Hi Dmitry, sorry for the delay.
Yes thanks, everything seems to work.
Code looks reasonable.
/Robbin
On 03/29/2017 05:10 PM, Dmitry Samersoff wrote:
Robbin,
One follow-up issue is that if you start suspended
and than connect with
an unallowed client the JVM starts and executes the program.
Fixed.
see http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.15
-Dmitry
On 2017-03-16 15:59, Robbin Ehn wrote:
Hi Dmitry, thanks for the update.
One follow-up issue is that if you start suspended and than connect with
an unallowed client the JVM starts and executes the program.
Simple program prints "Hello".
[rehn@rehn-ws vanilla-hs]$ java
-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:9999,allow=1.2.3.0/32
-cp . H
Listening for transport dt_socket at address: 9999
ERROR: Peer not allowed to connect
Listening for transport dt_socket at address: 9999
Hello
I think it would be good if the VM stayed suspended when an unallowed
client connects.
Thanks, Robbin
On 03/13/2017 08:07 PM, Dmitry Samersoff wrote:
Robbin,
Please, see:
http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11
1:
So connecting with an unallowed client terminates the VM.
Fixed.
2:
Starting with an bad allow filter terminates the VM when connecting a
client.
Moved allowed parameter (and parser call) to StartListening.
-Dmitry
On 2017-03-10 15:56, Robbin Ehn wrote:
Hi Dmitry,
I took a look at this, I have two practical issues:
1:
[rehn@rehn-ws dev]$ java
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
-cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: peer not allowed to connect: Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
error [transport.c:358]
So connecting with an unallowed client terminates the VM.
2:
[rehn@rehn-ws dev]$ java
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
-cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: unable to parse list of allowed peers:
Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
error [transport.c:358]
Starting with an bad allow filter terminates the VM when connecting a
client.
Connecting with an unallowed ip/port should not terminate the VM and we
should verify allow filter directly at startup.
Thanks
/Robbin
On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
Everybody,
Please review:
http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
These changes introduce new parameter[1] of the socket transport -
allow. Users can explicitly specify a list of hosts that allowed to
connect to jdwp server and it's the second part of JDWP hardening[2].
No restrictions are applied by default now but I'll file a separate CR
to restrict list of allowed peers to localhost by default.
Also these changes implement versioning for jdwp transport and therefor
simplify feature development of jdwp.
1. Example command line:
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
address=*,allow="127.0.0.0/8;192.168.0.0/24"
Possible values for allow parameter:
* - accept connections from everywhere.
N.N.N.N - accept connections from this IP address only
N.N.N.N/nn - accept connections from particular ip subnet
2. JDK-8052136 JDWP hardening
-Dmitry
