* Sebastien Pouliot <sebastien@ximian.com>
*
* Copyright 2007-2010 Novell, Inc (http://www.novell.com)
+ * Licensed under the MIT license. See LICENSE file in the project root for full license information.
*/
#include <mono/metadata/class-internals.h>
#include <mono/metadata/object.h>
#include <mono/metadata/exception.h>
#include <mono/metadata/debug-helpers.h>
-#include <mono/utils/mono-logger-internal.h>
+#include <mono/utils/mono-logger-internals.h>
#include "security-core-clr.h"
gboolean mono_security_core_clr_test = FALSE;
-static MonoClass*
-security_critical_attribute (void)
+static MonoSecurityCoreCLROptions security_core_clr_options = MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT;
+
+/**
+ * mono_security_core_clr_set_options:
+ * @options: the new options for the coreclr system to use
+ *
+ * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
+ * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
+ * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
+ * This function allows specific relaxations from the default behaviour to be set.
+ *
+ * Use MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT for the default coreclr coreclr behaviour as used in Moonlight.
+ *
+ * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION to allow transparent code to execute methods and access
+ * fields that are not in platformcode, even if those methods and fields are private or otherwise not visible to the calling code.
+ *
+ * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE to allow delegates to be created that point at methods that are not in
+ * platformcode even if those methods and fields are private or otherwise not visible to the calling code.
+ *
+ */
+void
+mono_security_core_clr_set_options (MonoSecurityCoreCLROptions options) {
+ security_core_clr_options = options;
+}
+
+/**
+ * mono_security_core_clr_get_options:
+ *
+ * Retrieves the current options used by the coreclr system.
+ */
+
+MonoSecurityCoreCLROptions
+mono_security_core_clr_get_options ()
{
- static MonoClass *class = NULL;
+ return security_core_clr_options;
+}
- if (!class) {
- class = mono_class_from_name (mono_defaults.corlib, "System.Security",
- "SecurityCriticalAttribute");
+/*
+ * default_platform_check:
+ *
+ * Default platform check. Always TRUE for current corlib (minimum
+ * trust-able subset) otherwise return FALSE. Any real CoreCLR host
+ * should provide its own callback to define platform code (i.e.
+ * this default is meant for test only).
+ */
+static gboolean
+default_platform_check (const char *image_name)
+{
+ if (mono_defaults.corlib) {
+ return (strcmp (mono_defaults.corlib->name, image_name) == 0);
+ } else {
+ /* this can get called even before we load corlib (e.g. the EXE itself) */
+ const char *corlib = "mscorlib.dll";
+ int ilen = strlen (image_name);
+ int clen = strlen (corlib);
+ return ((ilen >= clen) && (strcmp ("mscorlib.dll", image_name + ilen - clen) == 0));
}
- g_assert (class);
- return class;
+}
+
+static MonoCoreClrPlatformCB platform_callback = default_platform_check;
+
+/*
+ * mono_security_core_clr_determine_platform_image:
+ *
+ * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
+ * to determine if this image represents platform code.
+ */
+gboolean
+mono_security_core_clr_determine_platform_image (MonoImage *image)
+{
+ return platform_callback (image->name);
+}
+
+/*
+ * mono_security_set_core_clr_platform_callback:
+ *
+ * Set the callback function that will be used to determine if an image
+ * is part, or not, of the platform code.
+ */
+void
+mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback)
+{
+ platform_callback = callback;
+}
+
+/*
+ * mono_security_core_clr_is_platform_image:
+ *
+ * Return the (cached) boolean value indicating if this image represent platform code
+ */
+gboolean
+mono_security_core_clr_is_platform_image (MonoImage *image)
+{
+ return image->core_clr_platform_code;
+}
+
+/* Note: The above functions are outside this guard so that the public API isn't affected. */
+
+#ifndef DISABLE_SECURITY
+
+/* Class lazy loading functions */
+static GENERATE_GET_CLASS_WITH_CACHE (security_critical, System.Security, SecurityCriticalAttribute)
+static GENERATE_GET_CLASS_WITH_CACHE (security_safe_critical, System.Security, SecuritySafeCriticalAttribute)
+
+static MonoClass*
+security_critical_attribute (void)
+{
+ return mono_class_get_security_critical_class ();
}
static MonoClass*
security_safe_critical_attribute (void)
{
- static MonoClass *class = NULL;
+ return mono_class_get_security_safe_critical_class ();
- if (!class) {
- class = mono_class_from_name (mono_defaults.corlib, "System.Security",
- "SecuritySafeCriticalAttribute");
- }
- g_assert (class);
- return class;
}
/* sometime we get a NULL (not found) caller (e.g. get_reflection_caller) */
* debugging purposes.
*/
static void
-set_type_load_exception_type (const char *format, MonoClass *class)
+set_type_load_exception_type (const char *format, MonoClass *klass)
{
- char *type_name = mono_type_get_full_name (class);
- char *parent_name = mono_type_get_full_name (class->parent);
+ char *type_name = mono_type_get_full_name (klass);
+ char *parent_name = mono_type_get_full_name (klass->parent);
char *message = g_strdup_printf (format, type_name, parent_name);
g_free (parent_name);
g_free (type_name);
mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, message);
- mono_class_set_failure (class, MONO_EXCEPTION_TYPE_LOAD, message);
+ mono_class_set_failure (klass, MONO_EXCEPTION_TYPE_LOAD, message);
// note: do not free string given to mono_class_set_failure
}
* Reference: fxcop CA2132 rule
*/
void
-mono_security_core_clr_check_inheritance (MonoClass *class)
+mono_security_core_clr_check_inheritance (MonoClass *klass)
{
MonoSecurityCoreCLRLevel class_level, parent_level;
- MonoClass *parent = class->parent;
+ MonoClass *parent = klass->parent;
if (!parent)
return;
- class_level = mono_security_core_clr_class_level (class);
+ class_level = mono_security_core_clr_class_level (klass);
parent_level = mono_security_core_clr_class_level (parent);
if (class_level < parent_level) {
set_type_load_exception_type (
"Inheritance failure for type %s. Parent class %s is more restricted.",
- class);
+ klass);
} else {
MonoMethod *parent_ctor = get_default_ctor (parent);
if (parent_ctor && ((parent_ctor->flags & METHOD_ATTRIBUTE_PUBLIC) != 0)) {
- class_level = mono_security_core_clr_method_level (get_default_ctor (class), FALSE);
+ class_level = mono_security_core_clr_method_level (get_default_ctor (klass), FALSE);
parent_level = mono_security_core_clr_method_level (parent_ctor, FALSE);
if (class_level < parent_level) {
set_type_load_exception_type (
"Inheritance failure for type %s. Default constructor security mismatch with %s.",
- class);
+ klass);
}
}
}
* Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
*/
void
-mono_security_core_clr_check_override (MonoClass *class, MonoMethod *override, MonoMethod *base)
+mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
{
MonoSecurityCoreCLRLevel base_level = mono_security_core_clr_method_level (base, FALSE);
MonoSecurityCoreCLRLevel override_level = mono_security_core_clr_method_level (override, FALSE);
static gboolean
get_caller_no_reflection_related (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
{
- MonoMethod **dest = data;
+ MonoMethod **dest = (MonoMethod **)data;
const char *ns;
/* skip unmanaged frames */
static gboolean
get_caller_of_elevated_trust_code (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
{
- ElevatedTrustCookie *cookie = data;
+ ElevatedTrustCookie *cookie = (ElevatedTrustCookie *)data;
/* skip unmanaged frames and wrappers */
if (!managed || (m->wrapper_type != MONO_WRAPPER_NONE))
}
-static MonoSecurityCoreCLROptions security_core_clr_options = MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT;
-
-/*
- * mono_security_core_clr_set_options
- *
- * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
- * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
- * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
- * this function allows specific relaxations from the default behaviour to be set.
- */
-
-void
-mono_security_core_clr_set_options (MonoSecurityCoreCLROptions options) {
- security_core_clr_options = options;
-}
-
-MonoSecurityCoreCLROptions
-mono_security_core_clr_get_options ()
-{
- return security_core_clr_options;
-}
-
-
/*
* check_field_access:
*
* Transparent code cannot access to Critical fields and can only use
* them if they are visible from it's point of view.
*
- * A FieldAccessException is thrown if the field is cannot be accessed.
+ * Returns TRUE if acess is allowed. Otherwise returns FALSE and sets @error to a FieldAccessException if the field is cannot be accessed.
*/
-void
-mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field)
+gboolean
+mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
{
+ mono_error_init (error);
MonoMethod *caller = get_reflection_caller ();
/* CoreCLR restrictions applies to Transparent code/caller */
if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
- return;
+ return TRUE;
if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
if (!mono_security_core_clr_is_platform_image (mono_field_get_parent(field)->image))
- return;
+ return TRUE;
}
/* Transparent code cannot [get|set]value on Critical fields */
if (mono_security_core_clr_class_level (mono_field_get_parent (field)) == MONO_SECURITY_CORE_CLR_CRITICAL) {
- mono_raise_exception (get_field_access_exception (
+ mono_error_set_exception_instance (error, get_field_access_exception (
"Transparent method %s cannot get or set Critical field %s.",
caller, field));
+ return FALSE;
}
/* also it cannot access a fields that is not visible from it's (caller) point of view */
if (!check_field_access (caller, field)) {
- mono_raise_exception (get_field_access_exception (
+ mono_error_set_exception_instance (error, get_field_access_exception (
"Transparent method %s cannot get or set private/internal field %s.",
caller, field));
+ return FALSE;
}
+ return TRUE;
}
/*
* Transparent code cannot call Critical methods and can only call them
* if they are visible from it's point of view.
*
- * A MethodAccessException is thrown if the field is cannot be accessed.
+ * If access is allowed returns TRUE. Returns FALSE and sets @error to a MethodAccessException if the field is cannot be accessed.
*/
-void
-mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method)
+gboolean
+mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
{
+ mono_error_init (error);
MonoMethod *caller = get_reflection_caller ();
/* CoreCLR restrictions applies to Transparent code/caller */
if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
- return;
+ return TRUE;
if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
if (!mono_security_core_clr_is_platform_image (method->klass->image))
- return;
+ return TRUE;
}
/* Transparent code cannot invoke, even using reflection, Critical code */
if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
- mono_raise_exception (get_method_access_exception (
+ mono_error_set_exception_instance (error, get_method_access_exception (
"Transparent method %s cannot invoke Critical method %s.",
caller, method));
+ return FALSE;
}
/* also it cannot invoke a method that is not visible from it's (caller) point of view */
if (!check_method_access (caller, method)) {
- mono_raise_exception (get_method_access_exception (
+ mono_error_set_exception_instance (error, get_method_access_exception (
"Transparent method %s cannot invoke private/internal method %s.",
caller, method));
+ return FALSE;
}
+ return TRUE;
}
/*
/*
* mono_security_core_clr_ensure_delegate_creation:
*
- * Return TRUE if a delegate can be created on the specified method.
- * CoreCLR also affect the binding, so throwOnBindFailure must be
- * FALSE to let this function return (FALSE) normally, otherwise (if
- * throwOnBindFailure is TRUE) it will throw an ArgumentException.
+ * Return TRUE if a delegate can be created on the specified
+ * method. CoreCLR can also affect the binding, this function may
+ * return (FALSE) and set @error to an ArgumentException.
*
- * A MethodAccessException is thrown if the specified method is not
+ * @error is set to a MethodAccessException if the specified method is not
* visible from the caller point of view.
*/
gboolean
-mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, gboolean throwOnBindFailure)
+mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
{
MonoMethod *caller;
+ mono_error_init (error);
+
/* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
if (can_avoid_corlib_reflection_delegate_optimization (method))
return TRUE;
/* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
- /* but this throws only if 'throwOnBindFailure' is TRUE */
- if (!throwOnBindFailure)
- return FALSE;
-
- mono_raise_exception (get_argument_exception (
+ mono_error_set_exception_instance (error, get_argument_exception (
"Transparent method %s cannot create a delegate on Critical method %s.",
caller, method));
+ return FALSE;
}
- if (mono_security_core_clr_get_options() & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE) {
+ if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE) {
if (!mono_security_core_clr_is_platform_image (method->klass->image))
return TRUE;
}
/* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
if (!check_method_access (caller, method)) {
- mono_raise_exception (get_method_access_exception (
+ mono_error_set_exception_instance (error, get_method_access_exception (
"Transparent method %s cannot create a delegate on private/internal method %s.",
caller, method));
+ return FALSE;
}
return TRUE;
if (cinfo && mono_custom_attrs_has_attr (cinfo, security_critical_attribute ()))
level = MONO_SECURITY_CORE_CLR_CRITICAL;
- return level;
+ return (MonoSecurityCoreCLRLevel)level;
}
/*
* - a check for the class and outer class(es) ...
*/
static MonoSecurityCoreCLRLevel
-mono_security_core_clr_class_level_no_platform_check (MonoClass *class)
+mono_security_core_clr_class_level_no_platform_check (MonoClass *klass)
{
MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
- MonoCustomAttrInfo *cinfo = mono_custom_attrs_from_class (class);
+ MonoCustomAttrInfo *cinfo = mono_custom_attrs_from_class (klass);
if (cinfo) {
- level = mono_security_core_clr_level_from_cinfo (cinfo, class->image);
+ level = mono_security_core_clr_level_from_cinfo (cinfo, klass->image);
mono_custom_attrs_free (cinfo);
}
- if (level == MONO_SECURITY_CORE_CLR_TRANSPARENT && class->nested_in)
- level = mono_security_core_clr_class_level_no_platform_check (class->nested_in);
+ if (level == MONO_SECURITY_CORE_CLR_TRANSPARENT && klass->nested_in)
+ level = mono_security_core_clr_class_level_no_platform_check (klass->nested_in);
return level;
}
* Return the MonoSecurityCoreCLRLevel for the specified class.
*/
MonoSecurityCoreCLRLevel
-mono_security_core_clr_class_level (MonoClass *class)
+mono_security_core_clr_class_level (MonoClass *klass)
{
/* non-platform code is always Transparent - whatever the attributes says */
- if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (class->image))
+ if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (klass->image))
return MONO_SECURITY_CORE_CLR_TRANSPARENT;
- return mono_security_core_clr_class_level_no_platform_check (class);
+ return mono_security_core_clr_class_level_no_platform_check (klass);
+}
+
+/*
+ * mono_security_core_clr_field_level:
+ *
+ * Return the MonoSecurityCoreCLRLevel for the specified field.
+ * If with_class_level is TRUE then the type (class) will also be
+ * checked, otherwise this will only report the information about
+ * the field itself.
+ */
+MonoSecurityCoreCLRLevel
+mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
+{
+ MonoCustomAttrInfo *cinfo;
+ MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
+
+ /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
+ if (!field)
+ return level;
+
+ /* non-platform code is always Transparent - whatever the attributes says */
+ if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (field->parent->image))
+ return level;
+
+ cinfo = mono_custom_attrs_from_field (field->parent, field);
+ if (cinfo) {
+ level = mono_security_core_clr_level_from_cinfo (cinfo, field->parent->image);
+ mono_custom_attrs_free (cinfo);
+ }
+
+ if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
+ level = mono_security_core_clr_class_level (field->parent);
+
+ return level;
}
/*
}
/*
- * mono_security_core_clr_is_platform_image:
+ * mono_security_enable_core_clr:
*
- * Return the (cached) boolean value indicating if this image represent platform code
+ * Enable the verifier and the CoreCLR security model
*/
-gboolean
-mono_security_core_clr_is_platform_image (MonoImage *image)
+void
+mono_security_enable_core_clr ()
{
- return image->core_clr_platform_code;
+ mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE);
+ mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR);
}
-/*
- * default_platform_check:
- *
- * Default platform check. Always TRUE for current corlib (minimum
- * trust-able subset) otherwise return FALSE. Any real CoreCLR host
- * should provide its own callback to define platform code (i.e.
- * this default is meant for test only).
- */
-static gboolean
-default_platform_check (const char *image_name)
+#else
+
+void
+mono_security_core_clr_check_inheritance (MonoClass *klass)
{
- if (mono_defaults.corlib) {
- return (strcmp (mono_defaults.corlib->name, image_name) == 0);
- } else {
- /* this can get called even before we load corlib (e.g. the EXE itself) */
- const char *corlib = "mscorlib.dll";
- int ilen = strlen (image_name);
- int clen = strlen (corlib);
- return ((ilen >= clen) && (strcmp ("mscorlib.dll", image_name + ilen - clen) == 0));
- }
}
-static MonoCoreClrPlatformCB platform_callback = default_platform_check;
+void
+mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
+{
+}
-/*
- * mono_security_core_clr_determine_platform_image:
- *
- * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
- * to determine if this image represents platform code.
- */
gboolean
-mono_security_core_clr_determine_platform_image (MonoImage *image)
+mono_security_core_clr_require_elevated_permissions (void)
{
- return platform_callback (image->name);
+ return FALSE;
+}
+
+gboolean
+mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
+{
+ mono_error_init (error);
+ return TRUE;
}
-/*
- * mono_security_enable_core_clr:
- *
- * Enable the verifier and the CoreCLR security model
- */
void
-mono_security_enable_core_clr ()
+mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
{
- mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE);
- mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR);
+ mono_error_init (error);
+ return TRUE;
+}
+
+gboolean
+mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
+{
+ mono_error_init (error);
+ return TRUE;
+}
+
+MonoException*
+mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
+{
+ return NULL;
+}
+
+gboolean
+mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
+{
+ return TRUE;
+}
+
+MonoException*
+mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
+{
+ return NULL;
+}
+
+MonoException*
+mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
+{
+ return NULL;
+}
+
+MonoSecurityCoreCLRLevel
+mono_security_core_clr_class_level (MonoClass *klass)
+{
+ return MONO_SECURITY_CORE_CLR_TRANSPARENT;
+}
+
+MonoSecurityCoreCLRLevel
+mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
+{
+ return MONO_SECURITY_CORE_CLR_TRANSPARENT;
+}
+
+MonoSecurityCoreCLRLevel
+mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
+{
+ return MONO_SECURITY_CORE_CLR_TRANSPARENT;
}
-/*
- * mono_security_set_core_clr_platform_callback:
- *
- * Set the callback function that will be used to determine if an image
- * is part, or not, of the platform code.
- */
void
-mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback)
+mono_security_enable_core_clr ()
{
- platform_callback = callback;
}
+#endif /* DISABLE_SECURITY */
projects / mono.git / blobdiff