Posted to dev@felix.apache.org by "Simon Joseph Aquilina (JIRA)" <ji...@apache.org> on 2016/01/11 15:43:39 UTC
[jira] [Updated] (FELIX-5162) Security Conditions not working on Java 1.8
[ https://issues.apache.org/jira/browse/FELIX-5162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon Joseph Aquilina updated FELIX-5162:
-----------------------------------------
Description:
Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory.
I have then created three projects: "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code). My scenario is as follows: I do not want p1-evil to connect to the Internet. However, in the p1-evil Activator I placed some code that makes a request to Google and prints the response.
The p1-check bundle has only one condition: MyCheck.java. The isSatisfied() method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle.
This is meant to be used with the following security rule (can be found in security.policy):
{code:title=security.policy}
DENY {
[com.p1.check.MyCheck]
( java.net.SocketPermission "*" "connect" )
} "MyCheck"
...
{code}
(Note: I also tried "connect,resolve"; it still does not work on Java 1.8.)
When I execute felix.jar with Java 1.7, I can see the logs from p1-check and, as expected, p1-evil does not connect and I get an exception [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")].
When I execute felix.jar with Java 1.8, I can see the logs from p1-check; however, the p1-evil activator is still allowed to connect to Google.
I have tried this on two different machines and I got the same results. Am I doing something wrong? Or is there something I do not know?
> Security Conditions not working on Java 1.8
> -------------------------------------------
>
> Key: FELIX-5162
> URL: https://issues.apache.org/jira/browse/FELIX-5162
> Project: Felix
> Issue Type: Bug
> Components: Framework Security
> Affects Versions: framework.security-2.4.0
> Environment: Java 1.8
> Reporter: Simon Joseph Aquilina
> Priority: Minor
> Labels: Java8, Security
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
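
For reference, a condition of the kind the report describes could look like the sketch below. This is an added example written against the org.osgi.service.condpermadmin API, not the reporter's attached MyCheck.java; the class name, package and symbolic name come from the report, while the body and the log line are assumptions.

```java
package com.p1.check;

import java.util.Dictionary;
import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

/** Added sketch of the condition named in security.policy; the body is assumed. */
public final class MyCheck implements Condition {
    // Symbolic name of the bundle the DENY row is meant to match (from the report).
    private static final String DENIED_BUNDLE = "com.p1.evil";

    private final Bundle bundle;

    private MyCheck(Bundle bundle) {
        this.bundle = bundle;
    }

    // Conditional Permission Admin builds the condition through this static
    // factory for the bundle whose permissions are being evaluated. info carries
    // the quoted arguments from the policy row; the row in the report passes none.
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        return new MyCheck(bundle);
    }

    // Evaluated immediately during the permission check, not deferred.
    @Override
    public boolean isPostponed() { return false; }

    // A symbolic name never changes, so the framework may cache the result.
    @Override
    public boolean isMutable() { return false; }

    // true selects the DENY row for this bundle: any permission implied by
    // (java.net.SocketPermission "*" "connect") is then refused.
    @Override
    public boolean isSatisfied() {
        boolean match = DENIED_BUNDLE.equals(bundle.getSymbolicName());
        System.out.println("MyCheck " + bundle.getSymbolicName() + " -> " + match);
        return match;
    }

    // Bulk form, only called for postponed conditions; kept consistent.
    @Override
    public boolean isSatisfied(Condition[] conditions, Dictionary<Object, Object> context) {
        for (Condition c : conditions) {
            if (!c.isSatisfied()) return false;
        }
        return true;
    }
}
```

A log line from isSatisfied() shows only that the condition was evaluated; whether the DENY row is enforced is shown by the AccessControlException at the point of the connect.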