Add a command which gets the System Lockdown mode information #23799

Open
TravisEz13 opened this issue May 14, 2024 · 2 comments
Labels
Issue-Enhancement the issue is more of a feature request than a bug Needs-Triage The issue is new and needs to be triaged by a work group. WG-Cmdlets general cmdlet issues WG-Reviewed A Working Group has reviewed this and made a recommendation WG-Security security related areas such as JEA


@TravisEz13

Summary of the new feature / enhancement

We should have a command which gets all the Lockdown mode information: the Lockdown Policy, the current language mode, and the startup language mode of the session.

  • A module may not want to support lockdown mode; it would need to know the policy to implement that, as the customer may mark the script as trusted and cause it to run in FLM. Perhaps because it cannot be implemented without arbitrary code execution issues.
  • Although the current language mode can be gotten, it would be good to have all the information from one place.
  • The initial language mode can be anything in a hosted environment. I don't have a use for this right now, but I don't see any reason to exclude it right now. It might be useful for testing that hosted environments in lockdown machines are created correctly.

```
> get-lockdowninfo
LockdownPolicy CurrentLanguageMode InitialLanguageMode
-------------- ------------------- -------------------
None           FullLanguage        FullLanguage
```

Proposed technical implementation details (optional)

Here is a script which gets the information, but the actual one should be in C#, in PowerShell, so that it works when in lockdown mode.

```powershell
# Result object: one property per column of the proposed output.
class LockdownInfo {
	[string]$LockdownPolicy
	[string]$CurrentLanguageMode
	[string]$InitialLanguageMode
	LockdownInfo([string]$policy, [string]$clm, [string]$ilm) {
		$this.LockdownPolicy = $policy
		$this.CurrentLanguageMode = $clm
		$this.InitialLanguageMode = $ilm
	}
}
# Look up SystemPolicy in the System.Management.Automation assembly via reflection.
$spType = [psobject].assembly.GetType("System.Management.Automation.Security.SystemPolicy")
$slpMethod = $spType.GetMethod("GetSystemLockdownPolicy")
# Static method with no parameters, so both the instance and the argument list are $null.
$lockdownPolicySetting = $slpMethod.Invoke($null, $null)
# Language mode of the running session and the mode it was created with.
$currentLM = $ExecutionContext.Host.Runspace.LanguageMode
$initialLM = $ExecutionContext.Host.Runspace.InitialSessionState.LanguageMode
[LockdownInfo]::new($lockdownPolicySetting, $currentLM, $initialLM)
```
@TravisEz13 TravisEz13 added Issue-Enhancement the issue is more of a feature request than a bug WG-Security security related areas such as JEA Needs-Triage The issue is new and needs to be triaged by a work group. WG-NeedsReview Needs a review by the labeled Working Group labels May 14, 2024
@JamesWTruher JamesWTruher added the WG-Cmdlets general cmdlet issues label May 14, 2024
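
One way the compiled command requested above could look, as an added example (not code from the PowerShell repository or from the issue author): a binary cmdlet built against the public System.Management.Automation API. The cmdlet name follows the issue's sample output; the namespace, class names, and the use of `SessionState.LanguageMode` for the current mode are assumptions of this example.

```csharp
// Added example: hypothetical binary cmdlet, not the project's implementation.
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Management.Automation.Security;

namespace LockdownInfoExample   // hypothetical namespace
{
    // Output shape mirrors the three columns in the issue's sample output.
    public sealed class LockdownInfo
    {
        public SystemEnforcementMode LockdownPolicy { get; set; }
        public PSLanguageMode CurrentLanguageMode { get; set; }
        // Null when the executing runspace exposes no InitialSessionState.
        public PSLanguageMode? InitialLanguageMode { get; set; }
    }

    [Cmdlet(VerbsCommon.Get, "LockdownInfo")]
    [OutputType(typeof(LockdownInfo))]
    public sealed class GetLockdownInfoCommand : PSCmdlet
    {
        protected override void EndProcessing()
        {
            // Compiled cmdlet code is not restricted by the session's language
            // mode, so this direct call needs no reflection and behaves the
            // same in a ConstrainedLanguage session as in a FullLanguage one.
            SystemEnforcementMode policy = SystemPolicy.GetSystemLockdownPolicy();

            // Language mode in effect where the cmdlet was invoked.
            // (The issue's script reads it from $ExecutionContext.Host.Runspace.)
            PSLanguageMode current = SessionState.LanguageMode;

            // Mode the runspace was created with. In a hosted environment the
            // host chooses it, so it can differ from the system policy.
            Runspace runspace = Runspace.DefaultRunspace;
            PSLanguageMode? initial = runspace?.InitialSessionState?.LanguageMode;

            WriteObject(new LockdownInfo
            {
                LockdownPolicy = policy,
                CurrentLanguageMode = current,
                InitialLanguageMode = initial
            });
        }
    }
}
```

The properties are typed as enums rather than strings so that a calling module can compare `LockdownPolicy` against `SystemEnforcementMode` values directly when deciding whether to run.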
@rhubarb-geek-nz

rhubarb-geek-nz commented May 15, 2024

If the language modes are unrelated to the system lockdown mode

SystemEnforcementMode
GetSystemLockdownPolicy

then I don't see why they should be returned.

Isn't this just a one-liner?

```
PS> [System.Management.Automation.Security.SystemPolicy]::GetSystemLockdownPolicy()
None
```

I would suggest it is more related to Get-ExecutionPolicy than languages.

@jdhitsolutions

Submitted for Working Group review

@SydneyhSmith SydneyhSmith added WG-Reviewed A Working Group has reviewed this and made a recommendation and removed WG-NeedsReview Needs a review by the labeled Working Group labels May 16, 2024