Assemblies should declare minimum security
TypeName |
AssembliesShouldDeclareMinimumSecurity |
CheckId |
CA2209 |
Category |
Microsoft.Usage |
Breaking Change |
Breaking |
Cause
An assembly does not have attributes that specify its minimum, optional, or refused security permissions.
Rule Description
Assemblies specify security permission requests to communicate to administrators the minimum permissions that are required to execute the assembly, and to limit security vulnerabilities caused by mistakenly omitting demands at the type and member level. Assemblies should be marked with security permissions requirements by using the following members of the System.Security.Permissions.SecurityAction enumeration:
This rule is satisfied if any of the actions is specified. Specify RequestMinimum to prevent the assembly from loading if the specified permissions have not been granted to the caller. Use this action when the caller always needs the permission to have access to anything defined in the assembly. Use the RequestOptional security action to specify permissions that are used if granted. When there are permissions that should not be granted to the assembly, specify these using RequestRefuse. If the assembly refuses permissions, it is not granted these permissions, regardless of the permissions it would be granted by the current security policy.
This rule reports a violation if you have specified a permission request incorrectly, or incompletely. If you have specified requests but a violation of this rule is reported, use the Permission Calculator Tool (Permission Calculator Tool (Permcalc.exe)) to estimate the permissions callers must be granted to access the public entry points of an assembly. This tool is new in the .NET Framework SDK version 2.0.
How to Fix Violations
To fix a violation of this rule, specify at least one of the assembly-level permission requests.
When to Exclude Warnings
Do not exclude a warning from this rule.
Example
The following example shows an assembly with permission to execute but no other permissions.
using System;
using System.Security.Permissions;
[assembly: SecurityPermission(
SecurityAction.RequestMinimum, Execution = true)]
[assembly: PermissionSet(
SecurityAction.RequestOptional, Name = "Nothing")]
namespace UsageLibrary
{
public class Test{}
The following example shows an assembly with the full set of permission requests.
using System;
using System.Security.Permissions;
[assembly:IsolatedStorageFilePermission(SecurityAction.RequestMinimum, UserQuota=1048576)]
[assembly:SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode=true)]
[assembly:FileIOPermission(SecurityAction.RequestOptional, Unrestricted=true)]
namespace UsageLibrary
{
public class Test{}
}
The following example shows an assembly with an unenforceable permission request.
using System;
using System.Security.Permissions;
// Without Unrestricted=true or Read or Write, this permission request
// is incomplete, and cannot be enforced.
[assembly:FileIOPermission(SecurityAction.RequestMinimum)]
namespace UsageLibrary
{
public class Test{}
}
Permview.exe shows this permission request as an empty permission set.
Output
minimal permission set: <PermissionSet class="System.Security.PermissionSet"/> optional permission set: Not specified refused permission set: Not specified
See Also
Reference
Permissions View Tool (Permview.exe)
System.Security.Permissions.SecurityAction