[
https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15362317#comment-15362317
]
Karl Pauls commented on FELIX-5275:
-----------------------------------
From what I can tell given the description and the Equinox issue, this really
is just a misunderstanding on how security is working in Java.
The test bundle in this example is invoking privileged code (getting the
java.home property) - hence, the test bundle needs the required permission to
do that (it probably did get it - hard to say from the example). However, any
other code on the call stack also needs that permission _unless_ the test
bundle does wrap that call into a doPriv (which it doesn't).
Now in OSGi, if a bundle has an OSGI-INF/permissions.perm file, its _effective_
permissions will be limited to the permissions listed in that file (no matter
what permissions you assign to that bundle). As a result what happens here is:
- CM with (presumably) all permission has permissions.perm without java.home
  access permission and calls update method of test bundle;
- test bundle (presumably) has permission to access java.home and does so without
  doPriv block around call;
- result should be (and apparently is) a security exception because the effective
  permissions of CM on the call stack don't allow access to java.home.
The correct thing for the test bundle is to wrap access to java.home in a
doPriv.
> Felix & Equinox handling of OSGI-INF/permissions.perm differs
> -------------------------------------------------------------
>
> Key: FELIX-5275
> URL: https://issues.apache.org/jira/browse/FELIX-5275
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin, Framework Security
> Affects Versions: configadmin-1.8.8
> Environment: Felix config-admin 1.8.8 running on Equinox with
> SecurityManager
> Reporter: Derek Baum
>
> Using Felix config-admin 1.8.8 in Equinox, with a SecurityManager active,
> causes the ManagedService.updated() method to get AccessControlExceptions
> when, for example, accessing System properties.
> This is caused by:
> #1 OSGI-INF/permissions.perm added to config-admin in FELIX-4039
> #2 Different handling of OSGI-INF/permissions.perm between Felix and Equinox.
> I have previously raised this problem against Equinox (see External Issue
> URL), and this is the gist of their analysis:
> ---------------------------
> The felix CM implementation is scoping their own permissions down to a strict
> subset of permissions and Equinox is correctly enforcing that subset of
> permissions.
> So your bundle tries to read a system property, but the CM impl is not
> authorized to read that property.
> One complication may be that Felix is allowing its bundle protection domains
> to be configured with the java policy file (because their ProtectionDomains
> are constructed with that 4 arg constructor).
> This would seem to break the specified behavior though, because clearly the
> CM implementation should never be allowed to have permission to do things
> outside of what is specified by the permissions.perm file or that are
> "implied" permissions auto-granted by the framework for each bundle.
> -----------------------
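The stack-intersection rule described in the comment above, modelled as an added example that is not part of the original thread or of the Felix or Equinox code. The two ProtectionDomains and the `felix.cm.*` property name are constructed stand-ins for the CM bundle and the test bundle; it assumes a JDK in which the java.security access-control classes still perform checks (Java 8 through 23).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class DoPrivDemo {
    // Two-argument constructor: the domain holds exactly these static
    // permissions and never consults the java policy file.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(null, perms);
    }

    // A check passes only if every domain in the context implies the permission.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // The fix from the comment, as the test bundle would write it.
    static String readJavaHome() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("java.home"));
    }

    public static void main(String[] args) {
        Permission javaHome = new PropertyPermission("java.home", "read");
        // Constructed stand-ins: CM limited by its permissions.perm
        // (hypothetical property name), test bundle granted the read.
        ProtectionDomain cm = domain(new PropertyPermission("felix.cm.*", "read"));
        ProtectionDomain testBundle = domain(javaHome);

        // CM calls updated(): both domains are on the stack, so the check fails.
        System.out.println("without doPriv: " + allowed(javaHome, cm, testBundle));
        // doPrivileged stops the stack walk at the test bundle's frame.
        System.out.println("with doPriv:    " + allowed(javaHome, testBundle));
        System.out.println("java.home = " + readJavaHome());
    }
}
```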