Export (0) Print
Expand All
Expand Minimize

Assemblies should declare minimum security

Visual Studio 2005

TypeName

AssembliesShouldDeclareMinimumSecurity

CheckId

CA2209

Category

Microsoft.Usage

Breaking Change

Breaking

An assembly does not have attributes that specify its minimum, optional, or refused security permissions.

Assemblies specify security permission requests to communicate to administrators the minimum permissions that are required to execute the assembly, and to limit security vulnerabilities caused by mistakenly omitting demands at the type and member level. Assemblies should be marked with security permissions requirements by using the following members of the System.Security.Permissions.SecurityAction enumeration:

This rule is satisfied if any of the actions is specified. Specify RequestMinimum to prevent the assembly from loading if the specified permissions have not been granted to the caller. Use this action when the caller always needs the permission to have access to anything defined in the assembly. Use the RequestOptional security action to specify permissions that are used if granted. When there are permissions that should not be granted to the assembly, specify these using RequestRefuse. If the assembly refuses permissions, it is not granted these permissions, regardless of the permissions it would be granted by the current security policy.

This rule reports a violation if you have specified a permission request incorrectly, or incompletely. If you have specified requests but a violation of this rule is reported, use the Permission Calculator Tool (Permission Calculator Tool (Permcalc.exe)) to estimate the permissions callers must be granted to access the public entry points of an assembly. This tool is new in the .NET Framework SDK version 2.0.

To fix a violation of this rule, specify at least one of the assembly-level permission requests.

Do not exclude a warning from this rule.

The following example shows an assembly with permission to execute but no other permissions.

using System;
using System.Security.Permissions;

[assembly: SecurityPermission(
   SecurityAction.RequestMinimum, Execution = true)]
[assembly: PermissionSet(
   SecurityAction.RequestOptional, Name = "Nothing")]
namespace UsageLibrary
{
   public class Test{}

The following example shows an assembly with the full set of permission requests.

using System;
using System.Security.Permissions;

[assembly:IsolatedStorageFilePermission(SecurityAction.RequestMinimum, UserQuota=1048576)]
[assembly:SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode=true)]
[assembly:FileIOPermission(SecurityAction.RequestOptional, Unrestricted=true)]

namespace UsageLibrary
{
   public class Test{}
}

The following example shows an assembly with an unenforceable permission request.

using System;
using System.Security.Permissions;

// Without Unrestricted=true or Read or Write, this permission request 
// is incomplete, and cannot be enforced.
[assembly:FileIOPermission(SecurityAction.RequestMinimum)]

namespace UsageLibrary
{
   public class Test{}
}

Permview.exe shows this permission request as an empty permission set.

Output

minimal permission set:
<PermissionSet class="System.Security.PermissionSet"/>

optional permission set:
  Not specified

refused permission set:
  Not specified

Community Additions

ADD
Show:
© 2014 Microsoft