This depends on the ordering of your rules, i.e., the ALLOW must be _before_ the DENY if both match a given bundle.

regards,

Karl

On Thu, Jan 23, 2014 at 11:05 AM, felixandre <[email protected]> wrote:

> I had tried that and every bundle is (correctly) allowed to do everything;
> the problem is when starting to restrict policies...
> Anyway, I've just managed to make a further step; even if I'm almost sure I
> had already tried this way, now something is working as expected... With
>
> DENY {
>   [org.osgi.service.condpermadmin.BundleLocationCondition "file:.\\bundle\\plugins*"]
>   ( java.io.FilePermission "*" "write")
> } "We deny bundles to write file otherwise"
>
> ALLOW {
>   ( java.security.AllPermission "*" "*")
> } "But give all other not denied permissions to all bundles"
>
> I'm able to DENY file access permission to the bundles in ".\bundle\plugins"
> folder.
> In order to distinguish between signed and not signed bundle in that folder
> I added a BundleSignerCondition *after* the DENY condition like this:
>
> ALLOW {
>   [org.osgi.service.condpermadmin.BundleSignerCondition "CN=logboxIP, O=CRF, OU=ITS, L=Trento C=IT"]
>   ( java.io.FilePermission "*" "read, write")
> } "We allow signed bundles to write file"
>
> but this is not "overriding" the DENY condition for the whole
> ".\bundle\plugins" folder... How could this be accomplished?
>
> --
> View this message in context:
> http://apache-felix.18485.x6.nabble.com/Problem-with-Felix-security-and-bundle-policies-tp5006903p5006948.html
> Sent from the Apache Felix - Users mailing list archive at Nabble.com.

--
Karl Pauls
[email protected]
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
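The ordering rule from the reply above, as an added example that is not part of the original thread or of Felix's code: a simplified Python model of first-match evaluation over an ordered rule table. The bundle locations, the signer name and the one-condition-per-row layout are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): a row is (access, condition, permission, actions).
# A condition is ("location", glob), ("signer", name) or None (matches every bundle).
SIGNER = "CN=example-signer"          # constructed stand-in for the signer DN
PLUGINS = "file:./bundle/plugins*"    # constructed stand-in for the plugin location

DENY_WRITE = ("DENY", ("location", PLUGINS), "java.io.FilePermission", {"write"})
ALLOW_SIGNED = ("ALLOW", ("signer", SIGNER), "java.io.FilePermission", {"read", "write"})
ALLOW_ALL = ("ALLOW", None, "java.security.AllPermission", None)

def condition_holds(cond, bundle):
    if cond is None:
        return True
    kind, value = cond
    if kind == "location":
        return fnmatchcase(bundle["location"], value)
    return value in bundle["signers"]

def implies(row_perm, row_actions, perm, action):
    if row_perm == "java.security.AllPermission":
        return True
    return row_perm == perm and action in row_actions

def decide(table, bundle, perm, action):
    """Access of the first row whose condition holds and whose permission
    implies the request; in this model, no matching row means DENY."""
    for access, cond, row_perm, row_actions in table:
        if condition_holds(cond, bundle) and implies(row_perm, row_actions, perm, action):
            return access
    return "DENY"

def write_access(table, bundle):
    return decide(table, bundle, "java.io.FilePermission", "write")

# Constructed sample bundles, both installed from the plugins folder.
signed = {"location": "file:./bundle/plugins/a.jar", "signers": {SIGNER}}
unsigned = {"location": "file:./bundle/plugins/b.jar", "signers": set()}

as_posted = [DENY_WRITE, ALLOW_SIGNED, ALLOW_ALL]   # signer ALLOW after the DENY
reordered = [ALLOW_SIGNED, DENY_WRITE, ALLOW_ALL]   # signer ALLOW before the DENY

if __name__ == "__main__":
    for name, table in (("as posted", as_posted), ("reordered", reordered)):
        print(name, "signed:", write_access(table, signed),
              "unsigned:", write_access(table, unsigned))
```

With the signer ALLOW placed after the DENY, the location rule decides first for every bundle in the plugins folder, so the signer row is never reached for a write request.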

