| blob | fab9cb946b013e0441ed99896a543656a8b47b48 |
1 /*
2 * security-core-clr.c: CoreCLR security
3 *
4 * Authors:
5 * Mark Probst <mark.probst@gmail.com>
6 * Sebastien Pouliot <sebastien@ximian.com>
7 *
8 * Copyright 2007-2010 Novell, Inc (http://www.novell.com)
9 * Licensed under the MIT license. See LICENSE file in the project root for full license information.
10 */
12 #include <mono/metadata/class-internals.h>
13 #include <mono/metadata/security-manager.h>
14 #include <mono/metadata/assembly.h>
15 #include <mono/metadata/appdomain.h>
16 #include <mono/metadata/verify-internals.h>
17 #include <mono/metadata/object.h>
18 #include <mono/metadata/exception.h>
19 #include <mono/metadata/debug-helpers.h>
20 #include <mono/utils/mono-logger-internals.h>
26 static MonoSecurityCoreCLROptions security_core_clr_options = MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT;
28 /**
29 * mono_security_core_clr_set_options:
30 * @options: the new options for the coreclr system to use
31 *
32 * By default, the CoreCLRs security model forbids execution trough reflection of methods not visible from the calling code.
33 * Even if the method being called is not in a platform assembly. For non moonlight CoreCLR users this restriction does not
34 * make a lot of sense, since the author could have just changed the non platform assembly to allow the method to be called.
35 * This function allows specific relaxations from the default behaviour to be set.
36 *
37 * Use MONO_SECURITY_CORE_CLR_OPTIONS_DEFAULT for the default coreclr coreclr behaviour as used in Moonlight.
38 *
39 * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_REFLECTION to allow transparent code to execute methods and access
40 * fields that are not in platformcode, even if those methods and fields are private or otherwise not visible to the calling code.
41 *
42 * Use MONO_SECURITY_CORE_CLR_OPTIONS_RELAX_DELEGATE to allow delegates to be created that point at methods that are not in
43 * platformcode even if those methods and fields are private or otherwise not visible to the calling code.
44 *
45 */
46 void
49 }
51 /**
52 * mono_security_core_clr_get_options:
53 *
54 * Retrieves the current options used by the coreclr system.
55 */
57 MonoSecurityCoreCLROptions
59 {
61 }
63 /*
64 * default_platform_check:
65 *
66 * Default platform check. Always TRUE for current corlib (minimum
67 * trust-able subset) otherwise return FALSE. Any real CoreCLR host
68 * should provide its own callback to define platform code (i.e.
69 * this default is meant for test only).
70 */
71 static gboolean
73 {
77 /* this can get called even before we load corlib (e.g. the EXE itself) */
82 }
83 }
87 /*
88 * mono_security_core_clr_determine_platform_image:
89 *
90 * Call the supplied callback (from mono_security_set_core_clr_platform_callback)
91 * to determine if this image represents platform code.
92 */
93 gboolean
95 {
97 }
99 /*
100 * mono_security_set_core_clr_platform_callback:
101 *
102 * Set the callback function that will be used to determine if an image
103 * is part, or not, of the platform code.
104 */
105 void
107 {
109 }
111 /*
112 * mono_security_core_clr_is_platform_image:
113 *
114 * Return the (cached) boolean value indicating if this image represent platform code
115 */
116 gboolean
118 {
120 }
122 /* Note: The above functions are outside this guard so that the public API isn't affected. */
124 #ifndef DISABLE_SECURITY
126 /* Class lazy loading functions */
127 static GENERATE_GET_CLASS_WITH_CACHE (security_critical, "System.Security", "SecurityCriticalAttribute")
128 static GENERATE_GET_CLASS_WITH_CACHE (security_safe_critical, "System.Security", "SecuritySafeCriticalAttribute")
132 {
134 }
138 {
141 }
143 /* sometime we get a NULL (not found) caller (e.g. get_reflection_caller) */
146 {
148 }
150 /*
151 * set_type_load_exception_type
152 *
153 * Set MONO_EXCEPTION_TYPE_LOAD on the specified 'class' and provide
154 * a descriptive message for the exception. This message is also,
155 * optionally, being logged (export MONO_LOG_MASK="security") for
156 * debugging purposes.
157 */
158 static void
160 {
170 // note: do not free string given to mono_class_set_failure
171 }
173 /*
174 * set_type_load_exception_methods
175 *
176 * Set MONO_EXCEPTION_TYPE_LOAD on the 'override' class and provide
177 * a descriptive message for the exception. This message is also,
178 * optionally, being logged (export MONO_LOG_MASK="security") for
179 * debugging purposes.
180 */
181 static void
183 {
186 char *message = mono_image_strdup_printf (override->klass->image, format, method_name, base_name);
193 // note: do not free string given to mono_class_set_failure
194 }
196 /* MonoClass is not fully initialized (inited is not yet == 1) when we
197 * check the inheritance rules so we need to look for the default ctor
198 * ourselve to avoid recursion (and aborting)
199 */
202 {
224 }
227 }
229 /*
230 * mono_security_core_clr_check_inheritance:
231 *
232 * Determine if the specified class can inherit from its parent using
233 * the CoreCLR inheritance rules.
234 *
235 * Base Type Allow Derived Type
236 * ------------ ------------------
237 * Transparent Transparent, SafeCritical, Critical
238 * SafeCritical SafeCritical, Critical
239 * Critical Critical
240 *
241 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
242 *
243 * Furthermore a class MUST have a default constructor if its base
244 * class has a non-transparent, public or protected, default constructor.
245 * The same inheritance rule applies to both default constructors.
246 *
247 * Reference: message from a SecurityException in SL4RC
248 * Reference: fxcop CA2132 rule
249 */
250 void
252 {
265 klass);
274 klass);
275 }
276 }
277 }
278 }
280 /*
281 * mono_security_core_clr_check_override:
282 *
283 * Determine if the specified override can "legally" override the
284 * specified base method using the CoreCLR inheritance rules.
285 *
286 * Base (virtual/interface) Allowed override
287 * ------------------------ -------------------------
288 * Transparent Transparent, SafeCritical
289 * SafeCritical Transparent, SafeCritical
290 * Critical Critical
291 *
292 * Reference: http://msdn.microsoft.com/en-us/magazine/cc765416.aspx#id0190030
293 */
294 void
295 mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
296 {
298 MonoSecurityCoreCLRLevel override_level = mono_security_core_clr_method_level (override, FALSE);
299 /* if the base method is decorated with [SecurityCritical] then the overrided method MUST be too */
305 }
307 /* base is [SecuritySafeCritical] or [SecurityTransparent], override MUST NOT be [SecurityCritical] */
312 }
313 }
314 }
316 /*
317 * get_caller_no_reflection_related:
318 *
319 * Find the first managed caller that is either:
320 * (a) located outside the platform code assemblies; or
321 * (b) not related to reflection and delegates
322 *
323 * Returns TRUE to stop the stackwalk, FALSE to continue to the next frame.
324 */
325 static gboolean
326 get_caller_no_reflection_related (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
327 {
331 /* skip unmanaged frames */
338 /* quick out (any namespace not starting with an 'S' */
343 }
345 /* stop if the method is not part of platform code */
349 }
351 /* any number of calls inside System.Reflection are allowed */
355 /* any number of calls inside System.Reflection are allowed */
359 /* calls from System.Delegate are also possible and allowed */
365 /* unlike most Invoke* cases InvokeMember is not inside System.Reflection[.Emit] but is SecuritySafeCritical */
369 /* if calling InvokeMember then we can't stop the stackwalk here and need to look at the caller */
372 }
374 /* the security check on the delegate is made at creation time, not at invoke time */
378 /* if we're invoking then we can stop our stack walk */
381 }
382 }
387 }
391 }
393 /*
394 * get_reflection_caller:
395 *
396 * Walk to the first managed method outside:
397 * - System.Reflection* namespaces
398 * - System.[Multicast]Delegate or Activator type
399 * - platform code
400 * and return a pointer to its MonoMethod.
401 *
402 * This is required since CoreCLR checks needs to be done on this "real" caller.
403 */
406 {
410 mono_trace (G_LOG_LEVEL_WARNING, MONO_TRACE_SECURITY, "No caller outside reflection was found");
411 }
413 }
420 /*
421 * get_caller_of_elevated_trust_code
422 *
423 * Stack walk to find who is calling code requiring Elevated Trust.
424 * If a critical method is found then the caller is platform code
425 * and has elevated trust, otherwise (transparent) a check needs to
426 * be done (on the managed side) to determine if the application is
427 * running with elevated permissions.
428 */
429 static gboolean
430 get_caller_of_elevated_trust_code (MonoMethod *m, gint32 no, gint32 ilo, gboolean managed, gpointer data)
431 {
434 /* skip unmanaged frames and wrappers */
438 /* end stack walk if we find ourselves outside platform code (we won't find critical code anymore) */
442 }
445 /* while depth == 0 look for SecurityManager::[Check|Ensure]ElevatedPermissions */
451 if ((strcmp (m->name, "EnsureElevatedPermissions")) && strcmp (m->name, "CheckElevatedPermissions"))
455 /* while depth == 1 look for the caller to SecurityManager::[Check|Ensure]ElevatedPermissions */
457 /* this frame is [SecuritySafeCritical] because it calls [SecurityCritical] [Check|Ensure]ElevatedPermissions */
458 /* the next frame will contain the caller(s) we want to check */
461 /* while depth >= 2 look for [safe]critical caller, end stack walk if we find it */
464 /* if the caller is transparent then we continue the stack walk */
468 /* Security[Safe]Critical code is always allowed to call elevated-trust code */
471 }
474 }
476 /*
477 * mono_security_core_clr_require_elevated_permissions:
478 *
479 * Return TRUE if the caller of the current method (the code who
480 * called SecurityManager.get_RequiresElevatedPermissions) needs
481 * elevated trust to perform an action.
482 *
483 * A stack walk is done to find the callers. If one of the callers
484 * is either [SecurityCritical] or [SecuritySafeCritical] then the
485 * action is needed for platform code (i.e. no restriction).
486 * Otherwise (transparent) the requested action needs elevated trust
487 */
488 gboolean
490 {
491 ElevatedTrustCookie cookie;
496 /* return TRUE if the stack walk did not reach far enough or did not find callers */
500 /* return TRUE if the caller is transparent, i.e. if elevated trust is required to continue executing the method */
501 return (mono_security_core_clr_method_level (cookie.caller, TRUE) == MONO_SECURITY_CORE_CLR_TRANSPARENT);
502 }
505 /*
506 * check_field_access:
507 *
508 * Return TRUE if the caller method can access the specified field, FALSE otherwise.
509 */
510 static gboolean
512 {
513 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
515 MonoError error;
518 /* this check can occur before the field's type is resolved (and that can fail) */
523 }
525 klass = (mono_field_get_flags (field) & FIELD_ATTRIBUTE_STATIC) ? NULL : mono_field_get_parent (field);
527 }
529 }
531 /*
532 * check_method_access:
533 *
534 * Return TRUE if the caller method can access the specified callee method, FALSE otherwise.
535 */
536 static gboolean
538 {
539 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
543 }
545 }
547 /*
548 * get_argument_exception
549 *
550 * Helper function to create an MonoException (ArgumentException in
551 * managed-land) and provide a descriptive message for it. This
552 * message is also, optionally, being logged (export
553 * MONO_LOG_MASK="security") for debugging purposes.
554 */
557 {
570 }
572 /*
573 * get_field_access_exception
574 *
575 * Helper function to create an MonoException (FieldAccessException
576 * in managed-land) and provide a descriptive message for it. This
577 * message is also, optionally, being logged (export
578 * MONO_LOG_MASK="security") for debugging purposes.
579 */
582 {
595 }
597 /*
598 * get_method_access_exception
599 *
600 * Helper function to create an MonoException (MethodAccessException
601 * in managed-land) and provide a descriptive message for it. This
602 * message is also, optionally, being logged (export
603 * MONO_LOG_MASK="security") for debugging purposes.
604 */
607 {
620 }
622 /*
623 * mono_security_core_clr_ensure_reflection_access_field:
624 *
625 * Ensure that the specified field can be used with reflection since
626 * Transparent code cannot access to Critical fields and can only use
627 * them if they are visible from it's point of view.
628 *
629 * Returns TRUE if acess is allowed. Otherwise returns FALSE and sets @error to a FieldAccessException if the field is cannot be accessed.
630 */
631 gboolean
633 {
636 /* CoreCLR restrictions applies to Transparent code/caller */
643 }
645 /* Transparent code cannot [get|set]value on Critical fields */
646 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) == MONO_SECURITY_CORE_CLR_CRITICAL) {
651 }
653 /* also it cannot access a fields that is not visible from it's (caller) point of view */
659 }
661 }
663 /*
664 * mono_security_core_clr_ensure_reflection_access_method:
665 *
666 * Ensure that the specified method can be used with reflection since
667 * Transparent code cannot call Critical methods and can only call them
668 * if they are visible from it's point of view.
669 *
670 * If access is allowed returns TRUE. Returns FALSE and sets @error to a MethodAccessException if the field is cannot be accessed.
671 */
672 gboolean
674 {
677 /* CoreCLR restrictions applies to Transparent code/caller */
684 }
686 /* Transparent code cannot invoke, even using reflection, Critical code */
692 }
694 /* also it cannot invoke a method that is not visible from it's (caller) point of view */
700 }
702 }
704 /*
705 * can_avoid_corlib_reflection_delegate_optimization:
706 *
707 * Mono's mscorlib use delegates to optimize PropertyInfo and EventInfo
708 * reflection calls. This requires either a bunch of additional, and not
709 * really required, [SecuritySafeCritical] in the class libraries or
710 * (like this) a way to skip them. As a bonus we also avoid the stack
711 * walk to find the caller.
712 *
713 * Return TRUE if we can skip this "internal" delegate creation, FALSE
714 * otherwise.
715 */
716 static gboolean
718 {
726 if ((strcmp (method->name, "GetterAdapterFrame") == 0) || strcmp (method->name, "StaticGetterAdapterFrame") == 0)
729 if ((strcmp (method->name, "AddEventFrame") == 0) || strcmp (method->name, "StaticAddEventAdapterFrame") == 0)
731 }
734 }
736 /*
737 * mono_security_core_clr_ensure_delegate_creation:
738 *
739 * Return TRUE if a delegate can be created on the specified
740 * method. CoreCLR can also affect the binding, this function may
741 * return (FALSE) and set @error to an ArgumentException.
742 *
743 * @error is set to a MethodAccessException if the specified method is not
744 * visible from the caller point of view.
745 */
746 gboolean
748 {
753 /* note: mscorlib creates delegates to avoid reflection (optimization), we ignore those cases */
758 /* if the "real" caller is not Transparent then it do can anything */
762 /* otherwise it (as a Transparent caller) cannot create a delegate on a Critical method... */
768 }
773 }
775 /* also it cannot create the delegate on a method that is not visible from it's (caller) point of view */
781 }
784 }
786 /*
787 * mono_security_core_clr_ensure_dynamic_method_resolved_object:
788 *
789 * Called from mono_reflection_create_dynamic_method (reflection.c) to add some extra checks required for CoreCLR.
790 * Dynamic methods needs to check to see if the objects being used (e.g. methods, fields) comes from platform code
791 * and do an accessibility check in this case. Otherwise (i.e. user/application code) can be used without this extra
792 * accessbility check.
793 */
794 MonoException*
795 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
796 {
797 /* XXX find/create test cases for other handle_class XXX */
801 /* fields coming from platform code have extra protection (accessibility check) */
804 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
809 }
810 }
813 /* methods coming from platform code have extra protection (accessibility check) */
816 /* XXX Critical code probably can do this / need some test cases (safer off otherwise) XXX */
821 }
822 }
823 }
825 }
827 /*
828 * mono_security_core_clr_can_access_internals
829 *
830 * Check if we allow [InternalsVisibleTo] to work between two images.
831 */
832 gboolean
834 {
835 /* are we trying to access internals of a platform assembly ? if not this is acceptable */
839 /* we can't let everyone with the right name and public key token access the internals of platform code.
840 * (Silverlight can rely on the strongname signature of the assemblies, but Mono does not verify them)
841 * However platform code is fully trusted so it can access the internals of other platform code assemblies */
845 /* catch-22: System.Xml needs access to mscorlib's internals (e.g. ArrayList) but is not considered platform code.
846 * Promoting it to platform code would create another issue since (both Mono/Moonlight or MS version of)
847 * System.Xml.Linq.dll (an SDK, not platform, assembly) needs access to System.Xml.dll internals (either ).
848 * The solution is to trust, even transparent code, in the plugin directory to access platform code internals */
852 }
854 /*
855 * mono_security_core_clr_is_field_access_allowed
856 *
857 * Return a MonoException (FieldccessException in managed-land) if
858 * the access from "caller" to "field" is not valid under CoreCLR -
859 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
860 * field.
861 */
862 MonoException*
864 {
865 /* there's no restriction to access Transparent or SafeCritical fields, so we only check calls to Critical methods */
866 if (mono_security_core_clr_class_level (mono_field_get_parent (field)) != MONO_SECURITY_CORE_CLR_CRITICAL)
869 /* caller is Critical! only SafeCritical and Critical callers can access the field, so we throw if caller is Transparent */
870 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
876 }
878 /*
879 * mono_security_core_clr_is_call_allowed
880 *
881 * Return a MonoException (MethodAccessException in managed-land) if
882 * the call from "caller" to "callee" is not valid under CoreCLR -
883 * i.e. a [SecurityTransparent] method calling a [SecurityCritical]
884 * method.
885 */
886 MonoException*
888 {
889 /* there's no restriction to call Transparent or SafeCritical code, so we only check calls to Critical methods */
893 /* callee is Critical! only SafeCritical and Critical callers can call it, so we throw if the caller is Transparent */
894 if (!caller || (mono_security_core_clr_method_level (caller, TRUE) != MONO_SECURITY_CORE_CLR_TRANSPARENT))
900 }
902 /*
903 * mono_security_core_clr_level_from_cinfo:
904 *
905 * Return the MonoSecurityCoreCLRLevel that match the attribute located
906 * in the specified custom attributes. If no attribute is present it
907 * defaults to MONO_SECURITY_CORE_CLR_TRANSPARENT, which is the default
908 * level for all code under the CoreCLR.
909 */
910 static MonoSecurityCoreCLRLevel
912 {
921 }
923 /*
924 * mono_security_core_clr_class_level_no_platform_check:
925 *
926 * Return the MonoSecurityCoreCLRLevel for the specified class, without
927 * checking for platform code. This help us avoid multiple redundant
928 * checks, e.g.
929 * - a check for the method and one for the class;
930 * - a check for the class and outer class(es) ...
931 */
932 static MonoSecurityCoreCLRLevel
934 {
940 }
946 }
948 /*
949 * mono_security_core_clr_class_level:
950 *
951 * Return the MonoSecurityCoreCLRLevel for the specified class.
952 */
953 MonoSecurityCoreCLRLevel
955 {
956 /* non-platform code is always Transparent - whatever the attributes says */
961 }
963 /*
964 * mono_security_core_clr_field_level:
965 *
966 * Return the MonoSecurityCoreCLRLevel for the specified field.
967 * If with_class_level is TRUE then the type (class) will also be
968 * checked, otherwise this will only report the information about
969 * the field itself.
970 */
971 MonoSecurityCoreCLRLevel
973 {
977 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
981 /* non-platform code is always Transparent - whatever the attributes says */
982 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (field->parent->image))
989 }
995 }
997 /*
998 * mono_security_core_clr_method_level:
999 *
1000 * Return the MonoSecurityCoreCLRLevel for the specified method.
1001 * If with_class_level is TRUE then the type (class) will also be
1002 * checked, otherwise this will only report the information about
1003 * the method itself.
1004 */
1005 MonoSecurityCoreCLRLevel
1007 {
1011 /* if get_reflection_caller returns NULL then we assume the caller has NO privilege */
1015 /* non-platform code is always Transparent - whatever the attributes says */
1016 if (!mono_security_core_clr_test && !mono_security_core_clr_is_platform_image (method->klass->image))
1023 }
1029 }
1031 /*
1032 * mono_security_enable_core_clr:
1033 *
1034 * Enable the verifier and the CoreCLR security model
1035 */
1036 void
1038 {
1041 }
1043 #else
1045 void
1047 {
1048 }
1050 void
1051 mono_security_core_clr_check_override (MonoClass *klass, MonoMethod *override, MonoMethod *base)
1052 {
1053 }
1055 gboolean
1057 {
1059 }
1061 gboolean
1062 mono_security_core_clr_ensure_reflection_access_field (MonoClassField *field, MonoError *error)
1063 {
1066 }
1068 gboolean
1070 {
1073 }
1075 gboolean
1077 {
1080 }
1082 MonoException*
1083 mono_security_core_clr_ensure_dynamic_method_resolved_object (gpointer ref, MonoClass *handle_class)
1084 {
1086 }
1088 gboolean
1090 {
1092 }
1094 MonoException*
1096 {
1098 }
1100 MonoException*
1102 {
1104 }
1106 MonoSecurityCoreCLRLevel
1108 {
1110 }
1112 MonoSecurityCoreCLRLevel
1114 {
1116 }
1118 MonoSecurityCoreCLRLevel
1120 {
1122 }
1124 void
1126 {
1127 }