2 * security-core-clr.c: CoreCLR security
5 * Mark Probst <mark.probst@gmail.com>
6 * Sebastien Pouliot <sebastien@ximian.com>
8 * Copyright 2007-2010 Novell, Inc (http://www.novell.com)
11 #include <mono/metadata/class-internals.h>
12 #include <mono/metadata/security-manager.h>
13 #include <mono/metadata/assembly.h>
14 #include <mono/metadata/appdomain.h>
15 #include <mono/metadata/verify-internals.h>
16 #include <mono/metadata/object.h>
17 #include <mono/metadata/exception.h>
18 #include <mono/metadata/debug-helpers.h>
19 #include <mono/utils/mono-logger-internal.h>
21 #include "security-core-clr.h"
23 gboolean mono_security_core_clr_test = FALSE;
26 security_critical_attribute (void)
28 static MonoClass *class = NULL;
31 class = mono_class_from_name (mono_defaults.corlib, "System.Security",
32 "SecurityCriticalAttribute");
39 security_safe_critical_attribute (void)
41 static MonoClass *class = NULL;
44 class = mono_class_from_name (mono_defaults.corlib, "System.Security",
45 "SecuritySafeCriticalAttribute");
52 * set_type_load_exception_type
54 * Set MONO_EXCEPTION_TYPE_LOAD on the specified 'class' and provide
55 * a descriptive message for the exception. This message is also,
56 * optionally, being logged (export MONO_LOG_MASK="security") for
60 set_type_load_exception_type (const char *format, MonoClass *class)
62 char *type_name = mono_type_get_full_name (class);
63 char *parent_name = mono_type_get_full_name (class->parent);
64 char *message = g_strdup_printf (format, type_name, parent_name);
69 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
70 mono_class_set_failure (class, MONO_EXCEPTION_TYPE_LOAD, message);
71 // note: do not free string given to mono_class_set_failure
75 * set_type_load_exception_methods
77 * Set MONO_EXCEPTION_TYPE_LOAD on the 'override' class and provide
78 * a descriptive message for the exception. This message is also,
79 * optionally, being logged (export MONO_LOG_MASK="security") for
83 set_type_load_exception_methods (const char *format, MonoMethod *override, MonoMethod *base)
85 char *method_name = mono_method_full_name (override, TRUE);
86 char *base_name = mono_method_full_name (base, TRUE);
87 char *message = g_strdup_printf (format, method_name, base_name);
92 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
93 mono_class_set_failure (override->klass, MONO_EXCEPTION_TYPE_LOAD, message);
94 // note: do not free string given to mono_class_set_failure
97 /* MonoClass is not fully initialized (inited is not yet == 1) when we
98 * check the inheritance rules so we need to look for the default ctor
99 * ourselve to avoid recursion (and aborting)
102 get_default_ctor (MonoClass *klass)
106 mono_class_setup_methods (klass);
110 for (i = 0; i < klass->method.count; ++i) {
111 MonoMethodSignature *sig;
112 MonoMethod *method = klass->methods [i];
117 if ((method->flags & METHOD_ATTRIBUTE_SPECIAL_NAME) == 0)
119 if ((method->name[0] != '.') || strcmp (".ctor", method->name))
121 sig = mono_method_signature (method);
122 if (sig && (sig->param_count == 0))
130 * mono_security_core_clr_check_inheritance:
132 * Determine if the specified class can inherit from its parent using
133 * the CoreCLR inheritance rules.
135 * Base Type Allow Derived Type
136 * ------------ ------------------
137 * Transparent Transparent, SafeCritical, Critical
138 * SafeCritical SafeCritical, Critical
141 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
143 * Furthermore a class MUST have a default constructor if its base
144 * class has a non-transparent default constructor. The same
145 * inheritance rule applies to both default constructors.
147 * Reference: message from a SecurityException in SL4RC
150 mono_security_core_clr_check_inheritance (MonoClass *class)
152 MonoSecurityCoreCLRLevel class_level, parent_level;
153 MonoClass *parent = class->parent;
158 class_level = mono_security_core_clr_class_level (class);
159 parent_level = mono_security_core_clr_class_level (parent);
161 if (class_level < parent_level) {
162 set_type_load_exception_type (
163 "Inheritance failure for type %s. Parent class %s is more restricted.",
166 class_level = mono_security_core_clr_method_level (get_default_ctor (class), FALSE);
167 parent_level = mono_security_core_clr_method_level (get_default_ctor (parent), FALSE);
168 if (class_level < parent_level) {
169 set_type_load_exception_type (
170 "Inheritance failure for type %s. Default constructor security mismatch with %s.",
177 * mono_security_core_clr_check_override:
179 * Determine if the specified override can "legally" override the
180 * specified base method using the CoreCLR inheritance rules.
182 * Base (virtual/interface) Allowed override
183 * ------------------------ -------------------------
184 * Transparent Transparent, SafeCritical
185 * SafeCritical Transparent, SafeCritical
188 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
191 mono_security_core_clr_check_override (MonoClass *class, MonoMethod *override, MonoMethod *base)
193 MonoSecurityCoreCLRLevel base_level = mono_security_core_clr_method_level (base, FALSE);
194 MonoSecurityCoreCLRLevel override_level = mono_security_core_clr_method_level (override, FALSE);
195 /* if the base method is decorated with [SecurityCritical] then the overrided method MUST be too */
196 if (base_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
197 if (override_level != MONO_SECURITY_CORE_CLR_CRITICAL) {
198 set_type_load_exception_methods (
199 "Override failure for %s over %s. Override MUST be [SecurityCritical].",
203 /* base is [SecuritySafeCritical] or [SecurityTransparent], override MUST NOT be [SecurityCritical] */
204 if (override_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
205 set_type_load_exception_methods (
206 "Override failure for %s over %s. Override must NOT be [SecurityCritical].",
213 * get_caller_no_reflection_related:
215 * Find the first managed caller that is either:
216 * (a) located outside the platform code assemblies; or
217 * (b) not related to reflection and delegates
219 * Returns TRUE to stop the stackwalk, FALSE to continue to the next frame.
222 get_caller_no_reflection_related (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
224 MonoMethod **dest = data;
227 /* skip unmanaged frames */
231 if (m->wrapper_type != MONO_WRAPPER_NONE)
234 /* quick out (any namespace not starting with an 'S' */
235 ns = m->klass->name_space;
236 if (!ns || (*ns != 'S')) {
241 /* stop if the method is not part of platform code */
242 if (!mono_security_core_clr_is_platform_image (m->klass->image)) {
247 /* any number of calls inside System.Reflection are allowed */
248 if (strcmp (ns, "System.Reflection") == 0)
251 /* any number of calls inside System.Reflection are allowed */
252 if (strcmp (ns, "System.Reflection.Emit") == 0)
255 /* calls from System.Delegate are also possible and allowed */
256 if (strcmp (ns, "System") == 0) {
257 const char *kname = m->klass->name;
258 if ((*kname == 'A') && (strcmp (kname, "Activator") == 0))
261 /* unlike most Invoke* cases InvokeMember is not inside System.Reflection[.Emit] but is SecuritySafeCritical */
262 if (((*kname == 'T') && (strcmp (kname, "Type") == 0)) ||
263 ((*kname == 'M') && (strcmp (kname, "MonoType")) == 0)) {
265 /* if calling InvokeMember then we can't stop the stackwalk here and need to look at the caller */
266 if (strcmp (m->name, "InvokeMember") == 0)
270 /* the security check on the delegate is made at creation time, not at invoke time */
271 if (((*kname == 'D') && (strcmp (kname, "Delegate") == 0)) ||
272 ((*kname == 'M') && (strcmp (kname, "MulticastDelegate")) == 0)) {
274 /* if we're invoking then we can stop our stack walk */
275 if (strcmp (m->name, "DynamicInvoke") != 0)
290 * get_reflection_caller:
292 * Walk to the first managed method outside:
293 * - System.Reflection* namespaces
294 * - System.[Multicast]Delegate or Activator type
296 * and return a pointer to its MonoMethod.
298 * This is required since CoreCLR checks needs to be done on this "real" caller.
301 get_reflection_caller (void)
303 MonoMethod *m = NULL;
304 mono_stack_walk_no_il (get_caller_no_reflection_related, &m);
305 if (G_UNLIKELY (!m)) {
306 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "No caller outside reflection was found");
314 } ElevatedTrustCookie;
317 * get_caller_of_elevated_trust_code
319 * Stack walk to find who is calling code requiring Elevated Trust.
320 * If a critical method is found then the caller is platform code
321 * and has elevated trust, otherwise (transparent) a check needs to
322 * be done (on the managed side) to determine if the application is
323 * running with elevated permissions.
326 get_caller_of_elevated_trust_code (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
328 ElevatedTrustCookie *cookie = data;
330 /* skip unmanaged frames and wrappers */
331 if (!managed || (m->wrapper_type != MONO_WRAPPER_NONE))
334 /* end stack walk if we find ourselves outside platform code (we won't find critical code anymore) */
335 if (!mono_security_core_clr_is_platform_image (m->klass->image)) {
340 switch (cookie->depth) {
341 /* while depth == 0 look for SecurityManager::[Check|Ensure]ElevatedPermissions */
343 if (strcmp (m->klass->name_space, "System.Security"))
345 if (strcmp (m->klass->name, "SecurityManager"))
347 if ((strcmp (m->name, "EnsureElevatedPermissions")) && strcmp (m->name, "CheckElevatedPermissions"))
351 /* while depth == 1 look for the caller to SecurityManager::[Check|Ensure]ElevatedPermissions */
353 /* this frame is [SecuritySafeCritical] because it calls [SecurityCritical] [Check|Ensure]ElevatedPermissions */
354 /* the next frame will contain the caller(s) we want to check */
357 /* while depth >= 2 look for [safe]critical caller, end stack walk if we find it */
360 /* if the caller is transparent then we continue the stack walk */
361 if (mono_security_core_clr_method_level (m, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT)
364 /* Security[Safe]Critical code is always allowed to call elevated-trust code */
373 * mono_security_core_clr_require_elevated_permissions:
375 * Return TRUE if the caller of the current method (the code who
376 * called SecurityManager.get_RequiresElevatedPermissions) needs
377 * elevated trust to perform an action.
379 * A stack walk is done to find the callers. If one of the callers
380 * is either [SecurityCritical] or [SecuritySafeCritical] then the
381 * action is needed for platform code (i.e. no restriction).
382 * Otherwise (transparent) the requested action needs elevated trust
385 mono_security_core_clr_require_elevated_permissions (void)
387 ElevatedTrustCookie cookie;
389 cookie.caller = NULL;
390 mono_stack_walk_no_il (get_caller_of_elevated_trust_code, &cookie);
392 /* return TRUE if the stack walk did not reach far enough or did not find callers */
393 if (!cookie.caller || cookie.depth < 3)
396 /* return TRUE if the caller is transparent, i.e. if elevated trust is required to continue executing the method */
397 return (mono_security_core_clr_method_level (cookie.caller, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT);
401 * check_field_access:
403 * Return TRUE if the caller method can access the specified field, FALSE otherwise.
406 check_field_access (MonoMethod *caller, MonoClassField *field)
408 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
410 MonoClass *klass = (mono_field_get_flags (field) & FIELD_ATTRIBUTE_STATIC) ? NULL : mono_field_get_parent (field);
411 return mono_method_can_access_field_full (caller, field, klass);
417 * check_method_access:
419 * Return TRUE if the caller method can access the specified callee method, FALSE otherwise.
422 check_method_access (MonoMethod *caller, MonoMethod *callee)
424 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
426 MonoClass *klass = (callee->flags & METHOD_ATTRIBUTE_STATIC) ? NULL : callee->klass;
427 return mono_method_can_access_method_full (caller, callee, klass);
433 * get_argument_exception
435 * Helper function to create an MonoException (ArgumentException in
436 * managed-land) and provide a descriptive message for it. This
437 * message is also, optionally, being logged (export
438 * MONO_LOG_MASK="security") for debugging purposes.
440 static MonoException*
441 get_argument_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
444 char *caller_name = mono_method_full_name (caller, TRUE);
445 char *callee_name = mono_method_full_name (callee, TRUE);
446 char *message = g_strdup_printf (format, caller_name, callee_name);
447 g_free (callee_name);
448 g_free (caller_name);
450 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
451 ex = mono_get_exception_argument ("method", message);
458 * get_field_access_exception
460 * Helper function to create an MonoException (FieldAccessException
461 * in managed-land) and provide a descriptive message for it. This
462 * message is also, optionally, being logged (export
463 * MONO_LOG_MASK="security") for debugging purposes.
465 static MonoException*
466 get_field_access_exception (const char *format, MonoMethod *caller, MonoClassField *field)
469 char *caller_name = mono_method_full_name (caller, TRUE);
470 char *field_name = mono_field_full_name (field);
471 char *message = g_strdup_printf (format, caller_name, field_name);
473 g_free (caller_name);
475 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
476 ex = mono_get_exception_field_access_msg (message);
483 * get_method_access_exception
485 * Helper function to create an MonoException (MethodAccessException
486 * in managed-land) and provide a descriptive message for it. This
487 * message is also, optionally, being logged (export
488 * MONO_LOG_MASK="security") for debugging purposes.
490 static MonoException*
491 get_method_access_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
494 char *caller_name = caller ? mono_method_full_name (caller, TRUE) : g_strdup ("no caller found");
495 char *callee_name = mono_method_full_name (callee, TRUE);
496 char *message = g_strdup_printf (format, caller_name, callee_name);
497 g_free (callee_name);
498 g_free (caller_name);
500 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
501 ex = mono_get_exception_method_access_msg (message);
508 * mono_security_core_clr_ensure_reflection_access_field:
510 * Ensure that the specified field can be used with reflection since
511 * Transparent code cannot access to Critical fields and can only use
512 * them if they are visible from it's point of view.
514 * A FieldAccessException is thrown if the field is cannot be accessed.
517 mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field)
519 MonoMethod *caller = get_reflection_caller ();
520 /* CoreCLR restrictions applies to Transparent code/caller */
521 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
524 /* Transparent code cannot [get|set]value on Critical fields */
525 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) == MONO_SECURITY_CORE_CLR_CRITICAL) {
526 mono_raise_exception (get_field_access_exception (
527 "Transparent method %s cannot get or set Critical field %s.",
531 /* also it cannot access a fields that is not visible from it's (caller) point of view */
532 if (!check_field_access (caller, field)) {
533 mono_raise_exception (get_field_access_exception (
534 "Transparent method %s cannot get or set private/internal field %s.",
540 * mono_security_core_clr_ensure_reflection_access_method:
542 * Ensure that the specified method can be used with reflection since
543 * Transparent code cannot call Critical methods and can only call them
544 * if they are visible from it's point of view.
546 * A MethodAccessException is thrown if the field is cannot be accessed.
549 mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method)
551 MonoMethod *caller = get_reflection_caller ();
552 /* CoreCLR restrictions applies to Transparent code/caller */
553 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
556 /* Transparent code cannot invoke, even using reflection, Critical code */
557 if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
558 mono_raise_exception (get_method_access_exception (
559 "Transparent method %s cannot invoke Critical method %s.",
563 /* also it cannot invoke a method that is not visible from it's (caller) point of view */
564 if (!check_method_access (caller, method)) {
565 mono_raise_exception (get_method_access_exception (
566 "Transparent method %s cannot invoke private/internal method %s.",
572 * can_avoid_corlib_reflection_delegate_optimization:
574 * Mono's mscorlib use delegates to optimize PropertyInfo and EventInfo
575 * reflection calls. This requires either a bunch of additional, and not
576 * really required, [SecuritySafeCritical] in the class libraries or
577 * (like this) a way to skip them. As a bonus we also avoid the stack
578 * walk to find the caller.
580 * Return TRUE if we can skip this "internal" delegate creation, FALSE
584 can_avoid_corlib_reflection_delegate_optimization (MonoMethod *method)
586 if (!mono_security_core_clr_is_platform_image (method->klass->image))
589 if (strcmp (method->klass->name_space, "System.Reflection") != 0)
592 if (strcmp (method->klass->name, "MonoProperty") == 0) {
593 if ((strcmp (method->name, "GetterAdapterFrame") == 0) || strcmp (method->name, "StaticGetterAdapterFrame") == 0)
595 } else if (strcmp (method->klass->name, "EventInfo") == 0) {
596 if ((strcmp (method->name, "AddEventFrame") == 0) || strcmp (method->name, "StaticAddEventAdapterFrame") == 0)
604 * mono_security_core_clr_ensure_delegate_creation:
606 * Return TRUE if a delegate can be created on the specified method.
607 * CoreCLR also affect the binding, so throwOnBindFailure must be
608 * FALSE to let this function return (FALSE) normally, otherwise (if
609 * throwOnBindFailure is TRUE) it will throw an ArgumentException.
611 * A MethodAccessException is thrown if the specified method is not
612 * visible from the caller point of view.
615 mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, gboolean throwOnBindFailure)
619 /* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
620 if (can_avoid_corlib_reflection_delegate_optimization (method))
623 caller = get_reflection_caller ();
624 /* if the "real" caller is not Transparent then it do can anything */
625 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
628 /* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
629 if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
630 /* but this throws only if 'throwOnBindFailure' is TRUE */
631 if (!throwOnBindFailure)
634 mono_raise_exception (get_argument_exception (
635 "Transparent method %s cannot create a delegate on Critical method %s.",
639 /* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
640 if (!check_method_access (caller, method)) {
641 mono_raise_exception (get_method_access_exception (
642 "Transparent method %s cannot create a delegate on private/internal method %s.",
650 * mono_security_core_clr_ensure_dynamic_method_resolved_object:
652 * Called from mono_reflection_create_dynamic_method (reflection.c) to add some extra checks required for CoreCLR.
653 * Dynamic methods needs to check to see if the objects being used (e.g. methods, fields) comes from platform code
654 * and do an accessibility check in this case. Otherwise (i.e. user/application code) can be used without this extra
655 * accessbility check.
658 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
660 /* XXX find/create test cases for other handle_class XXX */
661 if (handle_class == mono_defaults.fieldhandle_class) {
662 MonoClassField *field = (MonoClassField*) ref;
663 MonoClass *klass = mono_field_get_parent (field);
664 /* fields coming from platform code have extra protection (accessibility check) */
665 if (mono_security_core_clr_is_platform_image (klass->image)) {
666 MonoMethod *caller = get_reflection_caller ();
667 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
668 if (!check_field_access (caller, field)) {
669 return get_field_access_exception (
670 "Dynamic method %s cannot create access private/internal field %s.",
674 } else if (handle_class == mono_defaults.methodhandle_class) {
675 MonoMethod *method = (MonoMethod*) ref;
676 /* methods coming from platform code have extra protection (accessibility check) */
677 if (mono_security_core_clr_is_platform_image (method->klass->image)) {
678 MonoMethod *caller = get_reflection_caller ();
679 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
680 if (!check_method_access (caller, method)) {
681 return get_method_access_exception (
682 "Dynamic method %s cannot create access private/internal method %s.",
691 * mono_security_core_clr_can_access_internals
693 * Check if we allow [InternalsVisibleTo] to work between two images.
696 mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
698 /* are we trying to access internals of a platform assembly ? if not this is acceptable */
699 if (!mono_security_core_clr_is_platform_image (accessed))
702 /* we can't let everyone with the right name and public key token access the internals of platform code.
703 * (Silverlight can rely on the strongname signature of the assemblies, but Mono does not verify them)
704 * However platform code is fully trusted so it can access the internals of other platform code assemblies */
705 if (mono_security_core_clr_is_platform_image (accessing))
708 /* catch-22: System.Xml needs access to mscorlib's internals (e.g. ArrayList) but is not considered platform code.
709 * Promoting it to platform code would create another issue since (both Mono/Moonlight or MS version of)
710 * System.Xml.Linq.dll (an SDK, not platform, assembly) needs access to System.Xml.dll internals (either ).
711 * The solution is to trust, even transparent code, in the plugin directory to access platform code internals */
712 if (!accessed->assembly->basedir || !accessing->assembly->basedir)
714 return (strcmp (accessed->assembly->basedir, accessing->assembly->basedir) == 0);
718 * mono_security_core_clr_is_field_access_allowed
720 * Return a MonoException (FieldccessException in managed-land) if
721 * the access from "caller" to "field" is not valid under CoreCLR -
722 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
726 mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
728 /* there's no restriction to access Transparent or SafeCritical fields, so we only check calls to Critical methods */
729 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) != MONO_SECURITY_CORE_CLR_CRITICAL)
732 /* caller is Critical! only SafeCritical and Critical callers can access the field, so we throw if caller is Transparent */
733 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
736 return get_field_access_exception (
737 "Transparent method %s cannot call use Critical field %s.",
742 * mono_security_core_clr_is_call_allowed
744 * Return a MonoException (MethodAccessException in managed-land) if
745 * the call from "caller" to "callee" is not valid under CoreCLR -
746 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
750 mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
752 /* there's no restriction to call Transparent or SafeCritical code, so we only check calls to Critical methods */
753 if (mono_security_core_clr_method_level (callee, TRUE) != MONO_SECURITY_CORE_CLR_CRITICAL)
756 /* callee is Critical! only SafeCritical and Critical callers can call it, so we throw if the caller is Transparent */
757 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
760 return get_method_access_exception (
761 "Transparent method %s cannot call Critical method %s.",
766 * mono_security_core_clr_level_from_cinfo:
768 * Return the MonoSecurityCoreCLRLevel that match the attribute located
769 * in the specified custom attributes. If no attribute is present it
770 * defaults to MONO_SECURITY_CORE_CLR_TRANSPARENT, which is the default
771 * level for all code under the CoreCLR.
773 static MonoSecurityCoreCLRLevel
774 mono_security_core_clr_level_from_cinfo (MonoCustomAttrInfo *cinfo, MonoImage *image)
776 int level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
778 if (cinfo && mono_custom_attrs_has_attr (cinfo, security_safe_critical_attribute ()))
779 level = MONO_SECURITY_CORE_CLR_SAFE_CRITICAL;
780 if (cinfo && mono_custom_attrs_has_attr (cinfo, security_critical_attribute ()))
781 level = MONO_SECURITY_CORE_CLR_CRITICAL;
787 * mono_security_core_clr_class_level_no_platform_check:
789 * Return the MonoSecurityCoreCLRLevel for the specified class, without
790 * checking for platform code. This help us avoid multiple redundant
792 * - a check for the method and one for the class;
793 * - a check for the class and outer class(es) ...
795 static MonoSecurityCoreCLRLevel
796 mono_security_core_clr_class_level_no_platform_check (MonoClass *class)
798 MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
799 MonoCustomAttrInfo *cinfo = mono_custom_attrs_from_class (class);
801 level = mono_security_core_clr_level_from_cinfo (cinfo, class->image);
802 mono_custom_attrs_free (cinfo);
805 if (level == MONO_SECURITY_CORE_CLR_TRANSPARENT && class->nested_in)
806 level = mono_security_core_clr_class_level_no_platform_check (class->nested_in);
812 * mono_security_core_clr_class_level:
814 * Return the MonoSecurityCoreCLRLevel for the specified class.
816 MonoSecurityCoreCLRLevel
817 mono_security_core_clr_class_level (MonoClass *class)
819 /* non-platform code is always Transparent - whatever the attributes says */
820 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (class->image))
821 return MONO_SECURITY_CORE_CLR_TRANSPARENT;
823 return mono_security_core_clr_class_level_no_platform_check (class);
827 * mono_security_core_clr_method_level:
829 * Return the MonoSecurityCoreCLRLevel for the specified method.
830 * If with_class_level is TRUE then the type (class) will also be
831 * checked, otherwise this will only report the information about
834 MonoSecurityCoreCLRLevel
835 mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
837 MonoCustomAttrInfo *cinfo;
838 MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
840 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
844 /* non-platform code is always Transparent - whatever the attributes says */
845 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (method->klass->image))
848 cinfo = mono_custom_attrs_from_method (method);
850 level = mono_security_core_clr_level_from_cinfo (cinfo, method->klass->image);
851 mono_custom_attrs_free (cinfo);
854 if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
855 level = mono_security_core_clr_class_level (method->klass);
861 * mono_security_core_clr_is_platform_image:
863 * Return the (cached) boolean value indicating if this image represent platform code
866 mono_security_core_clr_is_platform_image (MonoImage *image)
868 return image->core_clr_platform_code;
872 * default_platform_check:
874 * Default platform check. Always TRUE for current corlib (minimum
875 * trust-able subset) otherwise return FALSE. Any real CoreCLR host
876 * should provide its own callback to define platform code (i.e.
877 * this default is meant for test only).
880 default_platform_check (const char *image_name)
882 if (mono_defaults.corlib) {
883 return (strcmp (mono_defaults.corlib->name, image_name) == 0);
885 /* this can get called even before we load corlib (e.g. the EXE itself) */
886 const char *corlib = "mscorlib.dll";
887 int ilen = strlen (image_name);
888 int clen = strlen (corlib);
889 return ((ilen >= clen) && (strcmp ("mscorlib.dll", image_name + ilen - clen) == 0));
893 static MonoCoreClrPlatformCB platform_callback = default_platform_check;
896 * mono_security_core_clr_determine_platform_image:
898 * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
899 * to determine if this image represents platform code.
902 mono_security_core_clr_determine_platform_image (MonoImage *image)
904 return platform_callback (image->name);
908 * mono_security_enable_core_clr:
910 * Enable the verifier and the CoreCLR security model
913 mono_security_enable_core_clr ()
915 mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE);
916 mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR);
920 * mono_security_set_core_clr_platform_callback:
922 * Set the callback function that will be used to determine if an image
923 * is part, or not, of the platform code.
926 mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback)
928 platform_callback = callback;