Diffstat (limited to 'src/vm/securitydescriptorassembly.cpp')
-rw-r--r-- | src/vm/securitydescriptorassembly.cpp | 229 |
1 files changed, 0 insertions, 229 deletions
diff --git a/src/vm/securitydescriptorassembly.cpp b/src/vm/securitydescriptorassembly.cpp
index c2aef22019..715d956123 100644
--- a/src/vm/securitydescriptorassembly.cpp
+++ b/src/vm/securitydescriptorassembly.cpp
@@ -34,82 +34,6 @@ AssemblySecurityDescriptor::AssemblySecurityDescriptor(AppDomain *pDomain, Domai } CONTRACTL_END; } -#ifdef FEATURE_CAS_POLICY -OBJECTREF AssemblySecurityDescriptor::GetRequestedPermissionSet(OBJECTREF *pOptionalPermissionSet, - OBJECTREF *pDeniedPermissionSet) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - PRECONDITION(m_pAppDomain == GetAppDomain()); - PRECONDITION(CheckPointer(pOptionalPermissionSet)); - PRECONDITION(CheckPointer(pDeniedPermissionSet)); - PRECONDITION(m_pAppDomain->GetSecurityDescriptor()->IsLegacyCasPolicyEnabled()); - INJECT_FAULT(COMPlusThrowOM();); - } - CONTRACTL_END; - - OBJECTREF req = NULL; - GCPROTECT_BEGIN(req); - - if (!IsAssemblyRequestsComputed()) - { - ReleaseHolder<IMDInternalImport> pImport (m_pAssem->GetFile()->GetMDImportWithRef()); - - // Try to load permission requests from assembly first. - SecurityAttributes::LoadPermissionRequestsFromAssembly(pImport, - &req, - pOptionalPermissionSet, - pDeniedPermissionSet); - - SetRequestedPermissionSet(req, *pOptionalPermissionSet, *pDeniedPermissionSet); - } - else - { - *pOptionalPermissionSet = ObjectFromLazyHandle(m_hOptionalPermissionSet, m_pLoaderAllocator); - *pDeniedPermissionSet = ObjectFromLazyHandle(m_hDeniedPermissionSet, m_pLoaderAllocator); - req = ObjectFromLazyHandle(m_hRequiredPermissionSet, m_pLoaderAllocator); - } - - GCPROTECT_END(); - return req; -} - -void AssemblySecurityDescriptor::SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet, - OBJECTREF OptionalPermissionSet, - OBJECTREF DeniedPermissionSet) -{ - CONTRACTL - { - THROWS; - GC_TRIGGERS; - MODE_COOPERATIVE; - } - CONTRACTL_END; - - struct _gc - { - OBJECTREF RequiredPermissionSet; - OBJECTREF OptionalPermissionSet; - OBJECTREF DeniedPermissionSet; - } gc; - - gc.RequiredPermissionSet = RequiredPermissionSet; - gc.OptionalPermissionSet = OptionalPermissionSet; - gc.DeniedPermissionSet = DeniedPermissionSet; - - GCPROTECT_BEGIN(gc); - 
StoreObjectInLazyHandle(m_hRequiredPermissionSet, gc.RequiredPermissionSet, m_pLoaderAllocator); - StoreObjectInLazyHandle(m_hOptionalPermissionSet, gc.OptionalPermissionSet, m_pLoaderAllocator); - StoreObjectInLazyHandle(m_hDeniedPermissionSet, gc.DeniedPermissionSet, m_pLoaderAllocator); - GCPROTECT_END(); - - m_fAssemblyRequestsComputed = TRUE; -} -#endif // FEATURE_CAS_POLICY - // // This method will return TRUE if this assembly is allowed to skip verification. // 
@@ -485,160 +409,7 @@ void AssemblySecurityDescriptor::ResolveWorker() INJECT_FAULT(COMPlusThrowOM();); } CONTRACTL_END; -#ifdef FEATURE_CORECLR SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF); -#else - if (CanSkipPolicyResolution() || NingenEnabled()) { - SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF); - m_pAssem->GetFile()->SetStrongNameBypassed(); - return; - } - -#ifndef CROSSGEN_COMPILE - struct _gc { - OBJECTREF reqdPset; // Required Requested Permissions - OBJECTREF optPset; // Optional Requested Permissions - OBJECTREF denyPset; // Denied Permissions - OBJECTREF evidence; // Object containing evidence - OBJECTREF granted; // Policy based Granted Permission - OBJECTREF grantdenied; // Policy based explicitly Denied Permissions - } gc; - ZeroMemory(&gc, sizeof(gc)); - - // Policy resolution can cause string comparisons that trigger .nlp module loads. (Specifically, - // FileIOPermission can trigger this). At this point mscorlib is already loaded, so we can - // override the load levels here to allow the .nlp module loads. - OVERRIDE_LOAD_LEVEL_LIMIT(FILE_ACTIVE); - OVERRIDE_TYPE_LOAD_LEVEL_LIMIT(CLASS_LOADED); - - // Resolve is one of the few SecurityDescriptor routines that may be called - // from the wrong appdomain context. If that's the case we will transition - // into the correct appdomain for the duration of the call. - - ENTER_DOMAIN_PTR_PREDICATED(m_pAppDomain,ADV_RUNNINGIN,!IsSystem()) - { - GCPROTECT_BEGIN(gc); - - // - // GAC assemblies with no RequestRefuse get FullTrust - // Also AppDomains with an AppTrust that are fully trusted are - // homogeneous and so every assembly that does not have a RequestRefuse - // will also get FullTrust. 
- // - - DWORD dwSpecialFlags; - - if (QuickIsFullyTrusted()) - { - Security::GetPermissionInstance(&gc.granted, SECURITY_FULL_TRUST); - dwSpecialFlags = 0xFFFFFFFF; - } - else - { - // We couldn't quickly figure out that the assembly was fully trusted, so gather its evidence and - // call managed code to get the final grant set. - if (IsEvidenceComputed()) - { - gc.evidence = ObjectFromLazyHandle(m_hAdditionalEvidence, m_pLoaderAllocator); - } - else - { - gc.evidence = GetEvidence(); - } - - if (!m_pAppDomain->GetSecurityDescriptor()->IsLegacyCasPolicyEnabled()) - { - // Either we have a host security manager or a homogenous AppDomain that could make this - // assembly be partially trusted. Call out to managed to get the grant set. - gc.granted = SecurityPolicy::ResolveGrantSet(gc.evidence, &dwSpecialFlags, TRUE); - } - else - { - // Legacy CAS policy is enabled, so do a full CAS resolve - gc.reqdPset = GetRequestedPermissionSet(&gc.optPset, &gc.denyPset); - gc.granted = SecurityPolicy::ResolveCasPolicy(gc.evidence, - gc.reqdPset, - gc.optPset, - gc.denyPset, - &gc.grantdenied, - &dwSpecialFlags, - TRUE); - } - } - - SetGrantedPermissionSet(gc.granted, gc.denyPset, dwSpecialFlags); - -#ifdef FEATURE_CAS_POLICY - // If we're delaying verification of the assembly's strong name, check to see if we need to force a - // verification at this point. - if (!m_pAssem->IsSystem() && - !m_pAssem->GetFile()->IsSourceGAC() && - !m_pAssem->GetFile()->IsStrongNameVerified()) - { - // - // #StrongNameBypass - // - // If the application has opted into the strong name bypass feature, then we will attempt to - // load its assemblies without verifying their strong names. We can get away with avoiding the - // strong name verification in the case where all of the following apply. - // - // 1. The application has asked for strong name bypass - // 2. The machine administrator has not disabled strong name bypass for the machine - // 3. 
The assembly being loaded is fully trusted, and this trust is not soley based upon its - // strong name. - // 4. The AppDomain the assembly is being loaded into is fully trusted - // 5. The assembly is fully signed - // 6. The appdomain is not attempting to run ngen. - // - // Condition #3 requires that the grant set of the assembly not be obtained via the strong name - // evidence of the assembly. Note that this requirement does not forbid matching a code group - // with a strong name membership condition, as long as that code group and any children code - // groups produce a grant set which was less than or equal to the grant set produced by other - // code groups. For instance, in standard security policy: - // - // 1.1 MyComputer -> FullTrust - // 1.1.1 Microsoft Strong Name -> FullTrust - // - // In this case, an assembly loaded from the local machine with the Microsoft strong name is - // still eligable for strong name bypass via condition #3, since the MyComputer FullTrust grant - // set unioned with the StrongName FullTrust grant set will produce the same results as if we - // didn't evaluate the StrongName code group. - // - // Note that strong name bypass is not the same thing as strong name skip verification. Skip - // verification is a development time feature which enables developers to test privately built - // assemblies that do not have a full signature yet. It is not intended for use at runtime on - // non-developer machines, nor is it intended for use on assemblies with valid strong names. - // - // In contrast strong name bypass is intended to be used on assemblies with valid strong names - // that are deployed to end users machines. It's a performance feature which enables assemblies - // that were not gaining any benefit from having their strong name validated to avoid having to - // pay the expense of a full signature verification. This is why ngen does not skip. 
There - // are potential ways to use the ngen cache to skip strong name verification if ngen participates - // in strong name bypass, and the startup performance concern of the application is not a concern - // when running at ngen time. - // - - if (IsFullyTrusted() && - GetDomain()->GetSecurityDescriptor()->IsFullyTrusted() && - !SecurityPolicy::WasStrongNameEvidenceUsed(gc.evidence) && - DontNeedToFlagAccidentalDelaySigning(m_pAssem->GetFile()) && - !IsCompilationProcess()) - { - m_pAssem->GetFile()->SetStrongNameBypassed(); - } - else - { - m_pAssem->GetFile()->VerifyStrongName(); - } - } -#endif // FEATURE_CAS_POLICY - - GCPROTECT_END(); - } - END_DOMAIN_TRANSITION; -#endif // CROSSGEN_COMPILE - -#endif // FEATURE_CORECLR } void AssemblySecurityDescriptor::ResolvePolicy(ISharedSecurityDescriptor *pSharedSecDesc, BOOL fShouldSkipPolicyResolution) |