345 lines
18 KiB
C#
345 lines
18 KiB
C#
// ==++==
|
|
//
|
|
// Copyright (c) Microsoft Corporation. All rights reserved.
|
|
//
|
|
// ==--==
|
|
//
|
|
// <OWNER>[....]</OWNER>
|
|
//
|
|
|
|
using System;
|
|
using System.Diagnostics.Contracts;
|
|
using System.Security.Permissions;
|
|
using Microsoft.Win32;
|
|
|
|
namespace System.Security
|
|
{
|
|
internal static class BuiltInPermissionSets
|
|
{
|
|
//
|
|
// Raw PermissionSet XML - the built in permission sets are expressed in XML form since they contain
|
|
// permissions from assemblies other than mscorlib.
|
|
//
|
|
|
|
private static readonly string s_everythingXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""Everything""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_Everything") + @"""
|
|
<IPermission class = ""System.Data.OleDb.OleDbPermission, " + AssemblyRef.SystemData + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Data.SqlClient.SqlClientPermission, " + AssemblyRef.SystemData + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Diagnostics.PerformanceCounterPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Net.DnsPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Net.SocketPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Net.WebPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.DataProtectionPermission, " + AssemblyRef.SystemSecurity + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.EnvironmentPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Diagnostics.EventLogPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.FileDialogPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.FileIOPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.IsolatedStorageFilePermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.KeyContainerPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Drawing.Printing.PrintingPermission, " + AssemblyRef.SystemDrawing + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.ReflectionPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.RegistryPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.SecurityPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""Assertion, UnmanagedCode, Execution, ControlThread, ControlEvidence, ControlPolicy, ControlAppDomain, SerializationFormatter, ControlDomainPolicy, ControlPrincipal, RemotingConfiguration, Infrastructure, BindingRedirects"" />
|
|
<IPermission class = ""System.Security.Permissions.UIPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.StorePermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.TypeDescriptorPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
</PermissionSet>";
|
|
|
|
private static readonly string s_executionXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""Execution""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_Execution") + @""">
|
|
<IPermission class = ""System.Security.Permissions.SecurityPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""Execution"" />
|
|
</PermissionSet>";
|
|
|
|
private static readonly string s_fullTrustXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Unrestricted = ""true""
|
|
Name = ""FullTrust""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_FullTrust") + @""" />";
|
|
|
|
private static readonly string s_internetXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""Internet""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_Internet") + @""">
|
|
<IPermission class = ""System.Drawing.Printing.PrintingPermission, " + AssemblyRef.SystemDrawing + @"""
|
|
version = ""1""
|
|
Level = ""SafePrinting"" />
|
|
<IPermission class = ""System.Security.Permissions.FileDialogPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Access = ""Open"" />
|
|
<IPermission class = ""System.Security.Permissions.IsolatedStorageFilePermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
UserQuota = ""1024000""
|
|
Allowed = ""ApplicationIsolationByUser"" />
|
|
<IPermission class = ""System.Security.Permissions.SecurityPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""Execution"" />
|
|
<IPermission class = ""System.Security.Permissions.UIPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Window = ""SafeTopLevelWindows""
|
|
Clipboard = ""OwnClipboard"" />
|
|
</PermissionSet>";
|
|
|
|
private static readonly string s_localIntranetXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""LocalIntranet""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_LocalIntranet") + @""" >
|
|
<IPermission class = ""System.Drawing.Printing.PrintingPermission, " + AssemblyRef.SystemDrawing + @"""
|
|
version = ""1""
|
|
Level = ""DefaultPrinting"" />
|
|
<IPermission class = ""System.Net.DnsPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.EnvironmentPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Read = ""USERNAME"" />
|
|
<IPermission class = ""System.Security.Permissions.FileDialogPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.IsolatedStorageFilePermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Allowed = ""AssemblyIsolationByUser""
|
|
UserQuota = ""9223372036854775807""
|
|
Expiry = ""9223372036854775807""
|
|
Permanent = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.ReflectionPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""ReflectionEmit, RestrictedMemberAccess"" />
|
|
<IPermission class = ""System.Security.Permissions.SecurityPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""Execution, Assertion, BindingRedirects "" />
|
|
<IPermission class = ""System.Security.Permissions.TypeDescriptorPermission, " + AssemblyRef.System + @"""
|
|
version = ""1""
|
|
Flags = ""RestrictedRegistrationAccess"" />
|
|
<IPermission class = ""System.Security.Permissions.UIPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
</PermissionSet>";
|
|
|
|
private static readonly string s_nothingXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""Nothing""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_Nothing") + @""" />";
|
|
|
|
private static readonly string s_skipVerificationXml =
|
|
@"<PermissionSet class = ""System.Security.NamedPermissionSet""
|
|
version = ""1""
|
|
Name = ""SkipVerification""
|
|
Description = """ + Environment.GetResourceString("Policy_PS_SkipVerification") + @""">
|
|
<IPermission class = ""System.Security.Permissions.SecurityPermission, " + AssemblyRef.Mscorlib + @"""
|
|
version = ""1""
|
|
Flags = ""SkipVerification"" />
|
|
</PermissionSet>";
|
|
|
|
#if FEATURE_CAS_POLICY
|
|
private const string s_wpfExtensionXml =
|
|
@"<PermissionSet class = ""System.Security.PermissionSet""
|
|
version = ""1"">
|
|
<IPermission class = ""System.Security.Permissions.MediaPermission, " + AssemblyRef.WindowsBase + @"""
|
|
version = ""1""
|
|
Audio=""SafeAudio"" Video=""SafeVideo"" Image=""SafeImage"" />
|
|
<IPermission class = ""System.Security.Permissions.WebBrowserPermission, " + AssemblyRef.WindowsBase + @"""
|
|
version = ""1""
|
|
Level=""Safe"" />
|
|
</PermissionSet>";
|
|
|
|
private const string s_wpfExtensionUnrestrictedXml =
|
|
@"<PermissionSet class = ""System.Security.PermissionSet""
|
|
version = ""1"">
|
|
<IPermission class = ""System.Security.Permissions.MediaPermission, " + AssemblyRef.WindowsBase + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
<IPermission class = ""System.Security.Permissions.WebBrowserPermission, " + AssemblyRef.WindowsBase + @"""
|
|
version = ""1""
|
|
Unrestricted = ""true"" />
|
|
</PermissionSet>";
|
|
#endif //FEATURE_CAS_POLICY
|
|
|
|
//
|
|
// Built in permission set objects
|
|
//
|
|
|
|
private static NamedPermissionSet s_everything;
|
|
private static NamedPermissionSet s_execution;
|
|
private static NamedPermissionSet s_fullTrust;
|
|
private static NamedPermissionSet s_internet;
|
|
private static NamedPermissionSet s_localIntranet;
|
|
private static NamedPermissionSet s_nothing;
|
|
private static NamedPermissionSet s_skipVerification;
|
|
|
|
//
|
|
// Standard permission sets
|
|
//
|
|
|
|
internal static NamedPermissionSet Everything
|
|
{
|
|
get { return GetOrDeserializeExtendablePermissionSet(ref s_everything, s_everythingXml
|
|
#if FEATURE_CAS_POLICY
|
|
, s_wpfExtensionUnrestrictedXml
|
|
#endif // FEATURE_CAS_POLICY
|
|
); }
|
|
}
|
|
|
|
internal static NamedPermissionSet Execution
|
|
{
|
|
get { return GetOrDeserializePermissionSet(ref s_execution, s_executionXml); }
|
|
}
|
|
|
|
internal static NamedPermissionSet FullTrust
|
|
{
|
|
get { return GetOrDeserializePermissionSet(ref s_fullTrust, s_fullTrustXml); }
|
|
}
|
|
|
|
internal static NamedPermissionSet Internet
|
|
{
|
|
get { return GetOrDeserializeExtendablePermissionSet(ref s_internet, s_internetXml
|
|
#if FEATURE_CAS_POLICY
|
|
, s_wpfExtensionXml
|
|
#endif // FEATURE_CAS_POLICY
|
|
); }
|
|
}
|
|
|
|
internal static NamedPermissionSet LocalIntranet
|
|
{
|
|
get { return GetOrDeserializeExtendablePermissionSet(ref s_localIntranet, s_localIntranetXml
|
|
#if FEATURE_CAS_POLICY
|
|
, s_wpfExtensionXml
|
|
#endif // FEATURE_CAS_POLICY
|
|
); }
|
|
}
|
|
|
|
internal static NamedPermissionSet Nothing
|
|
{
|
|
get { return GetOrDeserializePermissionSet(ref s_nothing, s_nothingXml); }
|
|
}
|
|
|
|
internal static NamedPermissionSet SkipVerification
|
|
{
|
|
get { return GetOrDeserializePermissionSet(ref s_skipVerification, s_skipVerificationXml); }
|
|
}
|
|
|
|
//
|
|
// Utility methods to construct the permission set objects from the well known XML and any permission
|
|
// set extensions if necessary
|
|
//
|
|
|
|
private static NamedPermissionSet GetOrDeserializeExtendablePermissionSet(ref NamedPermissionSet permissionSet,
|
|
string permissionSetXml
|
|
#if FEATURE_CAS_POLICY
|
|
,string extensionXml
|
|
#endif // FEATURE_CAS_POLICY
|
|
)
|
|
{
|
|
Contract.Requires(!String.IsNullOrEmpty(permissionSetXml));
|
|
#if FEATURE_CAS_POLICY
|
|
Contract.Requires(!String.IsNullOrEmpty(extensionXml));
|
|
#endif // FEATURE_CAS_POLICY
|
|
|
|
if (permissionSet == null)
|
|
{
|
|
#if FEATURE_CAS_POLICY
|
|
SecurityElement securityElement = SecurityElement.FromString(permissionSetXml);
|
|
NamedPermissionSet deserializedPermissionSet = new NamedPermissionSet(securityElement);
|
|
|
|
PermissionSet extensions = GetPermissionSetExtensions(extensionXml);
|
|
deserializedPermissionSet.InplaceUnion(extensions);
|
|
|
|
permissionSet = deserializedPermissionSet;
|
|
#endif // FEATURE_CAS_POLICY
|
|
}
|
|
|
|
return permissionSet.Copy() as NamedPermissionSet;
|
|
}
|
|
|
|
private static NamedPermissionSet GetOrDeserializePermissionSet(ref NamedPermissionSet permissionSet,
|
|
string permissionSetXml)
|
|
{
|
|
Contract.Assert(!String.IsNullOrEmpty(permissionSetXml));
|
|
|
|
#if FEATURE_CAS_POLICY
|
|
if (permissionSet == null)
|
|
{
|
|
SecurityElement securityElement = SecurityElement.FromString(permissionSetXml);
|
|
NamedPermissionSet deserializedPermissionSet = new NamedPermissionSet(securityElement);
|
|
|
|
permissionSet = deserializedPermissionSet;
|
|
}
|
|
#endif // FEATURE_CAS_POLICY
|
|
|
|
return permissionSet.Copy() as NamedPermissionSet;
|
|
}
|
|
|
|
#if FEATURE_CAS_POLICY
|
|
private static PermissionSet GetPermissionSetExtensions(string extensionXml)
|
|
{
|
|
Contract.Requires(!String.IsNullOrEmpty(extensionXml));
|
|
|
|
SecurityElement se = SecurityElement.FromString(extensionXml);
|
|
|
|
// Return the permission set extension only if WPF is in the present framework profile.
|
|
// XMLUtil.GetClassFromElement() helps do the quickest check, with no exception thrown and
|
|
// minimal parsing.
|
|
SecurityElement firstPermission = (SecurityElement)se.Children[0];
|
|
if (System.Security.Util.XMLUtil.GetClassFromElement(firstPermission, /*ignoreTypeLoadFailures*/true) != null)
|
|
{
|
|
PermissionSet extensions = new NamedPermissionSet(se);
|
|
return extensions;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
#endif // FEATURE_CAS_POLICY
|
|
}
|
|
}
|