1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
|
//
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
//
//
//
#ifndef __security_h__
#define __security_h__
#include "securitypolicy.h"
#include "securityattributes.h"
#include "securitydeclarativecache.h"
#include "securitydeclarative.h"
#include "securityimperative.h"
#include "securitytransparentassembly.h"
#ifdef FEATURE_APTCA
#include "aptca.h"
#endif
class IAssemblySecurityDescriptor;
class IApplicationSecurityDescriptor;
class IPEFileSecurityDescriptor;
enum SecurityStackWalkType
{
SSWT_DECLARATIVE_DEMAND = 1,
SSWT_IMPERATIVE_DEMAND = 2,
SSWT_DEMAND_FROM_NATIVE = 3,
SSWT_IMPERATIVE_ASSERT = 4,
SSWT_DENY_OR_PERMITONLY = 5,
SSWT_LATEBOUND_LINKDEMAND = 6,
SSWT_COUNT_OVERRIDES = 7,
SSWT_GET_ZONE_AND_URL = 8,
};
// AssemblyLoadSecurity is used to describe to the loader security information to apply to an assembly at
// load time. This includes information such as the assembly's evidence, as well as if we should resolve
// policy on the assembly or push a grant set to its security descriptor.
struct AssemblyLoadSecurity
{
OBJECTREF *m_pEvidence;
OBJECTREF *m_pAdditionalEvidence;
OBJECTREF *m_pGrantSet;
OBJECTREF *m_pRefusedSet;
DWORD m_dwSpecialFlags;
bool m_fCheckLoadFromRemoteSource;
bool m_fSuppressSecurityChecks;
bool m_fPropagatingAnonymouslyHostedDynamicMethodGrant;
inline AssemblyLoadSecurity();
// Should the assembly have policy resolved on it, or should it use a pre-determined grant set
inline bool ShouldResolvePolicy();
};
// Ultimately this will become the only interface through
// which the VM will access security code.
namespace Security
{
// ----------------------------------------
// SecurityPolicy
// ----------------------------------------
// Init
inline void Start();
inline void Stop();
inline void SaveCache();
// Policy
#ifdef FEATURE_CAS_POLICY
inline bool IsProcessWideLegacyCasPolicyEnabled();
inline bool CanLoadFromRemoteSources();
#endif // FEATURE_CAS_POLICY
BOOL IsTransparencyEnforcementEnabled();
BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD);
inline BOOL CanCallUnmanagedCode(Module *pModule);
inline BOOL CanAssert(Module *pModule);
inline DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);
#ifndef DACCESS_COMPILE
inline BOOL CanTailCall(MethodDesc* pMD);
inline BOOL CanHaveRVA(Assembly * pAssembly);
inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD);
inline BOOL CanSkipVerification(MethodDesc * pMethod);
#endif
inline BOOL CanSkipVerification(DomainAssembly * pAssembly);
inline CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly);
inline CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD);
// ----------------------------------------
// SecurityAttributes
// ----------------------------------------
inline OBJECTREF CreatePermissionSet(BOOL fTrusted);
inline void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData);
inline void CopyEncodingToByteArray(IN PBYTE pbData, IN DWORD cbData, IN OBJECTREF* pArray);
// ----------------------------------------
// SecurityDeclarative
// ----------------------------------------
inline HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
inline void RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas);
inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) ;
inline LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
OBJECTREF *pClassCasDemands,
OBJECTREF *pClassNonCasDemands,
OBJECTREF *pMethodCasDemands,
OBJECTREF *pMethodNonCasDemands);
inline void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
inline void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
inline void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
inline void GetPermissionInstance(OBJECTREF *perm, int index);
inline void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
#ifndef DACCESS_COMPILE
inline void CheckNonCasDemand(OBJECTREF *prefDemand);
#endif // #ifndef DACCESS_COMPILE
inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);
inline void CheckBeforeAllocConsole(AppDomain* pDomain, Assembly* pAssembly);
// ----------------------------------------
// SecurityStackWalk
// ----------------------------------------
// other CAS Actions
inline void Demand(SecurityStackWalkType eType, OBJECTREF demand) ;
#ifdef FEATURE_CAS_POLICY
inline void DemandGrantSet(IAssemblySecurityDescriptor *psdAssembly);
#endif // FEATURE_CAS_POLICY
inline void DemandSet(SecurityStackWalkType eType, OBJECTREF demand) ;
inline void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) ;
#ifdef FEATURE_CAS_POLICY
inline void ReflectionTargetDemand(DWORD dwPermission, IAssemblySecurityDescriptor *psdTarget);
inline void ReflectionTargetDemand(DWORD dwPermission,
IAssemblySecurityDescriptor *psdTarget,
DynamicResolver * pAccessContext);
#endif // FEATURE_CAS_POLICY
inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) ;
inline void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);
inline void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
inline void FullTrustLinkDemand(Assembly *pTargetAssembly);
// Compressed Stack
#ifdef FEATURE_COMPRESSEDSTACK
inline COMPRESSEDSTACKREF GetCSFromContextTransitionFrame(Frame *pFrame) ;
inline BOOL IsContextTransitionFrameWithCS(Frame *pFrame);
#endif // #ifdef FEATURE_COMPRESSEDSTACK
// Misc - todo: put these in better categories
inline BOOL AllDomainsOnStackFullyTrusted();
IApplicationSecurityDescriptor* CreateApplicationSecurityDescriptor(AppDomain * pDomain);
IAssemblySecurityDescriptor* CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
ISharedSecurityDescriptor* CreateSharedSecurityDescriptor(Assembly* pAssembly);
void DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor);
#ifndef FEATURE_CORECLR
IPEFileSecurityDescriptor* CreatePEFileSecurityDescriptor(AppDomain* pDomain, PEFile *pPEFile);
#endif
inline void SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD);
inline void SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD);
// Checks for one of the special domain wide flags
// such as if we are currently in a "fully trusted" environment
// or if unmanaged code access is allowed at this time
// Note: This is an inline method instead of a virtual method on IApplicationSecurityDescriptor
// for stackwalk perf.
inline BOOL CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags);
inline BOOL IsResolved(Assembly *pAssembly);
FORCEINLINE VOID IncrementSecurityPerfCounter() ;
inline BOOL IsSpecialRunFrame(MethodDesc *pMeth) ;
inline BOOL SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
inline BOOL SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
// Transparency checks
inline BOOL IsMethodTransparent(MethodDesc * pMD);
inline BOOL IsMethodCritical(MethodDesc * pMD);
inline BOOL IsMethodSafeCritical(MethodDesc * pMD);
inline BOOL IsTypeCritical(MethodTable *pMT);
inline BOOL IsTypeSafeCritical(MethodTable *pMT);
inline BOOL IsTypeTransparent(MethodTable * pMT);
inline BOOL IsTypeAllTransparent(MethodTable * pMT);
inline BOOL IsFieldTransparent(FieldDesc * pFD);
inline BOOL IsFieldCritical(FieldDesc * pFD);
inline BOOL IsFieldSafeCritical(FieldDesc * pFD);
inline BOOL IsTokenTransparent(Module* pModule, mdToken token);
inline void DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
const TypeHandle &calleeTH,
CorInfoSecurityRuntimeChecks check);
inline CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
MethodDesc* pCallee,
SecurityTransparencyError *pError);
inline VOID EnforceTransparentAssemblyChecks(MethodDesc* pCallee, MethodDesc* pCaller);
inline VOID EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller);
inline VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc);
inline bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands = false);
inline BOOL CheckCriticalAccess(AccessCheckContext* pContext,
MethodDesc* pOptionalTargetMethod = NULL,
FieldDesc* pOptionalTargetField = NULL,
MethodTable * pOptionalTargetType = NULL);
// declarative security
inline HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry = NULL) ;
// security enforcement
inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);
#ifdef FEATURE_APTCA
inline BOOL IsUntrustedCallerCheckNeeded(MethodDesc *pCalleeMD, Assembly *pCallerAssem = NULL) ;
inline void DoUntrustedCallerChecks(Assembly *pCaller, MethodDesc *pCalee, BOOL fFullStackWalk) ;
inline bool NativeImageHasValidAptcaDependencies(PEImage *pNativeImage, DomainAssembly *pDomainAssembly);
inline SString GetAptcaKillBitAccessExceptionContext(Assembly *pTargetAssembly);
inline SString GetConditionalAptcaAccessExceptionContext(Assembly *pTargetAssembly);
#endif // FEATURE_APTCA
#ifdef FEATURE_CORECLR
inline BOOL IsMicrosoftPlatform(IAssemblySecurityDescriptor *pSecDesc);
#endif // FEATURE_CORECLR
inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);
inline bool CanShareAssembly(DomainAssembly *pAssembly);
};
class ISecurityDescriptor
{
public:
VPTR_BASE_VTABLE_CLASS_AND_CTOR(ISecurityDescriptor)
virtual ~ISecurityDescriptor() { LIMITED_METHOD_CONTRACT; }
virtual BOOL IsFullyTrusted() = 0;
virtual BOOL CanCallUnmanagedCode() const = 0;
#ifndef DACCESS_COMPILE
virtual DWORD GetSpecialFlags() const = 0;
virtual AppDomain* GetDomain() const = 0;
virtual void Resolve() = 0;
virtual BOOL IsResolved() const = 0;
#ifdef FEATURE_CAS_POLICY
virtual OBJECTREF GetEvidence() = 0;
virtual BOOL IsEvidenceComputed() const = 0;
virtual void SetEvidence(OBJECTREF evidence) = 0;
#endif // FEATURE_CAS_POLICY
virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) = 0;
#endif // !DACCESS_COMPILE
};
class IApplicationSecurityDescriptor : public ISecurityDescriptor
{
public:
VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IApplicationSecurityDescriptor, ISecurityDescriptor)
#ifndef DACCESS_COMPILE
public:
virtual BOOL IsHomogeneous() const = 0;
virtual void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) = 0;
virtual BOOL ContainsAnyRefusedPermissions() = 0;
virtual BOOL IsDefaultAppDomain() const = 0;
virtual BOOL IsDefaultAppDomainEvidence() = 0;
virtual BOOL DomainMayContainPartialTrustCode() = 0;
virtual BOOL CallHostSecurityManager() = 0;
virtual void SetHostSecurityManagerFlags(DWORD dwFlags) = 0;
virtual void SetPolicyLevelFlag() = 0;
virtual void FinishInitialization() = 0;
virtual BOOL IsInitializationInProgress() = 0;
// Determine the security state that an AppDomain will arrive in if nothing changes during domain
// initialization. (ie, get the input security state of the domain)
virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) = 0;
// Gets special domain wide flags that specify things
// such as whether we are currently in a "fully trusted" environment
// or if unmanaged code access is allowed at this time
virtual DWORD GetDomainWideSpecialFlag() const = 0;
#ifdef FEATURE_CAS_POLICY
virtual void SetLegacyCasPolicyEnabled() = 0;
virtual BOOL IsLegacyCasPolicyEnabled() = 0;
virtual BOOL AllowsLoadsFromRemoteSources() = 0;
#endif // FEATURE_CAS_POLICY
#ifdef FEATURE_APTCA
virtual ConditionalAptcaCache *GetConditionalAptcaCache() = 0;
virtual void SetCanonicalConditionalAptcaList(LPCWSTR wszCanonicalConditionalAptcaList) = 0;
#endif // FEATURE_APTCA
#endif // !DACCESS_COMPILE
};
class IAssemblySecurityDescriptor : public ISecurityDescriptor
{
public:
VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IAssemblySecurityDescriptor, ISecurityDescriptor)
#ifndef DACCESS_COMPILE
virtual SharedSecurityDescriptor *GetSharedSecDesc() = 0;
virtual BOOL CanAssert() = 0;
virtual BOOL HasUnrestrictedUIPermission() = 0;
virtual BOOL IsAllCritical() = 0;
virtual BOOL IsAllSafeCritical() = 0;
virtual BOOL IsAllPublicAreaSafeCritical() = 0;
virtual BOOL IsAllTransparent() = 0;
virtual BOOL IsSystem() = 0;
virtual BOOL AllowSkipVerificationInFullTrust() = 0;
virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution) = 0;
#ifdef FEATURE_CAS_POLICY
virtual HRESULT LoadSignature( COR_TRUST **ppSignature = NULL) = 0;
virtual void SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet, OBJECTREF OptionalPermissionSet, OBJECTREF DeniedPermissionSet) = 0;
virtual void SetAdditionalEvidence(OBJECTREF evidence) = 0;
virtual BOOL HasAdditionalEvidence() = 0;
virtual OBJECTREF GetAdditionalEvidence() = 0;
virtual void SetEvidenceFromPEFile(IPEFileSecurityDescriptor *pPEFileSecDesc) = 0;
#endif // FEATURE_CAS_POLICY
virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) = 0;
#ifndef FEATURE_CORECLR
virtual BOOL AllowApplicationSpecifiedAppDomainManager() = 0;
#endif
// Check to make sure that security will allow this assembly to load. Throw an exception if the
// assembly should be forbidden from loading for security related purposes
virtual void CheckAllowAssemblyLoad() = 0;
#endif // #ifndef DACCESS_COMPILE
};
class ISharedSecurityDescriptor
{
public:
virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL) = 0;
virtual BOOL IsResolved() const = 0;
virtual BOOL IsSystem() = 0;
virtual Assembly* GetAssembly() = 0;
};
#ifndef FEATURE_CORECLR
class IPEFileSecurityDescriptor : public ISecurityDescriptor
{
public:
virtual BOOL AllowBindingRedirects() = 0;
};
#endif
#include "security.inl"
#include "securitydeclarative.inl"
#include "securityattributes.inl"
#endif
|
