1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
// The SecurityManager class provides a general purpose API for interacting
// with the security system.
//
namespace System.Security
{
using System;
using System.Security.Permissions;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;
[Serializable]
[System.Runtime.InteropServices.ComVisible(true)]
public enum PolicyLevelType
{
User = 0,
Machine = 1,
Enterprise = 2,
AppDomain = 3
}
[System.Runtime.InteropServices.ComVisible(true)]
static public class SecurityManager
{
private static int[][] s_BuiltInPermissionIndexMap = {
new int[] { BuiltInPermissionIndex.EnvironmentPermissionIndex, (int) PermissionType.EnvironmentPermission },
new int[] { BuiltInPermissionIndex.FileDialogPermissionIndex, (int) PermissionType.FileDialogPermission },
new int[] { BuiltInPermissionIndex.FileIOPermissionIndex, (int) PermissionType.FileIOPermission },
new int[] { BuiltInPermissionIndex.ReflectionPermissionIndex, (int) PermissionType.ReflectionPermission },
new int[] { BuiltInPermissionIndex.SecurityPermissionIndex, (int) PermissionType.SecurityPermission },
new int[] { BuiltInPermissionIndex.UIPermissionIndex, (int) PermissionType.UIPermission }
};
private static CodeAccessPermission[] s_UnrestrictedSpecialPermissionMap = {
new EnvironmentPermission(PermissionState.Unrestricted),
new FileDialogPermission(PermissionState.Unrestricted),
new FileIOPermission(PermissionState.Unrestricted),
new ReflectionPermission(PermissionState.Unrestricted),
new SecurityPermission(PermissionState.Unrestricted),
new UIPermission(PermissionState.Unrestricted)
};
internal static int GetSpecialFlags (PermissionSet grantSet, PermissionSet deniedSet) {
if ((grantSet != null && grantSet.IsUnrestricted()) && (deniedSet == null || deniedSet.IsEmpty())) {
return -1;
}
else {
SecurityPermission securityPermission = null;
#pragma warning disable 618
SecurityPermissionFlag securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
ReflectionPermission reflectionPermission = null;
ReflectionPermissionFlag reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
CodeAccessPermission[] specialPermissions = new CodeAccessPermission[6];
if (grantSet != null) {
if (grantSet.IsUnrestricted()) {
#pragma warning disable 618
securityPermissionFlags = SecurityPermissionFlag.AllFlags;
#pragma warning restore 618
reflectionPermissionFlags = ReflectionPermission.AllFlagsAndMore;
for (int i = 0; i < specialPermissions.Length; i++) {
specialPermissions[i] = s_UnrestrictedSpecialPermissionMap[i];
}
}
else {
securityPermission = grantSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
securityPermissionFlags = securityPermission.Flags;
reflectionPermission = grantSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
reflectionPermissionFlags = reflectionPermission.Flags;
for (int i = 0; i < specialPermissions.Length; i++) {
specialPermissions[i] = grantSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
}
}
}
if (deniedSet != null) {
if (deniedSet.IsUnrestricted()) {
#pragma warning disable 618
securityPermissionFlags = SecurityPermissionFlag.NoFlags;
#pragma warning restore 618
reflectionPermissionFlags = ReflectionPermissionFlag.NoFlags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) {
specialPermissions[i] = null;
}
}
else {
securityPermission = deniedSet.GetPermission(BuiltInPermissionIndex.SecurityPermissionIndex) as SecurityPermission;
if (securityPermission != null)
securityPermissionFlags &= ~securityPermission.Flags;
reflectionPermission = deniedSet.GetPermission(BuiltInPermissionIndex.ReflectionPermissionIndex) as ReflectionPermission;
if (reflectionPermission != null)
reflectionPermissionFlags &= ~reflectionPermission.Flags;
for (int i = 0; i < s_BuiltInPermissionIndexMap.Length; i++) {
CodeAccessPermission deniedSpecialPermission = deniedSet.GetPermission(s_BuiltInPermissionIndexMap[i][0]) as CodeAccessPermission;
if (deniedSpecialPermission != null && !deniedSpecialPermission.IsSubsetOf(null))
specialPermissions[i] = null; // we don't care about the exact value here.
}
}
}
int flags = MapToSpecialFlags(securityPermissionFlags, reflectionPermissionFlags);
if (flags != -1) {
for (int i = 0; i < specialPermissions.Length; i++) {
if (specialPermissions[i] != null && ((IUnrestrictedPermission) specialPermissions[i]).IsUnrestricted())
flags |= (1 << (int) s_BuiltInPermissionIndexMap[i][1]);
}
}
return flags;
}
}
#pragma warning disable 618
private static int MapToSpecialFlags (SecurityPermissionFlag securityPermissionFlags, ReflectionPermissionFlag reflectionPermissionFlags) {
int flags = 0;
if ((securityPermissionFlags & SecurityPermissionFlag.UnmanagedCode) == SecurityPermissionFlag.UnmanagedCode)
flags |= (1 << (int) PermissionType.SecurityUnmngdCodeAccess);
if ((securityPermissionFlags & SecurityPermissionFlag.SkipVerification) == SecurityPermissionFlag.SkipVerification)
flags |= (1 << (int) PermissionType.SecuritySkipVerification);
if ((securityPermissionFlags & SecurityPermissionFlag.Assertion) == SecurityPermissionFlag.Assertion)
flags |= (1 << (int) PermissionType.SecurityAssert);
if ((securityPermissionFlags & SecurityPermissionFlag.SerializationFormatter) == SecurityPermissionFlag.SerializationFormatter)
flags |= (1 << (int) PermissionType.SecuritySerialization);
if ((securityPermissionFlags & SecurityPermissionFlag.BindingRedirects) == SecurityPermissionFlag.BindingRedirects)
flags |= (1 << (int) PermissionType.SecurityBindingRedirects);
if ((securityPermissionFlags & SecurityPermissionFlag.ControlEvidence) == SecurityPermissionFlag.ControlEvidence)
flags |= (1 << (int) PermissionType.SecurityControlEvidence);
if ((securityPermissionFlags & SecurityPermissionFlag.ControlPrincipal) == SecurityPermissionFlag.ControlPrincipal)
flags |= (1 << (int) PermissionType.SecurityControlPrincipal);
if ((reflectionPermissionFlags & ReflectionPermissionFlag.RestrictedMemberAccess) == ReflectionPermissionFlag.RestrictedMemberAccess)
flags |= (1 << (int)PermissionType.ReflectionRestrictedMemberAccess);
if ((reflectionPermissionFlags & ReflectionPermissionFlag.MemberAccess) == ReflectionPermissionFlag.MemberAccess)
flags |= (1 << (int) PermissionType.ReflectionMemberAccess);
return flags;
}
#pragma warning restore 618
[DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
[SuppressUnmanagedCodeSecurity]
internal static extern bool IsSameType(String strLeft, String strRight);
[MethodImplAttribute(MethodImplOptions.InternalCall)]
internal static extern bool _SetThreadSecurity(bool bThreadSecurity);
[DllImport(JitHelpers.QCall, CharSet = CharSet.Unicode)]
[SuppressUnmanagedCodeSecurity]
internal static extern void GetGrantedPermissions(ObjectHandleOnStack retGranted, ObjectHandleOnStack retDenied, StackCrawlMarkHandle stackMark);
}
}
|
