locked
General failure in CAS/Trust for sandbox plugin RRS feed

  • Question

  • Hi all,

    We have a 3rd party plugin, that states its able to run in partial trust.

    Its ONLY working in full trust - we don't want to run this way.

    We are running the plugin "from database" (not file system or GAC)

    Their support lines are proving to be very unhelpful.

    We have looked at their code (dotPeek) and there line that is failing is "Trace.TraceError()" (NOTE: it APPEARS to be using the STATIC "Trace" class functions, not a TraceSource of any kind... presumably deliberatley...

    It appears to be failing because of the Partial trust "UnmanagedCode" limitation.

    We have Tracing on for the sandbox server  (set via Registry) but even if we disable it this exception is still thrown...

    if it helps this is the fail trace:

    'System.Security.Permissions.SecurityPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed'
    
    System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
       at System.Security.CodeAccessPermission.Demand()
       at System.Diagnostics.ListenerElementsCollection.GetRuntimeObject()
       at System.Diagnostics.TraceInternal.get_Listeners()
       at System.Diagnostics.TraceInternal.TraceEvent(TraceEventType eventType, Int32 id, String format, Object[] args)
    from
    -->Plugin.Execute(IServiceProvider serviceProvider)   
    

    They state the following:

    1. same code runs fine in CRM online

    2. the issue is our config/security

    My question to you all is:

    does azure/office 365 have the "UnmanagedCode" turned on in their partial trust setup?

    or

    if you register a plugin in "online" does it add it to the VM GAC or file system with special permissions or something?

    or 

    something else?

    Evidence that this is the issue:

    https://msdn.microsoft.com/en-us/library/system.diagnostics.trace(v=vs.110).aspx states: "If you add trace listeners to partially trusted code, you will get a SecurityException exception, because adding trace listeners requires UnmanagedCode permission."

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/partial-trust-feature-compatibility :- implies that WCF has slightly more permissions under Medium Trust than what is implied by the System.Diagnostics.Trace documentation - but who knows if WCF has ANYTHING to do with this all at all... but if WCF can do it then maybe CRM or clever plugin developers can also...?

    Any thoughts or ideas on how to troubleshoot this?

    What config is different for sandboxed plugins on premise vs cloud?

    Is there config/ permissions config for partial trust or something that we have missed?


    -- this is not the profile you're looking for --


    • Edited by noJedi Thursday, September 7, 2017 6:10 AM
    Thursday, September 7, 2017 2:23 AM