Code:
/ DotNET / DotNET / 8.0 / untmp / whidbey / REDBITS / ndp / clr / src / BCL / System / Security / PolicyManager.cs / 1 / PolicyManager.cs
// ==++== // // Copyright (c) Microsoft Corporation. All rights reserved. // // ==--== // // PolicyManager.cs // namespace System.Security { using System.Collections; using System.Globalization; using System.IO; using System.Runtime.CompilerServices; using System.Runtime.Versioning; using System.Security.Util; using System.Security.Policy; using System.Security.Permissions; using System.Text; using System.Threading; internal class PolicyManager { // Only parse the system CAS policy levels when needed. In particular, // we do not use these when the AppDomain is homogeneous for example. private object m_policyLevels; private IList PolicyLevels { get { if (m_policyLevels == null) { ArrayList policyLevels = new ArrayList(); string enterpriseConfig = PolicyLevel.GetLocationFromType(System.Security.PolicyLevelType.Enterprise); policyLevels.Add(new PolicyLevel(System.Security.PolicyLevelType.Enterprise, enterpriseConfig, ConfigId.EnterprisePolicyLevel)); string machineConfig = PolicyLevel.GetLocationFromType(System.Security.PolicyLevelType.Machine); policyLevels.Add(new PolicyLevel(System.Security.PolicyLevelType.Machine, machineConfig, ConfigId.MachinePolicyLevel)); // The user directory could be null if the user does not have a user profile for example. if (Config.UserDirectory != null) { string userConfig = PolicyLevel.GetLocationFromType(System.Security.PolicyLevelType.User); policyLevels.Add(new PolicyLevel(System.Security.PolicyLevelType.User, userConfig, ConfigId.UserPolicyLevel)); } Interlocked.CompareExchange(ref m_policyLevels, policyLevels, null); } return m_policyLevels as ArrayList; } } internal PolicyManager() {} internal void AddLevel (PolicyLevel level) { PolicyLevels.Add(level); } [SecurityPermissionAttribute(SecurityAction.Demand, Flags=SecurityPermissionFlag.ControlPolicy)] internal IEnumerator PolicyHierarchy() { return PolicyLevels.GetEnumerator(); } internal PermissionSet Resolve (Evidence evidence) { // The host might have implemented a ResolvePolicy method in their HostSecurityManager, // so take that into account for non-GAC assemblies. if (!IsGacAssembly(evidence)) { HostSecurityManager securityManager = AppDomain.CurrentDomain.HostSecurityManager; if ((securityManager.Flags & HostSecurityManagerOptions.HostResolvePolicy) == HostSecurityManagerOptions.HostResolvePolicy) return securityManager.ResolvePolicy(evidence); } return ResolveHelper(evidence); } internal PermissionSet ResolveHelper (Evidence evidence) { PermissionSet grant = null; if (IsGacAssembly(evidence)) { // GAC assemblies get FullTrust grant = new PermissionSet(PermissionState.Unrestricted); } else { #if !FEATURE_PAL // In the App security model, the ApplicationTrust applies // to every assembly resolved in this domain ApplicationTrust appTrust = AppDomain.CurrentDomain.ApplicationTrust; if (appTrust != null) { // grant full trust to assemblies in the FullTrust list if (IsFullTrust(evidence, appTrust)) grant = new PermissionSet(PermissionState.Unrestricted); else grant = appTrust.DefaultGrantSet.PermissionSet; } else #endif //!FEATURE_PAL { // Resolve the CAS policy levels on the machine grant = CodeGroupResolve(evidence, false); } } return grant; } internal PermissionSet CodeGroupResolve (Evidence evidence, bool systemPolicy) { PermissionSet grant = null; PolicyStatement policy; PolicyLevel currentLevel = null; IEnumerator levelEnumerator = PolicyLevels.GetEnumerator(); char[] serializedEvidence = MakeEvidenceArray(evidence, false); int count = evidence.Count; bool legacyIgnoreSystemPolicy = (AppDomain.CurrentDomain.GetData("IgnoreSystemPolicy") != null); bool testApplicationLevels = false; while (levelEnumerator.MoveNext()) { currentLevel = (PolicyLevel)levelEnumerator.Current; if (systemPolicy) { if (currentLevel.Type == PolicyLevelType.AppDomain) continue; } else if (legacyIgnoreSystemPolicy && currentLevel.Type != PolicyLevelType.AppDomain) continue; policy = currentLevel.Resolve(evidence, count, serializedEvidence); // If the grant is "AllPossible", the intersection is just the other permission set. // Otherwise, do an inplace intersection (since we know we can alter the grant set since // it is a copy of the first policy statement's permission set). if (grant == null) grant = policy.PermissionSet; else grant.InplaceIntersect(policy.GetPermissionSetNoCopy()); if (grant == null || grant.FastIsEmpty()) { break; } else if ((policy.Attributes & PolicyStatementAttribute.LevelFinal) == PolicyStatementAttribute.LevelFinal) { if (currentLevel.Type != PolicyLevelType.AppDomain) { testApplicationLevels = true; } break; } } if (grant != null && testApplicationLevels) { PolicyLevel appDomainLevel = null; for (int i = PolicyLevels.Count - 1; i >= 0; --i) { currentLevel = (PolicyLevel) PolicyLevels[i]; if (currentLevel.Type == PolicyLevelType.AppDomain) { appDomainLevel = currentLevel; break; } } if (appDomainLevel != null) { policy = appDomainLevel.Resolve(evidence, count, serializedEvidence); grant.InplaceIntersect(policy.GetPermissionSetNoCopy()); } } if (grant == null) grant = new PermissionSet(PermissionState.None); // Each piece of evidence can possibly create an identity permission that we // need to add to our grant set. Therefore, for all pieces of evidence that // implement the IIdentityPermissionFactory interface, ask it for its // adjoining identity permission and add it to the grant. if (!CodeAccessSecurityEngine.DoesFullTrustMeanFullTrust() || !grant.IsUnrestricted()) { IEnumerator enumerator = evidence.GetHostEnumerator(); while (enumerator.MoveNext()) { Object obj = enumerator.Current; IIdentityPermissionFactory factory = obj as IIdentityPermissionFactory; if (factory != null) { IPermission perm = factory.CreateIdentityPermission( evidence ); if (perm != null) grant.AddPermission( perm ); } } } grant.IgnoreTypeLoadFailures = true; return grant; } internal static bool IsGacAssembly (Evidence evidence) { return new GacMembershipCondition().Check(evidence); } #if !FEATURE_PAL private static bool IsFullTrust (Evidence evidence, ApplicationTrust appTrust) { if (appTrust == null) return false; StrongName[] fullTrustAssemblies = appTrust.FullTrustAssemblies; if (fullTrustAssemblies != null) { for (int index = 0; index < fullTrustAssemblies.Length; index++) { if (fullTrustAssemblies[index] != null) { StrongNameMembershipCondition sn = new StrongNameMembershipCondition(fullTrustAssemblies[index].PublicKey, fullTrustAssemblies[index].Name, fullTrustAssemblies[index].Version); if (sn.Check(evidence)) return true; } } } return false; } #endif //!FEATURE_PAL internal IEnumerator ResolveCodeGroups (Evidence evidence) { ArrayList accumList = new ArrayList(); IEnumerator levelEnumerator = PolicyLevels.GetEnumerator(); while (levelEnumerator.MoveNext()) { CodeGroup temp = ((PolicyLevel)levelEnumerator.Current).ResolveMatchingCodeGroups(evidence); if (temp != null) accumList.Add(temp); } return accumList.GetEnumerator(0, accumList.Count); } internal void Save () { EncodeLevel(Environment.GetResourceString("Policy_PL_Enterprise")); EncodeLevel(Environment.GetResourceString("Policy_PL_Machine")); EncodeLevel(Environment.GetResourceString("Policy_PL_User")); } private void EncodeLevel (string label) { for (int i = 0; i < PolicyLevels.Count; ++i) { PolicyLevel currentLevel = (PolicyLevel) PolicyLevels[i]; if (currentLevel.Label.Equals(label)) { EncodeLevel(currentLevel); return; } } } internal static void EncodeLevel (PolicyLevel level) { SecurityElement elConf = new SecurityElement("configuration"); SecurityElement elMscorlib = new SecurityElement("mscorlib"); SecurityElement elSecurity = new SecurityElement("security"); SecurityElement elPolicy = new SecurityElement("policy"); elConf.AddChild(elMscorlib); elMscorlib.AddChild(elSecurity); elSecurity.AddChild(elPolicy); elPolicy.AddChild(level.ToXml()); try { StringBuilder sb = new StringBuilder(); Encoding encoding = Encoding.UTF8; SecurityElement format = new SecurityElement("xml"); format.m_type = SecurityElementType.Format; format.AddAttribute("version", "1.0"); format.AddAttribute("encoding", encoding.WebName); sb.Append(format.ToString()); sb.Append(elConf.ToString()); byte[] data = encoding.GetBytes(sb.ToString()); // Write out the new config. if (level.Path == null || !Config.SaveDataByte(level.Path, data, 0, data.Length)) throw new PolicyException(String.Format(CultureInfo.CurrentCulture, Environment.GetResourceString("Policy_UnableToSave"), level.Label)); } catch (Exception e) { if (e is PolicyException) throw e; else throw new PolicyException(String.Format(CultureInfo.CurrentCulture, Environment.GetResourceString("Policy_UnableToSave"), level.Label), e); } catch { throw new PolicyException(String.Format(CultureInfo.CurrentCulture, Environment.GetResourceString("Policy_UnableToSave"), level.Label)); } Config.ResetCacheData(level.ConfigId); if (CanUseQuickCache(level.RootCodeGroup)) Config.SetQuickCache(level.ConfigId, GenerateQuickCache(level)); } // Here is the managed portion of the QuickCache code. It // is mainly concerned with detecting whether it is valid // for us to use the quick cache, and then calculating the // proper mapping of partial evidence to partial mapping. // // The choice of the partial evidence sets is fairly arbitrary // and in this case is tailored to give us meaningful // results from default policy. // // The choice of whether or not we can use the quick cache // is far from arbitrary. There are a number of conditions that must // be true for the QuickCache to produce valid result. These // are: // // * equivalent evidence objects must produce the same // grant set (i.e. it must be independent of time of day, // space on the harddisk, other "external" factors, and // cannot be random). // // * evidence must be used positively (i.e. if evidence A grants // permission X, then evidence A+B must grant at least permission // X). // // In particular for our implementation, this means that we // limit the classes that can be used by policy to just // the ones defined within mscorlib and that there are // no Exclusive bits set on any code groups. internal static bool CanUseQuickCache (CodeGroup group) { ArrayList list = new ArrayList(); list.Add(group); for (int i = 0; i < list.Count; ++i) { group = (CodeGroup)list[i]; IUnionSemanticCodeGroup unionGroup = group as IUnionSemanticCodeGroup; if (unionGroup != null) { if (!TestPolicyStatement(group.PolicyStatement)) return false; } else { return false; } IMembershipCondition cond = group.MembershipCondition; if (cond != null && !(cond is IConstantMembershipCondition)) { return false; } IList children = group.Children; if (children != null && children.Count > 0) { IEnumerator enumerator = children.GetEnumerator(); while (enumerator.MoveNext()) { list.Add(enumerator.Current); } } } return true; } private static bool TestPolicyStatement (PolicyStatement policy) { if (policy == null) return true; return (policy.Attributes & PolicyStatementAttribute.Exclusive) == 0; } private static QuickCacheEntryType GenerateQuickCache (PolicyLevel level) { QuickCacheEntryType[] FullTrustMap = new QuickCacheEntryType[] { QuickCacheEntryType.FullTrustZoneMyComputer, QuickCacheEntryType.FullTrustZoneIntranet, QuickCacheEntryType.FullTrustZoneInternet, QuickCacheEntryType.FullTrustZoneTrusted, QuickCacheEntryType.FullTrustZoneUntrusted }; QuickCacheEntryType accumulator = (QuickCacheEntryType)0; Evidence noEvidence = new Evidence(); PermissionSet policy = null; try { policy = level.Resolve( noEvidence ).PermissionSet; if (policy.IsUnrestricted()) accumulator |= QuickCacheEntryType.FullTrustAll; } catch (PolicyException) { } Array zones = Enum.GetValues( typeof( SecurityZone ) ); for (int i = 0; i < zones.Length; ++i) { if (((SecurityZone)zones.GetValue( i )) == SecurityZone.NoZone) continue; Evidence zoneEvidence = new Evidence(); zoneEvidence.AddHost( new Zone( (SecurityZone)zones.GetValue( i ) ) ); PermissionSet zonePolicy = null; try { zonePolicy = level.Resolve( zoneEvidence ).PermissionSet; if (zonePolicy.IsUnrestricted()) accumulator |= FullTrustMap[i]; } catch (PolicyException) { } } return accumulator; } internal static char[] MakeEvidenceArray (Evidence evidence, bool verbose) { // We only support caching on our built-in evidence types (excluding hash b/c it would // make our caching scheme just match up the same assembly from the same location which // doesn't gain us anything). IEnumerator enumerator = evidence.GetEnumerator(); int requiredLength = 0; while (enumerator.MoveNext()) { IBuiltInEvidence obj = enumerator.Current as IBuiltInEvidence; if (obj == null) return null; requiredLength += obj.GetRequiredSize(verbose); } enumerator.Reset(); char[] buffer = new char[requiredLength]; int position = 0; while (enumerator.MoveNext()) { position = ((IBuiltInEvidence)enumerator.Current).OutputToBuffer(buffer, position, verbose); } return buffer; } #if _DEBUG [MethodImplAttribute(MethodImplOptions.InternalCall)] internal static extern int _DebugOut(String file, String message); #endif } }
Link Menu
This book is available now!
Buy at Amazon US or
Buy at Amazon UK
- CmsUtils.cs
- CmsInterop.cs
- EntityCollection.cs
- SQLDouble.cs
- ComponentCommands.cs
- sitestring.cs
- BitmapMetadataEnumerator.cs
- peersecurityelement.cs
- SolidColorBrush.cs
- RubberbandSelector.cs
- UserInitiatedRoutedEventPermission.cs
- ComponentManagerBroker.cs
- UnsafeNativeMethods.cs
- NullableConverter.cs
- SmtpAuthenticationManager.cs
- CompensationHandlingFilter.cs
- SafeRegistryHandle.cs
- VectorAnimationBase.cs
- ObjectManager.cs
- EventPrivateKey.cs
- ExpressionBuilderContext.cs
- IFormattable.cs
- IgnoreFileBuildProvider.cs
- ViewCellRelation.cs
- ValueType.cs
- TableCell.cs
- ExtentKey.cs
- ForwardPositionQuery.cs
- GenericWebPart.cs
- ObsoleteAttribute.cs
- HelloMessageCD1.cs
- basenumberconverter.cs
- XmlAnyElementAttributes.cs
- LineMetrics.cs
- MarginsConverter.cs
- RootProfilePropertySettingsCollection.cs
- FileStream.cs
- ApplicationContext.cs
- NameTable.cs
- WebControlAdapter.cs
- MultipleViewPatternIdentifiers.cs
- XmlSchemaSimpleContent.cs
- RadioButtonDesigner.cs
- DataStorage.cs
- X509Extension.cs
- CallbackValidatorAttribute.cs
- DataServiceRequest.cs
- ResponseBodyWriter.cs
- IndexedEnumerable.cs
- FontSizeConverter.cs
- BypassElement.cs
- QuaternionValueSerializer.cs
- CallContext.cs
- WebPageTraceListener.cs
- MenuAdapter.cs
- WebPartManagerInternals.cs
- Serializer.cs
- EntityTransaction.cs
- RuntimeCompatibilityAttribute.cs
- TextRangeEditLists.cs
- HttpCookiesSection.cs
- UnsafeCollabNativeMethods.cs
- HttpModuleActionCollection.cs
- HttpResponse.cs
- FillErrorEventArgs.cs
- ParenExpr.cs
- TagPrefixAttribute.cs
- RequiredFieldValidator.cs
- DataGridCaption.cs
- EntityDataSource.cs
- IODescriptionAttribute.cs
- BehaviorEditorPart.cs
- ProfileBuildProvider.cs
- WorkflowView.cs
- XmlCharType.cs
- UnsafeNativeMethods.cs
- ConstructorNeedsTagAttribute.cs
- DynamicILGenerator.cs
- PolicyLevel.cs
- RestHandler.cs
- SHA512Managed.cs
- AdPostCacheSubstitution.cs
- BinaryParser.cs
- ControlHelper.cs
- ReturnEventArgs.cs
- XmlWrappingWriter.cs
- JsonFormatGeneratorStatics.cs
- QueueProcessor.cs
- GenericQueueSurrogate.cs
- CodeEventReferenceExpression.cs
- GlyphingCache.cs
- DataGridViewDataConnection.cs
- TimeoutHelper.cs
- IsolatedStorageFile.cs
- DataGridViewCellFormattingEventArgs.cs
- WizardStepBase.cs
- LoginName.cs
- XmlAttributeAttribute.cs
- PropertyGridEditorPart.cs
- EncodingTable.cs