平台调用安全注意事项

SecurityAction 枚举的 Assert、Deny 和 PermitOnly 成员统称为“堆栈审核修饰符”。 如果平台调用声明和 COM 接口定义语言 (IDL) 语句中将这些成员用作声明性特性,则将忽略这些成员。

平台调用示例

本节中的平台调用示例演示如何将 RegistryPermission 特性与堆栈审核修饰符一起使用。

在下面的代码示例中,SecurityAction Assert、Deny 和 PermitOnly 修饰符均被忽略。

[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
[RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
    private static extern bool CallRegistryPermissionAssert();

[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
[RegistryPermission(SecurityAction.Deny, Unrestricted = true)]
    private static extern bool CallRegistryPermissionDeny();

[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
[RegistryPermission(SecurityAction.PermitOnly, Unrestricted = true)]
    private static extern bool CallRegistryPermissionDeny();

但是,下面的示例接受 Demand 修饰符。

[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
[RegistryPermission(SecurityAction.Demand, Unrestricted = true)]
    private static extern bool CallRegistryPermissionDeny();

如果将 SecurityAction 修饰符置于包含(包装)平台 invoke 调用的类上,它们可以正常工作。

[RegistryPermission(SecurityAction.Demand, Unrestricted = true)]
public ref class PInvokeWrapper
{
public:
[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
    private static extern bool CallRegistryPermissionDeny();
};
[RegistryPermission(SecurityAction.Demand, Unrestricted = true)]
class PInvokeWrapper
{
[DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
    private static extern bool CallRegistryPermissionDeny();
}

在将 SecurityAction 修饰符置于平台 invoke 调用的调用方上的嵌套方案中,这些修饰符也可以正常工作:

{
public ref class PInvokeWrapper
public:
    [DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
    private static extern bool CallRegistryPermissionDeny();

    [RegistryPermission(SecurityAction.Demand, Unrestricted = true)]
    public static bool CallRegistryPermission()
    {
     return CallRegistryPermissionInternal();
    }
};
class PInvokeScenario
{
    [DllImport("MyClass.dll", EntryPoint = "CallRegistryPermission")]
    private static extern bool CallRegistryPermissionInternal();

    [RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
    public static bool CallRegistryPermission()
    {
     return CallRegistryPermissionInternal();
    }
}

COM 互操作示例

本节中的 COM 互操作示例演示如何将 RegistryPermission 特性与堆栈审核修饰符一起使用。

下面的 COM 互操作接口声明忽略 Assert、Deny 和 PermitOnly 修饰符,这与前一节中的平台调用示例类似。

[ComImport, Guid("12345678-43E6-43c9-9A13-47F40B338DE0")]
interface IAssertStubsItf
{
[RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
    bool CallRegistryPermission();
[FileIOPermission(SecurityAction.Assert, Unrestricted = true)]
    bool CallFileIoPermission();
}

[ComImport, Guid("12345678-43E6-43c9-9A13-47F40B338DE0")]
interface IDenyStubsItf
{
[RegistryPermission(SecurityAction.Deny, Unrestricted = true)]
    bool CallRegistryPermission();
[FileIOPermission(SecurityAction.Deny, Unrestricted = true)]
    bool CallFileIoPermission();
}

[ComImport, Guid("12345678-43E6-43c9-9A13-47F40B338DE0")]
interface IAssertStubsItf
{
[RegistryPermission(SecurityAction.PermitOnly, Unrestricted = true)]
    bool CallRegistryPermission();
[FileIOPermission(SecurityAction.PermitOnly, Unrestricted = true)]
    bool CallFileIoPermission();
}

此外,COM 互操作接口声明方案不接受 Demand 修饰符,如下面的示例所示。

[ComImport, Guid("12345678-43E6-43c9-9A13-47F40B338DE0")]
interface IDemandStubsItf
{
[RegistryPermission(SecurityAction.Demand, Unrestricted = true)]
    bool CallRegistryPermission();
[FileIOPermission(SecurityAction.Demand, Unrestricted = true)]
    bool CallFileIoPermission();
}

请参见

参考

SecurityAction

概念

安全权限

在托管代码中创建原型

使用非托管 DLL 函数

其他资源

与非托管代码交互操作

互操作性