Posted to users@felix.apache.org by alpha sparc <al...@gmail.com> on 2011/10/02 14:23:39 UTC

Re: Embedding Felix Security

Hi, I am attempting to run the Felix security bundle.
I have given all.permission to Felix, installed the security bundle and
tried to load the policy using the policy bundle in the examples as well as
tried to programmatically set the policy, but the bundles still run regardless
of how I tried to deny read and write to <<ALL FILES>>.

Can anyone help me to point out what I missed? The result of this code is
that all the bundles run even when I tried to stop them:
    public static void main( String[] args ) throws BundleException
    {
        String [] bundledir=null;

        System.setProperty("java.security.policy","./Policy/all.policy"); //OSGi need all Permission
        System.setProperty("org.osgi.framework.security=osgi","true");

        Map<String, String> fmap = new HashMap<String, String>();
        fmap.put(FelixConstants.FRAMEWORK_STORAGE, "./Bundles/"); //Run in the bundle directory
        fmap.put(FelixConstants.FRAMEWORK_STORAGE_CLEAN, "true");
        fmap.put(FelixConstants.FRAMEWORK_SECURITY_OSGI, "true");

        Felix felix = new Felix(fmap);

        try{
            felix.start();

            SimpleSecurityManager sm = new SimpleSecurityManager();
            System.setSecurityManager(sm);

            Bundle securitybundle = null;
            File file = new File("./Bundles/Security/framework.security.jar");
            URL url = file.toURI().toURL();
            securitybundle = felix.getBundleContext().installBundle(url.toString());
            securitybundle.start();

            Bundle policybundle = null;
            File file2 = new File("./Bundles/Security/PolicyActivator.jar");
            URL url2 = file2.toURI().toURL();
            policybundle = felix.getBundleContext().installBundle(url2.toString());
            policybundle.start();

            final ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin)
                felix.getBundleContext().getService(
                    felix.getBundleContext().getServiceReference(
                        ConditionalPermissionAdmin.class.getName()));
            final ConditionalPermissionUpdate u = cpa.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> permlist = u.getConditionalPermissionInfos();
            permlist.clear();

            // Give the System Bundle AllPermissions
            permlist.add(cpa.newConditionalPermissionInfo(null,
                new ConditionInfo[] { new ConditionInfo(
                    BundleLocationCondition.class.getName(),
                    new String[] { felix.getBundleContext().getBundle(0).getLocation() }) },
                new PermissionInfo[] { new PermissionInfo(
                    AllPermission.class.getName(), "*", "*") },
                ConditionalPermissionInfo.DENY));

            // Allow the first two system bundles (Log and ConfigAdmin) to import org.osgi.framework
            permlist.add(cpa.newConditionalPermissionInfo(null,
                new ConditionInfo[] { new ConditionInfo(
                    BundleLocationCondition.class.getName(),
                    new String[] { felix.getBundleContext().getBundle(1).getLocation() }) },
                new PermissionInfo[] { new PermissionInfo(
                    PackagePermission.class.getName(), "org.osgi.framework",
                    PackagePermission.IMPORT) },
                ConditionalPermissionInfo.DENY));

            permlist.add(cpa.newConditionalPermissionInfo(null,
                new ConditionInfo[] { new ConditionInfo(
                    BundleLocationCondition.class.getName(),
                    new String[] {
                        felix.getBundleContext().getBundle().getLocation(),
                        "C:/Users/User/Documents/NetBeansProjects/OSGiVerify/Bundles/*" }) },
                new PermissionInfo[] { new PermissionInfo(
                    java.io.FilePermission.class.getName(), "<<ALL FILES>>", "read,write") },
                ConditionalPermissionInfo.DENY));
            u.commit();

            for(int i=0;(bundledir[i]!=null);i++)
            {
                System.out.println(bundledir[i]);

                Bundle bundlelauncher=null;
                File file1 = new File(bundledir[i]);
                URL url1 = file1.toURI().toURL();

                bundlelauncher=felix.getBundleContext().installBundle(url1.toString());
                bundlelauncher.start();
            }

        }catch(Exception e){e.printStackTrace();}

Re: Embedding Felix Security

Posted by Karl Pauls <ka...@gmail.com>.
It looks to me like you are not using the DENY, ALLOW policies
correctly. You use DENY even when you want to say ALLOW I guess.
Furthermore, you don't have to give permissions to the system bundle
(that is so by default) and you shouldn't set your own security
manager (the framework will do that by itself if you set the
osgi.security=true flag, as you do).

However, I agree, that your code looks like it should still prevent
bundles from reading/writing files. The one thing that is possible is
that it doesn't pick up the <<ALL FILES>> correctly. Can you try with
any other permission or even better, just try with a recursive file
permission starting at some point like "C:/-" and see whether that
prevents bundles from accessing files on the c: drive?

regards,

Karl




-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org
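
An added example, not code from either poster or from the Felix project: one way to build the policy table in the shape Karl's reply describes, with no row for the system bundle, no custom security manager, and a DENY row for a recursive file permission placed ahead of an ALLOW row. The class name FilePolicy, the method apply() and both parameters are hypothetical; it assumes the security bundle is already started so that ConditionalPermissionAdmin is registered.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.BundleLocationCondition;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

// Added example; FilePolicy and apply() are hypothetical names.
public final class FilePolicy {
    // Replaces the table: DENY file access under fileRoot to bundles whose
    // location matches locationPattern, then ALLOW everything else.
    public static boolean apply(BundleContext ctx, String locationPattern, String fileRoot) {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) {
            throw new IllegalStateException("ConditionalPermissionAdmin service not registered");
        }
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);
        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
        rows.clear();

        // Rows are evaluated top to bottom, so the DENY row goes first. The pattern is
        // matched against the location string passed to installBundle(), e.g. a file: URL.
        rows.add(cpa.newConditionalPermissionInfo("deny-files",
            new ConditionInfo[] { new ConditionInfo(
                BundleLocationCondition.class.getName(), new String[] { locationPattern }) },
            new PermissionInfo[] { new PermissionInfo(
                FilePermission.class.getName(), fileRoot, "read,write") },
            ConditionalPermissionInfo.DENY));

        // No conditions: this row matches every bundle. Once the table is non-empty,
        // a permission check that no row allows is denied, so an ALLOW row is needed.
        rows.add(cpa.newConditionalPermissionInfo("allow-rest",
            new ConditionInfo[0],
            new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), "*", "*") },
            ConditionalPermissionInfo.ALLOW));

        // commit() returns false if the table was changed concurrently.
        return update.commit();
    }
}
```

The "C:/-" value from the reply would be passed as fileRoot; locationPattern is the prefix the restricted bundles are installed from, ending in `*`.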


Re: Embedding Felix Security

Posted by Karl Pauls <ka...@gmail.com>.
you can send it to me in private: karlpauls@gmail.com.

regards,

Karl

On Mon, Oct 3, 2011 at 4:37 AM, alpha sparc <al...@gmail.com> wrote:
> Hi, I have tried to set the permission to the testfile text to be deny
> read,write and execute but it still runs.
> I am doing this using Netbeans.
> Can I attach the project here?
>



-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls



Re: Embedding Felix Security

Posted by alpha sparc <al...@gmail.com>.
Hi, I have tried to set the permission to the testfile text to be deny
read,write and execute but it still runs.
I am doing this using Netbeans.
Can I attach the project here?