BOTTARO Andre RD-MAPS-GRE wrote:
For security purposes, I would like to prevent bundles from using classes that belong to private packages of any bundle.
I checked that if I have a hacking bundle (B) with the following code, it will
be able to call a method (criticalAlert) on a private class
(private.packages.Sample) of a bundle (A), i.e. a class which is neither exported
by A nor imported by B. In order to do that, B must access the classloader of A,
thus I suppose that B imports an exported package (public.packages) from A:
    import java.lang.reflect.Method;
    import org.osgi.framework.BundleActivator;
    import org.osgi.framework.BundleContext;

    public class Activator implements BundleActivator {
        public void start(BundleContext bc) throws Exception {
            // Getting an instance of an exported class from A...
            public.packages.Sample sample = new public.packages.Sample();
            // Trying to access the private class from A through A's class loader...
            ClassLoader loader = sample.getClass().getClassLoader();
            Class clazz = loader.loadClass("private.packages.Sample");
            Object o = clazz.newInstance();
            Method m = o.getClass().getMethod("criticalAlert", new Class[]{});
            m.invoke(o, new Object[]{});
        }

        public void stop(BundleContext bc) {
        }
    }
So, tell me if I am wrong, the OSGi solution to this bundle isolation issue is to use Java 2 permissions (with OSGi CPA or PA) to forbid the use of reflection (Class.newInstance and java.lang.reflect) to untrusted bundles.
There is also another threat (even more direct) in OSGi R4: the use of
Fragments. Are there other threats?
Well, bundle B would need permission to do "getClassLoader" if security
were enabled. Without security enabled, we have no way to prevent bundle
B from accessing private classes from A, since A's class loader must be
able to access them otherwise A would not be able to access them.
-> richard
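One way to set up the permissions Richard describes, as an added example that is not code from the thread or from any OSGi framework: a small policy bundle uses OSGi Permission Admin (PA) to give the untrusted bundle B only a package import and service permissions, so that the RuntimePermission checked by getClassLoader is never granted to it. The bundle location, the package name example.policy and the package public.packages are assumptions for this example.

```java
// Added example: a policy bundle that restricts an untrusted bundle via PA.
// Assumes security is enabled in the framework (a SecurityManager is installed;
// how it is switched on is framework-specific) and that bundle B is installed
// from the assumed location below.
package example.policy; // hypothetical package name

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

public class PolicyActivator implements BundleActivator {

    // Location of the untrusted bundle B; assumed value for this example.
    static final String UNTRUSTED_LOCATION = "file:/bundles/untrusted/B.jar";

    public void start(BundleContext bc) throws Exception {
        ServiceReference ref = bc.getServiceReference(PermissionAdmin.class.getName());
        if (ref == null) {
            throw new IllegalStateException("PermissionAdmin service not available");
        }
        PermissionAdmin pa = (PermissionAdmin) bc.getService(ref);

        // What B legitimately needs: importing A's exported package and using
        // the service registry. Deliberately absent from this set:
        //  - java.lang.RuntimePermission "getClassLoader": without it,
        //    sample.getClass().getClassLoader() in B throws SecurityException,
        //    because A's loader is neither B's loader nor an ancestor of it.
        //  - org.osgi.framework.BundlePermission "fragment": without it, B
        //    cannot attach to A as a fragment and share A's class loader.
        //  - java.security.AllPermission or any other reflection-related right.
        PermissionInfo[] untrusted = new PermissionInfo[] {
            new PermissionInfo("org.osgi.framework.PackagePermission",
                               "public.packages", "import"),
            new PermissionInfo("org.osgi.framework.ServicePermission",
                               "*", "get,register")
        };
        pa.setPermissions(UNTRUSTED_LOCATION, untrusted);
        // Bundles without an explicit entry (A, this bundle) keep the default
        // permissions: AllPermission unless setDefaultPermissions was called.
    }

    public void stop(BundleContext bc) {
        // The entry is intentionally left in place: removing it with
        // pa.setPermissions(UNTRUSTED_LOCATION, null) would hand B the defaults.
    }
}
```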