[mono.git] / mono / metadata / security-core-clr.c

/*
 * security-core-clr.c: CoreCLR security
 *
 * Authors:
 *      Mark Probst <mark.probst@gmail.com>
 *      Sebastien Pouliot  <sebastien@ximian.com>
 *
 * Copyright 2007-2010 Novell, Inc (http://www.novell.com)
 */

#include <mono/metadata/class-internals.h>
#include <mono/metadata/security-manager.h>
#include <mono/metadata/assembly.h>
#include <mono/metadata/appdomain.h>
#include <mono/metadata/verify-internals.h>
#include <mono/metadata/object.h>
#include <mono/metadata/exception.h>
#include <mono/metadata/debug-helpers.h>
#include <mono/utils/mono-logger-internals.h>

#include "security-core-clr.h"

gboolean mono_security_core_clr_test = FALSE;

static MonoSecurityCoreCLROptions security_core_clr_options = MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT;

/**
 * mono_security_core_clr_set_options:
 * @options: the new options for the coreclr system to use
 *
 * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
 * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
 * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
 * This function allows specific relaxations from the default behaviour to be set.
 *
 * Use MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT for the default coreclr coreclr behaviour as used in Moonlight.
 *
 * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION to allow transparent code to execute methods and access 
 * fields that are not in platformcode, even if those methods and fields are private or otherwise not visible to the calling code.
 *
 * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE to allow delegates to be created that point at methods that are not in
 * platformcode even if those methods and fields are private or otherwise not visible to the calling code.
 *
 */
void
mono_security_core_clr_set_options (MonoSecurityCoreCLROptions options) {
        security_core_clr_options = options;
}

/**
 * mono_security_core_clr_get_options:
 *
 * Retrieves the current options used by the coreclr system.
 */

MonoSecurityCoreCLROptions
mono_security_core_clr_get_options ()
{
        return security_core_clr_options;
}

/*
 * default_platform_check:
 *
 *      Default platform check. Always TRUE for current corlib (minimum 
 *      trust-able subset) otherwise return FALSE. Any real CoreCLR host
 *      should provide its own callback to define platform code (i.e.
 *      this default is meant for test only).
 */
static gboolean
default_platform_check (const char *image_name)
{
        if (mono_defaults.corlib) {
                return (strcmp (mono_defaults.corlib->name, image_name) == 0);
        } else {
                /* this can get called even before we load corlib (e.g. the EXE itself) */
                const char *corlib = "mscorlib.dll";
                int ilen = strlen (image_name);
                int clen = strlen (corlib);
                return ((ilen >= clen) && (strcmp ("mscorlib.dll", image_name + ilen - clen) == 0));
        }
}

static MonoCoreClrPlatformCB platform_callback = default_platform_check;

/*
 * mono_security_core_clr_determine_platform_image:
 *
 *  Call the supplied callback (from mono_security_set_core_clr_platform_callback) 
 *  to determine if this image represents platform code.
 */
gboolean
mono_security_core_clr_determine_platform_image (MonoImage *image)
{
        return platform_callback (image->name);
}

/*
 * mono_security_set_core_clr_platform_callback:
 *
 *  Set the callback function that will be used to determine if an image
 *  is part, or not, of the platform code.
 */
void
mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback)
{
        platform_callback = callback;
}

/*
 * mono_security_core_clr_is_platform_image:
 *
 *   Return the (cached) boolean value indicating if this image represent platform code
 */
gboolean
mono_security_core_clr_is_platform_image (MonoImage *image)
{
        return image->core_clr_platform_code;
}

/* Note: The above functions are outside this guard so that the public API isn't affected. */

#ifndef DISABLE_SECURITY

/* Class lazy loading functions */
static GENERATE_GET_CLASS_WITH_CACHE (security_critical, System.Security, SecurityCriticalAttribute)
static GENERATE_GET_CLASS_WITH_CACHE (security_safe_critical, System.Security, SecuritySafeCriticalAttribute)

static MonoClass*
security_critical_attribute (void)
{
        return mono_class_get_security_critical_class ();
}

static MonoClass*
security_safe_critical_attribute (void)
{
        return mono_class_get_security_safe_critical_class ();

}

/* sometime we get a NULL (not found) caller (e.g. get_reflection_caller) */
static char*
get_method_full_name (MonoMethod * method)
{
        return method ? mono_method_full_name (method, TRUE) : g_strdup ("'no caller found'");
}

/*
 * set_type_load_exception_type
 *
 *      Set MONO_EXCEPTION_TYPE_LOAD on the specified 'class' and provide
 *      a descriptive message for the exception. This message is also, 
 *      optionally, being logged (export MONO_LOG_MASK="security") for
 *      debugging purposes.
 */
static void
set_type_load_exception_type (const char *format, MonoClass *klass)
{
        char *type_name = mono_type_get_full_name (klass);
        char *parent_name = mono_type_get_full_name (klass->parent);
        char *message = g_strdup_printf (format, type_name, parent_name);

        g_free (parent_name);
        g_free (type_name);
        
        mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
        mono_class_set_failure (klass, MONO_EXCEPTION_TYPE_LOAD, message);
        // note: do not free string given to mono_class_set_failure
}

/*
 * set_type_load_exception_methods
 *
 *      Set MONO_EXCEPTION_TYPE_LOAD on the 'override' class and provide
 *      a descriptive message for the exception. This message is also, 
 *      optionally, being logged (export MONO_LOG_MASK="security") for
 *      debugging purposes.
 */
static void
set_type_load_exception_methods (const char *format, MonoMethod *override, MonoMethod *base)
{
        char *method_name = get_method_full_name (override);
        char *base_name = get_method_full_name (base);
        char *message = g_strdup_printf (format, method_name, base_name);

        g_free (base_name);
        g_free (method_name);

        mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
        mono_class_set_failure (override->klass, MONO_EXCEPTION_TYPE_LOAD, message);
        // note: do not free string given to mono_class_set_failure
}

/* MonoClass is not fully initialized (inited is not yet == 1) when we 
 * check the inheritance rules so we need to look for the default ctor
 * ourselve to avoid recursion (and aborting)
 */
static MonoMethod*
get_default_ctor (MonoClass *klass)
{
        int i;

        mono_class_setup_methods (klass);
        if (!klass->methods)
                return NULL;

        for (i = 0; i < klass->method.count; ++i) {
                MonoMethodSignature *sig;
                MonoMethod *method = klass->methods [i];

                if (!method)
                        continue;

                if ((method->flags & METHOD_ATTRIBUTE_SPECIAL_NAME) == 0)
                        continue;
                if ((method->name[0] != '.') || strcmp (".ctor", method->name))
                        continue;
                sig = mono_method_signature (method);
                if (sig && (sig->param_count == 0))
                        return method;
        }

        return NULL;
}

/*
 * mono_security_core_clr_check_inheritance:
 *
 *      Determine if the specified class can inherit from its parent using 
 *      the CoreCLR inheritance rules.
 *
 *      Base Type       Allow Derived Type
 *      ------------    ------------------
 *      Transparent     Transparent, SafeCritical, Critical
 *      SafeCritical    SafeCritical, Critical
 *      Critical        Critical
 *
 *      Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
 *
 *      Furthermore a class MUST have a default constructor if its base 
 *      class has a non-transparent, public or protected, default constructor. 
 *      The same inheritance rule applies to both default constructors.
 *
 *      Reference: message from a SecurityException in SL4RC
 *      Reference: fxcop CA2132 rule
 */
void
mono_security_core_clr_check_inheritance (MonoClass *klass)
{
        MonoSecurityCoreCLRLevel class_level, parent_level;
        MonoClass *parent = klass->parent;

        if (!parent)
                return;

        class_level = mono_security_core_clr_class_level (klass);
        parent_level = mono_security_core_clr_class_level (parent);

        if (class_level < parent_level) {
                set_type_load_exception_type (
                        "Inheritance failure for type %s. Parent class %s is more restricted.",
                        klass);
        } else {
                MonoMethod *parent_ctor = get_default_ctor (parent);
                if (parent_ctor && ((parent_ctor->flags & METHOD_ATTRIBUTE_PUBLIC) != 0)) {
                        class_level = mono_security_core_clr_method_level (get_default_ctor (klass), FALSE);
                        parent_level = mono_security_core_clr_method_level (parent_ctor, FALSE);
                        if (class_level < parent_level) {
                                set_type_load_exception_type (
                                        "Inheritance failure for type %s. Default constructor security mismatch with %s.",
                                        klass);
                        }
                }
        }
}

/*
 * mono_security_core_clr_check_override:
 *
 *      Determine if the specified override can "legally" override the 
 *      specified base method using the CoreCLR inheritance rules.
 *
 *      Base (virtual/interface)        Allowed override
 *      ------------------------        -------------------------
 *      Transparent                     Transparent, SafeCritical
 *      SafeCritical                    Transparent, SafeCritical
 *      Critical                        Critical
 *
 *      Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
 */
void
mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
{
        MonoSecurityCoreCLRLevel base_level = mono_security_core_clr_method_level (base, FALSE);
        MonoSecurityCoreCLRLevel override_level = mono_security_core_clr_method_level (override, FALSE);
        /* if the base method is decorated with [SecurityCritical] then the overrided method MUST be too */
        if (base_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
                if (override_level != MONO_SECURITY_CORE_CLR_CRITICAL) {
                        set_type_load_exception_methods (
                                "Override failure for %s over %s. Override MUST be [SecurityCritical].",
                                override, base);
                }
        } else {
                /* base is [SecuritySafeCritical] or [SecurityTransparent], override MUST NOT be [SecurityCritical] */
                if (override_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
                        set_type_load_exception_methods (
                                "Override failure for %s over %s. Override must NOT be [SecurityCritical].", 
                                override, base);
                }
        }
}

/*
 * get_caller_no_reflection_related:
 *
 *      Find the first managed caller that is either:
 *      (a) located outside the platform code assemblies; or
 *      (b) not related to reflection and delegates
 *
 *      Returns TRUE to stop the stackwalk, FALSE to continue to the next frame.
 */
static gboolean
get_caller_no_reflection_related (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
{
        MonoMethod **dest = (MonoMethod **)data;
        const char *ns;

        /* skip unmanaged frames */
        if (!managed)
                return FALSE;

        if (m->wrapper_type != MONO_WRAPPER_NONE)
                return FALSE;

        /* quick out (any namespace not starting with an 'S' */
        ns = m->klass->name_space;
        if (!ns || (*ns != 'S')) {
                *dest = m;
                return TRUE;
        }

        /* stop if the method is not part of platform code */
        if (!mono_security_core_clr_is_platform_image (m->klass->image)) {
                *dest = m;
                return TRUE;
        }

        /* any number of calls inside System.Reflection are allowed */
        if (strcmp (ns, "System.Reflection") == 0)
                return FALSE;

        /* any number of calls inside System.Reflection are allowed */
        if (strcmp (ns, "System.Reflection.Emit") == 0)
                return FALSE;

        /* calls from System.Delegate are also possible and allowed */
        if (strcmp (ns, "System") == 0) {
                const char *kname = m->klass->name;
                if ((*kname == 'A') && (strcmp (kname, "Activator") == 0))
                        return FALSE;

                /* unlike most Invoke* cases InvokeMember is not inside System.Reflection[.Emit] but is SecuritySafeCritical */
                if (((*kname == 'T') && (strcmp (kname, "Type") == 0)) || 
                        ((*kname == 'M') && (strcmp (kname, "MonoType")) == 0)) {

                        /* if calling InvokeMember then we can't stop the stackwalk here and need to look at the caller */
                        if (strcmp (m->name, "InvokeMember") == 0)
                                return FALSE;
                }

                /* the security check on the delegate is made at creation time, not at invoke time */
                if (((*kname == 'D') && (strcmp (kname, "Delegate") == 0)) || 
                        ((*kname == 'M') && (strcmp (kname, "MulticastDelegate")) == 0)) {

                        /* if we're invoking then we can stop our stack walk */
                        if (strcmp (m->name, "DynamicInvoke") != 0)
                                return FALSE;
                }
        }

        if (m == *dest) {
                *dest = NULL;
                return FALSE;
        }

        *dest = m;
        return TRUE;
}

/*
 * get_reflection_caller:
 * 
 *      Walk to the first managed method outside:
 *      - System.Reflection* namespaces
 *      - System.[Multicast]Delegate or Activator type
 *      - platform code
 *      and return a pointer to its MonoMethod.
 *
 *      This is required since CoreCLR checks needs to be done on this "real" caller.
 */
static MonoMethod*
get_reflection_caller (void)
{
        MonoMethod *m = NULL;
        mono_stack_walk_no_il (get_caller_no_reflection_related, &m);
        if (G_UNLIKELY (!m)) {
                mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "No caller outside reflection was found");
        }
        return m;
}

typedef struct {
        int depth;
        MonoMethod *caller;
} ElevatedTrustCookie;

/*
 * get_caller_of_elevated_trust_code
 *
 *      Stack walk to find who is calling code requiring Elevated Trust.
 *      If a critical method is found then the caller is platform code
 *      and has elevated trust, otherwise (transparent) a check needs to
 *      be done (on the managed side) to determine if the application is
 *      running with elevated permissions.
 */
static gboolean
get_caller_of_elevated_trust_code (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
{
        ElevatedTrustCookie *cookie = (ElevatedTrustCookie *)data;

        /* skip unmanaged frames and wrappers */
        if (!managed || (m->wrapper_type != MONO_WRAPPER_NONE))
                return FALSE;

        /* end stack walk if we find ourselves outside platform code (we won't find critical code anymore) */
        if (!mono_security_core_clr_is_platform_image (m->klass->image)) {
                cookie->caller = m;
                return TRUE;
        }

        switch (cookie->depth) {
        /* while depth == 0 look for SecurityManager::[Check|Ensure]ElevatedPermissions */
        case 0:
                if (strcmp (m->klass->name_space, "System.Security"))
                        return FALSE;
                if (strcmp (m->klass->name, "SecurityManager"))
                        return FALSE;
                if ((strcmp (m->name, "EnsureElevatedPermissions")) && strcmp (m->name, "CheckElevatedPermissions"))
                        return FALSE;
                cookie->depth = 1;
                break;
        /* while depth == 1 look for the caller to SecurityManager::[Check|Ensure]ElevatedPermissions */
        case 1:
                /* this frame is [SecuritySafeCritical] because it calls [SecurityCritical] [Check|Ensure]ElevatedPermissions */
                /* the next frame will contain the caller(s) we want to check */
                cookie->depth = 2;
                break;
        /* while depth >= 2 look for [safe]critical caller, end stack walk if we find it  */
        default:
                cookie->depth++;
                /* if the caller is transparent then we continue the stack walk */
                if (mono_security_core_clr_method_level (m, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT)
                        break;

                /* Security[Safe]Critical code is always allowed to call elevated-trust code */
                cookie->caller = m;
                return TRUE;
        }

        return FALSE;
}

/*
 * mono_security_core_clr_require_elevated_permissions:
 *
 *      Return TRUE if the caller of the current method (the code who 
 *      called SecurityManager.get_RequiresElevatedPermissions) needs
 *      elevated trust to perform an action.
 *
 *      A stack walk is done to find the callers. If one of the callers
 *      is either [SecurityCritical] or [SecuritySafeCritical] then the
 *      action is needed for platform code (i.e. no restriction). 
 *      Otherwise (transparent) the requested action needs elevated trust
 */
gboolean
mono_security_core_clr_require_elevated_permissions (void)
{
        ElevatedTrustCookie cookie;
        cookie.depth = 0;
        cookie.caller = NULL;
        mono_stack_walk_no_il (get_caller_of_elevated_trust_code, &cookie);

        /* return TRUE if the stack walk did not reach far enough or did not find callers */
        if (!cookie.caller || cookie.depth < 3)
                return TRUE;

        /* return TRUE if the caller is transparent, i.e. if elevated trust is required to continue executing the method */
        return (mono_security_core_clr_method_level (cookie.caller, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT);
}


/*
 * check_field_access:
 *
 *      Return TRUE if the caller method can access the specified field, FALSE otherwise.
 */
static gboolean
check_field_access (MonoMethod *caller, MonoClassField *field)
{
        /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
        if (caller) {
                MonoError error;
                MonoClass *klass;

                /* this check can occur before the field's type is resolved (and that can fail) */
                mono_field_get_type_checked (field, &error);
                if (!mono_error_ok (&error)) {
                        mono_error_cleanup (&error);
                        return FALSE;
                }

                klass = (mono_field_get_flags (field) & FIELD_ATTRIBUTE_STATIC) ? NULL : mono_field_get_parent (field);
                return mono_method_can_access_field_full (caller, field, klass);
        }
        return FALSE;
}

/*
 * check_method_access:
 *
 *      Return TRUE if the caller method can access the specified callee method, FALSE otherwise.
 */
static gboolean
check_method_access (MonoMethod *caller, MonoMethod *callee)
{
        /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
        if (caller) {
                MonoClass *klass = (callee->flags & METHOD_ATTRIBUTE_STATIC) ? NULL : callee->klass;
                return mono_method_can_access_method_full (caller, callee, klass);
        }
        return FALSE;
}

/*
 * get_argument_exception
 *
 *      Helper function to create an MonoException (ArgumentException in
 *      managed-land) and provide a descriptive message for it. This 
 *      message is also, optionally, being logged (export 
 *      MONO_LOG_MASK="security") for debugging purposes.
 */
static MonoException*
get_argument_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
{
        MonoException *ex;
        char *caller_name = get_method_full_name (caller);
        char *callee_name = get_method_full_name (callee);
        char *message = g_strdup_printf (format, caller_name, callee_name);
        g_free (callee_name);
        g_free (caller_name);

        mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
        ex = mono_get_exception_argument ("method", message);
        g_free (message);

        return ex;
}

/*
 * get_field_access_exception
 *
 *      Helper function to create an MonoException (FieldAccessException
 *      in managed-land) and provide a descriptive message for it. This
 *      message is also, optionally, being logged (export 
 *      MONO_LOG_MASK="security") for debugging purposes.
 */
static MonoException*
get_field_access_exception (const char *format, MonoMethod *caller, MonoClassField *field)
{
        MonoException *ex;
        char *caller_name = get_method_full_name (caller);
        char *field_name = mono_field_full_name (field);
        char *message = g_strdup_printf (format, caller_name, field_name);
        g_free (field_name);
        g_free (caller_name);

        mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
        ex = mono_get_exception_field_access_msg (message);
        g_free (message);

        return ex;
}

/*
 * get_method_access_exception
 *
 *      Helper function to create an MonoException (MethodAccessException
 *      in managed-land) and provide a descriptive message for it. This
 *      message is also, optionally, being logged (export 
 *      MONO_LOG_MASK="security") for debugging purposes.
 */
static MonoException*
get_method_access_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
{
        MonoException *ex;
        char *caller_name = get_method_full_name (caller);
        char *callee_name = get_method_full_name (callee);
        char *message = g_strdup_printf (format, caller_name, callee_name);
        g_free (callee_name);
        g_free (caller_name);

        mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
        ex = mono_get_exception_method_access_msg (message);
        g_free (message);

        return ex;
}

/*
 * mono_security_core_clr_ensure_reflection_access_field:
 *
 *      Ensure that the specified field can be used with reflection since 
 *      Transparent code cannot access to Critical fields and can only use
 *      them if they are visible from it's point of view.
 *
 *      Returns TRUE if acess is allowed.  Otherwise returns FALSE and sets @error to a FieldAccessException if the field is cannot be accessed.
 */
gboolean
mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
{
        mono_error_init (error);
        MonoMethod *caller = get_reflection_caller ();
        /* CoreCLR restrictions applies to Transparent code/caller */
        if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
                return TRUE;

        if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
                if (!mono_security_core_clr_is_platform_image (mono_field_get_parent(field)->image))
                        return TRUE;
        }

        /* Transparent code cannot [get|set]value on Critical fields */
        if (mono_security_core_clr_class_level (mono_field_get_parent (field)) == MONO_SECURITY_CORE_CLR_CRITICAL) {
                mono_error_set_exception_instance (error, get_field_access_exception (
                        "Transparent method %s cannot get or set Critical field %s.", 
                        caller, field));
                return FALSE;
        }

        /* also it cannot access a fields that is not visible from it's (caller) point of view */
        if (!check_field_access (caller, field)) {
                mono_error_set_exception_instance (error, get_field_access_exception (
                        "Transparent method %s cannot get or set private/internal field %s.", 
                        caller, field));
                return FALSE;
        }
        return TRUE;
}

/*
 * mono_security_core_clr_ensure_reflection_access_method:
 *
 *      Ensure that the specified method can be used with reflection since
 *      Transparent code cannot call Critical methods and can only call them
 *      if they are visible from it's point of view.
 *
 *      If access is allowed returns TRUE.  Returns FALSE and sets @error to a MethodAccessException if the field is cannot be accessed.
 */
gboolean
mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
{
        mono_error_init (error);
        MonoMethod *caller = get_reflection_caller ();
        /* CoreCLR restrictions applies to Transparent code/caller */
        if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
                return TRUE;

        if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
                if (!mono_security_core_clr_is_platform_image (method->klass->image))
                        return TRUE;
        }

        /* Transparent code cannot invoke, even using reflection, Critical code */
        if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
                mono_error_set_exception_instance (error, get_method_access_exception (
                        "Transparent method %s cannot invoke Critical method %s.", 
                        caller, method));
                return FALSE;
        }

        /* also it cannot invoke a method that is not visible from it's (caller) point of view */
        if (!check_method_access (caller, method)) {
                mono_error_set_exception_instance (error, get_method_access_exception (
                        "Transparent method %s cannot invoke private/internal method %s.", 
                        caller, method));
                return FALSE;
        }
        return TRUE;
}

/*
 * can_avoid_corlib_reflection_delegate_optimization:
 *
 *      Mono's mscorlib use delegates to optimize PropertyInfo and EventInfo
 *      reflection calls. This requires either a bunch of additional, and not
 *      really required, [SecuritySafeCritical] in the class libraries or 
 *      (like this) a way to skip them. As a bonus we also avoid the stack
 *      walk to find the caller.
 *
 *      Return TRUE if we can skip this "internal" delegate creation, FALSE
 *      otherwise.
 */
static gboolean
can_avoid_corlib_reflection_delegate_optimization (MonoMethod *method)
{
        if (!mono_security_core_clr_is_platform_image (method->klass->image))
                return FALSE;

        if (strcmp (method->klass->name_space, "System.Reflection") != 0)
                return FALSE;

        if (strcmp (method->klass->name, "MonoProperty") == 0) {
                if ((strcmp (method->name, "GetterAdapterFrame") == 0) || strcmp (method->name, "StaticGetterAdapterFrame") == 0)
                        return TRUE;
        } else if (strcmp (method->klass->name, "EventInfo") == 0) {
                if ((strcmp (method->name, "AddEventFrame") == 0) || strcmp (method->name, "StaticAddEventAdapterFrame") == 0)
                        return TRUE;
        }

        return FALSE;
}

/*
 * mono_security_core_clr_ensure_delegate_creation:
 *
 *      Return TRUE if a delegate can be created on the specified
 *      method.  CoreCLR can also affect the binding, this function may
 *      return (FALSE) and set @error to an ArgumentException.
 *
 *      @error is set to a MethodAccessException if the specified method is not
 *      visible from the caller point of view.
 */
gboolean
mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
{
        MonoMethod *caller;

        mono_error_init (error);

        /* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
        if (can_avoid_corlib_reflection_delegate_optimization (method))
                return TRUE;

        caller = get_reflection_caller ();
        /* if the "real" caller is not Transparent then it do can anything */
        if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
                return TRUE;

        /* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
        if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
                mono_error_set_exception_instance (error, get_argument_exception (
                        "Transparent method %s cannot create a delegate on Critical method %s.", 
                        caller, method));
                return FALSE;
        }

        if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE) {
                if (!mono_security_core_clr_is_platform_image (method->klass->image))
                        return TRUE;
        }

        /* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
        if (!check_method_access (caller, method)) {
                mono_error_set_exception_instance (error, get_method_access_exception (
                        "Transparent method %s cannot create a delegate on private/internal method %s.", 
                        caller, method));
                return FALSE;
        }

        return TRUE;
}

/*
 * mono_security_core_clr_ensure_dynamic_method_resolved_object:
 *
 *      Called from mono_reflection_create_dynamic_method (reflection.c) to add some extra checks required for CoreCLR.
 *      Dynamic methods needs to check to see if the objects being used (e.g. methods, fields) comes from platform code
 *      and do an accessibility check in this case. Otherwise (i.e. user/application code) can be used without this extra
 *      accessbility check.
 */
MonoException*
mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
{
        /* XXX find/create test cases for other handle_class XXX */
        if (handle_class == mono_defaults.fieldhandle_class) {
                MonoClassField *field = (MonoClassField*) ref;
                MonoClass *klass = mono_field_get_parent (field);
                /* fields coming from platform code have extra protection (accessibility check) */
                if (mono_security_core_clr_is_platform_image (klass->image)) {
                        MonoMethod *caller = get_reflection_caller ();
                        /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
                        if (!check_field_access (caller, field)) {
                                return get_field_access_exception (
                                        "Dynamic method %s cannot create access private/internal field %s.", 
                                        caller, field);
                        }
                }
        } else if (handle_class == mono_defaults.methodhandle_class) {
                MonoMethod *method = (MonoMethod*) ref;
                /* methods coming from platform code have extra protection (accessibility check) */
                if (mono_security_core_clr_is_platform_image (method->klass->image)) {
                        MonoMethod *caller = get_reflection_caller ();
                        /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
                        if (!check_method_access (caller, method)) {
                                return get_method_access_exception (
                                        "Dynamic method %s cannot create access private/internal method %s.", 
                                        caller, method);
                        }
                }
        }
        return NULL;
}

/*
 * mono_security_core_clr_can_access_internals
 *
 *      Check if we allow [InternalsVisibleTo] to work between two images.
 */
gboolean
mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
{
        /* are we trying to access internals of a platform assembly ? if not this is acceptable */
        if (!mono_security_core_clr_is_platform_image (accessed))
                return TRUE;

        /* we can't let everyone with the right name and public key token access the internals of platform code.
         * (Silverlight can rely on the strongname signature of the assemblies, but Mono does not verify them)
         * However platform code is fully trusted so it can access the internals of other platform code assemblies */
        if (mono_security_core_clr_is_platform_image (accessing))
                return TRUE;

        /* catch-22: System.Xml needs access to mscorlib's internals (e.g. ArrayList) but is not considered platform code.
         * Promoting it to platform code would create another issue since (both Mono/Moonlight or MS version of) 
         * System.Xml.Linq.dll (an SDK, not platform, assembly) needs access to System.Xml.dll internals (either ). 
         * The solution is to trust, even transparent code, in the plugin directory to access platform code internals */
        if (!accessed->assembly->basedir || !accessing->assembly->basedir)
                return FALSE;
        return (strcmp (accessed->assembly->basedir, accessing->assembly->basedir) == 0);
}

/*
 * mono_security_core_clr_is_field_access_allowed
 *
 *      Return a MonoException (FieldccessException in managed-land) if
 *      the access from "caller" to "field" is not valid under CoreCLR -
 *      i.e. a [SecurityTransparent] method calling a [SecurityCritical]
 *      field.
 */
MonoException*
mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
{
        /* there's no restriction to access Transparent or SafeCritical fields, so we only check calls to Critical methods */
        if (mono_security_core_clr_class_level (mono_field_get_parent (field)) != MONO_SECURITY_CORE_CLR_CRITICAL)
                return NULL;

        /* caller is Critical! only SafeCritical and Critical callers can access the field, so we throw if caller is Transparent */
        if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
                return NULL;

        return get_field_access_exception (
                "Transparent method %s cannot call use Critical field %s.", 
                caller, field);
}

/*
 * mono_security_core_clr_is_call_allowed
 *
 *      Return a MonoException (MethodAccessException in managed-land) if
 *      the call from "caller" to "callee" is not valid under CoreCLR -
 *      i.e. a [SecurityTransparent] method calling a [SecurityCritical]
 *      method.
 */
MonoException*
mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
{
        /* there's no restriction to call Transparent or SafeCritical code, so we only check calls to Critical methods */
        if (mono_security_core_clr_method_level (callee, TRUE) != MONO_SECURITY_CORE_CLR_CRITICAL)
                return NULL;

        /* callee is Critical! only SafeCritical and Critical callers can call it, so we throw if the caller is Transparent */
        if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
                return NULL;

        return get_method_access_exception (
                "Transparent method %s cannot call Critical method %s.", 
                caller, callee);
}

/*
 * mono_security_core_clr_level_from_cinfo:
 *
 *      Return the MonoSecurityCoreCLRLevel that match the attribute located
 *      in the specified custom attributes. If no attribute is present it 
 *      defaults to MONO_SECURITY_CORE_CLR_TRANSPARENT, which is the default
 *      level for all code under the CoreCLR.
 */
static MonoSecurityCoreCLRLevel
mono_security_core_clr_level_from_cinfo (MonoCustomAttrInfo *cinfo, MonoImage *image)
{
        int level = MONO_SECURITY_CORE_CLR_TRANSPARENT;

        if (cinfo && mono_custom_attrs_has_attr (cinfo, security_safe_critical_attribute ()))
                level = MONO_SECURITY_CORE_CLR_SAFE_CRITICAL;
        if (cinfo && mono_custom_attrs_has_attr (cinfo, security_critical_attribute ()))
                level = MONO_SECURITY_CORE_CLR_CRITICAL;

        return (MonoSecurityCoreCLRLevel)level;
}

/*
 * mono_security_core_clr_class_level_no_platform_check:
 *
 *      Return the MonoSecurityCoreCLRLevel for the specified class, without 
 *      checking for platform code. This help us avoid multiple redundant 
 *      checks, e.g.
 *      - a check for the method and one for the class;
 *      - a check for the class and outer class(es) ...
 */
static MonoSecurityCoreCLRLevel
mono_security_core_clr_class_level_no_platform_check (MonoClass *klass)
{
        MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
        MonoCustomAttrInfo *cinfo = mono_custom_attrs_from_class (klass);
        if (cinfo) {
                level = mono_security_core_clr_level_from_cinfo (cinfo, klass->image);
                mono_custom_attrs_free (cinfo);
        }

        if (level == MONO_SECURITY_CORE_CLR_TRANSPARENT && klass->nested_in)
                level = mono_security_core_clr_class_level_no_platform_check (klass->nested_in);

        return level;
}

/*
 * mono_security_core_clr_class_level:
 *
 *      Return the MonoSecurityCoreCLRLevel for the specified class.
 */
MonoSecurityCoreCLRLevel
mono_security_core_clr_class_level (MonoClass *klass)
{
        /* non-platform code is always Transparent - whatever the attributes says */
        if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (klass->image))
                return MONO_SECURITY_CORE_CLR_TRANSPARENT;

        return mono_security_core_clr_class_level_no_platform_check (klass);
}

/*
 * mono_security_core_clr_field_level:
 *
 *      Return the MonoSecurityCoreCLRLevel for the specified field.
 *      If with_class_level is TRUE then the type (class) will also be
 *      checked, otherwise this will only report the information about
 *      the field itself.
 */
MonoSecurityCoreCLRLevel
mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
{
        MonoCustomAttrInfo *cinfo;
        MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;

        /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
        if (!field)
                return level;

        /* non-platform code is always Transparent - whatever the attributes says */
        if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (field->parent->image))
                return level;

        cinfo = mono_custom_attrs_from_field (field->parent, field);
        if (cinfo) {
                level = mono_security_core_clr_level_from_cinfo (cinfo, field->parent->image);
                mono_custom_attrs_free (cinfo);
        }

        if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
                level = mono_security_core_clr_class_level (field->parent);

        return level;
}

/*
 * mono_security_core_clr_method_level:
 *
 *      Return the MonoSecurityCoreCLRLevel for the specified method.
 *      If with_class_level is TRUE then the type (class) will also be
 *      checked, otherwise this will only report the information about
 *      the method itself.
 */
MonoSecurityCoreCLRLevel
mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
{
        MonoCustomAttrInfo *cinfo;
        MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;

        /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
        if (!method)
                return level;

        /* non-platform code is always Transparent - whatever the attributes says */
        if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (method->klass->image))
                return level;

        cinfo = mono_custom_attrs_from_method (method);
        if (cinfo) {
                level = mono_security_core_clr_level_from_cinfo (cinfo, method->klass->image);
                mono_custom_attrs_free (cinfo);
        }

        if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
                level = mono_security_core_clr_class_level (method->klass);

        return level;
}

/*
 * mono_security_enable_core_clr:
 *
 *   Enable the verifier and the CoreCLR security model
 */
void
mono_security_enable_core_clr ()
{
        mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE);
        mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR);
}

#else

void
mono_security_core_clr_check_inheritance (MonoClass *klass)
{
}

void
mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
{
}

gboolean
mono_security_core_clr_require_elevated_permissions (void)
{
        return FALSE;
}

gboolean
mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
{
        mono_error_init (error);
        return TRUE;
}

void
mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
{
        mono_error_init (error);
        return TRUE;
}

gboolean
mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
{
        mono_error_init (error);
        return TRUE;
}

MonoException*
mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
{
        return NULL;
}

gboolean
mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
{
        return TRUE;
}

MonoException*
mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
{
        return NULL;
}

MonoException*
mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
{
        return NULL;
}

MonoSecurityCoreCLRLevel
mono_security_core_clr_class_level (MonoClass *klass)
{
        return MONO_SECURITY_CORE_CLR_TRANSPARENT;
}

MonoSecurityCoreCLRLevel
mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
{
        return MONO_SECURITY_CORE_CLR_TRANSPARENT;
}

MonoSecurityCoreCLRLevel
mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
{
        return MONO_SECURITY_CORE_CLR_TRANSPARENT;
}

void
mono_security_enable_core_clr ()
{
}

#endif /* DISABLE_SECURITY */