src/vm/securitydescriptorassembly.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
// 

//


#ifndef __SECURITYDESCRIPTOR_ASSEMBLY_H__
#define __SECURITYDESCRIPTOR_ASSEMBLY_H__

#include "security.h"
#include "securitydescriptor.h"
struct AssemblyLoadSecurity;

class Assembly;
class DomainAssembly;

// Security flags for the objects that store security information
#define CORSEC_ASSERTED             0x000020 // Asseted permission set present on frame
#define CORSEC_DENIED               0x000040 // Denied permission set present on frame
#define CORSEC_REDUCED              0x000080 // Reduced permission set present on frame


///////////////////////////////////////////////////////////////////////////////
//
//      [SecurityDescriptor]
//      |
//      +----[PEFileSecurityDescriptor]
//      |
//      +----[ApplicationSecurityDescriptor]
//      |
//      +----[AssemblySecurityDescriptor]
//
//      [SharedSecurityDescriptor]
//
///////////////////////////////////////////////////////////////////////////////
//
// A Security Descriptor is placed on AppDomain and Assembly (Unmanged) objects.
// AppDomain and Assembly could be from different zones.
// Security Descriptor could also be placed on a native frame.
//
///////////////////////////////////////////////////////////////////////////////

#define MAX_PASSED_DEMANDS 10

//------------------------------------------------------------------
//
//          ASSEMBLY SECURITY DESCRIPTOR
//
//------------------------------------------------------------------

#ifndef DACCESS_COMPILE
void StoreObjectInLazyHandle(LOADERHANDLE& handle, OBJECTREF ref, LoaderAllocator* la);
#endif
class AssemblySecurityDescriptor : public SecurityDescriptorBase<IAssemblySecurityDescriptor>
{
public:
    VPTR_VTABLE_CLASS(AssemblySecurityDescriptor, SecurityDescriptorBase<IAssemblySecurityDescriptor>)

private:
    PsetCacheEntry*   m_arrPassedLinktimeDemands[MAX_PASSED_DEMANDS];
    DWORD   m_dwNumPassedDemands;

    COR_TRUST                                *m_pSignature;            // Contains the publisher, requested permission
    SharedSecurityDescriptor                 *m_pSharedSecDesc;        // Shared state for assemblies loaded into multiple appdomains

#ifdef FEATURE_CAS_POLICY
    LOADERHANDLE m_hRequiredPermissionSet;  // Required Requested Permissions
    LOADERHANDLE m_hOptionalPermissionSet;  // Optional Requested Permissions
    LOADERHANDLE m_hDeniedPermissionSet;    // Denied Permissions

    BOOL                m_fAdditionalEvidence;
    BOOL                m_fIsSignatureLoaded;
    BOOL                m_fAssemblyRequestsComputed;
#endif // FEATURE_CAS_POLICY

    BOOL                m_fMicrosoftPlatform;
    BOOL                m_fAllowSkipVerificationInFullTrust;

#ifndef DACCESS_COMPILE
public:
    virtual SharedSecurityDescriptor *GetSharedSecDesc();

    virtual BOOL CanAssert();
    virtual BOOL HasUnrestrictedUIPermission();
    virtual BOOL IsAllCritical();
    virtual BOOL IsAllSafeCritical();
    virtual BOOL IsAllPublicAreaSafeCritical();
    virtual BOOL IsAllTransparent();
    virtual BOOL IsSystem();
	BOOL QuickIsFullyTrusted();

	BOOL CanSkipVerification();
    virtual BOOL AllowSkipVerificationInFullTrust();

    virtual VOID Resolve();

    virtual void ResolvePolicy(ISharedSecurityDescriptor *pSharedDesc, BOOL fShouldSkipPolicyResolution);

	AssemblySecurityDescriptor(AppDomain *pDomain, DomainAssembly *pAssembly, LoaderAllocator *pLoaderAllocator);

    inline BOOL AlreadyPassedDemand(PsetCacheEntry *pCasDemands);
    inline void TryCachePassedDemand(PsetCacheEntry *pCasDemands);
    Assembly* GetAssembly();
	
#ifndef DACCESS_COMPILE
    virtual void PropagatePermissionSet(OBJECTREF GrantedPermissionSet, OBJECTREF DeniedPermissionSet, DWORD dwSpecialFlags);
#endif	// !DACCESS_COMPILE

#ifdef FEATURE_CAS_POLICY
    virtual HRESULT LoadSignature(COR_TRUST **ppSignature = NULL);
    virtual OBJECTREF GetEvidence();
    DWORD GetZone();

    OBJECTREF GetRequestedPermissionSet(OBJECTREF *pOptionalPermissionSet, OBJECTREF *pDeniedPermissionSet);

    virtual void SetRequestedPermissionSet(OBJECTREF RequiredPermissionSet,
                                          OBJECTREF OptionalPermissionSet,
                                          OBJECTREF DeniedPermissionSet);

#ifndef DACCESS_COMPILE
    virtual void SetAdditionalEvidence(OBJECTREF evidence);
    virtual BOOL HasAdditionalEvidence();
    virtual OBJECTREF GetAdditionalEvidence();
    virtual void SetEvidenceFromPEFile(IPEFileSecurityDescriptor *pPEFileSecDesc);
#endif	// !DACCESS_COMPILE
#endif // FEATURE_CAS_POLICY
	
#ifndef FEATURE_CORECLR 
    virtual BOOL AllowApplicationSpecifiedAppDomainManager();
#endif // !FEATURE_CORECLR

    virtual void CheckAllowAssemblyLoad();

private:
    BOOL CanSkipPolicyResolution();
    OBJECTREF UpgradePEFileEvidenceToAssemblyEvidence(const OBJECTREF& objPEFileEvidence);

    void ResolveWorker();

#ifdef FEATURE_CAS_POLICY
    inline BOOL IsAssemblyRequestsComputed();
    inline BOOL IsSignatureLoaded();
    inline void SetSignatureLoaded();
#endif

#ifdef FEATURE_APTCA
    // If you think you need to call this method, you're probably wrong.  We shouldn't be making any
    // security enforcement decisions based upon this result -- it's strictly for ensuring that we load
    // conditional APTCA assemblies correctly.
    inline BOOL IsConditionalAptca();
#endif // FEATURE_APTCA

#endif // #ifndef DACCESS_COMPILE
};


// This really isn't in the SecurityDescriptor hierarchy, per-se. It's attached
// to the unmanaged assembly object and used to store common information when
// the assembly is shared across multiple appdomains.
class SharedSecurityDescriptor : public ISharedSecurityDescriptor
{
private:
    // Unmanaged assembly this descriptor is attached to.
    Assembly           *m_pAssembly;

    // All policy resolution is funnelled through the shared descriptor so we
    // can guarantee everyone's using the same grant/denied sets.
    BOOL                m_fResolved;
    BOOL                m_fFullyTrusted;
    BOOL                m_fCanCallUnmanagedCode;
    BOOL                m_fCanAssert;
    BOOL                m_fMicrosoftPlatform;

public:
    SharedSecurityDescriptor(Assembly *pAssembly);
    virtual ~SharedSecurityDescriptor() {}

    // All policy resolution is funnelled through the shared descriptor so we
    // can guarantee everyone's using the same grant/denied sets.
    virtual void Resolve(IAssemblySecurityDescriptor *pSecDesc = NULL);
	virtual BOOL IsResolved() const;

    // Is this assembly a system assembly?
    virtual BOOL IsSystem();    
    virtual Assembly* GetAssembly();

    BOOL IsFullyTrusted();
    BOOL CanCallUnmanagedCode() const;
    BOOL CanAssert();
};

#include "securitydescriptorassembly.inl"

#endif // #define __SECURITYDESCRIPTOR_ASSEMBLY_H__