodDesc->GetMemberDef(); + switch(severity) + { + case ProcessCorrupting: + fCanMethodHandleSeverity = (S_OK == pImport->GetCustomAttributeByName( + methodDef, + HANDLE_PROCESS_CORRUPTED_STATE_EXCEPTION_ATTRIBUTE, + NULL, + NULL)); + break; + default: + _ASSERTE(!"Unknown Exception Corruption Severity!"); + break; } } #endif // !DACCESS_COMPILE diff --git a/src/vm/frames.h b/src/vm/frames.h index d7daa7649b..108f9f792c 100644 --- a/src/vm/frames.h +++ b/src/vm/frames.h 
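Review bot: The comment `// Since the method is Security Critical, now check if it is attributed to handle the CE or not.` in CanMethodHandleCE is now stale, because the `MethodSecurityDescriptor`/`IsCritical()` gate that preceded it was removed and the attribute lookup runs for every method. I would reword it to `// All code is treated as full trust now; the only gate is the HandleProcessCorruptedStateExceptions attribute.`. Note also that the removed code explicitly reset `fCanMethodHandleSeverity = FALSE` before the attribute lookup, whereas the new code leaves the variable untouched when `pImport` is NULL; if it is not already initialised to FALSE earlier in the function (its start is outside the hunk), an explicit `fCanMethodHandleSeverity = FALSE;` before `if (pImport != NULL)` would preserve the old fail-closed result.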
@@ -137,8 +137,6 @@ // | // | // +-ExceptionFilterFrame - this frame wraps call to exception filter -// | -// +-SecurityContextFrame - place the security context of an assembly on the stack to ensure it will be included in security demands // //------------------------------------------------------------------------ #if 0 @@ -260,7 +258,6 @@ FRAME_TYPE_NAME(ExceptionFilterFrame) #if defined(_DEBUG) FRAME_TYPE_NAME(AssumeByrefFromJITStack) #endif // _DEBUG -FRAME_TYPE_NAME(SecurityContextFrame) #undef FRAME_ABSTRACT_TYPE_NAME #undef FRAME_TYPE_NAME 
@@ -3495,29 +3492,6 @@ public: GSCookie * GetGSCookiePtr() { LIMITED_METHOD_CONTRACT; return &m_gsCookie; } }; - -// The frame doesn't represent a transition of any sort, it's simply placed on the stack to represent an assembly that will be found -// and checked by stackwalking security demands. This can be used in scenarios where an assembly is implicitly controlling a -// security sensitive operation without being explicitly represented on the stack. For example, an assembly decorating one of its -// classes or methods with a custom attribute can implicitly cause the ctor or property setters for that attribute to be executed by -// a third party if they happen to browse the attributes on the assembly. -// Note: This frame is pushed from managed code, so be sure to keep the layout synchronized with that in -// bcl\system\reflection\customattribute.cs. -class SecurityContextFrame : public Frame -{ - VPTR_VTABLE_CLASS(SecurityContextFrame, Frame) - - Assembly *m_pAssembly; - -public: - virtual Assembly *GetAssembly() { LIMITED_METHOD_CONTRACT; return m_pAssembly; } - - void SetAssembly(Assembly *pAssembly) { LIMITED_METHOD_CONTRACT; m_pAssembly = pAssembly; } - - // Keep as last entry in class - DEFINE_VTABLE_GETTER_AND_CTOR_AND_DTOR(SecurityContextFrame) -}; - //------------------------------------------------------------------------ // These macros GC-protect OBJECTREF pointers on the EE's behalf. // In between these macros, the GC can move but not discard the protected diff --git a/src/vm/frameworkexceptionloader.cpp b/src/vm/frameworkexceptionloader.cpp index a33010e163..5885060676 100644 --- a/src/vm/frameworkexceptionloader.cpp +++ b/src/vm/frameworkexceptionloader.cpp @@ -8,6 +8,7 @@ #include "common.h" #include "frameworkexceptionloader.h" +#include "typeparse.h" struct ExceptionLocationData diff --git a/src/vm/i386/stublinkerx86.cpp b/src/vm/i386/stublinkerx86.cpp index 9742f9647f..195dd45a18 100644 --- a/src/vm/i386/stublinkerx86.cpp 
+++ b/src/vm/i386/stublinkerx86.cpp @@ -29,7 +29,6 @@ #include "dbginterface.h" #include "eeprofinterfaces.h" #include "eeconfig.h" -#include "securitydeclarative.h" #ifdef _TARGET_X86_ #include "asmconstants.h" #endif // _TARGET_X86_ diff --git a/src/vm/interpreter.cpp b/src/vm/interpreter.cpp index 010fee674b..ee10de7a3f 100644 --- a/src/vm/interpreter.cpp +++ b/src/vm/interpreter.cpp @@ -9868,7 +9868,6 @@ void Interpreter::DoCallWork(bool virtualCall, void* thisArg, CORINFO_RESOLVED_T GCX_FORBID(); // Some managed methods, believe it or not, can push capital-F Frames on the Frame chain. - // The example I've found involves SecurityContextFrame.Push/Pop. // If this happens, executing the EX_CATCH below will pop it, which is bad. // So detect that case, pop the explicitly-pushed frame, and push it again after the EX_CATCH. // (Asserting that there is only 1 such frame!) diff --git a/src/vm/invokeutil.cpp b/src/vm/invokeutil.cpp index 1c7173a12b..9efc84d711 100644 --- a/src/vm/invokeutil.cpp +++ b/src/vm/invokeutil.cpp 
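Review bot: The surviving comment in Interpreter::DoCallWork still claims that "Some managed methods ... can push capital-F Frames", but the only example it cited (SecurityContextFrame.Push/Pop, deleted by this commit) was removed from the sentence, so the pop/re-push workaround that follows (outside the hunk) is now justified by nothing visible. Either name a frame type that managed code still pushes, or mark the comment as historical: `// Historically this was SecurityContextFrame.Push/Pop (removed with CAS); kept defensively in case other managed-pushed Frames exist.`. A follow-up could confirm whether the re-push path is still reachable at all.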
@@ -1430,64 +1430,6 @@ bool RefSecContext::IsCalledFromInterop() return (pCaller == NULL); } -BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(MethodTable* pMT) -{ - WRAPPER_NO_CONTRACT; - - return Security::TypeRequiresTransparencyCheck(pMT, true); -} - -BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(MethodDesc* pMD, MethodTable* pInstanceMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (Security::IsMethodCritical(pMD) && !Security::IsMethodSafeCritical(pMD) - && pMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand()) - return TRUE; - - if (pMD->HasMethodInstantiation()) - { - Instantiation inst = pMD->GetMethodInstantiation(); - for (DWORD i = 0; i < inst.GetNumArgs(); i++) - { - TypeHandle th = inst[i]; - if (InvokeUtil::IsCriticalWithConversionToFullDemand(th.GetMethodTableOfElementType())) - return TRUE; - } - } - - if (pInstanceMT && InvokeUtil::IsCriticalWithConversionToFullDemand(pInstanceMT)) - return TRUE; - - return FALSE; -} - -BOOL InvokeUtil::IsCriticalWithConversionToFullDemand(FieldDesc* pFD, MethodTable* pInstanceMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (Security::IsFieldCritical(pFD) && !Security::IsFieldSafeCritical(pFD) - && pFD->GetModule()->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand()) - return TRUE; - - if (pInstanceMT && InvokeUtil::IsCriticalWithConversionToFullDemand(pInstanceMT)) - return TRUE; - - return FALSE; -} - void InvokeUtil::CanAccessClass(RefSecContext* pCtx, MethodTable* pClass, BOOL checkAccessForImplicitValueTypeCtor /*= FALSE*/) 
@@ -1522,100 +1464,10 @@ void InvokeUtil::CanAccessMethod(MethodDesc* pMeth, } CONTRACTL_END; - InvokeUtil::CheckAccessMethod(pSCtx, pParentMT, pInstanceMT, pMeth); - - - if (pMeth->RequiresLinktimeCheck()) - { - // The following logic turns link demands on the target method into full - // stack walks in order to close security holes in poorly written - // reflection users. - - - struct _gc - { - OBJECTREF refClassNonCasDemands; - OBJECTREF refClassCasDemands; - OBJECTREF refMethodNonCasDemands; - OBJECTREF refMethodCasDemands; - } gc; - ZeroMemory(&gc, sizeof(gc)); - - GCPROTECT_BEGIN(gc); - - // Fetch link demand sets from all the places in metadata where we might - // find them (class and method). These might be split into CAS and non-CAS - // sets as well. - Security::RetrieveLinktimeDemands(pMeth, - &gc.refClassCasDemands, - &gc.refClassNonCasDemands, - &gc.refMethodCasDemands, - &gc.refMethodNonCasDemands); - - // CAS Link Demands - if (gc.refClassCasDemands != NULL) - Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refClassCasDemands); - - if (gc.refMethodCasDemands != NULL) - Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refMethodCasDemands); - - // Non-CAS demands are not applied against a grant - // set, they're standalone. 
- if (gc.refClassNonCasDemands != NULL) - Security::CheckNonCasDemand(&gc.refClassNonCasDemands); - - if (gc.refMethodNonCasDemands != NULL) - Security::CheckNonCasDemand(&gc.refMethodNonCasDemands); - - GCPROTECT_END(); - - if (pMeth->IsNDirect() || - (pMeth->IsComPlusCall() && !pMeth->IsInterface())) - { - if (Security::IsTransparencyEnforcementEnabled()) - { - MethodDesc* pmdCaller = pSCtx->GetCallerMethod(); - - if (pmdCaller != NULL && - Security::IsMethodTransparent(pmdCaller)) - { - ThrowMethodAccessException(pSCtx, pMeth, IDS_E_TRANSPARENT_CALL_NATIVE); - } - } - } - - } - - // @todo: - //if (checkSkipVer && !Security::CanSkipVerification(pSCtx->GetCallerMethod()->GetModule())) - //Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSSKIPVERIFICATION); - //checkSkipVer is set only when the user tries to invoke a constructor on a existing object. - if (checkSkipVer) - { - if (Security::IsTransparencyEnforcementEnabled()) - { - MethodDesc *pCallerMD = pSCtx->GetCallerMethod(); - - // Interop (NULL) caller should be able to skip verification - if (pCallerMD != NULL && - Security::IsMethodTransparent(pCallerMD) && - !pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification()) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pMeth, "Attempt by a transparent method to use unverifiable code"); - } -#endif // _DEBUG - ThrowMethodAccessException(pCallerMD, pMeth, FALSE, IDS_E_TRANSPARENT_REFLECTION); - } - } - - } } #endif // #ifndef DACCESS_COMPILE 
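Review bot: With the link-demand, transparency and skip-verification blocks removed, CanAccessMethod's body is now just the `InvokeUtil::CheckAccessMethod` call, and the `checkSkipVer` parameter (visible in the removed `if (checkSkipVer)` branch) no longer affects anything; callers still pass it, so either drop it from the signature or mark it `(void)checkSkipVer; // verification is no longer enforced` so the dead parameter is not mistaken for a missing check. The signature and contract are outside the hunk, so removing the parameter needs a matching header change. A one-line comment at the top of the body saying that link demands, transparency and verifiability gates are gone because CoreCLR runs everything at full trust would save the next reader from reconstructing that security decision from history.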
@@ -1842,36 +1694,6 @@ void InvokeUtil::CheckAccess(RefSecContext *pCtx, _ASSERTE(canAccess); } -// If a method has a linktime demand attached, perform it. - -// static -void InvokeUtil::CheckLinktimeDemand(RefSecContext *pCtx, MethodDesc *pCalleeMD) { - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END - - if (pCalleeMD->RequiresLinktimeCheck()) - { - MethodDesc* pCallerMD = pCtx->GetCallerMethod(); - - if (pCallerMD) - { - Security::LinktimeCheckMethod(pCallerMD->GetAssembly(), pCalleeMD); - - // perform transparency checks as well - if (Security::RequiresTransparentAssemblyChecks(pCallerMD, pCalleeMD, NULL)) - { - Security::EnforceTransparentAssemblyChecks(pCallerMD, pCalleeMD); - } - } - } -} - /*static*/ AccessCheckOptions::AccessCheckType InvokeUtil::GetInvocationAccessCheckType(BOOL targetRemoted /*= FALSE*/) { @@ -1880,16 +1702,9 @@ AccessCheckOptions::AccessCheckType InvokeUtil::GetInvocationAccessCheckType(BOO if (targetRemoted) return AccessCheckOptions::kMemberAccess; - AppDomain * pAppDomain = GetAppDomain(); - - - if (pAppDomain->GetSecurityDescriptor()->IsFullyTrusted()) - // Ignore transparency so that reflection invocation is consistenct with LCG. - // There is no security concern because we are in Full Trust. - return AccessCheckOptions::kRestrictedMemberAccessNoTransparency; - - return AccessCheckOptions::kMemberAccess; - + // Ignore transparency so that reflection invocation is consistenct with LCG. + // There is no security concern because we are in Full Trust. + return AccessCheckOptions::kRestrictedMemberAccessNoTransparency; } #endif // CROSSGEN_COMPILE diff --git a/src/vm/invokeutil.h b/src/vm/invokeutil.h index 06aac9aaa3..cfa1a0e96b 100644 --- a/src/vm/invokeutil.h +++ b/src/vm/invokeutil.h 
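Review bot: The comment `// There is no security concern because we are in Full Trust.` in GetInvocationAccessCheckType used to sit under an `IsFullyTrusted()` test that is now gone, so it reads as an unsupported assertion; it should state the invariant it now relies on, e.g. `// CoreCLR has no partial trust: every AppDomain is fully trusted, so transparency is never enforced for reflection invocation (consistent with LCG).`, which also fixes the `consistenct` typo carried over from the old code. The only remaining branch is `targetRemoted`, so the function can no longer return `kMemberAccess` for a non-remoted target; if any caller still depended on that (not visible here), it deserves a line in the commit description.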
@@ -237,9 +237,6 @@ public: MethodTable* pInstanceMT, FieldDesc* pTargetField); - // If a method has a linktime demand attached, perform it. - static void CheckLinktimeDemand(RefSecContext *pCtx, MethodDesc *pMeth); - // // Check to see if the target of a reflection operation is on a remote object // @@ -268,10 +265,6 @@ public: return FALSE; } - static BOOL IsCriticalWithConversionToFullDemand(MethodTable* pMT); - static BOOL IsCriticalWithConversionToFullDemand(MethodDesc* pMD, MethodTable* pInstanceMT); - static BOOL IsCriticalWithConversionToFullDemand(FieldDesc* pFD, MethodTable* pInstanceMT); - static AccessCheckOptions::AccessCheckType GetInvocationAccessCheckType(BOOL targetRemoted = FALSE); static bool IsDangerousMethod(MethodDesc *pMD); diff --git a/src/vm/jithelpers.cpp b/src/vm/jithelpers.cpp index aaab58963b..d93331d74e 100644 --- a/src/vm/jithelpers.cpp +++ b/src/vm/jithelpers.cpp @@ -21,7 +21,6 @@ #include "float.h" // for isnan #include "dbginterface.h" #include "security.h" -#include "securitymeta.h" #include "dllimport.h" #include "gcheaputilities.h" #include "comdelegate.h" @@ -5460,7 +5459,7 @@ HCIMPL1(void, JIT_SecurityUnmanagedCodeException, CORINFO_CLASS_HANDLE typeHnd_) HELPER_METHOD_FRAME_BEGIN_ATTRIB_NOPOLL(Frame::FRAME_ATTR_EXCEPTION); // Set up a frame - Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE); + COMPlusThrow(kSecurityException); HELPER_METHOD_FRAME_END(); } 
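Review bot: `COMPlusThrow(kSecurityException)` in JIT_SecurityUnmanagedCodeException drops the detail that `Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE)` carried, so a caller now gets a SecurityException with only the default message and no indication that an unmanaged-code demand failed. If the helper is still reachable from JIT-generated code, pass a resource id so the message names the denied operation rather than throwing the bare exception kind; if nothing emits it after this change, it should be deleted with the rest of the CAS machinery rather than kept as a silent throw. Which of the two applies is not visible from this hunk.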
@@ -5654,328 +5653,47 @@ HCIMPLEND; // //======================================================================== -NOINLINE HCIMPL2(void, JIT_DelegateSecurityCheck_Internal, CORINFO_CLASS_HANDLE delegateHnd, CORINFO_METHOD_HANDLE calleeMethodHnd) -{ - FCALL_CONTRACT; - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - - TypeHandle delegateType(delegateHnd); - MethodDesc* pCallee = GetMethod(calleeMethodHnd); - - Security::EnforceTransparentDelegateChecks(delegateType.AsMethodTable(), pCallee); - - HELPER_METHOD_FRAME_END_POLL(); -} -HCIMPLEND - -#include <optsmallperfcritical.h> -/*************************************************************/ HCIMPL2(void, JIT_DelegateSecurityCheck, CORINFO_CLASS_HANDLE delegateHnd, CORINFO_METHOD_HANDLE calleeMethodHnd) { FCALL_CONTRACT; - - // If we're in full trust, then we don't enforce the delegate binding rules - if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted()) - { - return; - } - - // Tailcall to the real implementation - ENDFORBIDGC(); - HCCALL2(JIT_DelegateSecurityCheck_Internal, delegateHnd, calleeMethodHnd); } HCIMPLEND -#include <optdefault.h> - -/*************************************************************/ -//Make sure to allow check of 0 for COMPlus_Security_AlwaysInsertCallout -NOINLINE HCIMPL4(void, JIT_MethodAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_METHOD_HANDLE calleeMethodHnd, CORINFO_CLASS_HANDLE calleeTypeHnd, CorInfoSecurityRuntimeChecks check) -{ - FCALL_CONTRACT; - - // - // Verify with the security at runtime whether call is allowed. - // Throws an exception if the call is not allowed, returns if it is allowed. - // - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - - MethodDesc *pCaller = GetMethod(callerMethodHnd); - MethodDesc *pCallee = GetMethod(calleeMethodHnd); - // If we're being called because of a transparency violation (either a standard violation, or an attempt - // to call a conditional APTCA protected method from transparent code), process that now. 
- if (check & CORINFO_ACCESS_SECURITY_TRANSPARENCY) - { - Security::EnforceTransparentAssemblyChecks(pCaller, pCallee); - } - - // Also make sure that we have access to the type that the method lives on - TypeHandle calleeTH(calleeTypeHnd); - Security::DoSecurityClassAccessChecks(pCaller, calleeTH, check); - - // If the method has a generic instantiation, then we also need to do checks on its generic parameters - if (pCallee->HasMethodInstantiation()) - { - Instantiation instantiation = pCallee->GetMethodInstantiation(); - for (DWORD i = 0; i < instantiation.GetNumArgs(); i++) - { - TypeHandle argTH = instantiation[i]; - if (!argTH.IsGenericVariable()) - { - Security::DoSecurityClassAccessChecks(pCaller, argTH, check); - } - } - } - - HELPER_METHOD_FRAME_END_POLL(); -} -HCIMPLEND - - -#include <optsmallperfcritical.h> -/*************************************************************/ -//Make sure to allow check of 0 for COMPlus_Security_AlwaysInsertCallout HCIMPL4(void, JIT_MethodAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_METHOD_HANDLE calleeMethodHnd, CORINFO_CLASS_HANDLE calleeTypeHnd, CorInfoSecurityRuntimeChecks check) { FCALL_CONTRACT; - - MethodDesc *pCallerMD = GetMethod(callerMethodHnd); - _ASSERTE(GetMethod(callerMethodHnd)->IsRestored()); - _ASSERTE(GetMethod(calleeMethodHnd)->IsRestored()); - - - // If we don't need to process this callout, then exit early - if (Security::SecurityCalloutQuickCheck(pCallerMD)) - { - return; - } - - // Tailcall to the slow helper - ENDFORBIDGC(); - HCCALL4(JIT_MethodAccessCheck_Internal, callerMethodHnd, calleeMethodHnd, calleeTypeHnd, check); } HCIMPLEND -#include <optdefault.h> - -// Slower checks (including failure paths) for determining if a method has runtime access to a field -NOINLINE HCIMPL3(void, JIT_FieldAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_FIELD_HANDLE calleeFieldHnd, CorInfoSecurityRuntimeChecks check) -{ - FCALL_CONTRACT; - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - 
- MethodDesc *pCallerMD = GetMethod(callerMethodHnd); - FieldDesc *pFD = reinterpret_cast<FieldDesc *>(calleeFieldHnd); - - // We can get caller checks of 0 if we're in AlwaysInsertCallout mode, so make sure to do all of our - // work under checks for specific flags - - if (check & CORINFO_ACCESS_SECURITY_TRANSPARENCY) - { - _ASSERTE(pCallerMD != NULL); - StaticAccessCheckContext accessContext(pCallerMD); - - if (!Security::CheckCriticalAccess(&accessContext, NULL, pFD, NULL)) - { - ThrowFieldAccessException(pCallerMD, pFD, TRUE, IDS_E_CRITICAL_FIELD_ACCESS_DENIED); - } - } - - // Also make sure that we have access to the type that the field lives on - TypeHandle fieldTH(pFD->GetApproxEnclosingMethodTable()); - Security::DoSecurityClassAccessChecks(pCallerMD, fieldTH, check); - - HELPER_METHOD_FRAME_END_POLL(); -} -HCIMPLEND - -#include <optsmallperfcritical.h> -// Check to see if a method has runtime access to a field HCIMPL3(void, JIT_FieldAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_FIELD_HANDLE calleeFieldHnd, CorInfoSecurityRuntimeChecks check) { FCALL_CONTRACT; - _ASSERTE(GetMethod(callerMethodHnd)->IsRestored()); - _ASSERTE(((FieldDesc*)calleeFieldHnd)->GetEnclosingMethodTable()->IsRestored_NoLogging()); - - // We want to try to exit JIT_FieldAccessCheck as soon as possible, preferably without - // entering JIT_FieldAccessCheck_Internal. This method contains only quick checks to see if - // the access is definately allowed. More complete checks are done in the Internal method. - - MethodDesc *pCallerMD = GetMethod(callerMethodHnd); - - // If we don't need to process this callout at all, exit early - if (Security::SecurityCalloutQuickCheck(pCallerMD)) - { - return; - } - - // If the callout is for conditional APTCA only and we know the target is enabled, then we can also exit - // early - - // We couldn't quickly determine that this access is legal, so tailcall to the slower helper to do some - // more work to process the access. 
- ENDFORBIDGC(); - HCCALL3(JIT_FieldAccessCheck_Internal, callerMethodHnd, calleeFieldHnd, check); -} -HCIMPLEND -#include <optdefault.h> - -// Slower checks (including failure paths) for determining if a method has runtime access to a type -NOINLINE HCIMPL3(void, JIT_ClassAccessCheck_Internal, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_CLASS_HANDLE calleeClassHnd, CorInfoSecurityRuntimeChecks check) -{ - FCALL_CONTRACT; - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - - MethodDesc *pCallerMD = GetMethod(callerMethodHnd); - TypeHandle calleeClassTH(calleeClassHnd); - - Security::DoSecurityClassAccessChecks(pCallerMD, calleeClassTH, check); - - HELPER_METHOD_FRAME_END_POLL(); } HCIMPLEND -#include <optsmallperfcritical.h> -// Check to see if a method has runtime access to a type HCIMPL3(void, JIT_ClassAccessCheck, CORINFO_METHOD_HANDLE callerMethodHnd, CORINFO_CLASS_HANDLE calleeClassHnd, CorInfoSecurityRuntimeChecks check) { FCALL_CONTRACT; - _ASSERTE(GetMethod(callerMethodHnd)->IsRestored()); - _ASSERTE(TypeHandle(calleeClassHnd).IsRestored()); - - // We want to try to exit JIT_ClassAccessCheck as soon as possible, preferably without - // entering JIT_ClassAccessCheck_Internal. This method contains only quick checks to see if - // the access is definately allowed. More complete checks are done in the Internal method. - - MethodDesc *pCallerMD = GetMethod(callerMethodHnd); - - // If we don't need to prrocess the callout at all, exit early - if (Security::SecurityCalloutQuickCheck(pCallerMD)) - { - return; - } - - // If the callout is for conditional APTCA only, and we know the target is enabled, then we can also - // exit early - - // We couldn't quickly determine that this access is legal, so tailcall to the slower helper to do some - // more work processing the access. 
- ENDFORBIDGC(); - HCCALL3(JIT_ClassAccessCheck_Internal, callerMethodHnd, calleeClassHnd, check); } HCIMPLEND -#include <optdefault.h> - -NOINLINE HCIMPL2(void, JIT_Security_Prolog_Framed, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc) -{ - FCALL_CONTRACT; - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - { - ASSUME_BYREF_FROM_JIT_STACK_BEGIN(ppFrameSecDesc); - - MethodDesc *pCurrent = GetMethod(methHnd_); - - g_IBCLogger.LogMethodDescAccess(pCurrent); - - // Note: This check is replicated in JIT_Security_Prolog - if ((pCurrent->IsInterceptedForDeclSecurity() && - !(pCurrent->IsInterceptedForDeclSecurityCASDemandsOnly() && - SecurityStackWalk::HasFlagsOrFullyTrusted(0))) - ) - { - MethodSecurityDescriptor MDSecDesc(pCurrent); - MethodSecurityDescriptor::LookupOrCreateMethodSecurityDescriptor(&MDSecDesc); - // Do the Declarative CAS actions check - DeclActionInfo* pRuntimeDeclActionInfo = MDSecDesc.GetRuntimeDeclActionInfo(); - if (pRuntimeDeclActionInfo != NULL || pCurrent->IsLCGMethod()) - { - // Tell the debugger not to start on any managed code that we call in this method - FrameWithCookie<DebuggerSecurityCodeMarkFrame> __dbgSecFrame; - - Security::DoDeclarativeActions(pCurrent, pRuntimeDeclActionInfo, ppFrameSecDesc, &MDSecDesc); - - // Pop the debugger frame - __dbgSecFrame.Pop(); - } - } - - ASSUME_BYREF_FROM_JIT_STACK_END(); - } - HELPER_METHOD_FRAME_END_POLL(); -} -HCIMPLEND - -/*************************************************************/ -#include <optsmallperfcritical.h> HCIMPL2(void, JIT_Security_Prolog, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc) { FCALL_CONTRACT; - - // - // do the security prolog work - // - - MethodDesc *pCurrent = GetMethod(methHnd_); - - // Note: This check is replicated in JIT_Security_Prolog_Framed - if ((pCurrent->IsInterceptedForDeclSecurity() && - !(pCurrent->IsInterceptedForDeclSecurityCASDemandsOnly() && - SecurityStackWalk::HasFlagsOrFullyTrusted(0))) - // We don't necessarily need to do work for LCG 
methods, but we need a frame - // to find out for sure - || pCurrent->IsLCGMethod()) - { - // Tailcall to the slow helper - ENDFORBIDGC(); - HCCALL2(JIT_Security_Prolog_Framed, methHnd_, ppFrameSecDesc); - } } HCIMPLEND -#include <optdefault.h> -/*************************************************************/ -NOINLINE HCIMPL1(void, JIT_VerificationRuntimeCheck_Internal, CORINFO_METHOD_HANDLE methHnd_) +HCIMPL2(void, JIT_Security_Prolog_Framed, CORINFO_METHOD_HANDLE methHnd_, OBJECTREF* ppFrameSecDesc) { FCALL_CONTRACT; - - - HELPER_METHOD_FRAME_BEGIN_NOPOLL(); - { - // Transparent methods that contains unverifiable code is not allowed. - MethodDesc *pMethod = GetMethod(methHnd_); - SecurityTransparent::ThrowMethodAccessException(pMethod); - } - HELPER_METHOD_FRAME_END_POLL(); } HCIMPLEND -#include <optsmallperfcritical.h> -/*************************************************************/ HCIMPL1(void, JIT_VerificationRuntimeCheck, CORINFO_METHOD_HANDLE methHnd_) { FCALL_CONTRACT; - - if (SecurityStackWalk::HasFlagsOrFullyTrustedIgnoreMode(0)) - return; - // - // inject a full-demand for unmanaged code permission at runtime - // around methods in transparent assembly that contains unverifiable code - { - // Tailcall to the slow helper - ENDFORBIDGC(); - HCCALL1(JIT_VerificationRuntimeCheck_Internal, methHnd_); - } - } HCIMPLEND -#include <optdefault.h> - //======================================================================== diff --git a/src/vm/jitinterface.cpp b/src/vm/jitinterface.cpp index 6de4163c69..ef0e87fb3a 100644 --- a/src/vm/jitinterface.cpp +++ b/src/vm/jitinterface.cpp @@ -25,7 +25,6 @@ #include "float.h" // for isnan #include "dbginterface.h" #include "security.h" -#include "securitymeta.h" #include "dllimport.h" #include "gcheaputilities.h" #include "comdelegate.h" 
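Review bot: JIT_DelegateSecurityCheck, JIT_MethodAccessCheck, JIT_FieldAccessCheck, JIT_ClassAccessCheck, JIT_Security_Prolog, JIT_Security_Prolog_Framed and JIT_VerificationRuntimeCheck are now empty bodies containing only `FCALL_CONTRACT;`, with nothing saying the emptiness is intentional; a reader will take them for unfinished stubs or, worse, assume an access check still happens when the JIT emits the callout. Each should carry a comment such as `// Intentionally a no-op: CAS, transparency and verification enforcement were removed from CoreCLR; kept only so the JIT helper table stays stable.`. The better end state is for the JIT not to emit these callouts at all (the `CorInfoSecurityRuntimeChecks` plumbing on the jitinterface side), since an empty helper still costs a call on every guarded access; whether this commit does that elsewhere I cannot see from here. JIT_Security_Prolog_Framed also lost its `NOINLINE` and moved below JIT_Security_Prolog, which is harmless for a no-op but should be kept consistent with its declaration.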
@@ -154,18 +153,11 @@ BOOL ModifyCheckForDynamicMethod(DynamicResolver *pResolver,
 }
 else if (dwSecurityFlags & DynamicResolver::RestrictedSkipVisibilityChecks)
 {
- *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccess;
-
- // For compatibility, don't do transparency checks from dynamic methods in FT CoreCLR.
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
-
+ *pAccessCheckType = AccessCheckOptions::kRestrictedMemberAccessNoTransparency;
 }
 else
 {
- // For compatibility, don't do transparency checks from dynamic methods in FT CoreCLR.
- if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted())
- *pAccessCheckType = AccessCheckOptions::kNormalAccessNoTransparency;
+ *pAccessCheckType = AccessCheckOptions::kNormalAccessNoTransparency;
 }
 return doAccessCheck;
@@ -674,28 +666,7 @@ CorInfoCanSkipVerificationResult CEEInfo::canSkipMethodVerification(CORINFO_METH
 MODE_PREEMPTIVE;
 } CONTRACTL_END;
- CorInfoCanSkipVerificationResult canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP;
-
- JIT_TO_EE_TRANSITION();
-
- MethodDesc* pMD = GetMethod(ftnHnd);
-
-
-#ifdef _DEBUG
- if (g_pConfig->IsVerifierOff())
- {
- canSkipVerif = CORINFO_VERIFICATION_CAN_SKIP;
- }
- else
-#endif // _DEBUG
- {
- canSkipVerif = Security::JITCanSkipVerification(pMD);
- }
-
- EE_TO_JIT_TRANSITION();
-
- return canSkipVerif;
-
+ return CORINFO_VERIFICATION_CAN_SKIP;
 }
 /*********************************************************************/
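Review bot: The two now-unconditional `*pAccessCheckType = AccessCheckOptions::k...NoTransparency;` assignments lose the comment that justified them; the deleted lines explained that transparency checks were skipped only when the domain was fully trusted, and after the change nothing says why the NoTransparency variants are always chosen. A one-line comment above the `else if` branch, such as `// Transparency checks are never performed for dynamic methods (the domain is always treated as fully trusted).`, keeps that rationale next to the code. ModifyCheckForDynamicMethod's body begins and ends outside the hunk.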
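Review bot: `return CORINFO_VERIFICATION_CAN_SKIP;` is now unconditional, yet the function keeps its CONTRACTL (only `MODE_PREEMPTIVE;` is visible; the earlier contract lines are outside the hunk) and `ftnHnd` is no longer read, so a reader will look for the verifier switch that the removed `g_pConfig->IsVerifierOff()` branch used to consult. A comment on the return, `// CoreCLR never requires IL verification; the JIT may always skip it.`, records the new policy, and if the remaining contract lines only declared THROWS/GC_TRIGGERS for the removed JIT_TO_EE_TRANSITION, shrinking them to `LIMITED_METHOD_CONTRACT;` would match the trivial body. The same applies to canSkipVerification in the next hunk and to isDelegateCreationAllowed, which now returns `TRUE` unconditionally under the same contract.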
@@ -789,39 +760,7 @@ CorInfoCanSkipVerificationResult CEEInfo::canSkipVerification(
 MODE_PREEMPTIVE;
 } CONTRACTL_END;
- CorInfoCanSkipVerificationResult canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP;
-
- JIT_TO_EE_TRANSITION();
-
- Assembly * pAssem = GetModule(moduleHnd)->GetAssembly();
-
-#ifdef _DEBUG
- if (g_pConfig->IsVerifierOff())
- {
- canSkipVerif = CORINFO_VERIFICATION_CAN_SKIP;
- }
- else
-#endif // _DEBUG
- {
- //
- // fQuickCheckOnly is set only by calls from Zapper::CompileAssembly
- // because that allows us make a determination for the most
- // common full trust scenarios (local machine) without actually
- // resolving policy and bringing in a whole list of assembly
- // dependencies.
- //
- // The scenario of interest here is determing whether or not an
- // assembly MVID comparison is enough when loading an NGEN'd
- // assembly or if a full binary hash comparison must be done.
- //
-
- DomainAssembly * pAssembly = pAssem->GetDomainAssembly();
- canSkipVerif = Security::JITCanSkipVerification(pAssembly);
- }
-
- EE_TO_JIT_TRANSITION();
-
- return canSkipVerif;
+ return CORINFO_VERIFICATION_CAN_SKIP;
 }
 /*********************************************************************/
@@ -5557,15 +5496,6 @@ void CEEInfo::getCallInfo(
 TypeHandle callerTypeForSecurity = TypeHandle(pCallerForSecurity->GetMethodTable());
- //This just throws.
- if (pCalleeForSecurity->RequiresLinktimeCheck())
- {
- //hostProtectionAttribute(HPA) can be removed for coreclr mscorlib.dll
- //So if the call to LinktimeCheckMethod() is only b'coz of HPA then skip it
- if (!pCalleeForSecurity->RequiresLinkTimeCheckHostProtectionOnly())
- Security::LinktimeCheckMethod(pCallerForSecurity->GetAssembly(), pCalleeForSecurity);
- }
-
 //Passed various link-time checks. Now do access checks.
 BOOL doAccessCheck = TRUE;
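Review bot: The context comment `//Passed various link-time checks. Now do access checks.` is stale on the new side of the getCallInfo hunk: the `RequiresLinktimeCheck()` block it referred to is deleted and no link-time check precedes it any more. Replace it with `//Now do access checks.` so the next reader does not hunt for a check that no longer exists. getCallInfo continues outside the hunk on both sides.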
@@ -5651,69 +5581,7 @@ void CEEInfo::getCallInfo( } } } - - //Only do this if we're allowed to access the method under any circumstance. - if (canAccessMethod) - { - BOOL fNeedsTransparencyCheck = TRUE; - - // All LCG methods are transparent in CoreCLR. When we switch from PT - // to FT most user assemblies will become opportunistically critical. - // If a LCG method calls a method in such an assembly it will stop working. - // To avoid this we allow LCG methods to call user critical code in FT. - // There is no security concern because the domain is fully trusted anyway. - // There is nothing the LCG method can do that user code cannot do directly. - // This is also consistent with the desktop where a transparent->critical - // access will be converted to a demand and succeed in FT if the caller is - // level1 and the target is level2. - // See also AccessCheckOptions::DemandMemberAccess. - if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted() && pCallerForSecurity->IsLCGMethod()) - fNeedsTransparencyCheck = FALSE; - - if (fNeedsTransparencyCheck) - { - CorInfoSecurityRuntimeChecks runtimeChecks = CORINFO_ACCESS_SECURITY_NONE; - - // See if transparency requires the runtime check too - CorInfoIsAccessAllowedResult isCallAllowedResult = - Security::RequiresTransparentAssemblyChecks(pCallerForSecurity, pCalleeForSecurity, NULL); - - if (isCallAllowedResult != CORINFO_ACCESS_ALLOWED) - runtimeChecks = CORINFO_ACCESS_SECURITY_TRANSPARENCY; - - DebugSecurityCalloutStress(getMethodBeingCompiled(), isCallAllowedResult, runtimeChecks); - - if (isCallAllowedResult == CORINFO_ACCESS_RUNTIME_CHECK) - { - pResult->accessAllowed = CORINFO_ACCESS_RUNTIME_CHECK; - //Explain the callback to the JIT. 
- pResult->callsiteCalloutHelper.helperNum = CORINFO_HELP_METHOD_ACCESS_CHECK;
- pResult->callsiteCalloutHelper.numArgs = 4;
-
- pResult->callsiteCalloutHelper.args[0].Set(CORINFO_METHOD_HANDLE(pCallerForSecurity));
- pResult->callsiteCalloutHelper.args[1].Set(CORINFO_METHOD_HANDLE(pCalleeForSecurity));
- pResult->callsiteCalloutHelper.args[2].Set(CORINFO_CLASS_HANDLE(calleeTypeForSecurity.AsPtr()));
- pResult->callsiteCalloutHelper.args[3].Set(runtimeChecks);
-
- if (IsCompilingForNGen())
- {
- //see code:CEEInfo::getCallInfo for more information.
- if (pCallerForSecurity->ContainsGenericVariables()
- || pCalleeForSecurity->ContainsGenericVariables())
- {
- COMPlusThrowNonLocalized(kNotSupportedException, W("Cannot embed generic MethodDesc"));
- }
- }
- }
- else
- {
- _ASSERTE(pResult->accessAllowed == CORINFO_ACCESS_ALLOWED);
- _ASSERTE(isCallAllowedResult == CORINFO_ACCESS_ALLOWED);
- }
- }
- }
 }
- }
 //We're pretty much done at this point. Let's grab the rest of the information that the jit is going to
@@ -5967,18 +5835,7 @@ CorInfoHelpFunc CEEInfo::getNewHelper(CORINFO_RESOLVED_TOKEN * pResolvedToken, C
 }
 MethodTable* pMT = VMClsHnd.AsMethodTable();
-#ifdef FEATURE_COMINTEROP
- if (pMT->IsComObjectType() && !GetMethod(callerHandle)->GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode())
- {
- // Caller does not have permission to make interop calls. Generate a
- // special helper that will throw a security exception when called.
- result = CORINFO_HELP_SEC_UNMGDCODE_EXCPT;
- }
- else
-#endif // FEATURE_COMINTEROP
- {
- result = getNewHelperStatic(pMT);
- }
+ result = getNewHelperStatic(pMT);
 _ASSERTE(result != CORINFO_HELP_UNDEF);
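Review bot: After the deletion `pResult->accessAllowed` is no longer written on this path at all; the removed else-branch asserted it was already `CORINFO_ACCESS_ALLOWED` whenever no runtime check was needed, so its value now has to come entirely from the access check earlier in getCallInfo, outside the hunk. A short comment where the block used to be, e.g. `// accessAllowed is final here: no transparency check is issued at call sites, so no callout helper is requested.`, records that `CORINFO_HELP_METHOD_ACCESS_CHECK` is intentionally never emitted from this site. If this was the only place that populated `callsiteCalloutHelper`, that plumbing is presumably dead too and could go with the same cleanup. The function begins and ends outside the hunk.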
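Review bot: `result = getNewHelperStatic(pMT);` is now the only assignment, so `CORINFO_HELP_SEC_UNMGDCODE_EXCPT` is no longer produced here and `callerHandle` is no longer read in this hunk; if this was the helper's only producer, its enum entry and implementation should be retired in the same cleanup rather than left as an unreachable path. `callerHandle` stays part of the JIT/EE interface, so if it is not read elsewhere in the function a note at the signature (outside the hunk), `// callerHandle: unused, kept for the JIT/EE interface`, would explain the unused argument. getNewHelper's signature and remainder are outside the hunk.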
@@ -9734,18 +9591,7 @@ BOOL CEEInfo::isDelegateCreationAllowed (
 MODE_PREEMPTIVE;
 } CONTRACTL_END;
- BOOL isCallAllowed = FALSE;
-
- JIT_TO_EE_TRANSITION();
-
- TypeHandle delegateType(delegateHnd);
- MethodDesc* pCallee = GetMethod(calleeHnd);
-
- isCallAllowed = COMDelegate::ValidateSecurityTransparency(pCallee, delegateType.AsMethodTable());
-
- EE_TO_JIT_TRANSITION();
-
- return isCallAllowed;
+ return TRUE;
 }
 /*********************************************************************/
diff --git a/src/vm/marshalnative.cpp b/src/vm/marshalnative.cpp
index 7e1d63b7c1..17f39457b7 100644
--- a/src/vm/marshalnative.cpp
+++ b/src/vm/marshalnative.cpp
@@ -760,21 +760,6 @@ FCIMPL1(LPVOID, MarshalNative::GCHandleInternalAddrOfPinnedObject, OBJECTHANDLE
 FCIMPLEND
 // Make sure the handle is accessible from the current domain. (Throw if not.)
-FCIMPL1(VOID, MarshalNative::GCHandleInternalCheckDomain, OBJECTHANDLE handle)
-{
- FCALL_CONTRACT;
-
- if (handle == NULL)
- FCThrowArgumentVoid(W("handle"), W("Argument_ArgumentZero"));
-
- ADIndex index = HndGetHandleTableADIndex(HndGetHandleTable(handle));
-
- if (index.m_dwIndex != 1 && index != GetAppDomain()->GetIndex())
- FCThrowArgumentVoid(W("handle"), W("Argument_HandleLeak"));
-}
-FCIMPLEND
-
-// Make sure the handle is accessible from the current domain. (Throw if not.)
 FCIMPL1(INT32, MarshalNative::GCHandleInternalGetHandleType, OBJECTHANDLE handle)
 {
 FCALL_CONTRACT;
diff --git a/src/vm/marshalnative.h b/src/vm/marshalnative.h
index cff3f7eb63..872f784146 100644
--- a/src/vm/marshalnative.h
+++ b/src/vm/marshalnative.h
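Review bot: The surviving comment `// Make sure the handle is accessible from the current domain. (Throw if not.)` now sits directly above `GCHandleInternalGetHandleType`, which does not perform that check; the function it described was deleted in this marshalnative.cpp hunk. Replace it with a comment that matches the remaining function, e.g. `// Return the type of the given handle.`, or drop it, so the header does not promise a domain check that no longer happens. GCHandleInternalGetHandleType's body continues outside the hunk.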
@@ -80,7 +80,6 @@ public:
 static FCDECL3(VOID, GCHandleInternalSet, OBJECTHANDLE handle, Object *obj, CLR_BOOL isPinned);
 static FCDECL4(Object*, GCHandleInternalCompareExchange, OBJECTHANDLE handle, Object *obj, Object* oldObj, CLR_BOOL isPinned);
 static FCDECL1(LPVOID, GCHandleInternalAddrOfPinnedObject, OBJECTHANDLE handle);
- static FCDECL1(VOID, GCHandleInternalCheckDomain, OBJECTHANDLE handle);
 static FCDECL1(INT32, GCHandleInternalGetHandleType, OBJECTHANDLE handle);
 static FCDECL2(Object*, GetDelegateForFunctionPointerInternal, LPVOID FPtr, ReflectClassBaseObject* refTypeUNSAFE);
diff --git a/src/vm/memberload.cpp b/src/vm/memberload.cpp
index d19a4f6d61..aa5667dd21 100644
--- a/src/vm/memberload.cpp
+++ b/src/vm/memberload.cpp
@@ -24,7 +24,6 @@
 #include "stublink.h"
 #include "ecall.h"
 #include "dllimport.h"
-#include "verifier.hpp"
 #include "jitinterface.h"
 #include "eeconfig.h"
 #include "log.h"
diff --git a/src/vm/metasig.h b/src/vm/metasig.h
index 8e0ea0a773..c2dc42fb9d 100644
--- a/src/vm/metasig.h
+++ b/src/vm/metasig.h
@@ -343,9 +343,6 @@ DEFINE_METASIG(SM(ArrByte_RetObj, a(b), j))
 DEFINE_METASIG(SM(ArrByte_Bool_RetObj, a(b) F, j))
 DEFINE_METASIG(SM(ArrByte_ArrByte_RefObj_RetObj, a(b) a(b) r(j), j))
 DEFINE_METASIG_T(SM(PtrSByt_Int_Int_Encoding_RetStr, P(B) i i C(ENCODING), s))
-DEFINE_METASIG_T(SM(Evidence_RetEvidence, C(EVIDENCE), C(EVIDENCE)))
-DEFINE_METASIG_T(SM(Evidence_Asm_RetEvidence, C(EVIDENCE) C(ASSEMBLY), C(EVIDENCE)))
-DEFINE_METASIG_T(IM(Evidence_RetVoid, C(EVIDENCE), v))
 DEFINE_METASIG_T(SM(Void_RetRuntimeTypeHandle, _, g(RT_TYPE_HANDLE)))
 DEFINE_METASIG(SM(Void_RetIntPtr, _, I))
@@ -516,12 +513,8 @@ DEFINE_METASIG_T(IM(LicenseInteropHelper_GetLicInfo, g(RT_TYPE_HANDLE) r(i) r(i)
 // App Domain related defines
 DEFINE_METASIG(IM(Bool_Str_Str_ArrStr_ArrStr_RetVoid, F s s a(s) a(s), v))
-DEFINE_METASIG_T(IM(LoaderOptimization_RetVoid, g(LOADER_OPTIMIZATION), v))
-DEFINE_METASIG_T(IM(Evidence_Evidence_Bool_IntPtr_Bool_RetVoid, C(EVIDENCE) C(EVIDENCE) F I F, v))
-DEFINE_METASIG_T(SM(Str_Evidence_AppDomainSetup_RetAppDomain, s C(EVIDENCE) C(APPDOMAIN_SETUP), C(APP_DOMAIN)))
-DEFINE_METASIG_T(SM(Str_Evidence_Str_Str_Bool_RetAppDomain, s C(EVIDENCE) s s F, C(APP_DOMAIN)))
 DEFINE_METASIG_T(SM(Str_RetAppDomain, s, C(APP_DOMAIN)))
-DEFINE_METASIG_T(SM(Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj, s C(APPDOMAIN_SETUP) C(EVIDENCE) C(EVIDENCE) I s a(s) a(s), j))
+DEFINE_METASIG_T(SM(Str_AppDomainSetup_ArrStr_ArrStr_RetObj, s C(APPDOMAIN_SETUP) a(s) a(s), j))
 #ifdef FEATURE_COMINTEROP
 // System.AppDomain.OnReflectionOnlyNamespaceResolveEvent
 DEFINE_METASIG_T(IM(Assembly_Str_RetArrAssembly, C(ASSEMBLY) s, a(C(ASSEMBLY))))
diff --git a/src/vm/method.cpp b/src/vm/method.cpp
index 34ae6d9489..f770a09ddb 100644
--- a/src/vm/method.cpp
+++ b/src/vm/method.cpp
@@ -13,7 +13,6 @@
 #include "common.h"
 #include "security.h"
-#include "verifier.hpp"
 #include "excep.h"
 #include "dbginterface.h"
 #include "ecall.h"
@@ -2498,160 +2497,6 @@ void MethodDesc::Reset() } //******************************************************************************* -DWORD MethodDesc::GetSecurityFlagsDuringPreStub() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - - DWORD dwMethDeclFlags = 0; - DWORD dwMethNullDeclFlags = 0; - DWORD dwClassDeclFlags = 0; - DWORD dwClassNullDeclFlags = 0; - - if (IsInterceptedForDeclSecurity()) - { - HRESULT hr; - - BOOL fHasSuppressUnmanagedCodeAccessAttr = HasSuppressUnmanagedCodeAccessAttr();; - - hr = Security::GetDeclarationFlags(GetMDImport(), - GetMemberDef(), - &dwMethDeclFlags, - &dwMethNullDeclFlags, - &fHasSuppressUnmanagedCodeAccessAttr); - if (FAILED(hr)) - COMPlusThrowHR(hr); - - // We only care about runtime actions, here. - // Don't add security interceptors for anything else! - dwMethDeclFlags &= DECLSEC_RUNTIME_ACTIONS; - dwMethNullDeclFlags &= DECLSEC_RUNTIME_ACTIONS; - } - - MethodTable *pMT = GetMethodTable(); - if (!pMT->IsNoSecurityProperties()) - { - PSecurityProperties pSecurityProperties = pMT->GetClass()->GetSecurityProperties(); - _ASSERTE(pSecurityProperties); - - dwClassDeclFlags = pSecurityProperties->GetRuntimeActions(); - dwClassNullDeclFlags= pSecurityProperties->GetNullRuntimeActions(); - } - else - { - _ASSERTE( pMT->GetClass()->GetSecurityProperties() == NULL || - ( pMT->GetClass()->GetSecurityProperties()->GetRuntimeActions() == 0 - && pMT->GetClass()->GetSecurityProperties()->GetNullRuntimeActions() == 0 ) ); - } - - - // Build up a set of flags to indicate the actions, if any, - // for which we will need to set up an interceptor. - - // Add up the total runtime declarative actions so far. - DWORD dwSecurityFlags = dwMethDeclFlags | dwClassDeclFlags; - - // Add in a declarative demand for NDirect. - // If this demand has been overridden by a declarative check - // on a class or method, then the bit won't change. 
If it's - // overridden by an empty check, then it will be reset by the - // subtraction logic below. - if (IsNDirect()) - { - dwSecurityFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND; - } - - if (dwSecurityFlags) - { - // If we've found any declarative actions at this point, - // try to subtract any actions that are empty. - - // Subtract out any empty declarative actions on the method. - dwSecurityFlags &= ~dwMethNullDeclFlags; - - // Finally subtract out any empty declarative actions on the class, - // but only those actions that are not also declared by the method. - dwSecurityFlags &= ~(dwClassNullDeclFlags & ~dwMethDeclFlags); - } - - return dwSecurityFlags; -} - -//******************************************************************************* -DWORD MethodDesc::GetSecurityFlagsDuringClassLoad(IMDInternalImport *pInternalImport, - mdToken tkMethod, - mdToken tkClass, - DWORD *pdwClassDeclFlags, - DWORD *pdwClassNullDeclFlags, - DWORD *pdwMethDeclFlags, - DWORD *pdwMethNullDeclFlags) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - HRESULT hr; - - hr = Security::GetDeclarationFlags(pInternalImport, - tkMethod, - pdwMethDeclFlags, - pdwMethNullDeclFlags); - if (FAILED(hr)) - COMPlusThrowHR(hr); - - - if (!IsNilToken(tkClass) && (*pdwClassDeclFlags == 0xffffffff || *pdwClassNullDeclFlags == 0xffffffff)) - { - hr = Security::GetDeclarationFlags(pInternalImport, - tkClass, - pdwClassDeclFlags, - pdwClassNullDeclFlags); - if (FAILED(hr)) - COMPlusThrowHR(hr); - - } - - // Build up a set of flags to indicate the actions, if any, - // for which we will need to set up an interceptor. - - // Add up the total runtime declarative actions so far. - DWORD dwSecurityFlags = *pdwMethDeclFlags | *pdwClassDeclFlags; - - // Add in a declarative demand for NDirect. - // If this demand has been overridden by a declarative check - // on a class or method, then the bit won't change. 
If it's - // overridden by an empty check, then it will be reset by the - // subtraction logic below. - if (IsNDirect()) - { - dwSecurityFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND; - } - - if (dwSecurityFlags) - { - // If we've found any declarative actions at this point, - // try to subtract any actions that are empty. - - // Subtract out any empty declarative actions on the method. - dwSecurityFlags &= ~*pdwMethNullDeclFlags; - - // Finally subtract out any empty declarative actions on the class, - // but only those actions that are not also declared by the method. - dwSecurityFlags &= ~(*pdwClassNullDeclFlags & ~*pdwMethDeclFlags); - } - - return dwSecurityFlags; -} - -//******************************************************************************* Dictionary* MethodDesc::GetMethodDictionary() { WRAPPER_NO_CONTRACT; diff --git a/src/vm/method.hpp b/src/vm/method.hpp index f65bea5773..cdadba48c2 100644 --- a/src/vm/method.hpp +++ b/src/vm/method.hpp @@ -1224,12 +1224,6 @@ public: //================================================================== // Security... - DWORD GetSecurityFlagsDuringPreStub(); - DWORD GetSecurityFlagsDuringClassLoad(IMDInternalImport *pInternalImport, - mdToken tkMethod, mdToken tkClass, - DWORD *dwClassDeclFlags, DWORD *dwClassNullDeclFlags, - DWORD *dwMethDeclFlags, DWORD *dwMethNullDeclFlags); - inline DWORD RequiresLinktimeCheck() { LIMITED_METHOD_CONTRACT; diff --git a/src/vm/methodtable.cpp b/src/vm/methodtable.cpp index 21fab720f2..191efb83e9 100644 --- a/src/vm/methodtable.cpp +++ b/src/vm/methodtable.cpp @@ -27,7 +27,6 @@ #include "ecall.h" #include "dllimport.h" #include "gcdesc.h" -#include "verifier.hpp" #include "jitinterface.h" #include "eeconfig.h" #include "log.h" diff --git a/src/vm/methodtable.h b/src/vm/methodtable.h index 2ce9f2a883..2f77b27298 100644 --- a/src/vm/methodtable.h +++ b/src/vm/methodtable.h 
@@ -3077,19 +3077,6 @@ public:
 // SECURITY SEMANTICS
 //
-
- BOOL IsNoSecurityProperties()
- {
- LIMITED_METHOD_CONTRACT;
- return GetFlag(enum_flag_NoSecurityProperties);
- }
-
- void SetNoSecurityProperties()
- {
- LIMITED_METHOD_CONTRACT;
- SetFlag(enum_flag_NoSecurityProperties);
- }
-
 void SetIsAsyncPinType()
 {
 LIMITED_METHOD_CONTRACT;
@@ -3935,8 +3922,7 @@ private:
 enum_flag_HasModuleDependencies = 0x0080,
- enum_flag_NoSecurityProperties = 0x0100, // Class does not have security properties (that is,
- // GetClass()->GetSecurityProperties will return 0).
+ // enum_Unused = 0x0100,
 enum_flag_RequiresDispatchTokenFat = 0x0200,
diff --git a/src/vm/methodtablebuilder.cpp b/src/vm/methodtablebuilder.cpp
index 503c13af5b..5700a69f7f 100644
--- a/src/vm/methodtablebuilder.cpp
+++ b/src/vm/methodtablebuilder.cpp
@@ -23,10 +23,7 @@
 #include "ecmakey.h"
 #include "security.h"
 #include "customattribute.h"
-
-
-#ifdef FEATURE_COMINTEROP
-#endif
+#include "typestring.h"
 //*******************************************************************************
 // Helper functions to sort GCdescs by offset (decending order)
@@ -164,27 +161,6 @@ MethodTableBuilder::CreateClass( Module *pModule,
 COMPlusThrowHR(COR_E_TYPELOAD);
 }
-
- //
- // Initialize SecurityProperties structure
- //
-
- if (IsTdHasSecurity(dwAttrClass))
- {
- DWORD dwSecFlags;
- DWORD dwNullDeclFlags;
-
- hrToThrow = Security::GetDeclarationFlags(pInternalImport, cl, &dwSecFlags, &dwNullDeclFlags);
- if (FAILED(hrToThrow))
- COMPlusThrowHR(hrToThrow);
-
- // Security properties is an optional field. If we have a non-default value we need to ensure the
- // optional field descriptor has been allocated.
- EnsureOptionalFieldsAreAllocated(pEEClass, pamTracker, pAllocator->GetLowFrequencyHeap());
-
- pEEClass->GetSecurityProperties()->SetFlags(dwSecFlags, dwNullDeclFlags);
- }
-
-
 if (fHasLayout)
 pEEClass->SetHasLayout();
@@ -1927,20 +1903,6 @@ MethodTableBuilder::BuildMethodTableThrowing( // if there are context or thread static set the info in the method table optional members // - if (!bmtProp->fNoSanityChecks) - { - // If we have a non-interface class, then do inheritance security - // checks on it. The check starts by checking for inheritance - // permission demands on the current class. If these first checks - // succeeded, then the cached declared method list is scanned for - // methods that have inheritance permission demands. - VerifyInheritanceSecurity(); - - // If this is a type equivalent class, then check to see that security - // rules have been properly followed - VerifyEquivalenceSecurity(); - } - // Check for the RemotingProxy Attribute // structs with GC pointers MUST be pointer sized aligned because the GC assumes it if (IsValueClass() && pMT->ContainsPointers() && (bmtFP->NumInstanceFieldBytes % sizeof(void*) != 0)) 
@@ -3182,32 +3144,6 @@ MethodTableBuilder::EnumerateClassMethods() type = METHOD_TYPE_NORMAL; } - -#ifdef _DEBUG - // We don't allow stack based declarative security on ecalls, fcalls and - // other special purpose methods implemented by the EE (the interceptor - // we use doesn't play well with non-jitted stubs). - if ((type == METHOD_TYPE_FCALL || type == METHOD_TYPE_EEIMPL) && - (IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass()))) - { - DWORD dwSecFlags; - DWORD dwNullDeclFlags; - - if (IsTdHasSecurity(GetAttrClass()) && - SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, GetCl(), &dwSecFlags, &dwNullDeclFlags))) - { - CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS), - "Cannot add stack based declarative security to a class containing an ecall/fcall/special method."); - } - if (IsMdHasSecurity(dwMemberAttrs) && - SUCCEEDED(Security::GetDeclarationFlags(pMDInternalImport, tok, &dwSecFlags, &dwNullDeclFlags))) - { - CONSISTENCY_CHECK_MSG(!(dwSecFlags & ~dwNullDeclFlags & DECLSEC_RUNTIME_ACTIONS), - "Cannot add stack based declarative security to an ecall/fcall/special method."); - } - } -#endif // _DEBUG - // PInvoke methods are not permitted on collectible types if ((type == METHOD_TYPE_NDIRECT) && GetAssembly()->IsCollectible()) { 
@@ -4905,146 +4841,6 @@ VOID MethodTableBuilder::TestMethodImpl( return; } -//******************************************************************************* -void MethodTableBuilder::SetSecurityFlagsOnMethod(bmtRTMethod* pParentMethod, - MethodDesc* pNewMD, - mdToken tokMethod, - DWORD dwMemberAttrs, - bmtInternalInfo* bmtInternal, - bmtMetaDataInfo* bmtMetaData) -{ - STANDARD_VM_CONTRACT; - - DWORD dwMethDeclFlags = 0; - DWORD dwMethNullDeclFlags = 0; - DWORD dwClassDeclFlags = 0xffffffff; - DWORD dwClassNullDeclFlags = 0xffffffff; - - if ( IsMdHasSecurity(dwMemberAttrs) || IsTdHasSecurity(GetAttrClass()) || pNewMD->IsNDirect() ) - { - // Disable inlining for any function which does runtime declarative - // security actions. - DWORD dwRuntimeSecurityFlags = (pNewMD->GetSecurityFlagsDuringClassLoad(GetMDImport(), - tokMethod, - GetCl(), - &dwClassDeclFlags, - &dwClassNullDeclFlags, - &dwMethDeclFlags, - &dwMethNullDeclFlags) & DECLSEC_RUNTIME_ACTIONS); - if (dwRuntimeSecurityFlags) - { - // If we get here it means - // - We have some "runtime" actions on this method. We dont care about "linktime" demands - // - If this is a pinvoke method, then the unmanaged code access demand has not been suppressed - pNewMD->SetNotInline(true); - - pNewMD->SetInterceptedForDeclSecurity(); - - if (MethodSecurityDescriptor::IsDeclSecurityCASDemandsOnly(dwRuntimeSecurityFlags, tokMethod, GetMDImport())) - { - pNewMD->SetInterceptedForDeclSecurityCASDemandsOnly(); - } - } - } - - if ( IsMdHasSecurity(dwMemberAttrs) ) - { - // We only care about checks that are not empty... 
- dwMethDeclFlags &= ~dwMethNullDeclFlags; - - if ( dwMethDeclFlags & (DECLSEC_LINK_CHECKS|DECLSEC_NONCAS_LINK_DEMANDS) ) - { - pNewMD->SetRequiresLinktimeCheck(); - // if the link check is due to HP and nothing else, capture that in the flags too - if (dwMethDeclFlags & DECLSEC_LINK_CHECKS_HPONLY) - { - pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly(); - } - } - - if ( dwMethDeclFlags & (DECLSEC_INHERIT_CHECKS|DECLSEC_NONCAS_INHERITANCE) ) - { - pNewMD->SetRequiresInheritanceCheck(); - if (IsInterface()) - { - GetHalfBakedClass()->SetSomeMethodsRequireInheritanceCheck(); - } - } - } - - // Linktime checks on a method override those on a class. - // If the method has an empty set of linktime checks, - // then don't require linktime checking for this method. - if (!pNewMD->RequiresLinktimeCheck() && RequiresLinktimeCheck() && !(dwMethNullDeclFlags & DECLSEC_LINK_CHECKS) ) - { - - pNewMD->SetRequiresLinktimeCheck(); - if (RequiresLinktimeCheckHostProtectionOnly()) - { - pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly(); - } - } - - if ( pParentMethod != NULL && - (pParentMethod->GetMethodDesc()->RequiresInheritanceCheck() || - pParentMethod->GetMethodDesc()->ParentRequiresInheritanceCheck()) ) - { - pNewMD->SetParentRequiresInheritanceCheck(); - } - - // Methods on an interface that includes an UnmanagedCode check - // suppression attribute are assumed to be interop methods. We ask - // for linktime checks on these. - // Also place linktime checks on all P/Invoke calls. 
- if ( - pNewMD->IsNDirect() || - (pNewMD->IsComPlusCall() && !IsInterface())) - { - pNewMD->SetRequiresLinktimeCheck(); - } - -#if defined(FEATURE_CORESYSTEM) - // All public methods on public types will do a link demand of - // full trust, unless AllowUntrustedCaller attribute is set - if ( -#ifdef _DEBUG - g_pConfig->Do_AllowUntrustedCaller_Checks() && -#endif - !pNewMD->RequiresLinktimeCheck()) - { - // If the method is public (visible outside it's assembly), - // and the type is public and the assembly - // is not marked with AllowUntrustedCaller attribute, do - // a link demand for full trust on all callers note that - // this won't be effective on virtual overrides. The caller - // can allways do a virtual call on the base type / interface - - if (Security::MethodIsVisibleOutsideItsAssembly(dwMemberAttrs, GetAttrClass(), IsGlobalClass())) - { - _ASSERTE(GetClassLoader()); - _ASSERTE(GetAssembly()); - - // See if the Assembly has AllowUntrustedCallerChecks CA - // Pull this page in last - - if (!GetAssembly()->AllowUntrustedCaller()) - pNewMD->SetRequiresLinktimeCheck(); - } - } -#endif // defined(FEATURE_CORESYSTEM) - - // If it's a delegate BeginInvoke, we need to do a HostProtection check for synchronization - if(!pNewMD->RequiresLinktimeCheck() && IsDelegate()) - { - DelegateEEClass* pDelegateClass = (DelegateEEClass*)GetHalfBakedClass(); - if(pNewMD == pDelegateClass->m_pBeginInvokeMethod) - { - pNewMD->SetRequiresLinktimeCheck(); - pNewMD->SetRequiresLinkTimeCheckHostProtectionOnly(); // this link check is due to HP only - } - - } -} //******************************************************************************* // 
@@ -5326,10 +5122,6 @@ MethodTableBuilder::InitNewMethodDesc(
 }
 }
-
- // Declarative Security
- SetSecurityFlagsOnMethod(pParentMethod, pNewMD, pMethod->GetMethodSignature().GetToken(), pMethod->GetDeclAttrs(), bmtInternal, bmtMetaData);
-
 // Turn off inlining for any calls
 // that are marked in the metadata as not being inlineable.
 if(IsMiNoInlining(pMethod->GetImplAttrs()))
@@ -10405,12 +10197,6 @@ MethodTableBuilder::SetupMethodTable2(
 SetNonGCRegularStaticFieldBytes (bmtProp->dwNonGCRegularStaticFieldBytes);
 SetNonGCThreadStaticFieldBytes (bmtProp->dwNonGCThreadStaticFieldBytes);
- PSecurityProperties psp = GetSecurityProperties();
- // Check whether we have any runtime actions such as Demand, Assert etc
- // that can result in methods needing the security stub. We dont care about Linkdemands etc
- if ( !psp || (!psp->GetRuntimeActions() && !psp->GetNullRuntimeActions()))
- pMT->SetNoSecurityProperties();
-
 #ifdef FEATURE_TYPEEQUIVALENCE
 if (bmtProp->fHasTypeEquivalence)
 {
@@ -11554,49 +11340,6 @@ VOID MethodTableBuilder::HandleGCForValueClasses(MethodTable ** pByValueClassCac //******************************************************************************* // -// Helper method for VerifyInheritanceSecurity -// -VOID MethodTableBuilder::VerifyClassInheritanceSecurityHelper( - MethodTable *pParentMT, - MethodTable *pChildMT) -{ - CONTRACTL - { - STANDARD_VM_CHECK; - PRECONDITION(CheckPointer(pParentMT)); - PRECONDITION(CheckPointer(pChildMT)); - } - CONTRACTL_END; - - //@ASSUMPTION: The current class has been resolved to the point that - // we can construct a reflection object on the class or its methods. - // This is required for the security checks. - - // This method throws on failure. - Security::ClassInheritanceCheck(pChildMT, pParentMT); - -} - -//******************************************************************************* -// -// Helper method for VerifyInheritanceSecurity -// -VOID MethodTableBuilder::VerifyMethodInheritanceSecurityHelper( - MethodDesc *pParentMD, - MethodDesc *pChildMD) -{ - CONTRACTL { - STANDARD_VM_CHECK; - PRECONDITION(CheckPointer(pParentMD)); - PRECONDITION(CheckPointer(pChildMD)); - } CONTRACTL_END; - - Security::MethodInheritanceCheck(pChildMD, pParentMD); - -} - -//******************************************************************************* -// // Used by BuildMethodTable // // Check for the presence of type equivalence. If present, make sure 
@@ -11616,17 +11359,11 @@ void MethodTableBuilder::CheckForTypeEquivalence(
 {
 BOOL fTypeEquivalentNotPermittedDueToType = !(((IsComImport() || bmtProp->fComEventItfType) && IsInterface()) || IsValueClass() || IsDelegate());
 BOOL fTypeEquivalentNotPermittedDueToGenerics = bmtGenerics->HasInstantiation();
- BOOL fTypeEquivalentNotPermittedDueToSecurity = !GetModule()->GetSecurityDescriptor()->IsFullyTrusted();
 if (fTypeEquivalentNotPermittedDueToType || fTypeEquivalentNotPermittedDueToGenerics)
 {
 BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTBADTYPE);
 }
- else
- if (fTypeEquivalentNotPermittedDueToSecurity)
- {
- BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTNOTTRUSTED);
- }
 GetHalfBakedClass()->SetIsEquivalentType();
 }
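Review bot: With the `fTypeEquivalentNotPermittedDueToSecurity` branch removed, `IDS_CLASSLOAD_EQUIVALENTNOTTRUSTED` is no longer raised from CheckForTypeEquivalence; if this was its only use, the resource string should be removed from the resource table in the same change so the message does not survive as an orphan that nobody can reach. A one-line comment at the remaining `if`, `// Trust level no longer restricts type equivalence; only the shape of the type and generics do.`, would also tell a reader why the old third condition is gone. CheckForTypeEquivalence continues outside the hunk.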
@@ -11668,378 +11405,6 @@ void MethodTableBuilder::CheckForTypeEquivalence( #endif //FEATURE_TYPEEQUIVALENCE } -// Convert linktime security (including link demands and security critical checks) into inheritance security -// in order to prevent partial trust code from bypassing linktime checks via clever inheritance hierarchies. -// -// Arguments: -// pMDLinkDemand - The method containing the linktime security check that needs to be converted into an -// inheritance check -// -// Notes: -// #PartialTrustInterfaceMappingCheck -// -// Partial trust code can bypass the enforcement of link time security on any public virtual method of a -// base type by mapping an unprotected interface back to the base method. For instance: -// -// Full trust APTCA assembly A: -// class AptcaClass -// { -// [SecurityCritical] -// public virtual void CriticalMethod() { } -// -// [PermissionSet(SecurityAction.LinkDemand, Unrestricted = true)] -// public virtual void LinkDemandMethod() { } -// } -// -// Partial trust assembly B: -// interface IBypass -// { -// void CriticalMethod(); -// void LinkDemandMethod(); -// } -// -// class Bypass : AptcaClass, IBypass { } -// -// IBypass o = new Bypass(); -// o.CriticalMethod(); -// o.LinkDemandMethod(); -// -// Since the static type seen by the JIT is IBypass, and there is no link time security on IBypass, the -// partial trust code has stepped around the link time security checks. -// -// In order to prevent this, types which: -// 1. Are partially trusted AND -// 2. Cause an interface to be added to the type WHICH -// 3. Has a method implemented by a base type in a different assembly AND -// 4. The base type method has a link time check on it -// -// Convert the link time checks into inheritance checks. This effectively says that in order for partially -// trusted code to turn off link time security, it needs to have the right to directly satisfy that -// security itself. 
Since the partial trust code can call the protected method directly, it can also -// easily wrap the method in an unprotected new method and call through that there is no escalation of -// privilege. -// -// This method is only responsible for doing the actual inheritance demand conversion. -// VerifyInheritanceSecurity checks for the above set of conditions to know when such a conversion is -// necessary. -// -void MethodTableBuilder::ConvertLinkDemandToInheritanceDemand(MethodDesc *pMDLinkDemand) -{ - CONTRACTL - { - STANDARD_VM_CHECK; - PRECONDITION(CheckPointer(pMDLinkDemand)); - } - CONTRACTL_END; - - const bool fNeedTransparencyCheck = Security::IsMethodCritical(pMDLinkDemand) && - !Security::IsMethodSafeCritical(pMDLinkDemand); - const bool fNeedLinkDemandCheck = pMDLinkDemand->RequiresLinktimeCheck() && - !pMDLinkDemand->RequiresLinkTimeCheckHostProtectionOnly(); - - if (fNeedTransparencyCheck) - { - // The method being mapped to is security critical, so it effectively has a link time check for full - // trust on it. Therefore we need to convert to a full trust inheritance check - Security::FullTrustInheritanceDemand(GetAssembly()); - } - else if (fNeedLinkDemandCheck) - { - // The method being mapped to is protected with a legacy link demand. We need to retrieve the - // permission set that is being used to protect the code and then use it to issue an inheritance - // demand. - Security::InheritanceLinkDemandCheck(GetAssembly(), pMDLinkDemand); - } -} - -//******************************************************************************* -// -// Used by BuildMethodTable -// -// If we have a type equivalent class, then do equivalent security -// checks on it. The check starts by checking for that the class is -// transparent or treat as safe, and then does the same for any fields. 
-// - -void MethodTableBuilder::VerifyEquivalenceSecurity() -{ - STANDARD_VM_CONTRACT; - -#ifdef FEATURE_TYPEEQUIVALENCE - if (!bmtProp->fIsTypeEquivalent) - return; - - if (!GetHalfBakedMethodTable()->IsExternallyVisible()) - { - BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTNOTPUBLIC); - } - - if (Security::IsTypeCritical(GetHalfBakedMethodTable()) && - !Security::IsTypeSafeCritical(GetHalfBakedMethodTable())) - { - BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY); - } - - // Iterate through every field - FieldDesc *pFieldDescList = GetApproxFieldDescListRaw(); - for (UINT i = 0; i < bmtEnumFields->dwNumInstanceFields; i++) - { - FieldDesc *pFD = &pFieldDescList[i]; - - FieldSecurityDescriptor fieldSecDesc(pFD); - if (fieldSecDesc.IsCritical() && !fieldSecDesc.IsTreatAsSafe()) - { - BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY); - } - } - - // Iterate through every method - DeclaredMethodIterator methIt(*this); - while (methIt.Next()) - { - MethodDesc *pMD = methIt->GetMethodDesc(); - _ASSERTE(pMD != NULL); - if (pMD == NULL) - continue; - - MethodSecurityDescriptor methodSecDesc(pMD, FALSE); - if (Security::IsMethodCritical(pMD) && !Security::IsMethodSafeCritical(pMD)) - { - BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY); - } - } -#endif //FEATURE_TYPEEQUIVALENCE -} - -//******************************************************************************* -// -// Used by BuildMethodTable -// -// If we have a non-interface class, then do inheritance security -// checks on it. The check starts by checking for inheritance -// permission demands on the current class. If these first checks -// succeeded, then the cached declared method list is scanned for -// methods that have inheritance permission demands. 
-// - -void MethodTableBuilder::VerifyInheritanceSecurity() -{ - STANDARD_VM_CONTRACT; - - if (IsInterface()) - return; - - if (!Security::IsTransparencyEnforcementEnabled()) - return; - - // If we have a non-interface class, then do inheritance security - // checks on it. The check starts by checking for inheritance - // permission demands on the current class. If these first checks - // succeeded, then the cached declared method list is scanned for - // methods that have inheritance permission demands. - // - // If we are transparent, and every class up the inheritence chain is also entirely transparent, - // that means that no inheritence rules could be broken. If that's the case, we don't need to check - // each individual method. We special case System.Object since it is not entirely transparent, but - // every member which can be overriden is. - // - // This optimization does not currently apply for nested classes, since we may need to evaluate the - // outer class in the TypeSecurityDescriptor, and that could end up with a type loading recursion. - // - - const BOOL fCurrentTypeAllTransparent = GetHalfBakedClass()->IsNested() ? FALSE : Security::IsTypeAllTransparent(GetHalfBakedMethodTable()); - BOOL fInheritenceChainTransparent = FALSE; - - if (fCurrentTypeAllTransparent) - { - fInheritenceChainTransparent = TRUE; - MethodTable *pParentMT = GetParentMethodTable(); - while (fInheritenceChainTransparent && - pParentMT != NULL && - pParentMT != g_pObjectClass) - { - fInheritenceChainTransparent &= Security::IsTypeAllTransparent(pParentMT); - pParentMT = pParentMT->GetParentMethodTable(); - if (pParentMT != NULL && pParentMT->GetClass()->IsNested()) - { - fInheritenceChainTransparent = FALSE; - } - - } - } - - if (GetParentMethodTable() != NULL - && !fInheritenceChainTransparent - ) - { - // Check the parent for inheritance permission demands. 
- VerifyClassInheritanceSecurityHelper(GetParentMethodTable(), GetHalfBakedMethodTable()); - - // Iterate all the declared methods and check each of them for inheritance demands - DeclaredMethodIterator mIt(*this); - while (mIt.Next()) - { - MethodDesc * pMD = mIt.GetMDMethod()->GetMethodDesc(); - CONSISTENCY_CHECK(CheckPointer(pMD)); - - MethodDesc * pIntroducingMD = mIt.GetIntroducingMethodDesc(); - if (pIntroducingMD != NULL) - { - VerifyMethodInheritanceSecurityHelper(pIntroducingMD, pMD); - } - - // Make sure that we don't have a transparent method in a critical class; that will lead - // to situations where the method doesn't have access to the this pointer, so we want to - // fail now, rather than with a strange method access exception at invoke time - if (Security::IsTypeCritical(GetHalfBakedMethodTable()) && - !Security::IsTypeSafeCritical(GetHalfBakedMethodTable())) - { - if (!Security::IsMethodCritical(pMD) && !pMD->IsStatic()) - { - SecurityTransparent::ThrowTypeLoadException(pMD, IDS_E_TRANSPARENT_METHOD_CRITICAL_TYPE); - } - } - - // If this method is a MethodImpl, we need to verify that all - // decls are allowed to be overridden. - if (pMD->IsMethodImpl()) - { - // Iterate through each decl that this method is an impl for and - // test that inheritance demands are met. - MethodImpl *pMethodImpl = pMD->GetMethodImpl(); - for (DWORD iCurImpl = 0; iCurImpl < pMethodImpl->GetSize(); iCurImpl++) - { - MethodDesc *pDeclMD = pMethodImpl->GetImplementedMDs()[iCurImpl]; - _ASSERTE(pDeclMD != NULL); - // We deal with interfaces below, so don't duplicate work - if (!pDeclMD->IsInterface()) - { - VerifyMethodInheritanceSecurityHelper(pDeclMD, pMD); - } - } - } - } - } - - // Now we need to verify that we are meeting all inheritance demands - // that were placed on interfaces and their methods. 
The logic is as - // follows: for each method contributing an implementation to this type, - // if a method it could contribute to any interface described in the - // interface map, check that both method-level and type-level inheritance - // demands are met (only need to check type-level once per interface). - { - // We need to do a transparency check if the current type enforces the transparency inheritance - // rules. As an optimizaiton, we don't bother to do the check if the module is opportunistically - // critical because the transparency setup for opportunitically critical assemblies by definition - // statisfies the inheritance rules. - const SecurityTransparencyBehavior *pTransparencyBehavior = - GetAssembly()->GetSecurityTransparencyBehavior(); - ModuleSecurityDescriptor *pMSD = - ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - - const bool fNeedTransparencyInheritanceCheck = pTransparencyBehavior->AreInheritanceRulesEnforced() && - !pMSD->IsOpportunisticallyCritical(); - - - // See code:PartialTrustInterfaceMappingCheck - IAssemblySecurityDescriptor *pASD = GetAssembly()->GetSecurityDescriptor(); - const BOOL fNeedPartialTrustInterfaceMappingCheck = !pASD->IsFullyTrusted(); - - // Iterate through each interface - MethodTable *pMT = GetHalfBakedMethodTable(); - MethodTable::InterfaceMapIterator itfIt = pMT->IterateInterfaceMap(); - while (itfIt.Next()) - { - // Get current interface details - MethodTable *pCurItfMT = itfIt.GetInterface(); - CONSISTENCY_CHECK(CheckPointer(pCurItfMT)); - - if (fNeedTransparencyInheritanceCheck && - !(Security::IsTypeAllTransparent(itfIt.GetInterface()) && - fCurrentTypeAllTransparent) - ) - { - // An interface is introduced by this type either if it is explicitly declared on the - // type's interface list or if one of the type's explicit interfaces requires the - // interface. This is detected by seeing an interface which is not declared on this - // type, but also wasn't implemented by our parent. 
- // - // For instance: - // - // interface I1 { void M(); } - // interface I2 : I1 { } - // class B { public void M(); } - // class D : B, I2 { } - // - // In this case, when we see D pulls in I2 explictly (IsDeclaredOnType) but I1 only - // because I2 requires I2 (!IsDeclaredOnType and !IsImplementedByParent). - bmtInterfaceEntry interfaceEntry = bmtInterface->pInterfaceMap[itfIt.GetIndex()]; - BOOL fDeclaredOnType = interfaceEntry.IsDeclaredOnType() || - !interfaceEntry.IsImplementedByParent(); - - // Now iterate through every method contributing any implementation - // and if it lies within the interface vtable, then we must evaluate demands - // NOTE: Avoid caching the MethodData object for the type being built. - BOOL fImplementedOnCurrentType = FALSE; - MethodTable::MethodDataWrapper - hItfImplData(MethodTable::GetMethodData(itfIt.GetInterface(), pMT, FALSE)); - MethodTable::MethodIterator methIt(hItfImplData); - for (;methIt.IsValid(); methIt.Next()) - { - // Check the security only if valid method implementation exists! - if (methIt.GetTarget().IsNull() == FALSE) - { - MethodDesc *pMDImpl = methIt.GetMethodDesc(); - MethodDesc *pMDInterface = methIt.GetDeclMethodDesc(); - - // - // Check the security method helper if either: - // 1. The interface was explicitly declared by the current type (even if the - // interface implementation is found on a parent type) OR - // 2. The interface implementation method is on the current type - // - // For instance, we want to catch patterns such as: - // - // interface I { void M(); } - // class B { public void M(); } - // class D : B, I { } - // - // In which D causes I::M to map to B::M because D brought in the interface - // declaration. 
- // - - if (fDeclaredOnType || pMDImpl->GetMethodTable() == pMT) - { - // Check security on the interface for this method in its default slot placement - VerifyMethodInheritanceSecurityHelper(pMDInterface, pMDImpl); - - fImplementedOnCurrentType = TRUE; - } - - // See code:PartialTrustInterfaceMappingCheck - we need to see if we're mapping - // an interface to another type cross-assembly that might have requested link - // time protection. - if (fDeclaredOnType && fNeedPartialTrustInterfaceMappingCheck) - { - if (pMDImpl->GetAssembly() != GetAssembly()) - { - ConvertLinkDemandToInheritanceDemand(pMDImpl); - } - } - } - } - - // If any previous methods contributed to this interface's implementation, that means we - // need to check the type-level inheritance for the interface. - if (fDeclaredOnType || fImplementedOnCurrentType) - { - VerifyClassInheritanceSecurityHelper(pCurItfMT, pMT); - } - } - } - } -} - //******************************************************************************* // // Used by BuildMethodTable diff --git a/src/vm/methodtablebuilder.h b/src/vm/methodtablebuilder.h index 2aa36836e7..d1c99286aa 100644 --- a/src/vm/methodtablebuilder.h +++ b/src/vm/methodtablebuilder.h 
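Review bot: Deleting VerifyEquivalenceSecurity also drops its first check, `if (!GetHalfBakedMethodTable()->IsExternallyVisible()) BuildMethodTableThrowException(IDS_CLASSLOAD_EQUIVALENTNOTPUBLIC);`, which is a visibility rule on type-equivalent types rather than a CAS/transparency check, and none of the remaining hunks re-adds it. If that rule is still wanted, the natural home is the FEATURE_TYPEEQUIVALENCE branch of CheckForTypeEquivalence next to the IDS_CLASSLOAD_EQUIVALENTBADTYPE test; if it is intentionally dropped, IDS_CLASSLOAD_EQUIVALENTNOTPUBLIC (and IDS_CLASSLOAD_EQUIVALENTNOTTRUSTED / IDS_CLASSLOAD_EQUIVALENTTRANSPARENCY from the same deletions) are probably now unreferenced from native code. The hunk shows only the removed bodies, so whether any caller of VerifyInheritanceSecurity or VerifyEquivalenceSecurity survives elsewhere cannot be confirmed from here.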
@@ -229,10 +229,7 @@ private: BOOL HasExplicitFieldOffsetLayout() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->HasExplicitFieldOffsetLayout(); } BOOL IsManagedSequential() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->IsManagedSequential(); } BOOL HasExplicitSize() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->HasExplicitSize(); } - BOOL RequiresLinktimeCheck() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->RequiresLinktimeCheck(); } - BOOL RequiresLinktimeCheckHostProtectionOnly() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->RequiresLinkTimeCheckHostProtectionOnly(); } - - SecurityProperties* GetSecurityProperties() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->GetSecurityProperties(); } + #ifdef _DEBUG BOOL IsAppDomainAgilityDone() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->IsAppDomainAgilityDone(); } LPCUTF8 GetDebugClassName() { WRAPPER_NO_CONTRACT; return GetHalfBakedClass()->GetDebugClassName(); } @@ -2636,18 +2633,6 @@ private: GetMethodClassification(METHOD_TYPE type); // -------------------------------------------------------------------------------------------- - // Will determine if a method requires or inherits any security settings and will set the - // appropriate flags on the MethodDesc. - VOID - SetSecurityFlagsOnMethod( - bmtRTMethod * pParentMethod, - MethodDesc* pNewMD, - mdToken tokMethod, - DWORD dwMemberAttrs, - bmtInternalInfo* bmtInternal, - bmtMetaDataInfo* bmtMetaData); - - // -------------------------------------------------------------------------------------------- // Essentially, this is a helper method that combines calls to InitMethodDesc and // SetSecurityFlagsOnMethod. It then assigns the newly initialized MethodDesc to // the bmtMDMethod. 
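Review bot: The comment left in place directly under the removed SetSecurityFlagsOnMethod declaration still reads `combines calls to InitMethodDesc and SetSecurityFlagsOnMethod`, so after this hunk it documents a method that no longer exists. Reword it to match the new shape, e.g. `// Essentially, this is a helper method that calls InitMethodDesc and then assigns the newly initialized MethodDesc to the bmtMDMethod.` The declaration that comment belongs to lies past the end of the hunk, so its body should be checked for the same stale reference.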
@@ -2861,22 +2846,6 @@ private: VOID HandleGCForValueClasses( MethodTable **); - // These methods deal with inheritance security. They're executed - // after the type has been constructed, but before it is published. - VOID VerifyMethodInheritanceSecurityHelper( - MethodDesc *pParentMD, - MethodDesc *pChildMD); - - VOID VerifyClassInheritanceSecurityHelper( - MethodTable *pParentMT, - MethodTable *pChildMT); - - VOID ConvertLinkDemandToInheritanceDemand(MethodDesc *pMDLinkDemand); - - VOID VerifyInheritanceSecurity(); - - VOID VerifyEquivalenceSecurity(); - VOID VerifyVirtualMethodsImplemented(MethodTable::MethodData * hMTData); VOID CheckForTypeEquivalence( diff --git a/src/vm/mscorlib.h b/src/vm/mscorlib.h index 909b8a6870..24c87f3f64 100644 --- a/src/vm/mscorlib.h +++ b/src/vm/mscorlib.h 
@@ -70,25 +70,20 @@ DEFINE_CLASS_U(System, AppDomain, AppDomainBaseObject) DEFINE_FIELD_U(_domainManager, AppDomainBaseObject, m_pDomainManager) DEFINE_FIELD_U(_LocalStore, AppDomainBaseObject, m_LocalStore) DEFINE_FIELD_U(_FusionStore, AppDomainBaseObject, m_FusionTable) -DEFINE_FIELD_U(_SecurityIdentity, AppDomainBaseObject, m_pSecurityIdentity) -DEFINE_FIELD_U(_Policies, AppDomainBaseObject, m_pPolicies) DEFINE_FIELD_U(AssemblyLoad, AppDomainBaseObject, m_pAssemblyEventHandler) DEFINE_FIELD_U(_TypeResolve, AppDomainBaseObject, m_pTypeEventHandler) DEFINE_FIELD_U(_ResourceResolve, AppDomainBaseObject, m_pResourceEventHandler) DEFINE_FIELD_U(_AssemblyResolve, AppDomainBaseObject, m_pAsmResolveEventHandler) -DEFINE_FIELD_U(_applicationTrust, AppDomainBaseObject, m_pApplicationTrust) DEFINE_FIELD_U(_processExit, AppDomainBaseObject, m_pProcessExitEventHandler) DEFINE_FIELD_U(_domainUnload, AppDomainBaseObject, m_pDomainUnloadEventHandler) DEFINE_FIELD_U(_unhandledException, AppDomainBaseObject, m_pUnhandledExceptionEventHandler) DEFINE_FIELD_U(_compatFlags, AppDomainBaseObject, m_compatFlags) DEFINE_FIELD_U(_firstChanceException, AppDomainBaseObject, m_pFirstChanceExceptionHandler) DEFINE_FIELD_U(_pDomain, AppDomainBaseObject, m_pDomain) -DEFINE_FIELD_U(_HasSetPolicy, AppDomainBaseObject, m_bHasSetPolicy) -DEFINE_FIELD_U(_IsFastFullTrustDomain, AppDomainBaseObject, m_bIsFastFullTrustDomain) DEFINE_FIELD_U(_compatFlagsInitialized, AppDomainBaseObject, m_compatFlagsInitialized) DEFINE_CLASS(APP_DOMAIN, System, AppDomain) -DEFINE_METHOD(APP_DOMAIN, PREPARE_DATA_FOR_SETUP,PrepareDataForSetup,SM_Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj) +DEFINE_METHOD(APP_DOMAIN, PREPARE_DATA_FOR_SETUP,PrepareDataForSetup,SM_Str_AppDomainSetup_ArrStr_ArrStr_RetObj) DEFINE_METHOD(APP_DOMAIN, SETUP,Setup,SM_Obj_RetObj) DEFINE_METHOD(APP_DOMAIN, ON_ASSEMBLY_LOAD, OnAssemblyLoadEvent, IM_Assembly_RetVoid) DEFINE_METHOD(APP_DOMAIN, ON_RESOURCE_RESOLVE, 
OnResourceResolveEvent, IM_Assembly_Str_RetAssembly) @@ -98,9 +93,7 @@ DEFINE_METHOD(APP_DOMAIN, ON_ASSEMBLY_RESOLVE, OnAssemblyResolveEve DEFINE_METHOD(APP_DOMAIN, ON_DESIGNER_NAMESPACE_RESOLVE, OnDesignerNamespaceResolveEvent, IM_Str_RetArrStr) #endif //FEATURE_COMINTEROP DEFINE_METHOD(APP_DOMAIN, SETUP_DOMAIN, SetupDomain, IM_Bool_Str_Str_ArrStr_ArrStr_RetVoid) -DEFINE_METHOD(APP_DOMAIN, CREATE_APP_DOMAIN_MANAGER, CreateAppDomainManager, IM_RetVoid) DEFINE_METHOD(APP_DOMAIN, INITIALIZE_COMPATIBILITY_FLAGS, InitializeCompatibilityFlags, IM_RetVoid) -DEFINE_METHOD(APP_DOMAIN, INITIALIZE_DOMAIN_SECURITY, InitializeDomainSecurity, IM_Evidence_Evidence_Bool_IntPtr_Bool_RetVoid) DEFINE_CLASS(CLEANUP_WORK_LIST, StubHelpers, CleanupWorkList) 
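Review bot: The new binding `DEFINE_METHOD(APP_DOMAIN, PREPARE_DATA_FOR_SETUP,PrepareDataForSetup,SM_Str_AppDomainSetup_ArrStr_ArrStr_RetObj)` drops the two Evidence, the IntPtr and one Str argument, so three things outside this hunk must agree with it: the managed PrepareDataForSetup signature, a metasig entry named SM_Str_AppDomainSetup_ArrStr_ArrStr_RetObj, and the native caller that builds the argument array for this MethodDesc. None of them is visible here, and a mismatch is not a compile error — it shows up as a binder consistency failure in checked builds or as a wrong argument count at the call — so it is worth confirming the commit touches all three. The now-unused SM_Str_AppDomainSetup_Evidence_Evidence_IntPtr_Str_ArrStr_ArrStr_RetObj metasig can presumably be deleted in the same change.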
@@ -119,18 +112,8 @@ DEFINE_CLASS(APPDOMAIN_SETUP, System, AppDomainSetup) DEFINE_CLASS_U(System, AppDomainSetup, AppDomainSetupObject) DEFINE_FIELD_U(_Entries, AppDomainSetupObject, m_Entries) DEFINE_FIELD_U(_AppBase, AppDomainSetupObject, m_AppBase) -DEFINE_FIELD_U(_AppDomainInitializer, AppDomainSetupObject, m_AppDomainInitializer) -DEFINE_FIELD_U(_AppDomainInitializerArguments, AppDomainSetupObject, m_AppDomainInitializerArguments) -DEFINE_FIELD_U(_ApplicationTrust, AppDomainSetupObject, m_ApplicationTrust) -DEFINE_FIELD_U(_ConfigurationBytes, AppDomainSetupObject, m_ConfigurationBytes) -DEFINE_FIELD_U(_AppDomainManagerAssembly, AppDomainSetupObject, m_AppDomainManagerAssembly) -DEFINE_FIELD_U(_AppDomainManagerType, AppDomainSetupObject, m_AppDomainManagerType) DEFINE_FIELD_U(_CompatFlags, AppDomainSetupObject, m_CompatFlags) DEFINE_FIELD_U(_TargetFrameworkName, AppDomainSetupObject, m_TargetFrameworkName) -DEFINE_FIELD_U(_LoaderOptimization, AppDomainSetupObject, m_LoaderOptimization) -#ifdef FEATURE_COMINTEROP -DEFINE_FIELD_U(_DisableInterfaceCache, AppDomainSetupObject, m_DisableInterfaceCache) -#endif // FEATURE_COMINTEROP DEFINE_FIELD_U(_CheckedForTargetFrameworkName, AppDomainSetupObject, m_CheckedForTargetFrameworkName) #ifdef FEATURE_RANDOMIZED_STRING_HASHING DEFINE_FIELD_U(_UseRandomizedStringHashing, AppDomainSetupObject, m_UseRandomizedStringHashing) @@ -382,8 +365,6 @@ DEFINE_CLASS(EVENT_HANDLERGENERIC, System, EventHandler`1) DEFINE_CLASS(EVENT_INFO, Reflection, EventInfo) -DEFINE_CLASS(EVIDENCE, Policy, Evidence) - DEFINE_CLASS_U(System, Exception, ExceptionObject) DEFINE_FIELD_U(_className, ExceptionObject, _className) DEFINE_FIELD_U(_exceptionMethod, ExceptionObject, _exceptionMethod) 
@@ -541,8 +522,6 @@ DEFINE_METHOD(IREFLECT, INVOKE_MEMBER, InvokeMember, DEFINE_CLASS(LCID_CONVERSION_TYPE, Interop, LCIDConversionAttribute) #endif // FEATURE_COMINTEROP -DEFINE_CLASS(LOADER_OPTIMIZATION, System, LoaderOptimization) - DEFINE_CLASS(MARSHAL, Interop, Marshal) #ifdef FEATURE_COMINTEROP diff --git a/src/vm/multicorejitplayer.cpp b/src/vm/multicorejitplayer.cpp index 69868578d9..d7c2cec8a1 100644 --- a/src/vm/multicorejitplayer.cpp +++ b/src/vm/multicorejitplayer.cpp @@ -936,32 +936,10 @@ DomainAssembly * MulticoreJitProfilePlayer::LoadAssembly(SString & assemblyName) spec.SetBindingContext(m_pBinderContext); } - DomainAssembly *pDomainAssembly = NULL; - - // Setup the AssemblyLoadSecurity to perform the assembly load - GCX_COOP(); - - PTR_AppDomain pCurDomain = GetAppDomain(); - IApplicationSecurityDescriptor *pDomainSecDesc = pCurDomain->GetSecurityDescriptor(); - - OBJECTREF refGrantedPermissionSet = NULL; - AssemblyLoadSecurity loadSecurity; - - GCPROTECT_BEGIN(refGrantedPermissionSet); - - loadSecurity.m_dwSpecialFlags = pDomainSecDesc->GetSpecialFlags(); - refGrantedPermissionSet = pDomainSecDesc->GetGrantedPermissionSet(); - loadSecurity.m_pGrantSet = &refGrantedPermissionSet; - // Bind and load the assembly. - pDomainAssembly = spec.LoadDomainAssembly( + return spec.LoadDomainAssembly( FILE_LOADED, - &loadSecurity, FALSE); // Don't throw on FileNotFound. - - GCPROTECT_END(); - - return pDomainAssembly; } diff --git a/src/vm/object.h b/src/vm/object.h index cb3743cdb9..84834107e2 100644 --- a/src/vm/object.h +++ b/src/vm/object.h 
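Review bot: Besides removing the AssemblyLoadSecurity plumbing, the MulticoreJitProfilePlayer::LoadAssembly hunk removes the `GCX_COOP()` that previously covered the `spec.LoadDomainAssembly(...)` call, so the load now runs in whatever GC mode LoadAssembly is entered in. The cooperative switch existed to protect the OBJECTREF that is gone, so this is plausibly correct, but it is a behaviour change beyond the stated dead-code deletion and deserves a comment at the call such as `// No cooperative-mode switch needed: no OBJECTREFs are handled here any more`. The two-argument `return spec.LoadDomainAssembly(FILE_LOADED, FALSE);` also relies on the declaration losing its AssemblyLoadSecurity parameter in the same commit, which this hunk does not show; the enclosing LoadAssembly begins before the hunk.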
@@ -1489,30 +1489,7 @@ typedef SafeHandle * SAFEHANDLE; typedef SafeHandle * SAFEHANDLEREF; #endif // USE_CHECKED_OBJECTREFS -class PermissionListSetObject: public Object -{ - friend class MscorlibBinder; - -private: - OBJECTREF _firstPermSetTriple; - OBJECTREF _permSetTriples; - -public: - BOOL IsEmpty() - { - LIMITED_METHOD_CONTRACT; - return (_firstPermSetTriple == NULL && - _permSetTriples == NULL - ); - } -}; -#ifdef USE_CHECKED_OBJECTREFS -typedef REF<PermissionListSetObject> PERMISSIONLISTSETREF; -#else -typedef PermissionListSetObject* PERMISSIONLISTSETREF; -#endif - #define SYNCCTXPROPS_REQUIRESWAITNOTIFICATION 0x1 // Keep in sync with SynchronizationContext.cs SynchronizationContextFlags class ThreadBaseObject; @@ -1828,13 +1805,10 @@ class AppDomainBaseObject : public MarshalByRefObjectBaseObject OBJECTREF m_pDomainManager; // AppDomainManager for host settings. OBJECTREF m_LocalStore; OBJECTREF m_FusionTable; - OBJECTREF m_pSecurityIdentity; // Evidence associated with this domain - OBJECTREF m_pPolicies; // Array of context policies associated with this domain OBJECTREF m_pAssemblyEventHandler; // Delegate for 'loading assembly' event OBJECTREF m_pTypeEventHandler; // Delegate for 'resolve type' event OBJECTREF m_pResourceEventHandler; // Delegate for 'resolve resource' event OBJECTREF m_pAsmResolveEventHandler; // Delegate for 'resolve assembly' event - OBJECTREF m_pApplicationTrust; // App ApplicationTrust. OBJECTREF m_pProcessExitEventHandler; // Delegate for 'process exit' event. Only used in Default appdomain. OBJECTREF m_pDomainUnloadEventHandler; // Delegate for 'about to unload domain' event OBJECTREF m_pUnhandledExceptionEventHandler; // Delegate for 'unhandled exception' event 
@@ -1844,8 +1818,6 @@ class AppDomainBaseObject : public MarshalByRefObjectBaseObject OBJECTREF m_pFirstChanceExceptionHandler; // Delegate for 'FirstChance Exception' event AppDomain* m_pDomain; // Pointer to the BaseDomain Structure - CLR_BOOL m_bHasSetPolicy; // SetDomainPolicy has been called for this domain - CLR_BOOL m_bIsFastFullTrustDomain; // We know for sure that this is a homogeneous full trust domain. CLR_BOOL m_compatFlagsInitialized; protected: @@ -1865,44 +1837,12 @@ class AppDomainBaseObject : public MarshalByRefObjectBaseObject return m_pDomain; } - OBJECTREF GetSecurityIdentity() - { - LIMITED_METHOD_CONTRACT; - return m_pSecurityIdentity; - } - OBJECTREF GetAppDomainManager() { LIMITED_METHOD_CONTRACT; return m_pDomainManager; } - OBJECTREF GetApplicationTrust() - { - LIMITED_METHOD_CONTRACT; - return m_pApplicationTrust; - } - - BOOL GetIsFastFullTrustDomain() - { - LIMITED_METHOD_CONTRACT; - return !!m_bIsFastFullTrustDomain; - } - - - // Ref needs to be a PTRARRAYREF - void SetPolicies(OBJECTREF ref) - { - WRAPPER_NO_CONTRACT; - SetObjectReference(&m_pPolicies, ref, m_pDomain ); - } - BOOL HasSetPolicy() - { - LIMITED_METHOD_CONTRACT; - return m_bHasSetPolicy; - } - - // Returns the reference to the delegate of the first chance exception notification handler OBJECTREF GetFirstChanceExceptionNotificationHandler() { 
@@ -1921,18 +1861,8 @@ class AppDomainSetupObject : public Object protected: PTRARRAYREF m_Entries; STRINGREF m_AppBase; - OBJECTREF m_AppDomainInitializer; - PTRARRAYREF m_AppDomainInitializerArguments; - STRINGREF m_ApplicationTrust; - I1ARRAYREF m_ConfigurationBytes; - STRINGREF m_AppDomainManagerAssembly; - STRINGREF m_AppDomainManagerType; OBJECTREF m_CompatFlags; STRINGREF m_TargetFrameworkName; - INT32 m_LoaderOptimization; -#ifdef FEATURE_COMINTEROP - CLR_BOOL m_DisableInterfaceCache; -#endif // FEATURE_COMINTEROP CLR_BOOL m_CheckedForTargetFrameworkName; #ifdef FEATURE_RANDOMIZED_STRING_HASHING CLR_BOOL m_UseRandomizedStringHashing; @@ -1942,11 +1872,6 @@ class AppDomainSetupObject : public Object protected: AppDomainSetupObject() { LIMITED_METHOD_CONTRACT; } ~AppDomainSetupObject() { LIMITED_METHOD_CONTRACT; } - - public: -#ifdef FEATURE_RANDOMIZED_STRING_HASHING - BOOL UseRandomizedStringHashing() { LIMITED_METHOD_CONTRACT; return (BOOL) m_UseRandomizedStringHashing; } -#endif // FEATURE_RANDOMIZED_STRING_HASHING }; typedef DPTR(AppDomainSetupObject) PTR_AppDomainSetupObject; #ifdef USE_CHECKED_OBJECTREFS diff --git a/src/vm/pefile.cpp b/src/vm/pefile.cpp index c7870e6366..b54301f80a 100644 --- a/src/vm/pefile.cpp +++ b/src/vm/pefile.cpp @@ -207,23 +207,6 @@ template<class T> void CoTaskFree(T *p) NEW_WRAPPER_TEMPLATE1(CoTaskNewHolder, CoTaskFree<_TYPE>); -BOOL PEFile::CanLoadLibrary() -{ - WRAPPER_NO_CONTRACT; - - // Dynamic and resource modules don't need LoadLibrary. - if (IsDynamic() || IsResource()||IsLoaded()) - return TRUE; - - // If we're been granted skip verification, OK - if (HasSkipVerification()) - return TRUE; - - // Otherwise, we can only load if IL only. - return IsILOnly(); -} - - //----------------------------------------------------------------------------------------------------- // Catch attempts to load x64 assemblies on x86, etc. 
@@ -312,11 +295,6 @@ void PEFile::LoadLibrary(BOOL allowNativeSkip/*=TRUE*/) // if allowNativeSkip==F } #endif - // Don't do this if we are unverifiable - if (!CanLoadLibrary()) - ThrowHR(SECURITY_E_UNVERIFIABLE); - - // We need contents now if (!HasNativeImage()) { @@ -392,7 +370,6 @@ void PEFile::SetLoadedHMODULE(HMODULE hMod) { INSTANCE_CHECK; PRECONDITION(CheckPointer(hMod)); - PRECONDITION(CanLoadLibrary()); POSTCONDITION(CheckLoaded()); THROWS; GC_TRIGGERS; diff --git a/src/vm/pefile.h b/src/vm/pefile.h index 2856083123..dcdb80a1ad 100644 --- a/src/vm/pefile.h +++ b/src/vm/pefile.h @@ -130,9 +130,6 @@ private: friend class NativeImageDumper; #endif - // Load actually triggers loading side effects of the module. This should ONLY - // be done after validation has been passed - BOOL CanLoadLibrary(); public: void LoadLibrary(BOOL allowNativeSkip = TRUE); @@ -148,9 +145,6 @@ private: BOOL fFromThunk); void SetLoadedHMODULE(HMODULE hMod); - BOOL HasSkipVerification(); - void SetSkipVerification(); - // DO NOT USE !!! this is to be removed when we move to new fusion binding API friend class DomainAssembly; @@ -198,10 +192,6 @@ public: // Full name is the most descriptive name available (path, codebase, or name as appropriate) void GetCodeBaseOrName(SString &result); - - // Returns security information for the assembly based on the codebase - void GetSecurityIdentity(SString &codebase, SecZone *pdwZone, DWORD dwFlags, BYTE *pbUniqueID, DWORD *pcbUniqueID); - void InitializeSecurityManager(); #ifdef LOGGING // This is useful for log messages 
@@ -353,11 +343,6 @@ public: #endif // DACCESS_COMPILE PTR_CVOID GetLoadedImageContents(COUNT_T *pSize = NULL); - - // SetInProcSxSLoadVerified can run concurrently as we don't hold locks during LoadLibrary but - // it is the only flag that can be set during this phase so no mutual exclusion is necessary. - void SetInProcSxSLoadVerified() { LIMITED_METHOD_CONTRACT; m_flags |= PEFILE_SXS_LOAD_VERIFIED; } - BOOL IsInProcSxSLoadVerified() { LIMITED_METHOD_CONTRACT; return m_flags & PEFILE_SXS_LOAD_VERIFIED; } // ------------------------------------------------------------ // Native image access @@ -463,7 +448,7 @@ protected: PEFILE_SYSTEM = 0x01, PEFILE_ASSEMBLY = 0x02, PEFILE_MODULE = 0x04, - PEFILE_SKIP_VERIFICATION = 0x08, + // = 0x08, PEFILE_SKIP_MODULE_HASH_CHECKS= 0x10, PEFILE_ISTREAM = 0x100, #ifdef FEATURE_PREJIT @@ -472,7 +457,6 @@ protected: PEFILE_SAFE_TO_HARDBINDTO = 0x4000, // NGEN-only flag #endif PEFILE_INTROSPECTIONONLY = 0x400, - PEFILE_SXS_LOAD_VERIFIED = 0x2000 }; // ------------------------------------------------------------ diff --git a/src/vm/pefile.inl b/src/vm/pefile.inl index 44192ae3e7..47c921634d 100644 --- a/src/vm/pefile.inl +++ b/src/vm/pefile.inl @@ -186,24 +186,6 @@ inline BOOL PEFile::PassiveDomainOnly() } // ------------------------------------------------------------ -// Loader support routines -// ------------------------------------------------------------ - -inline void PEFile::SetSkipVerification() -{ - LIMITED_METHOD_CONTRACT; - - m_flags |= PEFILE_SKIP_VERIFICATION; -} - -inline BOOL PEFile::HasSkipVerification() -{ - LIMITED_METHOD_CONTRACT; - - return (m_flags & (PEFILE_SKIP_VERIFICATION | PEFILE_SYSTEM)) != 0; -} - -// ------------------------------------------------------------ // Descriptive strings // ------------------------------------------------------------ diff --git a/src/vm/prestub.cpp b/src/vm/prestub.cpp index fccec51bb3..921d376978 100644 --- a/src/vm/prestub.cpp +++ b/src/vm/prestub.cpp 
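Review bot: The replacement line `// = 0x08,` in the PEFILE flags enum is a bare commented-out value with no name, so a reader cannot tell whether 0x08 is reserved, retired or accidentally left behind. Either name the gap, e.g. `// 0x08 unused (was PEFILE_SKIP_VERIFICATION)`, or delete the line outright, since every remaining enumerator carries an explicit value and nothing depends on the slot being listed. The neighbouring `@@ -472` hunk removes PEFILE_SXS_LOAD_VERIFIED with no placeholder at all, so whichever convention is chosen should be applied to both.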
@@ -1571,9 +1571,6 @@ PCODE MethodDesc::DoPrestub(MethodTable *pDispatchingMT) } // end else if (IsIL() || IsNoMetadata()) else if (IsNDirect()) { - if (!GetModule()->GetSecurityDescriptor()->CanCallUnmanagedCode()) - Security::ThrowSecurityException(g_SecurityPermissionClassName, SPFLAGSUNMANAGEDCODE); - pCode = GetStubForInteropMethod(this); GetOrCreatePrecode(); } diff --git a/src/vm/reflectioninvocation.cpp b/src/vm/reflectioninvocation.cpp index 626e872255..05c4adf3d3 100644 --- a/src/vm/reflectioninvocation.cpp +++ b/src/vm/reflectioninvocation.cpp @@ -2081,33 +2081,6 @@ FCIMPL1(void, ReflectionInvocation::RunModuleConstructor, ReflectModuleBaseObjec } FCIMPLEND - -FCIMPL1(void, ReflectionInvocation::PrepareContractedDelegate, Object * delegateUNSAFE) -{ - CONTRACTL { - FCALL_CHECK; - PRECONDITION(CheckPointer(delegateUNSAFE, NULL_OK)); - } - CONTRACTL_END; - -} -FCIMPLEND - - -FCIMPL0(void, ReflectionInvocation::ProbeForSufficientStack) -{ - FCALL_CONTRACT; - -#ifdef FEATURE_STACK_PROBE - // probe for our entry point amount and throw if not enough stack - RetailStackProbe(ADJUST_PROBE(DEFAULT_ENTRY_PROBE_AMOUNT)); -#else - FCUnique(0x69); -#endif - -} -FCIMPLEND - // This method checks to see if there is sufficient stack to execute the average Framework method. // If there is not, then it throws System.InsufficientExecutionStackException. The limit for each // thread is precomputed when the thread is created. diff --git a/src/vm/runtimehandles.cpp b/src/vm/runtimehandles.cpp index 7e08dadc10..fa0feb8bc4 100644 --- a/src/vm/runtimehandles.cpp +++ b/src/vm/runtimehandles.cpp 
@@ -129,8 +129,6 @@ static BOOL CheckCAVisibilityFromDecoratedType(MethodTable* pCAMT, MethodDesc* p StaticAccessCheckContext accessContext(NULL, pDecoratedMT, pDecoratedModule->GetAssembly()); - // Don't do transparency check here. Custom attributes have different transparency rules. - // The checks are done by AllowCriticalCustomAttributes and CheckLinktimeDemands in CustomAttribute.cs. return ClassLoader::CanAccess( &accessContext, pCAMT, 
@@ -173,190 +171,6 @@ BOOL QCALLTYPE RuntimeMethodHandle::IsCAVisibleFromDecoratedType( } // static -BOOL QCALLTYPE RuntimeMethodHandle::IsSecurityCritical(MethodDesc *pMD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - BOOL fIsCritical = TRUE; - - BEGIN_QCALL; - - if (pMD == NULL) - COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle")); - - fIsCritical = Security::IsMethodCritical(pMD); - - END_QCALL; - - return fIsCritical; -} - -// static -BOOL QCALLTYPE RuntimeMethodHandle::IsSecuritySafeCritical(MethodDesc *pMD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - BOOL fIsSafeCritical = TRUE; - - BEGIN_QCALL; - - if (pMD == NULL) - COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle")); - - fIsSafeCritical = Security::IsMethodSafeCritical(pMD); - - END_QCALL; - - return fIsSafeCritical; -} - -// static -BOOL QCALLTYPE RuntimeMethodHandle::IsSecurityTransparent(MethodDesc *pMD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - BOOL fIsTransparent = TRUE; - - BEGIN_QCALL; - - if (pMD == NULL) - COMPlusThrowArgumentNull(NULL, W("Arg_InvalidHandle")); - - fIsTransparent = Security::IsMethodTransparent(pMD); - - END_QCALL; - - return fIsTransparent; -} - -FCIMPL2(FC_BOOL_RET, RuntimeMethodHandle::IsTokenSecurityTransparent, ReflectModuleBaseObject *pModuleUNSAFE, INT32 tkToken) { - CONTRACTL { - FCALL_CHECK; - } - CONTRACTL_END; - - REFLECTMODULEBASEREF refModule = (REFLECTMODULEBASEREF)ObjectToOBJECTREF(pModuleUNSAFE); - - if(refModule == NULL) - FCThrowRes(kArgumentNullException, W("Arg_InvalidHandle")); - - Module *pModule = refModule->GetModule(); - - BOOL bIsSecurityTransparent = TRUE; - - HELPER_METHOD_FRAME_BEGIN_RET_1(refModule); - { - bIsSecurityTransparent = Security::IsTokenTransparent(pModule, tkToken); - } - HELPER_METHOD_FRAME_END(); - - FC_RETURN_BOOL(bIsSecurityTransparent ); - -} -FCIMPLEND - -static bool 
DoAttributeTransparencyChecks(Assembly *pAttributeAssembly, Assembly *pDecoratedAssembly) -{ - CONTRACTL - { - THROWS; - MODE_COOPERATIVE; - GC_TRIGGERS; - PRECONDITION(CheckPointer(pAttributeAssembly)); - PRECONDITION(CheckPointer(pDecoratedAssembly)); - } - CONTRACTL_END; - - // Do transparency checks - if both the decorated assembly and attribute use the v4 security model, - // then we can do a direct transparency check. However, if the decorated assembly uses the v2 - // security model, then we need to convert the security critical attribute to looking as though it - // has a LinkDemand for full trust. - const SecurityTransparencyBehavior *pTargetTransparency = pDecoratedAssembly->GetSecurityTransparencyBehavior(); - const SecurityTransparencyBehavior *pAttributeTransparency = pAttributeAssembly->GetSecurityTransparencyBehavior(); - - // v2 transparency did not impose checks for using its custom attributes, so if the attribute is - // defined in an assembly using the v2 transparency model then we don't need to do any - // additional checks. - if (pAttributeTransparency->DoAttributesRequireTransparencyChecks()) - { - if (pTargetTransparency->CanTransparentCodeCallLinkDemandMethods() && - pAttributeTransparency->CanCriticalMembersBeConvertedToLinkDemand()) - { - // We have a v4 critical attribute being applied to a v2 transparent target. Since v2 - // transparency doesn't understand externally visible critical attributes, we convert the - // attribute to a LinkDemand for full trust. v2 transparency did not convert - // LinkDemands on its attributes into full demands so we do not do that second level of - // conversion here either. - Security::FullTrustLinkDemand(pDecoratedAssembly); - return true; - } - else - { - // If we are here either the target of the attribute uses the v4 security model, or the - // attribute itself uses the v2 model. 
In these cases, we cannot perform a conversion of - // the critical attribute into a LinkDemand, and we have an error condition. - return false; - } - } - - return true; -} - -FCIMPL3(void, RuntimeMethodHandle::CheckLinktimeDemands, ReflectMethodObject *pMethodUNSAFE, ReflectModuleBaseObject *pModuleUNSAFE, CLR_BOOL isDecoratedTargetSecurityTransparent) -{ - CONTRACTL - { - FCALL_CHECK; - PRECONDITION(CheckPointer(pModuleUNSAFE)); - PRECONDITION(CheckPointer(pMethodUNSAFE)); - } - CONTRACTL_END; - - if(!Security::IsTransparencyEnforcementEnabled()) - { - FCUnique(0xb0); - return; - } - - REFLECTMETHODREF refMethod = (REFLECTMETHODREF)ObjectToOBJECTREF(pMethodUNSAFE); - REFLECTMODULEBASEREF refModule = (REFLECTMODULEBASEREF)ObjectToOBJECTREF(pModuleUNSAFE); - - HELPER_METHOD_FRAME_BEGIN_2(refMethod, refModule); - { - MethodDesc *pCallee = refMethod->GetMethod(); // pCallee is the CA ctor or CA setter method - Module *pDecoratedModule = refModule->GetModule(); - - bool isAttributeSecurityCritical = Security::IsMethodCritical(pCallee) && - !Security::IsMethodSafeCritical(pCallee); - - if (isDecoratedTargetSecurityTransparent && isAttributeSecurityCritical) - { - if (!DoAttributeTransparencyChecks(pCallee->GetAssembly(), pDecoratedModule->GetAssembly())) - { - SecurityTransparent::ThrowMethodAccessException(pCallee); - } - } - - } - HELPER_METHOD_FRAME_END(); -} -FCIMPLEND - NOINLINE static ReflectClassBaseObject* GetRuntimeTypeHelper(LPVOID __me, TypeHandle typeHandle, OBJECTREF keepAlive) { FC_INNER_PROLOG_NO_ME_SETUP(); 
@@ -730,101 +544,6 @@ FCIMPL1(FC_BOOL_RET, RuntimeFieldHandle::AcquiresContextFromThis, FieldDesc *pFi } FCIMPLEND -// static -BOOL QCALLTYPE RuntimeFieldHandle::IsSecurityCritical(FieldDesc *pFD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - BOOL fIsCritical = FALSE; - - BEGIN_QCALL; - - fIsCritical = Security::IsFieldCritical(pFD); - - END_QCALL; - - return fIsCritical; -} - -// static -BOOL QCALLTYPE RuntimeFieldHandle::IsSecuritySafeCritical(FieldDesc *pFD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - BOOL fIsSafeCritical = FALSE; - - BEGIN_QCALL; - - fIsSafeCritical = Security::IsFieldSafeCritical(pFD); - - END_QCALL; - - return fIsSafeCritical; -} - -// static -BOOL QCALLTYPE RuntimeFieldHandle::IsSecurityTransparent(FieldDesc *pFD) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - BOOL fIsTransparent = FALSE; - - BEGIN_QCALL; - - fIsTransparent = Security::IsFieldTransparent(pFD); - - END_QCALL; - - return fIsTransparent; -} - -// static -void QCALLTYPE RuntimeFieldHandle::CheckAttributeAccess(FieldDesc *pFD, QCall::ModuleHandle pModule) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pFD)); - PRECONDITION(CheckPointer(pModule.m_pModule)); - } - CONTRACTL_END; - - if(!Security::IsTransparencyEnforcementEnabled()) - { - FCUnique(0xb1); - return; - } - - BEGIN_QCALL; - - if (Security::IsFieldCritical(pFD) && !Security::IsFieldSafeCritical(pFD)) - { - GCX_COOP(); - - if (!DoAttributeTransparencyChecks(pFD->GetModule()->GetAssembly(), pModule->GetAssembly())) - { - ThrowFieldAccessException(NULL, pFD, TRUE, IDS_E_CRITICAL_FIELD_ACCESS_DENIED); - } - } - - END_QCALL; -} - FCIMPL1(ReflectModuleBaseObject*, RuntimeTypeHandle::GetModule, ReflectClassBaseObject *pTypeUNSAFE) { CONTRACTL { FCALL_CHECK; 
@@ -1278,81 +997,6 @@ RuntimeTypeHandle::IsVisible( return fIsExternallyVisible; } // RuntimeTypeHandle::IsVisible -// static -BOOL QCALLTYPE RuntimeTypeHandle::IsSecurityCritical(EnregisteredTypeHandle pTypeHandle) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pTypeHandle)); - } - CONTRACTL_END; - - BOOL fIsCritical = FALSE; - - BEGIN_QCALL; - - MethodTable *pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable(); - if (pMT != NULL) - { - fIsCritical = Security::IsTypeCritical(pMT); - } - - END_QCALL; - - return fIsCritical; -} - -// static -BOOL QCALLTYPE RuntimeTypeHandle::IsSecuritySafeCritical(EnregisteredTypeHandle pTypeHandle) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pTypeHandle)); - } - CONTRACTL_END; - - BOOL fIsSafeCritical = FALSE; - - BEGIN_QCALL; - - MethodTable *pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable(); - if (pMT != NULL) - { - fIsSafeCritical = Security::IsTypeSafeCritical(pMT); - } - - END_QCALL; - - return fIsSafeCritical; -} - -// static -BOOL QCALLTYPE RuntimeTypeHandle::IsSecurityTransparent(EnregisteredTypeHandle pTypeHandle) -{ - CONTRACTL - { - QCALL_CHECK; - PRECONDITION(CheckPointer(pTypeHandle)); - } - CONTRACTL_END; - - BOOL fIsTransparent = TRUE; - - BEGIN_QCALL; - - MethodTable * pMT = TypeHandle::FromPtr(pTypeHandle).GetMethodTable(); - if (pMT != NULL) - { - fIsTransparent = Security::IsTypeTransparent(pMT); - } - - END_QCALL; - - return fIsTransparent; -} - FCIMPL1(FC_BOOL_RET, RuntimeTypeHandle::HasProxyAttribute, ReflectClassBaseObject *pTypeUNSAFE) { CONTRACTL { FCALL_CHECK; diff --git a/src/vm/runtimehandles.h b/src/vm/runtimehandles.h index 2963fbe84f..fc18d6f65c 100644 --- a/src/vm/runtimehandles.h +++ b/src/vm/runtimehandles.h 
@@ -196,15 +196,6 @@ public: static BOOL QCALLTYPE IsVisible(EnregisteredTypeHandle pTypeHandle); - - static - BOOL QCALLTYPE IsSecurityCritical(EnregisteredTypeHandle pTypeHandle); - - static - BOOL QCALLTYPE IsSecuritySafeCritical(EnregisteredTypeHandle pTypeHandle); - - static - BOOL QCALLTYPE IsSecurityTransparent(EnregisteredTypeHandle pTypeHandle); static FCDECL1(FC_BOOL_RET, HasProxyAttribute, ReflectClassBaseObject *pType); static FCDECL2(FC_BOOL_RET, IsComObject, ReflectClassBaseObject *pType, CLR_BOOL isGenericCOM); @@ -305,24 +296,12 @@ public: BOOL isBinderDefault, Assembly *caller, Assembly *reflectedClassAssembly, TypeHandle declaringType, SignatureNative* pSig, BOOL verifyAccess); static - BOOL QCALLTYPE IsSecurityCritical(MethodDesc *pMD); - - static - BOOL QCALLTYPE IsSecuritySafeCritical(MethodDesc *pMD); - - static - BOOL QCALLTYPE IsSecurityTransparent(MethodDesc *pMD); - - static FCDECL2(FC_BOOL_RET, IsTokenSecurityTransparent, ReflectModuleBaseObject *pModuleUNSAFE, INT32 tkToken); - - static BOOL QCALLTYPE IsCAVisibleFromDecoratedType( EnregisteredTypeHandle targetTypeHandle, MethodDesc * pTargetCtor, EnregisteredTypeHandle sourceTypeHandle, QCall::ModuleHandle sourceModuleHandle); - static FCDECL3(void, CheckLinktimeDemands, ReflectMethodObject *pMethodUNSAFE, ReflectModuleBaseObject *pModuleUNSAFE, CLR_BOOL isDecoratedTargetSecurityTransparent); static FCDECL4(void, SerializationInvoke, ReflectMethodObject *pMethodUNSAFE, Object* targetUNSAFE, Object* serializationInfoUNSAFE, struct StreamingContextData * pContext); 
@@ -398,18 +377,6 @@ public: static FCDECL1(INT32, GetToken, ReflectFieldObject *pFieldUNSAFE); static FCDECL2(FieldDesc*, GetStaticFieldForGenericType, FieldDesc *pField, ReflectClassBaseObject *pDeclaringType); static FCDECL1(FC_BOOL_RET, AcquiresContextFromThis, FieldDesc *pField); - - static - BOOL QCALLTYPE IsSecurityCritical(FieldDesc *pFD); - - static - BOOL QCALLTYPE IsSecuritySafeCritical(FieldDesc *pFD); - - static - BOOL QCALLTYPE IsSecurityTransparent(FieldDesc *pFD); - - static - void QCALLTYPE CheckAttributeAccess(FieldDesc *pFD, QCall::ModuleHandle pModule); }; class ModuleHandle { diff --git a/src/vm/security.cpp b/src/vm/security.cpp index 2afb946467..7a6c8b82ea 100644 --- a/src/vm/security.cpp +++ b/src/vm/security.cpp 
@@ -3,82 +3,46 @@ // See the LICENSE file in the project root for more information. // -// - - #include "common.h" #include "security.h" -#include "securitydescriptor.h" -#include "securitydescriptorappdomain.h" -#include "securitydescriptorassembly.h" - -IApplicationSecurityDescriptor * Security::CreateApplicationSecurityDescriptor(AppDomain * pDomain) -{ - WRAPPER_NO_CONTRACT; - - return static_cast<IApplicationSecurityDescriptor*>(new ApplicationSecurityDescriptor(pDomain)); -} - -IAssemblySecurityDescriptor* Security::CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator) -{ - WRAPPER_NO_CONTRACT; - - return static_cast<IAssemblySecurityDescriptor*>(new AssemblySecurityDescriptor(pDomain, pAssembly, pLoaderAllocator)); -} - -ISharedSecurityDescriptor* Security::CreateSharedSecurityDescriptor(Assembly* pAssembly) -{ - WRAPPER_NO_CONTRACT; - - return static_cast<ISharedSecurityDescriptor*>(new SharedSecurityDescriptor(pAssembly)); -} -void Security::DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor) -{ - WRAPPER_NO_CONTRACT; - - delete static_cast<SharedSecurityDescriptor *>(descriptor); -} - - -BOOL Security::IsTransparencyEnforcementEnabled() -{ - LIMITED_METHOD_CONTRACT; - - // No transparency enforcement in .NET Core - return FALSE; -} - -//--------------------------------------------------------------------------------------- -// -// Determine if security checks should be bypassed for a method because the method is -// being used by a profiler. // -// Profilers often do things like inject unverifiable IL or P/Invoke which won't be allowed -// if they're working with a transparent method. This hook allows those checks to be -// suppressed if we're currently profiling. -// -// Arguments: -// pMD - Method we're checking to see if security checks may be bypassed for +// The method in this file have nothing to do with security. They historically lived in security subsystem. 
+// TODO: Move them to move appropriate place. // -BOOL Security::BypassSecurityChecksForProfiler(MethodDesc *pMD) +void Security::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* ppbData, OUT DWORD* pcbData) { - CONTRACTL - { - NOTHROW; + CONTRACTL { + THROWS; GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; + MODE_COOPERATIVE; + PRECONDITION(CheckPointer(pArray)); + PRECONDITION(CheckPointer(ppbData)); + PRECONDITION(CheckPointer(pcbData)); + PRECONDITION(*pArray != NULL); + } CONTRACTL_END; + + DWORD size = (DWORD) (*pArray)->GetNumComponents(); + *ppbData = new BYTE[size]; + *pcbData = size; + + CopyMemory(*ppbData, (*pArray)->GetDirectPointerToNonObjectElements(), size); +} -#if defined(PROFILING_SUPPORTED) && !defined(CROSSGEN_COMPILE) - return CORProfilerPresent() && - CORProfilerBypassSecurityChecks() && - pMD->GetAssembly()->GetSecurityDescriptor()->IsFullyTrusted(); -#else - return FALSE; -#endif +void Security::CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray) +{ + CONTRACTL { + THROWS; + GC_TRIGGERS; + MODE_COOPERATIVE; + } CONTRACTL_END; + + U1ARRAYREF pObj; + _ASSERTE(pArray); + + pObj = (U1ARRAYREF)AllocatePrimitiveArray(ELEMENT_TYPE_U1,cbData); + memcpyNoGCRefs(pObj->m_Array, pbData, cbData); + *pArray = (OBJECTREF) pObj; } diff --git a/src/vm/security.h b/src/vm/security.h index 7f42c4b10b..fa4840998e 100644 --- a/src/vm/security.h +++ b/src/vm/security.h 
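Review bot: `Security::CopyByteArrayToEncoding` hands back a raw buffer from `new BYTE[size]` through `*ppbData` without saying who frees it; a one-line comment above the definition, `// *ppbData is allocated with new[] and owned by the caller; release with delete[].`, would pin the contract for the callers this helper is being kept for. The sibling `CopyEncodingToByteArray` checks its output parameter with a debug-only `_ASSERTE(pArray)` while its neighbour puts the same checks in the contract; `PRECONDITION(CheckPointer(pArray));` inside its `CONTRACTL` block would make the two consistent and keep the check in release builds. The `(DWORD)` cast on `GetNumComponents()` truncates silently if the element count ever exceeds 32 bits - whether a U1 array can reach that here I cannot tell from the diff. The new header comment also reads `The method in this file have nothing to do with security` / `Move them to move appropriate place`; it should say `The methods in this file have nothing to do with security` and `Move them to a more appropriate place`.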
@@ -3,23 +3,13 @@ // See the LICENSE file in the project root for more information. // - -// - - #ifndef __security_h__ #define __security_h__ -#include "securitypolicy.h" -#include "securityattributes.h" -#include "securitydeclarativecache.h" -#include "securitydeclarative.h" -#include "securitytransparentassembly.h" - - -class IAssemblySecurityDescriptor; -class IApplicationSecurityDescriptor; -class IPEFileSecurityDescriptor; +// +// Stubbed out implementation of security subsystem +// TODO: Eliminate this file +// enum SecurityStackWalkType { 
@@ -33,280 +23,71 @@ enum SecurityStackWalkType SSWT_GET_ZONE_AND_URL = 8, }; -// AssemblyLoadSecurity is used to describe to the loader security information to apply to an assembly at -// load time. This includes information such as the assembly's evidence, as well as if we should resolve -// policy on the assembly or push a grant set to its security descriptor. -struct AssemblyLoadSecurity -{ - OBJECTREF *m_pEvidence; - OBJECTREF *m_pAdditionalEvidence; - OBJECTREF *m_pGrantSet; - OBJECTREF *m_pRefusedSet; - DWORD m_dwSpecialFlags; - bool m_fCheckLoadFromRemoteSource; - bool m_fSuppressSecurityChecks; - bool m_fPropagatingAnonymouslyHostedDynamicMethodGrant; - - inline AssemblyLoadSecurity(); - - // Should the assembly have policy resolved on it, or should it use a pre-determined grant set - inline bool ShouldResolvePolicy(); -}; +// special flags +#define SECURITY_UNMANAGED_CODE 0 +#define SECURITY_SKIP_VER 1 +#define REFLECTION_TYPE_INFO 2 +#define SECURITY_ASSERT 3 +#define REFLECTION_MEMBER_ACCESS 4 +#define SECURITY_SERIALIZATION 5 +#define REFLECTION_RESTRICTED_MEMBER_ACCESS 6 +#define SECURITY_FULL_TRUST 7 +#define SECURITY_BINDING_REDIRECTS 8 // Ultimately this will become the only interface through // which the VM will access security code. 
namespace Security { - // ---------------------------------------- - // SecurityPolicy - // ---------------------------------------- - - // Init - inline void Start(); - inline void Stop(); - inline void SaveCache(); - - // Policy - - BOOL IsTransparencyEnforcementEnabled(); + inline BOOL IsTransparencyEnforcementEnabled() { return false; } - BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD); - inline BOOL CanCallUnmanagedCode(Module *pModule); - inline BOOL CanAssert(Module *pModule); - inline DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags); + inline BOOL CanCallUnmanagedCode(Module *pModule) { return true; } #ifndef DACCESS_COMPILE - inline BOOL CanTailCall(MethodDesc* pMD); - inline BOOL CanHaveRVA(Assembly * pAssembly); - inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD); - inline BOOL CanSkipVerification(MethodDesc * pMethod); + inline BOOL CanTailCall(MethodDesc* pMD) { return true; } + inline BOOL CanHaveRVA(Assembly * pAssembly) { return true; } + inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD) { return true; } + inline BOOL CanSkipVerification(MethodDesc * pMethod) { return true; } #endif - inline BOOL CanSkipVerification(DomainAssembly * pAssembly); - inline CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly); - inline CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD); + inline BOOL CanSkipVerification(DomainAssembly * pAssembly) { return true; } // ---------------------------------------- // SecurityAttributes // ---------------------------------------- - inline OBJECTREF CreatePermissionSet(BOOL fTrusted); - inline void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData); - inline void CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray); + void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData); + void 
CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray); - // ---------------------------------------- - // SecurityDeclarative - // ---------------------------------------- - inline HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL); - inline void RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas); - inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) ; - - inline LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD, - OBJECTREF *pClassCasDemands, - OBJECTREF *pClassNonCasDemands, - OBJECTREF *pMethodCasDemands, - OBJECTREF *pMethodNonCasDemands); - - inline void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee); - inline void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent); - inline void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent); - inline void GetPermissionInstance(OBJECTREF *perm, int index); - inline void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL); -#ifndef DACCESS_COMPILE - inline void CheckNonCasDemand(OBJECTREF *prefDemand); -#endif // #ifndef DACCESS_COMPILE - inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD); - inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass); - - // ---------------------------------------- - // SecurityStackWalk - // ---------------------------------------- - - // other CAS Actions - inline void Demand(SecurityStackWalkType eType, OBJECTREF demand) ; - inline void DemandSet(SecurityStackWalkType eType, OBJECTREF demand) ; - inline void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) ; - inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) ; - - inline void 
InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand); - - inline void FullTrustInheritanceDemand(Assembly *pTargetAssembly); - inline void FullTrustLinkDemand(Assembly *pTargetAssembly); - - // Compressed Stack - - // Misc - todo: put these in better categories - - inline BOOL AllDomainsOnStackFullyTrusted(); - IApplicationSecurityDescriptor* CreateApplicationSecurityDescriptor(AppDomain * pDomain); - IAssemblySecurityDescriptor* CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator); - ISharedSecurityDescriptor* CreateSharedSecurityDescriptor(Assembly* pAssembly); - void DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor); - inline void SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD); - inline void SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD); - - - // Checks for one of the special domain wide flags - // such as if we are currently in a "fully trusted" environment - // or if unmanaged code access is allowed at this time - // Note: This is an inline method instead of a virtual method on IApplicationSecurityDescriptor - // for stackwalk perf. 
- inline BOOL CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags); - - inline BOOL IsResolved(Assembly *pAssembly); - - FORCEINLINE VOID IncrementSecurityPerfCounter() ; - inline BOOL IsSpecialRunFrame(MethodDesc *pMeth) ; - inline BOOL SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL); - inline BOOL SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL); + inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) { } // Transparency checks - inline BOOL IsMethodTransparent(MethodDesc * pMD); - inline BOOL IsMethodCritical(MethodDesc * pMD); - inline BOOL IsMethodSafeCritical(MethodDesc * pMD); - - inline BOOL IsTypeCritical(MethodTable *pMT); - inline BOOL IsTypeSafeCritical(MethodTable *pMT); - inline BOOL IsTypeTransparent(MethodTable * pMT); - inline BOOL IsTypeAllTransparent(MethodTable * pMT); - - inline BOOL IsFieldTransparent(FieldDesc * pFD); - inline BOOL IsFieldCritical(FieldDesc * pFD); - inline BOOL IsFieldSafeCritical(FieldDesc * pFD); + inline BOOL IsMethodTransparent(MethodDesc * pMD) { return false; } + inline BOOL IsMethodCritical(MethodDesc * pMD) { return true; } + inline BOOL IsMethodSafeCritical(MethodDesc * pMD) { return false; } - inline BOOL IsTokenTransparent(Module* pModule, mdToken token); - - inline void DoSecurityClassAccessChecks(MethodDesc *pCallerMD, - const TypeHandle &calleeTH, - CorInfoSecurityRuntimeChecks check); + inline BOOL IsTypeCritical(MethodTable *pMT) { return true; } + inline BOOL IsTypeSafeCritical(MethodTable *pMT) { return false; } + inline BOOL IsTypeTransparent(MethodTable * pMT) { return false; } + inline BOOL IsTypeAllTransparent(MethodTable * pMT) { return false; } - inline CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller, - MethodDesc* pCallee, - SecurityTransparencyError *pError); - inline VOID 
EnforceTransparentAssemblyChecks(MethodDesc* pCallee, MethodDesc* pCaller); - inline VOID EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller); - inline VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc); + inline BOOL IsFieldTransparent(FieldDesc * pFD) { return false; } + inline BOOL IsFieldCritical(FieldDesc * pFD) { return true; } + inline BOOL IsFieldSafeCritical(FieldDesc * pFD) { return false; } - inline bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands = false); + inline BOOL IsTokenTransparent(Module* pModule, mdToken token) { return false; } inline BOOL CheckCriticalAccess(AccessCheckContext* pContext, MethodDesc* pOptionalTargetMethod = NULL, FieldDesc* pOptionalTargetField = NULL, - MethodTable * pOptionalTargetType = NULL); - - // declarative security - inline HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry = NULL) ; - - // security enforcement - inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet); - - - inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD); - - inline bool CanShareAssembly(DomainAssembly *pAssembly); -}; - -class ISecurityDescriptor -{ -public: - VPTR_BASE_VTABLE_CLASS_AND_CTOR(ISecurityDescriptor) - - virtual ~ISecurityDescriptor() { LIMITED_METHOD_CONTRACT; } - - virtual BOOL IsFullyTrusted() = 0; - - virtual BOOL CanCallUnmanagedCode() const = 0; - -#ifndef DACCESS_COMPILE - virtual DWORD GetSpecialFlags() const = 0; - - virtual AppDomain* GetDomain() const = 0; - - virtual void Resolve() = 0; - virtual BOOL IsResolved() const = 0; - - - virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) = 0; -#endif // !DACCESS_COMPILE -}; - -class IApplicationSecurityDescriptor : public ISecurityDescriptor -{ -public: - 
VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IApplicationSecurityDescriptor, ISecurityDescriptor) - -#ifndef DACCESS_COMPILE -public: - virtual BOOL IsHomogeneous() const = 0; - virtual void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) = 0; - virtual BOOL ContainsAnyRefusedPermissions() = 0; - - virtual BOOL IsDefaultAppDomain() const = 0; - virtual BOOL IsDefaultAppDomainEvidence() = 0; - virtual BOOL DomainMayContainPartialTrustCode() = 0; - - virtual BOOL CallHostSecurityManager() = 0; - virtual void SetHostSecurityManagerFlags(DWORD dwFlags) = 0; - virtual void SetPolicyLevelFlag() = 0; - - virtual void FinishInitialization() = 0; - virtual BOOL IsInitializationInProgress() = 0; - - // Determine the security state that an AppDomain will arrive in if nothing changes during domain - // initialization. (ie, get the input security state of the domain) - virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) = 0; - - // Gets special domain wide flags that specify things - // such as whether we are currently in a "fully trusted" environment - // or if unmanaged code access is allowed at this time - virtual DWORD GetDomainWideSpecialFlag() const = 0; - - -#endif // !DACCESS_COMPILE -}; - -class IAssemblySecurityDescriptor : public ISecurityDescriptor -{ -public: - VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IAssemblySecurityDescriptor, ISecurityDescriptor) - -#ifndef DACCESS_COMPILE - virtual SharedSecurityDescriptor *GetSharedSecDesc() = 0; - - virtual BOOL CanAssert() = 0; - virtual BOOL HasUnrestrictedUIPermission() = 0; - virtual BOOL IsAllCritical() = 0; - virtual BOOL IsAllSafeCritical() = 0; - virtual BOOL IsAllPublicAreaSafeCritical() = 0; - virtual BOOL IsAllTransparent() = 0; - virtual BOOL IsSystem() = 0; - virtual BOOL AllowSkipVerificationInFullTrust() = 0; - - virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution) = 0; - - - virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, 
OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) = 0; - - - // Check to make sure that security will allow this assembly to load. Throw an exception if the - // assembly should be forbidden from loading for security related purposes - virtual void CheckAllowAssemblyLoad() = 0; -#endif // #ifndef DACCESS_COMPILE + MethodTable * pOptionalTargetType = NULL) + { + return true; + } + + inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) + { + } }; -class ISharedSecurityDescriptor -{ -public: - virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL) = 0; - virtual BOOL IsResolved() const = 0; - virtual BOOL IsSystem() = 0; - virtual Assembly* GetAssembly() = 0; -}; - - -#include "security.inl" -#include "securitydeclarative.inl" -#include "securityattributes.inl" - #endif diff --git a/src/vm/security.inl b/src/vm/security.inl deleted file mode 100644 index f2d7d7d683..0000000000 --- a/src/vm/security.inl +++ /dev/null 
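Review bot: The stubbed predicates in `namespace Security` hard-code the fully-trusted answer (`IsMethodCritical`/`IsTypeCritical`/`IsFieldCritical` return true, the `Is*Transparent` family false, `CanSkipVerification`/`CanCallUnmanagedCode`/`CheckCriticalAccess` true, `SpecialDemand` a no-op), but nothing in the header says so, and a reader can easily misread "every type is critical" as a restriction when it means the opposite - all code may do anything. Suggest a block comment above `namespace Security` stating that every function here answers as though all code were fully trusted (transparency off, verification never required, demands always succeed) and that no access decision may be built on these return values. The nine `SECURITY_*`/`REFLECTION_*` `#define`s added at the top of the hunk appear to be the `whatPermission` values for `SpecialDemand`, which is now empty; a one-line comment saying they are kept only so existing call sites still compile would save the next reader a search for their use. The `SecurityStackWalkType` enum this hunk opens in starts before the hunk.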
@@ -1,552 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - - -// - -#ifndef _INL_SECURITY_ -#define _INL_SECURITY_ - -#include "securitydescriptorassembly.h" -#include "securitydescriptorappdomain.h" -#include "securitystackwalk.h" - -// Init -inline void Security::Start() -{ - WRAPPER_NO_CONTRACT; - SecurityPolicy::Start(); -} - -inline void Security::Stop() -{ - WRAPPER_NO_CONTRACT; - SecurityPolicy::Stop(); -} -// ---------------------------------------- -// SecurityPolicy -// ---------------------------------------- - - -inline BOOL Security::CanCallUnmanagedCode(Module *pModule) -{ - WRAPPER_NO_CONTRACT; - return SecurityPolicy::CanCallUnmanagedCode(pModule); -} - -#ifndef DACCESS_COMPILE -inline BOOL Security::CanAssert(Module *pModule) -{ - WRAPPER_NO_CONTRACT; - SharedSecurityDescriptor *pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pModule->GetAssembly()->GetSharedSecurityDescriptor()); - if (pSharedSecDesc) - return pSharedSecDesc->CanAssert(); - - AssemblySecurityDescriptor *pSec = static_cast<AssemblySecurityDescriptor*>(pModule->GetSecurityDescriptor()); - _ASSERTE(pSec); - return pSec->CanAssert(); -} - -inline DECLSPEC_NORETURN void Security::ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags) -{ - WRAPPER_NO_CONTRACT; - SecurityPolicy::ThrowSecurityException(szDemandClass, dwFlags); -} - -inline BOOL Security::CanTailCall(MethodDesc* pMD) -{ - WRAPPER_NO_CONTRACT; - return Security::CanSkipVerification(pMD); -} - -inline BOOL Security::CanAccessNonVerifiableExplicitField(MethodDesc* pMD) -{ - WRAPPER_NO_CONTRACT - // just check if the method can have unverifiable code - return Security::CanSkipVerification(pMD); -} -#endif - -// ---------------------------------------- -// SecurityAttributes -// ---------------------------------------- - -inline 
OBJECTREF Security::CreatePermissionSet(BOOL fTrusted) -{ - WRAPPER_NO_CONTRACT; - return SecurityAttributes::CreatePermissionSet(fTrusted); -} - -inline void Security::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData) -{ - WRAPPER_NO_CONTRACT; - SecurityAttributes::CopyByteArrayToEncoding(pArray, pbData, cbData); -} - -inline void Security::CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray) -{ - WRAPPER_NO_CONTRACT; - SecurityAttributes::CopyEncodingToByteArray(pbData, cbData, pArray); -} - -// ---------------------------------------- -// SecurityDeclarative -// ---------------------------------------- - -inline HRESULT Security::GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr) -{ - WRAPPER_NO_CONTRACT; - return SecurityDeclarative::GetDeclarationFlags(pInternalImport, token, pdwFlags, pdwNullFlags, fHasSuppressUnmanagedCodeAccessAttr); -} - -inline void Security::RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas) -{ - WRAPPER_NO_CONTRACT; - SecurityDeclarative::RetrieveLinktimeDemands(pMD, pClassCas, pClassNonCas, pMethodCas, pMethodNonCas); -} - -inline LinktimeCheckReason Security::GetLinktimeCheckReason(MethodDesc *pMD, - OBJECTREF *pClassCasDemands, - OBJECTREF *pClassNonCasDemands, - OBJECTREF *pMethodCasDemands, - OBJECTREF *pMethodNonCasDemands) -{ - WRAPPER_NO_CONTRACT; - return SecurityDeclarative::GetLinktimeCheckReason(pMD, - pClassCasDemands, - pClassNonCasDemands, - pMethodCasDemands, - pMethodNonCasDemands); -} - -inline void Security::CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) -{ - WRAPPER_NO_CONTRACT; -} - -inline void Security::LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee) -{ - WRAPPER_NO_CONTRACT; -} - -inline void Security::ClassInheritanceCheck(MethodTable *pClass, 
MethodTable *pParent) -{ - WRAPPER_NO_CONTRACT; - SecurityDeclarative::ClassInheritanceCheck(pClass, pParent); -} - -inline void Security::MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent) -{ - WRAPPER_NO_CONTRACT; - SecurityDeclarative::MethodInheritanceCheck(pMethod, pParent); -} - -inline void Security::DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD) -{ - WRAPPER_NO_CONTRACT; -} - -#ifndef DACCESS_COMPILE -inline void Security::CheckNonCasDemand(OBJECTREF *prefDemand) -{ - WRAPPER_NO_CONTRACT; -} -#endif // #ifndef DACCESS_COMPILE - -inline BOOL Security::MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(pMD); -} - -inline BOOL Security::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass) -{ - WRAPPER_NO_CONTRACT; - return SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(dwMethodAttr, dwClassAttr, fIsGlobalClass); -} - -// ---------------------------------------- -// SecurityStackWalk -// ---------------------------------------- - -// other CAS Actions -inline void Security::Demand(SecurityStackWalkType eType, OBJECTREF demand) -{ - WRAPPER_NO_CONTRACT; -} - - -inline void Security::DemandSet(SecurityStackWalkType eType, OBJECTREF demand) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; -} - -inline void Security::DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) -{ - WRAPPER_NO_CONTRACT; -} - - -inline void Security::SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) -{ - WRAPPER_NO_CONTRACT; -} - -inline void Security::InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand) -{ - WRAPPER_NO_CONTRACT; -} - -inline void Security::FullTrustInheritanceDemand(Assembly *pTargetAssembly) -{ - WRAPPER_NO_CONTRACT; -} - -inline void 
Security::FullTrustLinkDemand(Assembly *pTargetAssembly) -{ - WRAPPER_NO_CONTRACT; -} - -// Misc - todo: put these in better categories - -FORCEINLINE VOID Security::IncrementSecurityPerfCounter() -{ - WRAPPER_NO_CONTRACT; - SecurityStackWalk::IncrementSecurityPerfCounter(); -} - -inline BOOL Security::IsSpecialRunFrame(MethodDesc *pMeth) -{ - WRAPPER_NO_CONTRACT; - return SecurityStackWalk::IsSpecialRunFrame(pMeth); -} - -inline BOOL Security::SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain ) -{ - WRAPPER_NO_CONTRACT; - return SecurityStackWalk::SkipAndFindFunctionInfo(i, ppMD, ppOR, ppAppDomain); -} - -inline BOOL Security::SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain ) -{ - WRAPPER_NO_CONTRACT; - return SecurityStackWalk::SkipAndFindFunctionInfo(pSCM, ppMD, ppOR, ppAppDomain); -} - -#ifndef DACCESS_COMPILE -inline BOOL Security::AllDomainsOnStackFullyTrusted() -{ - WRAPPER_NO_CONTRACT; - return (SecurityStackWalk::HasFlagsOrFullyTrusted(0)); -} - -inline void Security::SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD) - {WRAPPER_NO_CONTRACT; static_cast<ApplicationSecurityDescriptor*>(pASD)->SetDefaultAppDomain();} - -inline void Security::SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD) - {WRAPPER_NO_CONTRACT; static_cast<ApplicationSecurityDescriptor*>(pASD)->SetDefaultAppDomainEvidence();} - -inline BOOL Security::CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags) -{ - WRAPPER_NO_CONTRACT; - return static_cast<ApplicationSecurityDescriptor*>(pASD)->CheckDomainWideSpecialFlag(flags); -} - -inline BOOL Security::IsResolved(Assembly *pAssembly) -{ - WRAPPER_NO_CONTRACT; - - ISharedSecurityDescriptor *pSSD = pAssembly->GetSharedSecurityDescriptor(); - if (pSSD != NULL) - { - return pSSD->IsResolved(); - } - else - { - IAssemblySecurityDescriptor *pSD = pAssembly->GetSecurityDescriptor(); - 
return pSD->IsResolved(); - } -} -#endif //! DACCESS_COMPILE - -inline BOOL Security::IsMethodTransparent(MethodDesc * pMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsMethodTransparent(pMD); -} - -inline BOOL Security::IsMethodCritical(MethodDesc * pMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsMethodCritical(pMD); -} - -inline BOOL Security::IsMethodSafeCritical(MethodDesc * pMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsMethodSafeCritical(pMD); -} - -inline BOOL Security::IsTypeCritical(MethodTable *pMT) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsTypeCritical(pMT); -} - -inline BOOL Security::IsTypeSafeCritical(MethodTable *pMT) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsTypeSafeCritical(pMT); -} - -inline BOOL Security::IsTypeTransparent(MethodTable * pMT) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsTypeTransparent(pMT); -} - -inline BOOL Security::IsTypeAllTransparent(MethodTable * pMT) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsTypeAllTransparent(pMT); -} - -inline BOOL Security::IsFieldTransparent(FieldDesc * pFD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsFieldTransparent(pFD); -} - -inline BOOL Security::IsFieldCritical(FieldDesc * pFD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsFieldCritical(pFD); -} - -inline BOOL Security::IsFieldSafeCritical(FieldDesc * pFD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsFieldSafeCritical(pFD); -} - -inline BOOL Security::IsTokenTransparent(Module* pModule, mdToken token) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::IsTokenTransparent(pModule, token); -} - -inline void Security::DoSecurityClassAccessChecks(MethodDesc *pCallerMD, - const TypeHandle &calleeTH, - CorInfoSecurityRuntimeChecks checks) -{ - WRAPPER_NO_CONTRACT; - SecurityTransparent::DoSecurityClassAccessChecks(pCallerMD, calleeTH, checks); -} - -// Transparency checks -inline 
CorInfoIsAccessAllowedResult Security::RequiresTransparentAssemblyChecks(MethodDesc* pCaller, - MethodDesc* pCallee, - SecurityTransparencyError *pError) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::RequiresTransparentAssemblyChecks(pCaller, pCallee, pError); -} - -inline VOID Security::EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller) -{ - WRAPPER_NO_CONTRACT; - SecurityTransparent::EnforceTransparentDelegateChecks(pDelegateMT, pCaller); -} - -inline VOID Security::EnforceTransparentAssemblyChecks( MethodDesc* pCallee, MethodDesc* pCaller) -{ - WRAPPER_NO_CONTRACT; - SecurityTransparent::EnforceTransparentAssemblyChecks( pCallee, pCaller); -} - -inline VOID Security::PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc) -{ - WRAPPER_NO_CONTRACT; - SecurityTransparent::PerformTransparencyChecksForLoadByteArray(pCallersMD, static_cast<AssemblySecurityDescriptor*>(pLoadedSecDesc)); -} - -inline bool Security::TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands /*= false*/) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::TypeRequiresTransparencyCheck(type, checkForLinkDemands); -} - -inline BOOL Security::CheckCriticalAccess(AccessCheckContext* pContext, - MethodDesc* pOptionalTargetMethod, - FieldDesc* pOptionalTargetField, - MethodTable * pOptionalTargetType) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::CheckCriticalAccess(pContext, - pOptionalTargetMethod, - pOptionalTargetField, - pOptionalTargetType); -} - -#ifndef DACCESS_COMPILE -inline BOOL Security::CanHaveRVA(Assembly * pAssembly) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - return Security::CanSkipVerification(pAssembly->GetDomainAssembly()); -} - -inline BOOL Security::CanSkipVerification(MethodDesc * pMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // Always skip verification on CoreCLR - return TRUE; 
-} -#endif //!DACCESS_COMPILE - - -inline BOOL Security::CanSkipVerification(DomainAssembly * pAssembly) -{ - WRAPPER_NO_CONTRACT; - return SecurityPolicy::CanSkipVerification(pAssembly); -} - -inline CorInfoCanSkipVerificationResult Security::JITCanSkipVerification(DomainAssembly * pAssembly) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::JITCanSkipVerification(pAssembly); -} - -inline CorInfoCanSkipVerificationResult Security::JITCanSkipVerification(MethodDesc * pMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::JITCanSkipVerification(pMD); -} - -inline BOOL Security::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet) -{ - WRAPPER_NO_CONTRACT; - return SecurityAttributes::ContainsBuiltinCASPermsOnly(pAttrSet); -} - - -inline bool Security::SecurityCalloutQuickCheck(MethodDesc *pCallerMD) -{ - WRAPPER_NO_CONTRACT; - return SecurityTransparent::SecurityCalloutQuickCheck(pCallerMD); -} - -inline bool Security::CanShareAssembly(DomainAssembly *pAssembly) -{ - WRAPPER_NO_CONTRACT; - - - return true; -} - -inline HRESULT Security::GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry ) -{ - WRAPPER_NO_CONTRACT; - return SecurityAttributes::GetDeclaredPermissions(pInternalImport, token, action, pDeclaredPermissions, pPSCacheEntry); -} - -#ifndef DACCESS_COMPILE - // Returns true if everyone is fully trusted or has the indicated flags -FORCEINLINE BOOL SecurityStackWalk::HasFlagsOrFullyTrustedIgnoreMode (DWORD flags) { - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - SO_TOLERANT; - } - CONTRACTL_END; - - return TRUE; -} - -// Returns true if everyone is fully trusted or has the indicated flags AND we're not in legacy CAS mode -FORCEINLINE BOOL SecurityStackWalk::HasFlagsOrFullyTrusted (DWORD flags) { - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - SO_TOLERANT; - } - CONTRACTL_END; - return 
(HasFlagsOrFullyTrustedIgnoreMode(flags)); - -} - -FORCEINLINE BOOL SecurityStackWalk::QuickCheckForAllDemands(DWORD flags) -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - SO_TOLERANT; - } CONTRACTL_END; - - return (SecurityStackWalk::HasFlagsOrFullyTrusted(flags)); -} - -inline void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (handle == NULL) - { - // Storing NULL doesn't require us to allocate a handle - if (ref != NULL) - { - GCPROTECT_BEGIN(ref); - // Atomically create a handle and store it - LOADERHANDLE tmpHandle = la->AllocateHandle(NULL); - if (FastInterlockCompareExchangePointer(&handle, tmpHandle, static_cast<LOADERHANDLE>(NULL)) != NULL) - { - // Another thread snuck in and created the handle - this should be unusual and acceptable to leak here. (Only leaks till end of AppDomain or Assembly lifetime) - } - else - { - la->SetHandleValue(handle, ref); - } - GCPROTECT_END(); - } - } - else - { - la->SetHandleValue(handle, ref); - } -} -#endif // #ifndef DACCESS_COMPILE - - -#endif - diff --git a/src/vm/securityattributes.cpp b/src/vm/securityattributes.cpp deleted file mode 100644 index 798d8099a5..0000000000 --- a/src/vm/securityattributes.cpp +++ /dev/null 
@@ -1,1379 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - -// - - -#include "common.h" - -#include "security.h" -#include "field.h" -#include "comcallablewrapper.h" -#include "typeparse.h" -#include "appdomain.inl" -#include "mdaassistants.h" -#include "fstring.h" - - -HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction); - -#ifndef CROSSGEN_COMPILE - -// -// Determine if a security action allows an optimization where an empty permission set can be represented as -// NULL. Some VM optimizations kick in if an empty permission set can be represented as NULL; however since -// some security actions have a semantic difference between not being specified at all and having an explicit -// empty permission set specified, permission sets associated with those actions must be represented as an -// empty object rather than as NULL. -// -// Arguments: -// action - security action to check -// -// Return Value: -// true if the security action may have an empty permission set optimized to NULL, false otherwise -// -// Notes: -// The security actions which cannot have NULL represent an empty permission set are: -// -// * PermitOnly - a PermitOnly set containing no permissions means that all demands should fail, as -// opposed to not having a PermitOnly set on a method. -// * RequestOptional - not specifying a RequestOptional set is equivilent to having a RequestOptional set -// of FullTrust, rather than having an empty RequestOptional set. 
-// - -// static -bool SecurityAttributes::ActionAllowsNullPermissionSet(CorDeclSecurity action) -{ - LIMITED_METHOD_CONTRACT; - return action != dclPermitOnly && action != dclRequestOptional; -} - -void SecurityAttributes::CopyEncodingToByteArray(IN PBYTE pbData, - IN DWORD cbData, - OUT OBJECTREF* pArray) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } CONTRACTL_END; - - U1ARRAYREF pObj; - _ASSERTE(pArray); - - pObj = (U1ARRAYREF)AllocatePrimitiveArray(ELEMENT_TYPE_U1,cbData); - memcpyNoGCRefs(pObj->m_Array, pbData, cbData); - *pArray = (OBJECTREF) pObj; -} - -void SecurityAttributes::CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, - OUT PBYTE* ppbData, - OUT DWORD* pcbData) -{ - CONTRACTL { - THROWS; - GC_NOTRIGGER; - MODE_COOPERATIVE; - PRECONDITION(CheckPointer(pArray)); - PRECONDITION(CheckPointer(ppbData)); - PRECONDITION(CheckPointer(pcbData)); - PRECONDITION(*pArray != NULL); - } CONTRACTL_END; - - DWORD size = (DWORD) (*pArray)->GetNumComponents(); - *ppbData = new BYTE[size]; - *pcbData = size; - - CopyMemory(*ppbData, (*pArray)->GetDirectPointerToNonObjectElements(), size); -} - -// -// This is a public exported method -// - -// Translate a set of security custom attributes into a serialized permission set blob. -HRESULT STDMETHODCALLTYPE TranslateSecurityAttributes(CORSEC_ATTRSET *pAttrSet, - BYTE **ppbOutput, - DWORD *pcbOutput, - BYTE **ppbNonCasOutput, - DWORD *pcbNonCasOutput, - DWORD *pdwErrorIndex) -{ - return E_NOTIMPL; -} - - -// -// This is a public exported method -// - -// Reads permission requests (if any) from the manifest of an assembly. 
-HRESULT STDMETHODCALLTYPE GetPermissionRequests(LPCWSTR pwszFileName, - BYTE **ppbMinimal, - DWORD *pcbMinimal, - BYTE **ppbOptional, - DWORD *pcbOptional, - BYTE **ppbRefused, - DWORD *pcbRefused) -{ - CONTRACTL { - NOTHROW; - GC_TRIGGERS; - MODE_PREEMPTIVE; - ENTRY_POINT; - } CONTRACTL_END; - - HRESULT hr = S_OK; - - BEGIN_EXTERNAL_ENTRYPOINT(&hr) - { - IMetaDataDispenser *pMD = NULL; - IMetaDataAssemblyImport *pMDAsmImport = NULL; - IMetaDataImport *pMDImport = NULL; - mdAssembly mdAssembly; - BYTE *pbMinimal = NULL; - DWORD cbMinimal = 0; - BYTE *pbOptional = NULL; - DWORD cbOptional = 0; - BYTE *pbRefused = NULL; - DWORD cbRefused = 0; - HCORENUM hEnumDcl = NULL; - mdPermission rPSets[dclMaximumValue + 1]; - DWORD dwSets; - DWORD i; - - *ppbMinimal = NULL; - *pcbMinimal = 0; - *ppbOptional = NULL; - *pcbOptional = 0; - *ppbRefused = NULL; - *pcbRefused = 0; - - // Get the meta data interface dispenser. - hr = MetaDataGetDispenser(CLSID_CorMetaDataDispenser, - IID_IMetaDataDispenserEx, - (void **)&pMD); - if (FAILED(hr)) - goto Error; - - // Open a scope on the assembly file. - hr = pMD->OpenScope(pwszFileName, - 0, - IID_IMetaDataAssemblyImport, - (IUnknown**)&pMDAsmImport); - if (FAILED(hr)) - goto Error; - - // Determine the assembly token. - hr = pMDAsmImport->GetAssemblyFromScope(&mdAssembly); - if (FAILED(hr)) - goto Error; - - // QI for a normal import interface. - hr = pMDAsmImport->QueryInterface(IID_IMetaDataImport, (void**)&pMDImport); - if (FAILED(hr)) - goto Error; - - // Look for permission request sets hung off the assembly token. 
- hr = pMDImport->EnumPermissionSets(&hEnumDcl, - mdAssembly, - dclActionNil, - rPSets, - dclMaximumValue + 1, - &dwSets); - if (FAILED(hr)) - goto Error; - - for (i = 0; i < dwSets; i++) { - BYTE *pbData; - DWORD cbData; - DWORD dwAction; - - pMDImport->GetPermissionSetProps(rPSets[i], - &dwAction, - (void const **)&pbData, - &cbData); - - switch (dwAction) { - case dclRequestMinimum: - _ASSERTE(pbMinimal == NULL); - pbMinimal = pbData; - cbMinimal = cbData; - break; - case dclRequestOptional: - _ASSERTE(pbOptional == NULL); - pbOptional = pbData; - cbOptional = cbData; - break; - case dclRequestRefuse: - _ASSERTE(pbRefused == NULL); - pbRefused = pbData; - cbRefused = cbData; - break; - default: - _ASSERTE(FALSE); - } - } - - pMDImport->CloseEnum(hEnumDcl); - - // Buffer the results (since we're about to close the metadata scope and - // lose the original data). - if (pbMinimal) { - *ppbMinimal = new (nothrow) BYTE[cbMinimal]; - if (*ppbMinimal == NULL) { - hr = E_OUTOFMEMORY; - goto Error; - } - memcpy(*ppbMinimal, pbMinimal, cbMinimal); - *pcbMinimal = cbMinimal; - } - - if (pbOptional) { - *ppbOptional = new (nothrow) BYTE[cbOptional]; - if (*ppbOptional == NULL) { - hr = E_OUTOFMEMORY; - goto Error; - } - memcpy(*ppbOptional, pbOptional, cbOptional); - *pcbOptional = cbOptional; - } - - if (pbRefused) { - *ppbRefused = new (nothrow) BYTE[cbRefused]; - if (*ppbRefused == NULL) { - hr = E_OUTOFMEMORY; - goto Error; - } - memcpy(*ppbRefused, pbRefused, cbRefused); - *pcbRefused = cbRefused; - } - - Error: - if (pMDImport) - pMDImport->Release(); - if (pMDAsmImport) - pMDAsmImport->Release(); - if (pMD) - pMD->Release(); - } - END_EXTERNAL_ENTRYPOINT; - - return hr; -} - -// Load permission requests in their serialized form from assembly metadata. -// This consists of a required permissions set and optionally an optional and -// deny permission set. 
-void SecurityAttributes::LoadPermissionRequestsFromAssembly(IN IMDInternalImport* pImport, - OUT OBJECTREF* pReqdPermissions, - OUT OBJECTREF* pOptPermissions, - OUT OBJECTREF* pDenyPermissions) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - PRECONDITION(CheckPointer(pReqdPermissions)); - PRECONDITION(CheckPointer(pOptPermissions)); - PRECONDITION(CheckPointer(pDenyPermissions)); - } CONTRACTL_END; - - mdAssembly mdAssembly; - HRESULT hr; - - *pReqdPermissions = NULL; - *pOptPermissions = NULL; - *pDenyPermissions = NULL; - - // It's OK to be called with a NULL assembly. This can happen in the code - // path where we're just checking for a signature, nothing else. So just - // return without doing anything. - if (pImport == NULL) - return; - - // Locate assembly metadata token since the various permission sets are - // written as custom values against this token. - if (pImport->GetAssemblyFromScope(&mdAssembly) != S_OK) { - _ASSERT(FALSE); - return; - } - - struct _gc - { - OBJECTREF reqdPset; - OBJECTREF optPset; - OBJECTREF denyPset; - } gc; - ZeroMemory(&gc, sizeof(gc)); - - { - GCX_COOP(); // because GetDeclaredPermissions may call into managed code - GCPROTECT_BEGIN(gc); - - // Read and translate required permission set. - hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestMinimum, &gc.reqdPset, NULL); - _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND)); - - // Now the optional permission set. - PsetCacheEntry *pOptPSCacheEntry = NULL; - hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestOptional, &gc.optPset, &pOptPSCacheEntry); - _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND)); - - // An empty permission set has semantic meaning if it is an assembly's optional permission set. - // If we have an optional set, then we need to make sure it is created. 
- if (SUCCEEDED(hr) && gc.optPset == NULL && pOptPSCacheEntry != NULL) - { - gc.optPset = pOptPSCacheEntry->CreateManagedPsetObject(dclRequestOptional, /* createEmptySet */ true); - } - - // And finally the refused permission set. - hr = Security::GetDeclaredPermissions(pImport, mdAssembly, dclRequestRefuse, &gc.denyPset, NULL); - _ASSERT(SUCCEEDED(hr) || (hr == CLDB_E_RECORD_NOTFOUND)); - - *pReqdPermissions = gc.reqdPset; - *pOptPermissions = gc.optPset; - *pDenyPermissions = gc.denyPset; - - GCPROTECT_END(); - } -} - -// Determine whether a RequestOptional or RequestRefused are made in the assembly manifest. -BOOL SecurityAttributes::RestrictiveRequestsInAssembly(IMDInternalImport* pImport) -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - } CONTRACTL_END; - - mdAssembly mdAssembly; - HRESULT hr; - HENUMInternal hEnumDcl; - - // Locate assembly metadata token since the various permission sets are - // written as custom values against this token. - hr = pImport->GetAssemblyFromScope(&mdAssembly); - if (FAILED(hr)) - return TRUE; - - hr = pImport->EnumPermissionSetsInit(mdAssembly, - dclRequestRefuse, - &hEnumDcl); - - BOOL bFoundRequestRefuse = (hr != CLDB_E_RECORD_NOTFOUND); - pImport->EnumClose(&hEnumDcl); - - if (bFoundRequestRefuse) - return TRUE; - - hr = pImport->EnumPermissionSetsInit(mdAssembly, - dclRequestOptional, - &hEnumDcl); - BOOL bFoundRequestOptional = (hr != CLDB_E_RECORD_NOTFOUND); - pImport->EnumClose(&hEnumDcl); - - return bFoundRequestOptional; -} -#endif // CROSSGEN_COMPILE - -HRESULT SecurityAttributes::GetPermissionsFromMetaData(IN IMDInternalImport *pInternalImport, - IN mdToken token, - IN CorDeclSecurity action, - OUT PBYTE* ppbPerm, - OUT ULONG* pcbPerm) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } CONTRACTL_END; - HRESULT hr = S_OK; - mdPermission tkPerm; - void const ** ppData = const_cast<void const**> (reinterpret_cast<void**> (ppbPerm)); - DWORD dwActionDummy; - // Get the blob for the CAS action from 
the security action table in metadata - HENUMInternalHolder hEnumDcl(pInternalImport); - if (hEnumDcl.EnumPermissionSetsInit(token,action)) - { - _ASSERTE(pInternalImport->EnumGetCount(&hEnumDcl) == 1 && "Multiple permissions sets for the same declaration aren't currently supported."); - if (pInternalImport->EnumNext(&hEnumDcl, &tkPerm)) - { - hr = pInternalImport->GetPermissionSetProps( - tkPerm, - &dwActionDummy, - ppData, - pcbPerm); - - if (FAILED(hr) ) - { - COMPlusThrowHR(hr); - } - } - else - { - _ASSERTE(!"At least one enumeration expected"); - } - } - else - { - hr = CLDB_E_RECORD_NOTFOUND; - } - return hr; -} - -void SecurityAttributes::CreateAndCachePermissions( - IN PBYTE pbPerm, - IN ULONG cbPerm, - IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPSCacheEntry) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } CONTRACTL_END; - - SecurityDeclarativeCache *pSDC; - PsetCacheEntry* pPCE; - - pSDC = &(GetAppDomain()->m_pSecContext->m_pSecurityDeclarativeCache); - - - pPCE = pSDC->CreateAndCachePset (pbPerm, cbPerm); - if (pDeclaredPermissions) { -#ifdef CROSSGEN_COMPILE - _ASSERTE(!"This codepath should be unreachable during crossgen"); - *pDeclaredPermissions = NULL; -#else - *pDeclaredPermissions = pPCE->CreateManagedPsetObject (action); -#endif - } - if (pPSCacheEntry) { - *pPSCacheEntry = pPCE; - } -} - -// Returns the declared PermissionSet for the specified action type. -HRESULT SecurityAttributes::GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, - IN mdToken token, - IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPSCacheEntry) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } CONTRACTL_END; - - HRESULT hr = S_FALSE; - PBYTE pbPerm = NULL; - ULONG cbPerm = 0; - - - - _ASSERTE(action > dclActionNil && action <= dclMaximumValue); - - // Initialize the output parameters. 
- if (pDeclaredPermissions) - *pDeclaredPermissions = NULL; - if(pPSCacheEntry) - *pPSCacheEntry = NULL; - - bool bCas = !(action == dclNonCasDemand || action == dclNonCasLinkDemand || action == dclNonCasInheritance); - - hr = GetPermissionsFromMetaData(pInternalImport, token, action, &pbPerm, &cbPerm); - if(pbPerm && cbPerm > 0) - { - CreateAndCachePermissions(pbPerm, cbPerm, action, pDeclaredPermissions, pPSCacheEntry); - } - else if(!bCas) - { - // We're looking for a non-CAS action which may be encoded with the corresponding CAS action - // Pre-Whidbey, we used to encode CAS and non-CAS actions separately because we used to do - // declarative security processing at build time (we used to create a - // permset object corresponding to a declarative action, convert it into XML and then store the serialized - // XML in the assembly). - // - // In Whidbey the default is what we call LAZY declarative security (LAZY_DECL_SEC_FLAG below) - to not do any - // declarative security processing at build time (we just take the declarative annotiation and store it as a - // serialzied blob - no permsets created/converted to XML). And at runtime, we do the actual processing (create permsets etc.) - // - // What does this mean? It means that in Whidbey (and beyond), we cannot tell at build time if it is a declarative CAS action - // or non-CAS action. So at runtime, we need to check the permset stored under the cas action for a non-CAS action. - // Of course, we need to do this only if LAZY_DECL_SEC_FLAG is in effect. 
-
- // Determine the corresponding CAS action
- CorDeclSecurity casAction = dclDemand;
- if(action == dclNonCasLinkDemand)
- casAction = dclLinktimeCheck;
- else if(action == dclNonCasInheritance)
- casAction = dclInheritanceCheck;
-
- // Get the blob for the CAS action from the security action table in metadata
- hr = GetPermissionsFromMetaData(pInternalImport, token, casAction, &pbPerm, &cbPerm);
-
- if(pbPerm && cbPerm > 0 && pbPerm[0] == LAZY_DECL_SEC_FLAG) // if it's a serialized CORSEC_ATTRSET
- {
- CreateAndCachePermissions(pbPerm, cbPerm, casAction, pDeclaredPermissions, pPSCacheEntry);
- }
-
- }
-
- return hr;
-}
-
-bool SecurityAttributes::IsHostProtectionAttribute(CORSEC_ATTRIBUTE* pAttr)
-{
- static const char s_HostProtectionAttributeName[] = "System.Security.Permissions.HostProtectionAttribute, mscorlib";
-
- return (strncmp(pAttr->pName, s_HostProtectionAttributeName, sizeof(s_HostProtectionAttributeName)-1) == 0);
-}
-
-bool SecurityAttributes::IsBuiltInCASPermissionAttribute(CORSEC_ATTRIBUTE* pAttr)
-{
- WRAPPER_NO_CONTRACT;
- static const char s_permissionsNamespace[] = "System.Security.Permissions.";
- if(strncmp(pAttr->pName, s_permissionsNamespace, sizeof(s_permissionsNamespace) - 1) != 0)
- return false; // not built-in permission
- static const char s_principalPermissionName[] = "System.Security.Permissions.PrincipalPermissionAttribute, mscorlib";
-
- // ASSERT: at this point we know we are in builtin namespace...so compare with PrincipalPermissionAttribute
- if (strncmp(pAttr->pName, s_principalPermissionName, sizeof(s_principalPermissionName)-1) == 0)
- return false; // found a principal permission => Not a built-in CAS permission
-
- // special-case the unrestricted permission set attribute.
- static const char s_PermissionSetName[] = "System.Security.Permissions.PermissionSetAttribute, mscorlib";
- if (strncmp(pAttr->pName, s_PermissionSetName, sizeof(s_PermissionSetName)-1) == 0)
- return IsUnrestrictedPermissionSetAttribute(pAttr);
-
- return true; //built-in perm, but not principal perm => IsBuiltInCASPermissionAttribute
-}
-
-bool SecurityAttributes::IsUnrestrictedPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- BYTE const * pbBuffer = pPerm->pbValues;
- SIZE_T cbBuffer = pPerm->cbValues;
- BYTE const * pbBufferEnd = pbBuffer + cbBuffer;
-
- if (cbBuffer < 2 * sizeof(BYTE))
- return false;
-
- // Get the field/property specifier
- if (*(BYTE*)pbBuffer == SERIALIZATION_TYPE_FIELD)
- return false;
-
- _ASSERTE(*(BYTE*)pbBuffer == SERIALIZATION_TYPE_PROPERTY);
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- // Get the value type
- DWORD dwType = *(BYTE*)pbBuffer;
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
- if (dwType != SERIALIZATION_TYPE_BOOLEAN)
- return false;
-
- // Grab the field/property name and length.
- DWORD cbName;
- BYTE const * pbName;
- if (FAILED(CPackedLen::SafeGetData(pbBuffer,
- pbBufferEnd,
- &cbName,
- &pbName)))
- {
- return false;
- }
-
- PREFIX_ASSUME(pbName != NULL);
-
- // SafeGetData will ensure the name is within the buffer
- SIZE_T cbNameOffset = pbName - pbBuffer;
- _ASSERTE(FitsIn<DWORD>(cbNameOffset));
- DWORD dwLength = static_cast<DWORD>(cbNameOffset + cbName);
- pbBuffer += dwLength;
- cbBuffer -= dwLength;
-
- // Buffer the name of the property and null terminate it.
- DWORD allocLen = cbName + 1;
- if (allocLen < cbName)
- return false;
-
- LPSTR szName = (LPSTR)_alloca(allocLen);
- memcpy(szName, pbName, cbName);
- szName[cbName] = '\0';
-
- if (strcmp(szName, "Unrestricted") != 0)
- return false;
-
- // Make sure the value isn't "false"
- return (*pbBuffer != 0);
-}
-
-// This takes a PermissionSetAttribute blob and looks to see if it uses the "FILE" property. If it
-// does, then it loads the file now and modifies the attribute to use the XML property instead
-// (because the file may not be available at runtime.)
-HRESULT SecurityAttributes::FixUpPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- _ASSERTE(pPerm->wValues == 1 && strcmp(pPerm->pName, "System.Security.Permissions.PermissionSetAttribute") == 0);
- BYTE const * pbBuffer = pPerm->pbValues;
- SIZE_T cbBuffer = pPerm->cbValues;
- BYTE const * pbBufferEnd = pbBuffer + cbBuffer;
- HRESULT hr;
-
- // Check we've got at least the field/property specifier and the
- // type code.
- _ASSERTE(cbBuffer >= (sizeof(BYTE) + sizeof(BYTE)));
-
- // Grab the field/property specifier.
- bool bIsField = *(BYTE*)pbBuffer == SERIALIZATION_TYPE_FIELD;
- _ASSERTE(bIsField || (*(BYTE*)pbBuffer == SERIALIZATION_TYPE_PROPERTY));
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- // Grab the value type.
- DWORD dwType = *(BYTE*)pbBuffer;
- pbBuffer += sizeof(BYTE);
- cbBuffer -= sizeof(BYTE);
-
- if(bIsField)
- return S_OK;
- if(dwType != SERIALIZATION_TYPE_STRING)
- return S_OK;
-
- // Grab the field/property name and length.
- ULONG cbName; - BYTE const * pbName; - IfFailRet(CPackedLen::SafeGetData(pbBuffer, pbBufferEnd, &cbName, &pbName)); - PREFIX_ASSUME(pbName != NULL); - - // SafeGetData ensures name is within buffer - SIZE_T cbNameOffset = pbName - pbBuffer; - _ASSERTE(FitsIn<DWORD>(cbNameOffset)); - DWORD dwLength = static_cast<DWORD>(cbNameOffset + cbName); - pbBuffer += dwLength; - cbBuffer -= dwLength; - - // Buffer the name of the property and null terminate it. - DWORD allocLen = cbName + 1; - LPSTR szName = (LPSTR)_alloca(allocLen); - memcpy(szName, pbName, cbName); - szName[cbName] = '\0'; - - if(strcmp(szName, "File") != 0) - return S_OK; - if(*pbBuffer == 0xFF) // special case that represents NULL string - return S_OK; - - IfFailRet(CPackedLen::SafeGetData(pbBuffer, pbBufferEnd, &cbName, &pbName)); - PREFIX_ASSUME(pbName != NULL); - - // SafeGetData ensures name is within buffer - cbNameOffset = pbName - pbBuffer; - _ASSERTE(FitsIn<DWORD>(cbNameOffset)); - dwLength = static_cast<DWORD>(cbNameOffset + cbName); - _ASSERTE(cbBuffer >= dwLength); - - // Open the file - MAKE_WIDEPTR_FROMUTF8N(wszFileName, (LPCSTR)pbName, cbName); - HandleHolder hFile(WszCreateFile (wszFileName, - GENERIC_READ, - FILE_SHARE_READ, - NULL, - OPEN_EXISTING, - FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN, - NULL)); - if (hFile == INVALID_HANDLE_VALUE) - return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); - DWORD dwFileLen = SafeGetFileSize(hFile, 0); - if (dwFileLen == 0xFFFFFFFF) - return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND); - - // Read the file - BYTE* pFileBuffer = new (nothrow) BYTE[(dwFileLen + 4) * sizeof(BYTE)]; - if(!pFileBuffer) - return E_OUTOFMEMORY; - DWORD dwBytesRead; - if ((SetFilePointer(hFile, 0, NULL, FILE_BEGIN) == 0xFFFFFFFF) || - (!ReadFile(hFile, pFileBuffer, dwFileLen, &dwBytesRead, NULL))) - { - delete [] pFileBuffer; - return E_FAIL; - } - if(dwBytesRead < dwFileLen) - { - delete [] pFileBuffer; - return E_FAIL; - } - - // Make the new attribute blob - BYTE* 
pNewAttrBuffer = new (nothrow) BYTE[(dwFileLen + 10) * 2 * sizeof(BYTE)]; - if(!pNewAttrBuffer) - return E_OUTOFMEMORY; - BYTE* pCurBuf = pNewAttrBuffer; - *pCurBuf = (BYTE)SERIALIZATION_TYPE_PROPERTY; - pCurBuf++; - *pCurBuf = (BYTE)SERIALIZATION_TYPE_STRING; - pCurBuf++; - pCurBuf = (BYTE*)CPackedLen::PutLength(pCurBuf, 3); - memcpy(pCurBuf, "Hex", 3); - pCurBuf += 3; - pCurBuf = (BYTE*)CPackedLen::PutLength(pCurBuf, dwFileLen * 2); - DWORD n; - BYTE b; - for(n = 0; n < dwFileLen; n++) - { - b = (pFileBuffer[n] >> 4) & 0xf; - *pCurBuf = (b < 10 ? '0' + b : 'a' + b - 10); - pCurBuf++; - b = pFileBuffer[n] & 0xf; - *pCurBuf = (b < 10 ? '0' + b : 'a' + b - 10); - pCurBuf++; - } - delete [] pFileBuffer; - - // We shouldn't have a serialized permission set that can be this large, but to be safe we'll ensure - // that we fit in the output DWORD size. - SIZE_T cbNewAttrSize = pCurBuf - pNewAttrBuffer; - - // Set the new values - delete(pPerm->pbValues); - pPerm->pbValues = pNewAttrBuffer; - pPerm->cbValues = cbNewAttrSize; - return S_OK; -} - -// if tkAssemblyRef is NULL, this assumes the type is in this assembly -// uszClassName should be a UTF8 string including both namespace and class -HRESULT GetFullyQualifiedTypeName(SString* pString, mdAssemblyRef tkAssemblyRef, __in_z CHAR* uszClassName, IMetaDataAssemblyImport *pImport, mdToken tkCtor) -{ - CONTRACTL - { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - // Add class name - MAKE_WIDEPTR_FROMUTF8(wszClassName, uszClassName); - (*pString) += (LPCWSTR) wszClassName; - if(IsNilToken(tkAssemblyRef)) - tkAssemblyRef = TokenFromRid(1, mdtAssembly); - - // Add a comma separator - (*pString) += W(", "); - - DWORD dwDisplayFlags = ASM_DISPLAYF_VERSION | ASM_DISPLAYF_PUBLIC_KEY_TOKEN | ASM_DISPLAYF_CULTURE; - HRESULT hr; - AssemblySpec spec; - StackSString name; - - IfFailRet(spec.Init((mdToken)tkAssemblyRef,pImport)); - spec.GetFileOrDisplayName(dwDisplayFlags,name); - _ASSERTE(!name.IsEmpty() && "the assembly 
name should not be empty here"); - - (*pString) += name; - return S_OK; -} - -HRESULT SecurityAttributes::SerializeAttribute(CORSEC_ATTRIBUTE* pAttr, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport) -{ - // pBuffer can be NULL if the caller is only trying to determine the size of the serialized blob. In that case, let's make a little temp buffer to facilitate CPackedLen::PutLength - SIZE_T cbPos = *pCount; - BYTE* pTempBuf = pBuffer; - SIZE_T const* pTempPos = &cbPos; - BYTE tempBuf[8]; - const SIZE_T zero = 0; - if(!pTempBuf) - { - pTempBuf = tempBuf; - pTempPos = &zero; - } - BYTE* pOldPos; - - // Get the fully qualified type name - SString sType; - HRESULT hr = GetFullyQualifiedTypeName(&sType, pAttr->tkAssemblyRef, pAttr->pName, pImport, pAttr->tkCtor); - if(FAILED(hr)) - return hr; - - // Convert assembly name to UTF8. - const WCHAR* wszTypeName = sType.GetUnicode(); - MAKE_UTF8PTR_FROMWIDE(uszTypeName, wszTypeName); - DWORD dwUTF8TypeNameLen = (DWORD)strlen(uszTypeName); - - // Serialize the type name length - pOldPos = &pTempBuf[*pTempPos]; - cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], dwUTF8TypeNameLen) - pOldPos; - - // Serialize the type name - if(pBuffer) - memcpy(&pBuffer[cbPos], uszTypeName, dwUTF8TypeNameLen); - cbPos += dwUTF8TypeNameLen; - - // Serialize the size of the properties blob - BYTE temp[32]; - SIZE_T cbSizeOfCompressedPropertiesCount = (BYTE*)CPackedLen::PutLength(temp, pAttr->wValues) - temp; - pOldPos = &pTempBuf[*pTempPos]; - - _ASSERTE(FitsIn<ULONG>(pAttr->cbValues + cbSizeOfCompressedPropertiesCount)); - ULONG propertiesLength = static_cast<ULONG>(pAttr->cbValues + cbSizeOfCompressedPropertiesCount); - cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], propertiesLength) - pOldPos; - - // Serialize the count of properties - pOldPos = &pTempBuf[*pTempPos]; - cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], pAttr->wValues) - pOldPos; - - // Serialize the properties blob - if(pBuffer) - 
memcpy(&pBuffer[cbPos], pAttr->pbValues, pAttr->cbValues); - cbPos += pAttr->cbValues; - - *pCount = cbPos; - return hr; -} - -HRESULT SecurityAttributes::DeserializeAttribute(CORSEC_ATTRIBUTE *pAttr, BYTE* pBuffer, ULONG cbBuffer, SIZE_T* pPos) -{ - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - HRESULT hr; - - // Deserialize the size of the type name - BYTE* pClassName; - ULONG dwClassNameSize; - BYTE* pBufferEnd = pBuffer + cbBuffer; - IfFailRet(CPackedLen::SafeGetData((BYTE const *)&pBuffer[*pPos], - (BYTE const *)pBufferEnd, - &dwClassNameSize, - (BYTE const **)&pClassName)); - (*pPos) += pClassName - &pBuffer[*pPos]; - - // Deserialize the type name - (*pPos) += dwClassNameSize; - pAttr->pName = new (nothrow) CHAR[dwClassNameSize + 1]; - if(!pAttr->pName) - return E_OUTOFMEMORY; - memcpy(pAttr->pName, pClassName, dwClassNameSize); - pAttr->pName[dwClassNameSize] = '\0'; - - // Deserialize the CA blob size - BYTE* pCABlob; - ULONG cbCABlob; - IfFailRet(CPackedLen::SafeGetData((BYTE const *)&pBuffer[*pPos], - (BYTE const *)pBufferEnd, - &cbCABlob, - (BYTE const **)&pCABlob)); - - (*pPos) += pCABlob - &pBuffer[*pPos]; - - // Deserialize the CA blob value count - BYTE* pCABlobValues; - ULONG cCABlobValues; - IfFailRet(CPackedLen::SafeGetLength((BYTE const *)&pBuffer[*pPos], - (BYTE const *)pBufferEnd, - &cCABlobValues, - (BYTE const **)&pCABlobValues)); - - (*pPos) += pCABlobValues - &pBuffer[*pPos]; - if (!FitsIn<WORD>(cCABlobValues)) - return COR_E_OVERFLOW; - pAttr->wValues = static_cast<WORD>(cCABlobValues); - - // We know that pCABlobValues - pCABlob will be a positive result. 
- if (cbCABlob < (ULONG)(pCABlobValues - pCABlob)) - return COR_E_OVERFLOW; - - pAttr->cbValues = cbCABlob - (pCABlobValues - pCABlob); - - // Deserialize the CA blob - pAttr->pbValues = new (nothrow) BYTE[pAttr->cbValues]; - if(!pAttr->pbValues) - return E_OUTOFMEMORY; - memcpy(pAttr->pbValues, pCABlobValues, pAttr->cbValues); - - (*pPos) += pAttr->cbValues; - - return S_OK; -} - -HRESULT AttributeSetToBlob(CORSEC_ATTRSET* pAttrSet, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport, DWORD dwAction) -{ - STANDARD_VM_CONTRACT; - - // pBuffer can be NULL if the caller is only trying to determine the size of the serialized blob. In that case, let's make a little temp buffer to facilitate CPackedLen::PutLength - SIZE_T cbPos = 0; - BYTE* pTempBuf = pBuffer; - SIZE_T const *pTempPos = &cbPos; - BYTE tempBuf[8]; - const SIZE_T zero = 0; - if(!pTempBuf) - { - pTempBuf = tempBuf; - pTempPos = &zero; - } - BYTE* pOldPos; - HRESULT hr = S_OK; - - // Serialize a LAZY_DECL_SEC_FLAG to identify the blob format (as opposed to '<' which would indicate the older XML format) - if(pBuffer) - pBuffer[cbPos] = LAZY_DECL_SEC_FLAG; - cbPos++; - - // Serialize the attribute count - pOldPos = &pTempBuf[*pTempPos]; - cbPos += (BYTE*)CPackedLen::PutLength(&pTempBuf[*pTempPos], pAttrSet->dwAttrCount) - pOldPos; - - // Serialize the attributes - DWORD i; - for(i = 0; i < pAttrSet->dwAttrCount; i++) - { - // Get the attribute - CORSEC_ATTRIBUTE *pAttr = &pAttrSet->pAttrs[i]; - - // Perform any necessary fix-ups on it - if(pAttr->wValues == 1 && strcmp(pAttr->pName, "System.Security.Permissions.PermissionSetAttribute") == 0) - IfFailGo(SecurityAttributes::FixUpPermissionSetAttribute(pAttr)); - else if((dwAction == dclLinktimeCheck || - dwAction == dclInheritanceCheck) && - strcmp(pAttr->pName, "System.Security.Permissions.PrincipalPermissionAttribute") == 0) - { - VMPostError(CORSECATTR_E_BAD_NONCAS); - return CORSECATTR_E_BAD_NONCAS; - } - - // Serialize it - SIZE_T dwAttrSize = 
0; - IfFailGo(SecurityAttributes::SerializeAttribute(pAttr, pBuffer ? pBuffer + cbPos : NULL, &dwAttrSize, pImport)); - cbPos += dwAttrSize; - } - if(pCount != NULL) - *pCount = cbPos; - -ErrExit: - if (FAILED(hr)) - VMPostError(CORSECATTR_E_FAILED_TO_CREATE_PERM); // Allows for the correct message to be printed by the compiler - - return hr; -} - -HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction) -{ - CONTRACTL - { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - HRESULT hr = S_OK; - SIZE_T cbPos = 0; - BYTE* pBufferEnd = pBuffer + cbBuffer; - memset(pAttrSet, '\0', sizeof(CORSEC_ATTRSET)); - if (dwAction >= dclDemand && dwAction <= dclRequestRefuse) - pAttrSet->dwAction = dwAction; // Already lies in the publicly visible range ( values that managed enum SecurityAction can take) - else - { - // Map the action to a publicly visible value - if (dwAction == dclNonCasDemand) - pAttrSet->dwAction = dclDemand; - else if (dwAction == dclNonCasInheritance) - pAttrSet->dwAction = dclInheritanceCheck; - else if (dwAction == dclNonCasLinkDemand) - pAttrSet->dwAction = dclLinktimeCheck; - else - { - // We have an unexpected security action here. It would be nice to fail, but for compatibility we need to simply - // reset the action to Nil. 
- pAttrSet->dwAction = dclActionNil; - } - } - - // Deserialize the LAZY_DECL_SEC_FLAG to identify serialization of CORSEC_ATTRSET (as opposed to '<' which would indicate a serialized permission as Xml) - BYTE firstChar = pBuffer[cbPos]; - cbPos++; - if(firstChar != LAZY_DECL_SEC_FLAG) - return S_FALSE; - - // Deserialize the attribute count - BYTE* pBufferNext; - IfFailRet(CPackedLen::SafeGetLength((BYTE const *)&pBuffer[cbPos], - (BYTE const *)pBufferEnd, - &pAttrSet->dwAttrCount, - (BYTE const **)&pBufferNext)); - - cbPos += pBufferNext - &pBuffer[cbPos]; - if(pAttrSet->dwAttrCount > 0) - { - pAttrSet->pAttrs = new (nothrow) CORSEC_ATTRIBUTE[pAttrSet->dwAttrCount]; - if(!pAttrSet->pAttrs) - return E_OUTOFMEMORY; - pAttrSet->dwAllocated = pAttrSet->dwAttrCount; - } - - // Deserialize the attributes - DWORD i; - for(i = 0; i < pAttrSet->dwAttrCount; i++) - { - CORSEC_ATTRIBUTE *pAttr = &pAttrSet->pAttrs[i]; - hr = SecurityAttributes::DeserializeAttribute(pAttr, pBuffer, cbBuffer, &cbPos); - if(FAILED(hr)) - return hr; - } - - return S_OK; -} - -// This function takes an array of COR_SECATTR (which wrap custom security attribute blobs) and -// converts it to an array of CORSEC_ATTRSET (which contains partially-parsed custom security attribute -// blobs grouped by SecurityAction). 
Note that you must delete all the pPermissions that this allocates -// for each COR_SECATTR -HRESULT STDMETHODCALLTYPE GroupSecurityAttributesByAction( - CORSEC_ATTRSET /*OUT*/rPermSets[], - COR_SECATTR rSecAttrs[], - ULONG cSecAttrs, - mdToken tkObj, - ULONG *pulErrorAttr, - CMiniMdRW* pMiniMd, - IMDInternalImport* pInternalImport) -{ - CONTRACTL - { - NOTHROW; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - HRESULT hr = S_OK; - DWORD i, j, k; - DWORD dwAction; - BYTE* pData = NULL; - CORSEC_ATTRIBUTE* pPerm; - mdTypeDef tkParent; - TypeDefRec* pTypeDefRec; - MemberRefRec* pMemberRefRec; - TypeRefRec* pTypeRefRec; - SIZE_T cbAllocationSize; - - // If you are calling this at compile-time, you should pass in pMiniMd, and pInternalImport should be NULL - // If you are calling this at run-time, you should pass in pInternalImport, and pMiniMd should be NULL - _ASSERTE((pMiniMd && !pInternalImport) || (!pMiniMd && pInternalImport)); - - // Calculate number and sizes of permission sets to produce. This depends on - // the security action code encoded as the single parameter to the - // constructor for each security custom attribute. - for (i = 0; i < cSecAttrs; i++) - { - if (pulErrorAttr) - *pulErrorAttr = i; - - // Perform basic validation of the header of each security custom - // attribute constructor call. - pData = (BYTE*)rSecAttrs[i].pCustomAttribute; - - // Check minimum length. - if (rSecAttrs[i].cbCustomAttribute < (sizeof(WORD) + sizeof(DWORD) + sizeof(WORD))) - { - VMPostError(CORSECATTR_E_TRUNCATED); - IfFailGo(CORSECATTR_E_TRUNCATED); - } - - // Check version. - if (GET_UNALIGNED_VAL16(pData) != 1) - { - VMPostError(CORSECATTR_E_BAD_VERSION); - IfFailGo(CORSECATTR_E_BAD_VERSION); - } - pData += sizeof(WORD); - - // Extract and check security action. 
- if(pData[2] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action - dwAction = dclLinktimeCheck; - else - dwAction = GET_UNALIGNED_VAL32(pData); - if (dwAction == dclActionNil || dwAction > dclMaximumValue) - { - VMPostError(CORSECATTR_E_BAD_ACTION); - IfFailGo(CORSECATTR_E_BAD_ACTION); - } - - // All other declarative security only valid on types and methods. - if (TypeFromToken(tkObj) == mdtAssembly) - { - // Assemblies can only take permission requests. - if (dwAction != dclRequestMinimum && - dwAction != dclRequestOptional && - dwAction != dclRequestRefuse) - { - VMPostError(CORSECATTR_E_BAD_ACTION_ASM); - IfFailGo(CORSECATTR_E_BAD_ACTION_ASM); - } - } - else if (TypeFromToken(tkObj) == mdtTypeDef || TypeFromToken(tkObj) == mdtMethodDef) - { - // Types and methods can only take declarative security. - if (dwAction != dclRequest && - dwAction != dclDemand && - dwAction != dclAssert && - dwAction != dclDeny && - dwAction != dclPermitOnly && - dwAction != dclLinktimeCheck && - dwAction != dclInheritanceCheck) - { - VMPostError(CORSECATTR_E_BAD_ACTION_OTHER); - IfFailGo(CORSECATTR_E_BAD_ACTION_OTHER); - } - } - else - { - // Permission sets can't be attached to anything else. - VMPostError(CORSECATTR_E_BAD_PARENT); - IfFailGo(CORSECATTR_E_BAD_PARENT); - } - - rPermSets[dwAction].dwAttrCount++; - } - - // Initialize the descriptor for each type of permission set we are going to - // produce. - for (i = 0; i <= dclMaximumValue; i++) - { - if (rPermSets[i].dwAttrCount == 0) - continue; - - rPermSets[i].tkObj = tkObj; - rPermSets[i].dwAction = i; - rPermSets[i].pImport = NULL; - rPermSets[i].pAppDomain = NULL; - rPermSets[i].pAttrs = new (nothrow) CORSEC_ATTRIBUTE[rPermSets[i].dwAttrCount]; - IfNullGo(rPermSets[i].pAttrs); - - // Initialize a descriptor for each permission within the permission set. 
- for (j = 0, k = 0; j < rPermSets[i].dwAttrCount; j++, k++) - { - // Locate the next security attribute that contributes to this - // permission set. - for (; k < cSecAttrs; k++) - { - pData = (BYTE*)rSecAttrs[k].pCustomAttribute; - if(pData[4] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action - dwAction = dclLinktimeCheck; - else - dwAction = GET_UNALIGNED_VAL32(pData + sizeof(WORD)); - if (dwAction == i) - break; - } - _ASSERTE(k < cSecAttrs); - - if (pulErrorAttr) - *pulErrorAttr = k; - - // Initialize the permission. - pPerm = &rPermSets[i].pAttrs[j]; - pPerm->tkCtor = rSecAttrs[k].tkCtor; - pPerm->dwIndex = k; - if(pData[4] == SERIALIZATION_TYPE_PROPERTY) // check to see if it's a HostProtection attribute w/o an action - { - _ASSERTE(!pPerm->pbValues); - //pPerm->pbValues = pData + (sizeof (WORD) + sizeof(WORD)); - if (!ClrSafeInt<SIZE_T>::subtraction(rSecAttrs[k].cbCustomAttribute, (sizeof (WORD) + sizeof(WORD)), pPerm->cbValues)) - return COR_E_OVERFLOW; - pPerm->wValues = GET_UNALIGNED_VAL16(pData + sizeof (WORD)); - // Prefast overflow sanity check the addition. - if (!ClrSafeInt<SIZE_T>::addition(pPerm->cbValues, sizeof(WORD), cbAllocationSize)) - return COR_E_OVERFLOW; - pPerm->pbValues = new (nothrow) BYTE[cbAllocationSize]; - if(!pPerm->pbValues) - return E_OUTOFMEMORY; - memcpy(pPerm->pbValues, pData + (sizeof (WORD) + sizeof(WORD)), pPerm->cbValues); - } - else - { - _ASSERTE(!pPerm->pbValues); - //pPerm->pbValues = pData + (sizeof (WORD) + sizeof(DWORD) + sizeof(WORD)); - if (!ClrSafeInt<SIZE_T>::subtraction(rSecAttrs[k].cbCustomAttribute, (sizeof (WORD) + sizeof (DWORD) + sizeof(WORD)), pPerm->cbValues)) - return COR_E_OVERFLOW; - pPerm->wValues = GET_UNALIGNED_VAL16(pData + sizeof (WORD) + sizeof(DWORD)); - // Prefast overflow sanity check the addition. 
- if (!ClrSafeInt<SIZE_T>::addition(pPerm->cbValues, sizeof(WORD), cbAllocationSize)) - return COR_E_OVERFLOW; - pPerm->pbValues = new (nothrow) BYTE[cbAllocationSize]; - if(!pPerm->pbValues) - return E_OUTOFMEMORY; - memcpy(pPerm->pbValues, pData + (sizeof (WORD) + sizeof(DWORD) + sizeof(WORD)), pPerm->cbValues); - } - - CQuickBytes qbFullName; - CHAR* szFullName = NULL; - - LPCSTR szTypeName; - LPCSTR szTypeNamespace; - - // Follow the security custom attribute constructor back up to its - // defining assembly (so we know how to load its definition). If the - // token resolution scope is not defined, it's assumed to be - // mscorlib. - if (TypeFromToken(rSecAttrs[k].tkCtor) == mdtMethodDef) - { - if (pMiniMd != NULL) - { - // scratch buffer for full type name - szFullName = (CHAR*) qbFullName.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR)); - if(szFullName == NULL) - return E_OUTOFMEMORY; - - // grab the type that contains the security attribute constructor - IfFailGo(pMiniMd->FindParentOfMethodHelper(rSecAttrs[k].tkCtor, &tkParent)); - - // scratch buffer for nested type names - CQuickBytes qbBuffer; - CHAR* szBuffer; - - CHAR* szName = NULL; - BOOL fFirstLoop = TRUE; - pTypeDefRec = NULL; - do - { - // get outer type name - IfFailGo(pMiniMd->GetTypeDefRecord(RidFromToken(tkParent), &pTypeDefRec)); - IfFailGo(pMiniMd->getNameOfTypeDef(pTypeDefRec, (LPCSTR *)&szName)); - - // If this is the first time through the loop, just assign values, otherwise build nested type name. 
- if (!fFirstLoop) - { - szBuffer = (CHAR*) qbBuffer.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR)); - if(szBuffer == NULL) - return E_OUTOFMEMORY; - - ns::MakeNestedTypeName(szBuffer, (MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR), szName, szFullName); - szName = szBuffer; - } - else - { - fFirstLoop = FALSE; - } - - // copy into buffer - size_t localLen = strlen(szName) + 1; - strcpy_s(szFullName, localLen, szName); - - // move to next parent - DWORD dwFlags = pMiniMd->getFlagsOfTypeDef(pTypeDefRec); - if (IsTdNested(dwFlags)) - { - RID ridNestedRec; - IfFailGo(pMiniMd->FindNestedClassHelper(tkParent, &ridNestedRec)); - _ASSERTE(!InvalidRid(ridNestedRec)); - NestedClassRec *pNestedRec; - IfFailGo(pMiniMd->GetNestedClassRecord(ridNestedRec, &pNestedRec)); - tkParent = pMiniMd->getEnclosingClassOfNestedClass(pNestedRec); - } - else - { - tkParent = NULL; - } - } while (tkParent != NULL); - - IfFailGo(pMiniMd->getNamespaceOfTypeDef(pTypeDefRec, &szTypeNamespace)); - szTypeName = szFullName; - } - else - { - IfFailGo(pInternalImport->GetParentToken(rSecAttrs[k].tkCtor, &tkParent)); - IfFailGo(pInternalImport->GetNameOfTypeDef(tkParent, &szTypeName, &szTypeNamespace)); - } - pPerm->tkTypeRef = mdTokenNil; - pPerm->tkAssemblyRef = mdTokenNil; - } - else - { - _ASSERTE(TypeFromToken(rSecAttrs[k].tkCtor) == mdtMemberRef); - - // Get the type ref - if (pMiniMd != NULL) - { - IfFailGo(pMiniMd->GetMemberRefRecord(RidFromToken(rSecAttrs[k].tkCtor), &pMemberRefRec)); - pPerm->tkTypeRef = pMiniMd->getClassOfMemberRef(pMemberRefRec); - } - else - { - IfFailGo(pInternalImport->GetParentOfMemberRef(rSecAttrs[k].tkCtor, &pPerm->tkTypeRef)); - } - - _ASSERTE(TypeFromToken(pPerm->tkTypeRef) == mdtTypeRef); - - // Get an assembly ref - pPerm->tkAssemblyRef = pPerm->tkTypeRef; - pTypeRefRec = NULL; - do - { - if (pMiniMd != NULL) - { - IfFailGo(pMiniMd->GetTypeRefRecord(RidFromToken(pPerm->tkAssemblyRef), &pTypeRefRec)); - pPerm->tkAssemblyRef = 
pMiniMd->getResolutionScopeOfTypeRef(pTypeRefRec); - } - else - { - IfFailGo(pInternalImport->GetResolutionScopeOfTypeRef(pPerm->tkAssemblyRef, &pPerm->tkAssemblyRef)); - } - // loop because nested types have a resolution scope of the parent type rather than an assembly - } while(TypeFromToken(pPerm->tkAssemblyRef) == mdtTypeRef); - - // Figure out the fully qualified type name - if (pMiniMd != NULL) - { - IfFailGo(pMiniMd->getNamespaceOfTypeRef(pTypeRefRec, &szTypeNamespace)); - IfFailGo(pMiniMd->getNameOfTypeRef(pTypeRefRec, &szTypeName)); - } - else - { - IfFailGo(pInternalImport->GetNameOfTypeRef(pPerm->tkTypeRef, &szTypeNamespace, &szTypeName)); - } - } - - CQuickBytes qb; - CHAR* szTmp = (CHAR*) qb.AllocNoThrow((MAX_CLASSNAME_LENGTH+1) * sizeof(CHAR)); - if(szTmp == NULL) - return E_OUTOFMEMORY; - - ns::MakePath(szTmp, MAX_CLASSNAME_LENGTH, szTypeNamespace, szTypeName); - - size_t len = strlen(szTmp) + 1; - pPerm->pName = new (nothrow) CHAR[len]; - if(!pPerm->pName) - return E_OUTOFMEMORY; - strcpy_s(pPerm->pName, len, szTmp); - } - } - -ErrExit: - return hr; -} diff --git a/src/vm/securityattributes.h b/src/vm/securityattributes.h deleted file mode 100644 index 8408309b0a..0000000000 --- a/src/vm/securityattributes.h +++ /dev/null 
@@ -1,126 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYATTRIBUTES_H__
-#define __SECURITYATTRIBUTES_H__
-
-#include "vars.hpp"
-#include "eehash.h"
-#include "corperm.h"
-
-class SecurityDescriptor;
-class AssemblySecurityDescriptor;
-class SecurityStackWalk;
-class COMCustomAttribute;
-class PsetCacheEntry;
-struct TokenDeclActionInfo;
-
-extern HRESULT BlobToAttributeSet(BYTE* pBuffer, ULONG cbBuffer, CORSEC_ATTRSET* pAttrSet, DWORD dwAction);
-
-namespace SecurityAttributes
-{
- // Retrieves a previously loaded PermissionSet
- // object index (this will work even if the permission set was loaded in
- // a different appdomain).
- OBJECTREF GetPermissionSet(DWORD dwIndex, DWORD dwAction);
-
- // Locate the index of a permission set in the cache (returns false if the
- // permission set has not yet been seen and decoded).
- BOOL LookupPermissionSet(IN PBYTE pbPset,
- IN DWORD cbPset,
- OUT DWORD *pdwSetIndex);
-
- // Creates a new permission set
- OBJECTREF CreatePermissionSet(BOOL fTrusted);
-
-
- // Uses new to create the byte array that is returned.
- void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray,
- OUT PBYTE* pbData,
- OUT DWORD* cbData);
-
-
- // Generic routine, use with encoding calls that
- // use the EncodePermission client data
- // Uses new to create the byte array that is returned.
- void CopyEncodingToByteArray(IN PBYTE pbData,
- IN DWORD cbData,
- IN OBJECTREF* pArray);
-
- BOOL RestrictiveRequestsInAssembly(IMDInternalImport* pImport);
-
- // Returns the declared PermissionSet or PermissionSetCollection for the
- // specified action type.
- HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport,
- IN mdToken token, // token for method, class, or assembly
- IN CorDeclSecurity action, // SecurityAction
- OUT OBJECTREF *pDeclaredPermissions, // The returned PermissionSet for that SecurityAction
- OUT PsetCacheEntry **pPSCacheEntry = NULL); // The cache entry for the PermissionSet blob.
-
-
- HRESULT TranslateSecurityAttributesHelper(
- CORSEC_ATTRSET *pAttrSet,
- BYTE **ppbOutput,
- DWORD *pcbOutput,
- BYTE **ppbNonCasOutput,
- DWORD *pcbNonCasOutput,
- DWORD *pdwErrorIndex);
-
- HRESULT FixUpPermissionSetAttribute(CORSEC_ATTRIBUTE* pPerm);
- HRESULT SerializeAttribute(CORSEC_ATTRIBUTE* pAttr, BYTE* pBuffer, SIZE_T* pCount, IMetaDataAssemblyImport *pImport);
- HRESULT DeserializeAttribute(CORSEC_ATTRIBUTE *pAttr, BYTE* pBuffer, ULONG cbBuffer, SIZE_T* pPos);
-
- inline bool ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
-
- inline bool ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet, bool* pHostProtectionOnly);
-
- void CreateAndCachePermissions(IN PBYTE pbPerm,
- IN ULONG cbPerm,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPSCacheEntry);
-
- HRESULT GetPermissionsFromMetaData(IN IMDInternalImport *pInternalImport,
- IN mdToken token,
- IN CorDeclSecurity action,
- OUT PBYTE* ppbPerm,
- OUT ULONG* pcbPerm);
-
- bool IsUnrestrictedPermissionSetAttribute(CORSEC_ATTRIBUTE* pAttr);
- bool IsBuiltInCASPermissionAttribute(CORSEC_ATTRIBUTE* pAttr);
- bool IsHostProtectionAttribute(CORSEC_ATTRIBUTE* pAttr);
-
- void LoadPermissionRequestsFromAssembly(IN IMDInternalImport *pImport,
- OUT OBJECTREF* pReqdPermissions,
- OUT OBJECTREF* pOptPermissions,
- OUT OBJECTREF* pDenyPermissions);
-
- // Insert a decoded permission set into the cache. Duplicates are discarded.
- void InsertPermissionSet(IN PBYTE pbPset,
- IN DWORD cbPset,
- IN OBJECTREF orPset,
- OUT DWORD *pdwSetIndex);
-
- Assembly* LoadAssemblyFromToken(IMetaDataAssemblyImport *pImport, mdAssemblyRef tkAssemblyRef);
- Assembly* LoadAssemblyFromNameString(__in_z WCHAR* pAssemblyName);
- HRESULT AttributeSetToManaged(OBJECTREF* /*OUT*/obj, CORSEC_ATTRSET* pAttrSet, OBJECTREF* pThrowable, DWORD* pdwErrorIndex, bool bLazy);
- HRESULT SetAttrFieldsAndProperties(CORSEC_ATTRIBUTE *pAttr, OBJECTREF* pThrowable, MethodTable* pMT, OBJECTREF* pObj);
- HRESULT SetAttrField(BYTE** ppbBuffer, SIZE_T* pcbBuffer, DWORD dwType, TypeHandle hEnum, MethodTable* pMT, __in_z LPSTR szName, OBJECTREF* pObj, DWORD dwLength, BYTE* pbName, DWORD cbName, CorElementType eEnumType);
- HRESULT SetAttrProperty(BYTE** ppbBuffer, SIZE_T* pcbBuffer, MethodTable* pMT, DWORD dwType, __in_z LPSTR szName, OBJECTREF* pObj, DWORD dwLength, BYTE* pbName, DWORD cbName, CorElementType eEnumType);
- void AttrArrayToPermissionSet(OBJECTREF* attrArray, bool fSerialize, DWORD attrCount, BYTE **ppbOutput, DWORD *pcbOutput, BYTE **ppbNonCasOutput, DWORD *pcbNonCasOutput, bool fAllowEmptyPermissionSet, OBJECTREF* pPermSet);
- void AttrSetBlobToPermissionSets(IN BYTE* pbRawPermissions, IN DWORD cbRawPermissions, OUT OBJECTREF* pObj, IN DWORD dwAction);
-
-
-
- bool ActionAllowsNullPermissionSet(CorDeclSecurity action);
-}
-
-#define LAZY_DECL_SEC_FLAG '.'
-
-#endif // __SECURITYATTRIBUTES_H__
-
diff --git a/src/vm/securityattributes.inl b/src/vm/securityattributes.inl
deleted file mode 100644
index a5f809120f..0000000000
--- a/src/vm/securityattributes.inl
+++ /dev/null
@@ -1,44 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYATTRIBUTES_INL__
-#define __SECURITYATTRIBUTES_INL__
-
-#include "securityattributes.h"
-
-
-inline bool SecurityAttributes::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet)
-{
- bool hostProtectiononly;
- return ContainsBuiltinCASPermsOnly(pAttrSet, &hostProtectiononly);
-}
-
-
-inline bool SecurityAttributes::ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet, bool* pHostProtectionOnly)
-{
- DWORD n;
- *pHostProtectionOnly = true; // Assume that it's all HostProtection only
- for(n = 0; n < pAttrSet->dwAttrCount; n++)
- {
- CORSEC_ATTRIBUTE* pAttr = &pAttrSet->pAttrs[n];
- if(!IsBuiltInCASPermissionAttribute(pAttr))
- {
- *pHostProtectionOnly = false;
- return false;
- }
- if (*pHostProtectionOnly && !IsHostProtectionAttribute(pAttr))
- {
- *pHostProtectionOnly = false;
- }
- }
-
- return true;
-}
-
-#endif // __SECURITYATTRIBUTES_INL__
-
diff --git a/src/vm/securitydeclarative.cpp b/src/vm/securitydeclarative.cpp
deleted file mode 100644
index 5771138b7d..0000000000
--- a/src/vm/securitydeclarative.cpp
+++ /dev/null
@@ -1,754 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-
-#include "security.h"
-#include "securitydeclarative.inl"
-#include "eventtrace.h"
-
-
-
-//-----------------------------------------------------------------------------
- //
- //
- // CODE FOR MAKING THE SECURITY STUB AT JIT-TIME
- //
- //
- //-----------------------------------------------------------------------------
-
-
-enum DeclSecMergeMethod
-{
- DS_METHOD_OVERRIDE,
- DS_CLASS_OVERRIDE,
- DS_UNION,
- DS_INTERSECT,
- DS_APPLY_METHOD_THEN_CLASS, // not supported with stack modifier actions
- DS_APPLY_CLASS_THEN_METHOD, // not supported with stack modifier actions
- DS_NOT_APPLICABLE, // action not supported on both method and class
-};
-
-// (Note: The values that are DS_NOT_APPLICABLE are not hooked up to
-// this table, so changing one of those values will have no effect)
-const DeclSecMergeMethod g_DeclSecClassAndMethodMergeTable[] =
-{
- DS_NOT_APPLICABLE, // dclActionNil = 0
- DS_NOT_APPLICABLE, // dclRequest = 1
- DS_UNION, // dclDemand = 2
- DS_METHOD_OVERRIDE, // dclAssert = 3
- DS_UNION, // dclDeny = 4
- DS_INTERSECT, // dclPermitOnly = 5
- DS_NOT_APPLICABLE, // dclLinktimeCheck = 6
- DS_NOT_APPLICABLE, // dclInheritanceCheck = 7
- DS_NOT_APPLICABLE, // dclRequestMinimum = 8
- DS_NOT_APPLICABLE, // dclRequestOptional = 9
- DS_NOT_APPLICABLE, // dclRequestRefuse = 10
- DS_NOT_APPLICABLE, // dclPrejitGrant = 11
- DS_NOT_APPLICABLE, // dclPrejitDenied = 12
- DS_UNION, // dclNonCasDemand = 13
- DS_NOT_APPLICABLE, // dclNonCasLinkDemand = 14
- DS_NOT_APPLICABLE, // dclNonCasInheritance = 15
-};
-
-// This table specifies the order in which runtime declarative actions will be performed
-// (Note that for stack-modifying actions, this means the order in which they are applied to the
-// frame descriptor, not the order in which they are evaluated when a demand is performed.
-// That order is determined by the code in System.Security.FrameSecurityDescriptor.)
-const CorDeclSecurity g_RuntimeDeclSecOrderTable[] =
-{
- dclPermitOnly, // 5
- dclDeny, // 4
- dclAssert, // 3
- dclDemand, // 2
- dclNonCasDemand, // 13
-};
-
-#define DECLSEC_RUNTIME_ACTION_COUNT (sizeof(g_RuntimeDeclSecOrderTable) / sizeof(CorDeclSecurity))
-
-
-TokenDeclActionInfo* TokenDeclActionInfo::Init(DWORD dwAction, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- AppDomain *pDomain = GetAppDomain();
-
- TokenDeclActionInfo *pTemp =
- static_cast<TokenDeclActionInfo*>((void*)pDomain->GetLowFrequencyHeap()
- ->AllocMem(S_SIZE_T(sizeof(TokenDeclActionInfo))));
-
- pTemp->dwDeclAction = dwAction;
- pTemp->pPCE = pPCE;
- pTemp->pNext = NULL;
-
- return pTemp;
-}
-
-void TokenDeclActionInfo::LinkNewDeclAction(TokenDeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- TokenDeclActionInfo *temp = Init(DclToFlag(action), pPCE);
- if (!(*ppActionList))
- *ppActionList = temp;
- else
- {
- temp->pNext = *ppActionList;
- *ppActionList = temp;
- }
-}
-
-DeclActionInfo *DeclActionInfo::Init(MethodDesc *pMD, DWORD dwAction, PsetCacheEntry *pPCE)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- DeclActionInfo *pTemp = (DeclActionInfo *)(void*)pMD->GetDomainSpecificLoaderAllocator()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(DeclActionInfo)));
-
- pTemp->dwDeclAction = dwAction;
- pTemp->pPCE = pPCE;
- pTemp->pNext = NULL;
-
- return pTemp;
-}
-
-void LinkNewDeclAction(DeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE, MethodDesc *pMeth)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- DeclActionInfo *temp = DeclActionInfo::Init(pMeth, DclToFlag(action), pPCE);
- if (!(*ppActionList))
- *ppActionList = temp;
- else
- {
- // Add overrides to the end of the list, all others to the front
- if (IsDclActionAnyStackModifier(action))
- {
- DeclActionInfo *w = *ppActionList;
- while (w->pNext != NULL)
- w = w->pNext;
- w->pNext = temp;
- }
- else
- {
- temp->pNext = *ppActionList;
- *ppActionList = temp;
- }
- }
-}
-
-void SecurityDeclarative::AddDeclAction(CorDeclSecurity action, PsetCacheEntry *pClassPCE, PsetCacheEntry *pMethodPCE, DeclActionInfo** ppActionList, MethodDesc *pMeth)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- if(pClassPCE == NULL)
- {
- if(pMethodPCE == NULL)
- return;
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- return;
- }
- else if(pMethodPCE == NULL)
- {
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- return;
- }
-
- // Merge class and method declarations
- switch(g_DeclSecClassAndMethodMergeTable[action])
- {
- case DS_METHOD_OVERRIDE:
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- break;
-
- case DS_CLASS_OVERRIDE:
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- break;
-
- case DS_UNION:
- _ASSERTE(!"Declarative permission sets may not be unioned together in CoreCLR. Are you attempting to have a declarative demand or deny on both a method and its enclosing class?");
- break;
-
- case DS_INTERSECT:
- _ASSERTE(!"Declarative permission sets may not be intersected in CoreCLR. Are you attempting to have a declarative permit only on both a method and its enclosing class?");
- break;
-
- case DS_APPLY_METHOD_THEN_CLASS:
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth); // note: order reversed because LinkNewDeclAction inserts at beginning of list
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth);
- break;
-
- case DS_APPLY_CLASS_THEN_METHOD:
- LinkNewDeclAction(ppActionList, action, pMethodPCE, pMeth); // note: order reversed because LinkNewDeclAction inserts at beginning of list
- LinkNewDeclAction(ppActionList, action, pClassPCE, pMeth);
- break;
-
- case DS_NOT_APPLICABLE:
- _ASSERTE(!"not a runtime action");
- break;
-
- default:
- _ASSERTE(!"unexpected merge type");
- break;
- }
-}
-
-
-// Here we see what declarative actions are needed everytime a method is called,
-// and create a list of these actions, which will be emitted as an argument to
-// DoDeclarativeSecurity
-DeclActionInfo* SecurityDeclarative::DetectDeclActions(MethodDesc *pMeth, DWORD dwDeclFlags)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- GCX_COOP();
-
- DeclActionInfo *pDeclActions = NULL;
-
- IMDInternalImport *pInternalImport = pMeth->GetMDImport();
-
- // Lets check the Ndirect/Interop cases first
- if (dwDeclFlags & DECLSEC_UNMNGD_ACCESS_DEMAND)
- {
- HRESULT hr = S_FALSE;
- if (pMeth->HasSuppressUnmanagedCodeAccessAttr())
- {
- dwDeclFlags &= ~DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
- else
- {
- MethodTable * pMT = pMeth->GetMethodTable();
- EEClass * pClass = pMT->GetClass();
-
- // If speculatively true then check the CA
-
- if (pClass->HasSuppressUnmanagedCodeAccessAttr())
- {
- hr = S_OK;
- if (hr != S_OK)
- {
- g_IBCLogger.LogEEClassCOWTableAccess(pMT);
- pClass->SetDoesNotHaveSuppressUnmanagedCodeAccessAttr();
- }
- }
- _ASSERTE(SUCCEEDED(hr));
- if (hr == S_OK)
- dwDeclFlags &= ~DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
- // Check if now there are no actions left
- if (dwDeclFlags == 0)
- return NULL;
-
- if (dwDeclFlags & DECLSEC_UNMNGD_ACCESS_DEMAND)
- {
- // A NDirect/Interop demand is required.
- DeclActionInfo *temp = DeclActionInfo::Init(pMeth, DECLSEC_UNMNGD_ACCESS_DEMAND, NULL);
- if (!pDeclActions)
- pDeclActions = temp;
- else
- {
- temp->pNext = pDeclActions;
- pDeclActions = temp;
- }
- }
- } // if DECLSEC_UNMNGD_ACCESS_DEMAND
-
- // Find class declarations
- PsetCacheEntry* classSetPermissions[dclMaximumValue + 1];
- DetectDeclActionsOnToken(pMeth->GetMethodTable()->GetCl(), dwDeclFlags, classSetPermissions, pInternalImport);
-
- // Find method declarations
- PsetCacheEntry* methodSetPermissions[dclMaximumValue + 1];
- DetectDeclActionsOnToken(pMeth->GetMemberDef(), dwDeclFlags, methodSetPermissions, pInternalImport);
-
- // Make sure the g_DeclSecClassAndMethodMergeTable is okay
- _ASSERTE(sizeof(g_DeclSecClassAndMethodMergeTable) == sizeof(DeclSecMergeMethod) * (dclMaximumValue + 1) &&
- "g_DeclSecClassAndMethodMergeTable wrong size!");
-
- // Merge class and method runtime declarations into a single linked list of set indexes
- int i;
- for(i = DECLSEC_RUNTIME_ACTION_COUNT - 1; i >= 0; i--) // note: the loop uses reverse order because AddDeclAction inserts at beginning of the list
- {
- CorDeclSecurity action = g_RuntimeDeclSecOrderTable[i];
- _ASSERTE(action > dclActionNil && action <= dclMaximumValue && "action out of range");
- AddDeclAction(action, classSetPermissions[action], methodSetPermissions[action], &pDeclActions, pMeth);
- }
-
- return pDeclActions;
-}
-
-void SecurityDeclarative::DetectDeclActionsOnToken(mdToken tk, DWORD dwDeclFlags, PsetCacheEntry** pSets, IMDInternalImport *pInternalImport)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- // Make sure the DCL to Flag table is okay
- _ASSERTE(DclToFlag(dclDemand) == DECLSEC_DEMANDS &&
- sizeof(DCL_FLAG_MAP) == sizeof(DWORD) * (dclMaximumValue + 1) &&
- "DCL_FLAG_MAP out of sync with CorDeclSecurity!");
-
- // Initialize the array
- int i;
- for(i = 0; i < dclMaximumValue + 1; i++)
- pSets[i] = NULL;
-
- // Look up declarations on the token for each SecurityAction
- DWORD dwAction;
- for (dwAction = 0; dwAction <= dclMaximumValue; dwAction++)
- {
- // don't bother with actions that are not in the requested mask
- CorDeclSecurity action = (CorDeclSecurity)dwAction;
- DWORD dwActionFlag = DclToFlag(action);
- if ((dwDeclFlags & dwActionFlag) == 0)
- continue;
-
- // Load the PermissionSet or PermissionSetCollection from the security action table in the metadata
- PsetCacheEntry *pPCE;
- HRESULT hr = SecurityAttributes::GetDeclaredPermissions(pInternalImport, tk, action, NULL, &pPCE);
- if (hr != S_OK) // returns S_FALSE if it didn't find anything in the metadata
- continue;
-
- pSets[dwAction] = pPCE;
- }
-}
-
-// Returns TRUE if there is a possibility that a token has declarations of the type specified by 'action'
-// Returns FALSE if it can determine that the token definately does not.
-BOOL SecurityDeclarative::TokenMightHaveDeclarations(IMDInternalImport *pInternalImport, mdToken token, CorDeclSecurity action)
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- HRESULT hr = S_OK;
- HENUMInternal hEnumDcl;
- DWORD cDcl;
-
- // Check if the token has declarations for
- // the action specified.
- hr = pInternalImport->EnumPermissionSetsInit(
- token,
- action,
- &hEnumDcl);
-
- if (FAILED(hr) || hr == S_FALSE)
- {
- // PermissionSets for non-CAS actions are special cases because they may be mixed with
- // the set for the corresponding CAS action in a serialized CORSEC_PSET
- if(action == dclNonCasDemand || action == dclNonCasLinkDemand || action == dclNonCasInheritance)
- {
- // See if the corresponding CAS action has permissions
- BOOL fDoCheck = FALSE;
- if(action == dclNonCasDemand)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclDemand);
- else if(action == dclNonCasLinkDemand)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclLinktimeCheck);
- else if(action == dclNonCasInheritance)
- fDoCheck = TokenMightHaveDeclarations(pInternalImport, token, dclInheritanceCheck);
- if(fDoCheck)
- {
- // We can't tell for sure if there are declarations unless we deserializing something
- // (which is too expensive), so we'll just return TRUE
- return TRUE;
- /*
- OBJECTREF refPermSet = NULL;
- DWORD dwIndex = ~0;
- hr = SecurityAttributes::GetDeclaredPermissionsWithCache(pInternalImport, token, action, &refPermSet, &dwIndex);
- if(refPermSet != NULL)
- {
- _ASSERTE(dwIndex != (~0));
- return TRUE;
- }
- */
- }
- }
- pInternalImport->EnumClose(&hEnumDcl);
- return FALSE;
- }
-
- cDcl = pInternalImport->EnumGetCount(&hEnumDcl);
- pInternalImport->EnumClose(&hEnumDcl);
-
- return (cDcl > 0);
-}
-
-
-bool SecurityDeclarative::BlobMightContainNonCasPermission(PBYTE pbAttrSet, ULONG cbAttrSet, DWORD dwAction, bool* pHostProtectionOnly)
-{
- CONTRACTL {
- THROWS;
- } CONTRACTL_END;
-
- // Deserialize the CORSEC_ATTRSET
- CORSEC_ATTRSET attrSet;
- HRESULT hr = BlobToAttributeSet(pbAttrSet, cbAttrSet, &attrSet, dwAction);
- if(FAILED(hr))
- COMPlusThrowHR(hr);
-
- // this works because SecurityAttributes::CanUnrestrictedOverride only returns
- // true if the attribute set contains only well-known non-CAS permissions
- return !SecurityAttributes::ContainsBuiltinCASPermsOnly(&attrSet, pHostProtectionOnly);
-}
-
-// Accumulate status of declarative security.
-HRESULT SecurityDeclarative::GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* pfHasSuppressUnmanagedCodeAccessAttr /*[IN:TRUE if Pinvoke/Cominterop][OUT:FALSE if doesn't have attr]*/)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- HENUMInternal hEnumDcl;
- HRESULT hr;
- DWORD dwFlags = 0;
- DWORD dwNullFlags = 0;
-
- _ASSERTE(pdwFlags);
- *pdwFlags = 0;
-
- if (pdwNullFlags)
- *pdwNullFlags = 0;
-
- hr = pInternalImport->EnumPermissionSetsInit(token, dclActionNil, &hEnumDcl);
- if (FAILED(hr))
- goto Exit;
-
- if (hr == S_OK)
- {
- //Look through the security action table in the metadata for declared permission sets
- mdPermission perms;
- DWORD dwAction;
- DWORD dwDclFlags;
- ULONG cbPerm;
- PBYTE pbPerm;
- while (pInternalImport->EnumNext(&hEnumDcl, &perms))
- {
- hr = pInternalImport->GetPermissionSetProps(
- perms,
- &dwAction,
- (const void**)&pbPerm,
- &cbPerm);
- if (FAILED(hr))
- {
- goto Exit;
- }
-
- dwDclFlags = DclToFlag(dwAction);
-
- if ((cbPerm > 0) && (pbPerm[0] == LAZY_DECL_SEC_FLAG)) // indicates a serialized CORSEC_PSET
- {
- bool hostProtectionOnly; // gets initialized in call to BlobMightContainNonCasPermission
- if (BlobMightContainNonCasPermission(pbPerm, cbPerm, dwAction, &hostProtectionOnly))
- {
- switch (dwAction)
- {
- case dclDemand:
- dwFlags |= DclToFlag(dclNonCasDemand);
- break;
- case dclLinktimeCheck:
- dwFlags |= DclToFlag(dclNonCasLinkDemand);
- break;
- case dclInheritanceCheck:
- dwFlags |= DclToFlag(dclNonCasInheritance);
- break;
- }
- }
- else
- {
- if (hostProtectionOnly)
- {
- // If this is a linkcheck for HostProtection only, let's capture that in the flags.
- // Subsequently, this will be captured in the bit mask on EEClass/MethodDesc
- // and used when deciding whether to insert runtime callouts for transparency
- dwDclFlags |= DECLSEC_LINK_CHECKS_HPONLY;
- }
- }
- }
-
- dwFlags |= dwDclFlags;
- }
- }
- pInternalImport->EnumClose(&hEnumDcl);
-
- // Disable any runtime checking of UnmanagedCode permission if the correct
- // custom attribute is present.
- // By default, check except when told not to by the passed in BOOL*
-
- BOOL hasSuppressUnmanagedCodeAccessAttr;
- if (pfHasSuppressUnmanagedCodeAccessAttr == NULL)
- {
- hasSuppressUnmanagedCodeAccessAttr = TRUE;
- }
- else
- hasSuppressUnmanagedCodeAccessAttr = *pfHasSuppressUnmanagedCodeAccessAttr;
-
-
- if (hasSuppressUnmanagedCodeAccessAttr)
- {
- dwFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- dwNullFlags |= DECLSEC_UNMNGD_ACCESS_DEMAND;
- }
-
- *pdwFlags = dwFlags;
- if (pdwNullFlags)
- *pdwNullFlags = dwNullFlags;
-
-Exit:
- return hr;
-}
-
-void SecurityDeclarative::ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pClass));
- PRECONDITION(CheckPointer(pParent));
- PRECONDITION(!pClass->IsInterface());
- }
- CONTRACTL_END;
-
- // Regular check since Fast path check didn't succeed
- TypeSecurityDescriptor typeSecDesc(pParent);
- typeSecDesc.InvokeInheritanceChecks(pClass);
-}
-
-void SecurityDeclarative::MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent)
-{
- CONTRACTL
- {
- STANDARD_VM_CHECK;
- PRECONDITION(CheckPointer(pMethod));
- PRECONDITION(CheckPointer(pParent));
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- // Regular check since Fast path check didn't succeed
- MethodSecurityDescriptor MDSecDesc(pParent);
- MDSecDesc.InvokeInheritanceChecks(pMethod);
-}
-
-#ifndef CROSSGEN_COMPILE
-//-----------------------------------------------------------------------------
-//
-//
-// CODE FOR PERFORMING JIT-TIME CHECKS
-//
-//
-//-----------------------------------------------------------------------------
-
-
-
-
-
-
-// Retrieve all linktime demands sets for a method. This includes both CAS and
-// non-CAS sets for LDs at the class and the method level, so we could get up to
-// four sets.
-void SecurityDeclarative::RetrieveLinktimeDemands(MethodDesc *pMD,
- OBJECTREF *pClassCas,
- OBJECTREF *pClassNonCas,
- OBJECTREF *pMethodCas,
- OBJECTREF *pMethodNonCas)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-}
-
-//
-// Determine the reason why a method has been marked as requiring a link time check
-//
-// Arguments:
-// pMD - the method to figure out what link checks are needed for
-// pClassCasDemands - [out, optional] the CAS link demands found on the class containing the method
-// pClassNonCasDemands - [out, optional] the non-CAS link demands found on the class containing the method
-// pMethodCasDemands - [out, optional] the CAS link demands found on the method itself
-// pMethodNonCasDemands - [out, optional] the non-CAS link demands found on the method itself
-//
-// Return Value:
-// Flags indicating why the method has a link time check requirement
-//
-
-// static
-LinktimeCheckReason SecurityDeclarative::GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- PRECONDITION(CheckPointer(pClassCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pClassNonCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pMethodCasDemands, NULL_OK));
- PRECONDITION(CheckPointer(pMethodNonCasDemands, NULL_OK));
- PRECONDITION(pMD->RequiresLinktimeCheck());
- }
- CONTRACTL_END;
-
- LinktimeCheckReason reason = LinktimeCheckReason_None;
-
-#if defined(FEATURE_CORESYSTEM)
- ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pMD->GetAssembly());
-
- // If the method does not allow partially trusted callers, then the check is because we need to ensure all
- // callers are fully trusted.
- if (!pMSD->IsAPTCA())
- {
- reason |= LinktimeCheckReason_AptcaCheck;
- }
-#endif // defined(FEATURE_CORESYSTEM)
-
- //
- // If the method has a LinkDemand on it for either CAS or non-CAS permissions, get those and set the
- // flags for the appropriate type of permission.
- //
-
- struct gc
- {
- OBJECTREF refClassCasDemands;
- OBJECTREF refClassNonCasDemands;
- OBJECTREF refMethodCasDemands;
- OBJECTREF refMethodNonCasDemands;
- }
- gc;
- ZeroMemory(&gc, sizeof(gc));
-
- GCPROTECT_BEGIN(gc);
-
- // Fetch link demand sets from all the places in metadata where we might
- // find them (class and method). These might be split into CAS and non-CAS
- // sets as well.
- Security::RetrieveLinktimeDemands(pMD,
- &gc.refClassCasDemands,
- &gc.refClassNonCasDemands,
- &gc.refMethodCasDemands,
- &gc.refMethodNonCasDemands);
-
- if (gc.refClassCasDemands != NULL || gc.refMethodCasDemands != NULL)
- {
- reason |= LinktimeCheckReason_CasDemand;
-
- if (pClassCasDemands != NULL)
- {
- *pClassCasDemands = gc.refClassCasDemands;
- }
- if (pMethodCasDemands != NULL)
- {
- *pMethodCasDemands = gc.refMethodCasDemands;
- }
- }
-
- if (gc.refClassNonCasDemands != NULL || gc.refMethodNonCasDemands != NULL)
- {
- reason |= LinktimeCheckReason_NonCasDemand;
-
- if (pClassNonCasDemands != NULL)
- {
- *pClassNonCasDemands = gc.refClassNonCasDemands;
- }
-
- if (pMethodNonCasDemands != NULL)
- {
- *pMethodNonCasDemands = gc.refMethodNonCasDemands;
- }
-
- }
-
- GCPROTECT_END();
-
- //
- // Check to see if the target of the method is unmanaged code
- //
- // We detect linktime checks for UnmanagedCode in three cases:
- // o P/Invoke calls.
- // o Calls through an interface that have a suppress runtime check attribute on them (these are almost
- // certainly interop calls).
- // o Interop calls made through method impls.
- //
-
- if (pMD->IsNDirect())
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
-#ifdef FEATURE_COMINTEROP
- else if (pMD->IsComPlusCall() && !pMD->IsInterface())
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
- else if (pMD->IsInterface())
- {
- // We also consider calls to interfaces that contain the SuppressUnmanagedCodeSecurity attribute to
- // be COM calls, so check for those.
- bool fSuppressUnmanagedCheck =
- pMD->GetMDImport()->GetCustomAttributeByName(pMD->GetMethodTable()->GetCl(),
- COR_SUPPRESS_UNMANAGED_CODE_CHECK_ATTRIBUTE_ANSI,
- NULL,
- NULL) == S_OK ||
- pMD->GetMDImport()->GetCustomAttributeByName(pMD->GetMemberDef(),
- COR_SUPPRESS_UNMANAGED_CODE_CHECK_ATTRIBUTE_ANSI,
- NULL,
- NULL) == S_OK;
- if (fSuppressUnmanagedCheck)
- {
- reason |= LinktimeCheckReason_NativeCodeCall;
- }
- }
-#endif // FEATURE_COMINTEROP
-
- return reason;
-}
-
-
-#endif // CROSSGEN_COMPILE
diff --git a/src/vm/securitydeclarative.h b/src/vm/securitydeclarative.h
deleted file mode 100644
index 9874148326..0000000000
--- a/src/vm/securitydeclarative.h
+++ /dev/null
@@ -1,172 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDECLARATIVE_H__
-#define __SECURITYDECLARATIVE_H__
-
-class SecurityStackWalk;
-class MethodSecurityDescriptor;
-class TokenSecurityDescriptor;
-struct TokenDeclActionInfo;
-class TypeSecurityDescriptor;
-class PsetCacheEntry;
-
-// Reasons why a method may have been flagged as requiring a LinkDemand
-enum LinktimeCheckReason
-{
- LinktimeCheckReason_None = 0x00000000, // The method does not require a LinkDemand
- LinktimeCheckReason_CasDemand = 0x00000001, // The method has CAS LinkDemands
- LinktimeCheckReason_NonCasDemand = 0x00000002, // The method has non-CAS LinkDemands
- LinktimeCheckReason_AptcaCheck = 0x00000004, // The method is a member of a non-APTCA assembly that requires its caller to be trusted
- LinktimeCheckReason_NativeCodeCall = 0x00000008 // The method may represent a call to native code
-};
-
-struct DeclActionInfo
-{
- DWORD dwDeclAction; // This'll tell InvokeDeclarativeSecurity whats the action needed
- PsetCacheEntry *pPCE; // The cached permissionset on which to demand/assert/deny/blah
- DeclActionInfo *pNext; // Next declarative action needed on this method, if any.
-
- static DeclActionInfo *Init(MethodDesc *pMD, DWORD dwAction, PsetCacheEntry *pPCE);
-};
-
-inline LinktimeCheckReason operator|(LinktimeCheckReason lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator|=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator&(LinktimeCheckReason lhs, LinktimeCheckReason rhs);
-inline LinktimeCheckReason operator&=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs);
-
-namespace SecurityDeclarative
-{
- // Perform the declarative actions
- // Callers:
- // DoDeclarativeSecurity
- void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
- void DoDeclarativeStackModifiers(MethodDesc *pMeth, AppDomain* pAppDomain, LPVOID pSecObj);
- void DoDeclarativeStackModifiersInternal(MethodDesc *pMeth, LPVOID pSecObj);
- void EnsureAssertAllowed(MethodDesc *pMeth, MethodSecurityDescriptor* pMSD); // throws exception if assert is not allowed for MethodDesc
- // Determine which declarative SecurityActions are used on this type and return a
- // DWORD of flags to represent the results
- // Callers:
- // MethodTableBuilder::CreateClass
- // MethodTableBuilder::EnumerateClassMembers
- // MethodDesc::GetSecurityFlags
- HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
-
- // Query the metadata to get all LinkDemands on this method (and it's class)
- // Callers:
- // CanAccess (ReflectionInvocation)
- // ReflectionInvocation::GetSpecialSecurityFlags
- // RuntimeMethodHandle::InvokeMethod_Internal
- // Security::CheckLinkDemandAgainstAppDomain
- void RetrieveLinktimeDemands(MethodDesc* pMD,
- OBJECTREF* pClassCas,
- OBJECTREF* pClassNonCas,
- OBJECTREF* pMethodCas,
- OBJECTREF* pMethodNonCas);
-
- // Determine why the method is marked as requiring a linktime check, optionally returning the declared
- // CAS link demands on the method itself.
- LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
- OBJECTREF *pClassCasDemands,
- OBJECTREF *pClassNonCasDemands,
- OBJECTREF *pMethodCasDemands,
- OBJECTREF *pMethodNonCasDemands);
-
- // Used by interop to simulate the effect of link demands when the caller is
- // in fact script constrained by an appdomain setup by IE.
- // Callers:
- // DispatchInfo::InvokeMember
- // COMToCLRWorkerBody (COMToCLRCall)
- void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD);
-
- // Perform a LinkDemand
- // Callers:
- // COMCustomAttribute::CreateCAObject
- // CheckMethodAccess
- // InvokeUtil::CheckLinktimeDemand
- // CEEInfo::findMethod
- // RuntimeMethodHandle::InvokeMethod_Internal
- void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
-
- // Perform inheritance link demand
- // Called by:
- // MethodTableBuilder::ConvertLinkDemandToInheritanceDemand
- void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);
-
- // Perform an InheritanceDemand against the target assembly
- void InheritanceDemand(Assembly *pTargetAssembly, OBJECTREF refDemand);
-
- // Perform a FullTrust InheritanceDemand against the target assembly
- void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
-
- // Perform a FullTrust LinkDemand against the target assembly
- void FullTrustLinkDemand(Assembly *pTargetAssembly);
-
- // Do InheritanceDemands on the type
- // Called by:
- // MethodTableBuilder::VerifyInheritanceSecurity
- void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
-
- // Do InheritanceDemands on the Method
- // Callers:
- // MethodTableBuilder::VerifyInheritanceSecurity
- void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
-
- // Returns a managed instance of a well-known PermissionSet
- // Callers:
- // COMCodeAccessSecurityEngine::SpecialDemand
- // ReflectionSerialization::GetSafeUninitializedObject
- inline void GetPermissionInstance(OBJECTREF *perm, int index);
-
- inline BOOL FullTrustCheckForLinkOrInheritanceDemand(Assembly *pAssembly);
-
-
-
-#ifndef DACCESS_COMPILE
- // Calls PermissionSet.Demand
- // Callers:
- // CanAccess (ReflectionInvocation)
- // Security::CheckLinkDemandAgainstAppDomain
- void CheckNonCasDemand(OBJECTREF *prefDemand);
-#endif // #ifndef DACCESS_COMPILE
-
- // Returns TRUE if the method is visible outside its assembly
- // Callers:
- // MethodTableBuilder::SetSecurityFlagsOnMethod
- inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
- inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);
-
- BOOL TokenMightHaveDeclarations(IMDInternalImport *pInternalImport, mdToken token, CorDeclSecurity action);
- DeclActionInfo *DetectDeclActions(MethodDesc *pMeth, DWORD dwDeclFlags);
- void DetectDeclActionsOnToken(mdToken tk, DWORD dwDeclFlags, PsetCacheEntry** pSets, IMDInternalImport *pInternalImport);
- void InvokeLinktimeChecks(Assembly *pCaller,
- Module *pModule,
- mdToken token);
-
- inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr);
-
- inline BOOL ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass);
-
-
- // Add a declarative action and PermissionSet index to the linked list
- void AddDeclAction(CorDeclSecurity action, PsetCacheEntry *pClassPCE, PsetCacheEntry *pMethodPCE, DeclActionInfo** ppActionList, MethodDesc *pMeth);
-
- // Helper for DoDeclarativeActions
- void InvokeDeclarativeActions(MethodDesc *pMeth, DeclActionInfo *pActions, MethodSecurityDescriptor *pMSD);
- void InvokeDeclarativeStackModifiers (MethodDesc *pMeth, DeclActionInfo *pActions, OBJECTREF * pSecObj);
-
- bool BlobMightContainNonCasPermission(PBYTE pbPerm, ULONG cbPerm, DWORD dwAction, bool* pHostProtectionOnly);
-
-// Delayed Declarative Security processing
-#ifndef DACCESS_COMPILE
- inline void DoDeclarativeSecurityAtStackWalk(MethodDesc* pFunc, AppDomain* pAppDomain, OBJECTREF* pFrameObjectSlot);
-#endif
-}
-
-#endif // __SECURITYDECLARATIVE_H__
-
diff --git a/src/vm/securitydeclarative.inl b/src/vm/securitydeclarative.inl
deleted file mode 100644
index 1d14c9886f..0000000000
--- a/src/vm/securitydeclarative.inl
+++ /dev/null
@@ -1,128 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDECLARATIVE_INL__
-#define __SECURITYDECLARATIVE_INL__
-
-#include "security.h"
-
-inline LinktimeCheckReason operator|(LinktimeCheckReason lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<LinktimeCheckReason>(static_cast<DWORD>(lhs) | static_cast<DWORD>(rhs));
-}
-
-inline LinktimeCheckReason operator|=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = lhs | rhs;
- return lhs;
-}
-
-inline LinktimeCheckReason operator&(LinktimeCheckReason lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<LinktimeCheckReason>(static_cast<DWORD>(lhs) & static_cast<DWORD>(rhs));
-}
-
-
-inline LinktimeCheckReason operator&=(LinktimeCheckReason &lhs, LinktimeCheckReason rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = lhs & rhs;
- return lhs;
-}
-
-inline BOOL SecurityDeclarative::FullTrustCheckForLinkOrInheritanceDemand(Assembly *pAssembly)
-{
- WRAPPER_NO_CONTRACT;
-#ifndef DACCESS_COMPILE
- IAssemblySecurityDescriptor* pSecDesc = pAssembly->GetSecurityDescriptor();
- if (pSecDesc->IsSystem())
- return TRUE;
-
- if (pSecDesc->IsFullyTrusted())
- return TRUE;
-#endif
- return FALSE;
-
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr)
-{
- LIMITED_METHOD_CONTRACT;
- return ( IsMdPublic(dwMethodAttr) ||
- IsMdFamORAssem(dwMethodAttr)||
- IsMdFamily(dwMethodAttr) );
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(
- MethodDesc * pMD)
-{
- LIMITED_METHOD_CONTRACT;
-
- MethodTable * pMT = pMD->GetMethodTable();
-
- if (!ClassIsVisibleOutsideItsAssembly(pMT->GetAttrClass(), pMT->IsGlobalClass()))
- return FALSE;
-
- return MethodIsVisibleOutsideItsAssembly(pMD->GetAttrs());
-}
-
-inline BOOL SecurityDeclarative::MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass)
-{
- LIMITED_METHOD_CONTRACT;
-
- if (!ClassIsVisibleOutsideItsAssembly(dwClassAttr, fIsGlobalClass))
- return FALSE;
-
- return MethodIsVisibleOutsideItsAssembly(dwMethodAttr);
-}
-
-inline BOOL SecurityDeclarative::ClassIsVisibleOutsideItsAssembly(DWORD dwClassAttr, BOOL fIsGlobalClass)
-{
- LIMITED_METHOD_CONTRACT;
-
- if (fIsGlobalClass)
- {
- return TRUE;
- }
-
- return ( IsTdPublic(dwClassAttr) ||
- IsTdNestedPublic(dwClassAttr)||
- IsTdNestedFamily(dwClassAttr)||
- IsTdNestedFamORAssem(dwClassAttr));
-}
-
-#ifndef DACCESS_COMPILE
-inline void SecurityDeclarative::DoDeclarativeSecurityAtStackWalk(MethodDesc* pFunc, AppDomain* pAppDomain, OBJECTREF* pFrameObjectSlot)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
-
- BOOL hasDeclarativeStackModifier = (pFunc->IsInterceptedForDeclSecurity() && !pFunc->IsInterceptedForDeclSecurityCASDemandsOnly());
- if (hasDeclarativeStackModifier)
- {
-
- _ASSERTE(pFrameObjectSlot != NULL);
- if (*pFrameObjectSlot == NULL || !( ((FRAMESECDESCREF)(*pFrameObjectSlot))->IsDeclSecComputed()) )
- {
- // Populate the FSD with declarative assert/deny/PO
- SecurityDeclarative::DoDeclarativeStackModifiers(pFunc, pAppDomain, pFrameObjectSlot);
- }
- }
-}
-#endif
-
-
-
-#endif // __SECURITYDECLARATIVE_INL__
diff --git a/src/vm/securitydeclarativecache.cpp b/src/vm/securitydeclarativecache.cpp
deleted file mode 100644
index 202c016459..0000000000
--- a/src/vm/securitydeclarativecache.cpp
+++ /dev/null
@@ -1,298 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-#include "appdomain.inl"
-#include "security.h"
-#include "field.h"
-#include "comcallablewrapper.h"
-#include "typeparse.h"
-
-
-//
-//----------------------------------------------------
-//
-//Brief design overview:
-//
-//Essentially we moved away from the old scheme of a per-process hash table for blob->index mapping,
-//and a growable per appdomain array containing the managed objects. The new scheme has a per
-//appdomain hash that does memory allocs from the appdomain heap. The hash table maps the metadata
-//blob to a data structure called PsetCacheEntry. PsetCacheEntry has the metadata blob and a handle
-//to the managed pset object. It is the central place where caching/creation of the managed pset
-//objects happen. Essentially whenever we see a new decl security blob, we insert it into the
-//appdomain hash (if it's not already there). The object is lazily created as needed (we let
-//threads race for object creation).
-//
-//----------------------------------------------------
-//
-
-BOOL PsetCacheKey::IsEquiv(PsetCacheKey *pOther)
-{
- WRAPPER_NO_CONTRACT;
- if (m_cbPset != pOther->m_cbPset || !m_pbPset || !pOther->m_pbPset)
- return FALSE;
- return memcmp(m_pbPset, pOther->m_pbPset, m_cbPset) == 0;
-}
-
-DWORD PsetCacheKey::Hash()
-{
- LIMITED_METHOD_CONTRACT;
- DWORD dwHash = 0;
- for (DWORD i = 0; i < (m_cbPset / sizeof(DWORD)); i++)
- dwHash ^= GET_UNALIGNED_VAL32(&((DWORD*)m_pbPset)[i]);
- return dwHash;
-}
-
-void PsetCacheEntry::Init (PsetCacheKey *pKey, AppDomain *pDomain)
-{
- CONTRACTL
- {
- GC_NOTRIGGER;
- THROWS; // From CreateHandle()
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- m_pKey = pKey;
- m_eCanUnrestrictedOverride = CUO_DontKnow;
- m_fEmptyPermissionSet = false;
-#ifndef CROSSGEN_COMPILE
- m_handle = pDomain->CreateHandle(NULL);
-#endif // CROSSGEN_COMPILE
-}
-
-#ifndef CROSSGEN_COMPILE
-OBJECTREF PsetCacheEntry::CreateManagedPsetObject(DWORD dwAction, bool createEmptySet /* = false */)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- } CONTRACTL_END;
-
- return NULL;
-}
-#endif // CROSSGEN_COMPILE
-
-bool PsetCacheEntry::ContainsBuiltinCASPermsOnly (DWORD dwAction)
-{
-
- if (m_eCanUnrestrictedOverride == CUO_Yes) {
- return true;
- }
-
- if (m_eCanUnrestrictedOverride == CUO_No) {
- return false;
- }
-
- bool bRet = ContainsBuiltinCASPermsOnlyInternal(dwAction);
-
- //
- // Cache the results.
- //
-
- if(bRet) {
- m_eCanUnrestrictedOverride = CUO_Yes;
- } else {
- m_eCanUnrestrictedOverride = CUO_No;
- }
-
- return bRet;
-}
-
-bool PsetCacheEntry::ContainsBuiltinCASPermsOnlyInternal(DWORD dwAction)
-{
- //
- // Deserialize the CORSEC_ATTRSET
- //
-
- CORSEC_ATTRSET attrSet;
- HRESULT hr = BlobToAttributeSet(m_pKey->m_pbPset, m_pKey->m_cbPset, &attrSet, dwAction);
-
- if(FAILED(hr)) {
- COMPlusThrowHR(hr);
- }
-
- if (hr == S_FALSE) {
- //
- // BlobToAttributeSet didn't work as expected - bail out early
- //
- return FALSE;
- }
-
- // Check the attributes
- return SecurityAttributes::ContainsBuiltinCASPermsOnly(&attrSet);
-}
-
-void SecurityDeclarativeCache::Init(LoaderHeap *pHeap)
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- _ASSERTE (pHeap);
-
- m_pHeap = pHeap;
-
- m_pCachedPsetsHash = new EEPsetHashTable;
-
- m_prCachedPsetsLock = new SimpleRWLock (COOPERATIVE_OR_PREEMPTIVE,
- LOCK_TYPE_DEFAULT);
-
- if (!m_pCachedPsetsHash->Init(19, &g_lockTrustMeIAmThreadSafe, m_pHeap)) {
- ThrowOutOfMemory();
- }
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::CreateAndCachePset(
- IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheEntry *pPCE;
- LoaderHeap *pHeap;
- SimpleWriteLockHolder writeLockHolder(m_prCachedPsetsLock);
-
- //
- // Check for Duplicates.
- //
-
- pPCE = GetCachedPsetWithoutLocks (pbAttrBlob, cbAttrBlob);
- if (pPCE) {
- return pPCE;
- }
-
- AppDomain *pDomain;
- PsetCacheKey *pKey;
- HashDatum datum;
-
- //
- // Buffer permission set blob (it might go away if the metadata scope it
- // came from is closed).
- //
-
- pDomain = GetAppDomain ();
- pHeap = pDomain->GetLowFrequencyHeap ();
-
- pKey = (PsetCacheKey*) ((void*) pHeap->AllocMem ((S_SIZE_T)sizeof(PsetCacheKey)));
-
- pKey->Init (pbAttrBlob, cbAttrBlob, TRUE, pHeap);
-
-
-
- pPCE = (PsetCacheEntry*)
- ((void*) pHeap->AllocMem ((S_SIZE_T)sizeof(PsetCacheEntry)));
-
- pPCE->Init (pKey, pDomain);
-
- datum = reinterpret_cast<HashDatum>(pPCE);
- m_pCachedPsetsHash->InsertValue (pKey, datum);
-
- return pPCE;
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::GetCachedPset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheEntry *pPCE;
- SimpleReadLockHolder readLockHolder(m_prCachedPsetsLock);
-
- pPCE = GetCachedPsetWithoutLocks(pbAttrBlob, cbAttrBlob);
- return pPCE;
-}
-
-PsetCacheEntry* SecurityDeclarativeCache::GetCachedPsetWithoutLocks(
- IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- )
-{
- CONTRACTL {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- } CONTRACTL_END;
-
- PsetCacheKey sKey;
- PsetCacheEntry *pPCE;
- BOOL found;
- HashDatum datum;
-
- sKey.Init (pbAttrBlob, cbAttrBlob, FALSE, NULL);
-
- found = m_pCachedPsetsHash->GetValue(&sKey, &datum);
-
- if (found) {
- pPCE = reinterpret_cast<PsetCacheEntry*>(datum);
- return pPCE;
- } else {
- return NULL;
- }
-}
-
-SecurityDeclarativeCache::~SecurityDeclarativeCache()
-{
- WRAPPER_NO_CONTRACT;
-
- // Destroy the hash table even if entries are allocated from
- // appdomain heap: the hash table may have used non heap memory for internal data structures
- if (m_pCachedPsetsHash)
- {
- delete m_pCachedPsetsHash;
- }
-
- if (m_prCachedPsetsLock)
- {
- delete m_prCachedPsetsLock;
- }
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/src/vm/securitydeclarativecache.h b/src/vm/securitydeclarativecache.h
deleted file mode 100644
index bbd76c1257..0000000000
--- a/src/vm/securitydeclarativecache.h
+++ /dev/null
@@ -1,138 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SecurityDecarativeCache_h__
-#define __SecurityDecarativeCache_h__
-
-struct PsetCacheKey
-{
-public:
- PBYTE m_pbPset;
- DWORD m_cbPset;
- BOOL m_bCopyArray;
-
- void Init (PBYTE pbPset, DWORD cbPset, BOOL CopyArray, LoaderHeap *pHeap)
- {
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- m_cbPset = cbPset;
-
- if (CopyArray) {
- m_pbPset = (PBYTE) ((void*)pHeap->AllocMem((S_SIZE_T)(cbPset * sizeof(BYTE)))) ;
- memcpy (m_pbPset, pbPset, cbPset);
- } else {
- m_pbPset = pbPset;
- }
- }
-
- BOOL IsEquiv(PsetCacheKey *pOther);
- DWORD Hash();
-};
-
-//
-// Records a serialized permission set we've seen and decoded.
-//
-
-enum CanUnrestrictedOverride
-{
- CUO_DontKnow = 0,
- CUO_Yes = 1,
- CUO_No = 2,
-};
-
-class PsetCacheEntry
-{
-private:
- PsetCacheKey* m_pKey;
- OBJECTHANDLE m_handle;
- BYTE m_eCanUnrestrictedOverride;
- bool m_fEmptyPermissionSet;
-
- bool ContainsBuiltinCASPermsOnlyInternal(DWORD dwAction);
-
-public:
-
- void Init(PsetCacheKey* pKey, AppDomain* pDomain);
-
- OBJECTREF CreateManagedPsetObject(DWORD dwAction, bool createEmptySet = false);
-
- OBJECTREF GetManagedPsetObject()
- {
- WRAPPER_NO_CONTRACT;
- return ObjectFromHandle(m_handle);
- }
-
- bool ContainsBuiltinCASPermsOnly (DWORD dwAction);
- PsetCacheEntry() {m_pKey = NULL;}
- ~PsetCacheEntry()
- {
- if (m_pKey) {
- delete m_pKey;
- }
- }
-};
-
-
-
-class SecurityDeclarativeCache {
-
-private:
- EEPsetHashTable* m_pCachedPsetsHash;
- SimpleRWLock* m_prCachedPsetsLock;
- LoaderHeap* m_pHeap;
-
- PsetCacheEntry* GetCachedPsetWithoutLocks(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
-public:
- void Init(LoaderHeap *pHeap);
-
- SecurityDeclarativeCache() :
- m_pCachedPsetsHash(NULL),
- m_prCachedPsetsLock(NULL),
- m_pHeap(NULL)
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- ~SecurityDeclarativeCache();
-
- PsetCacheEntry* CreateAndCachePset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
- PsetCacheEntry* GetCachedPset(IN PBYTE pbAttrBlob,
- IN DWORD cbAttrBlob
- );
-
-
-};
-
-#endif
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/src/vm/securitydescriptor.cpp b/src/vm/securitydescriptor.cpp
deleted file mode 100644
index 2ff1823bb5..0000000000
--- a/src/vm/securitydescriptor.cpp
+++ /dev/null
@@ -1,138 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-
-#include "security.h"
-#include "eventtrace.h"
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// |
-// +----[PEFileSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-
-BOOL SecurityDescriptor::CanCallUnmanagedCode () const
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << SECURITY_UNMANAGED_CODE);
-}
-
-#ifndef DACCESS_COMPILE
-
-OBJECTREF SecurityDescriptor::GetGrantedPermissionSet(OBJECTREF* pRefusedPermissions)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
-#ifndef CROSSGEN_COMPILE
- if (pRefusedPermissions)
- *pRefusedPermissions = ObjectFromLazyHandle(m_hGrantDeniedPermissionSet, m_pLoaderAllocator);
- return ObjectFromLazyHandle(m_hGrantedPermissionSet, m_pLoaderAllocator);
-#else
- return NULL;
-#endif
-}
-
-//
-// Returns TRUE if the given zone has the given special permission.
-//
-
-#endif // DACCESS_COMPILE
-
-
-//
-// This method will return TRUE if this object is fully trusted.
-//
-
-BOOL SecurityDescriptor::IsFullyTrusted ()
-{
- CONTRACTL {
- NOTHROW;
- GC_NOTRIGGER;
- MODE_ANY;
- SUPPORTS_DAC;
- SO_TOLERANT;
- PRECONDITION(IsResolved() || m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress());
- } CONTRACTL_END;
-
- return CheckSpecialFlag(1 << SECURITY_FULL_TRUST);
-}
-
-BOOL SecurityDescriptor::IsResolved() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fSDResolved;
-}
-
-DWORD SecurityDescriptor::GetSpecialFlags() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwSpecialFlags;
-}
-
-#ifndef DACCESS_COMPILE
-void SecurityDescriptor::SetGrantedPermissionSet(OBJECTREF GrantedPermissionSet,
- OBJECTREF DeniedPermissionSet,
- DWORD dwSpecialFlags)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
-#ifndef CROSSGEN_COMPILE
- GCPROTECT_BEGIN(DeniedPermissionSet);
- StoreObjectInLazyHandle(m_hGrantedPermissionSet, GrantedPermissionSet, m_pLoaderAllocator);
- StoreObjectInLazyHandle(m_hGrantDeniedPermissionSet, DeniedPermissionSet, m_pLoaderAllocator);
- GCPROTECT_END();
-#endif
-
- if (dwSpecialFlags & (1 << SECURITY_FULL_TRUST))
- {
- m_dwSpecialFlags = 0xFFFFFFFF; // Fulltrust means that all possible quick checks should succeed, so we set all flags
- }
- else
- {
- m_dwSpecialFlags = dwSpecialFlags;
- }
-
- m_fSDResolved = TRUE;
-}
-
-
-#endif // !DACCESS_COMPILE
-
-AppDomain* SecurityDescriptor::GetDomain() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_pAppDomain;
-}
-
-#ifndef DACCESS_COMPILE
-
-
-
-#endif // !DACCESS_COMPILE
diff --git a/src/vm/securitydescriptor.h b/src/vm/securitydescriptor.h
deleted file mode 100644
index eb1c287b4b..0000000000
--- a/src/vm/securitydescriptor.h
+++ /dev/null
@@ -1,153 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_H__
-#define __SECURITYDESCRIPTOR_H__
-
-#include "securityattributes.h"
-#include "securitypolicy.h"
-
-class ISecurityDescriptor;
-class IPEFileSecurityDescriptor;
-
-// Security flags for the objects that store security information
-#define CORSEC_ASSERTED 0x000020 // Asseted permission set present on frame
-#define CORSEC_DENIED 0x000040 // Denied permission set present on frame
-#define CORSEC_REDUCED 0x000080 // Reduced permission set present on frame
-
-// Inline Functions to support lazy handles - read/write to handle that may not have been created yet
-// SecurityDescriptor and ApplicationSecurityDescriptor currently use these
-inline OBJECTREF ObjectFromLazyHandle(LOADERHANDLE handle, LoaderAllocator* la);
-
-#ifndef DACCESS_COMPILE
-
-inline void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la);
-
-
-#endif // #ifndef DACCESS_COMPILE
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// +----[PEFileSecurityDescriptor]
-// |
-// +----[ApplicationSecurityDescriptor]
-// |
-// +----[AssemblySecurityDescriptor]
-//
-// [SharedSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-//
-// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects.
-// AppDomain and Assembly could be from different zones.
-// Security Descriptor could also be placed on a native frame.
-//
-///////////////////////////////////////////////////////////////////////////////
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// SecurityDescriptor is the base class for all security descriptors.
-// Extend this class to implement SecurityDescriptors for Assemblies and
-// AppDomains.
-//
-// WARNING : Do not add virtual methods to this class! Doing so results
-// in derived classes such as AssemblySecurityDescriptor having two v-table
-// pointers, which the DAC doesn't support.
-//
-///////////////////////////////////////////////////////////////////////////////
-
-class SecurityDescriptor
-{
-protected:
-
- // The unmanaged DomainAssembly object
- DomainAssembly *m_pAssem;
-
- // The PEFile associated with the DomainAssembly
- PEFile *m_pPEFile;
-
- // The AppDomain context
- AppDomain* m_pAppDomain;
-
- BOOL m_fSDResolved;
-
- DWORD m_dwSpecialFlags;
- LoaderAllocator *m_pLoaderAllocator;
-
-private:
-#ifndef CROSSGEN_COMPILE
- LOADERHANDLE m_hGrantedPermissionSet; // Granted Permission
- LOADERHANDLE m_hGrantDeniedPermissionSet;// Specifically Denied Permissions
-#endif // CROSSGEN_COMPILE
-
-public:
- BOOL IsFullyTrusted();
- DWORD GetSpecialFlags() const;
-
- AppDomain* GetDomain() const;
- BOOL CanCallUnmanagedCode() const;
-
-
-#ifndef DACCESS_COMPILE
- void SetGrantedPermissionSet(OBJECTREF GrantedPermissionSet,
- OBJECTREF DeniedPermissionSet,
- DWORD dwSpecialFlags);
- OBJECTREF GetGrantedPermissionSet(OBJECTREF* pRefusedPermissions = NULL);
-#endif // DACCESS_COMPILE
-
- BOOL IsResolved() const;
-
- // Checks for one of the special security flags such as FullTrust or UnmanagedCode
- FORCEINLINE BOOL CheckSpecialFlag (DWORD flags) const;
-
- // Used to locate the assembly
- inline PEFile *GetPEFile() const;
-
-protected:
- //--------------------
- // Constructor
- //--------------------
-#ifndef DACCESS_COMPILE
- inline SecurityDescriptor(AppDomain *pAppDomain, DomainAssembly *pAssembly, PEFile* pPEFile, LoaderAllocator *pLoaderAllocator);
-#ifdef FEATURE_PAL
- SecurityDescriptor() {}
-#endif // FEATURE_PAL
-#endif // !DACCESS_COMPILE
-};
-
-template<typename IT>
-class SecurityDescriptorBase : public IT, public SecurityDescriptor
-{
-public:
- VPTR_ABSTRACT_VTABLE_CLASS(SecurityDescriptorBase, IT) // needed for the DAC
-
- inline SecurityDescriptorBase(AppDomain *pAppDomain, DomainAssembly *pAssembly, PEFile* pPEFile, LoaderAllocator *pLoaderAllocator);
-
-public:
- virtual BOOL IsFullyTrusted() { return SecurityDescriptor::IsFullyTrusted(); }
- virtual BOOL CanCallUnmanagedCode() const { return SecurityDescriptor::CanCallUnmanagedCode(); }
- virtual DWORD GetSpecialFlags() const { return SecurityDescriptor::GetSpecialFlags(); }
-
- virtual AppDomain* GetDomain() const { return SecurityDescriptor::GetDomain(); }
-
- virtual BOOL IsResolved() const { return SecurityDescriptor::IsResolved(); }
-
-
-#ifndef DACCESS_COMPILE
- virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) { return SecurityDescriptor::GetGrantedPermissionSet(RefusedPermissions); }
-#endif
-};
-
-
-#include "securitydescriptor.inl"
-
-#endif // #define __SECURITYDESCRIPTOR_H__
-
diff --git a/src/vm/securitydescriptor.inl b/src/vm/securitydescriptor.inl
deleted file mode 100644
index f894831db6..0000000000
--- a/src/vm/securitydescriptor.inl
+++ /dev/null
@@ -1,84 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_INL__
-#define __SECURITYDESCRIPTOR_INL__
-
-// Inline Functions to support lazy handles - read/write to handle that may not have been created yet
-// SecurityDescriptor and ApplicationSecurityDescriptor currently use these
-inline OBJECTREF ObjectFromLazyHandle(LOADERHANDLE handle, LoaderAllocator *pLoaderAllocator)
-{
- CONTRACTL
- {
- NOTHROW;
- GC_NOTRIGGER;
- SO_TOLERANT;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- if (handle != NULL)
- {
- return pLoaderAllocator->GetHandleValue(handle);
- }
- else
- {
- return NULL;
- }
-}
-
-#ifndef DACCESS_COMPILE
-
-inline SecurityDescriptor::SecurityDescriptor(AppDomain *pAppDomain,
- DomainAssembly *pAssembly,
- PEFile* pPEFile,
- LoaderAllocator *pLoaderAllocator) :
- m_pAssem(pAssembly),
- m_pPEFile(pPEFile),
- m_pAppDomain(pAppDomain),
- m_fSDResolved(FALSE),
- m_dwSpecialFlags(0),
- m_pLoaderAllocator(pLoaderAllocator)
-#ifndef CROSSGEN_COMPILE
- , m_hGrantedPermissionSet(NULL),
- m_hGrantDeniedPermissionSet(NULL)
-#endif // CROSSGEN_COMPILE
-{
- LIMITED_METHOD_CONTRACT;
-}
-#endif // !DACCESS_COMPILE
-
-
-// Checks for one of the special security flags such as FullTrust or UnmanagedCode
-FORCEINLINE BOOL SecurityDescriptor::CheckSpecialFlag (DWORD flags) const
-{
- LIMITED_METHOD_CONTRACT;
- SUPPORTS_DAC;
-
- return (m_dwSpecialFlags & flags);
-}
-
-inline PEFile *SecurityDescriptor::GetPEFile() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_pPEFile;
-}
-
-#ifndef DACCESS_COMPILE
-template<typename IT>
-inline SecurityDescriptorBase<IT>::SecurityDescriptorBase(AppDomain *pAppDomain,
- DomainAssembly *pAssembly,
- PEFile* pPEFile,
- LoaderAllocator *pLoaderAllocator) :
- SecurityDescriptor(pAppDomain, pAssembly, pPEFile, pLoaderAllocator)
-{
-}
-#endif // !DACCESS_COMPILE
-
-
-#endif // #define __SECURITYDESCRIPTOR_INL__
diff --git a/src/vm/securitydescriptorappdomain.cpp b/src/vm/securitydescriptorappdomain.cpp
deleted file mode 100644
index 173b4c83e1..0000000000
--- a/src/vm/securitydescriptorappdomain.cpp
+++ /dev/null
@@ -1,219 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#include "common.h"
-#include "security.h"
-#include "callhelpers.h"
-
-#ifndef DACCESS_COMPILE
-
-void ApplicationSecurityDescriptor::Resolve()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- INJECT_FAULT(COMPlusThrowOM(););
- SO_TOLERANT;
- } CONTRACTL_END;
-
- if (IsResolved())
- return;
-
- SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
-}
-
-#ifndef CROSSGEN_COMPILE
-//---------------------------------------------------------------------------------------
-//
-// Determine the security state of an AppDomain before the domain is fully configured.
-// This method is used to detect the input configuration of a domain - specifically, if it
-// is homogenous and fully trusted before domain setup is completed.
-//
-// Note that this state may not reflect the final state of the AppDomain when it is
-// configured, since components like the AppDomainManager can modify these bits during execution.
-//
-
-void ApplicationSecurityDescriptor::PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous)
-{
- CONTRACTL
- {
- GC_TRIGGERS;
- THROWS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pfIsFullyTrusted));
- PRECONDITION(CheckPointer(pfIsHomogeneous));
- PRECONDITION(IsInitializationInProgress()); // We shouldn't be looking at the pre-resolved state if we've already done real resolution
- }
- CONTRACTL_END;
-
- if (m_fIsPreResolved)
- {
- *pfIsFullyTrusted = m_fPreResolutionFullTrust;
- *pfIsHomogeneous = m_fPreResolutionHomogeneous;
- return;
- }
-
- GCX_COOP();
-
- // On CoreCLR all domains are partial trust homogenous
- m_fPreResolutionFullTrust = FALSE;
- m_fPreResolutionHomogeneous = TRUE;
-
- *pfIsFullyTrusted = m_fPreResolutionFullTrust;
- *pfIsHomogeneous = m_fPreResolutionHomogeneous;
- m_fIsPreResolved = TRUE;
-}
-#endif // CROSSGEN_COMPILE
-
-
-//
-// PLS (PermissionListSet) optimization Implementation
-// The idea of the PLS optimization is to maintain the intersection
-// of the grant sets of all assemblies loaded into the AppDomain (plus
-// the grant set of the AppDomain itself) and the union of all denied
-// sets. When a demand is evaluated, we first check the permission
-// that is being demanded against the combined grant and denied set
-// and if that check succeeds, then we know the demand is satisfied
-// in the AppDomain without having to perform an entire stack walk.
-//
-
-// Creates the PermissionListSet which holds the AppDomain level intersection of
-// granted and denied permission sets of all assemblies in the domain and updates
-// the granted and denied set with those of the AppDomain.
-void ApplicationSecurityDescriptor::InitializePLS()
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(IsResolved());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- m_dwDomainWideSpecialFlags = m_dwSpecialFlags;
-}
-
-// Whenever a new assembly is added to the domain, we need to update the PermissionListSet
-void ApplicationSecurityDescriptor::AddNewSecDescToPLS(AssemblySecurityDescriptor *pNewSecDescriptor)
-{
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(pNewSecDescriptor->IsResolved());
- INJECT_FAULT(COMPlusThrowOM(););
- } CONTRACTL_END;
-
- //
- // If the assembly is fully trusted, this should be a no-op as the PLS is unaffected.
- // Note it's Ok to call this method before the AppDomain is fully initialized (and so
- // before the PLS is created for the AppDomain) because we enforce that all assemblies
- // loaded during that phase are fully trusted.
- //
-
- if (!pNewSecDescriptor->IsFullyTrusted()) {
-
- LONG dwNewDomainWideSpecialFlags = 0;
- LONG dwOldDomainWideSpecialFlags = 0;
- do {
- dwOldDomainWideSpecialFlags = m_dwDomainWideSpecialFlags;
- dwNewDomainWideSpecialFlags = (dwOldDomainWideSpecialFlags & pNewSecDescriptor->GetSpecialFlags());
- }
- while (InterlockedCompareExchange((LONG*)&m_dwDomainWideSpecialFlags, dwNewDomainWideSpecialFlags, dwOldDomainWideSpecialFlags) != dwOldDomainWideSpecialFlags);
- }
-}
-
-
-DWORD ApplicationSecurityDescriptor::GetDomainWideSpecialFlag() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_dwDomainWideSpecialFlags;
-}
-
-void ApplicationSecurityDescriptor::FinishInitialization()
-{
- WRAPPER_NO_CONTRACT;
- // Resolve the AppDomain security descriptor.
- this->Resolve();
-
- // Reset the initialization in-progress flag.
- this->ResetInitializationInProgress();
-
- // Initialize the PLS with the grant set of the AppDomain
- this->InitializePLS();
-}
-
-void ApplicationSecurityDescriptor::SetHostSecurityManagerFlags(DWORD dwFlags)
-{
- LIMITED_METHOD_CONTRACT;
- m_dwHostSecurityManagerFlags |= dwFlags;
-}
-
-void ApplicationSecurityDescriptor::SetPolicyLevelFlag()
-{
- LIMITED_METHOD_CONTRACT;
- m_dwHostSecurityManagerFlags |= HOST_POLICY_LEVEL;
-}
-
-BOOL ApplicationSecurityDescriptor::IsHomogeneous() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fHomogeneous;
-}
-
-// Should the HSM be consulted for security decisions in this AppDomain.
-BOOL ApplicationSecurityDescriptor::CallHostSecurityManager()
-{
- LIMITED_METHOD_CONTRACT;
- return (m_dwHostSecurityManagerFlags & HOST_APP_DOMAIN_EVIDENCE ||
- m_dwHostSecurityManagerFlags & HOST_POLICY_LEVEL ||
- m_dwHostSecurityManagerFlags & HOST_ASM_EVIDENCE ||
- m_dwHostSecurityManagerFlags & HOST_RESOLVE_POLICY);
-}
-
-// The AppDomain is considered a default one (FT) if the property is set and it's not a homogeneous AppDomain
-BOOL ApplicationSecurityDescriptor::IsDefaultAppDomain() const
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsDefaultAppdomain
- ;
-}
-
-BOOL ApplicationSecurityDescriptor::IsDefaultAppDomainEvidence()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsDefaultAppdomainEvidence;// This need not be a default AD, but has no evidence. So we'll use the default AD evidence
-}
-
-// Indicates whether the initialization phase is in progress.
-BOOL ApplicationSecurityDescriptor::IsInitializationInProgress()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fIsInitializationInProgress;
-}
-
-BOOL ApplicationSecurityDescriptor::ContainsAnyRefusedPermissions()
-{
- LIMITED_METHOD_CONTRACT;
- return m_fContainsAnyRefusedPermissions;
-}
-
-// Is it possible for the AppDomain to contain partial trust code. This method may return true even if the
-// domain does not currently have partial trust code in it - a true value simply means that it is possible
-// for partial trust code to eventually end up in the domain.
-BOOL ApplicationSecurityDescriptor::DomainMayContainPartialTrustCode()
-{
- WRAPPER_NO_CONTRACT;
- return !m_fHomogeneous || !IsFullyTrusted();
-}
-
-
-#endif // !DACCESS_COMPILE
-
-
diff --git a/src/vm/securitydescriptorappdomain.h b/src/vm/securitydescriptorappdomain.h
deleted file mode 100644
index 3e75c4f881..0000000000
--- a/src/vm/securitydescriptorappdomain.h
+++ /dev/null
@@ -1,151 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYDESCRIPTOR_APPDOMAIN_H__
-#define __SECURITYDESCRIPTOR_APPDOMAIN_H__
-#include "security.h"
-#include "securitydescriptor.h"
-#include "securitymeta.h"
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// [SecurityDescriptor]
-// |
-// +----[PEFileSecurityDescriptor]
-// |
-// +----[ApplicationSecurityDescriptor]
-// |
-// +----[AssemblySecurityDescriptor]
-//
-// [SharedSecurityDescriptor]
-//
-///////////////////////////////////////////////////////////////////////////////
-
-//------------------------------------------------------------------
-//
-// APPDOMAIN SECURITY DESCRIPTOR
-//
-//------------------------------------------------------------------
-
-class ApplicationSecurityDescriptor : public SecurityDescriptorBase<IApplicationSecurityDescriptor>
-{
-public:
- VPTR_VTABLE_CLASS(ApplicationSecurityDescriptor, SecurityDescriptorBase<IApplicationSecurityDescriptor>)
-
-private:
- // Dependency in managed : System.Security.HostSecurityManager.cs
- enum HostSecurityManagerFlags
- {
- // Flags to control which HostSecurityManager features are provided by the host
- HOST_NONE = 0x0000,
- HOST_APP_DOMAIN_EVIDENCE = 0x0001,
- HOST_POLICY_LEVEL = 0x0002,
- HOST_ASM_EVIDENCE = 0x0004,
- HOST_DAT = 0x0008,
- HOST_RESOLVE_POLICY = 0x0010
- };
-
-
- // The bits represent the status of security checks on some specific permissions within this domain
- Volatile<DWORD> m_dwDomainWideSpecialFlags;
- // m_dwDomainWideSpecialFlags bit map
- // Bit 0 = Unmanaged Code access permission. Accessed via SECURITY_UNMANAGED_CODE
- // Bit 1 = Skip verification permission. SECURITY_SKIP_VER
- // Bit 2 = Permission to Reflect over types. REFLECTION_TYPE_INFO
- // Bit 3 = Permission to Assert. SECURITY_ASSERT
- // Bit 4 = Permission to invoke methods. REFLECTION_MEMBER_ACCESS
- // Bit 7 = PermissionSet, fulltrust SECURITY_FULL_TRUST
- // Bit 9 = UIPermission (unrestricted)
-
- BOOL m_fIsInitializationInProgress; // appdomain is in the initialization stage and is considered FullTrust by the security system.
- BOOL m_fIsDefaultAppdomain; // appdomain is the default appdomain, or created by the default appdomain without an explicit evidence
- BOOL m_fIsDefaultAppdomainEvidence; // Evidence for this AD is the same as the Default AD.
- // m_ifIsDefaultAppDomain is TRUE => m_fIsDefaultAppdomainEvidence is TRUE
- // m_fIsDefaultAppdomainEvidence can be TRUE when m_fIsDefaultAppdomain is FALSE if a homogeneous AD was
- // created without evidence (non-null PermissionSet though).
- // m_fIsDefaultAppdomainEvidence and m_fIsDefaultAppdomain are both FALSE when an explicit evidence
- // exists on the AppDomain. (In the managed world: AppDomain._SecurityIdentity != null)
- BOOL m_fHomogeneous; // This AppDomain has an ApplicationTrust
- BOOL m_fRuntimeSuppliedHomogenousGrantSet; // This AppDomain is homogenous only because the v4 CLR defaults to creating homogenous domains, and would not have been homogenous in v2
- DWORD m_dwHostSecurityManagerFlags; // Flags indicating what decisions the host wants to participate in.
- BOOL m_fContainsAnyRefusedPermissions;
-
- BOOL m_fIsPreResolved; // Have we done a pre-resolve on this domain yet
- BOOL m_fPreResolutionFullTrust; // Was the domain pre-resolved to be full trust
- BOOL m_fPreResolutionHomogeneous; // Was the domain pre-resolved to be homogenous
-
-
-#ifndef DACCESS_COMPILE
-public:
- //--------------------
- // Constructor
- //--------------------
- inline ApplicationSecurityDescriptor(AppDomain *pAppDomain);
-
- //--------------------
- // Destructor
- //--------------------
-
-public:
- // Indicates whether the initialization phase is in progress.
- virtual BOOL IsInitializationInProgress();
- inline void ResetInitializationInProgress();
-
- // The AppDomain is considered a default one (FT) if the property is
- // set and it's not a homogeneous AppDomain (ClickOnce case for example).
- virtual BOOL IsDefaultAppDomain() const;
- inline void SetDefaultAppDomain();
-
- virtual BOOL IsDefaultAppDomainEvidence();
- inline void SetDefaultAppDomainEvidence();
-
- virtual VOID Resolve();
-
- void ResolveWorker();
-
- virtual void FinishInitialization();
-
- virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous);
-
- virtual void SetHostSecurityManagerFlags(DWORD dwFlags);
- virtual void SetPolicyLevelFlag();
-
- inline void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet);
- virtual BOOL IsHomogeneous() const;
-
-
- virtual BOOL ContainsAnyRefusedPermissions();
-
- // Should the HSM be consulted for security decisions in this AppDomain.
- virtual BOOL CallHostSecurityManager();
-
-
- // Initialize the PLS on the AppDomain.
- void InitializePLS();
-
- // Called everytime an AssemblySecurityDescriptor is resolved.
- void AddNewSecDescToPLS(AssemblySecurityDescriptor *pNewSecDescriptor);
-
-
- // Checks for one of the special domain wide flags
- // such as if we are currently in a "fully trusted" environment
- // or if unmanaged code access is allowed at this time
- inline BOOL CheckDomainWideSpecialFlag(DWORD flags) const;
- virtual DWORD GetDomainWideSpecialFlag() const;
-
-
- virtual BOOL DomainMayContainPartialTrustCode();
-
- BOOL QuickIsFullyTrusted();
-
-#endif // #ifndef DACCESS_COMPILE
-};
-
-#include "securitydescriptorappdomain.inl"
-
-#endif // #define __SECURITYDESCRIPTOR_APPDOMAIN_H__
diff --git a/src/vm/securitydescriptorappdomain.inl b/src/vm/securitydescriptorappdomain.inl
deleted file mode 100644
index 8c66a49fa7..0000000000
--- a/src/vm/securitydescriptorappdomain.inl
+++ /dev/null
@@ -1,76 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - -// - -#ifndef __SECURITYDESCRIPTORAPPDOMAIN_INL__ -#define __SECURITYDESCRIPTORAPPDOMAIN_INL__ - -#ifndef DACCESS_COMPILE - -inline ApplicationSecurityDescriptor::ApplicationSecurityDescriptor(AppDomain *pAppDomain) : - SecurityDescriptorBase<IApplicationSecurityDescriptor>(pAppDomain, NULL, NULL, pAppDomain->GetLoaderAllocator()), - m_dwDomainWideSpecialFlags(0xFFFFFFFF), - m_fIsInitializationInProgress(TRUE), - m_fIsDefaultAppdomain(FALSE), - m_fIsDefaultAppdomainEvidence(FALSE), - m_fHomogeneous(FALSE), - m_fRuntimeSuppliedHomogenousGrantSet(FALSE), - m_dwHostSecurityManagerFlags(HOST_NONE), - m_fContainsAnyRefusedPermissions(FALSE), - m_fIsPreResolved(FALSE), - m_fPreResolutionFullTrust(FALSE), - m_fPreResolutionHomogeneous(FALSE) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - return; -} - - -inline void ApplicationSecurityDescriptor::ResetInitializationInProgress() -{ - LIMITED_METHOD_CONTRACT; - m_fIsInitializationInProgress = FALSE; -} - -// Checks for one of the special domain wide flags such as if we are currently in a "fully trusted" -// environment or if unmanaged code access is allowed at this time -inline BOOL ApplicationSecurityDescriptor::CheckDomainWideSpecialFlag(DWORD flags) const -{ - LIMITED_METHOD_CONTRACT; - return (m_dwDomainWideSpecialFlags & flags); -} -inline void ApplicationSecurityDescriptor::SetDefaultAppDomain() -{ - LIMITED_METHOD_CONTRACT; - m_fIsDefaultAppdomain = TRUE; - m_fIsDefaultAppdomainEvidence = TRUE; // Follows from the fact that this is a default AppDomain -} - -inline void ApplicationSecurityDescriptor::SetDefaultAppDomainEvidence() -{ - LIMITED_METHOD_CONTRACT; - m_fIsDefaultAppdomainEvidence = TRUE; // This need not be a 
default AD, but has no evidence. So we'll use the default AD evidence -} - -inline void ApplicationSecurityDescriptor::SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) -{ - LIMITED_METHOD_CONTRACT; - m_fHomogeneous = TRUE; - m_fRuntimeSuppliedHomogenousGrantSet = fRuntimeSuppliedHomogenousGrantSet; -} - - -#endif // #ifndef DACCESS_COMPILE - -#endif // !__SECURITYDESCRIPTORAPPDOMAIN_INL__ diff --git a/src/vm/securitydescriptorassembly.cpp b/src/vm/securitydescriptorassembly.cpp deleted file mode 100644 index 383d62c3e3..0000000000 --- a/src/vm/securitydescriptorassembly.cpp +++ /dev/null 
@@ -1,445 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - -// - - -#include "common.h" -#include "security.h" - -#ifndef DACCESS_COMPILE -AssemblySecurityDescriptor::AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator) : - SecurityDescriptorBase<IAssemblySecurityDescriptor>(pDomain, pAssembly, pAssembly->GetFile(), pLoaderAllocator), - m_dwNumPassedDemands(0), - m_pSignature(NULL), - m_pSharedSecDesc(NULL), - m_fMicrosoftPlatform(FALSE), - m_fAllowSkipVerificationInFullTrust(TRUE) -{ - CONTRACTL - { - MODE_ANY; - GC_NOTRIGGER; - NOTHROW; - } CONTRACTL_END; -} - -// -// This method will return TRUE if this assembly is allowed to skip verification. -// - -BOOL AssemblySecurityDescriptor::CanSkipVerification() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - PRECONDITION(IsResolved()); - } - CONTRACTL_END; - - - // Assemblies loaded into the verification domain never get to skip verification - // unless they are coming from the GAC. - if (m_pAppDomain->IsVerificationDomain()) - { - if (!m_pAssem->GetFile()->IsSourceGAC() && m_pAssem->IsIntrospectionOnly()) - { - return FALSE; - } - } - - return CheckSpecialFlag(1 << SECURITY_SKIP_VER); -} - -BOOL AssemblySecurityDescriptor::AllowSkipVerificationInFullTrust() -{ - LIMITED_METHOD_CONTRACT; - return m_fAllowSkipVerificationInFullTrust; -} - -// -// This method will return TRUE if this assembly has assertion permission. -// - -BOOL AssemblySecurityDescriptor::CanAssert() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(IsResolved()); - } CONTRACTL_END; - - return CheckSpecialFlag(1 << SECURITY_ASSERT); -} - -// -// This method will return TRUE if this assembly has unrestricted UI permissions. 
-// - -BOOL AssemblySecurityDescriptor::HasUnrestrictedUIPermission() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(IsResolved()); - } CONTRACTL_END; - - return CheckSpecialFlag(1 << UI_PERMISSION); -} - -// -// Assembly transparency access methods. These methods what the default transparency level are for methods -// and types introduced by the assembly. -// - -BOOL AssemblySecurityDescriptor::IsAllCritical() -{ - STANDARD_VM_CONTRACT; - - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - return pMsd->IsAllCritical(); -} - -BOOL AssemblySecurityDescriptor::IsAllSafeCritical() -{ - STANDARD_VM_CONTRACT; - - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - return pMsd->IsAllCritical() && pMsd->IsTreatAsSafe(); -} - -BOOL AssemblySecurityDescriptor::IsAllPublicAreaSafeCritical() -{ - STANDARD_VM_CONTRACT; - - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - - bool fIsPublicAreaSafeCritical = SecurityTransparencyBehavior::GetTransparencyBehavior(pMsd->GetSecurityRuleSet())->DoesPublicImplyTreatAsSafe(); - - return pMsd->IsAllCritical() && (pMsd->IsTreatAsSafe() || fIsPublicAreaSafeCritical); -} - -BOOL AssemblySecurityDescriptor::IsAllTransparent() -{ - STANDARD_VM_CONTRACT; - - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - return pMsd->IsAllTransparent(); -} - -BOOL AssemblySecurityDescriptor::QuickIsFullyTrusted() -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } CONTRACTL_END; - - if (IsSystem()) - return TRUE; - - // See if we've already determined that the assembly is FT - // in another AppDomain, in case this is a shared assembly. 
- SharedSecurityDescriptor* pSharedSecDesc = GetSharedSecDesc(); - if (pSharedSecDesc && pSharedSecDesc->IsResolved() && pSharedSecDesc->IsFullyTrusted()) - return TRUE; - - return FALSE; -} - -#ifndef DACCESS_COMPILE - -void AssemblySecurityDescriptor::PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // If we're propagating a permission set, then we don't want to allow an assembly to skip verificaiton in - // full trust. This prevents people leapfrogging from the fully trusted anonymously hosted dynamic methods - // assembly into running unverifiable code. (Note that we already enforce that transaprent code must only load - // other transparent code - so this restriction simply enforces that it is truly transparent.) It would - // be nicer to throw an exception in this case, however that would be a breaking change. Instead, since the - // SkipVerificationInFullTrust feature has always been described as a performance optimization and nothing more, - // we can simply turn off the optimization in these cases. - m_fAllowSkipVerificationInFullTrust = FALSE; - - SetGrantedPermissionSet(GrantedPermissionSet, DeniedPermissionSet, dwSpecialFlags); - - // make sure the shared security descriptor is updated in case this - // is a security descriptor for a shared assembly. 
- Resolve(); -} - -#endif // !DACCESS_COMPILE - -BOOL AssemblySecurityDescriptor::IsSystem() -{ - WRAPPER_NO_CONTRACT; - return m_pAssem->GetFile()->IsSystem(); -} - -void AssemblySecurityDescriptor::Resolve() -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - PRECONDITION(m_pAssem != NULL); - INJECT_FAULT(COMPlusThrowOM();); - SO_TOLERANT; - } CONTRACTL_END; - - // Always resolve the assembly security descriptor in the new AppDomain - if (!IsResolved()) - ResolveWorker(); - - // Update the info in the shared security descriptor - SharedSecurityDescriptor* pSharedSecDesc = GetSharedSecDesc(); - if (pSharedSecDesc) - pSharedSecDesc->Resolve(this); -} - - -void AssemblySecurityDescriptor::ResolveWorker() -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - - SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF); -} - -void AssemblySecurityDescriptor::ResolvePolicy(ISharedSecurityDescriptor *pSharedSecDesc, BOOL fShouldSkipPolicyResolution) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - INJECT_FAULT(COMPlusThrowOM();); - PRECONDITION(CheckPointer(pSharedSecDesc)); - } CONTRACTL_END; - - OVERRIDE_TYPE_LOAD_LEVEL_LIMIT(CLASS_LOADED); - - m_pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pSharedSecDesc); - - ETWOnStartup (SecurityCatchCall_V1, SecurityCatchCallEnd_V1); - // - // In V1.x, we used to check whether execution checking is enabled in caspol.exe - // or whether the assembly has assembly requests before resolving the assembly. - // This leads to several unnecessary complications in the code and the way assembly - // resolution is tracked throughout the lifetime of the AssemblySecurityDescriptor. - // - // In Whidbey, we will always resolve the policy eagerly while the assembly is being - // loaded. The perf concern is less of an issue in Whidbey as GAC assemblies are now - // automatically granted FullTrust. 
- // - - // Push this frame around resolving the assembly for security to ensure the - // debugger can properly recognize any managed code that gets run - // as "class initializaion" code. - FrameWithCookie<DebuggerClassInitMarkFrame> __dcimf; - - Resolve(); - - if (!fShouldSkipPolicyResolution) - { - // update the PLS with the grant/denied sets of the loaded assembly - ApplicationSecurityDescriptor* pAppDomainSecDesc = static_cast<ApplicationSecurityDescriptor*>(GetDomain()->GetSecurityDescriptor()); - pAppDomainSecDesc->AddNewSecDescToPLS(this); - - // Make sure that module transparency information is calculated so that we can verify that if the assembly - // is being loaded in partial trust it is transparent. This check is done in the ModuleSecurityDescriptor, - // so we just need to force it to calculate here. - ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(GetAssembly()); - pMSD->VerifyDataComputed(); - _ASSERTE(IsFullyTrusted() || pMSD->IsAllTransparent()); - } - - __dcimf.Pop(); -} - - -Assembly* AssemblySecurityDescriptor::GetAssembly() -{ - return m_pAssem->GetAssembly(); -} - -BOOL AssemblySecurityDescriptor::CanSkipPolicyResolution() -{ - WRAPPER_NO_CONTRACT; - Assembly* pAssembly = GetAssembly(); - return pAssembly && pAssembly->CanSkipPolicyResolution(); -} - - - - -// Check to make sure that security will allow this assembly to load. 
Throw an exception if the assembly -// should be forbidden from loading for security related purposes -void AssemblySecurityDescriptor::CheckAllowAssemblyLoad() -{ - STANDARD_VM_CONTRACT; - - if (m_pAssem->IsSystem()) - { - return; - } - - // If we're running PEVerify, then we need to allow the assembly to load in to be verified - if (m_pAppDomain->IsVerificationDomain()) - { - return; - } - - // Similarly, in the NGEN domain we don't want to force policy resolution, and we want - // to allow all assemblies to load - if (m_pAppDomain->IsCompilationDomain()) - { - return; - } - - // Reflection only loads are also always allowed - if (m_pAssem->IsIntrospectionOnly()) - { - return; - } - - if (!IsResolved()) - { - GCX_COOP(); - Resolve(); - } - - if (!IsFullyTrusted() && (!m_pAppDomain->IsCompilationDomain() || !NingenEnabled())) - { - // Only fully trusted assemblies are allowed to be loaded when - // the AppDomain is in the initialization phase. - if (m_pAppDomain->GetSecurityDescriptor()->IsInitializationInProgress()) - { - COMPlusThrow(kApplicationException, W("Policy_CannotLoadSemiTrustAssembliesDuringInit")); - } - -#ifdef FEATURE_COMINTEROP - // WinRT is not supported in partial trust, so block it by throwing if a partially trusted winmd is loaded - if (IsAfContentType_WindowsRuntime(m_pAssem->GetFile()->GetFlags())) - { - COMPlusThrow(kNotSupportedException, W("NotSupported_WinRT_PartialTrust")); - } -#endif // FEATURE_COMINTEROP - } -} - -SharedSecurityDescriptor::SharedSecurityDescriptor(Assembly *pAssembly) : - m_pAssembly(pAssembly), - m_fResolved(FALSE), - m_fFullyTrusted(FALSE), - m_fCanCallUnmanagedCode(FALSE), - m_fCanAssert(FALSE), - m_fMicrosoftPlatform(FALSE) -{ - LIMITED_METHOD_CONTRACT; -} - -void SharedSecurityDescriptor::Resolve(IAssemblySecurityDescriptor *pSecDesc) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - PRECONDITION(pSecDesc->IsResolved()); - } - CONTRACTL_END; - - if (!m_fResolved) - { - m_fFullyTrusted = 
pSecDesc->IsFullyTrusted(); - m_fCanCallUnmanagedCode = pSecDesc->CanCallUnmanagedCode(); - m_fCanAssert = pSecDesc->CanAssert(); - - m_fResolved = TRUE; - } - - _ASSERTE(!!m_fFullyTrusted == !!pSecDesc->IsFullyTrusted()); - _ASSERTE(!!m_fCanCallUnmanagedCode == !!pSecDesc->CanCallUnmanagedCode()); - _ASSERTE(!!m_fCanAssert == !!pSecDesc->CanAssert()); -} - -BOOL SharedSecurityDescriptor::IsFullyTrusted() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(IsResolved()); - } CONTRACTL_END; - - return m_fFullyTrusted; -} - -BOOL SharedSecurityDescriptor::CanCallUnmanagedCode() const -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(IsResolved()); - } CONTRACTL_END; - - return m_fCanCallUnmanagedCode; -} - -BOOL SharedSecurityDescriptor::IsResolved() const -{ - LIMITED_METHOD_CONTRACT; - return m_fResolved; -} - -BOOL SharedSecurityDescriptor::CanAssert() -{ - CONTRACTL { - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - PRECONDITION(IsResolved()); - } CONTRACTL_END; - - return m_fCanAssert; -} - -BOOL SharedSecurityDescriptor::IsSystem() -{ - WRAPPER_NO_CONTRACT; - return m_pAssembly->IsSystem(); -} - -Assembly* SharedSecurityDescriptor::GetAssembly() -{ - LIMITED_METHOD_CONTRACT; - return m_pAssembly; -} - -SharedSecurityDescriptor *AssemblySecurityDescriptor::GetSharedSecDesc() -{ - LIMITED_METHOD_CONTRACT; - return m_pSharedSecDesc; -} -#endif // #ifndef DACCESS_COMPILE - - diff --git a/src/vm/securitydescriptorassembly.h b/src/vm/securitydescriptorassembly.h deleted file mode 100644 index d414de033d..0000000000 --- a/src/vm/securitydescriptorassembly.h +++ /dev/null 
@@ -1,155 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - -// - - -#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_H__ -#define __SECURITYDESCRIPTOR_ASSEMBLY_H__ - -#include "security.h" -#include "securitydescriptor.h" -struct AssemblyLoadSecurity; - -class Assembly; -class DomainAssembly; - -// Security flags for the objects that store security information -#define CORSEC_ASSERTED 0x000020 // Asseted permission set present on frame -#define CORSEC_DENIED 0x000040 // Denied permission set present on frame -#define CORSEC_REDUCED 0x000080 // Reduced permission set present on frame - - -/////////////////////////////////////////////////////////////////////////////// -// -// [SecurityDescriptor] -// | -// +----[PEFileSecurityDescriptor] -// | -// +----[ApplicationSecurityDescriptor] -// | -// +----[AssemblySecurityDescriptor] -// -// [SharedSecurityDescriptor] -// -/////////////////////////////////////////////////////////////////////////////// -// -// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects. -// AppDomain and Assembly could be from different zones. -// Security Descriptor could also be placed on a native frame. 
-// -/////////////////////////////////////////////////////////////////////////////// - -#define MAX_PASSED_DEMANDS 10 - -//------------------------------------------------------------------ -// -// ASSEMBLY SECURITY DESCRIPTOR -// -//------------------------------------------------------------------ - -#ifndef DACCESS_COMPILE -void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la); -#endif -class AssemblySecurityDescriptor : public SecurityDescriptorBase<IAssemblySecurityDescriptor> -{ -public: - VPTR_VTABLE_CLASS(AssemblySecurityDescriptor, SecurityDescriptorBase<IAssemblySecurityDescriptor>) - -private: - PsetCacheEntry* m_arrPassedLinktimeDemands[MAX_PASSED_DEMANDS]; - DWORD m_dwNumPassedDemands; - - COR_TRUST *m_pSignature; // Contains the publisher, requested permission - SharedSecurityDescriptor *m_pSharedSecDesc; // Shared state for assemblies loaded into multiple appdomains - - - BOOL m_fMicrosoftPlatform; - BOOL m_fAllowSkipVerificationInFullTrust; - -#ifndef DACCESS_COMPILE -public: - virtual SharedSecurityDescriptor *GetSharedSecDesc(); - - virtual BOOL CanAssert(); - virtual BOOL HasUnrestrictedUIPermission(); - virtual BOOL IsAllCritical(); - virtual BOOL IsAllSafeCritical(); - virtual BOOL IsAllPublicAreaSafeCritical(); - virtual BOOL IsAllTransparent(); - virtual BOOL IsSystem(); - BOOL QuickIsFullyTrusted(); - - BOOL CanSkipVerification(); - virtual BOOL AllowSkipVerificationInFullTrust(); - - virtual VOID Resolve(); - - virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution); - - AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator); - - inline BOOL AlreadyPassedDemand(PsetCacheEntry *pCasDemands); - inline void TryCachePassedDemand(PsetCacheEntry *pCasDemands); - Assembly* GetAssembly(); - -#ifndef DACCESS_COMPILE - virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, 
DWORD dwSpecialFlags); -#endif // !DACCESS_COMPILE - - - - virtual void CheckAllowAssemblyLoad(); - -private: - BOOL CanSkipPolicyResolution(); - OBJECTREF UpgradePEFileEvidenceToAssemblyEvidence(const OBJECTREF& objPEFileEvidence); - - void ResolveWorker(); - - - -#endif // #ifndef DACCESS_COMPILE -}; - - -// This really isn't in the SecurityDescriptor hierarchy, per-se. It's attached -// to the unmanaged assembly object and used to store common information when -// the assembly is shared across multiple appdomains. -class SharedSecurityDescriptor : public ISharedSecurityDescriptor -{ -private: - // Unmanaged assembly this descriptor is attached to. - Assembly *m_pAssembly; - - // All policy resolution is funnelled through the shared descriptor so we - // can guarantee everyone's using the same grant/denied sets. - BOOL m_fResolved; - BOOL m_fFullyTrusted; - BOOL m_fCanCallUnmanagedCode; - BOOL m_fCanAssert; - BOOL m_fMicrosoftPlatform; - -public: - SharedSecurityDescriptor(Assembly *pAssembly); - virtual ~SharedSecurityDescriptor() {} - - // All policy resolution is funnelled through the shared descriptor so we - // can guarantee everyone's using the same grant/denied sets. - virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL); - virtual BOOL IsResolved() const; - - // Is this assembly a system assembly? - virtual BOOL IsSystem(); - virtual Assembly* GetAssembly(); - - BOOL IsFullyTrusted(); - BOOL CanCallUnmanagedCode() const; - BOOL CanAssert(); -}; - -#include "securitydescriptorassembly.inl" - -#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_H__ diff --git a/src/vm/securitydescriptorassembly.inl b/src/vm/securitydescriptorassembly.inl deleted file mode 100644 index e12a6c5963..0000000000 --- a/src/vm/securitydescriptorassembly.inl +++ /dev/null 
@@ -1,63 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// - -// - -#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_INL__ -#define __SECURITYDESCRIPTOR_ASSEMBLY_INL__ - -#ifndef DACCESS_COMPILE - -inline BOOL AssemblySecurityDescriptor::AlreadyPassedDemand(PsetCacheEntry *pCasDemands) -{ - LIMITED_METHOD_CONTRACT; - - BOOL result = false; - for (UINT index = 0; index < m_dwNumPassedDemands; index++) - { - if (m_arrPassedLinktimeDemands[index] == pCasDemands) - { - result = true; - break; - } - } - - return result; -} - -inline void AssemblySecurityDescriptor::TryCachePassedDemand(PsetCacheEntry *pCasDemands) -{ - LIMITED_METHOD_CONTRACT; - - if (m_dwNumPassedDemands <= (MAX_PASSED_DEMANDS - 1)) - m_arrPassedLinktimeDemands[m_dwNumPassedDemands++] = pCasDemands; -} - - - -#endif // !DACCESS_COMPILE - -inline AssemblyLoadSecurity::AssemblyLoadSecurity() : - m_pEvidence(NULL), - m_pAdditionalEvidence(NULL), - m_pGrantSet(NULL), - m_pRefusedSet(NULL), - m_dwSpecialFlags(0), - m_fCheckLoadFromRemoteSource(false), - m_fSuppressSecurityChecks(false), - m_fPropagatingAnonymouslyHostedDynamicMethodGrant(false) -{ - LIMITED_METHOD_CONTRACT; - return; -} - -// Should the assembly have policy resolved on it, or should it use a pre-determined grant set -inline bool AssemblyLoadSecurity::ShouldResolvePolicy() -{ - LIMITED_METHOD_CONTRACT; - return m_pGrantSet == NULL; -} - -#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_INL__ diff --git a/src/vm/securitymeta.cpp b/src/vm/securitymeta.cpp deleted file mode 100644 index 1374d9ff55..0000000000 --- a/src/vm/securitymeta.cpp +++ /dev/null 
@@ -1,1942 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -//-------------------------------------------------------------------------- -// securitymeta.cpp -// -//pre-computes security meta information, from declarative and run-time information -// - - -// -//-------------------------------------------------------------------------- - - - -#include "common.h" - -#include "object.h" -#include "excep.h" -#include "vars.hpp" -#include "security.h" - -#include "perfcounters.h" -#include "frames.h" -#include "dllimport.h" -#include "strongname.h" -#include "eeconfig.h" -#include "field.h" -#include "threads.h" -#include "eventtrace.h" -#include "typestring.h" -#include "securitydeclarative.h" -#include "customattribute.h" -#include "../md/compiler/custattr.h" - -#include "securitymeta.h" -#include "caparser.h" - -void FieldSecurityDescriptor::VerifyDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - if (m_flags & FieldSecurityDescriptorFlags_IsComputed) - { - return; - } - - -#ifdef _DEBUG - // If we've setup a breakpoint when we compute the transparency of this field, then stop in the debugger - // now. 
- static ConfigMethodSet fieldTransparencyBreak; - fieldTransparencyBreak.ensureInit(CLRConfig::INTERNAL_Security_TransparencyFieldBreak); - if (fieldTransparencyBreak.contains(m_pFD->GetName(), m_pFD->GetApproxEnclosingMethodTable()->GetDebugClassName())) - { - DebugBreak(); - } -#endif // _DEBUG - - FieldSecurityDescriptorFlags fieldFlags = FieldSecurityDescriptorFlags_None; - - // check to see if the class has the critical attribute - MethodTable* pMT = m_pFD->GetApproxEnclosingMethodTable(); - TypeSecurityDescriptor typeSecDesc(pMT); - - const SecurityTransparencyBehavior *pTransparencyBehavior = m_pFD->GetModule()->GetAssembly()->GetSecurityTransparencyBehavior(); - _ASSERTE(pTransparencyBehavior); - - TokenSecurityDescriptor tokenSecDesc(m_pFD->GetModule(), m_pFD->GetMemberDef()); - - // If the containing type is all transparent or all critical / safe critical, then the field must also be - // transparent or critical / safe critical. If the type is mixed, then we need to look at the field's - // token first to see what its transparency level is - if (typeSecDesc.IsAllTransparent()) - { - fieldFlags = FieldSecurityDescriptorFlags_None; - } - else if (typeSecDesc.IsOpportunisticallyCritical()) - { - // Field opportunistically critical rules: - // Level 1 -> safe critical - // Level 2 -> critical - // If the containing type is participating in type equivalence -> transparent - - if (!typeSecDesc.IsTypeEquivalent()) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsCritical; - - if (typeSecDesc.IsTreatAsSafe() || pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods()) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - } - } - else if (typeSecDesc.IsAllCritical()) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsCritical; - - if (typeSecDesc.IsTreatAsSafe()) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - else if (pTransparencyBehavior->CanIntroducedCriticalMembersAddTreatAsSafe() && - 
(tokenSecDesc.GetMetadataFlags() & (TokenSecurityDescriptorFlags_TreatAsSafe | TokenSecurityDescriptorFlags_SafeCritical))) - { - // If the transparency model allows members introduced into a critical scope to add their own - // TreatAsSafe attributes, then we need to look for a token level TreatAsSafe as well. - fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - } - else - { - fieldFlags |= pTransparencyBehavior->MapFieldAttributes(tokenSecDesc.GetMetadataFlags()); - } - - // TreatAsSafe from the type we're contained in always propigates to its fields - if ((fieldFlags & FieldSecurityDescriptorFlags_IsCritical) && - typeSecDesc.IsTreatAsSafe()) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - - // If the field is public and critical, it may additionally need to be marked treat as safe - if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() && - typeSecDesc.IsTypeExternallyVisibleForTransparency() && - (m_pFD->IsPublic() || m_pFD->IsProtected() || IsFdFamORAssem(m_pFD->GetFieldProtection())) && - (fieldFlags & FieldSecurityDescriptorFlags_IsCritical) && - !(fieldFlags & FieldSecurityDescriptorFlags_IsTreatAsSafe)) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - - // mark computed - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), fieldFlags | FieldSecurityDescriptorFlags_IsComputed); -} - - -// All callers to his method will pass in a valid memory location for pMethodSecurityDesc which they are responsible for -// free-ing when done using it. Typically this will be a stack location for perf reasons. 
-// -// Some details about when we cache MethodSecurityDescriptors and how the linkdemand process works: -// - When we perform the LinkTimeCheck, we follow this order of checks -// : APTCA check -// : Class-level declarative security using TypeSecurityDescriptor -// : Method-level declarative security using MethodSecurityDescriptor -// : Unmanaged-code check (if required) -// -// For APTCA and Unmanaged code checks, we don't have a permissionset entry in the hashtable that we use when performing the demand. Since -// these are well-known demands, we special-case them. What this means is that we may have a MethodSecurityDescriptor that requires a linktime check -// but does not have DeclActionInfo or TokenDeclActionInfo fields inside. -// -// For cases where the Type causes the Link/Inheritance demand, the MethodDesc has the flag set, but the MethodSecurityDescriptor will not have any -// DeclActionInfo or TokenDeclActionInfo. -// -// And the relevance all this has to this method is the following: Don't automatically insert a MethodSecurityDescriptor into the hash table if it has -// linktime or inheritance time check. Only do so if either of the DeclActionInfo or TokenDeclActionInfo fields are non-NULL. -void MethodSecurityDescriptor::LookupOrCreateMethodSecurityDescriptor(MethodSecurityDescriptor* ret_methSecDesc) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - PRECONDITION(CheckPointer(ret_methSecDesc)); - } CONTRACTL_END; - - _ASSERTE(CanMethodSecurityDescriptorBeCached(ret_methSecDesc->m_pMD)); - - MethodSecurityDescriptor* pMethodSecurityDesc = (MethodSecurityDescriptor*)TokenSecurityDescriptor::LookupSecurityDescriptor(ret_methSecDesc->m_pMD); - if (pMethodSecurityDesc == NULL) - { - ret_methSecDesc->VerifyDataComputedInternal();// compute all the data that is needed. 
- - // cache method security desc using some simple heuristics - // we have some token actions computed, let us cache this method security desc - - if (ret_methSecDesc->GetRuntimeDeclActionInfo() != NULL || - ret_methSecDesc->GetTokenDeclActionInfo() != NULL || - // NGEN accesses MethodSecurityDescriptors frequently to check for security callouts - IsCompilationProcess()) - { - - // Need to insert this methodSecDesc - LPVOID pMem = GetAppDomain()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(MethodSecurityDescriptor))); - - // allocate a method security descriptor, using the appdomain heap memory - pMethodSecurityDesc = new (pMem) MethodSecurityDescriptor(ret_methSecDesc->m_pMD); - - *pMethodSecurityDesc = *ret_methSecDesc; // copy over the fields - - MethodSecurityDescriptor* pExistingMethodSecurityDesc = NULL; - // insert pMethodSecurityDesc into our hash table - pExistingMethodSecurityDesc = reinterpret_cast<MethodSecurityDescriptor*>(TokenSecurityDescriptor::InsertSecurityDescriptor(ret_methSecDesc->m_pMD, (HashDatum) pMethodSecurityDesc)); - if (pExistingMethodSecurityDesc != NULL) - { - // if we found an existing method security desc, use it - // no need to delete the one we had created, as we allocated it in the Appdomain heap - pMethodSecurityDesc = pExistingMethodSecurityDesc; - } - } - } - else - { - *ret_methSecDesc = *pMethodSecurityDesc; - } - - return; -} - -BOOL MethodSecurityDescriptor::CanMethodSecurityDescriptorBeCached(MethodDesc* pMD) -{ - LIMITED_METHOD_CONTRACT; - - return pMD->IsInterceptedForDeclSecurity() || - pMD->RequiresLinktimeCheck() || - pMD->RequiresInheritanceCheck()|| - pMD->IsVirtual()|| - pMD->IsMethodImpl()|| - pMD->IsLCGMethod(); -} - -void MethodSecurityDescriptor::VerifyDataComputedInternal() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - if (m_flags & MethodSecurityDescriptorFlags_IsComputed) - { - return; - } - - // If the method hasn't already cached 
it's transparency information, then we need to calculate it here. - // It can be cached if we're loading the method from a native image, but are creating the security - // descriptor in order to figure out declarative security. - if (!m_pMD->HasCriticalTransparentInfo()) - { - ComputeCriticalTransparentInfo(); - } - - // compute RUN-TIME DECLARATIVE SECURITY STUFF - // (merges both class and method level run-time declarative security info). - if (HasRuntimeDeclarativeSecurity()) - { - ComputeRuntimeDeclarativeSecurityInfo(); - } - - // compute method specific DECLARATIVE STUFF - if (HasRuntimeDeclarativeSecurity() || HasLinkOrInheritanceDeclarativeSecurity()) - { - ComputeMethodDeclarativeSecurityInfo(); - } - - // mark computed - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_IsComputed); -} - -void MethodSecurityDescriptor::ComputeCriticalTransparentInfo() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - - MethodTable* pMT = m_pMD->GetMethodTable(); - -#ifdef _DEBUG - // If we've setup a breakpoint when we compute the transparency of this method, then stop in the debugger - // now. - static ConfigMethodSet methodTransparencyBreak; - methodTransparencyBreak.ensureInit(CLRConfig::INTERNAL_Security_TransparencyMethodBreak); - if (methodTransparencyBreak.contains(m_pMD->GetName(), pMT->GetDebugClassName())) - { - DebugBreak(); - } -#endif // _DEBUG - - MethodSecurityDescriptorFlags methodFlags = MethodSecurityDescriptorFlags_None; - TypeSecurityDescriptor typeSecDesc(pMT); - - const SecurityTransparencyBehavior *pTransparencyBehavior = m_pMD->GetAssembly()->GetSecurityTransparencyBehavior(); - _ASSERTE(pTransparencyBehavior); - - // If the transparency model used by this method cares about the location of the introduced method, - // then we need to figure out where the method was introduced. 
This is only important when the type is - // all critical or opportunistically critical, since otherwise we'll look at the method directly anyway. - MethodDesc *pIntroducingMD = NULL; - bool fWasIntroducedLocally = true; - if (pTransparencyBehavior->DoesScopeApplyOnlyToIntroducedMethods() && - (typeSecDesc.IsOpportunisticallyCritical() || typeSecDesc.IsAllCritical())) - { - if (m_pMD->IsVirtual() && - !m_pMD->IsInterface() && - m_pMD->GetSlot() < m_pMD->GetMethodTable()->GetNumVirtuals()) - { - pIntroducingMD = m_pMD->GetMethodTable()->GetIntroducingMethodDesc(m_pMD->GetSlot()); - } - - fWasIntroducedLocally = pIntroducingMD == NULL || pIntroducingMD == m_pMD; - - // - // #OpportunisticallyCriticalMultipleImplement - // - // One method can be the target of multiple interfaces and also an override of a base class. Further, - // there could be conflicting inheritance requirements; for instance overriding a critical method and - // implementing a transparent interface with the same method desc. - // - // For APTCA assemblies, we require that they seperate out to explicit interface implementations to - // solve this problem, however we cannot push this requirement to opportunistically critical - // assemblies. Therefore, in those assemblies we create the following non-introduced method rule: - // - // 1. If both the base override and all of the interfaces that a method desc is implementing have the - // same accessibility, then the method must agree with that accessibility. - // - // 2. If there is a mix of transparent accessibilities, then the method desc will be safe critical. - // This leads to a situation where a safe critical method can implement a critical interface, - // which is not a security hole, but does create some strangeness around the fact that transparent - // code can call the method directly but not via the interface (or base type). 
- // - // Since there is no way for all inheritance requirements to be satisfied here, we choose to - // violate the overriding critical one because looking directly at the method will indicate that - // it is callable from transparent, whereas allowing a critical implementation of a transparent - // interface would create a worse situation of the method desc saying that it is not callable from - // transparent, while it would be via the interface. - // - // A variation of this problem can also occur with MethodImpls. For example, a virtual method could - // implement both a transparent and a critical virtual. This case follows the same rules laid out - // above for interface implementations. - - // We need to check the interfaces and MethodImpls if we were introduced locally, or if we're - // opportunistically critical and the introducing method was not safe critical. - bool fCheckInterfacesAndMethodImpls = fWasIntroducedLocally; - if (!fCheckInterfacesAndMethodImpls && typeSecDesc.IsOpportunisticallyCritical()) - { - _ASSERTE(pIntroducingMD != NULL); - // Make sure the introducing method has its transparency calculated - if (!pIntroducingMD->HasCriticalTransparentInfo()) - { - MethodSecurityDescriptor introducingMSD(pIntroducingMD); - introducingMSD.ComputeCriticalTransparentInfo(); - } - - // We need to keep looking at the interfaces and MethodImpls if we override a critical method. If - // we're overriding a safe critical or transparent method, then we'll end up being safe critical - // anyway. - fCheckInterfacesAndMethodImpls = pIntroducingMD->IsCritical() && !pIntroducingMD->IsTreatAsSafe(); - } - - if (fCheckInterfacesAndMethodImpls && - !m_pMD->IsCtor() && - !m_pMD->IsStatic()) - { - // Interface implementation or MethodImpl that we choose to use to calculate transparency - for - // opportunistically critical methods, this is the first safe critical / transparent method if one - // is found, otherwise the first critical method. 
For all other methods, it is the first - // interface / MethodImpl method found. - MethodDesc *pSelectedMD = NULL; - - // Iterate over the implemented methods to see if we're implementing any interfaces or virtuals - MethodImplementationIterator implementationIterator(m_pMD); - bool fFoundTargetMethod = false; - for (; implementationIterator.IsValid() && !fFoundTargetMethod; implementationIterator.Next()) - { - MethodDesc *pImplementedMD = implementationIterator.Current(); - - // If we're opportunistically critical, then we need to figure out if the implemented - // method is critical or not, and continue looking if we only found critical methods - // to this point. - if (typeSecDesc.IsOpportunisticallyCritical()) - { - // We should either have not found a candidate yet, or that candidate should be critical - _ASSERTE(pSelectedMD == NULL || - (pSelectedMD->IsCritical() && !pSelectedMD->IsTreatAsSafe())); - - if (!pImplementedMD->HasCriticalTransparentInfo()) - { - MethodSecurityDescriptor implementedMSD(pImplementedMD); - implementedMSD.ComputeCriticalTransparentInfo(); - } - - // If this is the first interface method or MethodImpl we've seen, save it away. Otherwise, - // we've so far implemented only critical interfaces and methods, so if we see a - // transparent or safe critical interface method, we should note that and stop looking - // further. - if (!pImplementedMD->IsCritical() || pImplementedMD->IsTreatAsSafe()) - { - pSelectedMD = pImplementedMD; - fFoundTargetMethod = true; - } - else if (pSelectedMD == NULL) - { - pSelectedMD = pImplementedMD; - } - } - else - { - // If we're not opportunistically critical, then we only care about the first interface - // implementation or MethodImpl that we see. 
- _ASSERTE(pSelectedMD == NULL); - pSelectedMD = pImplementedMD; - fFoundTargetMethod = true; - } - } - - // If we found an interface method or MethodImpl, then use that as the introducing method - if (pSelectedMD != NULL) - { - pIntroducingMD = pSelectedMD; - fWasIntroducedLocally = false; - } - } - - // If we're not working with a method that we introduced, make sure it has its transparency calculated - // before we need to use it. - if (!fWasIntroducedLocally && !pIntroducingMD->HasCriticalTransparentInfo()) - { - MethodSecurityDescriptor introducingMSD(pIntroducingMD); - introducingMSD.ComputeCriticalTransparentInfo(); - _ASSERTE(pIntroducingMD->HasCriticalTransparentInfo()); - } - } - - // In a couple of cases we know the transparency of the method directly: - // 1. If our parent type is all transparent, we must also be transparent - // 2. If we're opprotunstically critical, then we can figure out the annotation based upon the override - // 3. If our parent type is all critical, and we were introduced by that type, we must also be critical - // (we could also be safe critical as well). - // - // Otherwise, we need to ask the current transparency implementation what this method is, because it - // will vary depending upon if we're in legacy mode or not. - TokenSecurityDescriptor methodTokenSecDesc(m_pMD->GetModule(), GetToken()); - if (typeSecDesc.IsAllTransparent()) - { - methodFlags = MethodSecurityDescriptorFlags_None; - } - else if (typeSecDesc.IsOpportunisticallyCritical()) - { - // Opportunistically critical methods will always be critical - methodFlags |= MethodSecurityDescriptorFlags_IsCritical; - - // If we're overriding a safe critical or transparent method, we also need to be treat as safe - // - // Virtuals on value types have multiple entries in the method table, so we may not have mapped - // it back to the override that it was implementing. 
In order to compensate for this, we simply - // allow all virtuals in opportunistically critical value types to be safe critical. This doesn't - // introduce any extra risk, because unless we're overriding one of the Object overloads, there is - // nothing that transparent code can cast the ValueType to in order to access the virtual since the - // value type itself will be critical. - // - // If we're in a transparency model where all opportunistically critical methods are safe critical, we - // need to add the treat as safe bit. - // - // Finally, if we're in a type participating in type equivalence, then we need to add the treat as - // safe bit. This keeps the transparency of methods in type equivalent interfaces consistent across - // security rule sets in opportunistically critical assemblies, which allows types from v2 PIAs to - // be embedded successfully into v4 assemblies for instance. - if (!fWasIntroducedLocally && - (!pIntroducingMD->IsCritical() || pIntroducingMD->IsTreatAsSafe())) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - else if (pMT->IsValueType() && m_pMD->IsVirtual()) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - else if (pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods()) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - else if (typeSecDesc.IsTypeEquivalent()) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - } - else if (typeSecDesc.IsAllCritical() && fWasIntroducedLocally) - { - methodFlags |= MethodSecurityDescriptorFlags_IsCritical; - - if (typeSecDesc.IsTreatAsSafe()) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - else if (pTransparencyBehavior->CanIntroducedCriticalMembersAddTreatAsSafe() && - (methodTokenSecDesc.GetMetadataFlags() & (TokenSecurityDescriptorFlags_TreatAsSafe | TokenSecurityDescriptorFlags_SafeCritical))) - { - // If the transparency model allows members introduced into a 
critical scope to add their own - // TreatAsSafe attributes, then we need to look for a token level TreatAsSafe as well. - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - } - else - { - // We don't have a larger scope that tells us what to do with the method, so ask the transparency - // implementation to map our attributes to a set of flags - methodFlags |= pTransparencyBehavior->MapMethodAttributes(methodTokenSecDesc.GetMetadataFlags()); - } - - // TreatAsSafe from the type we're contained in always propigates to its methods - if (fWasIntroducedLocally && - (methodFlags & MethodSecurityDescriptorFlags_IsCritical) && - typeSecDesc.IsTreatAsSafe()) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - - // The compiler can introduce default constructors implicitly, and for an explicitly critical type they - // will always be transparent - resulting in a type load exception. If we are a transparent default .ctor - // of an explicitly critical type, then we'll switch to being safe critical to allow the type to load and - // allow us access to our this pointer - if (!typeSecDesc.IsAllCritical() && - typeSecDesc.IsCritical() && - !(methodFlags & MethodSecurityDescriptorFlags_IsCritical) && - m_pMD->IsCtor()) - { - if (pMT->HasDefaultConstructor() && - pMT->GetDefaultConstructor() == m_pMD) - { - methodFlags |= MethodSecurityDescriptorFlags_IsCritical | - MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - // See if we're a public critical method, then we may need to additionally make ourselves treat as safe - if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() && - typeSecDesc.IsTypeExternallyVisibleForTransparency() && - (m_pMD->IsPublic() || m_pMD->IsProtected() || IsMdFamORAssem(m_pMD->GetAttrs())) && - (methodFlags & MethodSecurityDescriptorFlags_IsCritical) && - !(methodFlags & MethodSecurityDescriptorFlags_IsTreatAsSafe)) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - - // Cache our state on 
the MethodDesc - m_pMD->SetCriticalTransparentInfo(methodFlags & MethodSecurityDescriptorFlags_IsCritical, - methodFlags & MethodSecurityDescriptorFlags_IsTreatAsSafe); -} - -void MethodSecurityDescriptor::ComputeRuntimeDeclarativeSecurityInfo() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - // Load declarative security attributes - _ASSERTE(HasRuntimeDeclarativeSecurity()); - m_declFlagsDuringPreStub = m_pMD->GetSecurityFlagsDuringPreStub(); - _ASSERTE(m_declFlagsDuringPreStub && " Expected some runtime security action"); - m_pRuntimeDeclActionInfo = SecurityDeclarative::DetectDeclActions(m_pMD, m_declFlagsDuringPreStub); -} - -void MethodSecurityDescriptor::ComputeMethodDeclarativeSecurityInfo() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - DWORD flags = 0; - - _ASSERTE(HasRuntimeDeclarativeSecurity()|| HasLinkOrInheritanceDeclarativeSecurity()); - DWORD dwDeclFlags; - HRESULT hr = SecurityDeclarative::GetDeclarationFlags(GetIMDInternalImport(), GetToken(), &dwDeclFlags, NULL, NULL); - - if (SUCCEEDED(hr)) - { - GCX_COOP(); - PsetCacheEntry *tokenSetIndexes[dclMaximumValue + 1]; - SecurityDeclarative::DetectDeclActionsOnToken(GetToken(), dwDeclFlags, tokenSetIndexes, GetIMDInternalImport()); - - // Create single linked list of set indexes - DWORD dwLocalAction; - bool builtInCASPermsOnly = TRUE; - for (dwLocalAction = 0; dwLocalAction <= dclMaximumValue; dwLocalAction++) - { - if (tokenSetIndexes[dwLocalAction] != NULL) - { - TokenDeclActionInfo::LinkNewDeclAction(&m_pTokenDeclActionInfo, (CorDeclSecurity)dwLocalAction, tokenSetIndexes[dwLocalAction]); - builtInCASPermsOnly = builtInCASPermsOnly && (tokenSetIndexes[dwLocalAction]->ContainsBuiltinCASPermsOnly(dwLocalAction)); - } - } - - if (builtInCASPermsOnly) - flags |= MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly; - SecurityProperties sp(dwDeclFlags); - if 
(sp.FDemandsOnly()) - flags |= MethodSecurityDescriptorFlags_IsDemandsOnly; - if (sp.FAssertionsExist()) - { - // Do a check to see if the assembly has been granted permission to assert and let's cache that value in the MethodSecurityDesriptor - Module* pModule = m_pMD->GetModule(); - PREFIX_ASSUME_MSG(pModule != NULL, "Should be a Module pointer here"); - - if (Security::CanAssert(pModule)) - { - flags |= MethodSecurityDescriptorFlags_AssertAllowed; - } - } - } - - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), flags); -} - -void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD) -{ - CONTRACTL - { - STANDARD_VM_CHECK; - PRECONDITION(CheckPointer(pChildMD)); - } - CONTRACTL_END; - - const SecurityTransparencyBehavior *pTransparencyBehavior = pChildMD->GetAssembly()->GetSecurityTransparencyBehavior(); - if (pTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled()) - { - // The profiler may want to suppress these checks if it's currently running on the child type - if (Security::BypassSecurityChecksForProfiler(pChildMD)) - { - return; - } - - /* - Allowed Inheritance Patterns (cannot change accessibility) - ---------------------------- - - Base Class/Method Derived Class/ Method - ----------------- --------------------- - Transparent Transparent - Transparent SafeCritical - SafeCritical SafeCritical - SafeCritical Transparent - Critical Critical - - - Disallowed Inheritance patterns - ------------------------------- - - Base Class/Method Derived Class /Method - ----------------- --------------------- - Transparent Critical - SafeCritical Critical - Critical Transparent - Critical SafeCritical - */ - - MethodSecurityDescriptor methSecurityDescriptor(pChildMD, FALSE); - TokenSecurityDescriptor methTokenSecurityDescriptor(pChildMD->GetModule(), pChildMD->GetMemberDef()); - if (IsCritical()) - { - if (IsTreatAsSafe()) - { - // Base: SafeCritical. 
Check if Child is Critical - if (methSecurityDescriptor.IsCritical() && !methSecurityDescriptor.IsTreatAsSafe()) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a SafeCritical base method", m_pMD); - } -#endif // _DEBUG - SecurityTransparent::ThrowTypeLoadException(pChildMD); - } - } - else - { - // Base: Critical. - if (!methSecurityDescriptor.IsCritical()) - { - // Child is transparent - // throw -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMD, "Transparent method overriding a critical base method", m_pMD); - } -#endif // _DEBUG - SecurityTransparent::ThrowTypeLoadException(pChildMD); - } - else if (methSecurityDescriptor.IsTreatAsSafe() && !methSecurityDescriptor.IsOpportunisticallyCritical()) - { - // The child is safe critical and not opportunistically critical (see code:#OpportunisticallyCriticalMultipleImplement) - // throw. -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMD, "Safe critical method overriding a SafeCritical base method", m_pMD); - } -#endif // _DEBUG - SecurityTransparent::ThrowTypeLoadException(pChildMD); - } - } - } - else - { - // Base: Transparent. 
Throw if derived is Critical and not SafeCritical - if (methSecurityDescriptor.IsCritical() && !methSecurityDescriptor.IsTreatAsSafe()) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a transparent base method", m_pMD); - } -#endif // _DEBUG - SecurityTransparent::ThrowTypeLoadException(pChildMD); - } - } - } - -} - -MethodSecurityDescriptor::MethodImplementationIterator::MethodImplementationIterator(MethodDesc *pMD) - : m_interfaceIterator(pMD->GetMethodTable()), - m_pMD(pMD), - m_iMethodImplIndex(0), - m_fInterfaceIterationBegun(false), - m_fMethodImplIterationBegun(false) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(pMD != NULL); - } - CONTRACTL_END; - - Next(); -} - -MethodDesc *MethodSecurityDescriptor::MethodImplementationIterator::Current() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(IsValid()); - } - CONTRACTL_END; - - if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid()) - { - _ASSERTE(m_fInterfaceIterationBegun); - MethodTable *pInterface = m_pMD->GetMethodTable()->LookupDispatchMapType(m_interfaceIterator.Entry()->GetTypeID()); - return pInterface->GetMethodDescForSlot(m_interfaceIterator.Entry()->GetSlotNumber()); - } - else - { - _ASSERTE(m_fMethodImplIterationBegun); - _ASSERTE(m_pMD->IsMethodImpl()); - _ASSERTE(m_iMethodImplIndex < m_pMD->GetMethodImpl()->GetSize()); - return m_pMD->GetMethodImpl()->GetImplementedMDs()[m_iMethodImplIndex]; - } -} - -bool MethodSecurityDescriptor::MethodImplementationIterator::IsValid() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - // We're valid as long as we still have interface maps or method impls to process - if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid()) - { - return true; - } - else if (m_pMD->IsMethodImpl()) - { - return m_iMethodImplIndex < 
m_pMD->GetMethodImpl()->GetSize(); - } - else - { - return false; - } -} - -void MethodSecurityDescriptor::MethodImplementationIterator::Next() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - bool fFoundImpl = false; - - // First iterate over the interface implementations - if (m_pMD->GetMethodTable()->HasDispatchMap() && m_interfaceIterator.IsValid()) - { - while (m_interfaceIterator.IsValid() && !fFoundImpl) - { - // If we haven't yet begun iterating interfaces then don't call Next right away - otherwise - // we'll potentially skip over the first interface method. - if (m_fInterfaceIterationBegun) - { - m_interfaceIterator.Next(); - } - else - { - m_fInterfaceIterationBegun = true; - } - - if (m_interfaceIterator.IsValid()) - { - _ASSERTE(!m_interfaceIterator.Entry()->GetTypeID().IsThisClass()); - fFoundImpl = (m_interfaceIterator.Entry()->GetTargetSlotNumber() == m_pMD->GetSlot()); - } - } - } - - // Once we're done with the interface implementations, check for a MethodImpl - if (!fFoundImpl && m_pMD->IsMethodImpl()) - { - MethodImpl * pMethodImpl = m_pMD->GetMethodImpl(); - while ((m_iMethodImplIndex < pMethodImpl->GetSize()) && !fFoundImpl) - { - // If we haven't yet begun iterating method impls then don't move to the next element right away - // - otehrwise we'll potentially skip over the first MethodImpl - if (m_fMethodImplIterationBegun) - { - ++m_iMethodImplIndex; - } - else - { - m_fMethodImplIterationBegun = true; - } - - if (m_iMethodImplIndex < pMethodImpl->GetSize()) - { - // Skip over the interface MethodImpls since we already processed those - fFoundImpl = !pMethodImpl->GetImplementedMDs()[m_iMethodImplIndex]->IsInterface(); - } - } - } -} // MethodSecurityDescriptor::MethodImplementationIterator::Next - -TypeSecurityDescriptor* TypeSecurityDescriptor::GetTypeSecurityDescriptor(MethodTable* pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - 
TypeSecurityDescriptor* pTypeSecurityDesc =NULL; - - - pTypeSecurityDesc = (TypeSecurityDescriptor*)TokenSecurityDescriptor::LookupSecurityDescriptor(pMT); - if (pTypeSecurityDesc == NULL) - { - // didn't find a security descriptor, create one and insert it - LPVOID pMem = GetAppDomain()->GetLowFrequencyHeap()->AllocMem(S_SIZE_T(sizeof(TypeSecurityDescriptor))); - - // allocate a security descriptor, using the appdomain help memory - pTypeSecurityDesc = new (pMem) TypeSecurityDescriptor(pMT); - pTypeSecurityDesc->VerifyDataComputedInternal(); // compute all the data that is needed. - - TypeSecurityDescriptor* pExistingTypeSecurityDesc = NULL; - // insert securitydesc into our hash table - pExistingTypeSecurityDesc = (TypeSecurityDescriptor*)TokenSecurityDescriptor::InsertSecurityDescriptor(pMT, (HashDatum) pTypeSecurityDesc); - if (pExistingTypeSecurityDesc != NULL) - { - // if we found an existing security desc, use it - // no need to delete the one we had created, as we allocated it in the Appdomain help - pTypeSecurityDesc = pExistingTypeSecurityDesc; - } - } - - return pTypeSecurityDesc; -} - - -void TypeSecurityDescriptor::ComputeCriticalTransparentInfo() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - -#ifdef _DEBUG - // If we've setup a breakpoint when we compute the transparency of this type, then stop in the debugger now - SString strTypeTransparencyBreak(CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_TransparencyTypeBreak)); - SString strClassName(SString::Utf8, m_pMT->GetDebugClassName()); - if (strTypeTransparencyBreak.EqualsCaseInsensitive(strClassName)) - { - // Do not break in fuzzed assemblies where class name can be empty - if (!strClassName.IsEmpty()) - { - DebugBreak(); - } - } -#endif // _DEBUG - - // check to see if the assembly has the critical attribute - Assembly* pAssembly = m_pMT->GetAssembly(); - _ASSERTE(pAssembly); - ModuleSecurityDescriptor* pModuleSecDesc = 
ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pAssembly); - pModuleSecDesc->VerifyDataComputed(); - - EEClass *pClass = m_pMT->GetClass(); - TypeSecurityDescriptorFlags typeFlags = TypeSecurityDescriptorFlags_None; - - // If we're contained within another type, then we inherit the transparency of that type. Otherwise we - // check the module to see what type of transparency we have. - if (pClass->IsNested()) - { - // If the type is nested, see if the outer class tells us what our transparency is. Note that we cannot - // use a TypeSecurityDescriptor here since we may still be in the process of loading our outer type. - TokenSecurityDescriptor enclosingTokenSecurityDescriptor(m_pMT->GetModule(), m_pMT->GetEnclosingCl()); - if (enclosingTokenSecurityDescriptor.IsSemanticCritical()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical; - } - - // We want to propigate the TreatAsSafe bit even if the outer class is not critical because in the legacy - // transparency model you could have a TAS but not critical type, and the TAS propigated to all nested - // types. - if (enclosingTokenSecurityDescriptor.IsSemanticTreatAsSafe()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - const SecurityTransparencyBehavior *pTransparencyBehavior = m_pMT->GetAssembly()->GetSecurityTransparencyBehavior(); - _ASSERTE(pTransparencyBehavior); - - // If we're not nested, or if the outer type didn't give us enough information to determine what we were, - // then we need to look at the module to see what we are. - if (typeFlags == TypeSecurityDescriptorFlags_None) - { - if (pModuleSecDesc->IsAllTransparent()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllTransparent; - } - else if (pModuleSecDesc->IsOpportunisticallyCritical()) - { - // In level 1 transparency, opportunistically critical types are transparent, in level 2 they - // are critical. 
However, this causes problems when doing type equivalence between levels (for - // instance a type from a v2 PIA which was embedded into a v4 assembly). In order to allow type - // equivalence to work across security rule sets, we consider all types participating in - // equivalence to be transparent under the opportunistically critical rules: - // Participating in equivalence -> Transparent - // Level 1 -> Transparent - // Level 2 -> All critical - if (!pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods() && - !IsTypeEquivalent()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical; - } - } - else if (pModuleSecDesc->IsAllCritical()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical; - if (pModuleSecDesc->IsTreatAsSafe()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - } - } - - // We need to look at the type token for more information if we still don't know if we're transparent or - // critical. This can also happen if the type is in an opportunistically critical module, however the - // transparency model requires opportunistically critical types to be transparent. In this case, we need - // to make sure that we do not look at the metadata token. - TokenSecurityDescriptor classTokenSecurityDescriptor(m_pMT->GetModule(), - m_pMT->GetCl()); - - const TypeSecurityDescriptorFlags transparencyMask = TypeSecurityDescriptorFlags_IsCritical | - TypeSecurityDescriptorFlags_IsAllCritical | - TypeSecurityDescriptorFlags_IsAllTransparent; - - if (!(typeFlags & transparencyMask) && - !pModuleSecDesc->IsOpportunisticallyCritical()) - { - // First, ask the transparency behavior implementation to map from the metadata attributes to the real - // behavior that we should be seeing. - typeFlags |= pTransparencyBehavior->MapTypeAttributes(classTokenSecurityDescriptor.GetMetadataFlags()); - - // If we still don't know what the transparency of the type is, then we're transparent, but not all - // transparent. 
That implies that we're in a mixed assembly. - _ASSERTE((typeFlags & transparencyMask) || pModuleSecDesc->IsMixedTransparency()); - } - - // If the transparency behavior dictates that publics must be safe critical, then also set the treat as safe bit. - if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() && - ((typeFlags & TypeSecurityDescriptorFlags_IsCritical) || (typeFlags & TypeSecurityDescriptorFlags_IsAllCritical)) && - !(typeFlags & TypeSecurityDescriptorFlags_IsTreatAsSafe)) - { - if (IsTypeExternallyVisibleForTransparency()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - // It is common for a v2 assembly to mark a delegate type as explicitly critical rather than all critical, - // since in C# the syntax for creating a delegate type does not make it obvious that a new type is being - // defined. That leads to situations where we commonly have critical types with transparent memebers - - // a nonsense scenario that we reject due to the members not having access to their own this pointer. - // - // For compatibility, we implicitly convert all explicitly critical delegate types into all critical - // types, which is likely what the code intended in the first place, and allows delegate types which - // loaded on v2.0 to continue to load on future runtimes. - // - // Note: While loading BCL classes, we may be running this codepath before it is safe to call MethodTable::IsDelegate. - // That call can only happen after CLASS__MULTICASTDELEGATE has been loaded. However, we should not have any - // explicit critical Delegate types in mscorlib (that can only happen if you're loading v2.0 assembly or have SecurityScope.Explicit). - if ((typeFlags & TypeSecurityDescriptorFlags_IsCritical) && - !(typeFlags & TypeSecurityDescriptorFlags_IsAllCritical) && - m_pMT->IsDelegate()) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical; - } - - // Update the cached values in the EE Class. 
- g_IBCLogger.LogEEClassCOWTableAccess(m_pMT); - pClass->SetCriticalTransparentInfo( - typeFlags & TypeSecurityDescriptorFlags_IsTreatAsSafe, - typeFlags & TypeSecurityDescriptorFlags_IsAllTransparent, - typeFlags & TypeSecurityDescriptorFlags_IsAllCritical); -} - -void TypeSecurityDescriptor::ComputeTypeDeclarativeSecurityInfo() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // if method doesn't have any security return - if (!IsTdHasSecurity(m_pMT->GetAttrClass())) - { - return; - } - - DWORD dwDeclFlags; - HRESULT hr = SecurityDeclarative::GetDeclarationFlags(GetIMDInternalImport(), GetToken(), &dwDeclFlags, NULL, NULL); - - if (SUCCEEDED(hr)) - { - GCX_COOP(); - PsetCacheEntry *tokenSetIndexes[dclMaximumValue + 1]; - SecurityDeclarative::DetectDeclActionsOnToken(GetToken(), dwDeclFlags, tokenSetIndexes, GetIMDInternalImport()); - - // Create single linked list of set indexes - DWORD dwLocalAction; - for (dwLocalAction = 0; dwLocalAction <= dclMaximumValue; dwLocalAction++) - { - if (tokenSetIndexes[dwLocalAction] != NULL) - { - TokenDeclActionInfo::LinkNewDeclAction(&m_pTokenDeclActionInfo, - (CorDeclSecurity)dwLocalAction, - tokenSetIndexes[dwLocalAction]); - } - } - } -} - -BOOL TypeSecurityDescriptor::CanTypeSecurityDescriptorBeCached(MethodTable* pMT) -{ - LIMITED_METHOD_CONTRACT; - - EEClass *pClass = pMT->GetClass(); - return pClass->RequiresLinktimeCheck() || - pClass->RequiresInheritanceCheck() || - // NGEN accesses security descriptors frequently to check for security callouts - IsCompilationProcess(); -} - -BOOL TypeSecurityDescriptor::IsTypeExternallyVisibleForTransparency() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - PRECONDITION(m_pMT->GetAssembly()->GetSecurityTransparencyBehavior()->DoesPublicImplyTreatAsSafe()); - } - CONTRACTL_END; - - if (m_pMT->IsExternallyVisible()) - { - // If the type is genuinely externally visible, then it is also visible for transparency - return TRUE; - } - else if 
(m_pMT->IsGlobalClass()) - { - // Global methods are externally visible - return TRUE; - } - else if (m_pMT->IsSharedByGenericInstantiations()) - { - TokenSecurityDescriptor tokenSecDesc(m_pMT->GetModule(), m_pMT->GetCl()); - - // Canonical method tables for shared generic instantiations will appear to us as - // GenericClass<__Canon>, rather than the actual generic type parameter, and since __Canon is not - // public, these method tables will not appear to be public either. - // - // For these types, we'll look at the metadata directly, and ignore generic parameters to see - // if the type is public. Note that this will under-enforce; for instance G<CriticalRefType> will - // have it's G<__Canon> calls refered to as safe critical (which is necessary, since G<__Canon> - // is also the canonical representation for G<TransparentRefType>. We rely on the checks done by - // CheckTransparentAccessToCriticalCode in the CanAccess code path to reject any attempts to use - // the generic type over a critical parameter. - if (tokenSecDesc.IsSemanticExternallyVisible()) - { - return TRUE; - } - } - - return FALSE; -} - -void TypeSecurityDescriptor::VerifyDataComputedInternal() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - if (m_fIsComputed) - { - return; - } - - // If the type hasn't already cached it's transparency information, then we need to calculate it here. It - // can be cached if we're loading the type from a native image, but are creating the security descriptor - // in order to figure out declarative security. 
- if (!m_pMT->GetClass()->HasCriticalTransparentInfo()) - { - ComputeCriticalTransparentInfo(); - } - - // COMPUTE Type DECLARATIVE SECURITY INFO - ComputeTypeDeclarativeSecurityInfo(); - - // mark computed - InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_fIsComputed), TRUE, FALSE); -} - -void TypeSecurityDescriptor::InvokeInheritanceChecks(MethodTable* pChildMT) -{ - CONTRACTL - { - STANDARD_VM_CHECK; - PRECONDITION(CheckPointer(pChildMT)); - } - CONTRACTL_END; - - const SecurityTransparencyBehavior *pChildTransparencyBehavior = pChildMT->GetAssembly()->GetSecurityTransparencyBehavior(); - if (pChildTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled()) - { - // We compare the child class with the most critical base class in the type hierarchy. - // - // We can stop walking the inheritance chain if we find a type that also enforces inheritance rules, - // since we know that it must be at least as critical as the most critical of all its base types. - // Similarly, we can stop walking when we find a critical parent, because we know that this is the - // most critical we can get. 
- bool fFoundCriticalParent = false; - bool fFoundSafeCriticalParent = false; - bool fFoundParentWithEnforcedInheritance = false; - - for (MethodTable *pParentMT = m_pMT; - pParentMT != NULL && !fFoundParentWithEnforcedInheritance && !fFoundCriticalParent; - pParentMT = pParentMT->GetParentMethodTable()) - { - EEClass *pParentClass = pParentMT->GetClass(); - - // Make sure this parent class has its transparency information computed - if (!pParentClass->HasCriticalTransparentInfo()) - { - TypeSecurityDescriptor parentSecurityDescriptor(pParentMT); - parentSecurityDescriptor.ComputeCriticalTransparentInfo(); - } - - // See if it is critical or safe critical - if (pParentClass->IsCritical() && pParentClass->IsTreatAsSafe()) - { - fFoundSafeCriticalParent = true; - } - else if (pParentClass->IsCritical() && !pParentClass->IsTreatAsSafe()) - { - fFoundCriticalParent = true; - } - - // If this parent class enforced transparency, we can stop looking at further parents - const SecurityTransparencyBehavior *pParentTransparencyBehavior = pParentMT->GetAssembly()->GetSecurityTransparencyBehavior(); - fFoundParentWithEnforcedInheritance = pParentTransparencyBehavior->AreInheritanceRulesEnforced(); - } - - /* - Allowed Inheritance Patterns - ---------------------------- - - Base Class/Method Derived Class/ Method - ----------------- --------------------- - Transparent Transparent - Transparent SafeCritical - Transparent Critical - SafeCritical SafeCritical - SafeCritical Critical - Critical Critical - - - Disallowed Inheritance patterns - ------------------------------- - - Base Class/Method Derived Class /Method - ----------------- --------------------- - SafeCritical Transparent - Critical Transparent - Critical SafeCritical - */ - - // Make sure the child class has its transparency calculated - EEClass *pChildClass = pChildMT->GetClass(); - if (!pChildClass->HasCriticalTransparentInfo()) - { - TypeSecurityDescriptor childSecurityDescriptor(pChildMT); - 
childSecurityDescriptor.ComputeCriticalTransparentInfo(); - } - - if (fFoundCriticalParent) - { - if (!pChildClass->IsCritical() || pChildClass->IsTreatAsSafe()) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMT, "Transparent or safe critical type deriving from a critical base type"); - } -#endif // _DEBUG - // The parent class is critical, but the child class is not - SecurityTransparent::ThrowTypeLoadException(pChildMT); - } - } - else if (fFoundSafeCriticalParent) - { - if (!pChildClass->IsCritical()) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pChildMT, "Transparent type deriving from a safe critical base type"); - } -#endif // _DEBUG - // The parent class is safe critical, but the child class is transparent - SecurityTransparent::ThrowTypeLoadException(pChildMT); - } - } - } - -} - -// Module security descriptor contains static security information about the module -// this information could get persisted in the NGen image -void ModuleSecurityDescriptor::VerifyDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - SO_INTOLERANT; - } - CONTRACTL_END; - - if (m_flags & ModuleSecurityDescriptorFlags_IsComputed) - { - return; - } - - - // Read the security attributes from the assembly - Assembly *pAssembly = m_pModule->GetAssembly(); - - // Get the metadata flags on the assembly. Note that we cannot use a TokenSecurityDescriptor directly - // here because Reflection.Emit may have overriden the metadata flags with different ones of its own - // choosing. - TokenSecurityDescriptorFlags tokenFlags = GetTokenFlags(); - - - - // Get a transparency behavior object for the assembly. 
- const SecurityTransparencyBehavior *pTransparencyBehavior = - SecurityTransparencyBehavior::GetTransparencyBehavior(GetSecurityRuleSet()); - pAssembly->SetSecurityTransparencyBehavior(pTransparencyBehavior); - - ModuleSecurityDescriptorFlags moduleFlags = pTransparencyBehavior->MapModuleAttributes(tokenFlags); - - AssemblySecurityDescriptor *pAssemSecDesc = static_cast<AssemblySecurityDescriptor*>(pAssembly->GetSecurityDescriptor()); - - // We shouldn't be both all transparent and all critical - const ModuleSecurityDescriptorFlags invalidMask = ModuleSecurityDescriptorFlags_IsAllCritical | - ModuleSecurityDescriptorFlags_IsAllTransparent; - if ((moduleFlags & invalidMask) == invalidMask) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pAssembly, "Found both critical and transparent assembly level annotations"); - } - if (!g_pConfig->DisableTransparencyEnforcement()) -#endif // _DEBUG - { - COMPlusThrow(kInvalidOperationException, W("InvalidOperation_CriticalTransparentAreMutuallyExclusive")); - } - } - - const ModuleSecurityDescriptorFlags transparencyMask = ModuleSecurityDescriptorFlags_IsAllCritical | - ModuleSecurityDescriptorFlags_IsAllTransparent | - ModuleSecurityDescriptorFlags_IsTreatAsSafe | - ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical; - - // See if the assembly becomes implicitly transparent if loaded in partial trust - if (pTransparencyBehavior->DoesPartialTrustImplyAllTransparent()) - { - if (!pAssemSecDesc->IsFullyTrusted()) - { - moduleFlags &= ~transparencyMask; - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent; - - moduleFlags |= ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust; - - SString strAssemblyName; - pAssembly->GetDisplayName(strAssemblyName); - LOG((LF_SECURITY, - LL_INFO10, - "Assembly '%S' was loaded in partial trust and was made implicitly all transparent.\n", - strAssemblyName.GetUnicode())); - } - } - - // If the assembly is not 
allowed to use the SkipVerificationInFullTrust optimization, then disable that bit - if (!pAssembly->GetSecurityDescriptor()->AllowSkipVerificationInFullTrust()) - { - moduleFlags &= ~ModuleSecurityDescriptorFlags_SkipFullTrustVerification; - } - - // Make sure that if the assembly is being loaded in partial trust that it is all transparent. This is a - // change from v2.0 rules, and for compatibility we use the DoesPartialTrustImplyAllTransparent check to - // ensure that v2 assemblies can load in partial trust unmodified. This change does allow us to follow - // the CoreCLR model of using transparency for security enforcement, rather than the v2.0 model of using - // transparency only for audit. - if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted() && - !(moduleFlags & ModuleSecurityDescriptorFlags_IsAllTransparent)) - { - SString strAssemblyName; - pAssembly->GetDisplayName(strAssemblyName); - -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pAssembly, "Attempt to load an assembly which is not fully transparent in partial trust"); - } - if (g_pConfig->DisableTransparencyEnforcement()) - { - SecurityTransparent::LogTransparencyError(pAssembly, "Forcing partial trust assembly to be fully transparent"); - if (!pAssembly->GetSecurityDescriptor()->IsFullyTrusted()) - { - moduleFlags &= ~transparencyMask; - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent; - - } - } - else -#endif // _DEBUG - { - COMPlusThrow(kFileLoadException, IDS_E_LOAD_CRITICAL_IN_PARTIAL_TRUST, strAssemblyName.GetUnicode()); - } - } - - -#ifdef _DEBUG - // If we're being forced to generate native code for this assembly which can be used in a partial trust - // context, then we need to ensure that the assembly is entirely transparent -- otherwise the code may - // perform a critical operation preventing the ngen image from being loaded into partial trust. 
- if (CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_NGenForPartialTrust) != 0) - { - moduleFlags &= ~transparencyMask; - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent; - } -#endif // _DEBUG - - // Mark the module as having its security state computed - moduleFlags |= ModuleSecurityDescriptorFlags_IsComputed; - InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_flags), - moduleFlags, - ModuleSecurityDescriptorFlags_None); - - // If this assert fires, we ended up racing to different outcomes - _ASSERTE(m_flags == moduleFlags); -} - - -ModuleSecurityDescriptor* ModuleSecurityDescriptor::GetModuleSecurityDescriptor(Assembly *pAssembly) -{ - WRAPPER_NO_CONTRACT; - - Module* pModule = pAssembly->GetManifestModule(); - _ASSERTE(pModule); - - ModuleSecurityDescriptor* pModuleSecurityDesc = pModule->m_pModuleSecurityDescriptor; - _ASSERTE(pModuleSecurityDesc); - - return pModuleSecurityDesc; -} - -#ifdef FEATURE_NATIVE_IMAGE_GENERATION -VOID ModuleSecurityDescriptor::Save(DataImage *image) -{ - STANDARD_VM_CONTRACT; - VerifyDataComputed(); - image->StoreStructure(this, - sizeof(ModuleSecurityDescriptor), - DataImage::ITEM_MODULE_SECDESC); -} - -VOID ModuleSecurityDescriptor::Fixup(DataImage *image) -{ - STANDARD_VM_CONTRACT; - image->FixupPointerField(this, offsetof(ModuleSecurityDescriptor, m_pModule)); -} -#endif - -#if defined(FEATURE_CORESYSTEM) - -//--------------------------------------------------------------------------------------- -// -// Parse an APTCA blob into its corresponding token security descriptor flags. 
-// - -TokenSecurityDescriptorFlags ParseAptcaAttribute(const BYTE *pbAptcaBlob, DWORD cbAptcaBlob) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pbAptcaBlob)); - } - CONTRACTL_END; - - TokenSecurityDescriptorFlags aptcaFlags = TokenSecurityDescriptorFlags_None; - - CustomAttributeParser cap(pbAptcaBlob, cbAptcaBlob); - if (SUCCEEDED(cap.SkipProlog())) - { - aptcaFlags |= TokenSecurityDescriptorFlags_APTCA; - - // Look for the PartialTrustVisibilityLevel named argument - CaNamedArg namedArgs[1] = {{0}}; - namedArgs[0].InitI4FieldEnum(g_PartialTrustVisibilityLevel, g_SecurityPartialTrustVisibilityLevel); - - if (SUCCEEDED(ParseKnownCaNamedArgs(cap, namedArgs, _countof(namedArgs)))) - { - // If we have a partial trust visiblity level, then we may additionally be conditionally APTCA. - PartialTrustVisibilityLevel visibilityLevel = static_cast<PartialTrustVisibilityLevel>(namedArgs[0].val.u4); - if (visibilityLevel == PartialTrustVisibilityLevel_NotVisibleByDefault) - { - aptcaFlags |= TokenSecurityDescriptorFlags_ConditionalAPTCA; - } - } - } - - return aptcaFlags; -} - -#endif // defined(FEATURE_CORESYSTEM) - -//--------------------------------------------------------------------------------------- -// -// Parse a security rules attribute blob into its corresponding token security descriptor -// flags. 
-// - -TokenSecurityDescriptorFlags ParseSecurityRulesAttribute(const BYTE *pbSecurityRulesBlob, - DWORD cbSecurityRulesBlob) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pbSecurityRulesBlob)); - } - CONTRACTL_END; - - TokenSecurityDescriptorFlags rulesFlags = TokenSecurityDescriptorFlags_None; - - CustomAttributeParser cap(pbSecurityRulesBlob, cbSecurityRulesBlob); - if (SUCCEEDED(cap.SkipProlog())) - { - rulesFlags |= TokenSecurityDescriptorFlags_SecurityRules; - - // Read out the version number - UINT8 bRulesLevel = 0; - if (SUCCEEDED(cap.GetU1(&bRulesLevel))) - { - rulesFlags |= EncodeSecurityRuleSet(static_cast<SecurityRuleSet>(bRulesLevel)); - } - - // See if the attribute specified that full trust transparent code should not be verified - CaNamedArg skipVerificationArg; - skipVerificationArg.InitBoolField("SkipVerificationInFullTrust", FALSE); - if (SUCCEEDED(ParseKnownCaNamedArgs(cap, &skipVerificationArg, 1))) - { - if (skipVerificationArg.val.boolean) - { - rulesFlags |= TokenSecurityDescriptorFlags_SkipFullTrustVerification; - } - } - } - - return rulesFlags; -} - -// grok the meta data and compute the necessary attributes -void TokenSecurityDescriptor::VerifyDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(m_pModule)); - } - CONTRACTL_END; - - if (m_flags & TokenSecurityDescriptorFlags_IsComputed) - { - return; - } - - // Loop over the attributes on the token, reading off bits that are interesting for security - TokenSecurityDescriptorFlags flags = ReadSecurityAttributes(m_pModule->GetMDImport(), m_token); - flags |= TokenSecurityDescriptorFlags_IsComputed; - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), flags); -} - -// static -TokenSecurityDescriptorFlags TokenSecurityDescriptor::ReadSecurityAttributes(IMDInternalImport *pmdImport, mdToken token) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pmdImport)); 
- } - CONTRACTL_END; - - TokenSecurityDescriptorFlags flags = TokenSecurityDescriptorFlags_None; - - HENUMInternalHolder hEnum(pmdImport); - hEnum.EnumInit(mdtCustomAttribute, token); - - mdCustomAttribute currentAttribute; - while (hEnum.EnumNext(¤tAttribute)) - { - LPCSTR szAttributeName; - LPCSTR szAttributeNamespace; - - if (FAILED(pmdImport->GetNameOfCustomAttribute(currentAttribute, &szAttributeNamespace, &szAttributeName))) - { - continue; - } - - // The only attributes we care about are in System.Security, so move on if we found something in a - // different namespace - if (szAttributeName != NULL && - szAttributeNamespace != NULL && - strcmp(g_SecurityNS, szAttributeNamespace) == 0) - { -#if defined(FEATURE_CORESYSTEM) - if (strcmp(g_SecurityAPTCA + sizeof(g_SecurityNS), szAttributeName) == 0) - { - // Check the visibility parameter - const BYTE *pbAttributeBlob; - ULONG cbAttributeBlob; - - if (FAILED(pmdImport->GetCustomAttributeAsBlob(currentAttribute, reinterpret_cast<const void **>(&pbAttributeBlob), &cbAttributeBlob))) - { - continue; - } - - TokenSecurityDescriptorFlags aptcaFlags = ParseAptcaAttribute(pbAttributeBlob, cbAttributeBlob); - flags |= aptcaFlags; - } - else -#endif // defined(FEATURE_CORESYSTEM) - if (strcmp(g_SecurityCriticalAttribute + sizeof(g_SecurityNS), szAttributeName) == 0) - { - flags |= TokenSecurityDescriptorFlags_Critical; - - } - else if (strcmp(g_SecuritySafeCriticalAttribute + sizeof(g_SecurityNS), szAttributeName) == 0) - { - flags |= TokenSecurityDescriptorFlags_SafeCritical; - } - else if (strcmp(g_SecurityTransparentAttribute + sizeof(g_SecurityNS), szAttributeName) == 0) - { - flags |= TokenSecurityDescriptorFlags_Transparent; - } - } - } - - return flags; -} - -//--------------------------------------------------------------------------------------- -// -// Calculate the semantic critical / transparent state for this metadata token. 
-// See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup -// - -void TokenSecurityDescriptor::VerifySemanticDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - if (m_flags & TokenSecurityDescriptorFlags_IsSemanticComputed) - { - return; - } - - - bool fIsSemanticallyCritical = false; - bool fIsSemanticallyTreatAsSafe = false; - bool fIsSemanticallyExternallyVisible = false; - - // Check the module to see if every type in the module is the same - Assembly *pAssembly = m_pModule->GetAssembly(); - ModuleSecurityDescriptor* pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pAssembly); - if (pModuleSecDesc->IsAllTransparent()) - { - // If the module is explicitly Transparent, then everything in it is Transparent - fIsSemanticallyCritical = false; - fIsSemanticallyTreatAsSafe = false; - } - else if (pModuleSecDesc->IsAllCritical()) - { - // If the module is critical or safe critical, then everything in it matches - fIsSemanticallyCritical = true; - - if (pModuleSecDesc->IsTreatAsSafe()) - { - fIsSemanticallyTreatAsSafe = true; - } - } - else if (pModuleSecDesc->IsOpportunisticallyCritical()) - { - // There are three cases for an opportunistically critical type: - // 1. Level 2 transparency - all types are critical - // 2. Level 1 transparency - all types are transparent - // 3. Types participating in type equivalence (regardless of level) - types are transparent - // - // Therefore, we consider the type critical only if it is level 2, otherwise keep it transparent. 
- - const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior(); - if (!pTransparencyBehavior->DoesOpportunisticRequireOnlySafeCriticalMethods() && - !IsTypeEquivalent()) - { - // If the module is opportunistically critical, then every type in it is critical - fIsSemanticallyCritical = true; - } - } - // Mixed transparency - else - { - const TypeSecurityDescriptorFlags criticalMask = TypeSecurityDescriptorFlags_IsAllCritical | - TypeSecurityDescriptorFlags_IsCritical; - const TypeSecurityDescriptorFlags treatAsSafeMask = TypeSecurityDescriptorFlags_IsTreatAsSafe; - - const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior(); - _ASSERTE(pTransparencyBehavior != NULL); - - // We don't have full module-level state, so we need to loop over the tokens to figure it out. - IMDInternalImport* pMdImport = m_pModule->GetMDImport(); - mdToken tkCurrent = m_token; - mdToken tkPrev = mdTokenNil; - - // First, we need to walk the chain inside out, building up a stack so that we can pop the stack from - // the outside in, looking for the largest scope with a statement about the transparency of the types. - CStackArray<mdToken> typeTokenStack; - while (tkPrev != tkCurrent) - { - typeTokenStack.Push(tkCurrent); - tkPrev = tkCurrent; - IfFailThrow(pMdImport->GetParentToken(tkPrev, &tkCurrent)); - } - - // - // Walk up the chain of containing types, starting with the current metadata token. At each step on the - // chain, keep track of if we've been marked critical / treat as safe yet. - // - // It's important that we use only metadata tokens here, rather than using EEClass and - // TypeSecurityDescriptors, since this method can be called while loading nested types and using - // TypESecurityDescriptor can lead to recursion during type load. - // - // We also need to walk the chain from the outside in, since we listen to the outermost marking. 
We - // can stop looking at tokens once we found one that has a transparency marking (we've become either - // critical or safe critical), and we've determined that the inner types are not publicly visible. - // - - // We'll start out by saying all tokens are not public if public doesn't imply treat as safe - that - // way we don't flip over to safe critical even if they are all public - bool fAllTokensPublic = pTransparencyBehavior->DoesPublicImplyTreatAsSafe(); - - while (typeTokenStack.Count() > 0 && !fIsSemanticallyCritical) - { - mdToken *ptkCurrentType = typeTokenStack.Pop(); - TokenSecurityDescriptor currentTokenSD(m_pModule, *ptkCurrentType); - - // Check to see if the current type is critical / treat as safe. We only want to check this if we - // haven't already found an outer type that had a transparency attribute; otherwise we would let - // an inner scope have more priority than its containing scope - TypeSecurityDescriptorFlags currentTypeFlags = pTransparencyBehavior->MapTypeAttributes(currentTokenSD.GetMetadataFlags()); - if (!fIsSemanticallyCritical) - { - fIsSemanticallyCritical = !!(currentTypeFlags & criticalMask); - fIsSemanticallyTreatAsSafe |= !!(currentTypeFlags & treatAsSafeMask); - } - - // If the assembly uses a transparency model where publicly visible items are treat as safe, then - // we need to check to see if all the types in the containment chain are visible - if (fAllTokensPublic) - { - DWORD dwTypeAttrs; - IfFailThrow(pMdImport->GetTypeDefProps(tkCurrent, &dwTypeAttrs, NULL)); - - fAllTokensPublic = IsTdPublic(dwTypeAttrs) || - IsTdNestedPublic(dwTypeAttrs) || - IsTdNestedFamily(dwTypeAttrs) || - IsTdNestedFamORAssem(dwTypeAttrs); - } - } - - // If public implies treat as safe, all the types were visible, and we are semantically critical - // then we're actually semantically safe critical - if (fAllTokensPublic) - { - _ASSERTE(pTransparencyBehavior->DoesPublicImplyTreatAsSafe()); - - fIsSemanticallyExternallyVisible = true; - - if 
(fIsSemanticallyCritical) - { - fIsSemanticallyTreatAsSafe = true; - } - } - } - - // Further, if we're critical due to the assembly, and public implies treat as safe, - // and the outermost nested type is public, then we are safe critical - if (pModuleSecDesc->IsAllCritical() || - pModuleSecDesc->IsOpportunisticallyCritical()) - { - // We shouldn't have determined if we're externally visible or not yet - _ASSERTE(!fIsSemanticallyExternallyVisible); - - const SecurityTransparencyBehavior *pTransparencyBehavior = pAssembly->GetSecurityTransparencyBehavior(); - - if (pTransparencyBehavior->DoesPublicImplyTreatAsSafe() && - fIsSemanticallyCritical && - !fIsSemanticallyTreatAsSafe) - { - IMDInternalImport* pMdImport = m_pModule->GetMDImport(); - mdToken tkCurrent = m_token; - mdToken tkPrev = mdTokenNil; - HRESULT hrIter = S_OK; - - while (SUCCEEDED(hrIter) && tkCurrent != tkPrev) - { - tkPrev = tkCurrent; - hrIter = pMdImport->GetNestedClassProps(tkPrev, &tkCurrent); - - if (!SUCCEEDED(hrIter)) - { - if (hrIter == CLDB_E_RECORD_NOTFOUND) - { - // We don't have a parent class, so use the previous as our outermost - tkCurrent = tkPrev; - } - else - { - ThrowHR(hrIter); - } - } - - DWORD dwOuterTypeAttrs; - IfFailThrow(pMdImport->GetTypeDefProps(tkCurrent, &dwOuterTypeAttrs, NULL)); - if (IsTdPublic(dwOuterTypeAttrs)) - { - fIsSemanticallyExternallyVisible = true; - fIsSemanticallyTreatAsSafe = true; - } - } - } - } - - // Save away the semantic state that we just computed - TokenSecurityDescriptorFlags semanticFlags = TokenSecurityDescriptorFlags_IsSemanticComputed; - if (fIsSemanticallyCritical) - semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticCritical; - if (fIsSemanticallyTreatAsSafe) - semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe; - if (fIsSemanticallyExternallyVisible) - semanticFlags |= TokenSecurityDescriptorFlags_IsSemanticExternallyVisible; - - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), 
static_cast<DWORD>(semanticFlags)); -} - -HashDatum TokenSecurityDescriptor::LookupSecurityDescriptor(void* pKey) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - HashDatum datum; - AppDomain* pDomain = GetAppDomain(); - - EEPtrHashTable &rCachedMethodPermissionsHash = pDomain->m_pSecContext->m_pCachedMethodPermissionsHash; - - // We need to switch to cooperative GC here. But using GCX_COOP here - // causes 20% perf degrade in some declarative security assert scenario. - // We should fix this one. - CONTRACT_VIOLATION(ModeViolation); - // Fast attempt, that may fail (and return FALSE): - if (!rCachedMethodPermissionsHash.GetValueSpeculative(pKey, &datum)) - { - // Slow call - datum = LookupSecurityDescriptor_Slow(pDomain, pKey, rCachedMethodPermissionsHash); - } - return datum; -} - -HashDatum TokenSecurityDescriptor::LookupSecurityDescriptor_Slow(AppDomain* pDomain, - void* pKey, - EEPtrHashTable &rCachedMethodPermissionsHash ) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - HashDatum datum; - SimpleRWLock* prGlobalLock = pDomain->m_pSecContext->m_prCachedMethodPermissionsLock; - // look up the cache in the slow mode - // in the false failure case, we'll recheck the cache anyway - SimpleReadLockHolder readLockHolder(prGlobalLock); - if (rCachedMethodPermissionsHash.GetValue(pKey, &datum)) - { - return datum; - } - return NULL; -} - -HashDatum TokenSecurityDescriptor::InsertSecurityDescriptor(void* pKey, HashDatum pHashDatum) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - AppDomain* pDomain = GetAppDomain(); - SimpleRWLock* prGlobalLock = pDomain->m_pSecContext->m_prCachedMethodPermissionsLock; - EEPtrHashTable &rCachedMethodPermissionsHash = pDomain->m_pSecContext->m_pCachedMethodPermissionsHash; - - HashDatum pFoundHashDatum = NULL; - // insert the computed details in our hash table - { - SimpleWriteLockHolder writeLockHolder(prGlobalLock); - // since the hash table 
doesn't support duplicates by
- // default, we need to recheck in case another thread
- // added the value during a context switch
- if (!rCachedMethodPermissionsHash.GetValue(pKey, &pFoundHashDatum))
- {
- // no entry was found
- _ASSERTE(pFoundHashDatum == NULL);
- // Place the new entry into the hash.
- rCachedMethodPermissionsHash.InsertValue(pKey, pHashDatum);
- }
- }
- // return the value found in the lookup, in case there was a duplicate
- return pFoundHashDatum;
-}
diff --git a/src/vm/securitymeta.h b/src/vm/securitymeta.h
deleted file mode 100644
index 8247204e56..0000000000
--- a/src/vm/securitymeta.h
+++ /dev/null
@@ -1,654 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -//-------------------------------------------------------------------------- -// securitymeta.h -// -// pre-computes various security information, declarative and runtime meta-info -// - - -// -//-------------------------------------------------------------------------- - - -#ifndef __SECURITYMETA_H__ -#define __SECURITYMETA_H__ - -class SecurityStackWalk; -class AssertStackWalk; -class PsetCacheEntry; -class SecurityTransparencyBehavior; -struct DeclActionInfo; - -#define INVALID_SET_INDEX ((DWORD)~0) - -// The enum that describes the value of the SecurityCriticalFlags in SecurityCritical attribute. -enum SecurityCriticalFlags -{ - SecurityCriticalFlags_None = 0, - SecurityCriticalFlags_All = 0x1 -}; - -// Security rule sets that can be used - this enum should match the BCL SecurityRuleSet enum -enum SecurityRuleSet -{ - SecurityRuleSet_Level1 = 1, // v2.0 rules - SecurityRuleSet_Level2 = 2, // v4.0 rules - - SecurityRuleSet_Min = SecurityRuleSet_Level1, // Smallest rule set we understand - SecurityRuleSet_Max = SecurityRuleSet_Level2, // Largest rule set we understand - SecurityRuleSet_Default = SecurityRuleSet_Level2 // Rule set to use if unspecified -}; - -// Partial trust visibility level for APTCA assemblies - this enum should match the BCL -// PartialTrustVisibilityLevel enum -enum PartialTrustVisibilityLevel -{ - PartialTrustVisibilityLevel_VisibleToAllHosts = 0, - PartialTrustVisibilityLevel_NotVisibleByDefault = 1 -}; - -SELECTANY const DWORD DCL_FLAG_MAP[] = -{ - 0, // dclActionNil = 0 - DECLSEC_REQUESTS, // dclRequest = 1 - DECLSEC_DEMANDS, // dclDemand = 2 - DECLSEC_ASSERTIONS, // dclAssert = 3 - DECLSEC_DENIALS, // dclDeny = 4 - DECLSEC_PERMITONLY, // dclPermitOnly = 5 - DECLSEC_LINK_CHECKS, // dclLinktimeCheck = 6 - 
DECLSEC_INHERIT_CHECKS, // dclInheritanceCheck = 7 - DECLSEC_REQUESTS, // dclRequestMinimum = 8 - DECLSEC_REQUESTS, // dclRequestOptional = 9 - DECLSEC_REQUESTS, // dclRequestRefuse = 10 - 0, // dclPrejitGrant = 11 - 0, // dclPrejitDenied = 12 - DECLSEC_NONCAS_DEMANDS, // dclNonCasDemand = 13 - DECLSEC_NONCAS_LINK_DEMANDS, // dclNonCasLinkDemand = 14 - DECLSEC_NONCAS_INHERITANCE, // dclNonCasInheritance = 15 -}; -#define DCL_FLAG_MAP_SIZE (sizeof(DCL_FLAG_MAP)/sizeof(DWORD)) -#define DclToFlag(dcl) (((size_t)dcl < DCL_FLAG_MAP_SIZE) ? DCL_FLAG_MAP[dcl] : 0) - - -struct TokenDeclActionInfo -{ - DWORD dwDeclAction; // This'll tell InvokeDeclarativeSecurity whats the action needed - PsetCacheEntry *pPCE; // The cached permissionset on which to demand/assert/deny/etc - TokenDeclActionInfo* pNext; // pointer to next action link in chain - - static TokenDeclActionInfo *Init(DWORD dwAction, PsetCacheEntry *pPCE); - static void LinkNewDeclAction(TokenDeclActionInfo** ppActionList, CorDeclSecurity action, PsetCacheEntry *pPCE); - - - HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPCE); - - OBJECTREF GetLinktimePermissions(OBJECTREF *prefNonCasDemands); - void InvokeLinktimeChecks(Assembly* pCaller); -}; - -// Flags about the raw security attributes found on a metadata token, as well as semantic interpretations of -// them in some cases (see code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup). 
These flags -// are split into several sections: -// -// 32 28 16 12 4 0 -// | Rules version | Rules Bits | Semantic data | Raw attributes | Metabits | -// -// Rules version - the SecurityRuleSet selected by a SecurityRules attribute -// Rules bits - extra flags set on a SecurityRules attribute -// Semantic data - Flags indicating the security state of the item represented by the token taking into -// account parent types and modules - giving the true semantic security state -// (see code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup) -// Raw attributes - Flags for data we read directly out of metadata; these only indicate that the attributes -// are set, and do not indicate the actual security state of the token until they have been -// interpreted by the assembly they are applied within. -// Metabits - Flags about the state of the token security descriptor itself -enum TokenSecurityDescriptorFlags -{ - // Metabits - TokenSecurityDescriptorFlags_None = 0x00000000, - TokenSecurityDescriptorFlags_IsComputed = 0x00000001, - - // Raw attributes - TokenSecurityDescriptorFlags_RawAttributeMask = 0x00000FF0, - TokenSecurityDescriptorFlags_AllCritical = 0x00000010, // [SecurityCritical(SecurityCriticalScope.All)] - TokenSecurityDescriptorFlags_APTCA = 0x00000020, // [AllowPartiallyTrustedCallers] (VisibleByDefault) - TokenSecurityDescriptorFlags_ConditionalAPTCA = 0x00000040, // [AllowPartiallyTrustedCallers] (NotVisibleByDefault) - TokenSecurityDescriptorFlags_Critical = 0x00000080, // [SecurityCritical] (regardless of scope) - TokenSecurityDescriptorFlags_SecurityRules = 0x00000100, // [SecurityRules] - TokenSecurityDescriptorFlags_SafeCritical = 0x00000200, // [SecuritySafeCritical] - TokenSecurityDescriptorFlags_Transparent = 0x00000400, // [SecurityTransparent] - TokenSecurityDescriptorFlags_TreatAsSafe = 0x00000800, // [SecurityTreatAsSafe] - - // Semantic data - TokenSecurityDescriptorFlags_SemanticMask = 0x000FF000, - 
TokenSecurityDescriptorFlags_IsSemanticComputed = 0x00001000, - TokenSecurityDescriptorFlags_IsSemanticCritical = 0x00002000, - TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe = 0x00004000, - TokenSecurityDescriptorFlags_IsSemanticExternallyVisible= 0x00008000, - - // Rules bits - TokenSecurityDescriptorFlags_RulesMask = 0x0FFF0000, - TokenSecurityDescriptorFlags_SkipFullTrustVerification = 0x00010000, // In full trust do not do IL verificaiton for transparent code - - // Rules version - TokenSecurityDescriptorFlags_RulesVersionMask = 0xF0000000 -}; - -inline TokenSecurityDescriptorFlags operator|(TokenSecurityDescriptorFlags lhs, - TokenSecurityDescriptorFlags rhs); - -inline TokenSecurityDescriptorFlags operator|=(TokenSecurityDescriptorFlags& lhs, - TokenSecurityDescriptorFlags rhs); - -inline TokenSecurityDescriptorFlags operator&(TokenSecurityDescriptorFlags lhs, - TokenSecurityDescriptorFlags rhs); - -inline TokenSecurityDescriptorFlags operator&=(TokenSecurityDescriptorFlags& lhs, - TokenSecurityDescriptorFlags rhs); - -inline TokenSecurityDescriptorFlags operator~(TokenSecurityDescriptorFlags flags); - -// Get the version of the security rules that token security descriptor flags are requesting -inline SecurityRuleSet GetSecurityRuleSet(TokenSecurityDescriptorFlags flags); - -// Encode a security rule set into token flags - this reverses GetSecurityRuleSet -inline TokenSecurityDescriptorFlags EncodeSecurityRuleSet(SecurityRuleSet ruleSet); - - -TokenSecurityDescriptorFlags ParseSecurityRulesAttribute(const BYTE *pbSecurityRulesBlob, - DWORD cbSecurityRulesBlob); - -// -// #TokenSecurityDescriptorSemanticLookup -// -// Token security descriptors are used to get information on the security state of a specific metadata -// token. They have two types of lookup - standard and semantic. Standard lookup is cheaper and only looks at -// the specific metadata token. 
Semantic lookup will follow the token to its parents, figuring out if the
-// token is semanticaly critical or transparent due to a containing item. For instance:
-//
-// [SecurityCritical]
-// class A
-// {
-// class B { }
-// }
-//
-// A TokenSecurityDescriptor's standard lookup for B will say that it is transparent because B does not
-// directly have a critical attribute. However, a semantic lookup will notice that A is critical and
-// contains B, therefore B is also critical.
-//
-
-class TokenSecurityDescriptor
-{
-private:
- PTR_Module m_pModule;
- mdToken m_token;
- TokenSecurityDescriptorFlags m_flags;
-
-public:
- inline TokenSecurityDescriptor(PTR_Module pModule, mdToken token);
-
- void VerifyDataComputed();
- void VerifySemanticDataComputed();
-
- // Get the raw flags for the token
- inline TokenSecurityDescriptorFlags GetFlags();
-
- //
- // Critical / transparent checks for the specific metadata token only - these methods do not take into
- // account the containment of the token and therefore only include information about the token itself
- // and cannot be used to determine if the item represented by the token is semantically critical.
- //
- // See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup
- //
-
- // Get the attributes that were set on the token
- inline TokenSecurityDescriptorFlags GetMetadataFlags();
-
- //
- // Semantic critical / transparent checks for the metadata token - these methods take into account
- // containers of the token to get a true semantic security status for the token.
- //
- // See code:TokenSecurityDescriptor#TokenSecurityDescriptorSemanticLookup
- //
-
- inline BOOL IsSemanticCritical();
-
- inline BOOL IsSemanticTreatAsSafe();
-
- inline BOOL IsSemanticExternallyVisible();
-
- // static helper to find cached security descriptors based on token
- static HashDatum LookupSecurityDescriptor(void* pKey);
-
- static HashDatum LookupSecurityDescriptor_Slow(AppDomain* pDomain,
- void* pKey,
- EEPtrHashTable &rCachedMethodPermissionsHash );
-
- // static helper to insert a security descriptor for a token, dupes not allowed, returns previous entry in hash table
- static HashDatum InsertSecurityDescriptor(void* pKey, HashDatum pHashDatum);
-
- // static helper to parse the security attributes for a token from a given metadata importer
- static TokenSecurityDescriptorFlags ReadSecurityAttributes(IMDInternalImport *pmdImport, mdToken token);
-
-private:
- // does the type represented by this TokenSecurityDescriptor particpate in type equivalence
- inline BOOL IsTypeEquivalent();
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class TokenSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const TokenSecurityDescriptor *m_pTSD;
-
- public:
- inline TokenSecurityDescriptorTransparencyEtwEvents(const TokenSecurityDescriptor *pTSD);
- inline ~TokenSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-enum MethodSecurityDescriptorFlags
-{
- MethodSecurityDescriptorFlags_None = 0x0000,
- MethodSecurityDescriptorFlags_IsComputed = 0x0001,
-
- // Method transparency info is cached directly on MethodDesc for performance reasons
- // These flags are used only during calculation of transparency information; runtime data
- // should be read from the method desc
- MethodSecurityDescriptorFlags_IsCritical = 0x0002,
- MethodSecurityDescriptorFlags_IsTreatAsSafe = 0x0004,
-
- MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly = 0x0008,
- MethodSecurityDescriptorFlags_IsDemandsOnly = 0x0010,
-
MethodSecurityDescriptorFlags_AssertAllowed = 0x0020,
- MethodSecurityDescriptorFlags_CanCache = 0x0040,
-};
-
-inline MethodSecurityDescriptorFlags operator|(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator|=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator&(MethodSecurityDescriptorFlags lhs,
- MethodSecurityDescriptorFlags rhs);
-
-inline MethodSecurityDescriptorFlags operator&=(MethodSecurityDescriptorFlags& lhs,
- MethodSecurityDescriptorFlags rhs);
-
-class MethodSecurityDescriptor
-{
-private:
- MethodDesc *m_pMD;
- DeclActionInfo *m_pRuntimeDeclActionInfo; // run-time declarative actions list
- TokenDeclActionInfo *m_pTokenDeclActionInfo; // link-time declarative actions list
- MethodSecurityDescriptorFlags m_flags;
- DWORD m_declFlagsDuringPreStub; // declarative run-time security flags,
-
-public:
- explicit inline MethodSecurityDescriptor(MethodDesc* pMD, BOOL fCanCache = TRUE);
-
- inline BOOL CanAssert();
- inline void SetCanAssert();
-
- inline BOOL CanCache();
- inline void SetCanCache();
-
- inline BOOL HasRuntimeDeclarativeSecurity();
- inline BOOL HasLinkOrInheritanceDeclarativeSecurity();
- inline BOOL HasLinktimeDeclarativeSecurity();
- inline BOOL HasInheritanceDeclarativeSecurity();
-
- inline mdToken GetToken();
- inline MethodDesc *GetMethod();
- inline IMDInternalImport *GetIMDInternalImport();
-
- inline BOOL ContainsBuiltInCASDemandsOnly();
- inline DeclActionInfo* GetRuntimeDeclActionInfo();
- inline DWORD GetDeclFlagsDuringPreStub();
- inline TokenDeclActionInfo* GetTokenDeclActionInfo();
-
- inline BOOL IsCritical();
- inline BOOL IsTreatAsSafe();
-
- inline BOOL IsOpportunisticallyCritical();
-
- inline HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static HRESULT
GetDeclaredPermissionsWithCache(MethodDesc* pMD,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static OBJECTREF GetLinktimePermissions(MethodDesc* pMD, OBJECTREF *prefNonCasDemands);
-
- inline void InvokeLinktimeChecks(Assembly* pCaller);
- static inline void InvokeLinktimeChecks(MethodDesc* pMD, Assembly* pCaller);
-
- void InvokeInheritanceChecks(MethodDesc *pMethod);
-
- // This method will look for the cached copy of the MethodSecurityDescriptor corresponding to ret_methSecDesc->_pMD
- // If the cache lookup succeeds, we get back the cached copy in ret_methSecDesc
- // If the cache lookup fails, then the data is computed in ret_methSecDesc. If we find that this is a cache-able MSD,
- // a copy is made in AppDomain heap and inserted into the hash table for future lookups.
- static void LookupOrCreateMethodSecurityDescriptor(MethodSecurityDescriptor* ret_methSecDesc);
- static BOOL IsDeclSecurityCASDemandsOnly(DWORD dwMethDeclFlags,
- mdToken _mdToken,
- IMDInternalImport *pInternalImport);
-
-private:
- void ComputeRuntimeDeclarativeSecurityInfo();
- void ComputeMethodDeclarativeSecurityInfo();
-
- inline void VerifyDataComputed();
- void VerifyDataComputedInternal();
-
- // Force the type to figure out if it is transparent or critial.
- // NOTE: Generally this is not needed, as the data is cached on the MethodDesc for you.
This method should
- // only be called if the MethodDesc is returning FALSE from HasCriticalTransparentInfo
- void ComputeCriticalTransparentInfo();
-
- static BOOL CanMethodSecurityDescriptorBeCached(MethodDesc* pMD);
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class MethodSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const MethodSecurityDescriptor *m_pMSD;
-
- public:
- inline MethodSecurityDescriptorTransparencyEtwEvents(const MethodSecurityDescriptor *pMSD);
- inline ~MethodSecurityDescriptorTransparencyEtwEvents();
- };
-
- // Helper class to iterater over methods that the MethodSecurityDescriptor's MethodDesc may be
- // implementing. This type iterates over interface implementations followed by MethodImpls for virtuals
- // that the input MethodDesc implements.
- class MethodImplementationIterator
- {
- private:
- DispatchMap::Iterator m_interfaceIterator;
- MethodDesc *m_pMD;
- DWORD m_iMethodImplIndex;
- bool m_fInterfaceIterationBegun;
- bool m_fMethodImplIterationBegun;
-
- public:
- MethodImplementationIterator(MethodDesc *pMD);
-
- MethodDesc *Current();
- bool IsValid();
- void Next();
- };
-};
-
-enum FieldSecurityDescriptorFlags
-{
- FieldSecurityDescriptorFlags_None = 0x0000,
- FieldSecurityDescriptorFlags_IsComputed = 0x0001,
- FieldSecurityDescriptorFlags_IsCritical = 0x0002,
- FieldSecurityDescriptorFlags_IsTreatAsSafe = 0x0004,
-};
-
-inline FieldSecurityDescriptorFlags operator|(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator|=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator&(FieldSecurityDescriptorFlags lhs,
- FieldSecurityDescriptorFlags rhs);
-
-inline FieldSecurityDescriptorFlags operator&=(FieldSecurityDescriptorFlags& lhs,
- FieldSecurityDescriptorFlags rhs);
-
-class FieldSecurityDescriptor
-{
-private:
- FieldDesc *m_pFD;
-
FieldSecurityDescriptorFlags m_flags;
-
-public:
- explicit inline FieldSecurityDescriptor(FieldDesc* pFD);
-
- void VerifyDataComputed();
-
- inline BOOL IsCritical();
- inline BOOL IsTreatAsSafe();
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class FieldSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const FieldSecurityDescriptor *m_pFSD;
-
- public:
- inline FieldSecurityDescriptorTransparencyEtwEvents(const FieldSecurityDescriptor *pFSD);
- inline ~FieldSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-enum TypeSecurityDescriptorFlags
-{
- TypeSecurityDescriptorFlags_None = 0x0000,
-
- // Type transparency info is cached directly on EEClass for performance reasons; these bits are used only
- // as intermediate state while calculating the final set of bits to cache on the EEClass
- TypeSecurityDescriptorFlags_IsAllCritical = 0x0001, // Everything introduced by this type is critical
- TypeSecurityDescriptorFlags_IsAllTransparent = 0x0002, // All code in the type is transparent
- TypeSecurityDescriptorFlags_IsCritical = 0x0004, // The type is critical, but its introduced methods may not be
- TypeSecurityDescriptorFlags_IsTreatAsSafe = 0x0008, // Combined with IsAllCritical or IsCritical makes the type SafeCritical
-};
-
-inline TypeSecurityDescriptorFlags operator|(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator|=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator&(TypeSecurityDescriptorFlags lhs,
- TypeSecurityDescriptorFlags rhs);
-
-inline TypeSecurityDescriptorFlags operator&=(TypeSecurityDescriptorFlags& lhs,
- TypeSecurityDescriptorFlags rhs);
-
-class TypeSecurityDescriptor
-{
-private:
- MethodTable *m_pMT;
- TokenDeclActionInfo *m_pTokenDeclActionInfo;
- BOOL m_fIsComputed;
-
-public:
- explicit inline TypeSecurityDescriptor(MethodTable *pMT);
-
- inline BOOL
HasLinkOrInheritanceDeclarativeSecurity();
- inline BOOL HasLinktimeDeclarativeSecurity();
- inline BOOL HasInheritanceDeclarativeSecurity();
-
- // Is everything introduced by the type critical
- inline BOOL IsAllCritical();
-
- // Does the type contain only transparent code
- inline BOOL IsAllTransparent();
-
- // Combined with IsCritical/IsAllCritical is the type safe critical
- inline BOOL IsTreatAsSafe();
-
- // Is the type critical, but not necessarially its conatined methods
- inline BOOL IsCritical();
-
- // Is the type in an assembly that doesn't care about transparency, and therefore wants the CLR to make
- // sure that all annotations are correct for it.
- inline BOOL IsOpportunisticallyCritical();
-
- // Should this type be considered externally visible when calculating the transpraency of the type
- // and its members. (For instance, when seeing if public implies treat as safe)
- BOOL IsTypeExternallyVisibleForTransparency();
-
- inline mdToken GetToken();
- inline IMDInternalImport *GetIMDInternalImport();
-
- inline TokenDeclActionInfo* GetTokenDeclActionInfo();
-
- inline HRESULT GetDeclaredPermissionsWithCache(IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static HRESULT GetDeclaredPermissionsWithCache(MethodTable* pTargetMT,
- IN CorDeclSecurity action,
- OUT OBJECTREF *pDeclaredPermissions,
- OUT PsetCacheEntry **pPCE);
-
- static OBJECTREF GetLinktimePermissions(MethodTable* pMT, OBJECTREF *prefNonCasDemands);
-
- // Is the type represented by this TypeSecurityDescripter participating in type equivalence
- inline BOOL IsTypeEquivalent();
-
- void InvokeInheritanceChecks(MethodTable* pMT);
- inline void InvokeLinktimeChecks(Assembly* pCaller);
- static inline void InvokeLinktimeChecks(MethodTable* pMT, Assembly* pCaller);
-
-private:
- inline TypeSecurityDescriptor& operator=(const TypeSecurityDescriptor &tsd);
- void ComputeTypeDeclarativeSecurityInfo();
- static TypeSecurityDescriptor*
GetTypeSecurityDescriptor(MethodTable* pMT);
- void VerifyDataComputedInternal();
- inline void VerifyDataComputed();
- // Force the type to figure out if it is transparent or critial.
- // NOTE: Generally this is not needed, as the data is cached on the EEClass for you. This method should
- // only be called if the EEClass is returning FALSE from HasCriticalTransparentInfo
- void ComputeCriticalTransparentInfo();
- static BOOL CanTypeSecurityDescriptorBeCached(MethodTable* pMT);
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class TypeSecurityDescriptorTransparencyEtwEvents
- {
- private:
- const TypeSecurityDescriptor *m_pTSD;
-
- public:
- inline TypeSecurityDescriptorTransparencyEtwEvents(const TypeSecurityDescriptor *pTSD);
- inline ~TypeSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-
-enum ModuleSecurityDescriptorFlags
-{
- ModuleSecurityDescriptorFlags_None = 0x0000,
- ModuleSecurityDescriptorFlags_IsComputed = 0x0001,
-
- ModuleSecurityDescriptorFlags_IsAPTCA = 0x0002, // The assembly allows partially trusted callers
- ModuleSecurityDescriptorFlags_IsAllCritical = 0x0004, // Every type and method introduced by the assembly is critical
- ModuleSecurityDescriptorFlags_IsAllTransparent = 0x0008, // Every type and method in the assembly is transparent
- ModuleSecurityDescriptorFlags_IsTreatAsSafe = 0x0010, // Combined with IsAllCritical - every type and method introduced by the assembly is safe critical
- ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical = 0x0020, // Ensure that the assembly follows all transparency rules by making all methods critical or safe critical as needed
- ModuleSecurityDescriptorFlags_SkipFullTrustVerification = 0x0040, // Fully trusted transparent code does not require verification
- ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust = 0x0080, // Whether we made the assembly all transparent because it was partially-trusted
-};
-
-inline ModuleSecurityDescriptorFlags
operator|(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator|=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator&(ModuleSecurityDescriptorFlags lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator&=(ModuleSecurityDescriptorFlags& lhs,
- ModuleSecurityDescriptorFlags rhs);
-
-inline ModuleSecurityDescriptorFlags operator~(ModuleSecurityDescriptorFlags flags);
-
-
-// Module security descriptor, this class contains static security information about the module
-// this information will get persisted in the NGen image
-class ModuleSecurityDescriptor
-{
- friend class Module;
-
-private:
- PTR_Module m_pModule;
- ModuleSecurityDescriptorFlags m_flags;
- TokenSecurityDescriptorFlags m_tokenFlags;
-
-private:
- explicit inline ModuleSecurityDescriptor(PTR_Module pModule);
-
-public:
- static inline BOOL IsMarkedTransparent(Assembly* pAssembly);
-
- static ModuleSecurityDescriptor* GetModuleSecurityDescriptor(Assembly* pAssembly);
-
- void Save(DataImage *image);
- void Fixup(DataImage *image);
-
- void VerifyDataComputed();
-
- inline void OverrideTokenFlags(TokenSecurityDescriptorFlags tokenFlags);
- inline TokenSecurityDescriptorFlags GetTokenFlags();
-
- inline Module *GetModule();
-
-#ifdef DACCESS_COMPILE
- // Get the value of the module security descriptor flags without forcing them to be computed
- inline ModuleSecurityDescriptorFlags GetRawFlags();
-#endif // DACCESS_COMPILE
-
- // Is every method and type in the assembly transparent
- inline BOOL IsAllTransparent();
-
- // Is every method and type introduced by the assembly critical
- inline BOOL IsAllCritical();
-
- // Combined with IsAllCritical - is every method and type introduced by the assembly safe critical
- inline BOOL IsTreatAsSafe();
-
- // Does the assembly not care about transparency, and wants the CLR to take care of
making sure everything
- // is annotated properly in the assembly.
- inline BOOL IsOpportunisticallyCritical();
-
- // Does the assembly contain a mix of critical and transparent code
- inline BOOL IsMixedTransparency();
-
- // Partial trust assemblies are forced all-transparent under some conditions. This
- // tells us whether that is true for this particular assembly.
- inline BOOL IsAllTransparentDueToPartialTrust();
-
- // Get the rule set the assembly uses
- inline SecurityRuleSet GetSecurityRuleSet();
-
-
-#if defined(FEATURE_CORESYSTEM)
- // Does the assembly allow partially trusted callers
- inline BOOL IsAPTCA();
-#endif // defined(FEATURE_CORESYSTEM)
-
-
-private:
- // Helper class which fires transparency calculation begin/end ETW events
- class ModuleSecurityDescriptorTransparencyEtwEvents
- {
- private:
- ModuleSecurityDescriptor *m_pMSD;
-
- public:
- inline ModuleSecurityDescriptorTransparencyEtwEvents(ModuleSecurityDescriptor *pMSD);
- inline ~ModuleSecurityDescriptorTransparencyEtwEvents();
- };
-};
-
-#include "securitymeta.inl"
-
-#endif // __SECURITYMETA_H__
diff --git a/src/vm/securitymeta.inl b/src/vm/securitymeta.inl
deleted file mode 100644
index 59525d783a..0000000000
--- a/src/vm/securitymeta.inl
+++ /dev/null
@@ -1,1231 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -//-------------------------------------------------------------------------- -// securitymeta.inl -// -// pre-computes various security information, declarative and runtime meta-info -// - - -// -//-------------------------------------------------------------------------- - - -#include "typestring.h" - -#include "securitypolicy.h" -#include "securitydeclarative.h" - -#ifndef __SECURITYMETA_INL__ -#define __SECURITYMETA_INL__ - -inline TokenSecurityDescriptorFlags operator|(TokenSecurityDescriptorFlags lhs, - TokenSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); -} - -inline TokenSecurityDescriptorFlags operator|=(TokenSecurityDescriptorFlags& lhs, - TokenSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); - return lhs; -} - -inline TokenSecurityDescriptorFlags operator&(TokenSecurityDescriptorFlags lhs, - TokenSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); -} - -inline TokenSecurityDescriptorFlags operator&=(TokenSecurityDescriptorFlags& lhs, - TokenSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); - return lhs; -} - -inline TokenSecurityDescriptorFlags operator~(TokenSecurityDescriptorFlags flags) -{ - LIMITED_METHOD_CONTRACT; - - // Invert all the bits which aren't part of the rules version number - DWORD flagBits = flags & ~static_cast<DWORD>(TokenSecurityDescriptorFlags_RulesVersionMask); - 
return static_cast<TokenSecurityDescriptorFlags>( - (EncodeSecurityRuleSet(GetSecurityRuleSet(flags)) << 24 ) | - (~flagBits)); -} - -// Get the version of the security rules that token security descriptor flags are requesting -inline SecurityRuleSet GetSecurityRuleSet(TokenSecurityDescriptorFlags flags) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<SecurityRuleSet>((flags & TokenSecurityDescriptorFlags_RulesMask) >> 24); -} - -// Encode a security rule set into token flags - this reverses GetSecurityRuleSet -inline TokenSecurityDescriptorFlags EncodeSecurityRuleSet(SecurityRuleSet ruleSet) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<TokenSecurityDescriptorFlags>(static_cast<DWORD>(ruleSet) << 24); -} - -inline TokenSecurityDescriptor::TokenSecurityDescriptor(PTR_Module pModule, mdToken token) - : m_pModule(pModule), - m_token(token), - m_flags(TokenSecurityDescriptorFlags_None) -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(pModule); -} - -inline TokenSecurityDescriptorFlags TokenSecurityDescriptor::GetFlags() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_flags; -} - -// Get the attributes that were set on the token -inline TokenSecurityDescriptorFlags TokenSecurityDescriptor::GetMetadataFlags() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_flags & TokenSecurityDescriptorFlags_RawAttributeMask; -} - -inline BOOL TokenSecurityDescriptor::IsSemanticCritical() -{ - WRAPPER_NO_CONTRACT; - VerifySemanticDataComputed(); - return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticCritical); -} - -inline BOOL TokenSecurityDescriptor::IsSemanticTreatAsSafe() -{ - WRAPPER_NO_CONTRACT; - VerifySemanticDataComputed(); - return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe); -} - -inline BOOL TokenSecurityDescriptor::IsSemanticExternallyVisible() -{ - WRAPPER_NO_CONTRACT; - VerifySemanticDataComputed(); - return !!(m_flags & TokenSecurityDescriptorFlags_IsSemanticExternallyVisible); -} - -// Determine if the type 
represented by the token in this TokenSecurityDescriptor is participating in type -// equivalence. -inline BOOL TokenSecurityDescriptor::IsTypeEquivalent() -{ - WRAPPER_NO_CONTRACT; - - _ASSERTE(TypeFromToken(m_token) == mdtTypeDef); - return IsTypeDefEquivalent(m_token, m_pModule); -} - -#ifndef DACCESS_COMPILE - -inline TokenSecurityDescriptor::TokenSecurityDescriptorTransparencyEtwEvents::TokenSecurityDescriptorTransparencyEtwEvents(const TokenSecurityDescriptor *pTSD) - : m_pTSD(pTSD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TokenTransparencyComputationStart)) - { - LPCWSTR module = m_pTSD->m_pModule->GetPathForErrorMessages(); - - ETW::SecurityLog::FireTokenTransparencyComputationStart(m_pTSD->m_token, - module, - ::GetAppDomain()->GetId().m_dwId); - } -} - -inline TokenSecurityDescriptor::TokenSecurityDescriptorTransparencyEtwEvents::~TokenSecurityDescriptorTransparencyEtwEvents() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TokenTransparencyComputationEnd)) - { - LPCWSTR module = m_pTSD->m_pModule->GetPathForErrorMessages(); - - ETW::SecurityLog::FireTokenTransparencyComputationEnd(m_pTSD->m_token, - module, - !!(m_pTSD->m_flags & TokenSecurityDescriptorFlags_IsSemanticCritical), - !!(m_pTSD->m_flags & TokenSecurityDescriptorFlags_IsSemanticTreatAsSafe), - ::GetAppDomain()->GetId().m_dwId); - } -} - -#endif //!DACCESS_COMPILE - -inline MethodSecurityDescriptor::MethodSecurityDescriptor(MethodDesc* pMD, BOOL fCanCache /* = TRUE */) : - m_pMD(pMD), - m_pRuntimeDeclActionInfo(NULL), - m_pTokenDeclActionInfo(NULL), - m_flags(MethodSecurityDescriptorFlags_None), - m_declFlagsDuringPreStub(0) -{ - WRAPPER_NO_CONTRACT; - - if (fCanCache) - { - SetCanCache(); - } -} - -inline BOOL MethodSecurityDescriptor::CanAssert() -{ - // No need to do a VerifyDataComputed 
here -> this value is set by SecurityDeclarative::EnsureAssertAllowed as an optmization - LIMITED_METHOD_CONTRACT; - return !!(m_flags & MethodSecurityDescriptorFlags_AssertAllowed); -} - -inline void MethodSecurityDescriptor::SetCanAssert() -{ - LIMITED_METHOD_CONTRACT; - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_AssertAllowed); -} - -inline BOOL MethodSecurityDescriptor::CanCache() -{ - LIMITED_METHOD_CONTRACT; - return !!(m_flags & MethodSecurityDescriptorFlags_CanCache); -} - -inline void MethodSecurityDescriptor::SetCanCache() -{ - LIMITED_METHOD_CONTRACT; - FastInterlockOr(reinterpret_cast<DWORD *>(&m_flags), MethodSecurityDescriptorFlags_CanCache); -} - -inline BOOL MethodSecurityDescriptor::HasRuntimeDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return m_pMD->IsInterceptedForDeclSecurity(); -} - -inline BOOL MethodSecurityDescriptor::HasLinkOrInheritanceDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return HasLinktimeDeclarativeSecurity() || HasInheritanceDeclarativeSecurity(); -} - -inline BOOL MethodSecurityDescriptor::HasLinktimeDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return m_pMD->RequiresLinktimeCheck(); -} - -inline BOOL MethodSecurityDescriptor::HasInheritanceDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return m_pMD->RequiresInheritanceCheck(); -} - -inline mdToken MethodSecurityDescriptor::GetToken() -{ - WRAPPER_NO_CONTRACT; - return m_pMD->GetMemberDef(); -} - -inline MethodDesc *MethodSecurityDescriptor::GetMethod() -{ - WRAPPER_NO_CONTRACT; - return m_pMD; -} - -inline IMDInternalImport *MethodSecurityDescriptor::GetIMDInternalImport() -{ - WRAPPER_NO_CONTRACT; - return m_pMD->GetMDImport(); -} - - -inline BOOL MethodSecurityDescriptor::ContainsBuiltInCASDemandsOnly() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return ((m_flags & MethodSecurityDescriptorFlags_IsBuiltInCASPermsOnly) && - (m_flags & MethodSecurityDescriptorFlags_IsDemandsOnly)); -} - -inline DeclActionInfo* 
MethodSecurityDescriptor::GetRuntimeDeclActionInfo() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_pRuntimeDeclActionInfo; -} - -inline DWORD MethodSecurityDescriptor::GetDeclFlagsDuringPreStub() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_declFlagsDuringPreStub; -} - -inline TokenDeclActionInfo* MethodSecurityDescriptor::GetTokenDeclActionInfo() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_pTokenDeclActionInfo; -} - -inline BOOL MethodSecurityDescriptor::IsCritical() -{ - WRAPPER_NO_CONTRACT; - - if (!m_pMD->HasCriticalTransparentInfo()) - ComputeCriticalTransparentInfo(); - return m_pMD->IsCritical(); -} - -inline BOOL MethodSecurityDescriptor::IsTreatAsSafe() -{ - WRAPPER_NO_CONTRACT; - - if (!m_pMD->HasCriticalTransparentInfo()) - ComputeCriticalTransparentInfo(); - return m_pMD->IsTreatAsSafe(); -} - -inline BOOL MethodSecurityDescriptor::IsOpportunisticallyCritical() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - TypeSecurityDescriptor typeSecDesc(m_pMD->GetMethodTable()); - return typeSecDesc.IsOpportunisticallyCritical(); -} - -inline HRESULT MethodSecurityDescriptor::GetDeclaredPermissionsWithCache(IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPCE) -{ - WRAPPER_NO_CONTRACT; - return GetTokenDeclActionInfo()->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE); -} - -// static -inline HRESULT MethodSecurityDescriptor::GetDeclaredPermissionsWithCache(MethodDesc* pMD, - IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPCE) -{ - WRAPPER_NO_CONTRACT; - MethodSecurityDescriptor methodSecurityDesc(pMD); - LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc); - return methodSecurityDesc.GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE); -} - -// static -inline OBJECTREF MethodSecurityDescriptor::GetLinktimePermissions(MethodDesc* pMD, - OBJECTREF 
*prefNonCasDemands) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (!pMD->RequiresLinktimeCheck()) - return NULL; - - MethodSecurityDescriptor methodSecurityDesc(pMD); - LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc); - return methodSecurityDesc.GetTokenDeclActionInfo()->GetLinktimePermissions(prefNonCasDemands); -} - -inline void MethodSecurityDescriptor::InvokeLinktimeChecks(Assembly* pCaller) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (!HasLinktimeDeclarativeSecurity()) - return; - - GetTokenDeclActionInfo()->InvokeLinktimeChecks(pCaller); -} - -// staitc -inline void MethodSecurityDescriptor::InvokeLinktimeChecks(MethodDesc* pMD, Assembly* pCaller) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (!pMD->RequiresLinktimeCheck()) - return; - - MethodSecurityDescriptor methodSecurityDesc(pMD); - LookupOrCreateMethodSecurityDescriptor(&methodSecurityDesc); - methodSecurityDesc.InvokeLinktimeChecks(pCaller); -} - -// static -inline BOOL MethodSecurityDescriptor::IsDeclSecurityCASDemandsOnly(DWORD dwMethDeclFlags, - mdToken _mdToken, - IMDInternalImport *pInternalImport) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // Non-CAS demands are not supported in CoreCLR - return TRUE; -} - -#ifndef DACCESS_COMPILE - -inline MethodSecurityDescriptor::MethodSecurityDescriptorTransparencyEtwEvents::MethodSecurityDescriptorTransparencyEtwEvents(const MethodSecurityDescriptor *pMSD) - : m_pMSD(pMSD) -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, MethodTransparencyComputationStart)) - { - LPCWSTR module = m_pMSD->m_pMD->GetModule()->GetPathForErrorMessages(); - - SString method; - m_pMSD->m_pMD->GetFullMethodInfo(method); - - ETW::SecurityLog::FireMethodTransparencyComputationStart(method.GetUnicode(), - module, - 
::GetAppDomain()->GetId().m_dwId); - } -} - -inline MethodSecurityDescriptor::MethodSecurityDescriptorTransparencyEtwEvents::~MethodSecurityDescriptorTransparencyEtwEvents() -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, MethodTransparencyComputationEnd)) - { - LPCWSTR module = m_pMSD->m_pMD->GetModule()->GetPathForErrorMessages(); - - SString method; - m_pMSD->m_pMD->GetFullMethodInfo(method); - - BOOL fIsCritical = FALSE; - BOOL fIsTreatAsSafe = FALSE; - - if (m_pMSD->m_pMD->HasCriticalTransparentInfo()) - { - fIsCritical = m_pMSD->m_pMD->IsCritical(); - fIsTreatAsSafe = m_pMSD->m_pMD->IsTreatAsSafe(); - } - - ETW::SecurityLog::FireMethodTransparencyComputationEnd(method.GetUnicode(), - module, - ::GetAppDomain()->GetId().m_dwId, - fIsCritical, - fIsTreatAsSafe); - } -} - -#endif //!DACCESS_COMPILE - -inline FieldSecurityDescriptorFlags operator|(FieldSecurityDescriptorFlags lhs, - FieldSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); -} - -inline FieldSecurityDescriptorFlags operator|=(FieldSecurityDescriptorFlags& lhs, - FieldSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); - return lhs; -} - -inline FieldSecurityDescriptorFlags operator&(FieldSecurityDescriptorFlags lhs, - FieldSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); -} - -inline FieldSecurityDescriptorFlags operator&=(FieldSecurityDescriptorFlags& lhs, - FieldSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<FieldSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); - return lhs; -} - -inline 
FieldSecurityDescriptor::FieldSecurityDescriptor(FieldDesc* pFD) : - m_pFD(pFD), - m_flags(FieldSecurityDescriptorFlags_None) -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(pFD); -} - -inline BOOL FieldSecurityDescriptor::IsCritical() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & FieldSecurityDescriptorFlags_IsCritical); -} - -inline BOOL FieldSecurityDescriptor::IsTreatAsSafe() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & FieldSecurityDescriptorFlags_IsTreatAsSafe); -} - -#ifndef DACCESS_COMPILE - -inline FieldSecurityDescriptor::FieldSecurityDescriptorTransparencyEtwEvents::FieldSecurityDescriptorTransparencyEtwEvents(const FieldSecurityDescriptor *pFSD) - : m_pFSD(pFSD) -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, FieldTransparencyComputationStart)) - { - LPCWSTR module = m_pFSD->m_pFD->GetModule()->GetPathForErrorMessages(); - - SString field; - TypeString::AppendType(field, TypeHandle(m_pFSD->m_pFD->GetApproxEnclosingMethodTable())); - field.AppendUTF8("::"); - field.AppendUTF8(m_pFSD->m_pFD->GetName()); - - ETW::SecurityLog::FireFieldTransparencyComputationStart(field.GetUnicode(), - module, - ::GetAppDomain()->GetId().m_dwId); - } -} - -inline FieldSecurityDescriptor::FieldSecurityDescriptorTransparencyEtwEvents::~FieldSecurityDescriptorTransparencyEtwEvents() -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, FieldTransparencyComputationEnd)) - { - LPCWSTR module = m_pFSD->m_pFD->GetModule()->GetPathForErrorMessages(); - - SString field; - TypeString::AppendType(field, TypeHandle(m_pFSD->m_pFD->GetApproxEnclosingMethodTable())); - field.AppendUTF8("::"); - field.AppendUTF8(m_pFSD->m_pFD->GetName()); - - ETW::SecurityLog::FireFieldTransparencyComputationEnd(field.GetUnicode(), - module, - ::GetAppDomain()->GetId().m_dwId, - !!(m_pFSD->m_flags & FieldSecurityDescriptorFlags_IsCritical), - 
!!(m_pFSD->m_flags & FieldSecurityDescriptorFlags_IsTreatAsSafe)); - } -} - -#endif //!DACCESS_COMPILE - -inline TypeSecurityDescriptor::TypeSecurityDescriptor(MethodTable *pMT) : - m_pMT(pMT->GetCanonicalMethodTable()), - m_pTokenDeclActionInfo(NULL), - m_fIsComputed(FALSE) -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(pMT); -} - -inline BOOL TypeSecurityDescriptor::HasLinkOrInheritanceDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return HasLinktimeDeclarativeSecurity() || HasInheritanceDeclarativeSecurity(); -} - -inline BOOL TypeSecurityDescriptor::HasLinktimeDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return m_pMT->GetClass()->RequiresLinktimeCheck(); -} - -inline BOOL TypeSecurityDescriptor::HasInheritanceDeclarativeSecurity() -{ - WRAPPER_NO_CONTRACT; - return m_pMT->GetClass()->RequiresInheritanceCheck(); -} - -inline BOOL TypeSecurityDescriptor::IsCritical() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - EEClass *pClass = m_pMT->GetClass(); - if (!pClass->HasCriticalTransparentInfo()) - { - ComputeCriticalTransparentInfo(); - } - - return pClass->IsAllCritical() - ; -} - -inline BOOL TypeSecurityDescriptor::IsOpportunisticallyCritical() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - ModuleSecurityDescriptor *pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(m_pMT->GetAssembly()); - return pModuleSecDesc->IsOpportunisticallyCritical(); -} - -inline BOOL TypeSecurityDescriptor::IsAllCritical() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - EEClass *pClass = m_pMT->GetClass(); - if (!pClass->HasCriticalTransparentInfo()) - ComputeCriticalTransparentInfo(); - return pClass->IsAllCritical(); -} - -inline BOOL TypeSecurityDescriptor::IsAllTransparent() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - EEClass *pClass = m_pMT->GetClass(); - if (!pClass->HasCriticalTransparentInfo()) - 
ComputeCriticalTransparentInfo(); - return pClass->IsAllTransparent(); -} - -inline BOOL TypeSecurityDescriptor::IsTreatAsSafe() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - EEClass *pClass = m_pMT->GetClass(); - if (!pClass->HasCriticalTransparentInfo()) - ComputeCriticalTransparentInfo(); - return pClass->IsTreatAsSafe(); -} - -inline mdToken TypeSecurityDescriptor::GetToken() -{ - WRAPPER_NO_CONTRACT; - return m_pMT->GetCl(); -} - -inline IMDInternalImport *TypeSecurityDescriptor::GetIMDInternalImport() -{ - WRAPPER_NO_CONTRACT; - return m_pMT->GetMDImport(); -} - -inline TokenDeclActionInfo* TypeSecurityDescriptor::GetTokenDeclActionInfo() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return m_pTokenDeclActionInfo; -} - -inline TypeSecurityDescriptorFlags operator|(TypeSecurityDescriptorFlags lhs, - TypeSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); -} - -inline TypeSecurityDescriptorFlags operator|=(TypeSecurityDescriptorFlags& lhs, - TypeSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); - return lhs; -} - -inline TypeSecurityDescriptorFlags operator&(TypeSecurityDescriptorFlags lhs, - TypeSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); -} - -inline TypeSecurityDescriptorFlags operator&=(TypeSecurityDescriptorFlags& lhs, - TypeSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<TypeSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); - return lhs; -} - -inline HRESULT TypeSecurityDescriptor::GetDeclaredPermissionsWithCache(IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPCE) -{ - 
WRAPPER_NO_CONTRACT; - return GetTokenDeclActionInfo()->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE); -} - -// static -inline HRESULT TypeSecurityDescriptor::GetDeclaredPermissionsWithCache(MethodTable *pTargetMT, - IN CorDeclSecurity action, - OUT OBJECTREF *pDeclaredPermissions, - OUT PsetCacheEntry **pPCE) -{ - WRAPPER_NO_CONTRACT; - TypeSecurityDescriptor* pTypeSecurityDesc = GetTypeSecurityDescriptor(pTargetMT); - _ASSERTE(pTypeSecurityDesc != NULL); - return pTypeSecurityDesc->GetDeclaredPermissionsWithCache(action, pDeclaredPermissions, pPCE); -} - -// static -inline OBJECTREF TypeSecurityDescriptor::GetLinktimePermissions(MethodTable *pMT, - OBJECTREF *prefNonCasDemands) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - if (!pMT->GetClass()->RequiresLinktimeCheck()) - return NULL; - - TypeSecurityDescriptor* pTypeSecurityDesc = GetTypeSecurityDescriptor(pMT); - _ASSERTE(pTypeSecurityDesc != NULL); - return pTypeSecurityDesc->GetTokenDeclActionInfo()->GetLinktimePermissions(prefNonCasDemands); -} - -inline void TypeSecurityDescriptor::InvokeLinktimeChecks(Assembly* pCaller) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - if (!HasLinktimeDeclarativeSecurity()) - return; - GetTokenDeclActionInfo()->InvokeLinktimeChecks(pCaller); -} - -// Determine if the type by this TypeSecurityDescriptor is participating in type equivalence. Note that this -// is only checking to see if the type would like to participate in equivalence, and not if it is actually -// equivalent to anything - which allows its transparency to be the same regardless of what other types have -// been loaded. 
-inline BOOL TypeSecurityDescriptor::IsTypeEquivalent() -{ - WRAPPER_NO_CONTRACT; - - return m_pMT->GetClass()->IsEquivalentType(); -} - -// static -inline void TypeSecurityDescriptor::InvokeLinktimeChecks(MethodTable *pMT, Assembly* pCaller) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - if (!pMT->GetClass()->RequiresLinktimeCheck()) - return; - GetTypeSecurityDescriptor(pMT)->InvokeLinktimeChecks(pCaller); -} - -inline void TypeSecurityDescriptor::VerifyDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - if (m_fIsComputed) - { - return; - } - - BOOL canTypeSecDescCached = CanTypeSecurityDescriptorBeCached(m_pMT); - if (!canTypeSecDescCached) - { - VerifyDataComputedInternal(); - } - else - { - TypeSecurityDescriptor* pCachedTypeSecurityDesc = GetTypeSecurityDescriptor(m_pMT); - *this = *pCachedTypeSecurityDesc; // copy the struct - _ASSERTE(m_fIsComputed); - } - - return; -} - -inline TypeSecurityDescriptor& TypeSecurityDescriptor::operator=(const TypeSecurityDescriptor &tsd) -{ - LIMITED_METHOD_CONTRACT; - - m_pMT = tsd.m_pMT; - m_pTokenDeclActionInfo = tsd.m_pTokenDeclActionInfo; - m_fIsComputed = tsd.m_fIsComputed; - - return *this; -} - -#ifndef DACCESS_COMPILE - -inline TypeSecurityDescriptor::TypeSecurityDescriptorTransparencyEtwEvents::TypeSecurityDescriptorTransparencyEtwEvents(const TypeSecurityDescriptor *pTSD) - : m_pTSD(pTSD) -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TypeTransparencyComputationStart)) - { - LPCWSTR module = m_pTSD->m_pMT->GetModule()->GetPathForErrorMessages(); - - SString type; - if (!IsNilToken(m_pTSD->m_pMT->GetCl())) - { - TypeString::AppendType(type, TypeHandle(m_pTSD->m_pMT)); - } - - ETW::SecurityLog::FireTypeTransparencyComputationStart(type.GetUnicode(), - module, - ::GetAppDomain()->GetId().m_dwId); - } - -} - -inline 
TypeSecurityDescriptor::TypeSecurityDescriptorTransparencyEtwEvents::~TypeSecurityDescriptorTransparencyEtwEvents() -{ - WRAPPER_NO_CONTRACT; - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, TypeTransparencyComputationEnd)) - { - LPCWSTR module = m_pTSD->m_pMT->GetModule()->GetPathForErrorMessages(); - - SString type; - if (!IsNilToken(m_pTSD->m_pMT->GetCl())) - { - TypeString::AppendType(type, TypeHandle(m_pTSD->m_pMT)); - } - - BOOL fIsAllCritical = FALSE; - BOOL fIsAllTransparent = FALSE; - BOOL fIsCritical = FALSE; - BOOL fIsTreatAsSafe = FALSE; - - EEClass *pClass = m_pTSD->m_pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - fIsAllCritical = pClass->IsAllCritical(); - fIsAllTransparent = pClass->IsAllTransparent(); - fIsCritical = pClass->IsCritical(); - fIsTreatAsSafe = pClass->IsTreatAsSafe(); - } - - ETW::SecurityLog::FireTypeTransparencyComputationEnd(type.GetUnicode(), - module, - ::GetAppDomain()->GetId().m_dwId, - fIsAllCritical, - fIsAllTransparent, - fIsCritical, - fIsTreatAsSafe); - } - -} - -#endif //!DACCESS_COMPILE - -inline ModuleSecurityDescriptorFlags operator|(ModuleSecurityDescriptorFlags lhs, - ModuleSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); -} - -inline ModuleSecurityDescriptorFlags operator|=(ModuleSecurityDescriptorFlags& lhs, - ModuleSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); - return lhs; -} - -inline ModuleSecurityDescriptorFlags operator&(ModuleSecurityDescriptorFlags lhs, - ModuleSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); -} - -inline ModuleSecurityDescriptorFlags operator&=(ModuleSecurityDescriptorFlags& lhs, - 
ModuleSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<ModuleSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); - return lhs; -} - -inline ModuleSecurityDescriptorFlags operator~(ModuleSecurityDescriptorFlags flags) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<ModuleSecurityDescriptorFlags>(~static_cast<DWORD>(flags)); -} - -inline ModuleSecurityDescriptor::ModuleSecurityDescriptor(PTR_Module pModule) : - m_pModule(pModule), - m_flags(ModuleSecurityDescriptorFlags_None), - m_tokenFlags(TokenSecurityDescriptorFlags_None) -{ - LIMITED_METHOD_CONTRACT; - _ASSERTE(pModule); -} - -// static -inline BOOL ModuleSecurityDescriptor::IsMarkedTransparent(Assembly* pAssembly) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - return GetModuleSecurityDescriptor(pAssembly)->IsAllTransparent(); -} - -//--------------------------------------------------------------------------------------- -// -// Override the token flags that would be read from the metadata directly with a -// precomputed set of flags. This is used by reflection emit to create a dynamic assembly -// with security attributes given at creation time. 
-// - -inline void ModuleSecurityDescriptor::OverrideTokenFlags(TokenSecurityDescriptorFlags tokenFlags) -{ - CONTRACTL - { - LIMITED_METHOD_CONTRACT; - PRECONDITION(!(m_flags & ModuleSecurityDescriptorFlags_IsComputed)); - PRECONDITION(m_tokenFlags == TokenSecurityDescriptorFlags_None); - PRECONDITION(CheckPointer(m_pModule)); - PRECONDITION(m_pModule->GetAssembly()->IsDynamic()); // Token overrides should only be used by reflection - } - CONTRACTL_END; - - m_tokenFlags = tokenFlags; -} - -inline TokenSecurityDescriptorFlags ModuleSecurityDescriptor::GetTokenFlags() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - SO_INTOLERANT; - } - CONTRACTL_END; - - if (m_tokenFlags == TokenSecurityDescriptorFlags_None) - { - Assembly *pAssembly = m_pModule->GetAssembly(); - TokenSecurityDescriptor tsd(pAssembly->GetManifestModule(), pAssembly->GetManifestToken()); - EnsureWritablePages(&m_tokenFlags); - InterlockedCompareExchange(reinterpret_cast<LONG *>(&m_tokenFlags), - tsd.GetFlags(), - TokenSecurityDescriptorFlags_None); - } - - return m_tokenFlags; -} - -inline Module *ModuleSecurityDescriptor::GetModule() -{ - LIMITED_METHOD_CONTRACT; - return m_pModule; -} - -#ifdef DACCESS_COMPILE -inline ModuleSecurityDescriptorFlags ModuleSecurityDescriptor::GetRawFlags() -{ - LIMITED_METHOD_CONTRACT; - return m_flags; -} -#endif // DACCESS_COMPILE - -inline BOOL ModuleSecurityDescriptor::IsAllTransparent() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_IsAllTransparent); -} - -inline BOOL ModuleSecurityDescriptor::IsAllCritical() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_IsAllCritical); -} - -inline BOOL ModuleSecurityDescriptor::IsTreatAsSafe() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_IsTreatAsSafe); -} - -inline BOOL ModuleSecurityDescriptor::IsOpportunisticallyCritical() -{ - WRAPPER_NO_CONTRACT; 
- VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical); -} - -inline BOOL ModuleSecurityDescriptor::IsAllTransparentDueToPartialTrust() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_TransparentDueToPartialTrust); -} - -inline BOOL ModuleSecurityDescriptor::IsMixedTransparency() -{ - WRAPPER_NO_CONTRACT; - return !IsAllCritical() && !IsAllTransparent(); -} - - -#if defined(FEATURE_CORESYSTEM) -inline BOOL ModuleSecurityDescriptor::IsAPTCA() -{ - WRAPPER_NO_CONTRACT; - VerifyDataComputed(); - return !!(m_flags & ModuleSecurityDescriptorFlags_IsAPTCA); -} -#endif // defined(FEATURE_CORESYSTEM) - -// Get the set of security rules that the assembly is using -inline SecurityRuleSet ModuleSecurityDescriptor::GetSecurityRuleSet() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - // If the assembly specified a rule set, then use that. If it's a v2 assembly, then use the v2 rules. - // Otherwise, use the default rule set. - TokenSecurityDescriptorFlags tokenFlags = GetTokenFlags(); - if (tokenFlags & TokenSecurityDescriptorFlags_SecurityRules) - { - return ::GetSecurityRuleSet(tokenFlags); - } - else - { - // The assembly hasn't specified the rule set that it needs to use. We'll just use the default rule - // set unless the environment is overriding that with another value. 
- DWORD dwDefaultRuleSet = CLRConfig::GetConfigValue(CLRConfig::INTERNAL_Security_DefaultSecurityRuleSet); - - if (dwDefaultRuleSet == 0) - { - return SecurityRuleSet_Default; - } - else - { - return static_cast<SecurityRuleSet>(dwDefaultRuleSet); - } - } -} - -#ifndef DACCESS_COMPILE - -inline ModuleSecurityDescriptor::ModuleSecurityDescriptorTransparencyEtwEvents::ModuleSecurityDescriptorTransparencyEtwEvents(ModuleSecurityDescriptor *pMSD) - : m_pMSD(pMSD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, ModuleTransparencyComputationStart)) - { - LPCWSTR module = m_pMSD->m_pModule->GetPathForErrorMessages(); - - ETW::SecurityLog::FireModuleTransparencyComputationStart(module, - ::GetAppDomain()->GetId().m_dwId); - } -} - -inline ModuleSecurityDescriptor::ModuleSecurityDescriptorTransparencyEtwEvents::~ModuleSecurityDescriptorTransparencyEtwEvents() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - } - CONTRACTL_END - - if (ETW_EVENT_ENABLED(MICROSOFT_WINDOWS_DOTNETRUNTIME_PRIVATE_PROVIDER_Context, ModuleTransparencyComputationEnd)) - { - LPCWSTR module = m_pMSD->m_pModule->GetPathForErrorMessages(); - - ETW::SecurityLog::FireModuleTransparencyComputationEnd(module, - ::GetAppDomain()->GetId().m_dwId, - !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsAllCritical), - !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsAllTransparent), - !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsTreatAsSafe), - !!(m_pMSD->m_flags & ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical), - m_pMSD->GetSecurityRuleSet()); - } -} - -#endif //!DACCESS_COMPILE - -inline MethodSecurityDescriptorFlags operator|(MethodSecurityDescriptorFlags lhs, - MethodSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); -} - -inline MethodSecurityDescriptorFlags 
operator|=(MethodSecurityDescriptorFlags& lhs, - MethodSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) | - static_cast<DWORD>(rhs)); - return lhs; -} - -inline MethodSecurityDescriptorFlags operator&(MethodSecurityDescriptorFlags lhs, - MethodSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - return static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); -} - -inline MethodSecurityDescriptorFlags operator&=(MethodSecurityDescriptorFlags& lhs, - MethodSecurityDescriptorFlags rhs) -{ - LIMITED_METHOD_CONTRACT; - lhs = static_cast<MethodSecurityDescriptorFlags>(static_cast<DWORD>(lhs) & - static_cast<DWORD>(rhs)); - return lhs; -} - -inline void MethodSecurityDescriptor::VerifyDataComputed() -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - - if (m_flags & MethodSecurityDescriptorFlags_IsComputed) - return; - - BOOL canMethSecDescCached = (CanCache() && CanMethodSecurityDescriptorBeCached(m_pMD)); - if (!canMethSecDescCached) - { - VerifyDataComputedInternal(); - } - else - { - LookupOrCreateMethodSecurityDescriptor(this); - _ASSERTE(m_flags & MethodSecurityDescriptorFlags_IsComputed); - } - - return; -} - -#endif // __SECURITYMETA_INL__ diff --git a/src/vm/securitypolicy.cpp b/src/vm/securitypolicy.cpp deleted file mode 100644 index a1fb35dbe1..0000000000 --- a/src/vm/securitypolicy.cpp +++ /dev/null 
@@ -1,429 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -//The .NET Foundation licenses this file to you under the MIT license. -//See the LICENSE file in the project root for more information. - - -#include "common.h" - -#include "security.h" -#include "perfcounters.h" -#include "eventtrace.h" -#include "appdomainstack.inl" - -#ifndef FEATURE_PAL -#include <shlobj.h> -#include <Accctrl.h> -#include <Aclapi.h> -#include "urlmon.h" -#endif // !FEATURE_PAL - -#ifndef CROSSGEN_COMPILE -void *SecurityProperties::operator new(size_t size, LoaderHeap *pHeap) -{ - WRAPPER_NO_CONTRACT; - return pHeap->AllocMem(S_SIZE_T(size)); -} - -void SecurityProperties::operator delete(void *pMem) -{ - LIMITED_METHOD_CONTRACT; - // No action required -} - - -void SecurityPolicy::Start() -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - -#ifndef FEATURE_PAL - // Making sure we are in sync with URLMon - _ASSERTE(URLZONE_LOCAL_MACHINE == LocalMachine); - _ASSERTE(URLZONE_INTRANET == Intranet); - _ASSERTE(URLZONE_TRUSTED == Trusted); - _ASSERTE(URLZONE_INTERNET == Internet); - _ASSERTE(URLZONE_UNTRUSTED == Untrusted); -#endif // !FEATURE_PAL - -} - -void SecurityPolicy::Stop() -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - -} - - -void QCALLTYPE SecurityPolicy::GetGrantedPermissions(QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied, QCall::StackCrawlMarkHandle stackmark) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - - AppDomain* pDomain = NULL; - - Assembly* callerAssembly = SystemDomain::GetCallersAssembly( stackmark, &pDomain ); - _ASSERTE( callerAssembly != NULL); - - IAssemblySecurityDescriptor* pSecDesc = callerAssembly->GetSecurityDescriptor(pDomain); - _ASSERTE( pSecDesc != NULL ); - - { - GCX_COOP(); - - OBJECTREF orDenied; - OBJECTREF orGranted = pSecDesc->GetGrantedPermissionSet(&orDenied); - - 
retGranted.Set(orGranted); - retDenied.Set(orDenied); - } - - END_QCALL; -} - - -void SecurityPolicy::CreateSecurityException(__in_z const char *szDemandClass, DWORD dwFlags, OBJECTREF *pThrowable) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - - MAKE_WIDEPTR_FROMUTF8(wszDemandClass, szDemandClass); - - MethodTable * pMT = MscorlibBinder::GetClass(CLASS__SECURITY_EXCEPTION); - - - UNREFERENCED_PARAMETER(szDemandClass); - UNREFERENCED_PARAMETER(dwFlags); - - // Allocate the security exception object - *pThrowable = AllocateObject(pMT); - CallDefaultConstructor(*pThrowable); - -} - -DECLSPEC_NORETURN void SecurityPolicy::ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - - GCX_COOP(); - - struct _gc { - OBJECTREF throwable; - } gc; - memset(&gc, 0, sizeof(gc)); - - GCPROTECT_BEGIN(gc); - - CreateSecurityException(szDemandClass, dwFlags, &gc.throwable); - COMPlusThrow(gc.throwable); - - GCPROTECT_END(); -} - - -#endif // CROSSGEN_COMPILE - -BOOL SecurityPolicy::CanSkipVerification(DomainAssembly * pAssembly) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - MODE_ANY; - INJECT_FAULT(COMPlusThrowOM();); - PRECONDITION(CheckPointer(pAssembly)); - } CONTRACTL_END; - - BOOL canSkipVerification = TRUE; - if (!pAssembly->IsSystem()) - { - AssemblySecurityDescriptor *pSec; - { - GCX_COOP(); - pSec = static_cast<AssemblySecurityDescriptor*>(pAssembly->GetSecurityDescriptor()); - } - _ASSERTE(pSec); - if (pSec) - { - canSkipVerification = pSec->CanSkipVerification(); - } - else - { - canSkipVerification = FALSE; - } - } - - return canSkipVerification; -} - -BOOL SecurityPolicy::CanCallUnmanagedCode(Module *pModule) -{ - CONTRACTL { - THROWS; - MODE_ANY; - PRECONDITION(CheckPointer(pModule)); - INJECT_FAULT(COMPlusThrowOM();); - } CONTRACTL_END; - - SharedSecurityDescriptor 
*pSharedSecDesc = static_cast<SharedSecurityDescriptor*>(pModule->GetAssembly()->GetSharedSecurityDescriptor()); - if (pSharedSecDesc) - return pSharedSecDesc->CanCallUnmanagedCode(); - - AssemblySecurityDescriptor *pSec = static_cast<AssemblySecurityDescriptor*>(pModule->GetSecurityDescriptor()); - _ASSERTE(pSec); - return pSec->CanCallUnmanagedCode(); -} - -#ifndef CROSSGEN_COMPILE - - -BOOL QCALLTYPE SecurityPolicy::IsLocalDrive(LPCWSTR wszPath) -{ - QCALL_CONTRACT; - - BOOL retVal = FALSE; - -#ifndef FEATURE_PAL - BEGIN_QCALL; - - WCHAR rootPath[4]; - ZeroMemory( rootPath, sizeof( rootPath ) ); - - rootPath[0] = wszPath[0]; - wcscat_s( rootPath, COUNTOF(rootPath), W(":\\") ); - - UINT driveType = WszGetDriveType( rootPath ); - retVal = - (driveType == DRIVE_REMOVABLE || - driveType == DRIVE_FIXED || - driveType == DRIVE_CDROM || - driveType == DRIVE_RAMDISK); - - END_QCALL; - -#else // !FEATURE_PAL - retVal = TRUE; -#endif // !FEATURE_PAL - - return retVal; -} - -void QCALLTYPE SecurityPolicy::_GetLongPathName(LPCWSTR wszPath, QCall::StringHandleOnStack retLongPath) -{ - QCALL_CONTRACT; - - BEGIN_QCALL; - -#if !defined(PLATFORM_UNIX) - PathString wszBuffer; - - if (SecurityPolicy::GetLongPathNameHelper( wszPath, wszBuffer ) != 0) - { - retLongPath.Set( wszBuffer.GetUnicode() ); - } -#endif // !PLATFORM_UNIX - - END_QCALL; -} - -#if !defined(PLATFORM_UNIX) -size_t GetLongPathNameHelperthatThrows(const WCHAR* wszShortPath, SString& wszBuffer) -{ - CONTRACTL{ - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } CONTRACTL_END; - - DWORD size = WszGetLongPathName(wszShortPath, wszBuffer); - - if (size == 0) - { - // We have to deal with files that do not exist so just - // because GetLongPathName doesn't give us anything doesn't - // mean that we can give up. We iterate through the input - // trying GetLongPathName on every subdirectory until - // it succeeds or we run out of string. 
- - size_t len = wcslen(wszShortPath); - NewArrayHolder<WCHAR> wszIntermediateBuffer = new (nothrow) WCHAR[len + 1]; - - if (wszIntermediateBuffer == NULL) - { - return 0; - } - - wcscpy_s(wszIntermediateBuffer, len + 1, wszShortPath); - - size_t index = len; - - do - { - while (index > 0 && (wszIntermediateBuffer[index - 1] != W('\\') && wszIntermediateBuffer[index - 1] != W('/'))) - --index; - - if (index == 0) - break; - -#ifdef _PREFAST_ -#pragma prefast(push) -#pragma prefast(disable:26001, "suppress prefast warning about underflow by doing index-1 which is checked above.") -#endif // _PREFAST_ - - wszIntermediateBuffer[index - 1] = W('\0'); - -#ifdef _PREFAST_ -#pragma prefast(pop) -#endif - - size = WszGetLongPathName(wszIntermediateBuffer, wszBuffer); - - if (size != 0) - { - - int sizeBuffer = wszBuffer.GetCount(); - - if (wszBuffer[sizeBuffer - 1] != W('\\') && wszBuffer[sizeBuffer - 1] != W('/')) - wszBuffer.Append(W("\\")); - - wszBuffer.Append(&wszIntermediateBuffer[index]); - - - return (DWORD)wszBuffer.GetCount(); - - } - } while (true); - - return 0; - } - else - { - return (DWORD)wszBuffer.GetCount(); - } -} -size_t SecurityPolicy::GetLongPathNameHelper(const WCHAR* wszShortPath, SString& wszBuffer) -{ - CONTRACTL{ - NOTHROW; - GC_NOTRIGGER; - MODE_ANY; - } CONTRACTL_END; - - HRESULT hr = S_OK; - size_t retval = 0; - - EX_TRY - { - retval = GetLongPathNameHelperthatThrows(wszShortPath,wszBuffer); - } - EX_CATCH_HRESULT(hr); - - if (hr != S_OK) - { - retval = 0; - } - - return retval; -} - -#endif // !PLATFORM_UNIX - -void QCALLTYPE SecurityPolicy::GetDeviceName(LPCWSTR wszDriveLetter, QCall::StringHandleOnStack retDeviceName) -{ - QCALL_CONTRACT; - -} - - -FCIMPL0(void, SecurityPolicy::IncrementOverridesCount) -{ - FCALL_CONTRACT; - - Thread *pThread = GetThread(); - pThread->IncrementOverridesCount(); -} -FCIMPLEND - -FCIMPL0(void, SecurityPolicy::DecrementOverridesCount) -{ - FCALL_CONTRACT; - - Thread *pThread = GetThread(); - 
pThread->DecrementOverridesCount(); -} -FCIMPLEND - -FCIMPL0(void, SecurityPolicy::IncrementAssertCount) -{ - FCALL_CONTRACT; - - Thread *pThread = GetThread(); - pThread->IncrementAssertCount(); -} -FCIMPLEND - -FCIMPL0(void, SecurityPolicy::DecrementAssertCount) -{ - FCALL_CONTRACT; - - Thread *pThread = GetThread(); - pThread->DecrementAssertCount(); -} -FCIMPLEND - - - -BOOL QCALLTYPE SecurityPolicy::IsSameType(LPCWSTR pLeft, LPCWSTR pRight) -{ - QCALL_CONTRACT; - - BOOL bEqual = FALSE; - - BEGIN_QCALL; - -// @telesto: Is this #ifdef-#else-#endif required anymore? Used to be needed when security was bypassing -// loader and accessing Fusion interfaces. Seems like that's been fixed to use GetFusionNameFrom... - bEqual=TRUE; - - END_QCALL; - - return bEqual; -} - -FCIMPL1(FC_BOOL_RET, SecurityPolicy::SetThreadSecurity, CLR_BOOL fThreadSecurity) -{ - FCALL_CONTRACT; - - Thread* pThread = GetThread(); - BOOL inProgress = pThread->IsSecurityStackwalkInProgess(); - pThread->SetSecurityStackwalkInProgress(fThreadSecurity); - FC_RETURN_BOOL(inProgress); -} -FCIMPLEND - -FCIMPL0(FC_BOOL_RET, SecurityPolicy::IsDefaultThreadSecurityInfo) -{ - FCALL_CONTRACT; - - FC_RETURN_BOOL(SecurityStackWalk::HasFlagsOrFullyTrusted(0)); -} -FCIMPLEND - -#endif // CROSSGEN_COMPILE diff --git a/src/vm/securitypolicy.h b/src/vm/securitypolicy.h deleted file mode 100644 index d13ab04eb1..0000000000 --- a/src/vm/securitypolicy.h +++ /dev/null 
@@ -1,255 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-//
-
-
-#ifndef __SECURITYPOLICY_H__
-#define __SECURITYPOLICY_H__
-
-#include "crst.h"
-#include "objecthandle.h"
-#include "securityattributes.h"
-#include "securitydeclarativecache.h"
-#include "declsec.h"
-#include "fcall.h"
-#include "qcall.h"
-#include "cgensys.h"
-
-#define SPFLAGSASSERTION 0x01
-#define SPFLAGSUNMANAGEDCODE 0x02
-#define SPFLAGSSKIPVERIFICATION 0x04
-
-#define CORSEC_STACKWALK_HALTED 0x00000001 // Stack walk was halted
-#define CORSEC_FT_ASSERT 0x00000004 // Hit a FT-assert during the stackwalk
-
-// Forward declarations to avoid pulling in too many headers.
-class Frame;
-class FramedMethodFrame;
-class ClassLoader;
-class Thread;
-class CrawlFrame;
-class SystemNative;
-class NDirect;
-class SystemDomain;
-class AssemblySecurityDescriptor;
-class SharedSecurityDescriptor;
-class SecurityStackWalkData;
-class DemandStackWalk;
-class SecurityDescriptor;
-class COMPrincipal;
-
-#define CLR_CASOFF_MUTEX W("Global\\CLR_CASOFF_MUTEX")
-
-// This enumeration must be kept in sync with the managed System.Security.Policy.EvidenceTypeGenerated enum
-typedef enum
-{
- kAssemblySupplied, // Evidence supplied by the assembly itself
- kGac, // System.Security.Policy.GacInstalled
- kHash, // System.Security.Policy.Hash
- kPermissionRequest, // System.Security.Policy.PermissionRequestEvidence
- kPublisher, // System.Security.Policy.Publisher
- kSite, // System.Security.Policy.Site
- kStrongName, // System.Security.Policy.StrongName
- kUrl, // System.Security.Policy.Url
- kZone // System.Security.Policy.Zone
-}
-EvidenceType;
-
-namespace SecurityPolicy
-{
- // -----------------------------------------------------------
- // FCalls
- // -----------------------------------------------------------
-
- BOOL QCALLTYPE IsSameType(LPCWSTR pLeft, LPCWSTR pRight);
-
- FCDECL1(FC_BOOL_RET, SetThreadSecurity, CLR_BOOL fThreadSecurity);
-
- void QCALLTYPE GetGrantedPermissions(QCall::ObjectHandleOnStack retGranted, QCall::ObjectHandleOnStack retDenied, QCall::StackCrawlMarkHandle stackmark);
-
-
-
- FCDECL0(FC_BOOL_RET, IsDefaultThreadSecurityInfo);
- void QCALLTYPE _GetLongPathName(LPCWSTR wszPath, QCall::StringHandleOnStack retLongPath);
-
- BOOL QCALLTYPE IsLocalDrive(LPCWSTR wszPath);
-
- void QCALLTYPE GetDeviceName(LPCWSTR wszDriveLetter, QCall::StringHandleOnStack retDeviceName);
-
- FCDECL0(VOID, IncrementOverridesCount);
-
- FCDECL0(VOID, DecrementOverridesCount);
-
- FCDECL0(VOID, IncrementAssertCount);
-
- FCDECL0(VOID, DecrementAssertCount);
-
-
-//private:
- // -----------------------------------------------------------
- // Init methods
- // -----------------------------------------------------------
-
- // Calls all the security-related init methods
- // Callers:
- // EEStartupHelper
- void Start();
-
- // Calls all the security-related shutdown methods
- // Callers:
- // <currently unused> @TODO: shouldn't EEShutDownHelper call this?
- void Stop();
-
-
-
- // -----------------------------------------------------------
- // Policy
- // -----------------------------------------------------------
-
- // Returns TRUE if the assembly has permission to call unmanaged code
- // Callers:
- // CEEInfo::getNewHelper
- // MakeStubWorker
- // MethodDesc::DoPrestub
- BOOL CanCallUnmanagedCode(Module *pModule);
-
- // Throws a security exception
- // Callers:
- // JIT_SecurityUnmanagedCodeException
- void CreateSecurityException(__in_z const char *szDemandClass, DWORD dwFlags, OBJECTREF* pThrowable);
- DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);
-
- BOOL CanSkipVerification(DomainAssembly * pAssembly);
-
- // Like WszGetLongPathName, but it works with nonexistant files too
- size_t GetLongPathNameHelper( const WCHAR* wszShortPath, SString& wszBuffer);
-
-}
-
-struct SharedPermissionObjects
-{
- OBJECTHANDLE hPermissionObject; // Commonly used Permission Object
- BinderClassID idClass; // ID of class
- BinderMethodID idConstructor; // ID of constructor to call
- DWORD dwPermissionFlag; // Flag needed by the constructors (Only a single argument is assumed)
-};
-
-/******** Shared Permission Objects related constants *******/
-#define NUM_PERM_OBJECTS (sizeof(g_rPermObjectsTemplate) / sizeof(SharedPermissionObjects))
-
-// Constants to use with SecurityPermission
-#define SECURITY_PERMISSION_ASSERTION 1 // SecurityPermission.cs
-#define SECURITY_PERMISSION_UNMANAGEDCODE 2 // SecurityPermission.cs
-#define SECURITY_PERMISSION_SKIPVERIFICATION 4 // SecurityPermission.cs
-#define SECURITY_PERMISSION_CONTROLEVIDENCE 0x20 // SecurityPermission.cs
-#define SECURITY_PERMISSION_SERIALIZATIONFORMATTER 0X80 // SecurityPermission.cs
-#define SECURITY_PERMISSION_CONTROLPRINCIPAL 0x200 // SecurityPermission.cs
-#define SECURITY_PERMISSION_BINDINGREDIRECTS 0X2000 // SecurityPermission.cs
-
-// Constants to use with ReflectionPermission
-#define REFLECTION_PERMISSION_TYPEINFO 1 // ReflectionPermission.cs
-#define REFLECTION_PERMISSION_MEMBERACCESS 2 // ReflectionPermission.cs
-#define REFLECTION_PERMISSION_RESTRICTEDMEMBERACCESS 8 // ReflectionPermission.cs
-
-// PermissionState.Unrestricted
-#define PERMISSION_STATE_UNRESTRICTED 1 // PermissionState.cs
-
-// Array index in SharedPermissionObjects array
-// Note: these should all be permissions that implement IUnrestrictedPermission.
-// Any changes to these must be reflected in bcl\system\security\codeaccesssecurityengine.cs and the above table
-
-// special flags
-#define SECURITY_UNMANAGED_CODE 0
-#define SECURITY_SKIP_VER 1
-#define REFLECTION_TYPE_INFO 2
-#define SECURITY_ASSERT 3
-#define REFLECTION_MEMBER_ACCESS 4
-#define SECURITY_SERIALIZATION 5
-#define REFLECTION_RESTRICTED_MEMBER_ACCESS 6
-#define SECURITY_FULL_TRUST 7
-#define SECURITY_BINDING_REDIRECTS 8
-
-// special permissions
-#define UI_PERMISSION 9
-#define ENVIRONMENT_PERMISSION 10
-#define FILEDIALOG_PERMISSION 11
-#define FILEIO_PERMISSION 12
-#define REFLECTION_PERMISSION 13
-#define SECURITY_PERMISSION 14
-
-// additional special flags
-#define SECURITY_CONTROL_EVIDENCE 16
-#define SECURITY_CONTROL_PRINCIPAL 17
-
-// Objects corresponding to the above index could be Permission or PermissionSet objects.
-// Helper macro to identify which kind it is. If you're adding to the index above, please update this also.
-#define IS_SPECIAL_FLAG_PERMISSION_SET(x) ((x) == SECURITY_FULL_TRUST)
-
-// Class holding a grab bag of security stuff we need on a per-appdomain basis.
-struct SecurityContext
-{
- // Cached declarative permissions per method
- EEPtrHashTable m_pCachedMethodPermissionsHash;
- SimpleRWLock * m_prCachedMethodPermissionsLock;
- SecurityDeclarativeCache m_pSecurityDeclarativeCache;
- size_t m_nCachedPsetsSize;
-
- SecurityContext(LoaderHeap* pHeap) :
- m_prCachedMethodPermissionsLock(NULL),
- m_nCachedPsetsSize(0)
- {
- CONTRACTL {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- // initialize cache of method-level declarative security permissions
- // Note that the method-level permissions are stored elsewhere
- m_prCachedMethodPermissionsLock = new SimpleRWLock(PREEMPTIVE, LOCK_TYPE_DEFAULT);
- if (!m_pCachedMethodPermissionsHash.Init(100, &g_lockTrustMeIAmThreadSafe))
- ThrowOutOfMemory();
-
- m_pSecurityDeclarativeCache.Init (pHeap);
- }
-
- ~SecurityContext()
- {
- CONTRACTL {
- NOTHROW;
- GC_TRIGGERS;
- MODE_ANY;
- } CONTRACTL_END;
-
- // no need to explicitly delete the cache contents, since they will be deallocated with the AppDomain's heap
- if (m_prCachedMethodPermissionsLock) delete m_prCachedMethodPermissionsLock;
- }
-};
-
-#ifdef _DEBUG
-
-#define DBG_TRACE_METHOD(cf) \
- do { \
- MethodDesc * __pFunc = cf -> GetFunction(); \
- if (__pFunc) { \
- LOG((LF_SECURITY, LL_INFO1000, \
- " Method: %s.%s\n", \
- (__pFunc->m_pszDebugClassName == NULL) ? \
- "<null>" : __pFunc->m_pszDebugClassName, \
- __pFunc->GetName())); \
- } \
- } while (false)
-
-#define DBG_TRACE_STACKWALK(msg, verbose) LOG((LF_SECURITY, (verbose) ? LL_INFO10000 : LL_INFO1000, msg))
-#else //_DEBUG
-
-#define DBG_TRACE_METHOD(cf)
-#define DBG_TRACE_STACKWALK(msg, verbose)
-
-#endif //_DEBUG
-
-
-#endif // __SECURITYPOLICY_H__
diff --git a/src/vm/securitystackwalk.h b/src/vm/securitystackwalk.h
deleted file mode 100644
index 57be57f387..0000000000
--- a/src/vm/securitystackwalk.h
+++ /dev/null
@@ -1,261 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//
-
-
-//
-
-
-#ifndef __SECURITYSTACKWALK_H__
-#define __SECURITYSTACKWALK_H__
-
-#include "common.h"
-
-#include "object.h"
-#include "util.hpp"
-#include "fcall.h"
-#include "perfcounters.h"
-#include "security.h"
-#include "holder.h"
-
-class ApplicationSecurityDescriptor;
-class DemandStackWalk;
-class CountOverridesStackWalk;
-class AssertStackWalk;
-struct TokenDeclActionInfo;
-
-//-----------------------------------------------------------
-// SecurityStackWalk implements all the native methods
-// for the managed class System.Security.CodeAccessSecurityEngine.
-//-----------------------------------------------------------
-class SecurityStackWalk
-{
-protected:
-
- SecurityStackWalkType m_eStackWalkType;
- DWORD m_dwFlags;
-
-public:
- struct ObjectCache
- {
- struct gc
- {
- OBJECTREF object1;
- OBJECTREF object2;
- }
- m_sGC;
- AppDomain* m_pOriginalDomain;
-
-#ifndef DACCESS_COMPILE
- OBJECTREF GetObjects(AppDomain *pDomain, OBJECTREF *porObject2)
- {
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- *porObject2 = m_sGC.object2;
- return m_sGC.object1;
- };
- OBJECTREF GetObject(AppDomain *pDomain)
- {
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- return m_sGC.object1;
- };
- void SetObject(OBJECTREF orObject)
- {
- LIMITED_METHOD_CONTRACT;
- m_pOriginalDomain = ::GetAppDomain();
- m_sGC.object1 = orObject;
- }
-
- // Set the original values of both cached objects.
- void SetObjects(OBJECTREF orObject1, OBJECTREF orObject2)
- {
- LIMITED_METHOD_CONTRACT;
- m_pOriginalDomain = ::GetAppDomain();
- m_sGC.object1 = orObject1;
- m_sGC.object2 = orObject2;
- }
-
- void UpdateObject(AppDomain *pDomain, OBJECTREF orObject)
- {
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pDomain == ::GetAppDomain());
- _ASSERTE(m_pOriginalDomain == ::GetAppDomain());
- m_sGC.object1 = orObject;
- }
-#endif //!DACCESS_COMPILE
- ObjectCache()
- {
- m_pOriginalDomain = NULL;
- ZeroMemory(&m_sGC,sizeof(m_sGC));
- }
-
- } m_objects;
-
- SecurityStackWalk(SecurityStackWalkType eType, DWORD flags)
- {
- LIMITED_METHOD_CONTRACT;
- m_eStackWalkType = eType;
- m_dwFlags = flags;
- }
-
- // ----------------------------------------------------
- // FCalls
- // ----------------------------------------------------
-
- // FCall wrapper for CheckInternal
- static FCDECL3(void, Check, Object* permOrPermSetUNSAFE, StackCrawlMark* stackMark, CLR_BOOL isPermSet);
- static void CheckFramed(Object* permOrPermSetUNSAFE, StackCrawlMark* stackMark, CLR_BOOL isPermSet);
-
- // FCALL wrapper for quickcheckforalldemands
- static FCDECL0(FC_BOOL_RET, FCallQuickCheckForAllDemands);
- static FCDECL0(FC_BOOL_RET, FCallAllDomainsHomogeneousWithNoStackModifiers);
-
-
- static FCDECL3(void, GetZoneAndOrigin, Object* pZoneListUNSAFE, Object* pOriginListUNSAFE, StackCrawlMark* stackMark);
-
- // Do an imperative assert. (Check the for the permission and return the SecurityObject for the first frame)
- static FCDECL4(Object*, CheckNReturnSO, Object* permTokenUNSAFE, Object* permUNSAFE, StackCrawlMark* stackMark, INT32 create);
-
-
- // Do a demand for a special permission type
- static FCDECL2(void, FcallSpecialDemand, DWORD whatPermission, StackCrawlMark* stackMark);
-
- // ----------------------------------------------------
- // Checks
- // ----------------------------------------------------
-
- // Methods for checking grant and refused sets
-
-public:
- void CheckPermissionAgainstGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
-protected:
- void CheckSetAgainstGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
- void GetZoneAndOriginGrants(OBJECTREF refCS, OBJECTREF refGrants, OBJECTREF refRefused, AppDomain *pDomain, MethodDesc* pMethod, Assembly* pAssembly);
-
- // Methods for checking stack modifiers
- BOOL CheckPermissionAgainstFrameData(OBJECTREF refFrameData, AppDomain* pDomain, MethodDesc* pMethod);
- BOOL CheckSetAgainstFrameData(OBJECTREF refFrameData, AppDomain* pDomain, MethodDesc* pMethod);
-
-public:
- // ----------------------------------------------------
- // CAS Actions
- // ----------------------------------------------------
-
- // Native version of CodeAccessPermission.Demand()
- // Callers:
- // <Currently unused>
- static void Demand(SecurityStackWalkType eType, OBJECTREF demand);
-
- // Demand all of the permissions granted to an assembly, with the exception of any identity permissions
- static void DemandGrantSet(AssemblySecurityDescriptor *psdAssembly);
-
- // Native version of PermissionSet.Demand()
- // Callers:
- // CanAccess (ReflectionInvocation)
- // ReflectionSerialization::GetSafeUninitializedObject
- static void DemandSet(SecurityStackWalkType eType, OBJECTREF demand);
-
- // Native version of PermissionSet.Demand() that delays instantiating the PermissionSet object
- // Callers:
- // InvokeDeclarativeActions
- static void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction);
-
-
- static void ReflectionTargetDemand(DWORD dwPermission, AssemblySecurityDescriptor *psdTarget);
-
- static void ReflectionTargetDemand(DWORD dwPermission,
- AssemblySecurityDescriptor *psdTarget,
- DynamicResolver * pAccessContext);
-
- // Optimized demand for a well-known permission
- // Callers:
- // SecurityDeclarative::DoDeclarativeActions
- // Security::CheckLinkDemandAgainstAppDomain
- // TryDemand (ReflectionInvocation)
- // CanAccess (ReflectionInvocation)
- // ReflectionInvocation::CanValueSpecialCast
- // RuntimeTypeHandle::CreateInstance
- // RuntimeMethodHandle::InvokeMethod_Internal
- // InvokeArrayConstructor (ReflectionInvocation)
- // ReflectionInvocation::InvokeDispMethod
- // COMArrayInfo::CreateInstance
- // COMArrayInfo::CreateInstanceEx
- // COMDelegate::BindToMethodName
- // InvokeUtil::CheckArg
- // InvokeUtil::ValidField
- // RefSecContext::CallerHasPerm
- // MngStdItfBase::ForwardCallToManagedView
- // ObjectClone::Clone
- static void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission, StackCrawlMark* stackMark = NULL);
-
- // ----------------------------------------------------
- // Compressed Stack
- // ----------------------------------------------------
-public:
-
-#ifndef DACCESS_COMPILE
- FORCEINLINE static BOOL HasFlagsOrFullyTrustedIgnoreMode (DWORD flags);
- FORCEINLINE static BOOL HasFlagsOrFullyTrusted (DWORD flags);
-#endif // #ifndef DACCESS_COMPILE
-
-public:
- // Perf Counters
- FORCEINLINE static VOID IncrementSecurityPerfCounter()
- {
- CONTRACTL {
- MODE_ANY;
- GC_NOTRIGGER;
- NOTHROW;
- SO_TOLERANT;
- } CONTRACTL_END;
- COUNTER_ONLY(GetPerfCounters().m_Security.cTotalRTChecks++);
- }
-
- // ----------------------------------------------------
- // Misc
- // ----------------------------------------------------
- static bool IsSpecialRunFrame(MethodDesc *pMeth);
-
- static BOOL SkipAndFindFunctionInfo(INT32, MethodDesc**, OBJECTREF**, AppDomain **ppAppDomain = NULL);
- static BOOL SkipAndFindFunctionInfo(StackCrawlMark*, MethodDesc**, OBJECTREF**, AppDomain **ppAppDomain = NULL);
-
- // Check the provided demand set against the provided grant/refused set
- static void CheckSetHelper(OBJECTREF *prefDemand,
- OBJECTREF *prefGrant,
- OBJECTREF *prefDenied,
- AppDomain *pGrantDomain,
- MethodDesc *pMethod,
- OBJECTREF *pAssembly,
- CorDeclSecurity action);
-
- // Check for Link/Inheritance CAS permissions
- static void LinkOrInheritanceCheck(IAssemblySecurityDescriptor *pSecDesc, OBJECTREF refDemands, Assembly* pAssembly, CorDeclSecurity action);
-
-private:
- FORCEINLINE static BOOL QuickCheckForAllDemands(DWORD flags);
-
- // Tries to avoid unnecessary demands
- static BOOL PreCheck(OBJECTREF* orDemand, BOOL fDemandSet = FALSE);
- static DWORD GetPermissionSpecialFlags (OBJECTREF* orDemand);
-
- // Does a demand for a CodeAccessPermission : First does PreCheck. If PreCheck fails then calls Check_StackWalk
- static void Check_PLS_SW(BOOL isPermSet, SecurityStackWalkType eType, OBJECTREF* permOrPermSet, StackCrawlMark* stackMark);
-
- // Calls into Check_PLS_SW after GC protecting "perm "
- static void Check_PLS_SW_GC(BOOL isPermSet, SecurityStackWalkType eType, OBJECTREF permOrPermSet, StackCrawlMark* stackMark);
-
- // Walks the stack for a CodeAccessPermission demand (assumes PreCheck was already called)
- static void Check_StackWalk(SecurityStackWalkType eType, OBJECTREF* pPerm, StackCrawlMark* stackMark, BOOL isPermSet);
-
- // Walk the stack and count all the frame descriptors with an Assert, Deny, or PermitOnly
- static VOID UpdateOverridesCount();
-};
-
-
-#endif /* __SECURITYSTACKWALK_H__ */
-
diff --git a/src/vm/securitytransparentassembly.cpp b/src/vm/securitytransparentassembly.cpp
deleted file mode 100644
index b48451f41c..0000000000
--- a/src/vm/securitytransparentassembly.cpp
+++ /dev/null
@@ -1,1399 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securityTransparentAssembly.cpp
-//
-// Implementation for transparent code feature
-//
-//--------------------------------------------------------------------------
-
-
-#include "common.h"
-#include "field.h"
-#include "securitydeclarative.h"
-#include "security.h"
-#include "customattribute.h"
-#include "securitytransparentassembly.h"
-#include "securitymeta.h"
-#include "typestring.h"
-#include "comdelegate.h"
-
-#if defined(FEATURE_PREJIT)
-#include "compile.h"
-#endif
-
-#ifdef _DEBUG
-//
-// In debug builds of the CLR, we support a mode where transparency errors are not enforced with exceptions; instead
-// they are written to the CLR debug log. This allows us to migrate tests from the v2 to the v4 transparency model by
-// allowing test runs to continue to the end of the run, and keeping a log file of which assemblies need migration.
-//
-
-// static
-void SecurityTransparent::LogTransparencyError(Assembly *pAssembly, const LPCSTR szError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pAssembly));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S': %s\n",
- strAssemblyName.GetUnicode(),
- szError));
-}
-
-// static
-void SecurityTransparent::LogTransparencyError(MethodTable *pMT, const LPCSTR szError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMT));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- Assembly *pAssembly = pMT->GetAssembly();
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Type '%s': %s\n",
- strAssemblyName.GetUnicode(),
- pMT->GetDebugClassName(),
- szError));
-}
-
-// static
-void SecurityTransparent::LogTransparencyError(MethodDesc *pMD, const LPCSTR szError, MethodDesc *pTargetMD /* = NULL */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pMD));
- PRECONDITION(CheckPointer(szError));
- PRECONDITION(g_pConfig->LogTransparencyErrors());
- }
- CONTRACTL_END;
-
- Assembly *pAssembly = pMD->GetAssembly();
- const SString &strAssemblyName = pAssembly->GetManifestModule()->GetPath();
-
- if (pTargetMD == NULL)
- {
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Method '%s::%s': %s\n",
- strAssemblyName.GetUnicode(),
- pMD->m_pszDebugClassName,
- pMD->m_pszDebugMethodName,
- szError));
- }
- else
- {
- Assembly *pTargetAssembly = pTargetMD->GetAssembly();
- const SString &strTargetAssemblyName = pTargetAssembly->GetManifestModule()->GetPath();
-
- LOG((LF_SECURITY,
- LL_INFO1000,
- "Security Transparency Violation: Assembly '%S' - Method '%s::%s' - Target Assembly '%S': %s\n",
- strAssemblyName.GetUnicode(),
- pMD->m_pszDebugClassName,
- pMD->m_pszDebugMethodName,
- strTargetAssemblyName.GetUnicode(),
- szError));
- }
-}
-
-#endif // _DEBUG
-
-// There are a few places we throw transparency method access exceptions that aren't "real"
-// method access exceptions - such as unverifiable code in a transparent assembly, and having a critical
-// attribute on a transparent method. Those continue to use the one-MethodDesc form of throwing -
-// everything else should use the standard ::ThrowMethodAccessException call
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowMethodAccessException(MethodDesc* pMD,
- DWORD dwMessageId /* = IDS_CRITICAL_METHOD_ACCESS_DENIED */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // throw method access exception
- StackSString strMethod;
- TypeString::AppendMethod(strMethod, pMD, pMD->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature);
- COMPlusThrowHR(COR_E_METHODACCESS, dwMessageId, strMethod.GetUnicode());
-}
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowTypeLoadException(MethodDesc* pMethod, DWORD dwMessageID /* = IDS_METHOD_INHERITANCE_RULES_VIOLATED */)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pMethod));
- }
- CONTRACTL_END;
-
- // Throw an exception here
- StackSString strMethod;
- StackScratchBuffer buffer;
- TypeString::AppendMethod(strMethod, pMethod, pMethod->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets | TypeString::FormatSignature);
- pMethod->GetAssembly()->ThrowTypeLoadException(strMethod.GetUTF8(buffer), dwMessageID);
-}
-
-// static
-void DECLSPEC_NORETURN SecurityTransparent::ThrowTypeLoadException(MethodTable *pMT)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pMT));
- }
- CONTRACTL_END;
-
- // Throw an exception here
- StackScratchBuffer buffer;
- SString strType;
- TypeString::AppendType(strType, TypeHandle(pMT), TypeString::FormatNamespace | TypeString::FormatAngleBrackets );
- pMT->GetAssembly()->ThrowTypeLoadException(strType.GetUTF8(buffer), IDS_TYPE_INHERITANCE_RULES_VIOLATED);
-}
-
-static BOOL IsTransparentCallerAllowed(MethodDesc *pCallerMD, MethodDesc *pCalleeMD, SecurityTransparencyError *pError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- PRECONDITION(CheckPointer(pError, NULL_OK));
- PRECONDITION(pCallerMD->IsTransparent());
- }
- CONTRACTL_END;
-
- // If the target is critical, and not treat as safe, then we cannot allow the call
- if (Security::IsMethodCritical(pCalleeMD) && !Security::IsMethodSafeCritical(pCalleeMD))
- {
- if (pError != NULL)
- {
- *pError = SecurityTransparencyError_CallCriticalMethod;
- }
-
- return FALSE;
- }
-
- return TRUE;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Convert the critical member to a LinkDemand for FullTrust, and convert that LinkDemand to a
-// full demand. If the current call stack allows this conversion to succeed, this method returns. Otherwise
-// a security exception is thrown.
-//
-// Arguments:
-// pCallerMD - The method calling the critical method
-//
-
-static void ConvertCriticalMethodToLinkDemand(MethodDesc *pCallerMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(pCallerMD->IsTransparent());
- PRECONDITION(pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods());
- }
- CONTRACTL_END;
-
-}
-
-// static
-BOOL SecurityTransparent::CheckCriticalAccess(AccessCheckContext* pContext,
- MethodDesc* pOptionalTargetMethod,
- FieldDesc* pOptionalTargetField,
- MethodTable * pOptionalTargetType)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- PRECONDITION(CheckPointer(pContext));
- }
- CONTRACTL_END;
-
- // At most one of these should be non-NULL
- _ASSERTE(1 >= ((pOptionalTargetMethod ? 1 : 0) +
- (pOptionalTargetField ? 1 : 0) +
- (pOptionalTargetType ? 1 : 0)));
-
- // okay caller is transparent, additional checks needed
- BOOL fIsTargetCritical = FALSE; // check if target is critical
- BOOL fIsTargetSafe = FALSE; // check if target is marked safe
- Assembly *pTargetAssembly = NULL;
-
- if (pOptionalTargetMethod != NULL)
- {
- fIsTargetCritical = IsMethodCritical(pOptionalTargetMethod);
- fIsTargetSafe = IsMethodSafeCritical(pOptionalTargetMethod);
- pTargetAssembly = pOptionalTargetMethod->GetAssembly();
- }
- else if (pOptionalTargetField != NULL)
- {
- FieldSecurityDescriptor fieldSecurityDescriptor(pOptionalTargetField);
- fIsTargetCritical = fieldSecurityDescriptor.IsCritical();
- fIsTargetSafe = fieldSecurityDescriptor.IsTreatAsSafe();
- pTargetAssembly = pOptionalTargetField->GetModule()->GetAssembly();
- }
- else if (pOptionalTargetType != NULL)
- {
- fIsTargetCritical = IsTypeAllCritical(pOptionalTargetType); // check for only all critical classes
- fIsTargetSafe = IsTypeSafeCritical(pOptionalTargetType);
- pTargetAssembly = pOptionalTargetType->GetAssembly();
- }
-
- // If the target is transparent or safe critical, then no further checks are needed. Otherwise, if a
- // legacy caller is targeting a new critical method, we may be able to allow the call by converting
- // the critical method to a LinkDemand for FullTrust and converting the LinkDemand to a full demand.
- //
- // This allows for the case where a v2 transparent assembly called a method that was proteced by a
- // LinkDemand in v2 and followed our suggested path of converting to being critical in v4. By treating
- // the v4 critical method as if it were protected with a LinkDmeand instead, we're simply reversing this
- // conversion to provide compatible behavior with legacy binaries
- if (!fIsTargetCritical || fIsTargetSafe)
- {
- return TRUE;
- }
-
- if (pContext->IsCalledFromInterop())
- return TRUE;
-
- MethodDesc* pCurrentMD = pContext->GetCallerMethod();
- MethodTable* pCurrentMT = pContext->GetCallerMT();
-
- // Not from interop but the caller is NULL, this can only happen
- // when we are checking from a Type/Assembly.
- if (pCurrentMD != NULL)
- {
- // TODO: need to probably CheckCastToClass as well..
- if (!IsMethodTransparent(pCurrentMD))
- {
- // Return TRUE if caller is NULL (interop caller) or critical.
- return TRUE;
- }
-
- // On the coreCLR, a method can be transparent even if the containing type is marked Critical.
- // This will happen when that method is an override of a base transparent method, and the type that
- // contains the override is marked Critical. And that's the only case it can happen.
- // This particular case is not a failure. To state this another way, from a security transpararency perspective,
- // a method will always have access to the type that it is a member of.
- if (pOptionalTargetType == pCurrentMD->GetMethodTable())
- {
- return TRUE;
- }
-
- // an attached profiler may wish to have these checks suppressed
- if (Security::BypassSecurityChecksForProfiler(pCurrentMD))
- {
- return TRUE;
- }
-
- if (pTargetAssembly != NULL &&
- pTargetAssembly->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand() &&
- pCurrentMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods())
- {
- // Convert the critical member to a LinkDemand for FullTrust, and convert that LinkDemand to a
- // full demand. If the resulting full demand for FullTrust is successful, then we'll allow the access
- // to the critical method to succeed
- ConvertCriticalMethodToLinkDemand(pCurrentMD);
- return TRUE;
- }
- }
- else if (pCurrentMT != NULL)
- {
- if (!IsTypeTransparent(pCurrentMT))
- {
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-// Determine if a method is allowed to perform a CAS assert within the transparency rules. Generally, only
-// critical code may assert. However, for compatibility with v2.0 we allow asserts from transparent code if
-// the following criteria are met:
-// 1. The assembly is a true v2.0 binary, and is not just using v2.0 transparency rules via the
-// SecurityRuleSet.Level1 annotation.
-// 2. The assembly is agnostic to transparency (that is, if it were fully trusted it would be
-// opprotunistically critical).
-// 3. We are currently in a heterogenous AppDomain.
-//
-// This compensates for the fact that while partial trust code could have asserted in v2.0, it can no longer
-// assert in v4.0 as we force it to be transparent. While the v2.0 transparency rules still don't allow
-// asserting, assemblies that would have been critical in v2.0 are allowed to continue asserting in v4.0.
-
-// static
-BOOL SecurityTransparent::IsAllowedToAssert(MethodDesc *pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(CheckPointer(pMD));
- }
- CONTRACTL_END;
-
- // Critical code is always allowed to assert
- if (IsMethodCritical(pMD))
- {
- return TRUE;
- }
-
- // On CoreCLR only critical code may ever assert - there are no compatibility reasons to allow
- // transparent asserts.
- return FALSE;
-}
-
-// Functor class to aid in determining if a type requires a transparency check
-class TypeRequiresTransparencyCheckFunctor
-{
-private:
- bool m_requiresTransparencyCheck;
- bool m_checkForLinkDemands;
-
-public:
- TypeRequiresTransparencyCheckFunctor(bool checkForLinkDemands) :
- m_requiresTransparencyCheck(false),
- m_checkForLinkDemands(checkForLinkDemands)
- {
- LIMITED_METHOD_CONTRACT;
- }
-
- TypeRequiresTransparencyCheckFunctor(const TypeRequiresTransparencyCheckFunctor &other); // not implemented
-
- bool RequiresTransparencyCheck() const
- {
- LIMITED_METHOD_CONTRACT;
- return m_requiresTransparencyCheck;
- }
-
- void operator()(MethodTable *pMT)
- {
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
-
- // We only need to do a check if so far none of the other component typpes required a transparency
- // check. Critical, but not safe critical, types require transparency checks of their callers.
- if (!m_requiresTransparencyCheck)
- {
- m_requiresTransparencyCheck = Security::IsTypeCritical(pMT) && !Security::IsTypeSafeCritical(pMT) &&
- (!m_checkForLinkDemands || pMT->GetAssembly()->GetSecurityTransparencyBehavior()->CanCriticalMembersBeConvertedToLinkDemand());
- }
- }
-};
-
-// Determine if accessing a type requires doing a transparency check - this checks to see if the type
-// itself, or any of its generic variables are security critical.
-
-// static
-bool SecurityTransparent::TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- TypeRequiresTransparencyCheckFunctor typeChecker(checkForLinkDemands);
- type.ForEachComponentMethodTable(typeChecker);
- return typeChecker.RequiresTransparencyCheck();
-}
-
-CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(MethodDesc * pMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_ANY;
- }
- CONTRACTL_END;
- /* XXX Fri 1/12/2007
- * This code is cloned from security.inl!Security::CanSkipVerification(MethodDesc, BOOL).
- */
- // Special case the System.Object..ctor:
- // System.Object..ctor is not verifiable according to current verifier rules (that require to call the
- // base class ctor). But since we want System.Object..ctor() to be marked transparent, it cannot be
- // unverifiable (telesto security rules prohibit transparent code from being unverifiable)
-
-#ifndef DACCESS_COMPILE
- if (g_pObjectCtorMD == pMD)
- return CORINFO_VERIFICATION_CAN_SKIP;
-#endif //!DACCESS_COMPILE
-
- // If a profiler is attached, we may want to bypass verification as well
- if (Security::BypassSecurityChecksForProfiler(pMD))
- {
- return CORINFO_VERIFICATION_CAN_SKIP;
- }
-
- BOOL hasSkipVerificationPermisson = false;
- DomainAssembly * pDomainAssembly = pMD->GetAssembly()->GetDomainAssembly();
- hasSkipVerificationPermisson = Security::CanSkipVerification(pDomainAssembly);
-
- CorInfoCanSkipVerificationResult canSkipVerif = hasSkipVerificationPermisson ? CORINFO_VERIFICATION_CAN_SKIP : CORINFO_VERIFICATION_CANNOT_SKIP;
-
-
- return canSkipVerif;
-}
-
-CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(DomainAssembly * pAssembly)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_PREEMPTIVE;
- }
- CONTRACTL_END;
-
- BOOL hasSkipVerificationPermisson = Security::CanSkipVerification(pAssembly);
-
- CorInfoCanSkipVerificationResult canSkipVerif = hasSkipVerificationPermisson ? CORINFO_VERIFICATION_CAN_SKIP : CORINFO_VERIFICATION_CANNOT_SKIP;
-
- // If the assembly has permission to skip verification, but its transparency model requires that
- // transparency can only be skipped with a runtime demand, then we need to make sure that there is a
- // runtime check done.
- if (hasSkipVerificationPermisson)
- {
- // In CoreCLR, do not enable transparency checks here. We depend on this method being "honest" in
- // JITCanSkipVerification to skip transparency checks on profile assemblies.
- }
-
- return canSkipVerif;
-}
-
-// Determine if a method can quickly exit a runtime callout from the JIT - a true return value indicates
-// that the callout is not needed, false means that we cannot quicky exit
-
-// static
-bool SecurityTransparent::SecurityCalloutQuickCheck(MethodDesc *pCallerMD)
-{
- CONTRACTL
- {
- THROWS;
- GC_NOTRIGGER;
- MODE_COOPERATIVE;
- SO_TOLERANT;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(pCallerMD->HasCriticalTransparentInfo());
- }
- CONTRACTL_END;
-
- // In coreclr, we modified the logic in the callout to also do some transparency method access checks
- // These checks need to happen regardless of trust level and we shouldn't be bailing out early
- // just because we happen to be in Full Trust
-
- return false;
-}
-
-CorInfoIsAccessAllowedResult SecurityTransparent::RequiresTransparentAssemblyChecks(MethodDesc* pCallerMD,
- MethodDesc* pCalleeMD,
- SecurityTransparencyError *pError)
-{
- LIMITED_METHOD_CONTRACT;
- return RequiresTransparentCodeChecks(pCallerMD, pCalleeMD, pError);
-}
-
-CorInfoIsAccessAllowedResult SecurityTransparent::RequiresTransparentCodeChecks(MethodDesc* pCallerMD,
- MethodDesc* pCalleeMD,
- SecurityTransparencyError *pError)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- PRECONDITION(CheckPointer(pCallerMD));
- PRECONDITION(CheckPointer(pCalleeMD));
- PRECONDITION(CheckPointer(pError, NULL_OK));
- PRECONDITION(!pCalleeMD->IsILStub());
- }
- CONTRACTL_END;
-
- // check if the caller assembly is transparent and NOT an interception stub (e.g. marshalling)
- bool doChecks = !pCallerMD->IsILStub() && IsMethodTransparent(pCallerMD);
-
- if (doChecks && Security::IsTransparencyEnforcementEnabled())
- {
- if (!IsTransparentCallerAllowed(pCallerMD, pCalleeMD, pError))
- {
- // intercept the call to throw a MAE at runtime (more debuggable than throwing MAE at JIT-time)
- // IsTransparentCallerAllowed will have set pError if necessary
- return CORINFO_ACCESS_RUNTIME_CHECK;
- }
-
- // Check to see if the callee has a LinkDemand, if so we may need to intercept the call.
- if (pCalleeMD->RequiresLinktimeCheck())
- {
- if (pCalleeMD->RequiresLinkTimeCheckHostProtectionOnly())
- {
- // exclude HPA which are marked as LinkDemand and there is no HostProtection enabled currently
- return CORINFO_ACCESS_ALLOWED;
- }
-
- // There was a reason other than simply conditional APTCA that the method required a linktime
- // check - intercept the call later.
- if (pError != NULL) - { - *pError = SecurityTransparencyError_CallLinkDemand; - } - - return CORINFO_ACCESS_RUNTIME_CHECK; - } - } - - return CORINFO_ACCESS_ALLOWED; -} - - -#ifndef CROSSGEN_COMPILE - -// Perform appropriate Transparency checks if the caller to the Load(byte[] ) without passing in an input Evidence is Transparent -VOID SecurityTransparent::PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallerMD, AssemblySecurityDescriptor* pLoadedSecDesc) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END - -} - -static void ConvertLinkDemandToFullDemand(MethodDesc* pCallerMD, MethodDesc* pCalleeMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - PRECONDITION(CheckPointer(pCallerMD)); - PRECONDITION(CheckPointer(pCalleeMD)); - PRECONDITION(pCallerMD->IsTransparent()); - } - CONTRACTL_END; - - if (!pCalleeMD->RequiresLinktimeCheck() || - pCalleeMD->RequiresLinkTimeCheckHostProtectionOnly()) - { - return; - } - - if (!Security::IsTransparencyEnforcementEnabled()) - { - return; - } - - // Profilers may wish to suppress linktime checks for methods they're profiling - if (Security::BypassSecurityChecksForProfiler(pCallerMD)) - { - return; - } - - struct - { - OBJECTREF refClassNonCasDemands; - OBJECTREF refClassCasDemands; - OBJECTREF refMethodNonCasDemands; - OBJECTREF refMethodCasDemands; - OBJECTREF refThrowable; - } - gc; - ZeroMemory(&gc, sizeof(gc)); - GCPROTECT_BEGIN(gc); - - LinktimeCheckReason linktimeCheckReason = Security::GetLinktimeCheckReason(pCalleeMD, - &gc.refClassCasDemands, - &gc.refClassNonCasDemands, - &gc.refMethodCasDemands, - &gc.refMethodNonCasDemands); - - - - // The following logic turns link demands on the target method into full stack walks - - if ((linktimeCheckReason & LinktimeCheckReason_CasDemand) || - (linktimeCheckReason & LinktimeCheckReason_NonCasDemand)) - { - // If we found a link demand, then we need to make sure that both the callee's transparency model - 
// allows for it to satisfy a link demand. We check both since a v4 caller calling a v2 assembly may - // be attempting to satisfy a LinkDemand which the v2 assembly has not yet had a chance to remove. - if (!pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods() && - !pCalleeMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallLinkDemandMethods() && - (gc.refClassCasDemands != NULL || gc.refMethodCasDemands != NULL)) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling a LinkDemand protected method", pCalleeMD); - } - if (!g_pConfig->DisableTransparencyEnforcement()) -#endif // _DEBUG - { - ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_LINKDEMAND); - } - } - - // CAS Link Demands - if (gc.refClassCasDemands != NULL) - Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refClassCasDemands); - if (gc.refMethodCasDemands != NULL) - Security::DemandSet(SSWT_LATEBOUND_LINKDEMAND, gc.refMethodCasDemands); - - // Non-CAS demands are not applied against a grant set, they're standalone. - if (gc.refClassNonCasDemands != NULL) - Security::CheckNonCasDemand(&gc.refClassNonCasDemands); - if (gc.refMethodNonCasDemands != NULL) - Security::CheckNonCasDemand(&gc.refMethodNonCasDemands); - } - - - // - // Make sure that the callee is allowed to call unmanaged code if the target is native. 
- // - - if (linktimeCheckReason & LinktimeCheckReason_NativeCodeCall) - { -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling unmanaged code"); - } -#endif // _DEBUG - - if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallUnmanagedCode()) - { - } - else - { - ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_NATIVE); - } - } - - GCPROTECT_END(); -} - - -VOID SecurityTransparent::EnforceTransparentAssemblyChecks(MethodDesc* pCallerMD, MethodDesc* pCalleeMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - PRECONDITION(CheckPointer(pCallerMD)); - PRECONDITION(Security::IsMethodTransparent(pCallerMD)); - PRECONDITION(CheckPointer(pCalleeMD)); - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - if (!Security::IsTransparencyEnforcementEnabled()) - { - return; - } - - // Profilers may wish to suppress transparency checks for methods they're profiling - if (Security::BypassSecurityChecksForProfiler(pCallerMD)) - { - return; - } - - // if target is critical, and not marked as TreatAsSafe, Access ERROR. - if (Security::IsMethodCritical(pCalleeMD) && !Security::IsMethodSafeCritical(pCalleeMD)) - { - - const SecurityTransparencyBehavior *pCalleeTransparency = - pCalleeMD->GetAssembly()->GetSecurityTransparencyBehavior(); - const SecurityTransparencyBehavior *pCallerTransparency = - pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior(); - - // If critical methods in the target can be converted to a link demand for legacy callers, then we - // need to do that conversion. Otherwise, this access is disallowed. 
- if (pCalleeTransparency->CanCriticalMembersBeConvertedToLinkDemand() && - pCallerTransparency->CanTransparentCodeCallLinkDemandMethods()) - { - ConvertCriticalMethodToLinkDemand(pCallerMD); - } - else - { - // Conversion to a LinkDemand was not allowed, so we need to -#ifdef _DEBUG - if (g_pConfig->LogTransparencyErrors()) - { - LogTransparencyError(pCallerMD, "Transparent method accessing a critical method", pCalleeMD); - } -#endif // _DEBUG - ::ThrowMethodAccessException(pCallerMD, pCalleeMD, TRUE, IDS_E_CRITICAL_METHOD_ACCESS_DENIED); - } - } - - ConvertLinkDemandToFullDemand(pCallerMD, pCalleeMD); -} - - -VOID SecurityTransparent::EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCalleeMD) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - PRECONDITION(CheckPointer(pDelegateMT)); - PRECONDITION(CheckPointer(pCalleeMD)); - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - // We only enforce delegate binding rules in partial trust - if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted()) - return; - - StackSString strMethod; - TypeString::AppendMethod(strMethod, pCalleeMD, pCalleeMD->GetClassInstantiation(), TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature); - StackSString strDelegateType; - TypeString::AppendType(strDelegateType, pDelegateMT, TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature); - - COMPlusThrowHR(COR_E_METHODACCESS, IDS_E_DELEGATE_BINDING_TRANSPARENCY, strDelegateType.GetUnicode(), strMethod.GetUnicode()); -} - -#endif // CROSSGEN_COMPILE - - -BOOL SecurityTransparent::IsMethodTransparent(MethodDesc* pMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - // Is transparency info cached? 
- if (pMD->HasCriticalTransparentInfo()) - { - return !pMD->IsCritical(); - } - - MethodSecurityDescriptor methSecurityDescriptor(pMD); - return !methSecurityDescriptor.IsCritical(); -} - -BOOL SecurityTransparent::IsMethodCritical(MethodDesc* pMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - // Is transparency info cached? - if (pMD->HasCriticalTransparentInfo()) - { - return pMD->IsCritical(); - } - - MethodSecurityDescriptor methSecurityDescriptor(pMD); - return methSecurityDescriptor.IsCritical(); -} - -// Returns True if a method is SafeCritical (=> not Transparent and not Critical) -BOOL SecurityTransparent::IsMethodSafeCritical(MethodDesc* pMD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMD)); - } - CONTRACTL_END; - - // Is transparency info cached? - if (pMD->HasCriticalTransparentInfo()) - { - return (pMD->IsCritical() && pMD->IsTreatAsSafe()); - } - - MethodSecurityDescriptor methSecurityDescriptor(pMD); - return (methSecurityDescriptor.IsCritical() && methSecurityDescriptor.IsTreatAsSafe()); -} - -BOOL SecurityTransparent::IsTypeCritical(MethodTable *pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - EEClass *pClass = pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - return pClass->IsCritical(); - } - - TypeSecurityDescriptor typeSecurityDescriptor(pMT); - return typeSecurityDescriptor.IsCritical(); -} - -BOOL SecurityTransparent::IsTypeSafeCritical(MethodTable *pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - EEClass *pClass = pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - return pClass->IsCritical() && pClass->IsTreatAsSafe(); - } - - TypeSecurityDescriptor typeSecurityDescriptor(pMT); - return typeSecurityDescriptor.IsCritical() && - 
typeSecurityDescriptor.IsTreatAsSafe(); -} - -BOOL SecurityTransparent::IsTypeTransparent(MethodTable *pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - EEClass *pClass = pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - return !pClass->IsCritical(); - } - - TypeSecurityDescriptor typeSecurityDescriptor(pMT); - return !typeSecurityDescriptor.IsCritical(); -} - -// Returns TRUE if a type is transparent and contains only transparent members -// static -BOOL SecurityTransparent::IsTypeAllTransparent(MethodTable * pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - EEClass *pClass = pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - return pClass->IsAllTransparent(); - } - - TypeSecurityDescriptor typeSecurityDescriptor(pMT); - return typeSecurityDescriptor.IsAllTransparent(); -} - -BOOL SecurityTransparent::IsTypeAllCritical(MethodTable * pMT) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pMT)); - } - CONTRACTL_END; - - EEClass *pClass = pMT->GetClass(); - if (pClass->HasCriticalTransparentInfo()) - { - return pClass->IsAllCritical(); - } - - TypeSecurityDescriptor typeSecurityDescriptor(pMT); - return typeSecurityDescriptor.IsAllCritical(); -} - -BOOL SecurityTransparent::IsFieldTransparent(FieldDesc* pFD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - FieldSecurityDescriptor fsd(pFD); - return !fsd.IsCritical(); -} - -BOOL SecurityTransparent::IsFieldCritical(FieldDesc* pFD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - FieldSecurityDescriptor fsd(pFD); - return fsd.IsCritical(); -} - -// Returns True if a method is SafeCritical (=> not Transparent and not Critical) -BOOL 
SecurityTransparent::IsFieldSafeCritical(FieldDesc* pFD) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - PRECONDITION(CheckPointer(pFD)); - } - CONTRACTL_END; - - FieldSecurityDescriptor fsd(pFD); - return fsd.IsCritical() && fsd.IsTreatAsSafe(); -} - -// Returns True if the token is transparent -BOOL SecurityTransparent::IsTokenTransparent(Module *pModule, mdToken tkToken) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_ANY; - } - CONTRACTL_END; - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pModule->GetAssembly()); - if (pMsd->IsAllCritical()) - { - return FALSE; - } - - const TokenSecurityDescriptorFlags criticalMask = TokenSecurityDescriptorFlags_AllCritical | - TokenSecurityDescriptorFlags_Critical | - TokenSecurityDescriptorFlags_SafeCritical; - TokenSecurityDescriptor tokenSecurityDescriptor(pModule, tkToken); - return !(tokenSecurityDescriptor.GetMetadataFlags() & criticalMask); -} - -// Fuctor type to do perform class access checks on any disallowed transparent -> critical accesses. 
-class DoSecurityClassAccessChecksFunctor -{ -private: - MethodDesc *m_pCallerMD; - CorInfoSecurityRuntimeChecks m_check; - -public: - DoSecurityClassAccessChecksFunctor(MethodDesc *pCallerMD, CorInfoSecurityRuntimeChecks check) - : m_pCallerMD(pCallerMD), - m_check(check) - { - LIMITED_METHOD_CONTRACT; - } - - DoSecurityClassAccessChecksFunctor(const DoSecurityClassAccessChecksFunctor &other); // not implemented - - void operator()(MethodTable *pMT) - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - // We can get caller checks of 0 if we're in AlwaysInsertCallout mode, so make sure to do all of our - // work under checks for specific flags - if (m_check & CORINFO_ACCESS_SECURITY_TRANSPARENCY) - { - StaticAccessCheckContext accessContext(m_pCallerMD); - - if (!Security::CheckCriticalAccess(&accessContext, NULL, NULL, pMT)) - { - ThrowTypeAccessException(m_pCallerMD, pMT, TRUE, IDS_E_CRITICAL_TYPE_ACCESS_DENIED); - } - } - } -}; - -// Check that a calling method is allowed to access a type handle for security reasons. This checks: -// 1. That transparency allows the caller to use the type -// -// The method returns if the checks succeed and throws on error. 
-// -// static -void SecurityTransparent::DoSecurityClassAccessChecks(MethodDesc *pCallerMD, - const TypeHandle &calleeTH, - CorInfoSecurityRuntimeChecks check) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - DoSecurityClassAccessChecksFunctor classAccessChecks(pCallerMD, check); - calleeTH.ForEachComponentMethodTable(classAccessChecks); -} - -// -// Transparency behavior implementations -// - -//--------------------------------------------------------------------------------------- -// -// Transparency behavior implementation for v4 and CoreCLR assemblies -// - -class TransparencyBehaviorImpl : public ISecurityTransparencyImpl -{ -public: - - // Get bits that indicate how transparency should behave in different situations - virtual SecurityTransparencyBehaviorFlags GetBehaviorFlags() const - { - LIMITED_METHOD_CONTRACT; - return SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck | - SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand | - SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced | - SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent | - SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods; - } - - // Transparency field behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (any) Critical - // SafeCritical Safe critical - // TAS (no critical) No effect - // TAS (with any critical) Safe critical - virtual FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - FieldSecurityDescriptorFlags fieldFlags = FieldSecurityDescriptorFlags_None; - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsCritical; - - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - fieldFlags |= 
FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical) - { - fieldFlags |= FieldSecurityDescriptorFlags_IsCritical | FieldSecurityDescriptorFlags_IsTreatAsSafe; - } - - return fieldFlags; - } - - // Transparency module behavior mappings for an introduced method: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (any) Critical - // SafeCritical Safe critical - // TAS (no critical) No effect - // TAS (with any critical) Safe critical - virtual MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - MethodSecurityDescriptorFlags methodFlags = MethodSecurityDescriptorFlags_None; - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - methodFlags |= MethodSecurityDescriptorFlags_IsCritical; - - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - methodFlags |= MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical) - { - methodFlags |= MethodSecurityDescriptorFlags_IsCritical | - MethodSecurityDescriptorFlags_IsTreatAsSafe; - } - - return methodFlags; - } - - // Transparency module behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // APTCA Mixed transparency + APTCA - // Critical (scoped) All critical + APTCA - // Critical (all) All critical + APTCA - // SafeCritical No effect - // TAS (no critical) No effect - // TAS (with scoped critical) All safe critical + APTCA - // TAS (with all critical) All safe critical + APTCA - // Transparent All transparent + APTCA - // - // If the assembly has no attributes, then it will be opportunistically critical. - // - // APTCA is granted to all assemblies because we rely upon transparent code being unable to call critical - // code to enforce the APTCA check. 
Since all partial trust code must be transparent, this provides the - // same effect. - virtual ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - ModuleSecurityDescriptorFlags moduleFlags = ModuleSecurityDescriptorFlags_None; - -#if defined(FEATURE_CORESYSTEM) - if (tokenFlags & TokenSecurityDescriptorFlags_APTCA) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA; - } -#endif // defined(FEATURE_CORESYSTEM) - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - // We don't pay attention to the critical scope if we're not a legacy assembly - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllCritical; - - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsTreatAsSafe; - } - } - - if (tokenFlags & TokenSecurityDescriptorFlags_Transparent) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent; - } - - // If we didn't see APTCA/CA, Transparent, or any form of Critical, then the assembly is opportunistically - // critical. - const ModuleSecurityDescriptorFlags transparencyMask = ModuleSecurityDescriptorFlags_IsAPTCA | - ModuleSecurityDescriptorFlags_IsAllTransparent | - ModuleSecurityDescriptorFlags_IsAllCritical; - if (!(moduleFlags & transparencyMask)) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical; - } - - // If the token asks to not have IL verification done in full trust, propigate that to the module - if (tokenFlags & TokenSecurityDescriptorFlags_SkipFullTrustVerification) - { - moduleFlags |= ModuleSecurityDescriptorFlags_SkipFullTrustVerification; - } - - // We rely on transparent / critical checks to provide APTCA enforcement in the v4 model, so all assemblies - // get APTCA. 
- moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA; - - return moduleFlags; - } - - // Transparency type behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (any) All critical - // SafeCritical All safe critical - // TAS (no critical) No effect on the type, but save TAS bit since members of the type may be critical - // TAS (with any critical) All SafeCritical - virtual TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - TypeSecurityDescriptorFlags typeFlags = TypeSecurityDescriptorFlags_None; - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - typeFlags |= TypeSecurityDescriptorFlags_IsCritical | - TypeSecurityDescriptorFlags_IsAllCritical; - } - - // SafeCritical always means all critical + TAS - if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical) - { - typeFlags |= TypeSecurityDescriptorFlags_IsCritical | - TypeSecurityDescriptorFlags_IsAllCritical | - TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - - return typeFlags; - } -}; - -// -// Shared transparency behavior objects -// - -//--------------------------------------------------------------------------------------- -// -// Access a shared security transparency behavior object, creating it if the object has -// not yet been used. 
-// - -template <class T> -const SecurityTransparencyBehavior *GetOrCreateTransparencyBehavior(SecurityTransparencyBehavior **ppBehavior) -{ - CONTRACT(const SecurityTransparencyBehavior *) - { - THROWS; - GC_TRIGGERS; - PRECONDITION(CheckPointer(ppBehavior)); - POSTCONDITION(CheckPointer(RETVAL)); - } - CONTRACT_END; - - if (*ppBehavior == NULL) - { - NewHolder<ISecurityTransparencyImpl> pImpl(new T); - NewHolder<SecurityTransparencyBehavior> pBehavior(new SecurityTransparencyBehavior(pImpl)); - - SecurityTransparencyBehavior *pPrevBehavior = - InterlockedCompareExchangeT(ppBehavior, pBehavior.GetValue(), NULL); - - if (pPrevBehavior == NULL) - { - pBehavior.SuppressRelease(); - pImpl.SuppressRelease(); - } - } - - RETURN(*ppBehavior); -} - -// Transparency behavior object for v4 transparent assemblies -// static -SecurityTransparencyBehavior *SecurityTransparencyBehavior::s_pStandardTransparencyBehavior = NULL; - - -//--------------------------------------------------------------------------------------- -// -// Get a security transparency object for an assembly with the specified attributes on -// its manifest -// -// Arguments: -// moduleTokenFlags - flags from reading the security attributes of the assembly's -// manifest module -// - -const SecurityTransparencyBehavior *SecurityTransparencyBehavior::GetTransparencyBehavior(SecurityRuleSet ruleSet) -{ - CONTRACT(const SecurityTransparencyBehavior *) - { - THROWS; - GC_TRIGGERS; - PRECONDITION(ruleSet == SecurityRuleSet_Level1 || ruleSet == SecurityRuleSet_Level2); - POSTCONDITION(CheckPointer(RETVAL)); - } - CONTRACT_END; - - { - // Level 2 rules - v4.0 behavior - RETURN(GetOrCreateTransparencyBehavior<TransparencyBehaviorImpl>(&s_pStandardTransparencyBehavior)); - } -} diff --git a/src/vm/securitytransparentassembly.h b/src/vm/securitytransparentassembly.h deleted file mode 100644 index 9f0d38f7ca..0000000000 --- a/src/vm/securitytransparentassembly.h +++ /dev/null 
@@ -1,249 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -//-------------------------------------------------------------------------- -// securityTransparentAssembly.h -// -// Implementation for transparent code feature -// - - -//-------------------------------------------------------------------------- - - -#ifndef __SECURITYTRANSPARENT_H__ -#define __SECURITYTRANSPARENT_H__ - -#include "securitymeta.h" - -// Reason that a transparency error was flagged -enum SecurityTransparencyError -{ - SecurityTransparencyError_None, - SecurityTransparencyError_CallCriticalMethod, // A transparent method tried to call a critical method - SecurityTransparencyError_CallLinkDemand // A transparent method tried to call a method with a LinkDemand -}; - -namespace SecurityTransparent -{ -//private: - BOOL IsMethodTransparent(MethodDesc *pMD); - BOOL IsMethodCritical(MethodDesc *pMD); - BOOL IsMethodSafeCritical(MethodDesc *pMD); - BOOL IsTypeCritical(MethodTable *pMT); - BOOL IsTypeSafeCritical(MethodTable *pMT); - BOOL IsTypeTransparent(MethodTable *pMT); - BOOL IsTypeAllTransparent(MethodTable *pMT); - BOOL IsTypeAllCritical(MethodTable *pMT); - BOOL IsFieldTransparent(FieldDesc *pFD); - BOOL IsFieldCritical(FieldDesc *pFD); - BOOL IsFieldSafeCritical(FieldDesc *pFD); - BOOL IsTokenTransparent(Module *pModule, mdToken tkToken); - -//public: - bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD); - - CorInfoIsAccessAllowedResult RequiresTransparentCodeChecks(MethodDesc* pCaller, - MethodDesc* pCallee, - SecurityTransparencyError *pError); - CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller, - MethodDesc* pCallee, - SecurityTransparencyError *pError); - void EnforceTransparentAssemblyChecks(MethodDesc* pCaller, MethodDesc* pCallee); - void 
EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCallee); - CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly); - CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD); - VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, AssemblySecurityDescriptor* pLoadedSecDesc); - BOOL CheckCriticalAccess(AccessCheckContext* pContext, - MethodDesc* pOptionalTargetMethod, - FieldDesc* pOptionalTargetField, - MethodTable * pOptionalTargetType); - BOOL IsAllowedToAssert(MethodDesc *pMD); - - bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands); - - void DECLSPEC_NORETURN ThrowMethodAccessException(MethodDesc* pMD, DWORD dwMessageId = IDS_CRITICAL_METHOD_ACCESS_DENIED); - - void DECLSPEC_NORETURN ThrowTypeLoadException(MethodDesc* pMD, DWORD dwMessageId = IDS_METHOD_INHERITANCE_RULES_VIOLATED); - void DECLSPEC_NORETURN ThrowTypeLoadException(MethodTable* pMT); - - void DoSecurityClassAccessChecks(MethodDesc *pCallerMD, - const TypeHandle &calleeTH, - CorInfoSecurityRuntimeChecks checks); -#ifdef _DEBUG - void LogTransparencyError(Assembly *pAssembly, const LPCSTR szError); - void LogTransparencyError(MethodTable *pMT, const LPCSTR szError); - void LogTransparencyError(MethodDesc *pMD, const LPCSTR szError, MethodDesc *pTargetMD = NULL); -#endif // _DEBUG -}; - -// -// Transparency is implemented slightly differently between v2 desktop, v4 desktop, and CoreCLR. In order to -// support running v2 desktop assemblies on the v4 CLR without modifying their expected transparency behavior, -// we indirect all questions about what transparency means through a SecurityTransparencyBehavior object. -// -// The SecurityTransparencyBehavior object uses implementations of ISecurityTransparencyImpl to query about -// specific behavior differences. 
-// - -enum SecurityTransparencyBehaviorFlags -{ - SecurityTransparencyBehaviorFlags_None = 0x0000, - - // Custom attributes require transparency checks in order to be used by transparent code - SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck = 0x0001, - - // Public critical members of an assembly can behave as if they were safe critical with a LinkDemand - // for FullTrust - SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand = 0x0002, - - // Types and methods must obey the transparency inheritance rules - SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced = 0x0004, - - // Members contained within a scope that introduces members as critical may add their own treat as safe - SecurityTransparencyBehaviorFlags_IntroducedCriticalsMayAddTreatAsSafe = 0x0008, - - // Opportunistically critical assemblies consist of entirely transparent types with entirely safe - // critical methods. - SecurityTransparencyBehaviorFlags_OpportunisticIsSafeCriticalMethods = 0x0010, - - // Assemblies loaded in partial trust are implicitly all transparent - SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent = 0x0020, - - // All public critical types and methods get an implicit treat as safe marking - SecurityTransparencyBehaviorFlags_PublicImpliesTreatAsSafe = 0x0040, - - // Security critical or safe critical at a larger than method scope applies only to methods introduced - // within that scope, rather than all methods contained in the scope - SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods = 0x0080, - - // Security transparent code can call methods protected with a LinkDemand - SecurityTransparencyBehaviorFlags_TransparentCodeCanCallLinkDemand = 0x0100, - - // Security transparent code can call native code via P/Invoke or COM Interop - SecurityTransaprencyBehaviorFlags_TransparentCodeCanCallUnmanagedCode = 0x0200, - - // Security transparent code can skip verification with a runtime check - 
SecurityTransparencyBehaviorFlags_TransparentCodeCanSkipVerification = 0x0400, - - // Unsigned assemblies implicitly are APTCA - SecurityTransparencyBehaviorFlags_UnsignedImpliesAPTCA = 0x0800, -}; - -inline SecurityTransparencyBehaviorFlags operator|(SecurityTransparencyBehaviorFlags lhs, - SecurityTransparencyBehaviorFlags rhs); - -inline SecurityTransparencyBehaviorFlags operator|=(SecurityTransparencyBehaviorFlags& lhs, - SecurityTransparencyBehaviorFlags rhs); - -inline SecurityTransparencyBehaviorFlags operator&(SecurityTransparencyBehaviorFlags lhs, - SecurityTransparencyBehaviorFlags rhs); - -inline SecurityTransparencyBehaviorFlags operator&=(SecurityTransparencyBehaviorFlags &lhs, - SecurityTransparencyBehaviorFlags rhs); - -// Base interface for transparency behavior implementations -class ISecurityTransparencyImpl -{ -public: - virtual ~ISecurityTransparencyImpl() - { - LIMITED_METHOD_CONTRACT; - } - - // Get flags that indicate specific on/off behaviors of transparency - virtual SecurityTransparencyBehaviorFlags GetBehaviorFlags() const = 0; - - // Map security attributes that a field contains to the set of behaviors it supports - virtual FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0; - - // Map security attributes that a method contains to the set of behaviors it supports - virtual MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0; - - // Map security attributes that a module contains to the set of behaviors it supports - virtual ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0; - - // Map security attributes that a type contains to the set of behaviors it supports - virtual TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const = 0; -}; - -class SecurityTransparencyBehavior -{ -public: - // Get a transparency behavior for a module with the given attributes 
applied to it
- static
- const SecurityTransparencyBehavior *GetTransparencyBehavior(SecurityRuleSet ruleSet);
-
-public:
- // Are types and methods required to obey the transparency inheritance rules
- inline bool AreInheritanceRulesEnforced() const;
-
- // Can public critical members of an assembly behave as if they were safe critical with a LinkDemand
- // for FullTrust
- inline bool CanCriticalMembersBeConvertedToLinkDemand() const;
-
- // Can members contained within a scope that introduces members as critical add their own TreatAsSafe
- // attribute
- inline bool CanIntroducedCriticalMembersAddTreatAsSafe() const;
-
- // Can transparent methods call methods protected with a LinkDemand
- inline bool CanTransparentCodeCallLinkDemandMethods() const;
-
- // Can transparent methods call native code
- inline bool CanTransparentCodeCallUnmanagedCode() const;
-
- // Can transparent members skip verification if the callstack passes a runtime check
- inline bool CanTransparentCodeSkipVerification() const;
-
- // Custom attributes require transparency checks in order to be used by transparent code
- inline bool DoAttributesRequireTransparencyChecks() const;
-
- // Opportunistically critical assemblies consist of entirely transparent types with entirely safe
- // critical methods.
- inline bool DoesOpportunisticRequireOnlySafeCriticalMethods() const;
-
- // Does being loaded in partial trust imply that the assembly is implicitly all transparent
- inline bool DoesPartialTrustImplyAllTransparent() const;
-
- // Do all public members of the assembly get an implicit treat as safe marking
- inline bool DoesPublicImplyTreatAsSafe() const;
-
- // Do security critical or safe critical at a larger than method scope apply only to methods introduced
- // within that scope, or to all methods conateind within the scope.
- inline bool DoesScopeApplyOnlyToIntroducedMethods() const;
-
- // Do unsigned assemblies implicitly become APTCA
- inline bool DoesUnsignedImplyAPTCA() const;
-
- // Get flags that indicate specific on/off behaviors of transparency
- inline FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a method contains to the set of behaviors it supports
- inline MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a module contains to the set of behaviors it supports
- inline ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
- // Map security attributes that a type contains to the set of behaviors it supports
- inline TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const;
-
-private:
- explicit inline SecurityTransparencyBehavior(ISecurityTransparencyImpl *pTransparencyImpl);
- SecurityTransparencyBehavior(const SecurityTransparencyBehavior &); // not implemented
- SecurityTransparencyBehavior &operator=(const SecurityTransparencyBehavior &); // not implemented
-
-private:
- template <class T>
- friend const SecurityTransparencyBehavior *GetOrCreateTransparencyBehavior(SecurityTransparencyBehavior **ppBehavior);
-
-private:
- static SecurityTransparencyBehavior *s_pStandardTransparencyBehavior;
- static SecurityTransparencyBehavior *s_pLegacyTransparencyBehavior;
-
- ISecurityTransparencyImpl *m_pTransparencyImpl;
- SecurityTransparencyBehaviorFlags m_flags;
-};
-
-#include "securitytransparentassembly.inl"
-
-#endif // __SECURITYTRANSPARENT_H__
diff --git a/src/vm/securitytransparentassembly.inl b/src/vm/securitytransparentassembly.inl
deleted file mode 100644
index 2b35a7ebe4..0000000000
--- a/src/vm/securitytransparentassembly.inl
+++ /dev/null
@@ -1,259 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-// See the LICENSE file in the project root for more information.
-//--------------------------------------------------------------------------
-// securitytransparentassembly.inl
-//
-// Implementation for transparent code feature
-//
-
-
-//--------------------------------------------------------------------------
-
-
-#ifndef __SECURITYTRANSPARENT_INL__
-#define __SECURITYTRANSPARENT_INL__
-
-//---------------------------------------------------------------------------------------
-//
-// Create a transparency behavior object
-//
-// Arguments:
-// pTransparencyImpl - transparency implementation to base behavior decisions on
-//
-// Notes:
-// The tranparency implementation object must have a lifetime at least as long as the
-// created transparency behavior object.
-//
-
-inline SecurityTransparencyBehavior::SecurityTransparencyBehavior(ISecurityTransparencyImpl *pTransparencyImpl) :
- m_pTransparencyImpl(pTransparencyImpl),
- m_flags(pTransparencyImpl->GetBehaviorFlags())
-{
- LIMITED_METHOD_CONTRACT;
- _ASSERTE(pTransparencyImpl);
-}
-
-//
-// Typed logical operators for transparency flags
-//
-
-inline SecurityTransparencyBehaviorFlags operator|(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- return static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
-}
-
-inline SecurityTransparencyBehaviorFlags operator|=(SecurityTransparencyBehaviorFlags& lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) |
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-inline SecurityTransparencyBehaviorFlags operator&(SecurityTransparencyBehaviorFlags lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
-
LIMITED_METHOD_CONTRACT;
- return static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
-}
-
-inline SecurityTransparencyBehaviorFlags operator&=(SecurityTransparencyBehaviorFlags& lhs,
- SecurityTransparencyBehaviorFlags rhs)
-{
- LIMITED_METHOD_CONTRACT;
- lhs = static_cast<SecurityTransparencyBehaviorFlags>(static_cast<DWORD>(lhs) &
- static_cast<DWORD>(rhs));
- return lhs;
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Are types and methods required to obey the transparency inheritance rules
-//
-
-inline bool SecurityTransparencyBehavior::AreInheritanceRulesEnforced() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_InheritanceRulesEnforced);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can public critical members of an assembly behave as if they were safe critical with a
-// LinkDemand for FullTrust
-//
-
-inline bool SecurityTransparencyBehavior::CanCriticalMembersBeConvertedToLinkDemand() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_CriticalMembersConvertToLinkDemand);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can members contained within a scope that introduces members as critical add their own
-// TreatAsSafe attribute
-//
-
-inline bool SecurityTransparencyBehavior::CanIntroducedCriticalMembersAddTreatAsSafe() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_IntroducedCriticalsMayAddTreatAsSafe);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent methods call methods protected with a LinkDemand
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeCallLinkDemandMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return
!!(m_flags & SecurityTransparencyBehaviorFlags_TransparentCodeCanCallLinkDemand);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent members call native code directly
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeCallUnmanagedCode() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransaprencyBehaviorFlags_TransparentCodeCanCallUnmanagedCode);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Can transparent members skip verification if the callstack passes a runtime check
-//
-
-inline bool SecurityTransparencyBehavior::CanTransparentCodeSkipVerification() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_TransparentCodeCanSkipVerification);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Custom attributes require transparency checks in order to be used by critical code
-//
-
-inline bool SecurityTransparencyBehavior::DoAttributesRequireTransparencyChecks() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_AttributesRequireTransparencyCheck);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Opportunistically critical assemblies consist of entirely transparent types with entirely safe
-// critical methods.
-inline bool SecurityTransparencyBehavior::DoesOpportunisticRequireOnlySafeCriticalMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_OpportunisticIsSafeCriticalMethods);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Does being loaded in partial trust imply that the assembly is implicitly all transparent
-//
-
-inline bool SecurityTransparencyBehavior::DoesPartialTrustImplyAllTransparent() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do all public types and methods automatically become treat as safe
-//
-
-inline bool SecurityTransparencyBehavior::DoesPublicImplyTreatAsSafe() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_PublicImpliesTreatAsSafe);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do security critical or safe critical at a larger than method scope apply only to methods introduced
-// within that scope, or to all methods conateind within the scope.
-//
-// For instance, if this method returns true, a critical type does not make a method it overrides critical
-// because that method was introduced in a base type.
-//
-
-inline bool SecurityTransparencyBehavior::DoesScopeApplyOnlyToIntroducedMethods() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_ScopeAppliesOnlyToIntroducedMethods);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Do unsigned assemblies implicitly become APTCA
-//
-
-inline bool SecurityTransparencyBehavior::DoesUnsignedImplyAPTCA() const
-{
- LIMITED_METHOD_CONTRACT;
- return !!(m_flags & SecurityTransparencyBehaviorFlags_UnsignedImpliesAPTCA);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a field into bits that represent what those attributes
-// mean to this field.
-//
-
-inline FieldSecurityDescriptorFlags SecurityTransparencyBehavior::MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapFieldAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a method to the security transparency of that method
-//
-
-inline MethodSecurityDescriptorFlags SecurityTransparencyBehavior::MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapMethodAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on an assembly into bits that represent what those
-// attributes mean to this assembly.
-//
-
-inline ModuleSecurityDescriptorFlags SecurityTransparencyBehavior::MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapModuleAttributes(tokenFlags);
-}
-
-//---------------------------------------------------------------------------------------
-//
-// Map the attributes found on a type into bits that represent what those
-// attributes mean to this type.
-//
-
-inline TypeSecurityDescriptorFlags SecurityTransparencyBehavior::MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const
-{
- WRAPPER_NO_CONTRACT;
- return m_pTransparencyImpl->MapTypeAttributes(tokenFlags);
-}
-
-#endif // __SECURTYTRANSPARENT_INL__
diff --git a/src/vm/siginfo.cpp b/src/vm/siginfo.cpp
index 82aef45026..cf0cceaf53 100644
--- a/src/vm/siginfo.cpp
+++ b/src/vm/siginfo.cpp
@@ -3245,10 +3245,6 @@ BOOL IsTypeDefEquivalent(mdToken tk, Module *pModule)
 // take care of that possibility
 pModule->EnsureAllocated();
- // 5. Type is in a fully trusted assembly
- if (!pModule->GetSecurityDescriptor()->IsFullyTrusted())
- return FALSE;
-
 // 6. If type is nested, nesting type must be equivalent.
 if (IsTdNested(dwAttrType))
 {
diff --git a/src/vm/threadpoolrequest.cpp b/src/vm/threadpoolrequest.cpp
index 247deea304..a1ec4b087e 100644
--- a/src/vm/threadpoolrequest.cpp
+++ b/src/vm/threadpoolrequest.cpp
@@ -752,9 +752,6 @@ void ManagedPerAppDomainTPCount::DispatchWorkItem(bool* foundWork, bool* wasNotR
 // TODO: fix this another way!
 //
 if (IsRequestPending())
 {
- //This holder resets our thread's security state when exiting this scope
- ThreadSecurityStateHolder secState(pThread);
-
 ManagedThreadBase::ThreadPool(appDomainId, QueueUserWorkItemManagedCallback, wasNotRecalled);
 }
diff --git a/src/vm/threads.cpp b/src/vm/threads.cpp
index df8916c1f9..1eeadf7ead 100644
--- a/src/vm/threads.cpp
+++ b/src/vm/threads.cpp
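Review bot: The step comment `// 6. If type is nested, nesting type must be equivalent.` in IsTypeDefEquivalent is now out of sequence, because the `// 5. Type is in a fully trusted assembly` step it followed is deleted; renumber it to `// 5.` (and any later steps beyond the hunk) so the checklist reads correctly. The rest of IsTypeDefEquivalent, including any header comment that enumerates the equivalence conditions, is outside the hunk and should drop the full-trust condition too if it mentions it. Removing the IsFullyTrusted() gate means type equivalence is no longer conditional on the module's trust level; with the CAS machinery deleted in this commit that should be a no-op, but it is a behavioural change worth a sentence in the commit description.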
@@ -28,7 +28,6 @@
 #include "corhost.h"
 #include "win32threadpool.h"
 #include "jitinterface.h"
-#include "appdomainstack.inl"
 #include "eventtrace.h"
 #include "comutilnative.h"
 #include "finalizerthread.h"
@@ -929,14 +928,6 @@ Thread* SetupUnstartedThread(BOOL bRequiresTSL)
 return pThread;
 }
-FCIMPL0(INT32, GetRuntimeId_Wrapper)
-{
- FCALL_CONTRACT;
-
- return GetRuntimeId();
-}
-FCIMPLEND
-
 //-------------------------------------------------------------------------
 // Public function: DestroyThread()
 // Destroys the specified Thread object, for a thread which is about to die.
@@ -8103,9 +8094,6 @@ void Thread::InitContext()
 m_pDomain = m_Context->GetDomain();
 _ASSERTE(m_pDomain);
 m_pDomain->ThreadEnter(this, NULL);
-
- // Every thread starts in the default domain, so push it here.
- PushDomain((ADID)DefaultADID);
 }
 void Thread::ClearContext()
@@ -8131,7 +8119,6 @@ void Thread::ClearContext()
 m_fDisableComObjectEagerCleanup = false;
 #endif //FEATURE_COMINTEROP
 m_Context = NULL;
- m_ADStack.ClearDomainStack();
 }
@@ -8394,7 +8381,6 @@ void Thread::EnterContextRestricted(Context *pContext, ContextTransitionFrame *p
 _ASSERTE(pFrame);
- PushDomain(pDomain->GetId());
 STRESS_LOG1(LF_APPDOMAIN, LL_INFO100000, "Entering into ADID=%d\n", pDomain->GetId().m_dwId);
@@ -8551,7 +8537,6 @@ void Thread::ReturnToContext(ContextTransitionFrame *pFrame)
 if (fChangedDomains)
 {
- pADOnStack = m_ADStack.PopDomain();
 STRESS_LOG2(LF_APPDOMAIN, LL_INFO100000, "Returning from %d to %d\n", pADOnStack.m_dwId, pReturnContext->GetDomain()->GetId().m_dwId);
 _ASSERTE(pADOnStack == m_pDomain->GetId());
@@ -10674,7 +10659,6 @@ void Thread::FullResetThread()
 GCX_FORBID();
 DeleteThreadStaticData();
- ResetSecurityInfo();
 m_alloc_context.alloc_bytes = 0;
 m_fPromoted = FALSE;
diff --git a/src/vm/threads.h b/src/vm/threads.h
index fbff1b9bdd..2c0ce93984 100644
--- a/src/vm/threads.h
+++ b/src/vm/threads.h
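Review bot: In Thread::ReturnToContext the line `pADOnStack = m_ADStack.PopDomain();` is removed but the next two lines still read pADOnStack — `STRESS_LOG2(..., pADOnStack.m_dwId, ...)` and `_ASSERTE(pADOnStack == m_pDomain->GetId());` — so when fChangedDomains is set the value logged and asserted is whatever pADOnStack held before, not the domain being left. Its declaration is outside the hunk, so it may carry an initializer, but nothing visible assigns it on this path; the assert is now either vacuous or fires on a stale value. With the domain stack gone, the assert should be dropped and the log reduced to the destination, e.g. `STRESS_LOG1(LF_APPDOMAIN, LL_INFO100000, "Returning to ADID=%d\n", pReturnContext->GetDomain()->GetId().m_dwId);`. The PushDomain removals in the InitContext and EnterContextRestricted hunks are the matching halves of this change and need nothing further.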
@@ -141,7 +141,6 @@
 #include "context.h"
 #include "regdisp.h"
 #include "mscoree.h"
-#include "appdomainstack.h"
 #include "gcheaputilities.h"
 #include "gchandleutilities.h"
 #include "gcinfotypes.h"
@@ -629,8 +628,6 @@ Thread* SetupUnstartedThread(BOOL bRequiresTSL=TRUE);
 void DestroyThread(Thread *th);
-FCDECL0(INT32, GetRuntimeId_Wrapper);
-
 //---------------------------------------------------------------------------
 //---------------------------------------------------------------------------
 #ifndef FEATURE_IMPLICIT_TLS
@@ -4202,11 +4199,6 @@ public:
 private:
 //-------------------------------------------------------------------------
- // AppDomains on the current call stack
- //-------------------------------------------------------------------------
- AppDomainStack m_ADStack;
-
- //-------------------------------------------------------------------------
 // Support creation of assemblies in DllMain (see ceemain.cpp)
 //-------------------------------------------------------------------------
 DomainFile* m_pLoadingFile;
@@ -4234,55 +4226,6 @@ public:
 return m_fInteropDebuggingHijacked;
 }
- inline DWORD IncrementOverridesCount();
- inline DWORD DecrementOverridesCount();
- inline DWORD GetOverridesCount();
- inline DWORD IncrementAssertCount();
- inline DWORD DecrementAssertCount();
- inline DWORD GetAssertCount();
- inline void PushDomain(ADID pDomain);
- inline ADID PopDomain();
- inline DWORD GetNumAppDomainsOnThread();
- inline BOOL CheckThreadWideSpecialFlag(DWORD flags);
- inline void InitDomainIteration(DWORD *pIndex);
- inline ADID GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts);
- inline void UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides);
-
- BOOL IsDefaultSecurityInfo(void)
- {
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IsDefaultSecurityInfo();
- }
-
- BOOL AllDomainsHomogeneousWithNoStackModifiers(void)
- {
- WRAPPER_NO_CONTRACT;
- return m_ADStack.AllDomainsHomogeneousWithNoStackModifiers();
- }
-
- const AppDomainStack& GetAppDomainStack(void)
- {
- LIMITED_METHOD_CONTRACT;
- return m_ADStack;
- }
- AppDomainStack* GetAppDomainStackPointer(void)
- {
- LIMITED_METHOD_CONTRACT;
- return &m_ADStack;
- }
-
- void SetAppDomainStack(const AppDomainStack& appDomainStack)
- {
- WRAPPER_NO_CONTRACT;
- m_ADStack = appDomainStack; // this is a function call, massive operator=
- }
-
- void ResetSecurityInfo( void )
- {
- WRAPPER_NO_CONTRACT;
- m_ADStack.ClearDomainStack();
- }
-
 void SetFilterContext(T_CONTEXT *pContext);
 T_CONTEXT *GetFilterContext(void);
diff --git a/src/vm/threads.inl b/src/vm/threads.inl
index 26682ec09b..ee2aaacf94 100644
--- a/src/vm/threads.inl
+++ b/src/vm/threads.inl
@@ -186,86 +186,6 @@ inline void Thread::FinishSOWork()
 #endif
 }
-inline DWORD Thread::IncrementOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IncrementOverridesCount();
-}
-
-inline DWORD Thread::DecrementOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.DecrementOverridesCount();
-}
-
-inline DWORD Thread::GetOverridesCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetOverridesCount();
-}
-
-inline DWORD Thread::IncrementAssertCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.IncrementAssertCount();
-}
-
-inline DWORD Thread::DecrementAssertCount()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.DecrementAssertCount();
-}
-
-inline DWORD Thread::GetAssertCount()
-{
- LIMITED_METHOD_CONTRACT;
- return m_ADStack.GetAssertCount();
-}
-
-#ifndef DACCESS_COMPILE
-inline void Thread::PushDomain(ADID pDomain)
-{
- WRAPPER_NO_CONTRACT;
- m_ADStack.PushDomain(pDomain);
-}
-
-inline ADID Thread::PopDomain()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.PopDomain();
-}
-#endif // DACCESS_COMPILE
-
-inline DWORD Thread::GetNumAppDomainsOnThread()
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetNumDomains();
-}
-
-inline BOOL Thread::CheckThreadWideSpecialFlag(DWORD flags)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetThreadWideSpecialFlag() & flags;
-}
-
-inline void Thread::InitDomainIteration(DWORD *pIndex)
-{
- WRAPPER_NO_CONTRACT;
- m_ADStack.InitDomainIteration(pIndex);
-}
-
-inline ADID Thread::GetNextDomainOnStack(DWORD *pIndex, DWORD *pOverrides, DWORD *pAsserts)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.GetNextDomainOnStack(pIndex, pOverrides, pAsserts);
-}
-
-inline void Thread::UpdateDomainOnStack(DWORD pIndex, DWORD asserts, DWORD overrides)
-{
- WRAPPER_NO_CONTRACT;
- return m_ADStack.UpdateDomainOnStack(pIndex, asserts, overrides);
-}
-
 #ifdef FEATURE_COMINTEROP
 inline void Thread::RevokeApartmentSpy()
 {
@@ -301,8 +221,6 @@ inline void Thread::SetLastSTACtxCookie(LPVOID pCtxCookie, BOOL fNAContext)
 }
 #endif // FEATURE_COMINTEROP
-#include "appdomainstack.inl"
-
 inline bool Thread::IsGCSpecial()
 {
 LIMITED_METHOD_CONTRACT;
diff --git a/src/vm/util.cpp b/src/vm/util.cpp
index da7d18c390..260e0daa38 100644
--- a/src/vm/util.cpp
+++ b/src/vm/util.cpp
@@ -1283,478 +1283,8 @@ void VMDumpCOMErrors(HRESULT hrErr) } //----------------------------------------------------------------------------- -// Helper method to load mscorsn.dll. It is used when an app requests a legacy -// mode where mscorsn.dll it to be loaded during startup. -//----------------------------------------------------------------------------- -const WCHAR g_pwzOldStrongNameLibrary[] = W("mscorsn.dll"); -#define cchOldStrongNameLibrary ( \ - (sizeof(g_pwzOldStrongNameLibrary)/sizeof(WCHAR))) - -HRESULT LoadMscorsn() -{ - CONTRACTL - { - NOTHROW; - GC_TRIGGERS; - INJECT_FAULT(return FALSE;); - } - CONTRACTL_END; - - DWORD size = 0; - HRESULT hr = GetInternalSystemDirectory(NULL, &size); - if (hr != HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER)) - return hr; - - DWORD dwLength = size + cchOldStrongNameLibrary; - if (dwLength < size) - return HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW); - NewArrayHolder<WCHAR> wszPath(new (nothrow) WCHAR[dwLength]); - if (!wszPath) - return E_OUTOFMEMORY; - - hr = GetInternalSystemDirectory(wszPath, &size); - if (FAILED(hr)) - return hr; - - wcscat_s(wszPath, dwLength, g_pwzOldStrongNameLibrary); - CLRLoadLibrary(wszPath); - return S_OK; -} - #ifndef FEATURE_PAL -//----------------------------------------------------------------------------- -// WszSHGetFolderPath -// -// @func takes the CSIDL of a folder and returns the path name -// -// @rdesc Result Handle -//----------------------------------------------------------------------------------- -HRESULT WszSHGetFolderPath( - HWND hwndOwner, - int nFolder, - HANDLE hToken, - DWORD dwFlags, - size_t cchPathMax, - __out_ecount(MAX_LONGPATH) LPWSTR pwszPath) -{ - CONTRACTL - { - NOTHROW; - MODE_PREEMPTIVE; - INJECT_FAULT(return E_OUTOFMEMORY;); - } - CONTRACTL_END; - - // SHGetFolderPath requirement: path buffer >= MAX_LONGPATH chars - _ASSERTE(cchPathMax >= MAX_LONGPATH); - - HRESULT hr; - ULONG maxLength = MAX_LONGPATH; - HMODULE _hmodShell32 = 0; - HMODULE 
_hmodSHFolder = 0; - - ETWOnStartup (LdLibShFolder_V1, LdLibShFolderEnd_V1); - - typedef HRESULT (*PFNSHGETFOLDERPATH_W) (HWND hwndOwner, int nFolder, HANDLE hToken, DWORD dwFlags, LPWSTR pszPath); - static PFNSHGETFOLDERPATH_W pfnW = NULL; - if (NULL == pfnW) - { - _hmodShell32 = CLRLoadLibrary(W("shell32.dll")); - - if (_hmodShell32) - pfnW = (PFNSHGETFOLDERPATH_W)GetProcAddress(_hmodShell32, "SHGetFolderPathW"); - - if (NULL == pfnW) - { - if (NULL == _hmodSHFolder) - _hmodSHFolder = CLRLoadLibrary(W("shfolder.dll")); - - if (_hmodSHFolder) - pfnW = (PFNSHGETFOLDERPATH_W)GetProcAddress(_hmodSHFolder, "SHGetFolderPathW"); - } - } - - if (pfnW) - hr = pfnW(hwndOwner, nFolder, hToken, dwFlags, pwszPath); - else - hr = HRESULT_FROM_WIN32(GetLastError()); - - // NOTE: We leak the module handles and let the OS gather them at process shutdown. - - return hr; -} - -//----------------------------------------------------------------------------- -// WszShellExecute -// -// @func calls ShellExecute with the provided parameters -// -// @rdesc Result -//----------------------------------------------------------------------------------- -HRESULT WszShellExecute( - HWND hwnd, - LPCTSTR lpOperation, - LPCTSTR lpFile, - LPCTSTR lpParameters, - LPCTSTR lpDirectory, - INT nShowCmd) -{ - CONTRACTL - { - NOTHROW; - MODE_PREEMPTIVE; - INJECT_FAULT(return E_OUTOFMEMORY;); - } - CONTRACTL_END; - - HRESULT hr = S_OK; - HMODULE _hmodShell32 = 0; - - typedef HINSTANCE (*PFNSHELLEXECUTE_W) (HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd); - static PFNSHELLEXECUTE_W pfnW = NULL; - if (NULL == pfnW) - { - _hmodShell32 = CLRLoadLibrary(W("shell32.dll")); - - if (_hmodShell32) - pfnW = (PFNSHELLEXECUTE_W)GetProcAddress(_hmodShell32, "ShellExecuteW"); - } - - if (pfnW) - { - HINSTANCE hSE = pfnW(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd); - - if ((int) hSE <= 32) - { - hr = HRESULT_FROM_WIN32((int) hSE); - } - } - 
else - { - hr = HRESULT_FROM_WIN32(GetLastError()); - } - - // NOTE: We leak the module handles and let the OS gather them at process shutdown. - - return hr; -} - -#ifndef DACCESS_COMPILE -//----------------------------------------------------------------------------- - -//----------------------------------------------------------------------------- -// WszShellExecuteEx -// -// @func calls ShellExecuteEx with the provided parameters -// -// @rdesc Result -//----------------------------------------------------------------------------------- -HRESULT WszShellExecuteEx( - LPSHELLEXECUTEINFO lpExecInfo) -{ - CONTRACTL - { - NOTHROW; - MODE_PREEMPTIVE; - INJECT_FAULT(return E_OUTOFMEMORY;); - } - CONTRACTL_END; - - HRESULT hr = S_OK; - HMODULE _hmodShell32 = 0; - - typedef BOOL (*PFNSHELLEXECUTEEX_W) (LPSHELLEXECUTEINFO lpExecInfo); - static PFNSHELLEXECUTEEX_W pfnW = NULL; - if (NULL == pfnW) - { - _hmodShell32 = CLRLoadLibrary(W("shell32.dll")); - - if (_hmodShell32) - pfnW = (PFNSHELLEXECUTEEX_W)GetProcAddress(_hmodShell32, "ShellExecuteExW"); - } - - if (pfnW) - { - BOOL bSE = pfnW(lpExecInfo); - - if (bSE) - { - hr = HRESULT_FROM_WIN32(GetLastError()); - } - } - else - { - hr = HRESULT_FROM_WIN32(GetLastError()); - } - - // NOTE: We leak the module handles and let the OS gather them at process shutdown. 
- - return hr; -} - -#endif // #ifndef DACCESS_COMPILE - -BOOL IsUsingValidAppDataPath(__in_z WCHAR *userPath) -{ - CONTRACTL - { - NOTHROW; - MODE_PREEMPTIVE; - } - CONTRACTL_END; - - WCHAR defaultPath[MAX_LONGPATH]; - HRESULT hr; - HANDLE hToken; - - hToken = (HANDLE)(-1); - - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA, hToken, SHGFP_TYPE_CURRENT, MAX_LONGPATH, defaultPath); - if (FAILED(hr)) - { - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA, hToken, SHGFP_TYPE_DEFAULT, MAX_LONGPATH, defaultPath); - } - if (FAILED(hr)) - return FALSE; - - int result = wcscmp(defaultPath, userPath); - - return result != 0; -} - -#define FOLDER_LOCAL_SETTINGS_W W("Local Settings") -#define FOLDER_APP_DATA_W W("\\Application Data") -#define FOLDER_APP_DATA "\\Application Data" - -// Gets the location for roaming and local AppData -BOOL GetUserDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount, BOOL fRoaming) -{ - CONTRACTL - { - NOTHROW; - MODE_PREEMPTIVE; - INJECT_FAULT(return FALSE;); - } - CONTRACTL_END; - - // SHGetFolderPath will return the default user profile if the context is that of a user - // without a user profile. Since we never want to end up writing files into the default profile - // which is used as a template for future user profiles, we first try to find out if the user - // profile is not loaded; and if that's the case we return an error. 
- - if (!IsUserProfileLoaded()) - return FALSE; - - HRESULT hr; - - // In Windows ME, there is currently a bug that makes local appdata and roaming appdata - // point to the same location, so we've decided to "do our own thing" and add \Local Settings before \Application Data - if (!fRoaming) { - WCHAR appdatafolder[MAX_LONGPATH]; - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, MAX_LONGPATH, appdatafolder); - if (FAILED(hr)) - { - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, MAX_LONGPATH, appdatafolder); - } - if (FAILED(hr)) - return FALSE; - hr = WszSHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, bufferCount, buffer); - if (FAILED(hr)) - { - hr = WszSHGetFolderPath(NULL, CSIDL_LOCAL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer); - } - if (FAILED(hr)) - return FALSE; - - // folders are the same or failed to get local folder - - if (!wcscmp(appdatafolder, buffer)) - { - WCHAR tempPartialPath[MAX_LONGPATH]; - ULONG slen = (ULONG)wcslen(buffer); - - if (buffer[slen - 1] == W('\\')) - { - --slen; - } - - // Search for the parent directory. - - WCHAR* parentDirectoryEnd = &buffer[slen - 1]; - tempPartialPath[0] = W('\0'); - - for (ULONG index = slen - 1; index > 0; --index) - { - if (buffer[index] == W('\\')) - { - if (wcslen(&buffer[index]) >= NumItems(tempPartialPath)) - { - _ASSERTE(!"Buffer not large enough"); - return FALSE; - } - - wcscpy_s( tempPartialPath, COUNTOF(tempPartialPath), &buffer[index] ); - parentDirectoryEnd = &buffer[index+1]; - break; - } - } - - // Create the intermediate directory if it is not present - if ((parentDirectoryEnd + wcslen(FOLDER_LOCAL_SETTINGS_W)) >= (buffer + bufferCount)) - { - _ASSERTE(!"Buffer not large enough"); - return FALSE; - } - - SIZE_T cchSafe; - // Prefast overflow sanity check the subtraction. 
- if (!ClrSafeInt<SIZE_T>::subtraction(bufferCount, (parentDirectoryEnd - buffer), cchSafe)) - { - _ASSERTE(!"ClrSafeInt: Buffer is not large enough"); - return FALSE; - } - - wcscpy_s(parentDirectoryEnd, cchSafe, FOLDER_LOCAL_SETTINGS_W); - - LONG lresult; - - { - // Check if the directory is already present - lresult = WszGetFileAttributes(buffer); - - if (lresult == -1) - { - if (!WszCreateDirectory(buffer, NULL) && - !(WszGetFileAttributes(buffer) & FILE_ATTRIBUTE_DIRECTORY)) - return FALSE; - } - else if ((lresult & FILE_ATTRIBUTE_DIRECTORY) == 0) - { - return FALSE; - } - } - if ((bufferCount - wcslen(buffer)) <= wcslen(tempPartialPath)) - { - _ASSERTE(!"Buffer not large enough"); - return FALSE; - } - - wcscat_s(buffer, bufferCount, tempPartialPath); - - // Check if the directory is already present - lresult = WszGetFileAttributes(buffer); - - if (lresult == -1) - { - if (!WszCreateDirectory(buffer, NULL) && - !(WszGetFileAttributes(buffer) & FILE_ATTRIBUTE_DIRECTORY)) - return FALSE; - } - else if ((lresult & FILE_ATTRIBUTE_DIRECTORY) == 0) - { - return FALSE; - } - } - } - else { - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_CURRENT, bufferCount, buffer); - if (FAILED(hr)) - { - hr = WszSHGetFolderPath(NULL, CSIDL_APPDATA|CSIDL_FLAG_CREATE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer); - } - if (FAILED(hr)) - return FALSE; - - if (!IsUsingValidAppDataPath(buffer)) - return FALSE; - } - - return TRUE; -} - -const WCHAR PROFILE_LIST_PATH[] = W("Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"); -#define nProfileListPathKeyLen ( \ - sizeof(PROFILE_LIST_PATH)/sizeof(WCHAR)) - -HRESULT GetUserSidString (HANDLE hToken, __deref_out LPWSTR *pwszSid) { - DWORD dwSize = 0; - GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize); - NewArrayHolder<BYTE> pb(new (nothrow) BYTE[dwSize]); - if (pb == NULL) - return E_OUTOFMEMORY; - if (!GetTokenInformation(hToken, TokenUser, pb, dwSize, &dwSize)) - return 
HRESULT_FROM_GetLastError(); - - PTOKEN_USER pUser = (PTOKEN_USER) pb.GetValue(); - - typedef BOOL (*CONVERTSIDTOSTRINGSID_W) (PSID Sid, LPWSTR* StringSid); - static CONVERTSIDTOSTRINGSID_W pfnW = NULL; - if (NULL == pfnW) { - HMODULE hModAdvapi32 = CLRLoadLibrary(W("advapi32.dll")); - if (hModAdvapi32) - pfnW = (CONVERTSIDTOSTRINGSID_W) GetProcAddress(hModAdvapi32, "ConvertSidToStringSidW"); - } - - if (!pfnW) - return E_NOTIMPL; - if (!pfnW(pUser->User.Sid, pwszSid)) - return HRESULT_FROM_GetLastError(); - return S_OK; -} - -BOOL IsUserProfileLoaded() { - HandleHolder hToken; - if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)) - if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) - return FALSE; - - // Get the SID string - LPWSTR wszSid = NULL; - if (FAILED(GetUserSidString(hToken, &wszSid))) - return FALSE; - - // Concatenate the Sid string with the profile list path - size_t cchProfileRegPath = nProfileListPathKeyLen + wcslen(wszSid) + 1; - NewArrayHolder<WCHAR> wszProfileRegPath(new (nothrow) WCHAR[cchProfileRegPath]); - if (wszProfileRegPath == NULL) { -#undef LocalFree - LocalFree(wszSid); -#define LocalFree(hMem) Dont_Use_LocalFree(hMem) - return FALSE; - } - wcscpy_s(wszProfileRegPath, cchProfileRegPath, PROFILE_LIST_PATH); - wcscat_s(wszProfileRegPath, cchProfileRegPath, wszSid); - -#undef LocalFree - LocalFree(wszSid); -#define LocalFree(hMem) Dont_Use_LocalFree(hMem) - - // Open the user profile registry key - HKEYHolder hKey; - return (WszRegOpenKeyEx(HKEY_LOCAL_MACHINE, wszProfileRegPath, 0, KEY_READ, &hKey) == ERROR_SUCCESS); -} - -BOOL GetInternetCacheDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount) -{ - CONTRACTL - { - NOTHROW; - GC_TRIGGERS; - INJECT_FAULT(return FALSE;); - } - CONTRACTL_END; - - _ASSERTE( bufferCount == MAX_LONGPATH && "You should pass in a buffer of size MAX_LONGPATH" ); - - HRESULT hr = WszSHGetFolderPath( NULL, CSIDL_INTERNET_CACHE, NULL, SHGFP_TYPE_CURRENT, bufferCount, 
buffer );
- if (FAILED(hr))
- hr = WszSHGetFolderPath( NULL, CSIDL_INTERNET_CACHE, NULL, SHGFP_TYPE_DEFAULT, bufferCount, buffer );
-
- return SUCCEEDED(hr);
-}
-
-//-----------------------------------------------------------------------------
 // Wrap registry functions to use CQuickWSTR to allocate space. This does it
 // in a stack friendly manner.
 //-----------------------------------------------------------------------------
diff --git a/src/vm/util.hpp b/src/vm/util.hpp
index 554429259f..1f86d6c2d5 100644
--- a/src/vm/util.hpp
+++ b/src/vm/util.hpp
@@ -356,28 +356,9 @@ HRESULT VMPostError( // Returned error.
 //=====================================================================
 // Displays the messaage box or logs the message, corresponding to the last COM+ error occurred
 void VMDumpCOMErrors(HRESULT hrErr);
-HRESULT LoadMscorsn();
 #include "nativevaraccessors.h"
-#ifndef FEATURE_PAL
-
-HRESULT WszSHGetFolderPath(HWND hwndOwner, int nFolder, HANDLE hToken, DWORD dwFlags, size_t cchPath, __out_ecount(MAX_LONGPATH) LPWSTR pszwPath);
-HRESULT WszShellExecute(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
-
-#ifndef DACCESS_COMPILE
-#include "shellapi.h"
-HRESULT WszShellExecuteEx(LPSHELLEXECUTEINFO lpExecInfo);
-#endif // #ifndef DACCESS_COMPILE
-
-#endif // !FEATURE_PAL
-
-BOOL GetUserDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount, BOOL fRoaming);
-BOOL GetInternetCacheDir(__out_ecount(bufferCount) WCHAR * buffer, size_t bufferCount );
-
-HRESULT GetUserSidString (HANDLE hToken, __deref_out LPWSTR *wszSid);
-BOOL IsUserProfileLoaded();
-
 //======================================================================
 // Stack friendly registry helpers
 //
diff --git a/src/vm/vars.cpp b/src/vm/vars.cpp
index 165d172e74..3a8046b26b 100644
--- a/src/vm/vars.cpp
+++ b/src/vm/vars.cpp
@@ -231,14 +231,6 @@ bool g_fShutDownCOM = false; DWORD g_FinalizerWaiterStatus = 0; -const WCHAR g_pwzClickOnceEnv_FullName[] = W("__COR_COMMAND_LINE_APP_FULL_NAME__"); -const WCHAR g_pwzClickOnceEnv_Manifest[] = W("__COR_COMMAND_LINE_MANIFEST__"); -const WCHAR g_pwzClickOnceEnv_Parameter[] = W("__COR_COMMAND_LINE_PARAMETER__"); - -#ifdef FEATURE_LOADER_OPTIMIZATION -DWORD g_dwGlobalSharePolicy = AppDomain::SHARE_POLICY_UNSPECIFIED; -#endif - // // Do we own the lifetime of the process, ie. is it an EXE? // @@ -256,15 +248,6 @@ bool g_fInControlC = false; LPWSTR g_pCachedCommandLine = NULL; LPWSTR g_pCachedModuleFileName = 0; -// host configuration file. If set, it is added to every AppDomain (fusion context) -LPCWSTR g_pszHostConfigFile = NULL; -SIZE_T g_dwHostConfigFile = 0; - -// AppDomainManager assembly and type names provided as environment variables. -LPWSTR g_wszAppDomainManagerAsm = NULL; -LPWSTR g_wszAppDomainManagerType = NULL; -bool g_fDomainManagerInitialized = false; - // // IJW needs the shim HINSTANCE // diff --git a/src/vm/vars.hpp b/src/vm/vars.hpp index 391fa4335b..cc167f2809 100644 --- a/src/vm/vars.hpp +++ b/src/vm/vars.hpp @@ -592,14 +592,6 @@ EXTERN const char g_psBaseLibraryTLB[]; #endif // FEATURE_COMINTEROP #endif // DACCESS_COMPILE -EXTERN const WCHAR g_pwzClickOnceEnv_FullName[]; -EXTERN const WCHAR g_pwzClickOnceEnv_Manifest[]; -EXTERN const WCHAR g_pwzClickOnceEnv_Parameter[]; - -#ifdef FEATURE_LOADER_OPTIMIZATION -EXTERN DWORD g_dwGlobalSharePolicy; -#endif - // // Do we own the lifetime of the process, ie. is it an EXE? // 
@@ -621,17 +613,6 @@ extern LPWSTR g_pCachedCommandLine; extern LPWSTR g_pCachedModuleFileName; // -// Host configuration file. One per process. -// -extern LPCWSTR g_pszHostConfigFile; -extern SIZE_T g_dwHostConfigFile; - -// AppDomainManager type -extern LPWSTR g_wszAppDomainManagerAsm; -extern LPWSTR g_wszAppDomainManagerType; -extern bool g_fDomainManagerInitialized; - -// // Macros to check debugger and profiler settings. // inline bool CORDebuggerPendingAttach() diff --git a/src/vm/verifier.cpp b/src/vm/verifier.cpp deleted file mode 100644 index 366b44787e..0000000000 --- a/src/vm/verifier.cpp +++ /dev/null 
@@ -1,469 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// -// verifier.cpp -// - -// -// -// -// Registry / Environment settings : -// -// Create registry entries in CURRENT_USER\Software\Microsoft\.NETFramework -// or set environment variables COMPlus_* with the names given below. -// Environment settings override registry settings. -// -// For breaking into the debugger / Skipping verification : -// (available only in the debug build). -// -// VerBreakOnError [STRING] Break into the debugger on error. Set to 1 -// VerSkip [STRING] method names (case sensitive) -// VerBreak [STRING] method names (case sensitive) -// VerOffset [STRING] Offset in the method in hex -// VerPass [STRING] 1 / 2 ==> First pass, second pass -// VerMsgMethodInfoOff [STRING] Print method / module info on error -// -// NOTE : If there are more than one methods in the list and an offset -// is specified, this offset is applicable to all methods in the list -// -// NOTE : Verifier should be enabled for this to work. -// -// To Switch the verifier Off (Default is On) : -// (available on all builds). -// -// VerifierOff [STRING] 1 ==> Verifier is Off, 0 ==> Verifier is On -// -// [See EEConfig.h / EEConfig.cpp] -// -// -// Meaning of code marked with @XXX -// -// @VER_ASSERT : Already verified. -// @VER_IMPL : Verification rules implemented here. -// @DEBUG : To be removed/commented before checkin. 
-// - - -#include "common.h" - -#include "verifier.hpp" -#include "ceeload.h" -#include "clsload.hpp" -#include "method.hpp" -#include "vars.hpp" -#include "object.h" -#include "field.h" -#include "comdelegate.h" -#include "security.h" -#include "dbginterface.h" -#include "securityattributes.h" -#include "eeconfig.h" -#include "sourceline.h" -#include "typedesc.h" -#include "typestring.h" -#include "../dlls/mscorrc/resource.h" - - -#define VER_NAME_INFO_SIZE 128 -#define VER_SMALL_BUF_LEN 256 -#define VER_FAILED_TO_LOAD_RESOURCE_STRING "(Failed to load resource string)" - -#define VER_LD_RES(e, fld) \ - { \ - if ((sRes.LoadResource(CCompRC::Error, e ))) \ - { \ - sPrint.Printf(sRes.GetUnicode(), err.fld); \ - sMessage += sPrint; \ - } \ - else \ - { \ - SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); \ - sMessage += s; \ - } \ - } - -// Copies the error message to the input char* -WCHAR* Verifier::GetErrorMsg( - HRESULT hrError, - VerError err, - __inout_ecount(len) WCHAR *wszMsg, - int len, - ValidateWorkerArgs* pArgs) -{ - CONTRACTL { - THROWS; - GC_TRIGGERS; - } CONTRACTL_END; - - SString sMessage; // to debug, watch "(WCHAR*)sMessage.m_buffer" - SString sPrint; - LPCSTR szMethodName; - - NewHolder<SourceLine> pSL(NULL); - - if (pArgs->pMethodDesc) - { - // source lines - if (pArgs->fShowSourceLines && pArgs->wszFileName) - { - pSL = new SourceLine(pArgs->wszFileName); - if(pSL->IsInitialized()) - { - DWORD dwFunctionToken = pArgs->pMethodDesc->GetMemberDef(); - WCHAR wcBuffer[VER_SMALL_BUF_LEN]; - wcBuffer[0] = 0; - DWORD dwLineNumber; - HRESULT hr; - hr = pSL->GetSourceLine( dwFunctionToken, err.dwOffset, wcBuffer, VER_SMALL_BUF_LEN, &dwLineNumber ); - sPrint.Printf(W("%s(%d) : "), wcBuffer, dwLineNumber); - sMessage += sPrint; - } - SString sRes; - sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_ILERROR); - sMessage += sRes; - } - - // module - sMessage += W("["); - sMessage += pArgs->pMethodDesc->GetModule()->GetPath(); - - // class - sMessage 
+= W(" : "); - if (pArgs->pMethodDesc->GetMethodTable() != NULL) - { - // DefineFullyQualifiedNameForClass(); - // GetFullyQualifiedNameForClassNestedAware(pClass); - // sMessage += FilterAscii(_szclsname_, szTemp, VER_NAME_INFO_SIZE); - SString clsname; - TypeString::AppendType(clsname,TypeHandle(pArgs->pMethodDesc->GetMethodTable())); - sMessage += clsname; - } - else - { - SString sRes; - sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_GLOBAL); - sMessage += sRes; - } - - // method - sMessage += W("::"); - if (FAILED(pArgs->pMethodDesc->GetModule()->GetMDImport()->GetNameOfMethodDef(pArgs->pMethodDesc->GetMemberDef(), &szMethodName))) - { - szMethodName = "Invalid MethodDef record"; - } - SString sNameOfMethod(SString::Utf8, szMethodName); - sMessage += sNameOfMethod; - - if (pArgs->pMethodDesc->IsGenericMethodDefinition()) - { - SString inst; - TypeString::AppendInst(inst,pArgs->pMethodDesc->GetMethodInstantiation(),TypeString::FormatBasic); - sMessage += inst; - } - - sMessage += W("]"); - - // MD token - if(pArgs->fVerbose) - { - SString sRes; - sRes.LoadResource(CCompRC::Debugging, IDS_VER_E_MDTOKEN); - DWORD dwMDToken = pArgs->pMethodDesc->GetMemberDef(); - sPrint.Printf(sRes.GetUnicode(), dwMDToken); - sMessage += sPrint; - } - } - - // Fill In the details - SString sRes; - - // Create the generic error fields - - if (err.dwFlags & VER_ERR_OFFSET) - VER_LD_RES(VER_E_OFFSET, dwOffset); - - if (err.dwFlags & VER_ERR_OPCODE) - { - if (sRes.LoadResource(CCompRC::Error, VER_E_OPCODE)) - { - sPrint.Printf(sRes, ppOpcodeNameList[err.opcode]); - sMessage += W(" "); - sMessage += sPrint; - } - } - - if (err.dwFlags & VER_ERR_OPERAND) - VER_LD_RES(VER_E_OPERAND, dwOperand); - - if (err.dwFlags & VER_ERR_TOKEN) - VER_LD_RES(VER_E_TOKEN, token); - - if (err.dwFlags & VER_ERR_EXCEP_NUM_1) - VER_LD_RES(VER_E_EXCEPT, dwException1); - - if (err.dwFlags & VER_ERR_EXCEP_NUM_2) - VER_LD_RES(VER_E_EXCEPT, dwException2); - - if (err.dwFlags & VER_ERR_STACK_SLOT) - 
VER_LD_RES(VER_E_STACK_SLOT, dwStackSlot); - - if ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_LOCAL_SIG) - { - if (err.dwVarNumber != VER_ERR_NO_LOC) - { - if(pArgs->fShowSourceLines && pSL && pSL->IsInitialized() && pArgs->pMethodDesc) - { - if ((sRes.LoadResource(CCompRC::Error, VER_E_LOC_BYNAME))) - { - DWORD dwFunctionToken = pArgs->pMethodDesc->GetMemberDef(); - WCHAR wcBuffer[VER_SMALL_BUF_LEN]; - wcBuffer[0] = 0; - HRESULT hr; - hr = pSL->GetLocalName(dwFunctionToken, err.dwVarNumber, wcBuffer, VER_SMALL_BUF_LEN); - sPrint.Printf(sRes.GetUnicode(), wcBuffer); - } - else - { - SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); - sPrint = s; - } - } - else - { - if ((sRes.LoadResource(CCompRC::Error, VER_E_LOC))) - sPrint.Printf(sRes.GetUnicode(), err.dwVarNumber); - else - { - SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); - sPrint = s; - } - } - sMessage += sPrint; - } - } - - if ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_FIELD_SIG) - { - if (sRes.LoadResource(CCompRC::Error, VER_E_FIELD_SIG)) - { - sMessage += W(" "); - sMessage += sRes; - } - } - - if (((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_METHOD_SIG) || - ((err.dwFlags & VER_ERR_SIG_MASK) == VER_ERR_CALL_SIG)) - { - if (err.dwArgNumber != VER_ERR_NO_ARG) - { - if (err.dwArgNumber != VER_ERR_ARG_RET) - { - VER_LD_RES(VER_E_ARG, dwArgNumber); - } - else if (sRes.LoadResource(CCompRC::Error, VER_E_RET_SIG)) - { - sMessage += W(" "); - sMessage += sRes; - } - } - } - - if (err.dwFlags & VER_ERR_TYPE_1) - sMessage += err.wszType1; - - if (err.dwFlags & VER_ERR_TYPE_2) - sMessage += err.wszType2; - - if (err.dwFlags & VER_ERR_ADDL_MSG) - sMessage += err.wszAdditionalMessage; - - if (err.dwFlags & VER_ERR_TYPE_F) - { - if (sRes.LoadResource(CCompRC::Error, VER_E_FOUND)) - { - sPrint.Printf(sRes, err.wszTypeFound); - sMessage += sPrint; - } - } - - if (err.dwFlags & VER_ERR_TYPE_E) - { - if (sRes.LoadResource(CCompRC::Error, VER_E_EXPECTED)) - { - sPrint.Printf(sRes, 
err.wszTypeExpected); - sMessage += sPrint; - } - } - - // Handle the special cases - switch (hrError) - { - case VER_E_UNKNOWN_OPCODE: - VER_LD_RES(VER_E_UNKNOWN_OPCODE, opcode); - break; - - case VER_E_SIG_CALLCONV: - VER_LD_RES(VER_E_SIG_CALLCONV, bCallConv); - break; - - case VER_E_SIG_ELEMTYPE: - VER_LD_RES(VER_E_SIG_ELEMTYPE, elem); - break; - - case COR_E_ASSEMBLYEXPECTED: - Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs); - break; - - case SECURITY_E_UNVERIFIABLE: - Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs); - break; - - case CORSEC_E_MIN_GRANT_FAIL: - Verifier::GetAssemblyName(hrError,sMessage, sRes, sPrint, pArgs); - break; - - case __HRESULT_FROM_WIN32(ERROR_BAD_FORMAT): - // fall through - - default: - Verifier::GetDefaultMessage(hrError,sMessage, sRes, sPrint); - } - - wcsncpy_s(wszMsg, len, sMessage.GetUnicode(), _TRUNCATE); - return wszMsg; -} - -/*static*/ VOID Verifier::GetDefaultMessage(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint) -{ - if (sMessage.GetCount() > 0) - sMessage += W(" "); - - if (HRESULT_FACILITY(hrError) == FACILITY_URT && sRes.LoadResource(CCompRC::Error, MSG_FOR_URT_HR(hrError))) - sMessage += sRes; - else - { - WCHAR win32Msg[VER_SMALL_BUF_LEN]; - BOOL useWin32Msg = WszFormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, - hrError, -#if FEATURE_USE_LCID - MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language -#else - 0, -#endif - (LPTSTR) win32Msg, - VER_SMALL_BUF_LEN - 1, - NULL ); - - if (sRes.LoadResource(CCompRC::Error, VER_E_HRESULT)) - { - sPrint.Printf(sRes, hrError); - - if (useWin32Msg) - { - sPrint += W(" - "); - sPrint += win32Msg; - } - - sMessage += W(" "); - sMessage += sPrint; - } - else - { - SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); - sMessage += s; - } - } -} - -/*static*/ HRESULT Verifier::ReportError(IVEHandler *pVeh, HRESULT hrError, VEContext* pVec, ValidateWorkerArgs* pArgs) -{ - 
CONTRACTL { - NOTHROW; - GC_TRIGGERS; - } CONTRACTL_END; - - // Filter out error messages that require parameters - switch(hrError) - { - case COR_E_TYPELOAD: hrError = VER_E_TYPELOAD; break; - } - - HRESULT hr = E_FAIL; - EX_TRY - { - GCX_PREEMP(); - - // There is no room for expansion in the VEHandler interface, so we're - // stuffing our extra data into the SafeArray that was originally - // designed to be used only by the MDValidator. - - // Note: VT_VARIANT is the only supported safe array type on Rotor - SAFEARRAY* pSafeArray = SafeArrayCreateVector(VT_VARIANT, 0, 1); - _ASSERTE(pSafeArray); - if (pSafeArray) - { - VARIANT var; -#ifdef _WIN64 - V_VT(&var) = VT_UI8; // machine sized int. (VT_UI8 not supported on Windows 2000) - V_UINT_PTR(&var) = (UINT64)(size_t)(pArgs); -#else - V_VT(&var) = VT_UINT; // machine sized int - V_UINT_PTR(&var) = (ULONG_PTR)(pArgs); -#endif - LONG i = 0; - HRESULT hrPutElement; - hrPutElement = SafeArrayPutElement(pSafeArray, &i, &var); - _ASSERTE(hrPutElement == S_OK); - } - - // Call the handler - hr = pVeh->VEHandler(hrError, *pVec, pSafeArray); - - // Clean up the SafeArray we allocated - HRESULT hrDestroy; - hrDestroy = SafeArrayDestroy(pSafeArray); - _ASSERTE(hrDestroy == S_OK); - } - EX_CATCH_HRESULT(hr); - - return hr; -} - -/*static*/ VOID Verifier::GetAssemblyName(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint, ValidateWorkerArgs* pArgs) -{ - CONTRACTL - { - THROWS; - GC_NOTRIGGER; - MODE_ANY; - } - CONTRACTL_END; - if(sRes.LoadResource(CCompRC::Error, hrError)) - { - // find the '%1' - SString::Iterator i = sRes.Begin(); - if (sRes.Find(i, W("'%1'"))) - { - // replace the '%1' with the module name - if(pArgs->wszFileName) - { - sPrint = pArgs->wszFileName; - sRes.Replace(i + 1, 2, sPrint); - } - else - { - sPrint = W(""); - sRes.Replace(i, 4, sPrint); - } - sMessage += sRes; - } - } - else - { - SString s(SString::Ascii, VER_FAILED_TO_LOAD_RESOURCE_STRING); - sMessage += s; - } -} 
diff --git a/src/vm/verifier.hpp b/src/vm/verifier.hpp
deleted file mode 100644
index a2395e26a0..0000000000
--- a/src/vm/verifier.hpp
+++ /dev/null
@@ -1,111 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// -// verifier.hpp -// - -// -// -// -// Dead code verification is for supporting FJIT. If FJIT gets fixed so that it -// can handle dead code, remove code #ifdefed in _VER_VERIFY_DEAD_CODE -// - - -#ifndef _VERIFIER_HPP -#define _VERIFIER_HPP - -#define _VER_VERIFY_DEAD_CODE 1 // Verifies dead code - -#include "ivehandler.h" -#include "vererror.h" - -class Verifier; -class CValidator; -class ValidateWorkerArgs; - -#define VER_FORCE_VERIFY 0x0001 // Fail even for fully trusted code -#define VER_STOP_ON_FIRST_ERROR 0x0002 // Tools can handle multiple errors - -// Extensions to ELEMENT_TYPE_* enumeration in cor.h - -// Any objref -#define VER_ELEMENT_TYPE_OBJREF (ELEMENT_TYPE_MAX) - -// Any value class -#define VER_ELEMENT_TYPE_VALUE_CLASS (ELEMENT_TYPE_MAX+1) - -// A by-ref anything -#define VER_ELEMENT_TYPE_BYREF (ELEMENT_TYPE_MAX+2) - -// Unknown/invalid type -#define VER_ELEMENT_TYPE_UNKNOWN (ELEMENT_TYPE_MAX+3) - -// Sentinel value (stored at slots -1 and -2 of the stack to catch stack overflow) -#define VER_ELEMENT_TYPE_SENTINEL (ELEMENT_TYPE_MAX+4) - -#define VER_LAST_BASIC_TYPE (ELEMENT_TYPE_MAX+4) - -#define VER_ARG_RET VER_ERR_ARG_RET -#define VER_NO_ARG VER_ERR_NO_ARG - - - -#include "cor.h" -#include "veropcodes.hpp" -#include "util.hpp" - - -#define MAX_SIGMSG_LENGTH 100 -#define MAX_FAILMSG_LENGTH 384 + MAX_SIGMSG_LENGTH - - -struct VerExceptionInfo; -struct VerExceptionBlock; -class Verifier; - - - -class Verifier -{ - friend class VerSig; - friend class Item; - -public: - static WCHAR* GetErrorMsg(HRESULT hError, VerError err, __inout_ecount(len) WCHAR *wszMsg, int len, ValidateWorkerArgs* pArgs); - static HRESULT ReportError(IVEHandler *pVeh, HRESULT hrError, VEContext* pVec, ValidateWorkerArgs* pArgs); - -private: - static VOID 
GetDefaultMessage(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint); - static VOID GetAssemblyName(HRESULT hrError, SString& sMessage, SString& sRes, SString& sPrint, ValidateWorkerArgs* pArgs); -}; - - -class ValidateWorkerArgs -{ -public: - CValidator *val; - HRESULT hr; - bool fDeletePEFile; - MethodDesc* pMethodDesc; - LPWSTR wszFileName; - BYTE *pe; - unsigned int size; - bool fVerbose; - bool fShowSourceLines; - bool fTransparentMethodsOnly; - - ValidateWorkerArgs() - : val(NULL), - hr(S_OK), - fDeletePEFile(true), - pMethodDesc(NULL), - wszFileName(NULL), - fVerbose(false), - fShowSourceLines(false), - fTransparentMethodsOnly(false) - {LIMITED_METHOD_CONTRACT; } -}; - -#endif /* _VERIFIER_HPP */ diff --git a/src/vm/veropcodes.hpp b/src/vm/veropcodes.hpp deleted file mode 100644 index 1d25b75ac9..0000000000 --- a/src/vm/veropcodes.hpp +++ /dev/null @@ -1,30 +0,0 @@ -// Licensed to the .NET Foundation under one or more agreements. -// The .NET Foundation licenses this file to you under the MIT license. -// See the LICENSE file in the project root for more information. -// -// veropcodes.hpp -// - -// -// Declares the enumeration of the opcodes and the decoding tables. -// - -#include "openum.h" - -#define HackInlineAnnData 0x7F - -#ifdef DECLARE_DATA -#define OPDEF(c,s,pop,push,args,type,l,s1,s2,ctrl) L##s, - -const WCHAR * const ppOpcodeNameList[] = -{ -#include "../inc/opcode.def" -}; - -#undef OPDEF - -#else /* !DECLARE_DATA */ - -extern const WCHAR * const ppOpcodeNameList[]; - -#endif /* DECLARE_DATA */ diff --git a/src/vm/weakreferencenative.cpp b/src/vm/weakreferencenative.cpp index f6badd5321..b7052b82b1 100644 --- a/src/vm/weakreferencenative.cpp +++ b/src/vm/weakreferencenative.cpp @@ -13,6 +13,8 @@ #include "weakreferencenative.h" #include "handletablepriv.h" +#include "typestring.h" +#include "typeparse.h" //************************************************************************ 
diff --git a/src/vm/winrttypenameconverter.cpp b/src/vm/winrttypenameconverter.cpp
index c5dc969f90..e30128b5df 100644
--- a/src/vm/winrttypenameconverter.cpp
+++ b/src/vm/winrttypenameconverter.cpp
@@ -692,7 +692,6 @@ WinMDAdapter::RedirectedTypeIndex WinRTTypeNameConverter::GetRedirectedTypeIndex dwFlags)); Assembly* pRedirectedAssembly = spec.LoadAssembly( FILE_LOADED,
- NULL, // pLoadSecurity
 FALSE); // fThrowOnFileNotFound
 if (pRedirectedAssembly == NULL) |