The operations script has been modified to generate pki.policy
dynamically from links in the <instance>/common/lib directory.
This allows the pki.policy to match the actual paths in different
platforms.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata
>From c837aafc90f9d95dbe38cc2fa8e38118016a515c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Fri, 22 Jul 2016 17:31:20 +0200
Subject: [PATCH] Removed hard-coded paths in pki.policy.

The operations script has been modified to generate pki.policy
dynamically from links in the <instance>/common/lib directory.
This allows pki.policy to match the actual JAR paths on different
platforms.

https://fedorahosted.org/pki/ticket/2403
---
 base/server/scripts/operations    |  16 ++++-
 base/server/share/conf/pki.policy | 132 +-------------------------------------
 2 files changed, 17 insertions(+), 131 deletions(-)

diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 14443c4a5251c8f5405dc8abf2146e2b45fae0c7..59916700866073ca64201004c874116cbdbc1bb9 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -1352,10 +1352,24 @@ start_instance()
         return $rv
     fi
 
+    # Copy pki.policy template
+    /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf
+
+    # Add permissions for all JAR files in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib
+    for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*; do
+
+        cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF
+
+grant codeBase "file:$(realpath $path)" {
+    permission java.security.AllPermission;
+};
+EOF
+    done
+
     # Generate catalina.policy dynamically.
     cat /usr/share/pki/server/conf/catalina.policy \
         /usr/share/tomcat/conf/catalina.policy \
-        /usr/share/pki/server/conf/pki.policy \
+        /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy \
         /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
         /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
 
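Review bot: The new loop grants `java.security.AllPermission` to whatever each entry of `common/lib` resolves to, with no check that the entry is a JAR or that the link target actually exists, so the policy now trusts the directory's contents instead of the fixed allow-list the old pki.policy carried; anyone able to drop a file or link into that directory gets full permissions on the next start. If the glob matches nothing (bash without nullglob, which the hunk does not show being set), the literal pattern is handed to `realpath`, which fails and leaves `grant codeBase "file:"` in the generated policy — a malformed grant of uncertain effect. `$path` is also unquoted in `$(realpath $path)`, so a path with whitespace would break the command. I would restrict the glob to `*.jar`, skip entries whose `realpath` fails or does not resolve to a regular file, and quote the expansion, as below. start_instance() begins and ends outside this hunk.
```shell
    # Copy pki.policy template
    /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf

    # Grant permissions only to JAR files (or links to JAR files) in common/lib;
    # skip dangling links, an empty glob, and anything that is not a regular file.
    for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*.jar; do
        target=$(realpath "$path") || continue
        [ -f "$target" ] || continue

        cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF

grant codeBase "file:$target" {
    permission java.security.AllPermission;
};
EOF
    done

    # … unchanged: catalina.policy generation …
```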
diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index e281e0191690e770082740745ac9eea964da55c4..7d8cfec4591ec3ee28ade876253f4f593e086e67 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -4,10 +4,10 @@
 // --- END COPYRIGHT BLOCK ---
 
 // ============================================================================
-// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7
+// pki.policy - Default Security Policy Permissions for PKI on Tomcat
 //
 // This file contains a default set of security policies for PKI running inside
-// Tomcat 7.
+// Tomcat.
 // ============================================================================
 
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
@@ -22,42 +22,6 @@ grant codeBase "file:${catalina.base}/lib/-" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:/usr/lib/java/jss4.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib/java/symkey.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/jss4.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/symkey.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/commons-codec.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-io.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-logging.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/ecj.jar" {
         permission java.security.AllPermission;
 };
@@ -70,18 +34,6 @@ grant codeBase "file:/usr/share/java/glassfish-jsp.jar" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/javassist.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/jaxb-api.jar" {
         permission java.security.AllPermission;
 };
@@ -98,66 +50,10 @@ grant codeBase "file:/usr/share/java/jboss-web.jar" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:/usr/share/java/jackson/jackson-core-asl.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-jaxrs.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mapper-asl.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mrbean.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-smile.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-xc.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/log4j.jar" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:${RESTEASY_LIB}/jaxrs-api.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxrs.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jackson-provider.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/scannotation.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/servlet.jar" {
         permission java.security.AllPermission;
 };
@@ -166,10 +62,6 @@ grant codeBase "file:/usr/share/java/tomcat/-" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
         permission java.security.AllPermission;
 };
@@ -178,22 +70,6 @@ grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
         permission java.security.AllPermission;
 };
 
-grant codeBase "file:/usr/share/java/velocity.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xerces-j2.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-apis.jar" {
-        permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" {
-        permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/pki/-" {
         permission java.security.AllPermission;
 };
@@ -221,7 +97,3 @@ grant codeBase "file:${catalina.base}/webapps/tks/-" {
 grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
         permission java.security.AllPermission;
 };
-
-grant codeBase "file:/usr/lib/java/nuxwdog.jar" {
-        permission java.security.AllPermission;
-};
-- 
2.5.5
