Code:
/ DotNET / DotNET / 8.0 / untmp / WIN_WINDOWS / lh_tools_devdiv_wpf / Windows / wcp / Framework / MS / Internal / AppModel / PresentationAppDomainManager.cs / 2 / PresentationAppDomainManager.cs
//----------------------------------------------------------------------------
//
//
// Copyright (C) Microsoft Corporation. All rights reserved.
//
//
// Description:
// Implements a custom AppDomainManager.
//
//---------------------------------------------------------------------------
using System;
using System.Net;
using System.Reflection;
using System.Runtime.Remoting;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using System.Runtime.Hosting;
using System.Text;
using MS.Win32;
using MS.Internal;
using MS.Internal.AppModel;
using MS.Internal.Utility;
using MS.Utility;
namespace System.Windows.Interop
{
internal class PresentationHostSecurityManager : HostSecurityManager
{
///
/// Critical - HostSecurityManager..ctor LinkDemand's. This class should not be called directly by PT'ed callers, since it can interfere with
/// the privileges an AppDomain gets.
///
[SecurityCritical]
internal PresentationHostSecurityManager()
{
}
///
/// Critical - because this accesses critical data AppDomain.CurrentDomain.SetupInformation.ActivationArguments
/// and sets BrowserInteropHelper.IsViewer and .IsBrowserHosted.
/// Safe - because this does not expose that string.
///
[SecurityCritical, SecurityTreatAsSafe]
public override ApplicationTrust DetermineApplicationTrust(Evidence applicationEvidence, Evidence activatorEvidence, TrustManagerContext context)
{
if (EventTrace.IsEnabled(EventTrace.Flags.performance, EventTrace.Level.verbose))
{
EventTrace.EventProvider.TraceEvent(
EventTrace.Level.verbose, EventTrace.GuidFromId(EventTraceGuidId.HOSTINGGUID), (byte)EventTrace.HostingEvent.DetermineApplicationTrustStart);
}
ApplicationTrust trust;
Uri activationUri = GetUriFromActivationData(0);
bool isDebug = PresentationAppDomainManager.IsDebug ? true : GetBoolFromActivationData(1);
bool isViewer = GetBoolFromActivationData(2);
BrowserInteropHelper.SetBrowserHosted(true);
BrowserInteropHelper.IsViewer = isViewer;
if (isDebug)
{
context.IgnorePersistedDecision = true;
context.Persist = false;
context.KeepAlive = false;
context.NoPrompt = true;
trust = base.DetermineApplicationTrust(applicationEvidence, activatorEvidence, context);
Uri debugSecurityZoneURL = GetUriFromActivationData(3);
if (debugSecurityZoneURL != null)
{
PermissionSet permissions = trust.DefaultGrantSet.PermissionSet;
trust.DefaultGrantSet.PermissionSet = AddPermissionForUri(permissions, debugSecurityZoneURL);
}
}
else
{
// Defense in depth. Should never get to this point and require this to be
// set, but just in case, we do this so that we will never get a trust
// prompt even if something goes wrong somewhere else.
context.NoPrompt = true;
trust = base.DetermineApplicationTrust(applicationEvidence, activatorEvidence, context);
if (isViewer)
{
PermissionSet permissions = trust.DefaultGrantSet.PermissionSet;
// Remove permissions to the site of origin of the viewer app
permissions.RemovePermission(typeof(WebPermission));
permissions.RemovePermission(typeof(FileIOPermission));
// Remove IsolatedStorageFilePermission; it is not needed.
permissions.RemovePermission(typeof(IsolatedStorageFilePermission));
// If this is a viewer app, the ApplicationTrust returned by base.DetermineApplicationTrust will
// have the permissions appropriate to the viewer app, which is necessary for non-trivial viewer
// apps to function properly. However, in order to access the viewed document, we will need to
// add permission to access the path/URI where the viewed document comes from.
trust.DefaultGrantSet.PermissionSet = AddPermissionForUri(permissions, activationUri);
}
}
if (EventTrace.IsEnabled(EventTrace.Flags.performance, EventTrace.Level.verbose))
{
EventTrace.EventProvider.TraceEvent(
EventTrace.Level.verbose, EventTrace.GuidFromId(EventTraceGuidId.HOSTINGGUID), (byte)EventTrace.HostingEvent.DetermineApplicationTrustEnd);
}
return trust;
}
///
/// Critical - because adds permission to default permissionset granted by trustmanager.
/// Safe - Only gets called in debug and for loose xaml scenario permissions are removed too.
///
[SecurityCritical, SecurityTreatAsSafe]
private PermissionSet AddPermissionForUri(PermissionSet originalPermSet, Uri srcUri)
{
PermissionSet newPermSet = originalPermSet;
if (srcUri != null)
{
Evidence evidence = new Evidence();
evidence.AddHost(new Url(BindUriHelper.UriToString(srcUri))); // important: the parameter must be a UrL object not a UrI object
IMembershipCondition membership = new UrlMembershipCondition(BindUriHelper.UriToString(srcUri));
CodeGroup group = (srcUri.IsFile) ?
(CodeGroup)new FileCodeGroup(membership, FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery)
:(CodeGroup)new NetCodeGroup(membership);
PolicyStatement policy = group.Resolve(evidence);
if (!policy.PermissionSet.IsEmpty())
{
newPermSet = originalPermSet.Union(policy.PermissionSet);
}
}
return newPermSet;
}
///
/// Critical - because this accesses critical data AppDomain.CurrentDomain.SetupInformation.ActivationArguments.
/// Safe - because this does not expose that string.
///
[SecurityCritical, SecurityTreatAsSafe]
private bool GetBoolFromActivationData(int index)
{
bool flag = false; // default
if (AppDomain.CurrentDomain.SetupInformation.ActivationArguments != null &&
AppDomain.CurrentDomain.SetupInformation.ActivationArguments.ActivationData.Length > index)
{
if (AppDomain.CurrentDomain.SetupInformation.ActivationArguments.ActivationData[index] == true.ToString())
{
flag = true;
}
}
return flag;
}
///
/// Critical - because this accesses critical data AppDomain.CurrentDomain.SetupInformation.ActivationArguments.
/// Safe - because this does not expose that string.
///
[SecurityCritical, SecurityTreatAsSafe]
private Uri GetUriFromActivationData(int index)
{
Uri uri = null;
if (AppDomain.CurrentDomain.SetupInformation.ActivationArguments != null &&
AppDomain.CurrentDomain.SetupInformation.ActivationArguments.ActivationData.Length > index)
{
if (!string.IsNullOrEmpty(AppDomain.CurrentDomain.SetupInformation.ActivationArguments.ActivationData[index]))
{
uri = new UriBuilder(AppDomain.CurrentDomain.SetupInformation.ActivationArguments.ActivationData[index]).Uri;
}
}
return uri;
}
}
// This is the custom ApplicationActivator that will be returned by
// the PresentationAppDomainManager.ApplicationActivator property.
// CreateInstance will be called twice: the first time to create
// the new AppDomain, and the second time to create the app inside
// of the new AppDomain.
internal class PresentationApplicationActivator : System.Runtime.Hosting.ApplicationActivator
{
///
/// Critical - because this does an elevation to get the ID string.
/// Safe - because this does not expose that string.
///
[SecurityCritical, SecurityTreatAsSafe]
public override ObjectHandle CreateInstance(ActivationContext actCtx)
{
if (EventTrace.IsEnabled(EventTrace.Flags.performance, EventTrace.Level.verbose))
{
EventTrace.EventProvider.TraceEvent(
EventTrace.Level.verbose, EventTrace.GuidFromId(EventTraceGuidId.HOSTINGGUID), (byte)EventTrace.HostingEvent.ApplicationActivatorCreateInstanceStart,
PresentationAppDomainManager.ActivationUri != null ? PresentationAppDomainManager.ActivationUri.ToString() : string.Empty);
}
ObjectHandle oh;
if (PresentationAppDomainManager.ActivationUri != null)
{
oh = base.CreateInstance(
actCtx,
new string[] {
BindUriHelper.UriToString(PresentationAppDomainManager.ActivationUri),
PresentationAppDomainManager.IsDebug.ToString(),
PresentationAppDomainManager.IsViewer.ToString(),
(PresentationAppDomainManager.DebugSecurityZoneURL == null?
string.Empty
: PresentationAppDomainManager.DebugSecurityZoneURL.ToString())});
}
else
{
oh = base.CreateInstance(actCtx);
}
bool returnAppDomain = false;
try
{
new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert(); // BlessedAssert:
if (AppDomain.CurrentDomain.ActivationContext != null &&
AppDomain.CurrentDomain.ActivationContext.Identity.ToString().Equals(actCtx.Identity.ToString()))
{
returnAppDomain = true;
}
}
finally
{
CodeAccessPermission.RevertAssert();
}
if (EventTrace.IsEnabled(EventTrace.Flags.performance, EventTrace.Level.verbose))
{
EventTrace.EventProvider.TraceEvent(EventTrace.Level.verbose, EventTrace.GuidFromId(EventTraceGuidId.HOSTINGGUID), (byte)EventTrace.HostingEvent.ApplicationActivatorCreateInstanceEnd);
}
if (returnAppDomain)
{
// this is the server domain
return new ObjectHandle(AppDomain.CurrentDomain);
}
else
{
return oh;
}
}
}
// This is a custom AppDomainManager class we're using. We need to set the
// assembly name and class name in the environment for CLR to use it. We
// need to use this to detect new AppDomain creation.
internal class PresentationAppDomainManager : AppDomainManager
{
///
/// Critical: Initializes Critical data
///
[SecurityCritical, SecurityTreatAsSafe]
static PresentationAppDomainManager()
{
if (EventTrace.IsEnabled(EventTrace.Flags.performance, EventTrace.Level.verbose))
{
EventTrace.EventProvider.TraceEvent(EventTrace.Level.verbose, EventTrace.GuidFromId(EventTraceGuidId.HOSTINGGUID), (byte)EventTrace.HostingEvent.AppDomainManagerCctor);
}
_isViewer = new SecurityCriticalDataForSet(false);
}
///
/// Critical: Base class has link demnd and inheritance demand
///
[SecurityCritical]
public PresentationAppDomainManager()
{
}
public override ApplicationActivator ApplicationActivator
{
get
{
if (_appActivator == null)
_appActivator = new PresentationApplicationActivator();
return _appActivator;
}
}
///
/// Critical: This hooks up the assembly filter which we want to prevent arbitrary code from doing.
///
[SecurityCritical]
public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
{
//Hookup the assembly load event
_assemblyFilter = new AssemblyFilter();
AppDomain.CurrentDomain.AssemblyLoad += new AssemblyLoadEventHandler(_assemblyFilter.FilterCallback);
}
///
/// Critical - get: Discloses a HostSecurityManager object
///
public override HostSecurityManager HostSecurityManager
{
[SecurityCritical]
get
{
if (_hostsecuritymanager == null)
{
_hostsecuritymanager = new PresentationHostSecurityManager();
}
return _hostsecuritymanager;
}
}
// Creates ApplicationProxyInternal. Creating it from Default domain will
// cause a stack walk for ReflectionPermission which will fail for partial
// trust apps.
///
/// Critical: This calls the critical ApplicationProxyInternal ctor
///
[SecurityCritical]
internal ApplicationProxyInternal CreateApplicationProxyInternal()
{
return new ApplicationProxyInternal();
}
internal static AppDomain NewAppDomain
{
get { return _newAppDomain; }
set { _newAppDomain = value; }
}
internal static bool SaveAppDomain
{
get { return _saveAppDomain; }
set
{
_saveAppDomain = value;
// Allow garbage collection to happen.
_newAppDomain = null;
}
}
internal static Uri ActivationUri
{
get { return _activationUri; }
set { _activationUri = value; }
}
internal static Uri DebugSecurityZoneURL
{
get { return _debugSecurityZoneURL; }
set { _debugSecurityZoneURL = value; }
}
internal static bool IsDebug
{
get { return _isdebug; }
set { _isdebug = value; }
}
///
/// Returns true if the app is a viewer app.
///
///
/// This is critical because setting the viewer status is a critical resource.
///
internal static bool IsViewer
{
get { return _isViewer.Value; }
[SecurityCritical]
set { _isViewer.Value = value; }
}
private static bool _isdebug = false;
private static SecurityCriticalDataForSet _isViewer;
private ApplicationActivator _appActivator = null;
///
/// It holds a HostSecurityManager object, which is critical and can interfere with the permissions that are assigned to an AppDomain.
///
[SecurityCritical]
private HostSecurityManager _hostsecuritymanager = null;
private static AppDomain _newAppDomain;
private static bool _saveAppDomain;
private static Uri _activationUri;
private static Uri _debugSecurityZoneURL;
///
/// Critical: This should not be exposed since it can be used to bring down process
///
[SecurityCritical]
private AssemblyFilter _assemblyFilter;
}
}
// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
// Copyright (c) Microsoft Corporation. All rights reserved.
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- EntryIndex.cs
- DecoderExceptionFallback.cs
- ObservableCollection.cs
- OneWayChannelFactory.cs
- QueryAccessibilityHelpEvent.cs
- IsolatedStorageException.cs
- SQLRoleProvider.cs
- WindowsListView.cs
- LabelAutomationPeer.cs
- UInt32Storage.cs
- basenumberconverter.cs
- ReaderWriterLockWrapper.cs
- NamedPermissionSet.cs
- LiteralControl.cs
- CacheMemory.cs
- RectKeyFrameCollection.cs
- StringUtil.cs
- BindStream.cs
- dsa.cs
- LabelAutomationPeer.cs
- XmlRawWriter.cs
- LogReserveAndAppendState.cs
- precedingquery.cs
- ValidatingPropertiesEventArgs.cs
- SessionEndedEventArgs.cs
- TagNameToTypeMapper.cs
- OperatingSystem.cs
- FormViewInsertedEventArgs.cs
- Annotation.cs
- HandlerFactoryWrapper.cs
- MDIClient.cs
- RegistrySecurity.cs
- XmlQueryStaticData.cs
- ScalarType.cs
- TCPListener.cs
- DataGridViewRowCancelEventArgs.cs
- TemplateControl.cs
- HttpStreamFormatter.cs
- DataGridViewDataErrorEventArgs.cs
- SoapClientProtocol.cs
- SqlGenericUtil.cs
- FontStretch.cs
- CfgSemanticTag.cs
- MissingFieldException.cs
- XmlSchemaComplexContentRestriction.cs
- AuthenticationModuleElement.cs
- XmlSerializer.cs
- RayMeshGeometry3DHitTestResult.cs
- EventLogTraceListener.cs
- MasterPage.cs
- SystemIPv6InterfaceProperties.cs
- DiscoveryInnerClientManaged11.cs
- CommandBindingCollection.cs
- CommonDialog.cs
- AttachedPropertyBrowsableAttribute.cs
- AmbientProperties.cs
- SqlTypesSchemaImporter.cs
- EventListener.cs
- AssemblyResourceLoader.cs
- PolyBezierSegment.cs
- ControlCachePolicy.cs
- loginstatus.cs
- SingleKeyFrameCollection.cs
- KeyValuePair.cs
- PropertyDescriptorGridEntry.cs
- HtmlInputHidden.cs
- FormViewInsertEventArgs.cs
- PropertiesTab.cs
- LogicalExpr.cs
- ToolStripEditorManager.cs
- FixedPageProcessor.cs
- Stylesheet.cs
- DataSvcMapFileSerializer.cs
- DefaultAssemblyResolver.cs
- OciEnlistContext.cs
- TdsValueSetter.cs
- DocumentsTrace.cs
- ExternalCalls.cs
- WebSysDisplayNameAttribute.cs
- BCLDebug.cs
- WindowsIPAddress.cs
- HandleRef.cs
- PenThreadWorker.cs
- SetStoryboardSpeedRatio.cs
- OperationPerformanceCounters.cs
- AssemblyBuilder.cs
- StorageBasedPackageProperties.cs
- ComponentChangingEvent.cs
- XmlIterators.cs
- IndependentAnimationStorage.cs
- XmlTextReaderImplHelpers.cs
- SortKey.cs
- HttpListenerException.cs
- WebEventCodes.cs
- XmlDocumentSchema.cs
- MimeMultiPart.cs
- FormatterConverter.cs
- PageAsyncTaskManager.cs
- ToolStripLabel.cs
- Root.cs