src/vm/security.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
// 


// 


#ifndef __security_h__
#define __security_h__

#include "securitypolicy.h"
#include "securityattributes.h"
#include "securitydeclarativecache.h"
#include "securitydeclarative.h"
#include "securitytransparentassembly.h"


class IAssemblySecurityDescriptor;
class IApplicationSecurityDescriptor;
class IPEFileSecurityDescriptor;

enum SecurityStackWalkType
{
    SSWT_DECLARATIVE_DEMAND = 1,
    SSWT_IMPERATIVE_DEMAND = 2,
    SSWT_DEMAND_FROM_NATIVE = 3,
    SSWT_IMPERATIVE_ASSERT = 4,
    SSWT_DENY_OR_PERMITONLY = 5,
    SSWT_LATEBOUND_LINKDEMAND = 6,
    SSWT_COUNT_OVERRIDES = 7,
    SSWT_GET_ZONE_AND_URL = 8,
};

// AssemblyLoadSecurity is used to describe to the loader security information to apply to an assembly at
// load time.  This includes information such as the assembly's evidence, as well as if we should resolve
// policy on the assembly or push a grant set to its security descriptor.
struct AssemblyLoadSecurity
{
    OBJECTREF   *m_pEvidence;
    OBJECTREF   *m_pAdditionalEvidence;
    OBJECTREF   *m_pGrantSet;
    OBJECTREF   *m_pRefusedSet;
    DWORD       m_dwSpecialFlags;
    bool        m_fCheckLoadFromRemoteSource;
    bool        m_fSuppressSecurityChecks;
    bool        m_fPropagatingAnonymouslyHostedDynamicMethodGrant;

    inline AssemblyLoadSecurity();

    // Should the assembly have policy resolved on it, or should it use a pre-determined grant set
    inline bool ShouldResolvePolicy();
};

// Ultimately this will become the only interface through
// which the VM will access security code.

namespace Security
{
    // ----------------------------------------
    // SecurityPolicy
    // ----------------------------------------

    // Init
    inline void Start();
    inline void Stop();
    inline void SaveCache();

    // Policy

    BOOL IsTransparencyEnforcementEnabled();

    BOOL BypassSecurityChecksForProfiler(MethodDesc *pMD);
    inline BOOL CanCallUnmanagedCode(Module *pModule);
    inline BOOL CanAssert(Module *pModule);
    inline DECLSPEC_NORETURN void ThrowSecurityException(__in_z const char *szDemandClass, DWORD dwFlags);

#ifndef DACCESS_COMPILE
    inline BOOL CanTailCall(MethodDesc* pMD);
    inline BOOL CanHaveRVA(Assembly * pAssembly);
    inline BOOL CanAccessNonVerifiableExplicitField(MethodDesc* pMD);
    inline BOOL CanSkipVerification(MethodDesc * pMethod);
#endif

    inline BOOL CanSkipVerification(DomainAssembly * pAssembly);
    inline CorInfoCanSkipVerificationResult JITCanSkipVerification(DomainAssembly * pAssembly);
    inline CorInfoCanSkipVerificationResult JITCanSkipVerification(MethodDesc * pMD);

    // ----------------------------------------
    // SecurityAttributes
    // ----------------------------------------

    inline OBJECTREF CreatePermissionSet(BOOL fTrusted);
    inline void CopyByteArrayToEncoding(IN U1ARRAYREF* pArray, OUT PBYTE* pbData, OUT DWORD* cbData);
    inline void CopyEncodingToByteArray(IN PBYTE   pbData, IN DWORD   cbData, IN OBJECTREF* pArray);    

    // ----------------------------------------
    // SecurityDeclarative
    // ----------------------------------------
    inline HRESULT GetDeclarationFlags(IMDInternalImport *pInternalImport, mdToken token, DWORD* pdwFlags, DWORD* pdwNullFlags, BOOL* fHasSuppressUnmanagedCodeAccessAttr = NULL);
    inline void RetrieveLinktimeDemands(MethodDesc* pMD, OBJECTREF* pClassCas, OBJECTREF* pClassNonCas, OBJECTREF* pMethodCas, OBJECTREF* pMethodNonCas);
    inline void CheckLinkDemandAgainstAppDomain(MethodDesc *pMD) ;

    inline LinktimeCheckReason GetLinktimeCheckReason(MethodDesc *pMD,
                                                      OBJECTREF  *pClassCasDemands,
                                                      OBJECTREF  *pClassNonCasDemands,
                                                      OBJECTREF  *pMethodCasDemands,
                                                      OBJECTREF  *pMethodNonCasDemands);

    inline void LinktimeCheckMethod(Assembly *pCaller, MethodDesc *pCallee);
    inline void ClassInheritanceCheck(MethodTable *pClass, MethodTable *pParent);
    inline void MethodInheritanceCheck(MethodDesc *pMethod, MethodDesc *pParent);
    inline void GetPermissionInstance(OBJECTREF *perm, int index);
    inline void DoDeclarativeActions(MethodDesc *pMD, DeclActionInfo *pActions, LPVOID pSecObj, MethodSecurityDescriptor *pMSD = NULL);
#ifndef DACCESS_COMPILE
    inline void CheckNonCasDemand(OBJECTREF *prefDemand);
#endif // #ifndef DACCESS_COMPILE
    inline BOOL MethodIsVisibleOutsideItsAssembly(MethodDesc * pMD);
    inline BOOL MethodIsVisibleOutsideItsAssembly(DWORD dwMethodAttr, DWORD dwClassAttr, BOOL fIsGlobalClass);

    // ----------------------------------------
    // SecurityStackWalk
    // ----------------------------------------

    // other CAS Actions
    inline void Demand(SecurityStackWalkType eType, OBJECTREF demand) ;
    inline void DemandSet(SecurityStackWalkType eType, OBJECTREF demand) ;
    inline void DemandSet(SecurityStackWalkType eType, PsetCacheEntry *pPCE, DWORD dwAction) ;
    inline void SpecialDemand(SecurityStackWalkType eType, DWORD whatPermission) ;

    inline void InheritanceLinkDemandCheck(Assembly *pTargetAssembly, MethodDesc * pMDLinkDemand);

    inline void FullTrustInheritanceDemand(Assembly *pTargetAssembly);
    inline void FullTrustLinkDemand(Assembly *pTargetAssembly);

    // Compressed Stack

    // Misc - todo: put these in better categories
    
    inline BOOL AllDomainsOnStackFullyTrusted();
    IApplicationSecurityDescriptor* CreateApplicationSecurityDescriptor(AppDomain * pDomain);
    IAssemblySecurityDescriptor* CreateAssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
    ISharedSecurityDescriptor* CreateSharedSecurityDescriptor(Assembly* pAssembly);
    void DeleteSharedSecurityDescriptor(ISharedSecurityDescriptor *descriptor);
    inline void SetDefaultAppDomainProperty(IApplicationSecurityDescriptor* pASD);
    inline void SetDefaultAppDomainEvidenceProperty(IApplicationSecurityDescriptor* pASD);

    
    // Checks for one of the special domain wide flags 
    // such as if we are currently in a "fully trusted" environment
    // or if unmanaged code access is allowed at this time
    // Note: This is an inline method instead of a virtual method on IApplicationSecurityDescriptor
    // for stackwalk perf.
    inline BOOL CheckDomainWideSpecialFlag(IApplicationSecurityDescriptor *pASD, DWORD flags);

    inline BOOL IsResolved(Assembly *pAssembly);

    FORCEINLINE VOID IncrementSecurityPerfCounter() ;
    inline BOOL IsSpecialRunFrame(MethodDesc *pMeth) ;
    inline BOOL SkipAndFindFunctionInfo(INT32 i, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);
    inline BOOL SkipAndFindFunctionInfo(StackCrawlMark* pSCM, MethodDesc** ppMD, OBJECTREF** ppOR, AppDomain **ppAppDomain = NULL);

    // Transparency checks
    inline BOOL IsMethodTransparent(MethodDesc * pMD);
    inline BOOL IsMethodCritical(MethodDesc * pMD);
    inline BOOL IsMethodSafeCritical(MethodDesc * pMD);

    inline BOOL IsTypeCritical(MethodTable *pMT);
    inline BOOL IsTypeSafeCritical(MethodTable *pMT);
    inline BOOL IsTypeTransparent(MethodTable * pMT);
    inline BOOL IsTypeAllTransparent(MethodTable * pMT);

    inline BOOL IsFieldTransparent(FieldDesc * pFD);
    inline BOOL IsFieldCritical(FieldDesc * pFD);
    inline BOOL IsFieldSafeCritical(FieldDesc * pFD);

    inline BOOL IsTokenTransparent(Module* pModule, mdToken token);
    
    inline void DoSecurityClassAccessChecks(MethodDesc *pCallerMD,
                                                   const TypeHandle &calleeTH,
                                                   CorInfoSecurityRuntimeChecks check);

    inline CorInfoIsAccessAllowedResult RequiresTransparentAssemblyChecks(MethodDesc* pCaller,
                                                                          MethodDesc* pCallee,
                                                                          SecurityTransparencyError *pError);
    inline VOID EnforceTransparentAssemblyChecks(MethodDesc* pCallee, MethodDesc* pCaller);
    inline VOID EnforceTransparentDelegateChecks(MethodTable* pDelegateMT, MethodDesc* pCaller);
    inline VOID PerformTransparencyChecksForLoadByteArray(MethodDesc* pCallersMD, IAssemblySecurityDescriptor* pLoadedSecDesc);

    inline bool TypeRequiresTransparencyCheck(TypeHandle type, bool checkForLinkDemands = false);

    inline BOOL CheckCriticalAccess(AccessCheckContext* pContext,
        MethodDesc* pOptionalTargetMethod = NULL,
        FieldDesc* pOptionalTargetField = NULL,
        MethodTable * pOptionalTargetType = NULL);

    // declarative security
    inline HRESULT GetDeclaredPermissions(IN IMDInternalImport *pInternalImport, IN mdToken token, IN CorDeclSecurity action, OUT OBJECTREF *pDeclaredPermissions, OUT PsetCacheEntry **pPSCacheEntry = NULL) ;

    // security enforcement
    inline BOOL ContainsBuiltinCASPermsOnly(CORSEC_ATTRSET* pAttrSet);


    inline bool SecurityCalloutQuickCheck(MethodDesc *pCallerMD);

    inline bool CanShareAssembly(DomainAssembly *pAssembly);
};

class ISecurityDescriptor
{
public:
    VPTR_BASE_VTABLE_CLASS_AND_CTOR(ISecurityDescriptor)

    virtual ~ISecurityDescriptor() { LIMITED_METHOD_CONTRACT; }

    virtual BOOL IsFullyTrusted() = 0;
    
    virtual BOOL CanCallUnmanagedCode() const = 0;

#ifndef DACCESS_COMPILE
    virtual DWORD GetSpecialFlags() const = 0;
    
    virtual AppDomain* GetDomain() const = 0;

    virtual void Resolve() = 0;
    virtual BOOL IsResolved() const = 0;


    virtual OBJECTREF GetGrantedPermissionSet(OBJECTREF* RefusedPermissions = NULL) = 0;
#endif // !DACCESS_COMPILE
};

class IApplicationSecurityDescriptor : public ISecurityDescriptor
{
public:
    VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IApplicationSecurityDescriptor, ISecurityDescriptor)

#ifndef DACCESS_COMPILE
public:
    virtual BOOL IsHomogeneous() const = 0;
    virtual void SetHomogeneousFlag(BOOL fRuntimeSuppliedHomogenousGrantSet) = 0;
    virtual BOOL ContainsAnyRefusedPermissions() = 0;

    virtual BOOL IsDefaultAppDomain() const = 0;
    virtual BOOL IsDefaultAppDomainEvidence() = 0;
    virtual BOOL DomainMayContainPartialTrustCode() = 0;

    virtual BOOL CallHostSecurityManager() = 0;
    virtual void SetHostSecurityManagerFlags(DWORD dwFlags) = 0;
    virtual void SetPolicyLevelFlag() = 0;
    
    virtual void FinishInitialization() = 0;
    virtual BOOL IsInitializationInProgress() = 0;

    // Determine the security state that an AppDomain will arrive in if nothing changes during domain
    // initialization.  (ie, get the input security state of the domain)
    virtual void PreResolve(BOOL *pfIsFullyTrusted, BOOL *pfIsHomogeneous) = 0;
    
    // Gets special domain wide flags that specify things 
    // such as whether we are currently in a "fully trusted" environment
    // or if unmanaged code access is allowed at this time
    virtual DWORD GetDomainWideSpecialFlag() const = 0;


#endif // !DACCESS_COMPILE
};

class IAssemblySecurityDescriptor : public ISecurityDescriptor
{
public:
    VPTR_ABSTRACT_VTABLE_CLASS_AND_CTOR(IAssemblySecurityDescriptor, ISecurityDescriptor)

#ifndef DACCESS_COMPILE
    virtual SharedSecurityDescriptor *GetSharedSecDesc() = 0;
    
    virtual BOOL CanAssert() = 0;
    virtual BOOL HasUnrestrictedUIPermission() = 0;
    virtual BOOL IsAllCritical() = 0;
    virtual BOOL IsAllSafeCritical() = 0;
    virtual BOOL IsAllPublicAreaSafeCritical() = 0;
    virtual BOOL IsAllTransparent() = 0;
    virtual BOOL IsSystem() = 0;
    virtual BOOL AllowSkipVerificationInFullTrust() = 0;

    virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution) = 0;


    virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags) = 0;


    // Check to make sure that security will allow this assembly to load.  Throw an exception if the
    // assembly should be forbidden from loading for security related purposes
    virtual void CheckAllowAssemblyLoad() = 0;
#endif // #ifndef DACCESS_COMPILE
};

class ISharedSecurityDescriptor
{
public:
    virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL) = 0;
    virtual BOOL IsResolved() const = 0;
    virtual BOOL IsSystem() = 0;
    virtual Assembly* GetAssembly() = 0;
};


#include "security.inl"
#include "securitydeclarative.inl"
#include "securityattributes.inl"

#endif