Diffstat (limited to 'src/vm/securitydescriptorassembly.cpp')
-rw-r--r--src/vm/securitydescriptorassembly.cpp229
1 files changed, 0 insertions, 229 deletions
diff --git a/src/vm/securitydescriptorassembly.cpp b/src/vm/securitydescriptorassembly.cpp
index c2aef22019..715d956123 100644
--- a/src/vm/securitydescriptorassembly.cpp
+++ b/src/vm/securitydescriptorassembly.cpp
@@ -34,82 +34,6 @@ AssemblySecurityDescriptor::AssemblySecurityDescriptor(AppDomain *pDomain, Domai
} CONTRACTL_END;
}
-#ifdef FEATURE_CAS_POLICY
-OBJECTREF AssemblySecurityDescriptor::GetRequestedPermissionSet(OBJECTREF *pOptionalPermissionSet,
- OBJECTREF *pDeniedPermissionSet)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- PRECONDITION(m_pAppDomain == GetAppDomain());
- PRECONDITION(CheckPointer(pOptionalPermissionSet));
- PRECONDITION(CheckPointer(pDeniedPermissionSet));
- PRECONDITION(m_pAppDomain->GetSecurityDescriptor()->IsLegacyCasPolicyEnabled());
- INJECT_FAULT(COMPlusThrowOM(););
- }
- CONTRACTL_END;
-
- OBJECTREF req = NULL;
- GCPROTECT_BEGIN(req);
-
- if (!IsAssemblyRequestsComputed())
- {
- ReleaseHolder<IMDInternalImport> pImport (m_pAssem->GetFile()->GetMDImportWithRef());
-
- // Try to load permission requests from assembly first.
- SecurityAttributes::LoadPermissionRequestsFromAssembly(pImport,
- &req,
- pOptionalPermissionSet,
- pDeniedPermissionSet);
-
- SetRequestedPermissionSet(req, *pOptionalPermissionSet, *pDeniedPermissionSet);
- }
- else
- {
- *pOptionalPermissionSet = ObjectFromLazyHandle(m_hOptionalPermissionSet, m_pLoaderAllocator);
- *pDeniedPermissionSet = ObjectFromLazyHandle(m_hDeniedPermissionSet, m_pLoaderAllocator);
- req = ObjectFromLazyHandle(m_hRequiredPermissionSet, m_pLoaderAllocator);
- }
-
- GCPROTECT_END();
- return req;
-}
-
-void AssemblySecurityDescriptor::SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet,
- OBJECTREF OptionalPermissionSet,
- OBJECTREF DeniedPermissionSet)
-{
- CONTRACTL
- {
- THROWS;
- GC_TRIGGERS;
- MODE_COOPERATIVE;
- }
- CONTRACTL_END;
-
- struct _gc
- {
- OBJECTREF RequiredPermissionSet;
- OBJECTREF OptionalPermissionSet;
- OBJECTREF DeniedPermissionSet;
- } gc;
-
- gc.RequiredPermissionSet = RequiredPermissionSet;
- gc.OptionalPermissionSet = OptionalPermissionSet;
- gc.DeniedPermissionSet = DeniedPermissionSet;
-
- GCPROTECT_BEGIN(gc);
- StoreObjectInLazyHandle(m_hRequiredPermissionSet, gc.RequiredPermissionSet, m_pLoaderAllocator);
- StoreObjectInLazyHandle(m_hOptionalPermissionSet, gc.OptionalPermissionSet, m_pLoaderAllocator);
- StoreObjectInLazyHandle(m_hDeniedPermissionSet, gc.DeniedPermissionSet, m_pLoaderAllocator);
- GCPROTECT_END();
-
- m_fAssemblyRequestsComputed = TRUE;
-}
-#endif // FEATURE_CAS_POLICY
-
//
// This method will return TRUE if this assembly is allowed to skip verification.
//
@@ -485,160 +409,7 @@ void AssemblySecurityDescriptor::ResolveWorker()
INJECT_FAULT(COMPlusThrowOM(););
} CONTRACTL_END;
-#ifdef FEATURE_CORECLR
SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
-#else
- if (CanSkipPolicyResolution() || NingenEnabled()) {
- SetGrantedPermissionSet(NULL, NULL, 0xFFFFFFFF);
- m_pAssem->GetFile()->SetStrongNameBypassed();
- return;
- }
-
-#ifndef CROSSGEN_COMPILE
- struct _gc {
- OBJECTREF reqdPset; // Required Requested Permissions
- OBJECTREF optPset; // Optional Requested Permissions
- OBJECTREF denyPset; // Denied Permissions
- OBJECTREF evidence; // Object containing evidence
- OBJECTREF granted; // Policy based Granted Permission
- OBJECTREF grantdenied; // Policy based explicitly Denied Permissions
- } gc;
- ZeroMemory(&gc, sizeof(gc));
-
- // Policy resolution can cause string comparisons that trigger .nlp module loads. (Specifically,
- // FileIOPermission can trigger this). At this point mscorlib is already loaded, so we can
- // override the load levels here to allow the .nlp module loads.
- OVERRIDE_LOAD_LEVEL_LIMIT(FILE_ACTIVE);
- OVERRIDE_TYPE_LOAD_LEVEL_LIMIT(CLASS_LOADED);
-
- // Resolve is one of the few SecurityDescriptor routines that may be called
- // from the wrong appdomain context. If that's the case we will transition
- // into the correct appdomain for the duration of the call.
-
- ENTER_DOMAIN_PTR_PREDICATED(m_pAppDomain,ADV_RUNNINGIN,!IsSystem())
- {
- GCPROTECT_BEGIN(gc);
-
- //
- // GAC assemblies with no RequestRefuse get FullTrust
- // Also AppDomains with an AppTrust that are fully trusted are
- // homogeneous and so every assembly that does not have a RequestRefuse
- // will also get FullTrust.
- //
-
- DWORD dwSpecialFlags;
-
- if (QuickIsFullyTrusted())
- {
- Security::GetPermissionInstance(&gc.granted, SECURITY_FULL_TRUST);
- dwSpecialFlags = 0xFFFFFFFF;
- }
- else
- {
- // We couldn't quickly figure out that the assembly was fully trusted, so gather its evidence and
- // call managed code to get the final grant set.
- if (IsEvidenceComputed())
- {
- gc.evidence = ObjectFromLazyHandle(m_hAdditionalEvidence, m_pLoaderAllocator);
- }
- else
- {
- gc.evidence = GetEvidence();
- }
-
- if (!m_pAppDomain->GetSecurityDescriptor()->IsLegacyCasPolicyEnabled())
- {
- // Either we have a host security manager or a homogenous AppDomain that could make this
- // assembly be partially trusted. Call out to managed to get the grant set.
- gc.granted = SecurityPolicy::ResolveGrantSet(gc.evidence, &dwSpecialFlags, TRUE);
- }
- else
- {
- // Legacy CAS policy is enabled, so do a full CAS resolve
- gc.reqdPset = GetRequestedPermissionSet(&gc.optPset, &gc.denyPset);
- gc.granted = SecurityPolicy::ResolveCasPolicy(gc.evidence,
- gc.reqdPset,
- gc.optPset,
- gc.denyPset,
- &gc.grantdenied,
- &dwSpecialFlags,
- TRUE);
- }
- }
-
- SetGrantedPermissionSet(gc.granted, gc.denyPset, dwSpecialFlags);
-
-#ifdef FEATURE_CAS_POLICY
- // If we're delaying verification of the assembly's strong name, check to see if we need to force a
- // verification at this point.
- if (!m_pAssem->IsSystem() &&
- !m_pAssem->GetFile()->IsSourceGAC() &&
- !m_pAssem->GetFile()->IsStrongNameVerified())
- {
- //
- // #StrongNameBypass
- //
- // If the application has opted into the strong name bypass feature, then we will attempt to
- // load its assemblies without verifying their strong names. We can get away with avoiding the
- // strong name verification in the case where all of the following apply.
- //
- // 1. The application has asked for strong name bypass
- // 2. The machine administrator has not disabled strong name bypass for the machine
- // 3. The assembly being loaded is fully trusted, and this trust is not soley based upon its
- // strong name.
- // 4. The AppDomain the assembly is being loaded into is fully trusted
- // 5. The assembly is fully signed
- // 6. The appdomain is not attempting to run ngen.
- //
- // Condition #3 requires that the grant set of the assembly not be obtained via the strong name
- // evidence of the assembly. Note that this requirement does not forbid matching a code group
- // with a strong name membership condition, as long as that code group and any children code
- // groups produce a grant set which was less than or equal to the grant set produced by other
- // code groups. For instance, in standard security policy:
- //
- // 1.1 MyComputer -> FullTrust
- // 1.1.1 Microsoft Strong Name -> FullTrust
- //
- // In this case, an assembly loaded from the local machine with the Microsoft strong name is
- // still eligable for strong name bypass via condition #3, since the MyComputer FullTrust grant
- // set unioned with the StrongName FullTrust grant set will produce the same results as if we
- // didn't evaluate the StrongName code group.
- //
- // Note that strong name bypass is not the same thing as strong name skip verification. Skip
- // verification is a development time feature which enables developers to test privately built
- // assemblies that do not have a full signature yet. It is not intended for use at runtime on
- // non-developer machines, nor is it intended for use on assemblies with valid strong names.
- //
- // In contrast strong name bypass is intended to be used on assemblies with valid strong names
- // that are deployed to end users machines. It's a performance feature which enables assemblies
- // that were not gaining any benefit from having their strong name validated to avoid having to
- // pay the expense of a full signature verification. This is why ngen does not skip. There
- // are potential ways to use the ngen cache to skip strong name verification if ngen participates
- // in strong name bypass, and the startup performance concern of the application is not a concern
- // when running at ngen time.
- //
-
- if (IsFullyTrusted() &&
- GetDomain()->GetSecurityDescriptor()->IsFullyTrusted() &&
- !SecurityPolicy::WasStrongNameEvidenceUsed(gc.evidence) &&
- DontNeedToFlagAccidentalDelaySigning(m_pAssem->GetFile()) &&
- !IsCompilationProcess())
- {
- m_pAssem->GetFile()->SetStrongNameBypassed();
- }
- else
- {
- m_pAssem->GetFile()->VerifyStrongName();
- }
- }
-#endif // FEATURE_CAS_POLICY
-
- GCPROTECT_END();
- }
- END_DOMAIN_TRANSITION;
-#endif // CROSSGEN_COMPILE
-
-#endif // FEATURE_CORECLR
}
void AssemblySecurityDescriptor::ResolvePolicy(ISharedSecurityDescriptor *pSharedSecDesc, BOOL fShouldSkipPolicyResolution)