[ https://issues.apache.org/jira/browse/FELIX-5162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Joseph Aquilina updated FELIX-5162:
-----------------------------------------
    Description: 
Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25", 
and Felix "felix-framework-5.4.0". I have enabled security by adding 
"org.apache.felix.framework.security-2.4.0" to the bundle directory. 

I have then created three projects: "p1-check", "p1-policy" and the offending 
bundle "p1-evil" (I'll attach all code). My scenario is as follows: I do not 
want p1-evil to connect to the Internet. However, in the p1-evil Activator I 
placed some code that makes a request to Google and prints the response. 

The p1-check bundle has only one condition: MyCheck.java. The isSatisfied() 
method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", 
which is the symbolic name of the p1-evil bundle. 

This is meant to be used with the following security rule (can be found in 
security.policy): 

{code:title=security.policy}
DENY { 
  [com.p1.check.MyCheck] 
  ( java.net.SocketPermission "*" "connect" ) 
} "MyCheck"
...
{code}

(note: I also tried "connect,resolve"; it still does not work on Java 1.8) 

When I execute felix.jar with Java 1.7 I can see the logs from p1-check and, as 
expected, p1-evil does not connect and I get an exception: 
[java.security.AccessControlException: access denied 
("java.net.SocketPermission" "google.com:80" "connect,resolve")] 

When I execute felix.jar with Java 1.8 I can see the logs from p1-check; however, 
the p1-evil activator is still allowed to connect to Google. 

I have tried this on two different machines and I got the same results. Am I 
doing something wrong? Or is there something I do not know? 



> Security Conditions not working on Java 1.8
> -------------------------------------------
>
>                 Key: FELIX-5162
>                 URL: https://issues.apache.org/jira/browse/FELIX-5162
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework Security
>    Affects Versions: framework.security-2.4.0
>         Environment: Java 1.8
>            Reporter: Simon Joseph Aquilina
>            Priority: Minor
>              Labels: Java8, Security
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
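
Added example, not the reporter's attached code: a minimal immutable condition of the kind the description outlines, written against the OSGi Conditional Permission Admin API (org.osgi.service.condpermadmin). Only the class name com.p1.check.MyCheck and the symbolic name "com.p1.evil" come from the report; the class body and the TARGET_BSN constant are assumptions.

```java
package com.p1.check;

import java.util.Dictionary;

import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

/**
 * Hypothetical reconstruction: satisfied only for the bundle whose symbolic
 * name is "com.p1.evil", so the DENY row in security.policy applies to that
 * bundle alone and every other bundle falls through to later rows.
 */
public final class MyCheck implements Condition {

    // Symbolic name taken from the report; the constant name is an assumption.
    private static final String TARGET_BSN = "com.p1.evil";

    private final boolean satisfied;

    private MyCheck(boolean satisfied) {
        this.satisfied = satisfied;
    }

    /** Static factory the framework looks up to create the condition for a bundle. */
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        return new MyCheck(TARGET_BSN.equals(bundle.getSymbolicName()));
    }

    @Override
    public boolean isPostponed() { return false; }   // evaluate at once, not at the end of the check

    @Override
    public boolean isSatisfied() { return satisfied; }

    @Override
    public boolean isMutable() { return false; }     // the answer never changes for a given bundle

    @Override
    public boolean isSatisfied(Condition[] conditions, Dictionary<Object, Object> context) {
        // Bulk form, used by the framework for postponed conditions only.
        for (Condition c : conditions) {
            if (!c.isSatisfied()) {
                return false;
            }
        }
        return true;
    }
}
```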