Posted to dev@netbeans.apache.org by Emilian Bold <em...@gmail.com> on 2017/04/04 15:29:09 UTC

Securing the IDE: sandboxing plugins

Hello,

One of the reasons I install only the essential plugins is the fact we have
no sandboxing.

No IDE has plugin sandboxing, but we can do better.

There is a wide array of plugins that need very few permissions (e.g. the
highly rated "Toggle line wrap") and users would install them without
worries.

Having a sandbox would also make a plugin review simpler. The fewer and
lower-impact permissions a plugin needs, the easier it is to review.

On most machines whatever overhead a security manager would have is
tolerable.

Module creators would have to add the global tag OpenIDE-Policy and define
a standard privacy policy file (which we could enhance with IDE-specific
permissions).

Of course, we would need to display some nicer UI when installing in order
to explain to the user what kind of permissions the plugin needs. Since the
permissions are checked at runtime we could also have (another) user dialog
then.

I will start looking at the existing code and see about a proof of concept.

Let me know your opinion.

--emi
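
Added example (not part of the original post and not NetBeans code): a sketch of the permission evaluation such a sandbox would rely on, using `java.security.ProtectionDomain` directly without installing a security manager. The plugin JAR path, the class name and the requested permissions are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

public class PluginDomainSketch {

    // The domain a module class loader would attach to every class it defines
    // from one plugin JAR: the code source plus the permissions the plugin declared.
    static ProtectionDomain domainFor(String jarUri, Permission... declared) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : declared) {
            perms.add(p);
        }
        perms.setReadOnly();
        CodeSource source = new CodeSource(URI.create(jarUri).toURL(), (Certificate[]) null);
        // Two-argument constructor: static permissions only, no system policy merged in.
        return new ProtectionDomain(source, perms);
    }

    // Requests the domain does not cover; an enforcing security manager would reject them.
    static List<Permission> denied(ProtectionDomain domain, Permission... requests) {
        List<Permission> out = new ArrayList<>();
        for (Permission r : requests) {
            if (!domain.implies(r)) {
                out.add(r);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed plugin that declares a single low-impact permission.
        ProtectionDomain lineWrap = domainFor(
                "file:/constructed/modules/org-example-togglelinewrap.jar",
                new PropertyPermission("line.separator", "read"));
        // Evaluate one declared and two undeclared requests against that domain.
        System.out.println(denied(lineWrap,
                new PropertyPermission("line.separator", "read"),
                new FilePermission("/constructed/home/notes.txt", "read"),
                new SocketPermission("example.invalid:443", "connect")));
    }
}
```

The short declared set is also what an install-time dialog or a plugin reviewer would be shown.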

Re: Securing the IDE: sandboxing plugins

Posted by Yonathan W'Gebriel <yt...@yahoo.com.INVALID>.
+1 Great idea.
 -Yonathan. 


Re: Securing the IDE: sandboxing plugins

Posted by Julien Enselme <je...@jujens.eu>.
Hi,

I like the idea. I also guess most users will understand how it works
since on mobile devices there already is such a system.

I have no idea on how this could be implemented though. Looking forward
to a proof of concept.

Regards,

-- 
Julien Enselme
http://www.jujens.eu/

Re: Securing the IDE: sandboxing plugins

Posted by Emilian Bold <em...@gmail.com>.
But the OSGi security is never enforced, no?

--emi

On 5 Apr 2017, at 15:35, Jaroslav Tulach <ja...@oracle.com> wrote:

> Challenging task.
> 
>> On Tuesday, 4 April 2017 18:29:09 CEST Emilian Bold wrote:
>> Hello,
>> 
>> One of the reasons I install only the essential plugins is the fact we have
>> no sandboxing.
>> 
>> No IDE has plugins sandboxing, but we can do better.
>> 
>> There is a wide array of plugins that need very little permissions (eg. the
>> highly rated "Toggle line wrap") and users would install them without
>> worries.
>> 
>> Having a sandbox would also make a plugin review simpler. The less and
>> lower impact permissions a plugin needs, the easier to review.
>> 
>> On most machines whatever overhead a security manager would have is
>> tolerable.
>> 
>> Module creators would have to add the global tag OpenIDE-Policy and define
>> a standard privacy policy file (which we could enhance with IDE-specific
>> permissions).
> 
> Possible. Compare your approach with OSGi security spec before you go on.
> 
>> Of course, we would need to display some nicer UI when installing in order
>> to explain the user what kind of permissions the plugin needs. Since the
>> permissions are checked at runtime we could also have (another) user dialog
>> then.
>> 
>> I will start looking at the existing code and see about a proof of concept.
> 
> Probably start somewhere around:
> https://github.com/emilianbold/netbeans-releases/blob/master/core.startup/src/org/netbeans/core/startup/ModuleSystem.java
> and related class loaders.
> 
> -jt
> 

Re: Securing the IDE: sandboxing plugins

Posted by Jaroslav Tulach <ja...@oracle.com>.
Challenging task.

On Tuesday, 4 April 2017 18:29:09 CEST Emilian Bold wrote:
> Hello,
> 
> One of the reasons I install only the essential plugins is the fact we have
> no sandboxing.
> 
> No IDE has plugins sandboxing, but we can do better.
> 
> There is a wide array of plugins that need very little permissions (eg. the
> highly rated "Toggle line wrap") and users would install them without
> worries.
> 
> Having a sandbox would also make a plugin review simpler. The less and
> lower impact permissions a plugin needs, the easier to review.
> 
> On most machines whatever overhead a security manager would have is
> tolerable.
> 
> Module creators would have to add the global tag OpenIDE-Policy and define
> a standard privacy policy file (which we could enhance with IDE-specific
> permissions).

Possible. Compare your approach with OSGi security spec before you go on.

> Of course, we would need to display some nicer UI when installing in order
> to explain the user what kind of permissions the plugin needs. Since the
> permissions are checked at runtime we could also have (another) user dialog
> then.
> 
> I will start looking at the existing code and see about a proof of concept.

Probably start somewhere around:
https://github.com/emilianbold/netbeans-releases/blob/master/core.startup/src/org/netbeans/core/startup/ModuleSystem.java
and related class loaders.

-jt