Date: Tue, 5 Jul 2016 10:23:11 +0000 (UTC)
From: "Karl Pauls (JIRA)"
To: dev@felix.apache.org
Subject: [jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs

    [ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15362331#comment-15362331 ]

Karl Pauls commented on FELIX-5275:
-----------------------------------

Granted, if you tested this with security enabled and the framework.security provider installed and it works in Felix without a doPriv in the test bundle then this is a real bug - otherwise, I'd say close this issue.

> Felix & Equinox handling of OSGI-INF/permissions.perm differs
> -------------------------------------------------------------
>
>                 Key: FELIX-5275
>                 URL: https://issues.apache.org/jira/browse/FELIX-5275
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin, Framework Security
>    Affects Versions: configadmin-1.8.8
>         Environment: Felix config-admin 1.8.8 running on Equinox with SecurityManager
>            Reporter: Derek Baum
>
> Using Felix config-admin 1.8.8 in Equinox, with a SecurityManager active, causes the ManagedService.updated() method to get AccessControlExceptions when, for example, accessing System properties.
> This is caused by:
> #1 OSGI-INF/permissions.perm added to config-admin in FELIX-4039
> #2 Different handling of OSGI-INF/permissions.perm between Felix and Equinox.
> I have previously raised this problem against Equinox (see External Issue URL), and this is the gist of their analysis:
> ---------------------------
> The felix CM implementation is scoping their own permissions down to a strict subset of permissions and Equinox is correctly enforcing that subset of permissions.
> So your bundle tries to read a system property, but the CM impl is not authorized to read that property.
> One complication may be that Felix is allowing its bundle protection domains to be configured with the java policy file (because their ProtectionDomains are constructed with that 4 arg constructor).
> This would seem to break the specified behavior though, because clearly the CM implementation should never be allowed to have permission to do things outside of what is specified by the permissions.perm file or that are "implied" permissions auto-granted by the framework for each bundle.
> -----------------------

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
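
Added example, not part of the original message and not Felix or Equinox code: the quoted analysis turns on how `java.security.ProtectionDomain` treats the installed `Policy` depending on which constructor built it, and this sketch shows a policy widening a declared permission subset only for the four-argument form. It assumes a JDK where `Policy.setPolicy` is still functional (Java 8 through 23); `ProtectionDomainScopeDemo`, `PropertyReadPolicy` and `declaredSubset` are hypothetical names, and the permission set is a constructed stand-in for a bundle's `OSGI-INF/permissions.perm`.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class ProtectionDomainScopeDemo {

    // Constructed stand-in for a java.policy file that lets all code read system properties.
    static final class PropertyReadPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return permission instanceof PropertyPermission
                    && "read".equals(permission.getActions());
        }
    }

    // Constructed stand-in for the subset a bundle declares in OSGI-INF/permissions.perm.
    // It deliberately contains no PropertyPermission.
    static Permissions declaredSubset() {
        Permissions p = new Permissions();
        p.add(new RuntimePermission("getClassLoader"));
        return p;
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PropertyReadPolicy());
        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        Permission read = new PropertyPermission("user.home", "read");

        // Two-argument constructor: the permissions are static and the Policy is never consulted.
        ProtectionDomain staticPd = new ProtectionDomain(cs, declaredSubset());

        // Four-argument constructor: the installed Policy is consulted in addition to the
        // supplied collection, so it can grant more than the declared subset.
        ProtectionDomain dynamicPd = new ProtectionDomain(
                cs, declaredSubset(), ProtectionDomainScopeDemo.class.getClassLoader(), null);

        System.out.println("static  domain implies property read: " + staticPd.implies(read));
        System.out.println("dynamic domain implies property read: " + dynamicPd.implies(read));
        System.out.println("static  domain implies declared permission: "
                + staticPd.implies(new RuntimePermission("getClassLoader")));
    }
}
```

Running `implies()` against both domains like this is a quick way to check whether a framework's bundle domains stay within their declared permissions or inherit grants from the JVM policy.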