Posted to users@felix.apache.org by Andrea Carlino <an...@gmail.com> on 2014/04/03 12:28:55 UTC

Problems with ConditionalPermissionAdmin

Dear all,
I'm designing a system based on Felix, which should allow certain operations
only to certain bundles.

I followed the basic and clear scheme from:
https://code.google.com/p/osgi-in-action/source/browse/trunk/chapter14/#chapter14%2Fcombined-example%2Forg.foo.policy

I have a "philosophical" and a technical question:

   1. Philosophical: The ConditionalPermissionAdmin operates only if
   the custom bundle committing the ConditionalPermissionInfo is up and
   running. If for any reason this does not start correctly, the
   ConditionalPermissions are not considered at all. Is this really a safe
   way to implement security? Are there other ways to enforce this mechanism?
   (I've seen some documentation and tutorials on OSGi security
   implementation in Felix, but everything seems partial, fragmentary and not
   up-to-date... If you have some good resources please share them)
   2. Technical: I have bundles signed by ME, which should be allowed to
   write and read files everywhere within the Felix folder tree, and some
   other bundles signed by OTHERS which should be allowed only to read from
   the subfolder ./readableFolder. Every other system bundle which is not I
   think I tried every possibility but nothing is working... I need help with
   this... Below is my security.policy file that I expected to work, according to
   what I understood so far (reference from the project linked before, modified
   with indications from the OSGi rev5 specifications and
   http://www.knopflerfish.org/releases/3.2/docs/osgi_with_security.html#easyto
adapt to Windows environment)

ALLOW {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "file:.\\readableFolder\\\*" "read")
} "Allow bundles signed by OTHER to read every file in readableFolder"

DENY {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "*" "*")
} "Deny bundles signed by OTHER to read and write file everywhere else"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "Give all other not denied permissions to all bundles"


In the end, what is the logic? More restrictive conditions first, right?


I've already spent a lot of time on this without success... any help or hint
is highly appreciated (and needed :-) )!

Thanks,
Andrea

Re: Problems with ConditionalPermissionAdmin

Posted by felixandre <an...@gmail.com>.
I'm sure I had tried the "-" parameter as the first parameter of the
FilePermission condition, but maybe at least the first slash is needed ("/-"). Now this
seems to work, thanks! Where can I find clear explanations of how to
specify the parameters of this and other Permissions? I'm not sure all the
OSGi specifications are implemented in Felix and following syntax... (I read
in your presentation of 2008: "Felix security is still experimental:
• Not all permission checks implemented
• Configuration and documentation needs improvement")

If I want to prevent any malicious bundle from reading and writing any file in the
filesystem I should add:

DENY {
    ( java.io.FilePermission "/-" "read,write")
} "Deny bundles not signed to read and write any file"

right?

But if I do it this way the "system" bundles (from Eclipse and Felix) are
also blocked... I verified that the Felix bundles are not signed, so I
tried to sign them with my certificate, treating them as bundles signed by
ME.
The result of "jarsigner -verify bundlename" with Eclipse bundles is:

CN="Eclipse.org Foundation, Inc", OU=Digital ID Class 3 - Java Object
Signing, O="Eclipse.org Foundation, Inc", L=Ottawa, ST=Ontario, C=CA
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at
https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

Should I import the Eclipse certificate into my keystore.jks? Or maybe the VeriSign
CA certificate (it can be exported from cacerts)?

How do I include in a BundleSignerCondition a certificate DN containing quote symbols (i.e.
O="Eclipse.org Foundation, Inc")?







--
View this message in context: http://apache-felix.18485.x6.nabble.com/Problems-with-ConditionalPermissionAdmin-tp5007954p5007977.html
Sent from the Apache Felix - Users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
For additional commands, e-mail: users-help@felix.apache.org


Re: Problems with ConditionalPermissionAdmin

Posted by Karl Pauls <ka...@gmail.com>.
Well, your second policy has to fail because '/opt*' is not what you think it
is. It would need to be '/opt/-' to achieve what you have in mind, I think.
Not sure why the BundleSignerCondition doesn't work. Are you sure the DN is
matching the certificate? (Probably the easiest way to figure that out is to
try with a single ALLOW rule first that gives AllPermission to bundles with
that DN only.)

regards,

Karl


On Fri, Apr 4, 2014 at 2:57 PM, felixandre <an...@gmail.com> wrote:


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
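As an added illustration (not code from the thread), the following Java snippet asks the JDK's own java.io.FilePermission.implies() which target names cover the sample file, so the '/opt*' versus '/opt/-' point above can be checked directly; the file path is constructed to mirror the one in the thread.

```java
import java.io.FilePermission;

/**
 * Added example, not from the thread: probes java.io.FilePermission target
 * name semantics with the JDK's own implies() check. The path below is a
 * constructed sample that mirrors the one discussed in the thread.
 */
public class FilePermissionTargets {

    /** True if a grant on 'target' for 'granted' actions covers 'path' for 'requested' actions. */
    static boolean covers(String target, String granted, String path, String requested) {
        return new FilePermission(target, granted).implies(new FilePermission(path, requested));
    }

    public static void main(String[] args) {
        String file = "/opt/miv/conf/sampleRead.txt";

        // "/opt*" is a literal file name: a trailing '*' is only a wildcard when it
        // directly follows the separator ("/opt/*"). A DENY on "/opt*" never fires.
        System.out.println("/opt*  read  -> " + covers("/opt*", "read", file, "read"));    // false

        // "/opt/*" covers direct children of /opt only, not nested directories.
        System.out.println("/opt/* read  -> " + covers("/opt/*", "read", file, "read"));   // false

        // "/opt/-" covers the whole subtree below /opt.
        System.out.println("/opt/- read  -> " + covers("/opt/-", "read", file, "read"));   // true

        // Actions are checked as well: a read grant does not cover a write request.
        System.out.println("/opt/- write -> " + covers("/opt/-", "read", file, "write"));  // false

        // "<<ALL FILES>>" is the portable spelling for "every file on the system",
        // which is what a DENY rule for untrusted signers usually wants.
        System.out.println("<<ALL FILES>> -> "
                + covers("<<ALL FILES>>", "read,write", file, "write"));                  // true

        // A bare "-" or "*" is resolved against user.dir (the directory the JVM was
        // started in), so a policy using them changes meaning with the launch
        // directory; absolute targets avoid that ambiguity.
    }
}
```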

Re: Problems with ConditionalPermissionAdmin

Posted by felixandre <an...@gmail.com>.
Well, let's say this is a step further then, since the standard
java.io.FilePermission is not working for me even on Linux with an absolute
path.

This is the command to launch the Felix framework:
java -Djava.security.policy=all.policy -Dorg.osgi.framework.security=osgi
-Dosgi.signedcontent.support=trust
-Dfelix.keystore=file:/opt/felix/keystore.jks -Dfelix.keystore.pass=pswd
-Dfelix.keystore.type=jks -jar ./bin/felix.jar

With this policy file:

DENY {
    ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt" "read,write")
} "Deny bundles signed by OTHER to read and write sampleRead.txt file"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "But give all other not denied permissions to all bundles"

the policies are applied: no one can read and write the file
"/opt/miv/conf/sampleRead.txt".

But as soon as I try to insert a BundleSignerCondition:

DENY {
    [org.osgi.service.condpermadmin.BundleSignerCondition "CN=xxx, OU=xxx, O=OTHER, L=xxx, ST=xxx, C=xx"]
    ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt" "read,write")
} "Deny bundles signed by OTHER to read and write sampleRead.txt file"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "But give all other not denied permissions to all bundles"

or to generalize the file permission to a parent folder:

DENY {
    ( java.io.FilePermission "/opt*" "read,write")
} "Deny bundles signed by OTHER to read and write sampleRead.txt file"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "But give all other not denied permissions to all bundles"

no policies are applied at all and everyone is allowed to read and write
every file!

What am I doing wrong here!? In the keystore.jks there are only the
certificates of ME and OTHER...
The bundles I'm testing are correctly signed (checked with jarsigner).

No idea how to solve this...





Re: Problems with ConditionalPermissionAdmin

Posted by Karl Pauls <ka...@gmail.com>.
I don't think there is a way to make this a relative path. Basically,
relative paths are relative to the current user.dir, which is set to the directory
the user is in when invoking the JVM. You might be able to create your own
permission that gets this done, however. It would need to imply file
permission but derive the relative path from the felix.jar location, which it
should be able to figure out.

regards,

Karl


On Thu, Apr 3, 2014 at 3:40 PM, felixandre <an...@gmail.com> wrote:



Re: Problems with ConditionalPermissionAdmin

Posted by felixandre <an...@gmail.com>.
Thanks Karl!
I report here my last attempts with results:

*ATTEMPT 1:*

ALLOW {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "readableFolder\-" "read")
} "Allow bundles signed by OTHER to read file in readableFolder"

DENY {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "-" "*")
} "Deny bundles signed by OTHER to read and write files everywhere else"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "But give all other not denied permissions to all bundles"

With this, the bundle signed by OTHER can read and write all files under the
Felix folder tree.


*ATTEMPT 2:*

ALLOW {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "readableFolder\-" "read")
} "Allow bundles signed by OTHER to read file in readableFolder"

DENY {
    [org.osgi.service.condpermadmin.BundleSignerCondition "*; O=OTHER"]
    ( java.io.FilePermission "-" "write")
} "Deny bundles signed by OTHER to read and write files everywhere else"

ALLOW {
    ( java.security.AllPermission "*" "*")
} "But give all other not denied permissions to all bundles"

With this, the bundle signed by OTHER cannot write any file under the Felix
folder tree, but can read every file.
But if within the DENY condition I use "read,write" instead of only "write",
then the bundle cannot read even in the "allowed" folder (first ALLOW
condition).
I think the problem here is the syntax of the first parameter of the
java.io.FilePermission condition.
What is the correct way to write it? Is it possible to use a path relative
to the Felix execution folder? Is there a way to write it which is
compatible with both Windows and Linux folders?
(I'm now working on Windows but I'll have to use the same framework under
Linux too).

Thanks,
Andrea




Re: Problems with ConditionalPermissionAdmin

Posted by Karl Pauls <ka...@gmail.com>.
In regard to 1) you could consider bundling the two together (see an
example of this here:
http://svn.apache.org/repos/asf/felix/sandbox/rickhall/ct-launcher/)

In regard to 2) you'd have to first give me a bit more details: are you
saying your bundles cannot r/w any file, or that they _can_ r/w files they
shouldn't? Furthermore, did you test that permission assignment based on
your OTHER certificate is working at all like this (i.e., with a simple
bundle and a simple permission)? It's sometimes not that easy to get a
correct filter for the DN...

regards,

Karl


On Thu, Apr 3, 2014 at 12:28 PM, Andrea Carlino <an...@gmail.com> wrote:



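One way to act on the "bundle the two together" suggestion and on the ordering question from the original post, written here as an added example rather than code from the thread or from Felix: a launcher-side activator that installs the three-rule policy through the ConditionalPermissionAdmin API. It assumes the activator runs in the launcher's own trusted bundle, that the Felix install directory is the JVM's user.dir, and that the rule names and the "*; O=OTHER" signer filter are placeholders.

```java
import java.io.File;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionInfo;

/**
 * Added example, not from the thread: installs the policy through the
 * ConditionalPermissionAdmin API instead of a policy file. Assumed: this
 * runs in the launcher's own trusted bundle and the Felix install directory
 * is user.dir. Rule names and the "*; O=OTHER" filter are placeholders.
 */
public class PolicyActivator implements BundleActivator {
    private static final String SIGNER = "org.osgi.service.condpermadmin.BundleSignerCondition";
    private static final String FILE = "java.io.FilePermission";

    public void start(BundleContext ctx) throws Exception {
        ServiceReference<ConditionalPermissionAdmin> ref =
                ctx.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) { // without -Dorg.osgi.framework.security=osgi nothing is enforced
            throw new IllegalStateException("ConditionalPermissionAdmin not available: security not enabled");
        }
        ConditionalPermissionAdmin cpa = ctx.getService(ref);

        // Absolute, platform-correct target "<base>/readableFolder/-" (recursive).
        File base = new File(System.getProperty("user.dir")).getCanonicalFile();
        String readable = new File(base, "readableFolder").getPath() + File.separator + "-";
        ConditionInfo[] signedByOther = { new ConditionInfo(SIGNER, new String[] { "*; O=OTHER" }) };

        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rules = update.getConditionalPermissionInfos();
        rules.clear(); // this bundle is the single source of the policy table

        // The table is evaluated in order and the first applicable rule decides, so
        // the narrow ALLOW precedes the broad DENY and the catch-all ALLOW comes last.
        rules.add(cpa.newConditionalPermissionInfo("other-read-readableFolder", signedByOther,
                new PermissionInfo[] { new PermissionInfo(FILE, readable, "read") },
                ConditionalPermissionInfo.ALLOW));
        rules.add(cpa.newConditionalPermissionInfo("other-deny-all-files", signedByOther,
                new PermissionInfo[] { new PermissionInfo(FILE, "<<ALL FILES>>", "read,write,delete,execute") },
                ConditionalPermissionInfo.DENY));
        rules.add(cpa.newConditionalPermissionInfo("everything-else", new ConditionInfo[0],
                new PermissionInfo[] { new PermissionInfo("java.security.AllPermission", "*", "*") },
                ConditionalPermissionInfo.ALLOW));

        if (!update.commit()) { // false: another updater changed the table first
            throw new IllegalStateException("policy table changed concurrently; retry");
        }
    }

    public void stop(BundleContext ctx) { /* the committed table stays in effect */ }
}
```

Because the rules are committed from the launcher itself, a bundle signed by OTHER that is later denied does not depend on a separately started policy bundle, and the absolute target avoids the Windows/Linux relative-path differences discussed in the thread.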