6 * Mark Probst <mark.probst@gmail.com>
7 * Sebastien Pouliot <sebastien@ximian.com>
9 * Copyright 2007-2010 Novell, Inc (http://www.novell.com)
10 * Licensed under the MIT license. See LICENSE file in the project root for full license information.
14 #include <mono/metadata/class-init.h>
15 #include <mono/metadata/class-internals.h>
16 #include <mono/metadata/security-manager.h>
17 #include <mono/metadata/assembly.h>
18 #include <mono/metadata/appdomain.h>
19 #include <mono/metadata/verify-internals.h>
20 #include <mono/metadata/object.h>
21 #include <mono/metadata/exception.h>
22 #include <mono/metadata/debug-helpers.h>
23 #include <mono/metadata/reflection-internals.h>
24 #include <mono/utils/mono-logger-internals.h>
26 #include "security-core-clr.h"
28 gboolean mono_security_core_clr_test
= FALSE
;
30 static MonoSecurityCoreCLROptions security_core_clr_options
= MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT
;
33 * mono_security_core_clr_set_options:
34 * \param options the new options for the coreclr system to use
36 * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
37 * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
38 * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
39 * This function allows specific relaxations from the default behaviour to be set.
41 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT for the default coreclr coreclr behaviour as used in Moonlight.
43 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION to allow transparent code to execute methods and access
44 * fields that are not in platformcode, even if those methods and fields are private or otherwise not visible to the calling code.
46 * Use \c MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE to allow delegates to be created that point at methods that are not in
47 * platformcode even if those methods and fields are private or otherwise not visible to the calling code.
51 mono_security_core_clr_set_options (MonoSecurityCoreCLROptions options
) {
52 security_core_clr_options
= options
;
56 * mono_security_core_clr_get_options:
58 * Retrieves the current options used by the coreclr system.
61 MonoSecurityCoreCLROptions
62 mono_security_core_clr_get_options ()
64 return security_core_clr_options
;
68 * default_platform_check:
70 * Default platform check. Always TRUE for current corlib (minimum
71 * trust-able subset) otherwise return FALSE. Any real CoreCLR host
72 * should provide its own callback to define platform code (i.e.
73 * this default is meant for test only).
76 default_platform_check (const char *image_name
)
78 if (mono_defaults
.corlib
) {
79 return (strcmp (mono_defaults
.corlib
->name
, image_name
) == 0);
81 /* this can get called even before we load corlib (e.g. the EXE itself) */
82 const char *corlib
= "mscorlib.dll";
83 int ilen
= strlen (image_name
);
84 int clen
= strlen (corlib
);
85 return ((ilen
>= clen
) && (strcmp ("mscorlib.dll", image_name
+ ilen
- clen
) == 0));
89 static MonoCoreClrPlatformCB platform_callback
= default_platform_check
;
92 * mono_security_core_clr_determine_platform_image:
94 * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
95 * to determine if this image represents platform code.
98 mono_security_core_clr_determine_platform_image (MonoImage
*image
)
100 return platform_callback (image
->name
);
104 * mono_security_set_core_clr_platform_callback:
106 * Set the callback function that will be used to determine if an image
107 * is part, or not, of the platform code.
110 mono_security_set_core_clr_platform_callback (MonoCoreClrPlatformCB callback
)
112 platform_callback
= callback
;
116 * mono_security_core_clr_is_platform_image:
118 * Return the (cached) boolean value indicating if this image represent platform code
121 mono_security_core_clr_is_platform_image (MonoImage
*image
)
123 return image
->core_clr_platform_code
;
126 /* Note: The above functions are outside this guard so that the public API isn't affected. */
128 #ifndef DISABLE_SECURITY
130 /* Class lazy loading functions */
131 static GENERATE_GET_CLASS_WITH_CACHE (security_critical
, "System.Security", "SecurityCriticalAttribute")
132 static GENERATE_GET_CLASS_WITH_CACHE (security_safe_critical
, "System.Security", "SecuritySafeCriticalAttribute")
135 security_critical_attribute (void)
137 return mono_class_get_security_critical_class ();
141 security_safe_critical_attribute (void)
143 return mono_class_get_security_safe_critical_class ();
147 /* sometime we get a NULL (not found) caller (e.g. get_reflection_caller) */
149 get_method_full_name (MonoMethod
* method
)
151 return method
? mono_method_full_name (method
, TRUE
) : g_strdup ("'no caller found'");
155 * set_type_load_exception_type
157 * Set MONO_EXCEPTION_TYPE_LOAD on the specified 'class' and provide
158 * a descriptive message for the exception. This message is also,
159 * optionally, being logged (export MONO_LOG_MASK="security") for
160 * debugging purposes.
163 set_type_load_exception_type (const char *format
, MonoClass
*klass
)
165 char *type_name
= mono_type_get_full_name (klass
);
166 char *parent_name
= mono_type_get_full_name (m_class_get_parent (klass
));
167 char *message
= mono_image_strdup_printf (m_class_get_image (klass
), format
, type_name
, parent_name
);
169 g_free (parent_name
);
172 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "%s", message
);
173 mono_class_set_type_load_failure (klass
, "%s", message
);
174 // note: do not free string given to mono_class_set_failure
178 * set_type_load_exception_methods
180 * Set MONO_EXCEPTION_TYPE_LOAD on the 'override' class and provide
181 * a descriptive message for the exception. This message is also,
182 * optionally, being logged (export MONO_LOG_MASK="security") for
183 * debugging purposes.
186 set_type_load_exception_methods (const char *format
, MonoMethod
*override
, MonoMethod
*base
)
188 char *method_name
= get_method_full_name (override
);
189 char *base_name
= get_method_full_name (base
);
190 char *message
= mono_image_strdup_printf (m_class_get_image (override
->klass
), format
, method_name
, base_name
);
193 g_free (method_name
);
195 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "%s", message
);
196 mono_class_set_type_load_failure (override
->klass
, "%s", message
);
197 // note: do not free string given to mono_class_set_failure
200 /* MonoClass is not fully initialized (inited is not yet == 1) when we
201 * check the inheritance rules so we need to look for the default ctor
202 * ourselve to avoid recursion (and aborting)
205 get_default_ctor (MonoClass
*klass
)
209 mono_class_setup_methods (klass
);
210 if (!m_class_get_methods (klass
))
213 int mcount
= mono_class_get_method_count (klass
);
214 MonoMethod
**klass_methods
= m_class_get_methods (klass
);
215 for (i
= 0; i
< mcount
; ++i
) {
216 MonoMethodSignature
*sig
;
217 MonoMethod
*method
= klass_methods
[i
];
222 if ((method
->flags
& METHOD_ATTRIBUTE_SPECIAL_NAME
) == 0)
224 if ((method
->name
[0] != '.') || strcmp (".ctor", method
->name
))
226 sig
= mono_method_signature_internal (method
);
227 if (sig
&& (sig
->param_count
== 0))
235 * mono_security_core_clr_check_inheritance:
237 * Determine if the specified class can inherit from its parent using
238 * the CoreCLR inheritance rules.
240 * Base Type Allow Derived Type
241 * ------------ ------------------
242 * Transparent Transparent, SafeCritical, Critical
243 * SafeCritical SafeCritical, Critical
246 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
248 * Furthermore a class MUST have a default constructor if its base
249 * class has a non-transparent, public or protected, default constructor.
250 * The same inheritance rule applies to both default constructors.
252 * Reference: message from a SecurityException in SL4RC
253 * Reference: fxcop CA2132 rule
256 mono_security_core_clr_check_inheritance (MonoClass
*klass
)
258 MonoSecurityCoreCLRLevel class_level
, parent_level
;
259 MonoClass
*parent
= m_class_get_parent (klass
);
264 class_level
= mono_security_core_clr_class_level (klass
);
265 parent_level
= mono_security_core_clr_class_level (parent
);
267 if (class_level
< parent_level
) {
268 set_type_load_exception_type (
269 "Inheritance failure for type %s. Parent class %s is more restricted.",
272 MonoMethod
*parent_ctor
= get_default_ctor (parent
);
273 if (parent_ctor
&& ((parent_ctor
->flags
& METHOD_ATTRIBUTE_PUBLIC
) != 0)) {
274 class_level
= mono_security_core_clr_method_level (get_default_ctor (klass
), FALSE
);
275 parent_level
= mono_security_core_clr_method_level (parent_ctor
, FALSE
);
276 if (class_level
< parent_level
) {
277 set_type_load_exception_type (
278 "Inheritance failure for type %s. Default constructor security mismatch with %s.",
286 * mono_security_core_clr_check_override:
288 * Determine if the specified override can "legally" override the
289 * specified base method using the CoreCLR inheritance rules.
291 * Base (virtual/interface) Allowed override
292 * ------------------------ -------------------------
293 * Transparent Transparent, SafeCritical
294 * SafeCritical Transparent, SafeCritical
297 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
300 mono_security_core_clr_check_override (MonoClass
*klass
, MonoMethod
*override
, MonoMethod
*base
)
302 MonoSecurityCoreCLRLevel base_level
= mono_security_core_clr_method_level (base
, FALSE
);
303 MonoSecurityCoreCLRLevel override_level
= mono_security_core_clr_method_level (override
, FALSE
);
304 /* if the base method is decorated with [SecurityCritical] then the overrided method MUST be too */
305 if (base_level
== MONO_SECURITY_CORE_CLR_CRITICAL
) {
306 if (override_level
!= MONO_SECURITY_CORE_CLR_CRITICAL
) {
307 set_type_load_exception_methods (
308 "Override failure for %s over %s. Override MUST be [SecurityCritical].",
312 /* base is [SecuritySafeCritical] or [SecurityTransparent], override MUST NOT be [SecurityCritical] */
313 if (override_level
== MONO_SECURITY_CORE_CLR_CRITICAL
) {
314 set_type_load_exception_methods (
315 "Override failure for %s over %s. Override must NOT be [SecurityCritical].",
322 * get_caller_no_reflection_related:
324 * Find the first managed caller that is either:
325 * (a) located outside the platform code assemblies; or
326 * (b) not related to reflection and delegates
328 * Returns TRUE to stop the stackwalk, FALSE to continue to the next frame.
331 get_caller_no_reflection_related (MonoMethod
*m
, gint32 no
, gint32 ilo
, gboolean managed
, gpointer data
)
333 MonoMethod
**dest
= (MonoMethod
**)data
;
336 /* skip unmanaged frames */
340 if (m
->wrapper_type
!= MONO_WRAPPER_NONE
)
343 /* quick out (any namespace not starting with an 'S' */
344 ns
= m_class_get_name_space (m
->klass
);
345 if (!ns
|| (*ns
!= 'S')) {
350 /* stop if the method is not part of platform code */
351 if (!mono_security_core_clr_is_platform_image (m_class_get_image (m
->klass
))) {
356 /* any number of calls inside System.Reflection are allowed */
357 if (strcmp (ns
, "System.Reflection") == 0)
360 /* any number of calls inside System.Reflection are allowed */
361 if (strcmp (ns
, "System.Reflection.Emit") == 0)
364 /* calls from System.Delegate are also possible and allowed */
365 if (strcmp (ns
, "System") == 0) {
366 const char *kname
= m_class_get_name (m
->klass
);
367 if ((*kname
== 'A') && (strcmp (kname
, "Activator") == 0))
370 /* unlike most Invoke* cases InvokeMember is not inside System.Reflection[.Emit] but is SecuritySafeCritical */
371 if (((*kname
== 'T') && (strcmp (kname
, "Type") == 0)) ||
372 ((*kname
== 'R') && (strcmp (kname
, "RuntimeType")) == 0)) {
374 /* if calling InvokeMember then we can't stop the stackwalk here and need to look at the caller */
375 if (strcmp (m
->name
, "InvokeMember") == 0)
379 /* the security check on the delegate is made at creation time, not at invoke time */
380 if (((*kname
== 'D') && (strcmp (kname
, "Delegate") == 0)) ||
381 ((*kname
== 'M') && (strcmp (kname
, "MulticastDelegate")) == 0)) {
383 /* if we're invoking then we can stop our stack walk */
384 if (strcmp (m
->name
, "DynamicInvoke") != 0)
399 * get_reflection_caller:
401 * Walk to the first managed method outside:
402 * - System.Reflection* namespaces
403 * - System.[Multicast]Delegate or Activator type
405 * and return a pointer to its MonoMethod.
407 * This is required since CoreCLR checks needs to be done on this "real" caller.
410 get_reflection_caller (void)
412 MonoMethod
*m
= NULL
;
413 mono_stack_walk_no_il (get_caller_no_reflection_related
, &m
);
414 if (G_UNLIKELY (!m
)) {
415 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "No caller outside reflection was found");
423 } ElevatedTrustCookie
;
426 * get_caller_of_elevated_trust_code
428 * Stack walk to find who is calling code requiring Elevated Trust.
429 * If a critical method is found then the caller is platform code
430 * and has elevated trust, otherwise (transparent) a check needs to
431 * be done (on the managed side) to determine if the application is
432 * running with elevated permissions.
435 get_caller_of_elevated_trust_code (MonoMethod
*m
, gint32 no
, gint32 ilo
, gboolean managed
, gpointer data
)
437 ElevatedTrustCookie
*cookie
= (ElevatedTrustCookie
*)data
;
439 /* skip unmanaged frames and wrappers */
440 if (!managed
|| (m
->wrapper_type
!= MONO_WRAPPER_NONE
))
443 /* end stack walk if we find ourselves outside platform code (we won't find critical code anymore) */
444 if (!mono_security_core_clr_is_platform_image (m_class_get_image (m
->klass
))) {
449 switch (cookie
->depth
) {
450 /* while depth == 0 look for SecurityManager::[Check|Ensure]ElevatedPermissions */
452 if (strcmp (m_class_get_name_space (m
->klass
), "System.Security"))
454 if (strcmp (m_class_get_name (m
->klass
), "SecurityManager"))
456 if ((strcmp (m
->name
, "EnsureElevatedPermissions")) && strcmp (m
->name
, "CheckElevatedPermissions"))
460 /* while depth == 1 look for the caller to SecurityManager::[Check|Ensure]ElevatedPermissions */
462 /* this frame is [SecuritySafeCritical] because it calls [SecurityCritical] [Check|Ensure]ElevatedPermissions */
463 /* the next frame will contain the caller(s) we want to check */
466 /* while depth >= 2 look for [safe]critical caller, end stack walk if we find it */
469 /* if the caller is transparent then we continue the stack walk */
470 if (mono_security_core_clr_method_level (m
, TRUE
) == MONO_SECURITY_CORE_CLR_TRANSPARENT
)
473 /* Security[Safe]Critical code is always allowed to call elevated-trust code */
482 * mono_security_core_clr_require_elevated_permissions:
484 * Return TRUE if the caller of the current method (the code who
485 * called SecurityManager.get_RequiresElevatedPermissions) needs
486 * elevated trust to perform an action.
488 * A stack walk is done to find the callers. If one of the callers
489 * is either [SecurityCritical] or [SecuritySafeCritical] then the
490 * action is needed for platform code (i.e. no restriction).
491 * Otherwise (transparent) the requested action needs elevated trust
494 mono_security_core_clr_require_elevated_permissions (void)
496 ElevatedTrustCookie cookie
;
498 cookie
.caller
= NULL
;
499 mono_stack_walk_no_il (get_caller_of_elevated_trust_code
, &cookie
);
501 /* return TRUE if the stack walk did not reach far enough or did not find callers */
502 if (!cookie
.caller
|| cookie
.depth
< 3)
505 /* return TRUE if the caller is transparent, i.e. if elevated trust is required to continue executing the method */
506 return (mono_security_core_clr_method_level (cookie
.caller
, TRUE
) == MONO_SECURITY_CORE_CLR_TRANSPARENT
);
511 * check_field_access:
513 * Return TRUE if the caller method can access the specified field, FALSE otherwise.
516 check_field_access (MonoMethod
*caller
, MonoClassField
*field
)
518 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
523 /* this check can occur before the field's type is resolved (and that can fail) */
524 mono_field_get_type_checked (field
, error
);
525 if (!mono_error_ok (error
)) {
526 mono_error_cleanup (error
);
530 klass
= (mono_field_get_flags (field
) & FIELD_ATTRIBUTE_STATIC
) ? NULL
: mono_field_get_parent (field
);
531 return mono_method_can_access_field_full (caller
, field
, klass
);
537 * check_method_access:
539 * Return TRUE if the caller method can access the specified callee method, FALSE otherwise.
542 check_method_access (MonoMethod
*caller
, MonoMethod
*callee
)
544 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
546 MonoClass
*klass
= (callee
->flags
& METHOD_ATTRIBUTE_STATIC
) ? NULL
: callee
->klass
;
547 return mono_method_can_access_method_full (caller
, callee
, klass
);
553 * get_argument_exception
555 * Helper function to create an MonoException (ArgumentException in
556 * managed-land) and provide a descriptive message for it. This
557 * message is also, optionally, being logged (export
558 * MONO_LOG_MASK="security") for debugging purposes.
560 static MonoException
*
561 get_argument_exception (const char *format
, MonoMethod
*caller
, MonoMethod
*callee
)
564 char *caller_name
= get_method_full_name (caller
);
565 char *callee_name
= get_method_full_name (callee
);
566 char *message
= g_strdup_printf (format
, caller_name
, callee_name
);
567 g_free (callee_name
);
568 g_free (caller_name
);
570 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "%s", message
);
571 ex
= mono_get_exception_argument ("method", message
);
578 * get_field_access_exception
580 * Helper function to create an MonoException (FieldAccessException
581 * in managed-land) and provide a descriptive message for it. This
582 * message is also, optionally, being logged (export
583 * MONO_LOG_MASK="security") for debugging purposes.
585 static MonoException
*
586 get_field_access_exception (const char *format
, MonoMethod
*caller
, MonoClassField
*field
)
589 char *caller_name
= get_method_full_name (caller
);
590 char *field_name
= mono_field_full_name (field
);
591 char *message
= g_strdup_printf (format
, caller_name
, field_name
);
593 g_free (caller_name
);
595 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "%s", message
);
596 ex
= mono_get_exception_field_access_msg (message
);
603 * get_method_access_exception
605 * Helper function to create an MonoException (MethodAccessException
606 * in managed-land) and provide a descriptive message for it. This
607 * message is also, optionally, being logged (export
608 * MONO_LOG_MASK="security") for debugging purposes.
610 static MonoException
*
611 get_method_access_exception (const char *format
, MonoMethod
*caller
, MonoMethod
*callee
)
614 char *caller_name
= get_method_full_name (caller
);
615 char *callee_name
= get_method_full_name (callee
);
616 char *message
= g_strdup_printf (format
, caller_name
, callee_name
);
617 g_free (callee_name
);
618 g_free (caller_name
);
620 mono_trace (G_LOG_LEVEL_WARNING
, MONO_TRACE_SECURITY
, "%s", message
);
621 ex
= mono_get_exception_method_access_msg (message
);
628 * mono_security_core_clr_ensure_reflection_access_field:
630 * Ensure that the specified field can be used with reflection since
631 * Transparent code cannot access to Critical fields and can only use
632 * them if they are visible from it's point of view.
634 * Returns TRUE if acess is allowed. Otherwise returns FALSE and sets @error to a FieldAccessException if the field is cannot be accessed.
637 mono_security_core_clr_ensure_reflection_access_field (MonoClassField
*field
, MonoError
*error
)
640 MonoMethod
*caller
= get_reflection_caller ();
641 /* CoreCLR restrictions applies to Transparent code/caller */
642 if (mono_security_core_clr_method_level (caller
, TRUE
) != MONO_SECURITY_CORE_CLR_TRANSPARENT
)
645 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION
) {
646 if (!mono_security_core_clr_is_platform_image (m_class_get_image (mono_field_get_parent(field
))))
650 /* Transparent code cannot [get|set]value on Critical fields */
651 if (mono_security_core_clr_class_level (mono_field_get_parent (field
)) == MONO_SECURITY_CORE_CLR_CRITICAL
) {
652 mono_error_set_exception_instance (error
, get_field_access_exception (
653 "Transparent method %s cannot get or set Critical field %s.",
658 /* also it cannot access a fields that is not visible from it's (caller) point of view */
659 if (!check_field_access (caller
, field
)) {
660 mono_error_set_exception_instance (error
, get_field_access_exception (
661 "Transparent method %s cannot get or set private/internal field %s.",
669 * mono_security_core_clr_ensure_reflection_access_method:
671 * Ensure that the specified method can be used with reflection since
672 * Transparent code cannot call Critical methods and can only call them
673 * if they are visible from it's point of view.
675 * If access is allowed returns TRUE. Returns FALSE and sets @error to a MethodAccessException if the field is cannot be accessed.
678 mono_security_core_clr_ensure_reflection_access_method (MonoMethod
*method
, MonoError
*error
)
681 MonoMethod
*caller
= get_reflection_caller ();
682 /* CoreCLR restrictions applies to Transparent code/caller */
683 if (mono_security_core_clr_method_level (caller
, TRUE
) != MONO_SECURITY_CORE_CLR_TRANSPARENT
)
686 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION
) {
687 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method
->klass
)))
691 /* Transparent code cannot invoke, even using reflection, Critical code */
692 if (mono_security_core_clr_method_level (method
, TRUE
) == MONO_SECURITY_CORE_CLR_CRITICAL
) {
693 mono_error_set_exception_instance (error
, get_method_access_exception (
694 "Transparent method %s cannot invoke Critical method %s.",
699 /* also it cannot invoke a method that is not visible from it's (caller) point of view */
700 if (!check_method_access (caller
, method
)) {
701 mono_error_set_exception_instance (error
, get_method_access_exception (
702 "Transparent method %s cannot invoke private/internal method %s.",
710 * can_avoid_corlib_reflection_delegate_optimization:
712 * Mono's mscorlib use delegates to optimize PropertyInfo and EventInfo
713 * reflection calls. This requires either a bunch of additional, and not
714 * really required, [SecuritySafeCritical] in the class libraries or
715 * (like this) a way to skip them. As a bonus we also avoid the stack
716 * walk to find the caller.
718 * Return TRUE if we can skip this "internal" delegate creation, FALSE
722 can_avoid_corlib_reflection_delegate_optimization (MonoMethod
*method
)
724 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method
->klass
)))
727 if (strcmp (m_class_get_name_space (method
->klass
), "System.Reflection") != 0)
730 if (strcmp (m_class_get_name (method
->klass
), "MonoProperty") == 0) {
731 if ((strcmp (method
->name
, "GetterAdapterFrame") == 0) || strcmp (method
->name
, "StaticGetterAdapterFrame") == 0)
733 } else if (strcmp (m_class_get_name (method
->klass
), "EventInfo") == 0) {
734 if ((strcmp (method
->name
, "AddEventFrame") == 0) || strcmp (method
->name
, "StaticAddEventAdapterFrame") == 0)
742 * mono_security_core_clr_ensure_delegate_creation:
744 * Return TRUE if a delegate can be created on the specified
745 * method. CoreCLR can also affect the binding, this function may
746 * return (FALSE) and set @error to an ArgumentException.
748 * @error is set to a MethodAccessException if the specified method is not
749 * visible from the caller point of view.
752 mono_security_core_clr_ensure_delegate_creation (MonoMethod
*method
, MonoError
*error
)
758 /* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
759 if (can_avoid_corlib_reflection_delegate_optimization (method
))
762 caller
= get_reflection_caller ();
763 /* if the "real" caller is not Transparent then it do can anything */
764 if (mono_security_core_clr_method_level (caller
, TRUE
) != MONO_SECURITY_CORE_CLR_TRANSPARENT
)
767 /* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
768 if (mono_security_core_clr_method_level (method
, TRUE
) == MONO_SECURITY_CORE_CLR_CRITICAL
) {
769 mono_error_set_exception_instance (error
, get_argument_exception (
770 "Transparent method %s cannot create a delegate on Critical method %s.",
775 if (mono_security_core_clr_get_options () & MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE
) {
776 if (!mono_security_core_clr_is_platform_image (m_class_get_image (method
->klass
)))
780 /* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
781 if (!check_method_access (caller
, method
)) {
782 mono_error_set_exception_instance (error
, get_method_access_exception (
783 "Transparent method %s cannot create a delegate on private/internal method %s.",
792 * mono_security_core_clr_ensure_dynamic_method_resolved_object:
794 * Called from mono_reflection_create_dynamic_method (reflection.c) to add some extra checks required for CoreCLR.
795 * Dynamic methods needs to check to see if the objects being used (e.g. methods, fields) comes from platform code
796 * and do an accessibility check in this case. Otherwise (i.e. user/application code) can be used without this extra
797 * accessbility check.
800 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref
, MonoClass
*handle_class
)
802 /* XXX find/create test cases for other handle_class XXX */
803 if (handle_class
== mono_defaults
.fieldhandle_class
) {
804 MonoClassField
*field
= (MonoClassField
*) ref
;
805 MonoClass
*klass
= mono_field_get_parent (field
);
806 /* fields coming from platform code have extra protection (accessibility check) */
807 if (mono_security_core_clr_is_platform_image (m_class_get_image (klass
))) {
808 MonoMethod
*caller
= get_reflection_caller ();
809 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
810 if (!check_field_access (caller
, field
)) {
811 return get_field_access_exception (
812 "Dynamic method %s cannot create access private/internal field %s.",
816 } else if (handle_class
== mono_defaults
.methodhandle_class
) {
817 MonoMethod
*method
= (MonoMethod
*) ref
;
818 /* methods coming from platform code have extra protection (accessibility check) */
819 if (mono_security_core_clr_is_platform_image (m_class_get_image (method
->klass
))) {
820 MonoMethod
*caller
= get_reflection_caller ();
821 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
822 if (!check_method_access (caller
, method
)) {
823 return get_method_access_exception (
824 "Dynamic method %s cannot create access private/internal method %s.",
833 * mono_security_core_clr_can_access_internals
835 * Check if we allow [InternalsVisibleTo] to work between two images.
838 mono_security_core_clr_can_access_internals (MonoImage
*accessing
, MonoImage
* accessed
)
840 /* are we trying to access internals of a platform assembly ? if not this is acceptable */
841 if (!mono_security_core_clr_is_platform_image (accessed
))
844 /* we can't let everyone with the right name and public key token access the internals of platform code.
845 * (Silverlight can rely on the strongname signature of the assemblies, but Mono does not verify them)
846 * However platform code is fully trusted so it can access the internals of other platform code assemblies */
847 if (mono_security_core_clr_is_platform_image (accessing
))
850 /* catch-22: System.Xml needs access to mscorlib's internals (e.g. ArrayList) but is not considered platform code.
851 * Promoting it to platform code would create another issue since (both Mono/Moonlight or MS version of)
852 * System.Xml.Linq.dll (an SDK, not platform, assembly) needs access to System.Xml.dll internals (either ).
853 * The solution is to trust, even transparent code, in the plugin directory to access platform code internals */
854 if (!accessed
->assembly
->basedir
|| !accessing
->assembly
->basedir
)
856 return (strcmp (accessed
->assembly
->basedir
, accessing
->assembly
->basedir
) == 0);
860 * mono_security_core_clr_is_field_access_allowed
862 * Return a MonoException (FieldccessException in managed-land) if
863 * the access from "caller" to "field" is not valid under CoreCLR -
864 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
868 mono_security_core_clr_is_field_access_allowed (MonoMethod
*caller
, MonoClassField
*field
)
870 /* there's no restriction to access Transparent or SafeCritical fields, so we only check calls to Critical methods */
871 if (mono_security_core_clr_class_level (mono_field_get_parent (field
)) != MONO_SECURITY_CORE_CLR_CRITICAL
)
874 /* caller is Critical! only SafeCritical and Critical callers can access the field, so we throw if caller is Transparent */
875 if (!caller
|| (mono_security_core_clr_method_level (caller
, TRUE
) != MONO_SECURITY_CORE_CLR_TRANSPARENT
))
878 return get_field_access_exception (
879 "Transparent method %s cannot call use Critical field %s.",
884 * mono_security_core_clr_is_call_allowed
886 * Return a MonoException (MethodAccessException in managed-land) if
887 * the call from "caller" to "callee" is not valid under CoreCLR -
888 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
892 mono_security_core_clr_is_call_allowed (MonoMethod
*caller
, MonoMethod
*callee
)
894 /* there's no restriction to call Transparent or SafeCritical code, so we only check calls to Critical methods */
895 if (mono_security_core_clr_method_level (callee
, TRUE
) != MONO_SECURITY_CORE_CLR_CRITICAL
)
898 /* callee is Critical! only SafeCritical and Critical callers can call it, so we throw if the caller is Transparent */
899 if (!caller
|| (mono_security_core_clr_method_level (caller
, TRUE
) != MONO_SECURITY_CORE_CLR_TRANSPARENT
))
902 return get_method_access_exception (
903 "Transparent method %s cannot call Critical method %s.",
908 * mono_security_core_clr_level_from_cinfo:
910 * Return the MonoSecurityCoreCLRLevel that match the attribute located
911 * in the specified custom attributes. If no attribute is present it
912 * defaults to MONO_SECURITY_CORE_CLR_TRANSPARENT, which is the default
913 * level for all code under the CoreCLR.
915 static MonoSecurityCoreCLRLevel
916 mono_security_core_clr_level_from_cinfo (MonoCustomAttrInfo
*cinfo
, MonoImage
*image
)
918 int level
= MONO_SECURITY_CORE_CLR_TRANSPARENT
;
920 if (cinfo
&& mono_custom_attrs_has_attr (cinfo
, security_safe_critical_attribute ()))
921 level
= MONO_SECURITY_CORE_CLR_SAFE_CRITICAL
;
922 if (cinfo
&& mono_custom_attrs_has_attr (cinfo
, security_critical_attribute ()))
923 level
= MONO_SECURITY_CORE_CLR_CRITICAL
;
925 return (MonoSecurityCoreCLRLevel
)level
;
929 * mono_security_core_clr_class_level_no_platform_check:
931 * Return the MonoSecurityCoreCLRLevel for the specified class, without
932 * checking for platform code. This help us avoid multiple redundant
934 * - a check for the method and one for the class;
935 * - a check for the class and outer class(es) ...
937 static MonoSecurityCoreCLRLevel
938 mono_security_core_clr_class_level_no_platform_check (MonoClass
*klass
)
941 MonoSecurityCoreCLRLevel level
= MONO_SECURITY_CORE_CLR_TRANSPARENT
;
942 MonoCustomAttrInfo
*cinfo
= mono_custom_attrs_from_class_checked (klass
, error
);
943 mono_error_cleanup (error
);
945 level
= mono_security_core_clr_level_from_cinfo (cinfo
, m_class_get_image (klass
));
946 mono_custom_attrs_free (cinfo
);
949 if (level
== MONO_SECURITY_CORE_CLR_TRANSPARENT
&& m_class_get_nested_in (klass
))
950 level
= mono_security_core_clr_class_level_no_platform_check (m_class_get_nested_in (klass
));
956 * mono_security_core_clr_class_level:
958 * Return the MonoSecurityCoreCLRLevel for the specified class.
960 MonoSecurityCoreCLRLevel
961 mono_security_core_clr_class_level (MonoClass
*klass
)
963 /* non-platform code is always Transparent - whatever the attributes says */
964 if (!mono_security_core_clr_test
&& !mono_security_core_clr_is_platform_image (m_class_get_image (klass
)))
965 return MONO_SECURITY_CORE_CLR_TRANSPARENT
;
967 return mono_security_core_clr_class_level_no_platform_check (klass
);
971 * mono_security_core_clr_field_level:
973 * Return the MonoSecurityCoreCLRLevel for the specified field.
974 * If with_class_level is TRUE then the type (class) will also be
975 * checked, otherwise this will only report the information about
978 MonoSecurityCoreCLRLevel
979 mono_security_core_clr_field_level (MonoClassField
*field
, gboolean with_class_level
)
982 MonoCustomAttrInfo
*cinfo
;
983 MonoSecurityCoreCLRLevel level
= MONO_SECURITY_CORE_CLR_TRANSPARENT
;
985 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
989 /* non-platform code is always Transparent - whatever the attributes says */
990 if (!mono_security_core_clr_test
&& !mono_security_core_clr_is_platform_image (m_class_get_image (field
->parent
)))
993 cinfo
= mono_custom_attrs_from_field_checked (field
->parent
, field
, error
);
994 mono_error_cleanup (error
);
996 level
= mono_security_core_clr_level_from_cinfo (cinfo
, m_class_get_image (field
->parent
));
997 mono_custom_attrs_free (cinfo
);
1000 if (with_class_level
&& level
== MONO_SECURITY_CORE_CLR_TRANSPARENT
)
1001 level
= mono_security_core_clr_class_level (field
->parent
);
1007 * mono_security_core_clr_method_level:
1009 * Return the MonoSecurityCoreCLRLevel for the specified method.
1010 * If with_class_level is TRUE then the type (class) will also be
1011 * checked, otherwise this will only report the information about
1012 * the method itself.
1014 MonoSecurityCoreCLRLevel
1015 mono_security_core_clr_method_level (MonoMethod
*method
, gboolean with_class_level
)
1018 MonoCustomAttrInfo
*cinfo
;
1019 MonoSecurityCoreCLRLevel level
= MONO_SECURITY_CORE_CLR_TRANSPARENT
;
1021 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
1025 /* non-platform code is always Transparent - whatever the attributes says */
1026 if (!mono_security_core_clr_test
&& !mono_security_core_clr_is_platform_image (m_class_get_image (method
->klass
)))
1029 cinfo
= mono_custom_attrs_from_method_checked (method
, error
);
1030 mono_error_cleanup (error
);
1032 level
= mono_security_core_clr_level_from_cinfo (cinfo
, m_class_get_image (method
->klass
));
1033 mono_custom_attrs_free (cinfo
);
1036 if (with_class_level
&& level
== MONO_SECURITY_CORE_CLR_TRANSPARENT
)
1037 level
= mono_security_core_clr_class_level (method
->klass
);
1043 * mono_security_enable_core_clr:
1045 * Enable the verifier and the CoreCLR security model
1048 mono_security_enable_core_clr ()
1050 mono_verifier_set_mode (MONO_VERIFIER_MODE_VERIFIABLE
);
1051 mono_security_set_mode (MONO_SECURITY_MODE_CORE_CLR
);
1057 mono_security_core_clr_check_inheritance (MonoClass
*klass
)
1062 mono_security_core_clr_check_override (MonoClass
*klass
, MonoMethod
*override
, MonoMethod
*base
)
1067 mono_security_core_clr_require_elevated_permissions (void)
1073 mono_security_core_clr_ensure_reflection_access_field (MonoClassField
*field
, MonoError
*error
)
1080 mono_security_core_clr_ensure_reflection_access_method (MonoMethod
*method
, MonoError
*error
)
1087 mono_security_core_clr_ensure_delegate_creation (MonoMethod
*method
, MonoError
*error
)
1094 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref
, MonoClass
*handle_class
)
1100 mono_security_core_clr_can_access_internals (MonoImage
*accessing
, MonoImage
* accessed
)
1106 mono_security_core_clr_is_field_access_allowed (MonoMethod
*caller
, MonoClassField
*field
)
1112 mono_security_core_clr_is_call_allowed (MonoMethod
*caller
, MonoMethod
*callee
)
1117 MonoSecurityCoreCLRLevel
1118 mono_security_core_clr_class_level (MonoClass
*klass
)
1120 return MONO_SECURITY_CORE_CLR_TRANSPARENT
;
1123 MonoSecurityCoreCLRLevel
1124 mono_security_core_clr_field_level (MonoClassField
*field
, gboolean with_class_level
)
1126 return MONO_SECURITY_CORE_CLR_TRANSPARENT
;
1129 MonoSecurityCoreCLRLevel
1130 mono_security_core_clr_method_level (MonoMethod
*method
, gboolean with_class_level
)
1132 return MONO_SECURITY_CORE_CLR_TRANSPARENT
;
1136 mono_security_enable_core_clr ()
1140 #endif /* DISABLE_SECURITY */