felix-users mailing list archives

From Karl Pauls <karlpa...@gmail.com>
Subject Re: Embedding Felix Security
Date Sun, 02 Oct 2011 18:34:59 GMT
It looks to me like you are not using the DENY and ALLOW policies
correctly: you use DENY even where, I guess, you mean ALLOW (for
example, the entry commented "Give the System Bundle AllPermissions"
is added with ConditionalPermissionInfo.DENY).
Furthermore, you don't have to give permissions to the system bundle
(it has them by default), and you shouldn't set your own security
manager (the framework will do that by itself if you set the
osgi.security=true flag, as you do).

However, I agree that your code looks like it should still prevent
bundles from reading/writing files. One possibility is that it
doesn't pick up <<ALL FILES>> correctly. Can you try with any other
permission or, even better, with a recursive file permission starting
at some point, like "C:/-", and see whether that prevents bundles from
accessing files on the C: drive?

regards,

Karl

On Sun, Oct 2, 2011 at 2:23 PM, alpha sparc <alphasparc@gmail.com> wrote:
> Hi, I am attempting to run felix security bundle.
> I have given all.permission to felix, installed the security bundle and
> tried to load policy using the policy bundle in the examples as well as
> tried to programatically set the policy but the bundle still run regardless
> of how I tried to deny read and write to <<ALL FILES>>.
>
> Can anyone help me to point out what I missed? The result of this code is
> that all the bundles run even when I tried to stop them
>  public static void main( String[] args ) throws BundleException
>    {
>        String [] bundledir=null;
>
>        System.setProperty("java.security.policy","./Policy/all.policy");
> //OSGi need all Permission
>        System.setProperty("org.osgi.framework.security=osgi","true");
>
>
>        Map<String, String> fmap = new HashMap<String, String>();
>        fmap.put(FelixConstants.FRAMEWORK_STORAGE, "./Bundles/"); //Run in
> the bundle directory
>        fmap.put(FelixConstants.FRAMEWORK_STORAGE_CLEAN, "true");
>        fmap.put(FelixConstants.FRAMEWORK_SECURITY_OSGI, "true");
>
>        Felix felix = new Felix(fmap);
>
>        try{
>        felix.start();
>
>                SimpleSecurityManager sm = new SimpleSecurityManager();
>                System.setSecurityManager(sm);
>
>            Bundle securitybundle = null;
>            File file = new
> File("./Bundles/Security/framework.security.jar");
>            URL url = file.toURI().toURL();
>            securitybundle = felix.getBundleContext().
>                    installBundle(
>                    url.toString());
>            securitybundle.start();
>
>            Bundle policybundle = null;
>            File file2 = new File("./Bundles/Security/PolicyActivator.jar");
>            URL url2 = file2.toURI().toURL();
>            policybundle =
> felix.getBundleContext().installBundle(url2.toString());
>            policybundle.start();
>
>
> final ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin)
> felix.getBundleContext().getService(felix.getBundleContext().getServiceReference(ConditionalPermissionAdmin.class.getName()));
> final ConditionalPermissionUpdate u = cpa.newConditionalPermissionUpdate();
> List<ConditionalPermissionInfo> permlist =
> u.getConditionalPermissionInfos();
> permlist.clear();
> // Give the System Bundle AllPermissions
> permlist.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {
> new ConditionInfo(
> BundleLocationCondition.class.getName(), new String[] {
> felix.getBundleContext().getBundle(0).getLocation() }) },
> new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(),
> "*", "*") },
> ConditionalPermissionInfo.DENY));
> // Allow the first two system bundles (Log and ConfigAdmin) to import
> org.osgi.framework
> permlist.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {
> new ConditionInfo(
> BundleLocationCondition.class.getName(), new String[] {
> felix.getBundleContext().getBundle(1).getLocation() }) },
> new PermissionInfo[] { new PermissionInfo(PackagePermission.class.getName(),
> "org.osgi.framework",
> PackagePermission.IMPORT) }, ConditionalPermissionInfo.DENY));
>
> permlist.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {
> new ConditionInfo(
> BundleLocationCondition.class.getName(), new String[] {
> felix.getBundleContext().getBundle().getLocation(),"C:/Users/User/Documents/NetBeansProjects/OSGiVerify/Bundles/*"
> }) },
> new PermissionInfo[] { new PermissionInfo(
> java.io.FilePermission.class.getName(),"<<ALL FILES>>","read,write") },
> ConditionalPermissionInfo.DENY));
> u.commit();
>
>        for(int i=0;(bundledir[i]!=null);i++)
>        {
>            System.out.println(bundledir[i]);
>
>            Bundle bundlelauncher=null;
>            File file1 = new File(bundledir[i]);
>            URL url1 = file1.toURI().toURL();
>
> bundlelauncher=felix.getBundleContext().installBundle(url1.toString());
>            bundlelauncher.start();
>        }
>
> }catch(Exception e){e.printStackTrace();}
>



-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls


