Add host flag to disable transparency checks in CoreCLR

A lot of security transparency annotations in corefx is missing or inconsistent. People keep running into MethodAccessExceptions because of that. It is not easy (nor cheap) to fix the annotations to make them consistent, and they are not actually required for any of the .NET Core scenarios.

This change is introducing a hosting flag to disable security transparency checks on CoreCLR, and adds this flag to all .NET Core hosts. The .NET Core hosts outside of the CoreCLR tree (e.g. ASP.NET 5) will need this flag added as well.

[tfs-changeset: 1437325]

15 files changed, 128 insertions, 101 deletions

diff --git a/src/coreclr/hosts/coreconsole/coreconsole.cpp b/src/coreclr/hosts/coreconsole/coreconsole.cpp
index 7523bb61ee..5e436ed7a1 100644
--- a/src/coreclr/hosts/coreconsole/coreconsole.cpp
+++ b/src/coreclr/hosts/coreconsole/coreconsole.cpp
@@ -496,7 +496,8 @@ bool TryRun(const int argc, const wchar_t* argv[], Logger &log, const bool verbo
         // - Prevents the application from being torn down if a managed exception is unhandled
         //
         APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS | 
-        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP,
+        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP |
+        APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT,
         NULL,                // Name of the assembly that contains the AppDomainManager implementation
         NULL,                    // The AppDomainManager implementation type name
         sizeof(property_keys)/sizeof(wchar_t*),  // The number of properties
diff --git a/src/coreclr/hosts/corerun/corerun.cpp b/src/coreclr/hosts/corerun/corerun.cpp
index fdcb140607..6766b6ba17 100644
--- a/src/coreclr/hosts/corerun/corerun.cpp
+++ b/src/coreclr/hosts/corerun/corerun.cpp
@@ -537,8 +537,9 @@ bool TryRun(const int argc, const wchar_t* argv[], Logger &log, const bool verbo
         // APPDOMAIN_IGNORE_UNHANDLED_EXCEPTION
         // - Prevents the application from being torn down if a managed exception is unhandled
         //
-        APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS | 
-        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP,
+        APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS |
+        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP |
+        APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT,
         NULL,                // Name of the assembly that contains the AppDomainManager implementation
         NULL,                    // The AppDomainManager implementation type name
         sizeof(property_keys)/sizeof(wchar_t*),  // The number of properties
diff --git a/src/dlls/mscoree/unixinterface.cpp b/src/dlls/mscoree/unixinterface.cpp
index 265e99539e..2eaa1b81cb 100644
--- a/src/dlls/mscoree/unixinterface.cpp
+++ b/src/dlls/mscoree/unixinterface.cpp
@@ -176,7 +176,8 @@ HRESULT ExecuteAssembly(
         // - Prevents the application from being torn down if a managed exception is unhandled
         //
         APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS |
-        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP,
+        APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP |
+        APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT,
         NULL,                    // Name of the assembly that contains the AppDomainManager implementation
         NULL,                    // The AppDomainManager implementation type name
         propertyCount,
diff --git a/src/inc/MSCOREE.IDL b/src/inc/MSCOREE.IDL
index 957b02f44a..ddb326b8ce 100644
--- a/src/inc/MSCOREE.IDL
+++ b/src/inc/MSCOREE.IDL
@@ -368,6 +368,8 @@ typedef enum
 
     APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS = 0x40,
     APPDOMAIN_ENABLE_ASSEMBLY_LOADFILE = 0x80,
+
+    APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT = 0x100,
 #endif //FEATURE_CORECLR  
 } APPDOMAIN_SECURITY_FLAGS;
 
diff --git a/src/pal/prebuilt/inc/mscoree.h b/src/pal/prebuilt/inc/mscoree.h
index 9ec3e6409c..a526da58b6 100644
--- a/src/pal/prebuilt/inc/mscoree.h
+++ b/src/pal/prebuilt/inc/mscoree.h
@@ -236,7 +236,7 @@ struct IActivationFactory;
 
 #define	CLR_MINOR_VERSION	( 0 )
 
-#define	CLR_BUILD_VERSION	( 22220 )
+#define	CLR_BUILD_VERSION	( 22719 )
 
 #define	CLR_ASSEMBLY_MAJOR_VERSION	( 4 )
 
@@ -351,7 +351,8 @@ enum __MIDL___MIDL_itf_mscoree_0000_0000_0005
         APPDOMAIN_ENABLE_PINVOKE_AND_CLASSIC_COMINTEROP	= 0x10,
         APPDOMAIN_SET_TEST_KEY	= 0x20,
         APPDOMAIN_ENABLE_PLATFORM_SPECIFIC_APPS	= 0x40,
-        APPDOMAIN_ENABLE_ASSEMBLY_LOADFILE	= 0x80
+        APPDOMAIN_ENABLE_ASSEMBLY_LOADFILE	= 0x80,
+        APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT	= 0x100
     } 	APPDOMAIN_SECURITY_FLAGS;
 
 STDAPI GetRequestedRuntimeVersionForCLSID(REFCLSID rclsid, _Out_writes_opt_(cchBuffer) LPWSTR pVersion, DWORD cchBuffer, _Out_opt_ DWORD* dwLength, CLSID_RESOLUTION_FLAGS dwResolutionFlags);
diff --git a/src/vm/appdomain.hpp b/src/vm/appdomain.hpp
index 0e966659bb..4840b904df 100644
--- a/src/vm/appdomain.hpp
+++ b/src/vm/appdomain.hpp
@@ -2936,7 +2936,21 @@ public:
         LIMITED_METHOD_CONTRACT;
 
         return (m_dwFlags & ENABLE_ASSEMBLY_LOADFILE);
-     }
+    }
+
+    void DisableTransparencyEnforcement()
+    {
+        LIMITED_METHOD_CONTRACT;
+
+        m_dwFlags |= DISABLE_TRANSPARENCY_ENFORCEMENT;
+    }
+
+    BOOL IsTransparencyEnforcementDisabled()
+    {
+        LIMITED_METHOD_CONTRACT;
+
+        return (m_dwFlags & DISABLE_TRANSPARENCY_ENFORCEMENT);
+    }
 #endif // defined(FEATURE_CORECLR)
 
     void SetPassiveDomain()
@@ -3997,6 +4011,7 @@ public:
 #ifdef FEATURE_CORECLR
         ENABLE_SKIP_PLAT_CHECKS         = 0x200000, // Skip various assembly checks (like platform check)
         ENABLE_ASSEMBLY_LOADFILE        = 0x400000, // Allow Assembly.LoadFile in CoreCLR
+        DISABLE_TRANSPARENCY_ENFORCEMENT= 0x800000, // Disable enforcement of security transparency rules
 #endif        
     };
 
diff --git a/src/vm/clsload.cpp b/src/vm/clsload.cpp
index 8d5fae5c2d..f80041cf38 100644
--- a/src/vm/clsload.cpp
+++ b/src/vm/clsload.cpp
@@ -5,12 +5,6 @@
 //
 // File: clsload.cpp
 //
-
-
-
-//
-
-//
 // ============================================================================
 
 #include "common.h"
@@ -4880,7 +4874,7 @@ BOOL AccessCheckOptions::DemandMemberAccess(AccessCheckContext *pContext, Method
         _ASSERTE(GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted() ||
                  m_accessCheckType == kRestrictedMemberAccess);
 
-        if (visibilityCheck)
+        if (visibilityCheck && Security::IsTransparencyEnforcementEnabled())
         {
             // In CoreCLR RMA means visibility checks always succeed if the target is user code.
             if ((m_accessCheckType == kRestrictedMemberAccess || m_accessCheckType == kRestrictedMemberAccessNoTransparency) &&
@@ -5530,6 +5524,9 @@ static BOOL CheckTransparentAccessToCriticalCode(
     }
     CONTRACTL_END;
 
+    if (!Security::IsTransparencyEnforcementEnabled())
+        return TRUE;
+
     // At most one of these should be non-NULL
     _ASSERTE(1 >= ((pOptionalTargetMethod ? 1 : 0) +
                    (pOptionalTargetField ? 1 : 0) +
@@ -5561,11 +5558,8 @@ static BOOL CheckTransparentAccessToCriticalCode(
         {
             SecurityTransparent::LogTransparencyError(pContext->GetCallerMethod(), "Transparent code accessing a critical type, method, or field", pOptionalTargetMethod);
         }
-        if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-        {
-            return accessCheckOptions.DemandMemberAccessOrFail(pContext, pTargetMT, FALSE /*visibilityCheck*/);
-        }
+        return accessCheckOptions.DemandMemberAccessOrFail(pContext, pTargetMT, FALSE /*visibilityCheck*/);
     }
 
     return TRUE;
diff --git a/src/vm/corhost.cpp b/src/vm/corhost.cpp
index 8f4769d0fe..6e26ceb7d1 100644
--- a/src/vm/corhost.cpp
+++ b/src/vm/corhost.cpp
@@ -1593,6 +1593,11 @@ HRESULT CorHost2::_CreateAppDomain(
     {
         pDomain->SetAllowLoadFile();
     }
+
+    if (dwFlags & APPDOMAIN_DISABLE_TRANSPARENCY_ENFORCEMENT)
+    {
+        pDomain->DisableTransparencyEnforcement();
+    }
 #endif // FEATURE_CORECLR
 
     if (dwFlags & APPDOMAIN_SECURITY_FORBID_CROSSAD_REVERSE_PINVOKE)    
diff --git a/src/vm/invokeutil.cpp b/src/vm/invokeutil.cpp
index 4c623f6981..60ee90630f 100644
--- a/src/vm/invokeutil.cpp
+++ b/src/vm/invokeutil.cpp
@@ -1667,14 +1667,16 @@ void InvokeUtil::CanAccessMethod(MethodDesc*    pMeth,
         if (pMeth->IsNDirect() ||
             (pMeth->IsComPlusCall() && !pMeth->IsInterface()))
         {
-            MethodDesc* pmdCaller = pSCtx->GetCallerMethod();
-
-            if (pmdCaller != NULL &&
-                Security::IsMethodTransparent(pmdCaller))
+            if (Security::IsTransparencyEnforcementEnabled())
             {
-                ThrowMethodAccessException(pSCtx, pMeth, IDS_E_TRANSPARENT_CALL_NATIVE);
-            }
+                MethodDesc* pmdCaller = pSCtx->GetCallerMethod();
 
+                if (pmdCaller != NULL &&
+                    Security::IsMethodTransparent(pmdCaller))
+                {
+                    ThrowMethodAccessException(pSCtx, pMeth, IDS_E_TRANSPARENT_CALL_NATIVE);
+                }
+            }
         }
 
 #else  // FEATURE_CORECLR
@@ -1706,21 +1708,21 @@ void InvokeUtil::CanAccessMethod(MethodDesc*    pMeth,
     //checkSkipVer is set only when the user tries to invoke a constructor on a existing object.
     if (checkSkipVer)
     {
-        MethodDesc *pCallerMD = pSCtx->GetCallerMethod();
-
-        // Interop (NULL) caller should be able to skip verification
-        if (pCallerMD != NULL &&
-            Security::IsMethodTransparent(pCallerMD) &&
-            !pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification())
+        if (Security::IsTransparencyEnforcementEnabled())
         {
-#ifdef _DEBUG
-            if (g_pConfig->LogTransparencyErrors())
+            MethodDesc *pCallerMD = pSCtx->GetCallerMethod();
+
+            // Interop (NULL) caller should be able to skip verification
+            if (pCallerMD != NULL &&
+                Security::IsMethodTransparent(pCallerMD) &&
+                !pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification())
             {
-                SecurityTransparent::LogTransparencyError(pMeth, "Attempt by a transparent method to use unverifiable code");
-            }
-            if (!g_pConfig->DisableTransparencyEnforcement())
+#ifdef _DEBUG
+                if (g_pConfig->LogTransparencyErrors())
+                {
+                    SecurityTransparent::LogTransparencyError(pMeth, "Attempt by a transparent method to use unverifiable code");
+                }
 #endif // _DEBUG
-            {
                 ThrowMethodAccessException(pCallerMD, pMeth, FALSE, IDS_E_TRANSPARENT_REFLECTION);
             }
         }
diff --git a/src/vm/methodtablebuilder.cpp b/src/vm/methodtablebuilder.cpp
index b64772eb40..db099e2996 100644
--- a/src/vm/methodtablebuilder.cpp
+++ b/src/vm/methodtablebuilder.cpp
@@ -12441,6 +12441,9 @@ void MethodTableBuilder::VerifyInheritanceSecurity()
     if (IsInterface())
         return;
 
+    if (!Security::IsTransparencyEnforcementEnabled())
+        return;
+
     // If we have a non-interface class, then do inheritance security
     // checks on it. The check starts by checking for inheritance
     // permission demands on the current class. If these first checks
diff --git a/src/vm/security.cpp b/src/vm/security.cpp
index f30ecd799c..e263c326f4 100644
--- a/src/vm/security.cpp
+++ b/src/vm/security.cpp
@@ -44,6 +44,23 @@ IPEFileSecurityDescriptor* Security::CreatePEFileSecurityDescriptor(AppDomain* p
 }
 #endif
 
+BOOL Security::IsTransparencyEnforcementEnabled()
+{
+    LIMITED_METHOD_CONTRACT;
+
+#ifdef FEATURE_CORECLR
+    if (GetAppDomain()->IsTransparencyEnforcementDisabled())
+        return FALSE;
+#endif
+
+#ifdef _DEBUG
+    if (g_pConfig->DisableTransparencyEnforcement())
+        return FALSE;
+#endif
+
+    return TRUE;
+}
+
 //---------------------------------------------------------------------------------------
 //
 // Determine if security checks should be bypassed for a method because the method is
diff --git a/src/vm/security.h b/src/vm/security.h
index 9331a6820a..f549b1045b 100644
--- a/src/vm/security.h
+++ b/src/vm/security.h
@@ -78,6 +78,8 @@ namespace Security
     inline bool CanLoadFromRemoteSources();
 #endif // FEATURE_CAS_POLICY
 
+    BOOL IsTransparencyEnforcementEnabled();
+
     BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD);
     inline BOOL CanCallUnmanagedCode(Module *pModule);
     inline BOOL CanAssert(Module *pModule);
diff --git a/src/vm/securitydeclarative.cpp b/src/vm/securitydeclarative.cpp
index d302a6c208..b2e07974fd 100644
--- a/src/vm/securitydeclarative.cpp
+++ b/src/vm/securitydeclarative.cpp
@@ -1423,19 +1423,16 @@ void SecurityDeclarative::EnsureAssertAllowed(MethodDesc *pMeth, MethodSecurityD
     }
 
     // Check if the Method is allowed to assert based on transparent/critical classification
-    if (!SecurityTransparent::IsAllowedToAssert(pMeth))
+    if (!SecurityTransparent::IsAllowedToAssert(pMeth) && Security::IsTransparencyEnforcementEnabled())
     {
 #ifdef _DEBUG
         if (g_pConfig->LogTransparencyErrors())
         {
             SecurityTransparent::LogTransparencyError(pMeth, "Transparent method using a security assert");
         }
-        if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-        {
-            // if assembly is transparent fail the ASSERT operations
-            COMPlusThrow(kInvalidOperationException, W("InvalidOperation_AssertTransparentCode"));
-        }
+        // if assembly is transparent fail the ASSERT operations
+        COMPlusThrow(kInvalidOperationException, W("InvalidOperation_AssertTransparentCode"));
     }
 
     return;
diff --git a/src/vm/securitymeta.cpp b/src/vm/securitymeta.cpp
index 1d50c76a76..f631cc17d1 100644
--- a/src/vm/securitymeta.cpp
+++ b/src/vm/securitymeta.cpp
@@ -644,9 +644,9 @@ void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
         PRECONDITION(CheckPointer(pChildMD));
     }
     CONTRACTL_END;
-   
+
     const SecurityTransparencyBehavior *pTransparencyBehavior = pChildMD->GetAssembly()->GetSecurityTransparencyBehavior();
-    if (pTransparencyBehavior->AreInheritanceRulesEnforced())
+    if (pTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled())
     {
         // The profiler may want to suppress these checks if it's currently running on the child type
         if (Security::BypassSecurityChecksForProfiler(pChildMD))
@@ -692,11 +692,8 @@ void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
                     {
                         SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a SafeCritical base method", m_pMD);
                     }
-                    if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                    {
-                        SecurityTransparent::ThrowTypeLoadException(pChildMD);
-                    }
+                    SecurityTransparent::ThrowTypeLoadException(pChildMD);
                 }
             }
             else
@@ -711,11 +708,8 @@ void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
                     {
                         SecurityTransparent::LogTransparencyError(pChildMD, "Transparent method overriding a critical base method", m_pMD);
                     }
-                    if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                    {
-                        SecurityTransparent::ThrowTypeLoadException(pChildMD);
-                    }
+                    SecurityTransparent::ThrowTypeLoadException(pChildMD);
                 }
                 else if (methSecurityDescriptor.IsTreatAsSafe() && !methSecurityDescriptor.IsOpportunisticallyCritical())
                 {
@@ -726,11 +720,8 @@ void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
                     {
                         SecurityTransparent::LogTransparencyError(pChildMD, "Safe critical method overriding a SafeCritical base method", m_pMD);
                     }
-                    if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                    {
-                        SecurityTransparent::ThrowTypeLoadException(pChildMD);
-                    }
+                    SecurityTransparent::ThrowTypeLoadException(pChildMD);
                 }
             }
         }
@@ -744,14 +735,12 @@ void MethodSecurityDescriptor::InvokeInheritanceChecks(MethodDesc *pChildMD)
                 {
                     SecurityTransparent::LogTransparencyError(pChildMD, "Critical method overriding a transparent base method", m_pMD);
                 }
-                if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                {
-                    SecurityTransparent::ThrowTypeLoadException(pChildMD);
-                }
+                SecurityTransparent::ThrowTypeLoadException(pChildMD);
             }
         }
     }
+
 #ifndef FEATURE_CORECLR
     // Check CAS Inheritance
 
@@ -1395,7 +1384,7 @@ void TypeSecurityDescriptor::InvokeInheritanceChecks(MethodTable* pChildMT)
     CONTRACTL_END;
 
     const SecurityTransparencyBehavior *pChildTransparencyBehavior = pChildMT->GetAssembly()->GetSecurityTransparencyBehavior();
-    if (pChildTransparencyBehavior->AreInheritanceRulesEnforced())
+    if (pChildTransparencyBehavior->AreInheritanceRulesEnforced() && Security::IsTransparencyEnforcementEnabled())
     {
         // We compare the child class with the most critical base class in the type hierarchy.
         //
@@ -1476,12 +1465,9 @@ void TypeSecurityDescriptor::InvokeInheritanceChecks(MethodTable* pChildMT)
                 {
                     SecurityTransparent::LogTransparencyError(pChildMT, "Transparent or safe critical type deriving from a critical base type");
                 }
-                if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                {
-                    // The parent class is critical, but the child class is not
-                    SecurityTransparent::ThrowTypeLoadException(pChildMT);
-                }
+                // The parent class is critical, but the child class is not
+                SecurityTransparent::ThrowTypeLoadException(pChildMT);
             }
         }
         else if (fFoundSafeCriticalParent)
@@ -1493,17 +1479,14 @@ void TypeSecurityDescriptor::InvokeInheritanceChecks(MethodTable* pChildMT)
                 {
                     SecurityTransparent::LogTransparencyError(pChildMT, "Transparent type deriving from a safe critical base type");
                 }
-                if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-                {
-                    // The parent class is safe critical, but the child class is transparent
-                    SecurityTransparent::ThrowTypeLoadException(pChildMT);
-                }
+                // The parent class is safe critical, but the child class is transparent
+                SecurityTransparent::ThrowTypeLoadException(pChildMT);
             }
         }
     }
-#ifndef FEATURE_CORECLR
 
+#ifndef FEATURE_CORECLR
     // Fast path check
     if (SecurityDeclarative::FullTrustCheckForLinkOrInheritanceDemand(pChildMT->GetAssembly()))
     {
diff --git a/src/vm/securitytransparentassembly.cpp b/src/vm/securitytransparentassembly.cpp
index 2a3ac4e493..d9b2401110 100644
--- a/src/vm/securitytransparentassembly.cpp
+++ b/src/vm/securitytransparentassembly.cpp
@@ -7,8 +7,6 @@
 //
 // Implementation for transparent code feature
 //
-
-
 //--------------------------------------------------------------------------
 
 
@@ -703,7 +701,7 @@ CorInfoIsAccessAllowedResult SecurityTransparent::RequiresTransparentCodeChecks(
 	// check if the caller assembly is transparent and NOT an interception stub (e.g. marshalling)
 	bool doChecks = !pCallerMD->IsILStub() && IsMethodTransparent(pCallerMD);
 
-    if (doChecks) 
+    if (doChecks && Security::IsTransparencyEnforcementEnabled())
     {
         if (!IsTransparentCallerAllowed(pCallerMD, pCalleeMD, pError))
         {
@@ -812,6 +810,11 @@ static void ConvertLinkDemandToFullDemand(MethodDesc* pCallerMD, MethodDesc* pCa
         return;
     }
 
+    if (!Security::IsTransparencyEnforcementEnabled())
+    {
+        return;
+    }
+
     // Profilers may wish to suppress linktime checks for methods they're profiling
     if (Security::BypassSecurityChecksForProfiler(pCallerMD))
     {
@@ -925,34 +928,32 @@ static void ConvertLinkDemandToFullDemand(MethodDesc* pCallerMD, MethodDesc* pCa
         {
             SecurityTransparent::LogTransparencyError(pCallerMD, "Transparent method calling unmanaged code");
         }
-        if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
+
+        if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallUnmanagedCode())
         {
-            if (pCallerMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeCallUnmanagedCode())
-            {
 #ifdef FEATURE_APTCA
-                if (fCallerIsAPTCA)
-                {
-                    // if the caller assembly is APTCA, then only inject this demand, for NON-APTCA we will allow
-                    // calls to native code
-                    // NOTE: the JIT would have already performed the LinkDemand for this anyways
-                    Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_UNMANAGED_CODE);        
-                }
-#endif // FEATURE_APTCA
-            }
-            else
+            if (fCallerIsAPTCA)
             {
+                // if the caller assembly is APTCA, then only inject this demand, for NON-APTCA we will allow
+                // calls to native code
+                // NOTE: the JIT would have already performed the LinkDemand for this anyways
+                Security::SpecialDemand(SSWT_LATEBOUND_LINKDEMAND, SECURITY_UNMANAGED_CODE);        
+            }
+#endif // FEATURE_APTCA
+        }
+        else
+        {
 #if defined(FEATURE_CORECLR_COVERAGE_BUILD) && defined(FEATURE_STRONGNAME_DELAY_SIGNING_ALLOWED)
-                // For code coverage builds we have an issue where the inserted types/methods are not annotated.
-                // In patricular, there may be p/invokes from transparent code. Allow that on cov builds for platform assemblies.
-                // Paranoia: allow this only on non shp builds - all builds except the SHP type will have
-                // FEATURE_STRONGNAME_DELAY_SIGNING_ALLOWED defined. So we can use that to figure out if this is a SHP build
-                // type that someone is trying to relax that constraint on and not allow that.
-                if (!pCalleeMD->GetModule()->GetFile()->GetAssembly()->IsProfileAssembly())
+            // For code coverage builds we have an issue where the inserted types/methods are not annotated.
+            // In patricular, there may be p/invokes from transparent code. Allow that on cov builds for platform assemblies.
+            // Paranoia: allow this only on non shp builds - all builds except the SHP type will have
+            // FEATURE_STRONGNAME_DELAY_SIGNING_ALLOWED defined. So we can use that to figure out if this is a SHP build
+            // type that someone is trying to relax that constraint on and not allow that.
+            if (!pCalleeMD->GetModule()->GetFile()->GetAssembly()->IsProfileAssembly())
 #endif // defined(FEATURE_CORECLR_COVERAGE_BUILD) && defined(FEATURE_STRONGNAME_DELAY_SIGNING_ALLOWED)
-                {
-                    ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_NATIVE);
-                }
+            {
+                ::ThrowMethodAccessException(pCallerMD, pCalleeMD, FALSE, IDS_E_TRANSPARENT_CALL_NATIVE);
             }
         }
     }
@@ -975,6 +976,11 @@ VOID SecurityTransparent::EnforceTransparentAssemblyChecks(MethodDesc* pCallerMD
     }
     CONTRACTL_END;
 
+    if (!Security::IsTransparencyEnforcementEnabled())
+    {
+        return;
+    }
+
     // Profilers may wish to suppress transparency checks for methods they're profiling
     if (Security::BypassSecurityChecksForProfiler(pCallerMD))
     {
@@ -1005,11 +1011,8 @@ VOID SecurityTransparent::EnforceTransparentAssemblyChecks(MethodDesc* pCallerMD
             {
                 LogTransparencyError(pCallerMD, "Transparent method accessing a critical method", pCalleeMD);
             }
-            if (!g_pConfig->DisableTransparencyEnforcement())
 #endif // _DEBUG
-            {
-                ::ThrowMethodAccessException(pCallerMD, pCalleeMD, TRUE, IDS_E_CRITICAL_METHOD_ACCESS_DENIED);
-            }
+            ::ThrowMethodAccessException(pCallerMD, pCalleeMD, TRUE, IDS_E_CRITICAL_METHOD_ACCESS_DENIED);
         }
     }