You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@felix.apache.org by Simon <si...@outlook.com> on 2016/01/08 16:57:13 UTC
Security Conditions not working on Java 1.8
Hello, I have done my tests on the Java runtimes; "1.7.0_71" and "1.8.0_25",
and Felix "felix-framework-5.4.0". I have enabled security by adding
"org.apache.felix.framework.security-2.4.0" to the bundle directory.
I have then created three projects; "p1-check", "p1-policy" and the
offending bundle "p1-evil" (I'll attach all code). My scenario is as
follows; /I do not want p1-evil to connect to the Internet/. However in
p1-evil Activator I placed some code that makes a request to google and
prints the response.
The p1-check bundle has only one condition; MyCheck.java. The
/isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic name
is "com.p1.evil", which is the symbolic name of the p1-evil bundle.
This is meant to be used with the following security rule (can be found in
security.policy)
/
DENY {
[com.p1.check.MyCheck]
( java.net.SocketPermission "*" "connect" )
} "MyCheck"
/
(note: I also tried "connect,resolve", still does not work on java 1.8)
When I execute felix.jar with *java 1.7* I can see the logs from p1-check
and as expected p1-evil does not connect and I get an exception
[java.security.AccessControlException: access denied
("java.net.SocketPermission" "google.com:80" "connect,resolve")]
When I execute felix.jar with *java 1.8* I can see the logs from p1-check
however p1-evil activator is still allowed to connect to google.
I have tried this on two different machines and I got the same results. Am I
doing something wrong? Or there is something I do not know?
felix-framework-5.zip
<http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip>
p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip>
--
View this message in context: http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org
Re: Security Conditions not working on Java 1.8
Posted by Simon <si...@outlook.com>.
I have created jira issue FELIX-5162
<https://issues.apache.org/jira/browse/FELIX-5162> . (Please note I cannot
set assignee). I have set priority to "minor" as there is a work around (run
on java7).
I am not sure I understand what you mean by "_grant_ SocketPermission in
java8". The security.policy file needs to have at least the following one
entry at the end;
> ...
> ALLOW {
> ( java.security.AllPermission "*" "*")
> } "Give all permissions to all bundles"
If I remove that one permission (and I use p1-policy bundle) nothing works.
If I change the DENY rule to ALLOW and I leave MyCheck the same (returns
true) the connection is allowed. If I change MyCheck to return "false" it
still connects to remote server. My understanding is that the next rule
(give all permission to all bundles) is checked and this returns a true for
all permissions.
Attached is another not-OSGi example I made. This one has a "get.jar" which
does the same thing as "p1-evil" bundle (i.e. - connect to a remote site). I
have placed the following "all.policy" file:
> grant { permission java.net.SocketPermission "*", "connect,resolve"; };
I run it as follows using the command "java -Djava.security.manager
-Djava.security.policy=all.policy -jar get.jar". This works the same on
Java1.7 and Java1.8.
get.zip <http://apache-felix.18485.x6.nabble.com/file/n5016178/get.zip>
--
View this message in context: http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167p5016178.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org
Re: Security Conditions not working on Java 1.8
Posted by Karl Pauls <ka...@gmail.com>.
Yeah, the point is that starting somewhere in java8 sandboxed apps can't
get SocketPermission anymore. In your case that bits backwards as you are
asking for a DENY. Unfortunately, that might imply that one can not grant
SocketPermission anymore either (which would be pretty shitty). Not sure
what can be done about it - if you have some time feel free to create a
jira issue with your examples and assign it to me (it would be great if you
could also test if you can still _grant_ SocketPermission in java8).
regards,
Karl
On Mon, Jan 11, 2016 at 11:31 AM, Simon <si...@outlook.com> wrote:
> Hi Karl, You are right. With another permission it works.
>
> I created another bundle "p1-evil-fs". The /Activator/ of this bundle lists
> all files in current directory. I changed the rule in "security.policy" as
> follows:
>
> /
> DENY {
> [com.p1.check.MyCheck]
> ( java.io.FilePermission "-" "read" )
> } "MyCheck"
> /
>
> (MyCheck changed to also work for the p1-evil-fs)
>
> For me this worked the same with both java7 and java8. I have attached all
> code.
> So I guess this is an issue with /SocketPermission/?
>
> felix-framework-5.zip
> <
> http://apache-felix.18485.x6.nabble.com/file/n5016171/felix-framework-5.zip
> >
> p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016171/p1.zip>
>
>
>
> --
> View this message in context:
> http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167p5016171.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
> For additional commands, e-mail: users-help@felix.apache.org
>
>
--
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
Re: Security Conditions not working on Java 1.8
Posted by Simon <si...@outlook.com>.
Hi Karl, You are right. With another permission it works.
I created another bundle "p1-evil-fs". The /Activator/ of this bundle lists
all files in current directory. I changed the rule in "security.policy" as
follows:
/
DENY {
[com.p1.check.MyCheck]
( java.io.FilePermission "-" "read" )
} "MyCheck"
/
(MyCheck changed to also work for the p1-evil-fs)
For me this worked the same with both java7 and java8. I have attached all
code.
So I guess this is an issue with /SocketPermission/?
felix-framework-5.zip
<http://apache-felix.18485.x6.nabble.com/file/n5016171/felix-framework-5.zip>
p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016171/p1.zip>
--
View this message in context: http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167p5016171.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org
Re: Security Conditions not working on Java 1.8
Posted by Karl Pauls <ka...@gmail.com>.
Could you try with a different Permission? My guess right now would be that
you/we are running into a very special case but for that to be true, I
would expect that your setup should work correctly with any other
permission...
regards,
Karl
On Fri, Jan 8, 2016 at 4:57 PM, Simon <si...@outlook.com> wrote:
> Hello, I have done my tests on the Java runtimes; "1.7.0_71" and
> "1.8.0_25",
> and Felix "felix-framework-5.4.0". I have enabled security by adding
> "org.apache.felix.framework.security-2.4.0" to the bundle directory.
>
> I have then created three projects; "p1-check", "p1-policy" and the
> offending bundle "p1-evil" (I'll attach all code). My scenario is as
> follows; /I do not want p1-evil to connect to the Internet/. However in
> p1-evil Activator I placed some code that makes a request to google and
> prints the response.
>
> The p1-check bundle has only one condition; MyCheck.java. The
> /isSatisfied()/ method of MyCheck returns /true/ if the bundle symbolic
> name
> is "com.p1.evil", which is the symbolic name of the p1-evil bundle.
>
> This is meant to be used with the following security rule (can be found in
> security.policy)
>
> /
> DENY {
> [com.p1.check.MyCheck]
> ( java.net.SocketPermission "*" "connect" )
> } "MyCheck"
> /
>
> (note: I also tried "connect,resolve", still does not work on java 1.8)
>
> When I execute felix.jar with *java 1.7* I can see the logs from p1-check
> and as expected p1-evil does not connect and I get an exception
> [java.security.AccessControlException: access denied
> ("java.net.SocketPermission" "google.com:80" "connect,resolve")]
>
> When I execute felix.jar with *java 1.8* I can see the logs from p1-check
> however p1-evil activator is still allowed to connect to google.
>
> I have tried this on two different machines and I got the same results. Am
> I
> doing something wrong? Or there is something I do not know?
>
> felix-framework-5.zip
> <
> http://apache-felix.18485.x6.nabble.com/file/n5016167/felix-framework-5.zip
> >
> p1.zip <http://apache-felix.18485.x6.nabble.com/file/n5016167/p1.zip>
>
>
>
> --
> View this message in context:
> http://apache-felix.18485.x6.nabble.com/Security-Conditions-not-working-on-Java-1-8-tp5016167.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
> For additional commands, e-mail: users-help@felix.apache.org
>
>
--
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls