changeset 2321:b0e276df145d

Fix issue that allowed unsigned applications to modify system properties.
author Deepak Bhole <dbhole@redhat.com>
date Wed, 28 Jul 2010 15:20:07 -0400
parents df5f1084ee3c
children af0efa63ddfe
files ChangeLog netx/net/sourceforge/jnlp/SecurityDesc.java netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
diffstat 4 files changed, 77 insertions(+), 83 deletions(-) [+]
--- a/ChangeLog	Wed Jul 28 17:16:40 2010 +0100
+++ b/ChangeLog	Wed Jul 28 15:20:07 2010 -0400
@@ -1,3 +1,18 @@
+2010-07-21  Deepak Bhole <dbhole@redhat.com>
+
+	* netx/net/sourceforge/jnlp/SecurityDesc.java: Converge all property
+	permission settings info a single class.
+	(getPermissions): Do not give read/write permissions to anything other
+	than what is allowed by spec.
+	(getSandBoxPermissions): Same.
+	* netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java: Remove
+	blanket imports.
+	(installEnvironment): Write properties in a restricted
+	AccessControlContext based on app specific permissions only.
+	* netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java
+	(checkPermission): Remove all property permission decision making code
+	and collapse it all into SecurityDesc.java.
+
 2010-07-23  Andrew John Hughes  <ahughes@redhat.com>
 
 	* Makefile.am:
--- a/netx/net/sourceforge/jnlp/SecurityDesc.java	Wed Jul 28 17:16:40 2010 +0100
+++ b/netx/net/sourceforge/jnlp/SecurityDesc.java	Wed Jul 28 15:20:07 2010 -0400
@@ -53,6 +53,11 @@
     /** the JNLP file */
     private JNLPFile file;
 
+    // We go by the rules here:
+    // http://java.sun.com/docs/books/tutorial/deployment/doingMoreWithRIA/properties.html
+
+    // Since this is security sensitive, take a conservative approach:
+    // Allow only what is specifically allowed, and deny everything else
 
     /** basic permissions for restricted mode */
     private static Permission j2eePermissions[] = {
@@ -95,6 +100,9 @@
         new PropertyPermission("java.vm.vendor", "read"),
         new PropertyPermission("java.vm.name", "read"),
         new PropertyPermission("javawebstart.version", "read"),
+        new PropertyPermission("javaplugin.*", "read"),
+        new PropertyPermission("jnlp.*", "read,write"),
+        new PropertyPermission("javaws.*", "read,write"),
         new RuntimePermission("exitVM"),
         new RuntimePermission("stopThread"),
         new AWTPermission("showWindowWithoutWarningBanner"),
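Review bot: The three new wildcard grants carry no comment saying why `jnlp.*` and `javaws.*` are writable while every other property entry in this array is read-only; that reasoning lived in the `JNLPSecurityManager.checkPermission` block this commit deletes (`// Next, allow access to customizable properties`) and is lost with it. Suggest keeping it beside the grants: `// javaplugin.* is readable by every RIA` above the first added line and `// customizable namespaces: any RIA may read and write jnlp.* and javaws.*` above the second. The array these lines belong to starts outside the hunk; from the surrounding read-only entries it appears to be the sandbox set rather than j2eePermissions, so the grants apply to unsigned applets as well as applications, which matches the removed code.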
@@ -105,6 +113,26 @@
         // new AWTPermission("accessEventQueue"),
     };
 
+    /** basic permissions for restricted mode */
+    private static Permission jnlpRIAPermissions[] = {
+        new PropertyPermission("awt.useSystemAAFontSettings", "read,write"),
+        new PropertyPermission("http.agent", "read,write"),
+        new PropertyPermission("http.keepAlive", "read,write"),
+        new PropertyPermission("java.awt.syncLWRequests", "read,write"),
+        new PropertyPermission("java.awt.Window.locationByPlatform", "read,write"),
+        new PropertyPermission("javaws.cfg.jauthenticator", "read,write"),
+        new PropertyPermission("javax.swing.defaultlf", "read,write"),
+        new PropertyPermission("sun.awt.noerasebackground", "read,write"),
+        new PropertyPermission("sun.awt.erasebackgroundonresize", "read,write"),
+        new PropertyPermission("sun.java2d.d3d", "read,write"),
+        new PropertyPermission("sun.java2d.dpiaware", "read,write"),
+        new PropertyPermission("sun.java2d.noddraw", "read,write"),
+        new PropertyPermission("sun.java2d.opengl", "read,write"),
+        new PropertyPermission("swing.boldMetal", "read,write"),
+        new PropertyPermission("swing.metalTheme", "read,write"),
+        new PropertyPermission("swing.noxp", "read,write"),
+        new PropertyPermission("swing.useSystemFontSettings", "read,write"),
+    };
 
     /**
      * Create a security descriptor.
@@ -155,12 +183,9 @@
             for (int i=0; i < j2eePermissions.length; i++)
                 permissions.add(j2eePermissions[i]);
 
-        // properties
-        PropertyDesc props[] = file.getResources().getProperties();
-        for (int i=0; i < props.length; i++) {
-            // should only allow jnlp.* properties if in sandbox?
-            permissions.add(new PropertyPermission(props[i].getKey(), "read,write"));
-        }
+        if (file.isApplication())
+            for (int i=0; i < jnlpRIAPermissions.length; i++)
+                permissions.add(jnlpRIAPermissions[i]);
 
         return permissions;
     }
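Review bot: The new `if (file.isApplication())` loop is duplicated verbatim in getSandBoxPermissions (the hunk at `@@ -175,17 +200,14 @@`), so the two grant paths can drift apart the next time the RIA table changes; a small private helper called from both sites keeps the policy in one place. The declaration of `permissions` is outside the hunk; the helper below takes a `PermissionCollection`, which a `Permissions` instance satisfies. The removed loop was the defect named in the commit message, since it granted read,write on every property key declared in the JNLP file's resources regardless of signing, and nothing replaces it for keys outside `jnlp.*`/`javaws.*`, so an unsigned application whose JNLP declares such a property will now have the write refused rather than honoured (see the ApplicationInstance hunk). The method's start is outside the hunk; it ends at the closing brace on the hunk's last line.
```java
        // … unchanged: j2eePermissions loop …

        if (file.isApplication())
            addApplicationPropertyPermissions(permissions);

        return permissions;
    }

    /**
     * Grants the property permissions that the RIA rules reserve for
     * JNLP applications; applets do not receive them.
     */
    private static void addApplicationPropertyPermissions(PermissionCollection permissions) {
        for (int i = 0; i < jnlpRIAPermissions.length; i++)
            permissions.add(jnlpRIAPermissions[i]);
    }
```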
@@ -175,17 +200,14 @@
         for (int i=0; i < sandboxPermissions.length; i++)
             permissions.add(sandboxPermissions[i]);
 
+        if (file.isApplication())
+            for (int i=0; i < jnlpRIAPermissions.length; i++)
+                permissions.add(jnlpRIAPermissions[i]);
+
         if (downloadHost != null)
             permissions.add(new SocketPermission(downloadHost,
                                                  "connect, accept"));
 
-        // properties
-        PropertyDesc props[] = file.getResources().getProperties();
-        for (int i=0; i < props.length; i++) {
-            // should only allow jnlp.* properties if in sandbox?
-            permissions.add(new PropertyPermission(props[i].getKey(), "read,write"));
-        }
-
         return permissions;
     }
 
--- a/netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java	Wed Jul 28 17:16:40 2010 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/ApplicationInstance.java	Wed Jul 28 15:20:07 2010 -0400
@@ -17,17 +17,26 @@
 
 package net.sourceforge.jnlp.runtime;
 
-import java.awt.*;
-import java.util.*;
-import java.util.List;
-import java.security.*;
+import java.awt.Window;
+import java.net.URL;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.CodeSource;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
+
 import javax.swing.event.EventListenerList;
 
-import net.sourceforge.jnlp.*;
-import net.sourceforge.jnlp.event.*;
+import net.sourceforge.jnlp.JNLPFile;
+import net.sourceforge.jnlp.PropertyDesc;
+import net.sourceforge.jnlp.SecurityDesc;
+import net.sourceforge.jnlp.ShortcutDesc;
+import net.sourceforge.jnlp.event.ApplicationEvent;
+import net.sourceforge.jnlp.event.ApplicationListener;
 import net.sourceforge.jnlp.security.SecurityWarningDialog.AccessType;
 import net.sourceforge.jnlp.services.ServiceUtil;
-import net.sourceforge.jnlp.util.*;
+import net.sourceforge.jnlp.util.WeakList;
+import net.sourceforge.jnlp.util.XDesktopEntry;
 
 /**
  * Represents a running instance of an application described in a
@@ -160,6 +169,16 @@
     void installEnvironment() {
         final PropertyDesc props[] = file.getResources().getProperties();
 
+        CodeSource cs = new CodeSource((URL) null, (java.security.cert.Certificate  [])null);
+
+        JNLPClassLoader loader = (JNLPClassLoader) this.loader;
+        SecurityDesc s = loader.getSecurity();
+
+        ProtectionDomain pd = new ProtectionDomain(cs, s.getPermissions(), null, null);
+
+        // Add to hashmap
+        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] {pd});
+
         PrivilegedAction installProps = new PrivilegedAction() {
             public Object run() {
                 for (int i=0; i < props.length; i++) {
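Review bot: The four-argument `ProtectionDomain` constructor on the `pd` line creates a dynamic domain, one whose `implies` consults the installed `Policy` at check time in addition to `s.getPermissions()`, whereas the two-argument form `ProtectionDomain pd = new ProtectionDomain(cs, s.getPermissions());` creates a static domain whose grants are exactly the descriptor's permissions, which is what the ChangeLog says this context is for ("based on app specific permissions only"). With the null CodeSource used here, whatever the runtime's Policy returns for a codesource-less, loader-less domain would be added silently; I have not traced netx's Policy, so treat the widening as possible rather than confirmed. `// Add to hashmap` describes nothing in this hunk and should read `// restrict the property writes below to what this application's security descriptor grants`. The Certificate cast has stray spaces and a fully qualified name even though the import hunk now lists every import explicitly; `(Certificate[]) null` plus `import java.security.cert.Certificate;` matches the new style. installEnvironment continues past the end of this hunk.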
@@ -169,7 +188,7 @@
                 return null;
             }
         };
-        AccessController.doPrivileged(installProps);
+        AccessController.doPrivileged(installProps, acc);
     }
 
     /**
--- a/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Wed Jul 28 17:16:40 2010 +0100
+++ b/netx/net/sourceforge/jnlp/runtime/JNLPSecurityManager.java	Wed Jul 28 15:20:07 2010 -0400
@@ -335,68 +335,6 @@
                                                 }
                                         }
 
-                                } else if (perm instanceof PropertyPermission) {
-
-                                    if (JNLPRuntime.isDebug())
-                                        System.err.println("Requesting property: " + perm.toString());
-
-                                    // We go by the rules here:
-                                    // http://java.sun.com/docs/books/tutorial/deployment/doingMoreWithRIA/properties.html
-
-                                    // Since this is security sensitive, take a conservative approach:
-                                    // Allow only what is specifically allowed, and deny everything else
-
-                                    // First, allow what everyone is allowed to read
-                                    if (perm.getActions().equals("read")) {
-                                        if (    perm.getName().equals("java.class.version") ||
-                                                perm.getName().equals("java.vendor") ||
-                                                perm.getName().equals("java.vendor.url")  ||
-                                                perm.getName().equals("java.version") ||
-                                                perm.getName().equals("os.name") ||
-                                                perm.getName().equals("os.arch") ||
-                                                perm.getName().equals("os.version") ||
-                                                perm.getName().equals("file.separator") ||
-                                                perm.getName().equals("path.separator") ||
-                                                perm.getName().equals("line.separator") ||
-                                                perm.getName().startsWith("javaplugin.")
-                                            ) {
-                                            return;
-                                        }
-                                    }
-
-                                    // Next, allow what only JNLP apps can do
-                                    if (getApplication().getJNLPFile().isApplication()) {
-                                        if (    perm.getName().equals("awt.useSystemAAFontSettings") ||
-                                                perm.getName().equals("http.agent") ||
-                                                perm.getName().equals("http.keepAlive") ||
-                                                perm.getName().equals("java.awt.syncLWRequests") ||
-                                                perm.getName().equals("java.awt.Window.locationByPlatform") ||
-                                                perm.getName().equals("javaws.cfg.jauthenticator") ||
-                                                perm.getName().equals("javax.swing.defaultlf") ||
-                                                perm.getName().equals("sun.awt.noerasebackground") ||
-                                                perm.getName().equals("sun.awt.erasebackgroundonresize") ||
-                                                perm.getName().equals("sun.java2d.d3d") ||
-                                                perm.getName().equals("sun.java2d.dpiaware") ||
-                                                perm.getName().equals("sun.java2d.noddraw") ||
-                                                perm.getName().equals("sun.java2d.opengl") ||
-                                                perm.getName().equals("swing.boldMetal") ||
-                                                perm.getName().equals("swing.metalTheme") ||
-                                                perm.getName().equals("swing.noxp") ||
-                                                perm.getName().equals("swing.useSystemFontSettings")
-                                        ) {
-                                            return; // JNLP apps can read and write to these
-                                        }
-                                    }
-
-                                    // Next, allow access to customizable properties
-                                    if (perm.getName().startsWith("jnlp.") ||
-                                        perm.getName().startsWith("javaws.")) {
-                                        return;
-                                    }
-
-                                    // Everything else is denied
-                                    throw se;
-
                                 } else if (perm instanceof SecurityPermission) {
 
                                     // JCE's initialization requires putProviderProperty permission