I'm sure I had tried the "-" parameter in the FilePermission condition as the first
parameter, but maybe at least the first slash is needed ("/-"). Now this
seems to work, thanks! Where can I find clear explanations of how to
specify the parameters of this and other Permissions? I'm not sure all the
OSGi specifications are implemented in Felix and which syntax they follow... (I read
in your presentation of 2008: "Felix security is still experimental:
• Not all permission checks implemented
• Configuration and documentation needs improvement")

If I want to avoid any malicious bundle reading and writing any file in the
filesystem I should add:

    DENY {
        ( java.io.FilePermission "/-" "read,write")
    }  "Deny bundles not signed to read and write any file"

, right?

But if I do it this way the "system" bundles (from Eclipse and Felix) are
also blocked... I verified that the Felix bundles are not signed, thus I
tried to sign them with my certificate, treating them as bundles signed by
ME.
The result of "jarsigner -verify bundlename" with Eclipse bundles is:

    CN="Eclipse.org Foundation, Inc", OU=Digital ID Class 3 - Java Object Signing, O="Eclipse.org Foundation, Inc", L=Ottawa, ST=Ontario, C=CA
    CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

Should I import the Eclipse certificate into my keystore.jks? Or maybe the VeriSign
CA certificate (it can be exported from cacerts)?

How do I include a certificate with quote symbols (i.e.
O="Eclipse.org Foundation, Inc") in BundleSignerCondition?
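The following is an added example, not code from the post or from Apache Felix. It generates ConditionalPermissionAdmin table entries in the same encoded text form the post uses (`ALLOW`/`DENY { [condition ...] (permission ...) } "name"`), and answers the quoting question: inside the double-quoted arguments of a `ConditionInfo` or `PermissionInfo`, a `"` is written as `\"` and a `\` as `\\`, so the Eclipse DN can be used as-is once escaped. It assumes the DN-chain pattern for `BundleSignerCondition` lists the signer's DN first, with `-` matching the rest of the chain (the VeriSign intermediate and root shown above); if the deployment's spec version orders the chain differently, adjust the pattern. The `build_policy` function puts an `ALLOW` for bundles signed by the Eclipse DN ahead of the post's `DENY`, because the table is evaluated in order and the first entry whose conditions are satisfied and whose permissions imply the checked permission decides.

```python
# Added example, not code from the mailing-list post or from Apache Felix.
# Builds ConditionalPermissionAdmin policy entries in the encoded text form
# (ALLOW/DENY { [condition ...] (permission ...) } "name") and shows how a DN
# containing double quotes survives the encoding.
#
# Escaping rule (from the OSGi ConditionInfo / PermissionInfo encoded form):
# arguments are double-quoted, and inside them '"' and '\' are written
# as '\"' and '\\'.

BUNDLE_SIGNER = "org.osgi.service.condpermadmin.BundleSignerCondition"

# Signer DN copied from the jarsigner output in the post, followed by "; -".
# Assumption: the DN chain pattern lists the signer first and "-" matches
# the remaining (CA) certificates in the chain.
ECLIPSE_SIGNER = (
    'CN="Eclipse.org Foundation, Inc", OU=Digital ID Class 3 - Java Object Signing, '
    'O="Eclipse.org Foundation, Inc", L=Ottawa, ST=Ontario, C=CA; -'
)


def escape_arg(value: str) -> str:
    """Escape one quoted argument: backslash first, then the double quote."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def condition_info(cond_type: str, *args: str) -> str:
    """Encode a condition as [type "arg0" "arg1" ...]."""
    return "[" + cond_type + "".join(f' "{escape_arg(a)}"' for a in args) + "]"


def permission_info(perm_type: str, name: str, actions: str) -> str:
    """Encode a permission as (type "name" "actions")."""
    return f'({perm_type} "{escape_arg(name)}" "{escape_arg(actions)}")'


def policy_entry(access: str, conditions: list, permissions: list, name: str) -> str:
    """Lay out one ALLOW/DENY table entry in the multi-line text form."""
    body = [f"    {item}" for item in conditions + permissions]
    return "\n".join([f"{access} {{"] + body + [f'}} "{escape_arg(name)}"'])


def extract_quoted_args(encoded: str) -> list:
    """Parse the quoted arguments back out of an encoded condition or permission,
    honouring the backslash escapes; used here to prove the round trip."""
    args, i = [], 0
    while i < len(encoded):
        if encoded[i] != '"':
            i += 1
            continue
        buf, j = [], i + 1
        while encoded[j] != '"':
            if encoded[j] == "\\":  # escaped quote or backslash: take the next char literally
                buf.append(encoded[j + 1])
                j += 2
            else:
                buf.append(encoded[j])
                j += 1
        args.append("".join(buf))
        i = j + 1
    return args


def build_policy() -> list:
    """ALLOW for bundles signed by the Eclipse DN first, then the post's DENY.
    The table is evaluated in order, so the specific ALLOW must precede the
    catch-all DENY or the Eclipse bundles are blocked as well."""
    file_rw = permission_info("java.io.FilePermission", "/-", "read,write")
    return [
        policy_entry("ALLOW", [condition_info(BUNDLE_SIGNER, ECLIPSE_SIGNER)], [file_rw],
                     "Let bundles signed by Eclipse read and write files"),
        policy_entry("DENY", [], [file_rw],
                     "Deny bundles not signed to read and write any file"),
    ]


if __name__ == "__main__":
    print("\n".join(build_policy()))
```

Running it prints the two entries ready to paste into the policy; `extract_quoted_args` decodes the `BundleSignerCondition` argument back to the exact DN string, which is the check to run on any hand-written entry whose DN contains quotes. The quoted `O="Eclipse.org Foundation, Inc"` form is the RFC 2253 way of carrying a comma inside a value (escaping it as `\,` is the alternative, which then needs `\\,` in the encoded argument). Note also that a non-empty table denies any permission no entry matches, so a real table needs further `ALLOW` entries for the other permissions the bundles use.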
