search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[interp] Small fixes (#11667)
[mono-project.git] / mono / metadata / security-core-clr.c
blobb36cf6886b14e65115682f5f6dc4eacc6da0bdec
1 /**
2 * \file
3 * CoreCLR security
4 *
5 * Authors:
6 * Mark Probst <mark.probst@gmail.com>
7 * Sebastien Pouliot <sebastien@ximian.com>
8 *
9 * Copyright 2007-2010 Novell, Inc (http://www.novell.com)
10 * Licensed under the MIT license. See LICENSE file in the project root for full license information.
11 */
12
13 #include <config.h>
14 #include <mono/metadata/class-init.h>
15 #include <mono/metadata/class-internals.h>
16 #include <mono/metadata/security-manager.h>
17 #include <mono/metadata/assembly.h>
18 #include <mono/metadata/appdomain.h>
19 #include <mono/metadata/verify-internals.h>
20 #include <mono/metadata/object.h>
21 #include <mono/metadata/exception.h>
22 #include <mono/metadata/debug-helpers.h>
23 #include <mono/metadata/reflection-internals.h>
24 #include <mono/utils/mono-logger-internals.h>
25
26 #include "security-core-clr.h"
27
28 gboolean mono_security_core_clr_test = FALSE;
29
30 static MonoSecurityCoreCLROptions security_core_clr_options = MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT;
31
32 /**
33 * mono_security_core_clr_set_options:
34 * \param options the new options for the coreclr system to use
35 *
36 * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
37 * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
38 * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
39 * This function allows specific relaxations from the default behaviour to be set.
40 *
41 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT for the default coreclr coreclr behaviour as used in Moonlight.
42 *
43 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION to allow transparent code to execute methods and access
44 * fields that are not in platformcode, even if those methods and fields are private or otherwise not visible to the calling code.
45 *
46 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE to allow delegates to be created that point at methods that are not in
47 * platformcode even if those methods and fields are private or otherwise not visible to the calling code.
48 *
49 */
50 void
51 mono_security_core_clr_set_options (MonoSecurityCoreCLROptions options) {
52 security_core_clr_options = options;
53 }
54
55 /**
56 * mono_security_core_clr_get_options:
57 *
58 * Retrieves the current options used by the coreclr system.
59 */
60
61 MonoSecurityCoreCLROptions
62 mono_security_core_clr_get_options ()
63 {
64 return security_core_clr_options;
65 }
66
67 /*
68 * default_platform_check:
69 *
70 * Default platform check. Always TRUE for current corlib (minimum
71 * trust-able subset) otherwise return FALSE. Any real CoreCLR host
72 * should provide its own callback to define platform code (i.e.
73 * this default is meant for test only).
74 */
75 static gboolean
76 default_platform_check (const char *image_name)
77 {
78 if (mono_defaults.corlib) {
79 return (strcmp (mono_defaults.corlib->name, image_name) == 0);
80 } else {
81 /* this can get called even before we load corlib (e.g. the EXE itself) */
82 const char *corlib = "mscorlib.dll";
83 int ilen = strlen (image_name);
84 int clen = strlen (corlib);
85 return ((ilen >= clen) && (strcmp ("mscorlib.dll", image_name + ilen - clen) == 0));
86 }
87 }
88
89 static MonoCoreClrPlatformCB platform_callback = default_platform_check;
90
91 /*
92 * mono_security_core_clr_determine_platform_image:
93 *
94 * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
95 * to determine if this image represents platform code.
96 */
97 gboolean
98 mono_security_core_clr_determine_platform_image (MonoImage *image)
99 {
100 return platform_callback (image->name);
101 }
102
103 /*
104 * mono_security_set_core_clr_platform_callback:
105 *
106 * Set the callback function that will be used to determine if an image
107 * is part, or not, of the platform code.
108 */
109 void
110 mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback)
111 {
112 platform_callback = callback;
113 }
114
115 /*
116 * mono_security_core_clr_is_platform_image:
117 *
118 * Return the (cached) boolean value indicating if this image represent platform code
119 */
120 gboolean
121 mono_security_core_clr_is_platform_image (MonoImage *image)
122 {
123 return image->core_clr_platform_code;
124 }
125
126 /* Note: The above functions are outside this guard so that the public API isn't affected. */
127
128 #ifndef DISABLE_SECURITY
129
130 /* Class lazy loading functions */
131 static GENERATE_GET_CLASS_WITH_CACHE (security_critical, "System.Security", "SecurityCriticalAttribute")
132 static GENERATE_GET_CLASS_WITH_CACHE (security_safe_critical, "System.Security", "SecuritySafeCriticalAttribute")
133
134 static MonoClass*
135 security_critical_attribute (void)
136 {
137 return mono_class_get_security_critical_class ();
138 }
139
140 static MonoClass*
141 security_safe_critical_attribute (void)
142 {
143 return mono_class_get_security_safe_critical_class ();
144
145 }
146
147 /* sometime we get a NULL (not found) caller (e.g. get_reflection_caller) */
148 static char*
149 get_method_full_name (MonoMethod * method)
150 {
151 return method ? mono_method_full_name (method, TRUE) : g_strdup ("'no caller found'");
152 }
153
154 /*
155 * set_type_load_exception_type
156 *
157 * Set MONO_EXCEPTION_TYPE_LOAD on the specified 'class' and provide
158 * a descriptive message for the exception. This message is also,
159 * optionally, being logged (export MONO_LOG_MASK="security") for
160 * debugging purposes.
161 */
162 static void
163 set_type_load_exception_type (const char *format, MonoClass *klass)
164 {
165 char *type_name = mono_type_get_full_name (klass);
166 char *parent_name = mono_type_get_full_name (m_class_get_parent (klass));
167 char *message = mono_image_strdup_printf (m_class_get_image (klass), format, type_name, parent_name);
168
169 g_free (parent_name);
170 g_free (type_name);
171
172 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "%s", message);
173 mono_class_set_type_load_failure (klass, "%s", message);
174 // note: do not free string given to mono_class_set_failure
175 }
176
177 /*
178 * set_type_load_exception_methods
179 *
180 * Set MONO_EXCEPTION_TYPE_LOAD on the 'override' class and provide
181 * a descriptive message for the exception. This message is also,
182 * optionally, being logged (export MONO_LOG_MASK="security") for
183 * debugging purposes.
184 */
185 static void
186 set_type_load_exception_methods (const char *format, MonoMethod *override, MonoMethod *base)
187 {
188 char *method_name = get_method_full_name (override);
189 char *base_name = get_method_full_name (base);
190 char *message = mono_image_strdup_printf (m_class_get_image (override->klass), format, method_name, base_name);
191
192 g_free (base_name);
193 g_free (method_name);
194
195 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "%s", message);
196 mono_class_set_type_load_failure (override->klass, "%s", message);
197 // note: do not free string given to mono_class_set_failure
198 }
199
200 /* MonoClass is not fully initialized (inited is not yet == 1) when we
201 * check the inheritance rules so we need to look for the default ctor
202 * ourselve to avoid recursion (and aborting)
203 */
204 static MonoMethod*
205 get_default_ctor (MonoClass *klass)
206 {
207 int i;
208
209 mono_class_setup_methods (klass);
210 if (!m_class_get_methods (klass))
211 return NULL;
212
213 int mcount = mono_class_get_method_count (klass);
214 MonoMethod **klass_methods = m_class_get_methods (klass);
215 for (i = 0; i < mcount; ++i) {
216 MonoMethodSignature *sig;
217 MonoMethod *method = klass_methods [i];
218
219 if (!method)
220 continue;
221
222 if ((method->flags & METHOD_ATTRIBUTE_SPECIAL_NAME) == 0)
223 continue;
224 if ((method->name[0] != '.') || strcmp (".ctor", method->name))
225 continue;
226 sig = mono_method_signature_internal (method);
227 if (sig && (sig->param_count == 0))
228 return method;
229 }
230
231 return NULL;
232 }
233
234 /*
235 * mono_security_core_clr_check_inheritance:
236 *
237 * Determine if the specified class can inherit from its parent using
238 * the CoreCLR inheritance rules.
239 *
240 * Base Type Allow Derived Type
241 * ------------ ------------------
242 * Transparent Transparent, SafeCritical, Critical
243 * SafeCritical SafeCritical, Critical
244 * Critical Critical
245 *
246 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
247 *
248 * Furthermore a class MUST have a default constructor if its base
249 * class has a non-transparent, public or protected, default constructor.
250 * The same inheritance rule applies to both default constructors.
251 *
252 * Reference: message from a SecurityException in SL4RC
253 * Reference: fxcop CA2132 rule
254 */
255 void
256 mono_security_core_clr_check_inheritance (MonoClass *klass)
257 {
258 MonoSecurityCoreCLRLevel class_level, parent_level;
259 MonoClass *parent = m_class_get_parent (klass);
260
261 if (!parent)
262 return;
263
264 class_level = mono_security_core_clr_class_level (klass);
265 parent_level = mono_security_core_clr_class_level (parent);
266
267 if (class_level < parent_level) {
268 set_type_load_exception_type (
269 "Inheritance failure for type %s. Parent class %s is more restricted.",
270 klass);
271 } else {
272 MonoMethod *parent_ctor = get_default_ctor (parent);
273 if (parent_ctor && ((parent_ctor->flags & METHOD_ATTRIBUTE_PUBLIC) != 0)) {
274 class_level = mono_security_core_clr_method_level (get_default_ctor (klass), FALSE);
275 parent_level = mono_security_core_clr_method_level (parent_ctor, FALSE);
276 if (class_level < parent_level) {
277 set_type_load_exception_type (
278 "Inheritance failure for type %s. Default constructor security mismatch with %s.",
279 klass);
280 }
281 }
282 }
283 }
284
285 /*
286 * mono_security_core_clr_check_override:
287 *
288 * Determine if the specified override can "legally" override the
289 * specified base method using the CoreCLR inheritance rules.
290 *
291 * Base (virtual/interface) Allowed override
292 * ------------------------ -------------------------
293 * Transparent Transparent, SafeCritical
294 * SafeCritical Transparent, SafeCritical
295 * Critical Critical
296 *
297 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
298 */
299 void
300 mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
301 {
302 MonoSecurityCoreCLRLevel base_level = mono_security_core_clr_method_level (base, FALSE);
303 MonoSecurityCoreCLRLevel override_level = mono_security_core_clr_method_level (override, FALSE);
304 /* if the base method is decorated with [SecurityCritical] then the overrided method MUST be too */
305 if (base_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
306 if (override_level != MONO_SECURITY_CORE_CLR_CRITICAL) {
307 set_type_load_exception_methods (
308 "Override failure for %s over %s. Override MUST be [SecurityCritical].",
309 override, base);
310 }
311 } else {
312 /* base is [SecuritySafeCritical] or [SecurityTransparent], override MUST NOT be [SecurityCritical] */
313 if (override_level == MONO_SECURITY_CORE_CLR_CRITICAL) {
314 set_type_load_exception_methods (
315 "Override failure for %s over %s. Override must NOT be [SecurityCritical].",
316 override, base);
317 }
318 }
319 }
320
321 /*
322 * get_caller_no_reflection_related:
323 *
324 * Find the first managed caller that is either:
325 * (a) located outside the platform code assemblies; or
326 * (b) not related to reflection and delegates
327 *
328 * Returns TRUE to stop the stackwalk, FALSE to continue to the next frame.
329 */
330 static gboolean
331 get_caller_no_reflection_related (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
332 {
333 MonoMethod **dest = (MonoMethod **)data;
334 const char *ns;
335
336 /* skip unmanaged frames */
337 if (!managed)
338 return FALSE;
339
340 if (m->wrapper_type != MONO_WRAPPER_NONE)
341 return FALSE;
342
343 /* quick out (any namespace not starting with an 'S' */
344 ns = m_class_get_name_space (m->klass);
345 if (!ns || (*ns != 'S')) {
346 *dest = m;
347 return TRUE;
348 }
349
350 /* stop if the method is not part of platform code */
351 if (!mono_security_core_clr_is_platform_image (m_class_get_image (m->klass))) {
352 *dest = m;
353 return TRUE;
354 }
355
356 /* any number of calls inside System.Reflection are allowed */
357 if (strcmp (ns, "System.Reflection") == 0)
358 return FALSE;
359
360 /* any number of calls inside System.Reflection are allowed */
361 if (strcmp (ns, "System.Reflection.Emit") == 0)
362 return FALSE;
363
364 /* calls from System.Delegate are also possible and allowed */
365 if (strcmp (ns, "System") == 0) {
366 const char *kname = m_class_get_name (m->klass);
367 if ((*kname == 'A') && (strcmp (kname, "Activator") == 0))
368 return FALSE;
369
370 /* unlike most Invoke* cases InvokeMember is not inside System.Reflection[.Emit] but is SecuritySafeCritical */
371 if (((*kname == 'T') && (strcmp (kname, "Type") == 0)) ||
372 ((*kname == 'R') && (strcmp (kname, "RuntimeType")) == 0)) {
373
374 /* if calling InvokeMember then we can't stop the stackwalk here and need to look at the caller */
375 if (strcmp (m->name, "InvokeMember") == 0)
376 return FALSE;
377 }
378
379 /* the security check on the delegate is made at creation time, not at invoke time */
380 if (((*kname == 'D') && (strcmp (kname, "Delegate") == 0)) ||
381 ((*kname == 'M') && (strcmp (kname, "MulticastDelegate")) == 0)) {
382
383 /* if we're invoking then we can stop our stack walk */
384 if (strcmp (m->name, "DynamicInvoke") != 0)
385 return FALSE;
386 }
387 }
388
389 if (m == *dest) {
390 *dest = NULL;
391 return FALSE;
392 }
393
394 *dest = m;
395 return TRUE;
396 }
397
398 /*
399 * get_reflection_caller:
400 *
401 * Walk to the first managed method outside:
402 * - System.Reflection* namespaces
403 * - System.[Multicast]Delegate or Activator type
404 * - platform code
405 * and return a pointer to its MonoMethod.
406 *
407 * This is required since CoreCLR checks needs to be done on this "real" caller.
408 */
409 static MonoMethod*
410 get_reflection_caller (void)
411 {
412 MonoMethod *m = NULL;
413 mono_stack_walk_no_il (get_caller_no_reflection_related, &m);
414 if (G_UNLIKELY (!m)) {
415 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "No caller outside reflection was found");
416 }
417 return m;
418 }
419
420 typedef struct {
421 int depth;
422 MonoMethod *caller;
423 } ElevatedTrustCookie;
424
425 /*
426 * get_caller_of_elevated_trust_code
427 *
428 * Stack walk to find who is calling code requiring Elevated Trust.
429 * If a critical method is found then the caller is platform code
430 * and has elevated trust, otherwise (transparent) a check needs to
431 * be done (on the managed side) to determine if the application is
432 * running with elevated permissions.
433 */
434 static gboolean
435 get_caller_of_elevated_trust_code (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
436 {
437 ElevatedTrustCookie *cookie = (ElevatedTrustCookie *)data;
438
439 /* skip unmanaged frames and wrappers */
440 if (!managed || (m->wrapper_type != MONO_WRAPPER_NONE))
441 return FALSE;
442
443 /* end stack walk if we find ourselves outside platform code (we won't find critical code anymore) */
444 if (!mono_security_core_clr_is_platform_image (m_class_get_image (m->klass))) {
445 cookie->caller = m;
446 return TRUE;
447 }
448
449 switch (cookie->depth) {
450 /* while depth == 0 look for SecurityManager::[Check|Ensure]ElevatedPermissions */
451 case 0:
452 if (strcmp (m_class_get_name_space (m->klass), "System.Security"))
453 return FALSE;
454 if (strcmp (m_class_get_name (m->klass), "SecurityManager"))
455 return FALSE;
456 if ((strcmp (m->name, "EnsureElevatedPermissions")) && strcmp (m->name, "CheckElevatedPermissions"))
457 return FALSE;
458 cookie->depth = 1;
459 break;
460 /* while depth == 1 look for the caller to SecurityManager::[Check|Ensure]ElevatedPermissions */
461 case 1:
462 /* this frame is [SecuritySafeCritical] because it calls [SecurityCritical] [Check|Ensure]ElevatedPermissions */
463 /* the next frame will contain the caller(s) we want to check */
464 cookie->depth = 2;
465 break;
466 /* while depth >= 2 look for [safe]critical caller, end stack walk if we find it */
467 default:
468 cookie->depth++;
469 /* if the caller is transparent then we continue the stack walk */
470 if (mono_security_core_clr_method_level (m, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT)
471 break;
472
473 /* Security[Safe]Critical code is always allowed to call elevated-trust code */
474 cookie->caller = m;
475 return TRUE;
476 }
477
478 return FALSE;
479 }
480
481 /*
482 * mono_security_core_clr_require_elevated_permissions:
483 *
484 * Return TRUE if the caller of the current method (the code who
485 * called SecurityManager.get_RequiresElevatedPermissions) needs
486 * elevated trust to perform an action.
487 *
488 * A stack walk is done to find the callers. If one of the callers
489 * is either [SecurityCritical] or [SecuritySafeCritical] then the
490 * action is needed for platform code (i.e. no restriction).
491 * Otherwise (transparent) the requested action needs elevated trust
492 */
493 gboolean
494 mono_security_core_clr_require_elevated_permissions (void)
495 {
496 ElevatedTrustCookie cookie;
497 cookie.depth = 0;
498 cookie.caller = NULL;
499 mono_stack_walk_no_il (get_caller_of_elevated_trust_code, &cookie);
500
501 /* return TRUE if the stack walk did not reach far enough or did not find callers */
502 if (!cookie.caller || cookie.depth < 3)
503 return TRUE;
504
505 /* return TRUE if the caller is transparent, i.e. if elevated trust is required to continue executing the method */
506 return (mono_security_core_clr_method_level (cookie.caller, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT);
507 }
508
509
510 /*
511 * check_field_access:
512 *
513 * Return TRUE if the caller method can access the specified field, FALSE otherwise.
514 */
515 static gboolean
516 check_field_access (MonoMethod *caller, MonoClassField *field)
517 {
518 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
519 if (caller) {
520 ERROR_DECL (error);
521 MonoClass *klass;
522
523 /* this check can occur before the field's type is resolved (and that can fail) */
524 mono_field_get_type_checked (field, error);
525 if (!mono_error_ok (error)) {
526 mono_error_cleanup (error);
527 return FALSE;
528 }
529
530 klass = (mono_field_get_flags (field) & FIELD_ATTRIBUTE_STATIC) ? NULL : mono_field_get_parent (field);
531 return mono_method_can_access_field_full (caller, field, klass);
532 }
533 return FALSE;
534 }
535
536 /*
537 * check_method_access:
538 *
539 * Return TRUE if the caller method can access the specified callee method, FALSE otherwise.
540 */
541 static gboolean
542 check_method_access (MonoMethod *caller, MonoMethod *callee)
543 {
544 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
545 if (caller) {
546 MonoClass *klass = (callee->flags & METHOD_ATTRIBUTE_STATIC) ? NULL : callee->klass;
547 return mono_method_can_access_method_full (caller, callee, klass);
548 }
549 return FALSE;
550 }
551
552 /*
553 * get_argument_exception
554 *
555 * Helper function to create an MonoException (ArgumentException in
556 * managed-land) and provide a descriptive message for it. This
557 * message is also, optionally, being logged (export
558 * MONO_LOG_MASK="security") for debugging purposes.
559 */
560 static MonoException*
561 get_argument_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
562 {
563 MonoException *ex;
564 char *caller_name = get_method_full_name (caller);
565 char *callee_name = get_method_full_name (callee);
566 char *message = g_strdup_printf (format, caller_name, callee_name);
567 g_free (callee_name);
568 g_free (caller_name);
569
570 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "%s", message);
571 ex = mono_get_exception_argument ("method", message);
572 g_free (message);
573
574 return ex;
575 }
576
577 /*
578 * get_field_access_exception
579 *
580 * Helper function to create an MonoException (FieldAccessException
581 * in managed-land) and provide a descriptive message for it. This
582 * message is also, optionally, being logged (export
583 * MONO_LOG_MASK="security") for debugging purposes.
584 */
585 static MonoException*
586 get_field_access_exception (const char *format, MonoMethod *caller, MonoClassField *field)
587 {
588 MonoException *ex;
589 char *caller_name = get_method_full_name (caller);
590 char *field_name = mono_field_full_name (field);
591 char *message = g_strdup_printf (format, caller_name, field_name);
592 g_free (field_name);
593 g_free (caller_name);
594
595 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "%s", message);
596 ex = mono_get_exception_field_access_msg (message);
597 g_free (message);
598
599 return ex;
600 }
601
602 /*
603 * get_method_access_exception
604 *
605 * Helper function to create an MonoException (MethodAccessException
606 * in managed-land) and provide a descriptive message for it. This
607 * message is also, optionally, being logged (export
608 * MONO_LOG_MASK="security") for debugging purposes.
609 */
610 static MonoException*
611 get_method_access_exception (const char *format, MonoMethod *caller, MonoMethod *callee)
612 {
613 MonoException *ex;
614 char *caller_name = get_method_full_name (caller);
615 char *callee_name = get_method_full_name (callee);
616 char *message = g_strdup_printf (format, caller_name, callee_name);
617 g_free (callee_name);
618 g_free (caller_name);
619
620 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "%s", message);
621 ex = mono_get_exception_method_access_msg (message);
622 g_free (message);
623
624 return ex;
625 }
626
627 /*
628 * mono_security_core_clr_ensure_reflection_access_field:
629 *
630 * Ensure that the specified field can be used with reflection since
631 * Transparent code cannot access to Critical fields and can only use
632 * them if they are visible from it's point of view.
633 *
634 * Returns TRUE if acess is allowed. Otherwise returns FALSE and sets @error to a FieldAccessException if the field is cannot be accessed.
635 */
636 gboolean
637 mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
638 {
639 error_init (error);
640 MonoMethod *caller = get_reflection_caller ();
641 /* CoreCLR restrictions applies to Transparent code/caller */
642 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
643 return TRUE;
644
645 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
646 if (!mono_security_core_clr_is_platform_image (m_class_get_image (mono_field_get_parent(field))))
647 return TRUE;
648 }
649
650 /* Transparent code cannot [get|set]value on Critical fields */
651 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) == MONO_SECURITY_CORE_CLR_CRITICAL) {
652 mono_error_set_exception_instance (error, get_field_access_exception (
653 "Transparent method %s cannot get or set Critical field %s.",
654 caller, field));
655 return FALSE;
656 }
657
658 /* also it cannot access a fields that is not visible from it's (caller) point of view */
659 if (!check_field_access (caller, field)) {
660 mono_error_set_exception_instance (error, get_field_access_exception (
661 "Transparent method %s cannot get or set private/internal field %s.",
662 caller, field));
663 return FALSE;
664 }
665 return TRUE;
666 }
667
668 /*
669 * mono_security_core_clr_ensure_reflection_access_method:
670 *
671 * Ensure that the specified method can be used with reflection since
672 * Transparent code cannot call Critical methods and can only call them
673 * if they are visible from it's point of view.
674 *
675 * If access is allowed returns TRUE. Returns FALSE and sets @error to a MethodAccessException if the field is cannot be accessed.
676 */
677 gboolean
678 mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
679 {
680 error_init (error);
681 MonoMethod *caller = get_reflection_caller ();
682 /* CoreCLR restrictions applies to Transparent code/caller */
683 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
684 return TRUE;
685
686 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION) {
687 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method->klass)))
688 return TRUE;
689 }
690
691 /* Transparent code cannot invoke, even using reflection, Critical code */
692 if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
693 mono_error_set_exception_instance (error, get_method_access_exception (
694 "Transparent method %s cannot invoke Critical method %s.",
695 caller, method));
696 return FALSE;
697 }
698
699 /* also it cannot invoke a method that is not visible from it's (caller) point of view */
700 if (!check_method_access (caller, method)) {
701 mono_error_set_exception_instance (error, get_method_access_exception (
702 "Transparent method %s cannot invoke private/internal method %s.",
703 caller, method));
704 return FALSE;
705 }
706 return TRUE;
707 }
708
709 /*
710 * can_avoid_corlib_reflection_delegate_optimization:
711 *
712 * Mono's mscorlib use delegates to optimize PropertyInfo and EventInfo
713 * reflection calls. This requires either a bunch of additional, and not
714 * really required, [SecuritySafeCritical] in the class libraries or
715 * (like this) a way to skip them. As a bonus we also avoid the stack
716 * walk to find the caller.
717 *
718 * Return TRUE if we can skip this "internal" delegate creation, FALSE
719 * otherwise.
720 */
721 static gboolean
722 can_avoid_corlib_reflection_delegate_optimization (MonoMethod *method)
723 {
724 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method->klass)))
725 return FALSE;
726
727 if (strcmp (m_class_get_name_space (method->klass), "System.Reflection") != 0)
728 return FALSE;
729
730 if (strcmp (m_class_get_name (method->klass), "MonoProperty") == 0) {
731 if ((strcmp (method->name, "GetterAdapterFrame") == 0) || strcmp (method->name, "StaticGetterAdapterFrame") == 0)
732 return TRUE;
733 } else if (strcmp (m_class_get_name (method->klass), "EventInfo") == 0) {
734 if ((strcmp (method->name, "AddEventFrame") == 0) || strcmp (method->name, "StaticAddEventAdapterFrame") == 0)
735 return TRUE;
736 }
737
738 return FALSE;
739 }
740
741 /*
742 * mono_security_core_clr_ensure_delegate_creation:
743 *
744 * Return TRUE if a delegate can be created on the specified
745 * method. CoreCLR can also affect the binding, this function may
746 * return (FALSE) and set @error to an ArgumentException.
747 *
748 * @error is set to a MethodAccessException if the specified method is not
749 * visible from the caller point of view.
750 */
751 gboolean
752 mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
753 {
754 MonoMethod *caller;
755
756 error_init (error);
757
758 /* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
759 if (can_avoid_corlib_reflection_delegate_optimization (method))
760 return TRUE;
761
762 caller = get_reflection_caller ();
763 /* if the "real" caller is not Transparent then it do can anything */
764 if (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT)
765 return TRUE;
766
767 /* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
768 if (mono_security_core_clr_method_level (method, TRUE) == MONO_SECURITY_CORE_CLR_CRITICAL) {
769 mono_error_set_exception_instance (error, get_argument_exception (
770 "Transparent method %s cannot create a delegate on Critical method %s.",
771 caller, method));
772 return FALSE;
773 }
774
775 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE) {
776 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method->klass)))
777 return TRUE;
778 }
779
780 /* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
781 if (!check_method_access (caller, method)) {
782 mono_error_set_exception_instance (error, get_method_access_exception (
783 "Transparent method %s cannot create a delegate on private/internal method %s.",
784 caller, method));
785 return FALSE;
786 }
787
788 return TRUE;
789 }
790
791 /*
792 * mono_security_core_clr_ensure_dynamic_method_resolved_object:
793 *
794 * Called from mono_reflection_create_dynamic_method (reflection.c) to add some extra checks required for CoreCLR.
795 * Dynamic methods needs to check to see if the objects being used (e.g. methods, fields) comes from platform code
796 * and do an accessibility check in this case. Otherwise (i.e. user/application code) can be used without this extra
797 * accessbility check.
798 */
799 MonoException*
800 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
801 {
802 /* XXX find/create test cases for other handle_class XXX */
803 if (handle_class == mono_defaults.fieldhandle_class) {
804 MonoClassField *field = (MonoClassField*) ref;
805 MonoClass *klass = mono_field_get_parent (field);
806 /* fields coming from platform code have extra protection (accessibility check) */
807 if (mono_security_core_clr_is_platform_image (m_class_get_image (klass))) {
808 MonoMethod *caller = get_reflection_caller ();
809 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
810 if (!check_field_access (caller, field)) {
811 return get_field_access_exception (
812 "Dynamic method %s cannot create access private/internal field %s.",
813 caller, field);
814 }
815 }
816 } else if (handle_class == mono_defaults.methodhandle_class) {
817 MonoMethod *method = (MonoMethod*) ref;
818 /* methods coming from platform code have extra protection (accessibility check) */
819 if (mono_security_core_clr_is_platform_image (m_class_get_image (method->klass))) {
820 MonoMethod *caller = get_reflection_caller ();
821 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
822 if (!check_method_access (caller, method)) {
823 return get_method_access_exception (
824 "Dynamic method %s cannot create access private/internal method %s.",
825 caller, method);
826 }
827 }
828 }
829 return NULL;
830 }
831
832 /*
833 * mono_security_core_clr_can_access_internals
834 *
835 * Check if we allow [InternalsVisibleTo] to work between two images.
836 */
837 gboolean
838 mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
839 {
840 /* are we trying to access internals of a platform assembly ? if not this is acceptable */
841 if (!mono_security_core_clr_is_platform_image (accessed))
842 return TRUE;
843
844 /* we can't let everyone with the right name and public key token access the internals of platform code.
845 * (Silverlight can rely on the strongname signature of the assemblies, but Mono does not verify them)
846 * However platform code is fully trusted so it can access the internals of other platform code assemblies */
847 if (mono_security_core_clr_is_platform_image (accessing))
848 return TRUE;
849
850 /* catch-22: System.Xml needs access to mscorlib's internals (e.g. ArrayList) but is not considered platform code.
851 * Promoting it to platform code would create another issue since (both Mono/Moonlight or MS version of)
852 * System.Xml.Linq.dll (an SDK, not platform, assembly) needs access to System.Xml.dll internals (either ).
853 * The solution is to trust, even transparent code, in the plugin directory to access platform code internals */
854 if (!accessed->assembly->basedir || !accessing->assembly->basedir)
855 return FALSE;
856 return (strcmp (accessed->assembly->basedir, accessing->assembly->basedir) == 0);
857 }
858
859 /*
860 * mono_security_core_clr_is_field_access_allowed
861 *
862 * Return a MonoException (FieldccessException in managed-land) if
863 * the access from "caller" to "field" is not valid under CoreCLR -
864 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
865 * field.
866 */
867 MonoException*
868 mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
869 {
870 /* there's no restriction to access Transparent or SafeCritical fields, so we only check calls to Critical methods */
871 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) != MONO_SECURITY_CORE_CLR_CRITICAL)
872 return NULL;
873
874 /* caller is Critical! only SafeCritical and Critical callers can access the field, so we throw if caller is Transparent */
875 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
876 return NULL;
877
878 return get_field_access_exception (
879 "Transparent method %s cannot call use Critical field %s.",
880 caller, field);
881 }
882
883 /*
884 * mono_security_core_clr_is_call_allowed
885 *
886 * Return a MonoException (MethodAccessException in managed-land) if
887 * the call from "caller" to "callee" is not valid under CoreCLR -
888 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
889 * method.
890 */
891 MonoException*
892 mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
893 {
894 /* there's no restriction to call Transparent or SafeCritical code, so we only check calls to Critical methods */
895 if (mono_security_core_clr_method_level (callee, TRUE) != MONO_SECURITY_CORE_CLR_CRITICAL)
896 return NULL;
897
898 /* callee is Critical! only SafeCritical and Critical callers can call it, so we throw if the caller is Transparent */
899 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
900 return NULL;
901
902 return get_method_access_exception (
903 "Transparent method %s cannot call Critical method %s.",
904 caller, callee);
905 }
906
907 /*
908 * mono_security_core_clr_level_from_cinfo:
909 *
910 * Return the MonoSecurityCoreCLRLevel that match the attribute located
911 * in the specified custom attributes. If no attribute is present it
912 * defaults to MONO_SECURITY_CORE_CLR_TRANSPARENT, which is the default
913 * level for all code under the CoreCLR.
914 */
915 static MonoSecurityCoreCLRLevel
916 mono_security_core_clr_level_from_cinfo (MonoCustomAttrInfo *cinfo, MonoImage *image)
917 {
918 int level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
919
920 if (cinfo && mono_custom_attrs_has_attr (cinfo, security_safe_critical_attribute ()))
921 level = MONO_SECURITY_CORE_CLR_SAFE_CRITICAL;
922 if (cinfo && mono_custom_attrs_has_attr (cinfo, security_critical_attribute ()))
923 level = MONO_SECURITY_CORE_CLR_CRITICAL;
924
925 return (MonoSecurityCoreCLRLevel)level;
926 }
927
928 /*
929 * mono_security_core_clr_class_level_no_platform_check:
930 *
931 * Return the MonoSecurityCoreCLRLevel for the specified class, without
932 * checking for platform code. This help us avoid multiple redundant
933 * checks, e.g.
934 * - a check for the method and one for the class;
935 * - a check for the class and outer class(es) ...
936 */
937 static MonoSecurityCoreCLRLevel
938 mono_security_core_clr_class_level_no_platform_check (MonoClass *klass)
939 {
940 ERROR_DECL (error);
941 MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
942 MonoCustomAttrInfo *cinfo = mono_custom_attrs_from_class_checked (klass, error);
943 mono_error_cleanup (error);
944 if (cinfo) {
945 level = mono_security_core_clr_level_from_cinfo (cinfo, m_class_get_image (klass));
946 mono_custom_attrs_free (cinfo);
947 }
948
949 if (level == MONO_SECURITY_CORE_CLR_TRANSPARENT && m_class_get_nested_in (klass))
950 level = mono_security_core_clr_class_level_no_platform_check (m_class_get_nested_in (klass));
951
952 return level;
953 }
954
955 /*
956 * mono_security_core_clr_class_level:
957 *
958 * Return the MonoSecurityCoreCLRLevel for the specified class.
959 */
960 MonoSecurityCoreCLRLevel
961 mono_security_core_clr_class_level (MonoClass *klass)
962 {
963 /* non-platform code is always Transparent - whatever the attributes says */
964 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (m_class_get_image (klass)))
965 return MONO_SECURITY_CORE_CLR_TRANSPARENT;
966
967 return mono_security_core_clr_class_level_no_platform_check (klass);
968 }
969
970 /*
971 * mono_security_core_clr_field_level:
972 *
973 * Return the MonoSecurityCoreCLRLevel for the specified field.
974 * If with_class_level is TRUE then the type (class) will also be
975 * checked, otherwise this will only report the information about
976 * the field itself.
977 */
978 MonoSecurityCoreCLRLevel
979 mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
980 {
981 ERROR_DECL (error);
982 MonoCustomAttrInfo *cinfo;
983 MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
984
985 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
986 if (!field)
987 return level;
988
989 /* non-platform code is always Transparent - whatever the attributes says */
990 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (m_class_get_image (field->parent)))
991 return level;
992
993 cinfo = mono_custom_attrs_from_field_checked (field->parent, field, error);
994 mono_error_cleanup (error);
995 if (cinfo) {
996 level = mono_security_core_clr_level_from_cinfo (cinfo, m_class_get_image (field->parent));
997 mono_custom_attrs_free (cinfo);
998 }
999
1000 if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
1001 level = mono_security_core_clr_class_level (field->parent);
1002
1003 return level;
1004 }
1005
1006 /*
1007 * mono_security_core_clr_method_level:
1008 *
1009 * Return the MonoSecurityCoreCLRLevel for the specified method.
1010 * If with_class_level is TRUE then the type (class) will also be
1011 * checked, otherwise this will only report the information about
1012 * the method itself.
1013 */
1014 MonoSecurityCoreCLRLevel
1015 mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
1016 {
1017 ERROR_DECL (error);
1018 MonoCustomAttrInfo *cinfo;
1019 MonoSecurityCoreCLRLevel level = MONO_SECURITY_CORE_CLR_TRANSPARENT;
1020
1021 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
1022 if (!method)
1023 return level;
1024
1025 /* non-platform code is always Transparent - whatever the attributes says */
1026 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (m_class_get_image (method->klass)))
1027 return level;
1028
1029 cinfo = mono_custom_attrs_from_method_checked (method, error);
1030 mono_error_cleanup (error);
1031 if (cinfo) {
1032 level = mono_security_core_clr_level_from_cinfo (cinfo, m_class_get_image (method->klass));
1033 mono_custom_attrs_free (cinfo);
1034 }
1035
1036 if (with_class_level && level == MONO_SECURITY_CORE_CLR_TRANSPARENT)
1037 level = mono_security_core_clr_class_level (method->klass);
1038
1039 return level;
1040 }
1041
1042 /*
1043 * mono_security_enable_core_clr:
1044 *
1045 * Enable the verifier and the CoreCLR security model
1046 */
1047 void
1048 mono_security_enable_core_clr ()
1049 {
1050 mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE);
1051 mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR);
1052 }
1053
1054 #else
1055
1056 void
1057 mono_security_core_clr_check_inheritance (MonoClass *klass)
1058 {
1059 }
1060
1061 void
1062 mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
1063 {
1064 }
1065
1066 gboolean
1067 mono_security_core_clr_require_elevated_permissions (void)
1068 {
1069 return FALSE;
1070 }
1071
1072 gboolean
1073 mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
1074 {
1075 error_init (error);
1076 return TRUE;
1077 }
1078
1079 gboolean
1080 mono_security_core_clr_ensure_reflection_access_method (MonoMethod *method, MonoError *error)
1081 {
1082 error_init (error);
1083 return TRUE;
1084 }
1085
1086 gboolean
1087 mono_security_core_clr_ensure_delegate_creation (MonoMethod *method, MonoError *error)
1088 {
1089 error_init (error);
1090 return TRUE;
1091 }
1092
1093 MonoException*
1094 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
1095 {
1096 return NULL;
1097 }
1098
1099 gboolean
1100 mono_security_core_clr_can_access_internals (MonoImage *accessing, MonoImage* accessed)
1101 {
1102 return TRUE;
1103 }
1104
1105 MonoException*
1106 mono_security_core_clr_is_field_access_allowed (MonoMethod *caller, MonoClassField *field)
1107 {
1108 return NULL;
1109 }
1110
1111 MonoException*
1112 mono_security_core_clr_is_call_allowed (MonoMethod *caller, MonoMethod *callee)
1113 {
1114 return NULL;
1115 }
1116
1117 MonoSecurityCoreCLRLevel
1118 mono_security_core_clr_class_level (MonoClass *klass)
1119 {
1120 return MONO_SECURITY_CORE_CLR_TRANSPARENT;
1121 }
1122
1123 MonoSecurityCoreCLRLevel
1124 mono_security_core_clr_field_level (MonoClassField *field, gboolean with_class_level)
1125 {
1126 return MONO_SECURITY_CORE_CLR_TRANSPARENT;
1127 }
1128
1129 MonoSecurityCoreCLRLevel
1130 mono_security_core_clr_method_level (MonoMethod *method, gboolean with_class_level)
1131 {
1132 return MONO_SECURITY_CORE_CLR_TRANSPARENT;
1133 }
1134
1135 void
1136 mono_security_enable_core_clr ()
1137 {
1138 }
1139
1140 #endif /* DISABLE_SECURITY */
Mirror of the official Mono project git repository