If I understand you correctly you want to: a) prevent any bundle to open any socket
b) prevent bundles not signed by your certificate from being installed In regard to a, can't you just put a DENY java.net.SocketPermission at the beginning of your policy? In regard to b, I guess the best I can think of in a hurry is to first grant AdminPermission["signer=CN=XZX,O=XYX,C=XX",LIFECYCLE] and then DENY AdminPermission["*",LIFECYCLE] Keep in mind that the permission order is important hence, if you e.g. for b first allow AdminPermission LIFECYCLE for bundles signed by your CA and then DENY AdminPermission it basically will only allow to install bundles signed by your CA. Does this help? regards, Karl On Thu, Sep 15, 2016 at 11:38 AM, sid19039 <sid19...@gmail.com> wrote: > > Hello @Karl and @Robert, again thank you so much for your help. > And I am sorry for this late reply for I got occupied in other priority > activities. > Yeah , I tried Robert's point and it worked well. > We created our security bundle which reads the following policy file to > bring it into picture via ConditionalPermissionAdmin. > policy file: > ALLOW { > [ org.osgi.service.condpermadmin.BundleSignerCondition "CN=XZX, O=XYX, > C=XX" ] > ( java.security.AllPermission "*" "*") > } "Bundles Signed by XZX certificate get AllPermission" > ALLOW { > [org.osgi.service.condpermadmin.BundleLocationCondition > "file:/D:/dir_A/dir_B/felix-framework 5.4.0/bundle/*"] > (java.security.AllPermission "*" "*") > } "Existing bundles of felix" > DENY { > (java.security.AllPermission "*" "*") > } "And give denied permissions to all bundles" > > In above set of permissions, first ALLOW set of permissions gives all > permission to all bundles which are signed by our certificate. Second set of > permissions assign all permissions to all those bundles which are already > present in felix framework default bundle directory. And Third set denies > all permissions to all those bundles which are not signed by our certificate > or which are unsigned and which are not present in default bundle directory > of felix framework. > > Now, signed bundles are successfully installed, become active and run fine > with all permission granted. > But we want to restrict all running bundles to not able to access any > ethernet port on device inside which our felix framework is running. How can > we deny this particular permission to a bundle? > > Moreover, a bundle which is not signed or signed with any other certificate, > also gets installed in the framework without giving any security exception, > though an *unresolved exception as shown below*, appears on the console when > we try to start this unsigned bundle: > > *org.osgi.framework.BundleException: Unable to resolve TCPModBus [14](R > 14.0): missing requirement [TCPModBus [14](R 14.0)] osgi.wiring.package; > (&(osg > i.wiring.package=org.osgi.framework)(version>=1.3.0)) Unresolved > requirements: [[TCPModBus [14](R 14.0)] osgi.wiring.package; > (&(osgi.wiring.package=o > rg.osgi.framework)(version>=1.3.0))]* > > Is there any way to prevent these unsigned bundles or bundles signed with > other certificates from even being installed into the framework? > > > Regards > Siddharth > > > > > > > > -- > View this message in context: http://apache-felix.18485.x6.nabble.com/how-to-enable-felix-verify-the-contents-of-a-signed-bundle-tp5018089p5018412.html > Sent from the Apache Felix - Users mailing list archive at Nabble.com. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@felix.apache.org > For additional commands, e-mail: users-h...@felix.apache.org > -- Karl Pauls karlpa...@gmail.com