17 changes: 16 additions & 1 deletion src/System.Management.Automation/security/SecuritySupport.cs
Expand Up @@ -477,6 +477,8 @@ private static string GetLocalPreferenceValue(string shellId, ExecutionPolicySco

#endregion execution policy

private static bool _saferIdentifyLevelApiSupported = true;

/// <summary>
/// Get the pass / fail result of calling the SAFER API
/// </summary>
Expand All @@ -489,6 +491,11 @@ internal static SaferPolicy GetSaferPolicy(string path, SafeHandle handle)
{
SaferPolicy status = SaferPolicy.Allowed;

if (!_saferIdentifyLevelApiSupported)
{
return status;
}

SAFER_CODE_PROPERTIES codeProperties = new SAFER_CODE_PROPERTIES();
IntPtr hAuthzLevel;

Expand Down Expand Up @@ -555,7 +562,15 @@ internal static SaferPolicy GetSaferPolicy(string path, SafeHandle handle)
}
else
{
throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
int lastError = Marshal.GetLastWin32Error();
if (lastError == NativeConstants.FUNCTION_NOT_SUPPORTED)
{
_saferIdentifyLevelApiSupported = false;
}
else
{
throw new System.ComponentModel.Win32Exception(lastError);
}
}

return status;
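Review bot: A `FUNCTION_NOT_SUPPORTED` result in the new `else` branch fails open. `status` stays at `SaferPolicy.Allowed` and `_saferIdentifyLevelApiSupported` is set to false, so every later call takes the early return and reports Allowed for the rest of the process without consulting SAFER again. Nothing in the code says why that is acceptable, so I would document it on the field, e.g. `// Cleared once the SAFER call reports error 120 (API absent on this SKU); GetSaferPolicy then returns Allowed without calling the API.`, and emit a trace message the first time the flag flips so the skipped policy check is visible to whoever audits the host. The field is a plain static written without synchronization; that looks harmless because it only ever goes from true to false, but the comment should say so. The native call that produces the error and the rest of GetSaferPolicy are outside these hunks.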
47 changes: 47 additions & 0 deletions src/System.Management.Automation/security/nativeMethods.cs
Expand Up @@ -24,68 +24,115 @@ internal partial class NativeConstants
// Safer native constants
internal partial class NativeConstants
{
/// <Summary>
/// SAFER_TOKEN_NULL_IF_EQUAL -> 0x00000001
/// </Summary>
public const int SAFER_TOKEN_NULL_IF_EQUAL = 1;

/// <Summary>
/// SAFER_TOKEN_COMPARE_ONLY -> 0x00000002
/// </Summary>
public const int SAFER_TOKEN_COMPARE_ONLY = 2;

/// <Summary>
/// SAFER_TOKEN_MAKE_INERT -> 0x00000004
/// </Summary>
public const int SAFER_TOKEN_MAKE_INERT = 4;

/// <Summary>
/// SAFER_CRITERIA_IMAGEPATH -> 0x00001
/// </Summary>
public const int SAFER_CRITERIA_IMAGEPATH = 1;

/// <Summary>
/// SAFER_CRITERIA_NOSIGNEDHASH -> 0x00002
/// </Summary>
public const int SAFER_CRITERIA_NOSIGNEDHASH = 2;

/// <Summary>
/// SAFER_CRITERIA_IMAGEHASH -> 0x00004
/// </Summary>
public const int SAFER_CRITERIA_IMAGEHASH = 4;

/// <Summary>
/// SAFER_CRITERIA_AUTHENTICODE -> 0x00008
/// </Summary>
public const int SAFER_CRITERIA_AUTHENTICODE = 8;

/// <Summary>
/// SAFER_CRITERIA_URLZONE -> 0x00010
/// </Summary>
public const int SAFER_CRITERIA_URLZONE = 16;

/// <Summary>
/// SAFER_CRITERIA_IMAGEPATH_NT -> 0x01000
/// </Summary>
public const int SAFER_CRITERIA_IMAGEPATH_NT = 4096;

/// <Summary>
/// WTD_UI_NONE -> 0x00002
/// </Summary>
public const int WTD_UI_NONE = 2;

/// <Summary>
/// S_OK -> ((HRESULT)0L)
/// </Summary>
public const int S_OK = 0;

/// <Summary>
/// S_FALSE -> ((HRESULT)1L)
/// </Summary>
public const int S_FALSE = 1;

/// <Summary>
/// ERROR_MORE_DATA -> 234L
/// </Summary>
public const int ERROR_MORE_DATA = 234;

/// <Summary>
/// ERROR_ACCESS_DISABLED_BY_POLICY -> 1260L
/// </Summary>
public const int ERROR_ACCESS_DISABLED_BY_POLICY = 1260;

/// <Summary>
/// ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY -> 786L
/// </Summary>
public const int ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY = 786;

/// <Summary>
/// SAFER_MAX_HASH_SIZE -> 64
/// </Summary>
public const int SAFER_MAX_HASH_SIZE = 64;

/// <Summary>
/// SRP_POLICY_SCRIPT -> L"SCRIPT"
/// </Summary>
public const string SRP_POLICY_SCRIPT = "SCRIPT";

/// <Summary>
/// SIGNATURE_DISPLAYNAME_LENGTH -> MAX_PATH
/// </Summary>
internal const int SIGNATURE_DISPLAYNAME_LENGTH = NativeConstants.MAX_PATH;

/// <Summary>
/// SIGNATURE_PUBLISHER_LENGTH -> 128
/// </Summary>
internal const int SIGNATURE_PUBLISHER_LENGTH = 128;

/// <Summary>
/// SIGNATURE_HASH_LENGTH -> 64
/// </Summary>
internal const int SIGNATURE_HASH_LENGTH = 64;

/// <Summary>
/// MAX_PATH -> 260
/// </Summary>
internal const int MAX_PATH = 260;

/// <Summary>
/// This function is not supported on this system
/// </Summary>
internal const int FUNCTION_NOT_SUPPORTED = 120;
}

/// <summary>
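Review bot: The constant at the end of NativeConstants is named `FUNCTION_NOT_SUPPORTED`, while every other entry in the class carries its Win32 header name and a `NAME -> value` summary. Win32 error 120 is `ERROR_CALL_NOT_IMPLEMENTED`, so naming it that, with `/// ERROR_CALL_NOT_IMPLEMENTED -> 120L` as the summary, would keep it searchable against the SDK headers. That matters more than usual here because this value is what switches the SAFER check in GetSaferPolicy off. Separately, the doc tags shown in this section are spelled `<Summary>`; XML tag names are case-sensitive and the file uses `<summary>` further down, so they should be lower-case to be picked up by documentation tooling.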
14 changes: 12 additions & 2 deletions src/powershell-native/Install-PowerShellRemoting.ps1
Expand Up @@ -124,7 +124,7 @@ function Install-PluginEndpoint {
# #
######################

if ($PsCmdlet.ParameterSetName -eq "ByPath")
if ($PowerShellHome -ne $null)
{
$targetPsHome = $PowerShellHome
$targetPsVersion = & "$targetPsHome\pwsh" -NoProfile -Command '$PSVersionTable.PSVersion.ToString()'
Expand All @@ -135,6 +135,7 @@ function Install-PluginEndpoint {
$targetPsHome = $PSHOME
$targetPsVersion = $PSVersionTable.PSVersion.ToString()
}
Write-Verbose "PowerShellHome: $targetPsHome" -Verbose

# For default, not tied to the specific version endpoint, we apply
# only first number in the PSVersion string to the endpoint name.
Expand Down Expand Up @@ -163,7 +164,16 @@ function Install-PluginEndpoint {
return
}

$pluginBasePath = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::Windows) + "\System32\PowerShell") $targetPsVersion
if ($PSVersionTable.PSVersion -lt "6.0")
{
# This script is primarily used from Windows PowerShell for Win10 IoT and NanoServer to setup PSCore6 remoting endpoint
# so it's ok to hardcode to 'C:\Windows' for those systems
$pluginBasePath = Join-Path "C:\Windows\System32\PowerShell" $targetPsVersion
}
else
{
$pluginBasePath = Join-Path ([System.Environment]::GetFolderPath([System.Environment+SpecialFolder]::Windows) + "\System32\PowerShell") $targetPsVersion
}

$resolvedPluginAbsolutePath = ""
if (! (Test-Path $pluginBasePath))
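Review bot: The new test `if ($PowerShellHome -ne $null)` in Install-PluginEndpoint may be true even when the caller did not pass a path. The parameter declaration is outside the hunk, but if it is typed `[string]` an unbound value is an empty string rather than `$null`. In that case `& "$targetPsHome\pwsh"` would resolve to `\pwsh` on the current drive and run whatever is there, in a script that installs a remoting endpoint under System32. I would make the check explicit with `if (-not [string]::IsNullOrEmpty($PowerShellHome))`, or use `$PSBoundParameters.ContainsKey('PowerShellHome')`. In the last hunk, `$env:SystemRoot` is also available in Windows PowerShell and would avoid hardcoding `C:\Windows` for the plugin directory.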