You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Simon Joseph Aquilina (JIRA)" <ji...@apache.org> on 2016/01/11 15:43:39 UTC

[jira] [Updated] (FELIX-5162) Security Conditions not working on Java 1.8

     [ https://issues.apache.org/jira/browse/FELIX-5162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Joseph Aquilina updated FELIX-5162:
-----------------------------------------
    Description: 
Hello, I have done my tests on the Java runtimes; "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory. 

I have then created three projects; "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code). My scenario is as follows; I do not want p1-evil to connect to the Internet. However in p1-evil Activator I placed some code that makes a request to google and prints the response. 

The p1-check bundle has only one condition; MyCheck.java. The isSatisfied() method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle. 

This is meant to be used with the following security rule (can be found in security.policy) 

{code:title=security.policy}
DENY { 
  [com.p1.check.MyCheck] 
  ( java.net.SocketPermission "*" "connect" ) 
} "MyCheck"
...
{code}

(note: I also tried "connect,resolve", still does not work on java 1.8) 

When I execute felix.jar with java 1.7 I can see the logs from p1-check and as expected p1-evil does not connect and I get an exception [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")] 

When I execute felix.jar with java 1.8 I can see the logs from p1-check however p1-evil activator is still allowed to connect to google. 

I have tried this on two different machines and I got the same results. Am I doing something wrong? Or there is something I do not know? 

  was:
Hello, I have done my tests on the Java runtimes; "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory. 

I have then created three projects; "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code). My scenario is as follows; I do not want p1-evil to connect to the Internet. However in p1-evil Activator I placed some code that makes a request to google and prints the response. 

The p1-check bundle has only one condition; MyCheck.java. The isSatisfied() method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle. 

This is meant to be used with the following security rule (can be found in security.policy) 


DENY { 
  [com.p1.check.MyCheck] 
  ( java.net.SocketPermission "*" "connect" ) 
} "MyCheck" 


(note: I also tried "connect,resolve", still does not work on java 1.8) 

When I execute felix.jar with java 1.7 I can see the logs from p1-check and as expected p1-evil does not connect and I get an exception [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")] 

When I execute felix.jar with java 1.8 I can see the logs from p1-check however p1-evil activator is still allowed to connect to google. 

I have tried this on two different machines and I got the same results. Am I doing something wrong? Or there is something I do not know? 


> Security Conditions not working on Java 1.8
> -------------------------------------------
>
>                 Key: FELIX-5162
>                 URL: https://issues.apache.org/jira/browse/FELIX-5162
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework Security
>    Affects Versions: framework.security-2.4.0
>         Environment: Java 1.8
>            Reporter: Simon Joseph Aquilina
>            Priority: Minor
>              Labels: Java8, Security
>
> Hello, I have done my tests on the Java runtimes; "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory. 
> I have then created three projects; "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code). My scenario is as follows; I do not want p1-evil to connect to the Internet. However in p1-evil Activator I placed some code that makes a request to google and prints the response. 
> The p1-check bundle has only one condition; MyCheck.java. The isSatisfied() method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle. 
> This is meant to be used with the following security rule (can be found in security.policy) 
> {code:title=security.policy}
> DENY { 
>   [com.p1.check.MyCheck] 
>   ( java.net.SocketPermission "*" "connect" ) 
> } "MyCheck"
> ...
> {code}
> (note: I also tried "connect,resolve", still does not work on java 1.8) 
> When I execute felix.jar with java 1.7 I can see the logs from p1-check and as expected p1-evil does not connect and I get an exception [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")] 
> When I execute felix.jar with java 1.8 I can see the logs from p1-check however p1-evil activator is still allowed to connect to google. 
> I have tried this on two different machines and I got the same results. Am I doing something wrong? Or there is something I do not know? 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)