Struct DeclSecurity

pub struct DeclSecurity {
    pub rid: u32,
    pub token: Token,
    pub offset: usize,
    pub action: SecurityAction,
    pub parent: CilTypeReference,
    pub permission_set: Arc<PermissionSet>,
    pub custom_attributes: CustomAttributeValueList,
}

Represents a .NET CIL security declaration with fully resolved metadata and owned data

This structure contains complete security declaration information from the DeclSecurity metadata table (0x0E), with all references resolved to concrete types and permission sets. Unlike crate::metadata::tables::declsecurity::DeclSecurityRaw, this provides immediate access to security data without requiring additional lookups.

.NET Code Access Security

Security declarations in .NET implement Code Access Security (CAS), which allows code to declaratively specify required permissions or security restrictions. Declarations are applied at three levels:

1. Assembly Level: Applied to the entire assembly, often to request minimum permissions
2. Type Level: Applied to a class or interface, affecting all its members
3. Method Level: Applied to a specific method for fine-grained control

Security Actions

Security declarations specify how permissions are enforced:

• Demand: Code must have the specified permission to execute
• Assert: Code temporarily elevates permissions for trusted operations
• Deny: Code cannot use the specified permission, even if granted
• LinkDemand: Direct callers must have the permission (compile-time check)
• InheritanceDemand: Classes inheriting from this type must have permission

Reference

• ECMA-335 II.22.11 - DeclSecurity table specification

Fields

rid: u32

Row identifier within the DeclSecurity metadata table

The 1-based index of this security declaration row. Used for metadata token generation and cross-referencing with other metadata structures.

token: Token

Metadata token for this security declaration

Combines the table identifier (0x0E for DeclSecurity) with the row ID to create a unique token that can be used to reference this declaration from other metadata.

offset: usize

Byte offset of this declaration row within the metadata tables stream

Physical location of the raw security declaration data within the metadata binary format. Used for debugging and low-level metadata analysis.

action: SecurityAction

Security action specifying how the permission is enforced

Determines the enforcement behavior for the associated permission set. See crate::metadata::security::SecurityAction for available actions like Demand, Assert, Deny, etc. This controls whether permissions are checked at runtime, link time, or inheritance.

parent: CilTypeReference

Reference to the entity this security declaration applies to

Can reference a Type (TypeDef), Method (MethodDef), or Assembly through a HasDeclSecurity coded index. This determines the scope of the security declaration - whether it applies to an entire assembly, a specific type, or an individual method.

permission_set: Arc<PermissionSet>

The parsed permission set containing the security permissions

Contains the actual permissions being declared, parsed from the raw permission blob in the metadata. Uses Arc for efficient sharing since permission sets can be referenced from multiple contexts. See crate::metadata::security::PermissionSet for permission details.

custom_attributes: CustomAttributeValueList

Custom attributes attached to this security declaration

Contains additional metadata attributes that may provide context or modify the behavior of this security declaration. These are typically used for tooling or framework-specific annotations.

Implementations

impl DeclSecurity

pub fn is_demand(&self) -> bool

Check if this is a demand security declaration

Returns true if this declaration requires the specified permissions to be present for code execution. Demand checks are performed at runtime when the protected code is accessed.

pub fn is_assert(&self) -> bool

Check if this is an assert security declaration

Returns true if this declaration allows code to temporarily elevate permissions for trusted operations. Assert declarations enable code to perform operations that callers might not have permission for.

Security Implications

Assert declarations should be used carefully as they can bypass normal security checks. They are typically used in trusted library code that needs to perform privileged operations on behalf of less-trusted callers.

pub fn is_deny(&self) -> bool

Check if this is a deny security declaration

Returns true if this declaration prevents the use of specified permissions, even if they have been granted to the code. Deny declarations provide defense in depth by limiting the capabilities of potentially dangerous code.

pub fn is_link_demand(&self) -> bool

Check if this is a link demand security declaration

Returns true if this declaration requires direct callers to have the specified permissions. Link demands are checked at JIT compilation time rather than runtime, providing better performance for security-critical operations.

pub fn is_inheritance_demand(&self) -> bool

Check if this is an inheritance demand security declaration

Returns true if this declaration requires classes that inherit from this type to have the specified permissions. This provides security control over class inheritance hierarchies.

pub fn is_unrestricted(&self) -> bool

Check if this declaration grants unrestricted permissions

Returns true if the associated permission set allows unrestricted access to the protected resource. This is typically used for highly trusted code that needs full system access.

Security Implications

Unrestricted permissions should be granted sparingly and only to fully trusted assemblies, as they bypass most security checks.

pub fn has_file_io(&self) -> bool

Check if this declaration includes file I/O permissions

Returns true if the permission set includes file system access rights. This is useful for analyzing what file operations protected code can perform.

pub fn has_registry(&self) -> bool

Check if this declaration includes registry permissions

Returns true if the permission set includes Windows registry access rights. This helps identify code that can read or modify system registry settings.

pub fn has_reflection(&self) -> bool

Check if this declaration includes reflection permissions

Returns true if the permission set includes reflection access rights. This identifies code that can inspect or modify type metadata, invoke methods dynamically, or access private members through reflection.

Security Implications

Reflection permissions can be used to bypass normal access controls and should be carefully controlled in security-sensitive environments.

pub fn apply(&self) -> Result<()>

Apply this security declaration to its target entity

This method processes the security declaration and applies it to the appropriate entity (type, method, or assembly) by parsing the permission set and setting up the security context. The security information is stored in the target entity’s security field for runtime enforcement.

Implementation Details

The security information is set using std::sync::OnceLock::set which ensures thread-safe initialization. If security has already been set for the target entity, the operation succeeds silently without overwriting existing security configuration.

Returns

Returns Ok(()) on successful application or if security was already configured. Returns an error if the parent reference is invalid or points to an unsupported entity type.

Errors

Returns crate::Error in the following cases:

• crate::Error - When the parent reference is not a valid target type
• crate::Error - When weak references to parent entities cannot be upgraded