2 // System.Security.SecurityManager.cs
5 // Nick Drochak(ndrochak@gol.com)
6 // Sebastien Pouliot <sebastien@ximian.com>
9 // Portions (C) 2004 Motus Technologies Inc. (http://www.motus.com)
10 // Copyright (C) 2004-2005 Novell, Inc (http://www.novell.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 using System.Collections;
33 using System.Globalization;
35 using System.Reflection;
36 using System.Runtime.CompilerServices;
37 using System.Runtime.InteropServices;
38 using System.Security.Permissions;
39 using System.Security.Policy;
44 namespace System.Security {
46 // Must match MonoDeclSecurityActions in /mono/metadata/reflection.h
47 internal struct RuntimeDeclSecurityActions {
48 public RuntimeDeclSecurityEntry cas;
49 public RuntimeDeclSecurityEntry noncas;
50 public RuntimeDeclSecurityEntry choice;
55 public static class SecurityManager {
57 public sealed class SecurityManager {
59 private SecurityManager ()
63 private static object _lockObject;
64 private static ArrayList _hierarchy;
65 private static IPermission _unmanagedCode;
66 private static Hashtable _declsecCache;
67 private static PolicyLevel _level;
69 static SecurityManager ()
72 // http://msdn.microsoft.com/library/en-us/dnaskdr/html/askgui06032003.asp?frame=true
73 _lockObject = new object ();
78 extern public static bool CheckExecutionRights {
79 [MethodImplAttribute (MethodImplOptions.InternalCall)]
82 [MethodImplAttribute (MethodImplOptions.InternalCall)]
83 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
88 [Obsolete ("The security manager cannot be turned off on MS runtime")]
90 extern public static bool SecurityEnabled {
91 [MethodImplAttribute (MethodImplOptions.InternalCall)]
94 [MethodImplAttribute (MethodImplOptions.InternalCall)]
95 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
102 // NOTE: This method doesn't show in the class library status page because
103 // it cannot be "found" with the StrongNameIdentityPermission for ECMA key.
105 // FIXME works for fulltrust (empty), documentation doesn't really make sense, type wise
106 [MonoTODO ("CAS support is experimental (and unsupported). This method only works in FullTrust.")]
107 [StrongNameIdentityPermission (SecurityAction.LinkDemand, PublicKey = "0x00000000000000000400000000000000")]
108 public static void GetZoneAndOrigin (out ArrayList zone, out ArrayList origin)
110 zone = new ArrayList ();
111 origin = new ArrayList ();
115 public static bool IsGranted (IPermission perm)
119 if (!SecurityEnabled)
123 // - Only check the caller (no stack walk required)
124 // - Not affected by overrides (like Assert, Deny and PermitOnly)
125 // - calls IsSubsetOf even for non CAS permissions
126 // (i.e. it does call Demand so any code there won't be executed)
128 // with 2.0 identity permission are unrestrictable
129 return IsGranted (Assembly.GetCallingAssembly (), perm);
131 if (perm is IUnrestrictedPermission)
132 return IsGranted (Assembly.GetCallingAssembly (), perm);
134 return IsGrantedRestricted (Assembly.GetCallingAssembly (), perm);
139 // only for permissions that do not implement IUnrestrictedPermission
140 internal static bool IsGrantedRestricted (Assembly a, IPermission perm)
142 PermissionSet granted = a.GrantedPermissionSet;
\r
143 if (granted != null) {
\r
144 CodeAccessPermission grant = (CodeAccessPermission) granted.GetPermission (perm.GetType ());
145 if (!perm.IsSubsetOf (grant)) {
150 PermissionSet denied = a.DeniedPermissionSet;
151 if (denied != null) {
\r
152 CodeAccessPermission refuse = (CodeAccessPermission) a.DeniedPermissionSet.GetPermission (perm.GetType ());
153 if ((refuse != null) && perm.IsSubsetOf (refuse))
159 // note: in 2.0 *all* permissions (including identity permissions) support unrestricted
160 internal static bool IsGranted (Assembly a, IPermission perm)
162 PermissionSet granted = a.GrantedPermissionSet;
\r
163 if ((granted != null) && !granted.IsUnrestricted ()) {
\r
164 CodeAccessPermission grant = (CodeAccessPermission) granted.GetPermission (perm.GetType ());
\r
165 if (!perm.IsSubsetOf (grant)) {
\r
170 PermissionSet denied = a.DeniedPermissionSet;
\r
171 if ((denied != null) && !denied.IsEmpty ()) {
\r
172 if (denied.IsUnrestricted ())
\r
174 CodeAccessPermission refuse = (CodeAccessPermission) a.DeniedPermissionSet.GetPermission (perm.GetType ());
\r
175 if ((refuse != null) && perm.IsSubsetOf (refuse))
\r
181 internal static IPermission CheckPermissionSet (Assembly a, PermissionSet ps, bool noncas)
186 foreach (IPermission p in ps) {
187 // note: this may contains non CAS permissions
188 if ((!noncas) && (p is CodeAccessPermission)) {
190 if (!IsGranted (a, p))
193 if (p is IUnrestrictedPermission) {
194 if (!IsGranted (a, p))
197 if (!IsGrantedRestricted (a, p))
202 // but non-CAS will throw on failure...
206 catch (SecurityException) {
215 internal static IPermission CheckPermissionSet (AppDomain ad, PermissionSet ps)
217 if ((ps == null) || ps.IsEmpty ())
220 PermissionSet granted = ad.GrantedPermissionSet;
224 if (granted.IsUnrestricted ())
227 if ((granted.Count == 0) && granted.IsUnrestricted ())
230 if (ps.IsUnrestricted ())
231 return new SecurityPermission (SecurityPermissionFlag.NoFlags);
233 foreach (IPermission p in ps) {
234 if (p is CodeAccessPermission) {
235 CodeAccessPermission grant = (CodeAccessPermission) granted.GetPermission (p.GetType ());
237 if (!granted.IsUnrestricted () || !(p is IUnrestrictedPermission)) {
238 if (!p.IsSubsetOf (null))
241 } else if (!p.IsSubsetOf (grant)) {
245 // but non-CAS will throw on failure...
249 catch (SecurityException) {
258 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
259 public static PolicyLevel LoadPolicyLevelFromFile (string path, PolicyLevelType type)
262 throw new ArgumentNullException ("path");
264 PolicyLevel pl = null;
266 pl = new PolicyLevel (type.ToString (), type);
267 pl.LoadFromFile (path);
269 catch (Exception e) {
270 throw new ArgumentException (Locale.GetText ("Invalid policy XML"), e);
275 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
276 public static PolicyLevel LoadPolicyLevelFromString (string str, PolicyLevelType type)
279 throw new ArgumentNullException ("str");
281 PolicyLevel pl = null;
283 pl = new PolicyLevel (type.ToString (), type);
284 pl.LoadFromString (str);
286 catch (Exception e) {
287 throw new ArgumentException (Locale.GetText ("Invalid policy XML"), e);
292 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
293 public static IEnumerator PolicyHierarchy ()
298 public static PermissionSet ResolvePolicy (Evidence evidence)
300 // no evidence, no permission
301 if (evidence == null)
302 return new PermissionSet (PermissionState.None);
304 PermissionSet ps = null;
305 // Note: can't call PolicyHierarchy since ControlPolicy isn't required to resolve policies
306 IEnumerator ple = Hierarchy;
307 while (ple.MoveNext ()) {
308 PolicyLevel pl = (PolicyLevel) ple.Current;
309 if (ResolvePolicyLevel (ref ps, pl, evidence)) {
310 break; // i.e. PolicyStatementAttribute.LevelFinal
314 ResolveIdentityPermissions (ps, evidence);
320 [MonoTODO ("(2.0) more tests are needed")]
321 public static PermissionSet ResolvePolicy (Evidence[] evidences)
323 if ((evidences == null) || (evidences.Length == 0) ||
324 ((evidences.Length == 1) && (evidences [0].Count == 0))) {
325 return new PermissionSet (PermissionState.None);
328 // probably not optimal
329 PermissionSet ps = ResolvePolicy (evidences [0]);
330 for (int i=1; i < evidences.Length; i++) {
331 ps = ps.Intersect (ResolvePolicy (evidences [i]));
336 public static PermissionSet ResolveSystemPolicy (Evidence evidence)
338 // no evidence, no permission
339 if (evidence == null)
340 return new PermissionSet (PermissionState.None);
342 // Note: can't call PolicyHierarchy since ControlPolicy isn't required to resolve policies
343 PermissionSet ps = null;
344 IEnumerator ple = Hierarchy;
345 while (ple.MoveNext ()) {
346 PolicyLevel pl = (PolicyLevel) ple.Current;
347 if (pl.Type == PolicyLevelType.AppDomain)
349 if (ResolvePolicyLevel (ref ps, pl, evidence))
350 break; // i.e. PolicyStatementAttribute.LevelFinal
353 ResolveIdentityPermissions (ps, evidence);
358 static private SecurityPermission _execution = new SecurityPermission (SecurityPermissionFlag.Execution);
360 public static PermissionSet ResolvePolicy (Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied)
362 PermissionSet resolved = ResolvePolicy (evidence);
363 // do we have the minimal permission requested by the assembly ?
364 if ((reqdPset != null) && !reqdPset.IsSubsetOf (resolved)) {
365 throw new PolicyException (Locale.GetText (
366 "Policy doesn't grant the minimal permissions required to execute the assembly."));
369 // do we check for execution rights ?
370 if (CheckExecutionRights) {
371 bool execute = false;
372 // an empty permissionset doesn't include Execution
373 if (resolved != null) {
374 // unless we have "Full Trust"...
375 if (resolved.IsUnrestricted ()) {
378 // ... we need to find a SecurityPermission
379 IPermission security = resolved.GetPermission (typeof (SecurityPermission));
380 execute = _execution.IsSubsetOf (security);
385 throw new PolicyException (Locale.GetText (
386 "Policy doesn't grant the right to execute the assembly."));
394 public static IEnumerator ResolvePolicyGroups (Evidence evidence)
396 if (evidence == null)
397 throw new ArgumentNullException ("evidence");
399 ArrayList al = new ArrayList ();
400 // Note: can't call PolicyHierarchy since ControlPolicy isn't required to resolve policies
401 IEnumerator ple = Hierarchy;
402 while (ple.MoveNext ()) {
403 PolicyLevel pl = (PolicyLevel) ple.Current;
404 CodeGroup cg = pl.ResolveMatchingCodeGroups (evidence);
407 return al.GetEnumerator ();
410 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
411 public static void SavePolicy ()
413 IEnumerator e = Hierarchy;
414 while (e.MoveNext ()) {
415 PolicyLevel level = (e.Current as PolicyLevel);
420 [SecurityPermission (SecurityAction.Demand, ControlPolicy = true)]
421 public static void SavePolicyLevel (PolicyLevel level)
423 // Yes this will throw a NullReferenceException, just like MS (see FDBK13121)
427 // private/internal stuff
429 private static IEnumerator Hierarchy {
432 if (_hierarchy == null)
433 InitializePolicyHierarchy ();
435 return _hierarchy.GetEnumerator ();
439 private static void InitializePolicyHierarchy ()
441 string machinePolicyPath = Path.GetDirectoryName (Environment.GetMachineConfigPath ());
442 // note: use InternalGetFolderPath to avoid recursive policy initialization
443 string userPolicyPath = Path.Combine (Environment.InternalGetFolderPath (Environment.SpecialFolder.ApplicationData), "mono");
445 PolicyLevel enterprise = new PolicyLevel ("Enterprise", PolicyLevelType.Enterprise);
447 enterprise.LoadFromFile (Path.Combine (machinePolicyPath, "enterprisesec.config"));
449 PolicyLevel machine = new PolicyLevel ("Machine", PolicyLevelType.Machine);
451 machine.LoadFromFile (Path.Combine (machinePolicyPath, "security.config"));
453 PolicyLevel user = new PolicyLevel ("User", PolicyLevelType.User);
455 user.LoadFromFile (Path.Combine (userPolicyPath, "security.config"));
457 ArrayList al = new ArrayList ();
462 _hierarchy = ArrayList.Synchronized (al);
466 internal static bool ResolvePolicyLevel (ref PermissionSet ps, PolicyLevel pl, Evidence evidence)
468 PolicyStatement pst = pl.Resolve (evidence);
471 // only for initial (first) policy level processed
472 ps = pst.PermissionSet;
474 ps = ps.Intersect (pst.PermissionSet);
476 // null is equals to None - exist that null can throw NullReferenceException ;-)
477 ps = new PermissionSet (PermissionState.None);
481 if ((pst.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal)
487 internal static void ResolveIdentityPermissions (PermissionSet ps, Evidence evidence)
490 // in 2.0 identity permissions can now be unrestricted
491 if (ps.IsUnrestricted ())
494 // Only host evidence are used for policy resolution
495 IEnumerator ee = evidence.GetHostEnumerator ();
496 while (ee.MoveNext ()) {
497 IIdentityPermissionFactory ipf = (ee.Current as IIdentityPermissionFactory);
499 IPermission p = ipf.CreateIdentityPermission (evidence);
500 ps.AddPermission (p);
505 internal static PolicyLevel ResolvingPolicyLevel {
506 get { return _level; }
507 set { _level = value; }
510 internal static PermissionSet Decode (IntPtr permissions, int length)
512 // Permission sets from the runtime (declarative security) can be cached
513 // for performance as they can never change (i.e. they are read-only).
514 PermissionSet ps = null;
517 if (_declsecCache == null) {
518 _declsecCache = new Hashtable ();
521 object key = (object) (int) permissions;
522 ps = (PermissionSet) _declsecCache [key];
524 // create permissionset and add it to the cache
525 byte[] data = new byte [length];
526 Marshal.Copy (permissions, data, 0, length);
528 ps.DeclarativeSecurity = true;
529 _declsecCache.Add (key, ps);
535 internal static PermissionSet Decode (byte[] encodedPermissions)
537 if ((encodedPermissions == null) || (encodedPermissions.Length < 1))
538 throw new SecurityException ("Invalid metadata format.");
540 switch (encodedPermissions [0]) {
542 // Fx 1.0/1.1 declarative security permissions metadata is in Unicode-encoded XML
543 string xml = Encoding.Unicode.GetString (encodedPermissions);
544 return new PermissionSet (xml);
546 // Fx 2.0 are encoded "somewhat, but not enough, like" custom attributes
547 // note: we still support the older format!
548 return PermissionSet.CreateFromBinaryFormat (encodedPermissions);
550 throw new SecurityException (Locale.GetText ("Unknown metadata format."));
554 private static IPermission UnmanagedCode {
557 if (_unmanagedCode == null)
558 _unmanagedCode = new SecurityPermission (SecurityPermissionFlag.UnmanagedCode);
560 return _unmanagedCode;
564 // security check when using reflection
566 [MethodImplAttribute(MethodImplOptions.InternalCall)]
567 private static unsafe extern bool GetLinkDemandSecurity (MethodBase method, RuntimeDeclSecurityActions *cdecl, RuntimeDeclSecurityActions *mdecl);
569 // When using reflection LinkDemand are promoted to full Demand (i.e. stack walk)
570 internal unsafe static void ReflectedLinkDemandInvoke (MethodBase mb)
572 RuntimeDeclSecurityActions klass;
573 RuntimeDeclSecurityActions method;
575 if (!GetLinkDemandSecurity (mb, &klass, &method))
578 PermissionSet ps = null;
580 if (klass.cas.size > 0) {
581 ps = Decode (klass.cas.blob, klass.cas.size);
583 if (klass.noncas.size > 0) {
584 PermissionSet p = Decode (klass.noncas.blob, klass.noncas.size);
585 ps = (ps == null) ? p : ps.Union (p);
588 if (method.cas.size > 0) {
589 PermissionSet p = Decode (method.cas.blob, method.cas.size);
590 ps = (ps == null) ? p : ps.Union (p);
592 if (method.noncas.size > 0) {
593 PermissionSet p = Decode (method.noncas.blob, method.noncas.size);
594 ps = (ps == null) ? p : ps.Union (p);
597 // in this case we union-ed the permission sets because we want to do
598 // a single stack walk (not up to 4).
603 internal unsafe static bool ReflectedLinkDemandQuery (MethodBase mb)
605 RuntimeDeclSecurityActions klass;
606 RuntimeDeclSecurityActions method;
608 if (!GetLinkDemandSecurity (mb, &klass, &method))
611 return LinkDemand (mb.ReflectedType.Assembly, &klass, &method);
614 private unsafe static bool LinkDemand (Assembly a, RuntimeDeclSecurityActions *klass, RuntimeDeclSecurityActions *method)
617 PermissionSet ps = null;
619 if (klass->cas.size > 0) {
620 ps = Decode (klass->cas.blob, klass->cas.size);
621 result = (SecurityManager.CheckPermissionSet (a, ps, false) == null);
623 if (result && (klass->noncas.size > 0)) {
624 ps = Decode (klass->noncas.blob, klass->noncas.size);
625 result = (SecurityManager.CheckPermissionSet (a, ps, true) == null);
628 if (result && (method->cas.size > 0)) {
629 ps = Decode (method->cas.blob, method->cas.size);
630 result = (SecurityManager.CheckPermissionSet (a, ps, false) == null);
632 if (result && (method->noncas.size > 0)) {
633 ps = Decode (method->noncas.blob, method->noncas.size);
634 result = (SecurityManager.CheckPermissionSet (a, ps, true) == null);
638 catch (SecurityException) {
643 #pragma warning disable 169
644 private static bool LinkDemandFullTrust (Assembly a)
646 // FullTrust is immutable (and means Unrestricted)
647 // so we can skip the subset operations and jump to IsUnrestricted.
648 PermissionSet granted = a.GrantedPermissionSet;
649 if ((granted != null) && !granted.IsUnrestricted ())
652 PermissionSet denied = a.DeniedPermissionSet;
653 if ((denied != null) && !denied.IsEmpty ())
659 private static bool LinkDemandUnmanaged (Assembly a)
661 // note: we know that UnmanagedCode (SecurityPermission) implements IUnrestrictedPermission
662 return IsGranted (a, UnmanagedCode);
665 // we try to provide as much details as possible to help debugging
666 private static void LinkDemandSecurityException (int securityViolation, IntPtr methodHandle)
668 RuntimeMethodHandle runtimeHandle = new RuntimeMethodHandle (methodHandle);
669 MethodInfo method = (MethodInfo)(MethodBase.GetMethodFromHandle (runtimeHandle));
670 Assembly a = method.DeclaringType.Assembly;
672 string message = null;
673 AssemblyName an = null;
674 PermissionSet granted = null;
675 PermissionSet refused = null;
676 object demanded = null;
677 IPermission failed = null;
680 an = a.UnprotectedGetName ();
681 granted = a.GrantedPermissionSet;
682 refused = a.DeniedPermissionSet;
685 switch (securityViolation) {
686 case 1: // MONO_JIT_LINKDEMAND_PERMISSION
687 message = Locale.GetText ("Permissions refused to call this method.");
689 case 2: // MONO_JIT_LINKDEMAND_APTC
690 message = Locale.GetText ("Partially trusted callers aren't allowed to call into this assembly.");
691 demanded = (object) DefaultPolicies.FullTrust; // immutable
693 case 4: // MONO_JIT_LINKDEMAND_ECMA
694 message = Locale.GetText ("Calling internal calls is restricted to ECMA signed assemblies.");
696 case 8: // MONO_JIT_LINKDEMAND_PINVOKE
697 message = Locale.GetText ("Calling unmanaged code isn't allowed from this assembly.");
698 demanded = (object) _unmanagedCode;
699 failed = _unmanagedCode;
702 message = Locale.GetText ("JIT time LinkDemand failed.");
706 throw new SecurityException (message, an, granted, refused, method, SecurityAction.LinkDemand, demanded, failed, null);
709 private static void InheritanceDemandSecurityException (int securityViolation, Assembly a, Type t, MethodInfo method)
711 string message = null;
712 AssemblyName an = null;
713 PermissionSet granted = null;
714 PermissionSet refused = null;
717 an = a.UnprotectedGetName ();
718 granted = a.GrantedPermissionSet;
719 refused = a.DeniedPermissionSet;
722 switch (securityViolation) {
723 case 1: // MONO_METADATA_INHERITANCEDEMAND_CLASS
724 message = String.Format (Locale.GetText ("Class inheritance refused for {0}."), t);
726 case 2: // MONO_METADATA_INHERITANCEDEMAND_CLASS
727 message = Locale.GetText ("Method override refused.");
730 message = Locale.GetText ("Load time InheritDemand failed.");
734 throw new SecurityException (message, an, granted, refused, method, SecurityAction.InheritanceDemand, null, null, null);
737 private static void FieldAccessException (IntPtr caller, IntPtr field)
739 throw new FieldAccessException (Locale.GetText ("Field access not allowed."));
742 private static void MethodAccessException (IntPtr caller, IntPtr callee)
744 throw new MethodAccessException (Locale.GetText ("Method call not allowed."));
747 // internal - get called by the class loader
750 // - class inheritance
751 // - method overrides
752 private unsafe static bool InheritanceDemand (AppDomain ad, Assembly a, RuntimeDeclSecurityActions *actions)
755 PermissionSet ps = null;
757 if (actions->cas.size > 0) {
758 ps = Decode (actions->cas.blob, actions->cas.size);
759 result = (SecurityManager.CheckPermissionSet (a, ps, false) == null);
761 // also check appdomain
762 result = (SecurityManager.CheckPermissionSet (ad, ps) == null);
765 if (actions->noncas.size > 0) {
766 ps = Decode (actions->noncas.blob, actions->noncas.size);
767 result = (SecurityManager.CheckPermissionSet (a, ps, true) == null);
769 // also check appdomain
770 result = (SecurityManager.CheckPermissionSet (ad, ps) == null);
775 catch (SecurityException) {
780 // internal - get called at JIT time
782 private static void DemandUnmanaged ()
784 UnmanagedCode.Demand ();
787 // internal - get called by JIT generated code
789 private static void InternalDemand (IntPtr permissions, int length)
791 PermissionSet ps = Decode (permissions, length);
795 private static void InternalDemandChoice (IntPtr permissions, int length)
797 throw new SecurityException ("SecurityAction.DemandChoice was removed from 2.0");
799 #pragma warning restore 169
projects / mono.git / blob