diff options
Diffstat (limited to 'src/vm/securitytransparentassembly.cpp')
-rw-r--r-- | src/vm/securitytransparentassembly.cpp | 314 |
1 files changed, 0 insertions, 314 deletions
diff --git a/src/vm/securitytransparentassembly.cpp b/src/vm/securitytransparentassembly.cpp index f798df159f..c1823fc034 100644 --- a/src/vm/securitytransparentassembly.cpp +++ b/src/vm/securitytransparentassembly.cpp @@ -324,7 +324,6 @@ BOOL SecurityTransparent::CheckCriticalAccess(AccessCheckContext* pContext, return TRUE; } -#ifdef FEATURE_CORECLR // On the coreCLR, a method can be transparent even if the containing type is marked Critical. // This will happen when that method is an override of a base transparent method, and the type that // contains the override is marked Critical. And that's the only case it can happen. @@ -334,7 +333,6 @@ BOOL SecurityTransparent::CheckCriticalAccess(AccessCheckContext* pContext, { return TRUE; } -#endif // FEATURE_CORECLR // an attached profiler may wish to have these checks suppressed if (Security::BypassSecurityChecksForProfiler(pCurrentMD)) @@ -395,41 +393,9 @@ BOOL SecurityTransparent::IsAllowedToAssert(MethodDesc *pMD) return TRUE; } -#ifdef FEATURE_CORECLR // On CoreCLR only critical code may ever assert - there are no compatibility reasons to allow // transparent asserts. return FALSE; -#else // !FEATURE_CORECLR - // We must be in a heterogenous AppDomain for transparent asserts to work - if (GetAppDomain()->GetSecurityDescriptor()->IsHomogeneous()) - { - return FALSE; - } - - ModuleSecurityDescriptor *pMSD = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pMD->GetAssembly()); - - // Only assemblies whose version requires them to use legacy transparency (rather than assemblies which - // get legacy transparency via RuleSet.Level1) can assert from transparent code - if (!pMSD->AssemblyVersionRequiresLegacyTransparency()) - { - return FALSE; - } - - // Finally, the assembly must not have had any of the transparency attributes on it - const TokenSecurityDescriptorFlags transparencyAwareFlags = - TokenSecurityDescriptorFlags_AllCritical | // [SecurityCritical(SecurityCriticalScope.All)] - TokenSecurityDescriptorFlags_Critical | // [SecurityCritical] - TokenSecurityDescriptorFlags_SafeCritical | // [SecuritySafeCritical] - TokenSecurityDescriptorFlags_Transparent | // [SecurityTransparent] - TokenSecurityDescriptorFlags_TreatAsSafe; // [SecurityTreatAsSafe] - TokenSecurityDescriptorFlags moduleAttributes = pMSD->GetTokenFlags(); - if ((moduleAttributes & transparencyAwareFlags) != TokenSecurityDescriptorFlags_None) - { - return FALSE; - } - - return TRUE; -#endif // FEATURE_CORECLR } // Functor class to aid in determining if a type requires a transparency check @@ -528,40 +494,6 @@ CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(Met CorInfoCanSkipVerificationResult canSkipVerif = hasSkipVerificationPermisson ? CORINFO_VERIFICATION_CAN_SKIP : CORINFO_VERIFICATION_CANNOT_SKIP; -#ifndef FEATURE_CORECLR - // also check to see if the method is marked transparent - if (hasSkipVerificationPermisson) - { - if (pDomainAssembly == GetAppDomain()->GetAnonymouslyHostedDynamicMethodsAssembly()) - { - // This assembly is FullTrust. However, it cannot contain unverifiable code. - // The JIT compiler is not hardened to deal with invalid code. Hence, we cannot - // return CORINFO_VERIFICATION_RUNTIME_CHECK for IL that could have been generated - // by a low-trust assembly. - canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP; - } - // also check to see if the method is marked transparent - else if (SecurityTransparent::IsMethodTransparent(pMD)) - { - // If the assembly requested that even its transparent members not be verified, then we can skip - // verification. Otherwise, we need to either inject a runtime demand in the v2 model, or fail - // verification in the v4 model. - ModuleSecurityDescriptor *pModuleSecDesc = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pMD->GetAssembly()); - if (pModuleSecDesc->CanTransparentCodeSkipVerification()) - { - canSkipVerif = CORINFO_VERIFICATION_CAN_SKIP; - } - else if (pMD->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification()) - { - canSkipVerif = CORINFO_VERIFICATION_RUNTIME_CHECK; - } - else - { - canSkipVerif = CORINFO_VERIFICATION_CANNOT_SKIP; - } - } - } -#endif //FEATURE_CORECLR return canSkipVerif; } @@ -587,14 +519,6 @@ CorInfoCanSkipVerificationResult SecurityTransparent::JITCanSkipVerification(Dom { // In CoreCLR, do not enable transparency checks here. We depend on this method being "honest" in // JITCanSkipVerification to skip transparency checks on profile assemblies. -#ifndef FEATURE_CORECLR - ModuleSecurityDescriptor *pMsd = ModuleSecurityDescriptor::GetModuleSecurityDescriptor(pAssembly->GetAssembly()); - if (pMsd->IsAllTransparent() && - pAssembly->GetAssembly()->GetSecurityTransparencyBehavior()->CanTransparentCodeSkipVerification()) - { - canSkipVerif = CORINFO_VERIFICATION_RUNTIME_CHECK; - } -#endif // !FEATURE_CORECLR } return canSkipVerif; @@ -620,34 +544,6 @@ bool SecurityTransparent::SecurityCalloutQuickCheck(MethodDesc *pCallerMD) // In coreclr, we modified the logic in the callout to also do some transparency method access checks // These checks need to happen regardless of trust level and we shouldn't be bailing out early // just because we happen to be in Full Trust -#ifndef FEATURE_CORECLR - // See if we need to process this callout for real, or if we can bail out early before setting up a HMF, - // and spending a lot of time processing the transparency evaluation. The simplest case where we can do - // this is if the caller is critical. In that case, we know that the caller is allowed to do whatever - // it wants, so we quit out. - // - // Additionally, if the caller is using SecurityRuleSet.Level1, which turns transparency violations into - // security demands, we can bail out early if we know for sure all demands will succeed on the current - // call stack. (Note: this remains true as long as we don't start generating callouts for transparent - // level 1 calling critical level 1, or transparent level 1 doing an assert, which are the only two - // violations which do not succeed in the face of a successful demand). - if (pCallerMD->IsCritical()) - { - return true; - } - else - { - // The caller is transparent, so let's see if demands can cause transparency violations to succeed, - // and also if all demands issued from this context will succeed. - const SecurityTransparencyBehavior *pCallerTransparency = pCallerMD->GetAssembly()->TryGetSecurityTransparencyBehavior(); - if (pCallerTransparency != NULL && - pCallerTransparency->CanTransparentCodeCallLinkDemandMethods() && - SecurityStackWalk::HasFlagsOrFullyTrustedIgnoreMode(0)) - { - return true; - } - } -#endif // !FEATURE_CORECLR return false; } @@ -947,7 +843,6 @@ VOID SecurityTransparent::EnforceTransparentDelegateChecks(MethodTable* pDelegat } CONTRACTL_END; -#ifdef FEATURE_CORECLR // We only enforce delegate binding rules in partial trust if (GetAppDomain()->GetSecurityDescriptor()->IsFullyTrusted()) return; @@ -958,7 +853,6 @@ VOID SecurityTransparent::EnforceTransparentDelegateChecks(MethodTable* pDelegat TypeString::AppendType(strDelegateType, pDelegateMT, TypeString::FormatNamespace | TypeString::FormatAngleBrackets| TypeString::FormatSignature); COMPlusThrowHR(COR_E_METHODACCESS, IDS_E_DELEGATE_BINDING_TRANSPARENCY, strDelegateType.GetUnicode(), strMethod.GetUnicode()); -#endif // FEATURE_CORECLR } #endif // CROSSGEN_COMPILE @@ -1482,199 +1376,6 @@ public: } }; -#ifndef FEATURE_CORECLR - -//--------------------------------------------------------------------------------------- -// -// Transparency behavior implementation for v2 assemblies -// - -class LegacyTransparencyBehaviorImpl : public ISecurityTransparencyImpl -{ -public: - // Get bits that indicate how transparency should behave in different situations - virtual SecurityTransparencyBehaviorFlags GetBehaviorFlags() const - { - LIMITED_METHOD_CONTRACT; - return SecurityTransparencyBehaviorFlags_IntroducedCriticalsMayAddTreatAsSafe | - SecurityTransparencyBehaviorFlags_OpportunisticIsSafeCriticalMethods | - SecurityTransparencyBehaviorFlags_PartialTrustImpliesAllTransparent | - SecurityTransparencyBehaviorFlags_PublicImpliesTreatAsSafe | - SecurityTransparencyBehaviorFlags_TransparentCodeCanCallLinkDemand | - SecurityTransaprencyBehaviorFlags_TransparentCodeCanCallUnmanagedCode | - SecurityTransparencyBehaviorFlags_TransparentCodeCanSkipVerification | - SecurityTransparencyBehaviorFlags_UnsignedImpliesAPTCA; - } - - // Legacy transparency field behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (any) Critical - // SafeCritical Safe critical - // TAS (no critical) No effect - // TAS (with any critical) Safe critical - virtual FieldSecurityDescriptorFlags MapFieldAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - WRAPPER_NO_CONTRACT; - - // Legacy transparency behaves the same for fields as the current transparency model, so we just forward - // this call to that implementation. - TransparencyBehaviorImpl forwardImpl; - return forwardImpl.MapFieldAttributes(tokenFlags); - } - - - // Legacy transparency method behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (any) Critical - // SafeCritical Safe critical - // TAS (no critical) No effect - // TAS (with any critical) Safe critical - virtual MethodSecurityDescriptorFlags MapMethodAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - WRAPPER_NO_CONTRACT; - - // Legacy transparency behaves the same for methods as the current transparency model, so we just forward - // this call to that implementation. - TransparencyBehaviorImpl forwardImpl; - return forwardImpl.MapMethodAttributes(tokenFlags); - } - - // Legacy transparency module behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // APTCA APTCA - // ConditionlAPTCA Exception - // Critical (scoped) Mixed transparency - // Critical (all) All critical - // SafeCritical All safe critical - // TAS (no critical) No effect - // TAS (with scoped critical) No effect - // TAS (with all critical) All safe critical - // Transparent All transparent - // - // Having no transparent, critical, or safe critical attributes means that the assembly should have all - // transparent types and all safe critical methods. - virtual ModuleSecurityDescriptorFlags MapModuleAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - ModuleSecurityDescriptorFlags moduleFlags = ModuleSecurityDescriptorFlags_None; - bool fShouldBeOpportunisticallyCritical = true; - - if (tokenFlags & TokenSecurityDescriptorFlags_APTCA) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAPTCA; - } - - if (tokenFlags & TokenSecurityDescriptorFlags_Transparent) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllTransparent; - fShouldBeOpportunisticallyCritical = false; - } - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - fShouldBeOpportunisticallyCritical = false; - - // If we're critical, but not all critical that means we're mixed. - if (tokenFlags & TokenSecurityDescriptorFlags_AllCritical) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllCritical; - - // If we're all critical and treat as safe, that means we're safe critical - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsTreatAsSafe; - } - } - } - - // SafeCritical always means Critical + TreatAsSafe; we can get in this case for legacy assemblies if the - // assembly is actually a v4 assembly which is using the Legacy attribute. - if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical) - { - moduleFlags |= ModuleSecurityDescriptorFlags_IsAllCritical | - ModuleSecurityDescriptorFlags_IsTreatAsSafe; - fShouldBeOpportunisticallyCritical = false; - } - - // If we didn't find an attribute that indicates the assembly cares about transparency, then it is - // opportunistically critical. - if (fShouldBeOpportunisticallyCritical) - { - _ASSERTE(!(moduleFlags & ModuleSecurityDescriptorFlags_IsAllTransparent)); - _ASSERTE(!(moduleFlags & ModuleSecurityDescriptorFlags_IsAllCritical)); - - moduleFlags |= ModuleSecurityDescriptorFlags_IsOpportunisticallyCritical; - } - - // If the token asks to not have IL verification done in full trust, propigate that to the module - if (tokenFlags & TokenSecurityDescriptorFlags_SkipFullTrustVerification) - { - moduleFlags |= ModuleSecurityDescriptorFlags_SkipFullTrustVerification; - } - - return moduleFlags; - } - - // Legacy transparency type behavior mappings: - // Attribute Behavior - // ----------------------------------------------------- - // Critical (scoped) Critical, but not all critical - // Critical (all) All critical - // SafeCritical All safe critical - // TAS (no critical) No effect on the type, but save TAS bit for members of the type - // TAS (with scoped critical) SafeCritical, but not all critical - // TAS (with all critical) All SafeCritical - virtual TypeSecurityDescriptorFlags MapTypeAttributes(TokenSecurityDescriptorFlags tokenFlags) const - { - CONTRACTL - { - THROWS; - GC_TRIGGERS; - SO_INTOLERANT; - } - CONTRACTL_END; - - TypeSecurityDescriptorFlags typeFlags = TypeSecurityDescriptorFlags_None; - - if (tokenFlags & TokenSecurityDescriptorFlags_Critical) - { - typeFlags |= TypeSecurityDescriptorFlags_IsCritical; - - // We only consider all critical if the critical attribute was present - if (tokenFlags & TokenSecurityDescriptorFlags_AllCritical) - { - typeFlags |= TypeSecurityDescriptorFlags_IsAllCritical; - } - } - - // SafeCritical always means all critical + TAS - if (tokenFlags & TokenSecurityDescriptorFlags_SafeCritical) - { - typeFlags |= TypeSecurityDescriptorFlags_IsCritical | - TypeSecurityDescriptorFlags_IsAllCritical | - TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - - if (tokenFlags & TokenSecurityDescriptorFlags_TreatAsSafe) - { - typeFlags |= TypeSecurityDescriptorFlags_IsTreatAsSafe; - } - - return typeFlags; - } -}; - -#endif // !FEATURE_CORECLR // // Shared transparency behavior objects @@ -1720,13 +1421,6 @@ const SecurityTransparencyBehavior *GetOrCreateTransparencyBehavior(SecurityTran // static SecurityTransparencyBehavior *SecurityTransparencyBehavior::s_pStandardTransparencyBehavior = NULL; -#ifndef FEATURE_CORECLR - -// Transpraency behavior object for v2 transparent assemblies -// static -SecurityTransparencyBehavior *SecurityTransparencyBehavior::s_pLegacyTransparencyBehavior = NULL; - -#endif // !FEATURE_CORECLR //--------------------------------------------------------------------------------------- // @@ -1749,14 +1443,6 @@ const SecurityTransparencyBehavior *SecurityTransparencyBehavior::GetTransparenc } CONTRACT_END; -#ifndef FEATURE_CORECLR - if (ruleSet == SecurityRuleSet_Level1) - { - // Level 1 rules - v2.0 behavior - RETURN(GetOrCreateTransparencyBehavior<LegacyTransparencyBehaviorImpl>(&s_pLegacyTransparencyBehavior)); - } - else -#endif // FEATURE_CORECLR; { // Level 2 rules - v4.0 behavior RETURN(GetOrCreateTransparencyBehavior<TransparencyBehaviorImpl>(&s_pStandardTransparencyBehavior)); |