diff options
Diffstat (limited to 'src/vm/aptca.h')
-rw-r--r-- | src/vm/aptca.h | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/src/vm/aptca.h b/src/vm/aptca.h new file mode 100644 index 0000000000..3d590a093a --- /dev/null +++ b/src/vm/aptca.h @@ -0,0 +1,110 @@ +// Licensed to the .NET Foundation under one or more agreements. +// The .NET Foundation licenses this file to you under the MIT license. +// See the LICENSE file in the project root for more information. +//-------------------------------------------------------------------------- +// aptca.h +// +// Functions for handling allow partially trusted callers assemblies +// +// This should be the only interface for talking about the APTCA-ness of an assembly, and even then should +// be used only from very select areas of the CLR that absolutely need to know the information. For +// instance: +// +// * the class loader (for code sharing and formatting exception messages) +// * NGEN (for determining if a native image is valid) +// * security attribute processing code (for obvious reasons) +// +// may use this interface. Nearly every other section of the code should simply be relying on the +// ModuleSecurityDescriptor for the assembly in question. And no other sections of the code should be +// directly asking questions like "is this assembly conditional APTCA" ... we explicitly want to hide that +// information away behind the final assembly security attribute computation as much as possible. +// +// In particular, no code should be making security enforcement decisions based upon conditional APTCA, and +// instead should rely on the existing transparency / legacy APTCA enforcement. This means that once the +// security system, JIT, and class loader have finished setting up an assembly's APTCA attributes, there +// should be no further questions asked about the particular APTCA attribute applied to the assembly. +// +// Put another way, once an assembly is loaded, the APTCA kill bit and conditional APTCA enabled / disabled +// decision for an assembly should evaporate away, and all assemblies should look as if they either have a +// full APTCA attribute (in the not-killbitted / conditional APTCA enabled case) or no APTCA attribute at +// all (killbitted or conditional APTCA disabled). +// + +// +//-------------------------------------------------------------------------- + + +#ifndef __APTCA_H__ +#define __APTCA_H__ + +#ifndef FEATURE_APTCA +#error FEATURE_APTCA is required for this file +#endif // FEATURE_APTCA + +#include "securitymeta.h" + +class ConditionalAptcaCache +{ +public: + typedef enum + { + kUnknown, // No cached state + kEnabled, // The assembly is enabled in this domain + kDisabled, // The assembly is disabled in this domain + kNotCAptca, // The assembly is not conditionally APTCA + } + State; + + typedef enum + { + kDomainStateUnknown, // The domain state is not yet initialized + kAllEnabled, // All assemblies in the domain are enabled + kSomeEnabled, // Some assemblies in the domain are enabled + kAllDisabled, // All assemblies in the domain are disabled + } + DomainState; + + ConditionalAptcaCache(AppDomain *pAppDomain); + ~ConditionalAptcaCache(); + + State GetCachedState(PTR_PEImage pImage); + void SetCachedState(PTR_PEImage pImage, State state); + + DomainState GetConditionalAptcaDomainState(); + void SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList); + + static bool ConsiderFullTrustConditionalAptcaLists(); + +private: + ConditionalAptcaCache(ConditionalAptcaCache &other); // not implemented - used to prevent compiler generating a copy constructor + ConditionalAptcaCache& operator=(const ConditionalAptcaCache &other); // not implemented - used to prevent compiler generating an assignment operator + +private: + AppDomain *m_pAppDomain; + + bool m_canonicalListIsNull; + SString m_canonicalList; + DomainState m_domainState; +}; + +// Determine if the AppDomain can share an assembly or if APTCA restrictions prevent sharing +bool DomainCanShareAptcaAssembly(DomainAssembly *pDomainAssembly); + +// Get an exception string indicating how to enable a conditional APTCA assembly if it was disabled and +// caused an exception +SString GetConditionalAptcaAccessExceptionContext(Assembly *pTargetAssembly); + +// Get an exception string indicating that +SString GetConditionalAptcaSharingExceptionContext(Assembly *pTargetAssembly); + +// Get an exception string indicating that an assembly was on the kill bit list if it caused an exception +SString GetAptcaKillBitAccessExceptionContext(Assembly *pTargetAssembly); + +// Determine if a native image is OK to use from an APTCA perspective (it and its dependencies all have the +// same APTCA-ness now as at NGEN time) +bool NativeImageHasValidAptcaDependencies(PEImage *pNativeImage, DomainAssembly *pDomainAssembly); + +// Process an assembly's real APTCA flags to determine if the assembly should be considered APTCA or not +TokenSecurityDescriptorFlags ProcessAssemblyAptcaFlags(DomainAssembly *pDomainAssembly, TokenSecurityDescriptorFlags tokenFlags); + +#endif // __APTCA_H__ |