1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
//
#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_H__
#define __SECURITYDESCRIPTOR_ASSEMBLY_H__
#include "security.h"
#include "securitydescriptor.h"
struct AssemblyLoadSecurity;
class Assembly;
class DomainAssembly;
// Security flags for the objects that store security information
#define CORSEC_ASSERTED 0x000020 // Asseted permission set present on frame
#define CORSEC_DENIED 0x000040 // Denied permission set present on frame
#define CORSEC_REDUCED 0x000080 // Reduced permission set present on frame
///////////////////////////////////////////////////////////////////////////////
//
// [SecurityDescriptor]
// |
// +----[PEFileSecurityDescriptor]
// |
// +----[ApplicationSecurityDescriptor]
// |
// +----[AssemblySecurityDescriptor]
//
// [SharedSecurityDescriptor]
//
///////////////////////////////////////////////////////////////////////////////
//
// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects.
// AppDomain and Assembly could be from different zones.
// Security Descriptor could also be placed on a native frame.
//
///////////////////////////////////////////////////////////////////////////////
#define MAX_PASSED_DEMANDS 10
//------------------------------------------------------------------
//
// ASSEMBLY SECURITY DESCRIPTOR
//
//------------------------------------------------------------------
#ifndef DACCESS_COMPILE
void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la);
#endif
class AssemblySecurityDescriptor : public SecurityDescriptorBase<IAssemblySecurityDescriptor>
{
public:
VPTR_VTABLE_CLASS(AssemblySecurityDescriptor, SecurityDescriptorBase<IAssemblySecurityDescriptor>)
private:
PsetCacheEntry* m_arrPassedLinktimeDemands[MAX_PASSED_DEMANDS];
DWORD m_dwNumPassedDemands;
COR_TRUST *m_pSignature; // Contains the publisher, requested permission
SharedSecurityDescriptor *m_pSharedSecDesc; // Shared state for assemblies loaded into multiple appdomains
#ifdef FEATURE_CAS_POLICY
LOADERHANDLE m_hRequiredPermissionSet; // Required Requested Permissions
LOADERHANDLE m_hOptionalPermissionSet; // Optional Requested Permissions
LOADERHANDLE m_hDeniedPermissionSet; // Denied Permissions
BOOL m_fAdditionalEvidence;
BOOL m_fIsSignatureLoaded;
BOOL m_fAssemblyRequestsComputed;
#endif // FEATURE_CAS_POLICY
BOOL m_fMicrosoftPlatform;
BOOL m_fAllowSkipVerificationInFullTrust;
#ifndef DACCESS_COMPILE
public:
virtual SharedSecurityDescriptor *GetSharedSecDesc();
virtual BOOL CanAssert();
virtual BOOL HasUnrestrictedUIPermission();
virtual BOOL IsAllCritical();
virtual BOOL IsAllSafeCritical();
virtual BOOL IsAllPublicAreaSafeCritical();
virtual BOOL IsAllTransparent();
virtual BOOL IsSystem();
BOOL QuickIsFullyTrusted();
BOOL CanSkipVerification();
virtual BOOL AllowSkipVerificationInFullTrust();
virtual VOID Resolve();
virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution);
AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);
inline BOOL AlreadyPassedDemand(PsetCacheEntry *pCasDemands);
inline void TryCachePassedDemand(PsetCacheEntry *pCasDemands);
Assembly* GetAssembly();
#ifndef DACCESS_COMPILE
virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags);
#endif // !DACCESS_COMPILE
#ifdef FEATURE_CAS_POLICY
virtual HRESULT LoadSignature(COR_TRUST **ppSignature = NULL);
virtual OBJECTREF GetEvidence();
DWORD GetZone();
OBJECTREF GetRequestedPermissionSet(OBJECTREF *pOptionalPermissionSet, OBJECTREF *pDeniedPermissionSet);
virtual void SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet,
OBJECTREF OptionalPermissionSet,
OBJECTREF DeniedPermissionSet);
#ifndef DACCESS_COMPILE
virtual void SetAdditionalEvidence(OBJECTREF evidence);
virtual BOOL HasAdditionalEvidence();
virtual OBJECTREF GetAdditionalEvidence();
virtual void SetEvidenceFromPEFile(IPEFileSecurityDescriptor *pPEFileSecDesc);
#endif // !DACCESS_COMPILE
#endif // FEATURE_CAS_POLICY
#ifndef FEATURE_CORECLR
virtual BOOL AllowApplicationSpecifiedAppDomainManager();
#endif // !FEATURE_CORECLR
virtual void CheckAllowAssemblyLoad();
private:
BOOL CanSkipPolicyResolution();
OBJECTREF UpgradePEFileEvidenceToAssemblyEvidence(const OBJECTREF& objPEFileEvidence);
void ResolveWorker();
#ifdef FEATURE_CAS_POLICY
inline BOOL IsAssemblyRequestsComputed();
inline BOOL IsSignatureLoaded();
inline void SetSignatureLoaded();
#endif
#ifdef FEATURE_APTCA
// If you think you need to call this method, you're probably wrong. We shouldn't be making any
// security enforcement decisions based upon this result -- it's strictly for ensuring that we load
// conditional APTCA assemblies correctly.
inline BOOL IsConditionalAptca();
#endif // FEATURE_APTCA
#endif // #ifndef DACCESS_COMPILE
};
// This really isn't in the SecurityDescriptor hierarchy, per-se. It's attached
// to the unmanaged assembly object and used to store common information when
// the assembly is shared across multiple appdomains.
class SharedSecurityDescriptor : public ISharedSecurityDescriptor
{
private:
// Unmanaged assembly this descriptor is attached to.
Assembly *m_pAssembly;
// All policy resolution is funnelled through the shared descriptor so we
// can guarantee everyone's using the same grant/denied sets.
BOOL m_fResolved;
BOOL m_fFullyTrusted;
BOOL m_fCanCallUnmanagedCode;
BOOL m_fCanAssert;
BOOL m_fMicrosoftPlatform;
public:
SharedSecurityDescriptor(Assembly *pAssembly);
virtual ~SharedSecurityDescriptor() {}
// All policy resolution is funnelled through the shared descriptor so we
// can guarantee everyone's using the same grant/denied sets.
virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL);
virtual BOOL IsResolved() const;
// Is this assembly a system assembly?
virtual BOOL IsSystem();
virtual Assembly* GetAssembly();
BOOL IsFullyTrusted();
BOOL CanCallUnmanagedCode() const;
BOOL CanAssert();
};
#include "securitydescriptorassembly.inl"
#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_H__
|