Permcalc tool and FullTrust issues

When I was performing a CAS analysis with the PermCalc tool on some assemblies that I expected to run under a zone with constrained permissions like “Intranet”, I came across a couple of interesting issues with this very helpful tool.

There are two especially useful switches that have this command line tool. One is the “-sandbox” switch, that reports the minimum permissions an application requires to run (so you can build a sandboxed environment, typically for ClickOnce applications). The other switch that helps to diagnose where permissions demands originated from is the “-stack” switch.

So far so good, but let’s say that you run the tool with “-sandbox” and the result is (in my words) “Your assembly requires FullTrust permission”. Well that may imply that your assembly is calling some API or some BCL function that is demanding FullTrust or… you may‘ve got one or both of these two scenarios in your call stack.

Calling Assemblies without APTCA

You code may be calling an external referenced assembly that does not have the APTCA (Allow Partially Trusted Code Attribute) so any caller to this assembly should be a FullTrust caller. Assuming you want your application to run in a partially trusted environment, you first need to identify which is the non-APTC assembly that your application is calling, and then devise a strategy to circumvent this (redesign your app or use a sandbox pattern).

The point is that PermCalc could not get the “offending” non-APTCA assembly with the stacks switch, so a more manual analisys was required (run the tool with a modified assembly with a subset of classes and keep on adding more classes until you get the FullTrust requirement).

I already reported this in the PFC if you want further details.

Classes with InheritanceDemand Permission

Another non reported cause of FullTrust requirement for a sandbox analysis was the scenario where you have a base class decorated with the “InheritanceDemand” attribute. More details on this here.