This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch experimental in repository tomcat8.
commit efcbf7c52a4abfe1f242f9d3da0d845ed6f1a85f Author: Emmanuel Bourg <ebo...@apache.org> Date: Wed Nov 16 23:31:15 2016 +0100 Updated the policy files --- debian/changelog | 1 + debian/policy/03catalina.policy | 57 ++++++++++++++++++++++++++++++------- debian/policy/04webapps.policy | 63 ++++++++++++++++++++++++++++++++--------- debian/policy/50local.policy | 10 +++++++ 4 files changed, 107 insertions(+), 24 deletions(-) diff --git a/debian/changelog b/debian/changelog index d247341..e2b4bdc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ tomcat8 (8.5.8-1) UNRELEASED; urgency=medium * New upstream release - Refreshed the patches - Tomcat no longer builds tomcat-embed-logging-juli.jar + - Updated the policy files * Adapted debian/orig-tar.sh to download the 8.5.x releases -- Emmanuel Bourg <ebo...@apache.org> Wed, 16 Nov 2016 18:44:57 +0100 diff --git a/debian/policy/03catalina.policy b/debian/policy/03catalina.policy index 2de1518..2663813 100644 --- a/debian/policy/03catalina.policy +++ b/debian/policy/03catalina.policy @@ -1,22 +1,50 @@ // ========== CATALINA CODE PERMISSIONS ======================================= +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + // These permissions apply to the logging API +// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, +// update this section accordingly. +// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { - permission java.util.PropertyPermission "java.util.logging.config.class", "read"; - permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.io.FilePermission + "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; + + permission java.io.FilePermission + "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + permission java.lang.RuntimePermission "shutdownHooks"; - permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - permission java.util.logging.LoggingPermission "control"; - permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; - permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; - // To enable per context logging configuration, permit read access to the appropriate file. - // Be sure that the logging configuration is secure before enabling such access - // eg for the examples web application: - // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; + + permission java.lang.management.ManagementPermission "monitor"; + + permission java.util.logging.LoggingPermission "control"; + + permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read"; + permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + + // Note: To enable per context logging configuration, permit read access to + // the appropriate file. Be sure that the logging configuration is + // secure before enabling such access. + // E.g. for the examples web application (uncomment and unwrap + // the following to be on a single line): + // permission java.io.FilePermission "${catalina.base}${file.separator} + // webapps${file.separator}examples${file.separator}WEB-INF + // ${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the server startup code @@ -30,3 +58,10 @@ grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { grant codeBase "file:${catalina.home}/lib/-" { permission java.security.AllPermission; }; + + +// If using a per instance lib directory, i.e. ${catalina.base}/lib, +// then the following permission will need to be uncommented +// grant codeBase "file:${catalina.base}/lib/-" { +// permission java.security.AllPermission; +// }; diff --git a/debian/policy/04webapps.policy b/debian/policy/04webapps.policy index 74af20d..5679ca3 100644 --- a/debian/policy/04webapps.policy +++ b/debian/policy/04webapps.policy @@ -3,8 +3,8 @@ // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission -// and JndiPermission for all files and directories in its document root. -grant { +// for all files and directories in its document root. +grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail permission java.util.PropertyPermission "java.home", "read"; @@ -41,19 +41,56 @@ grant { // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; - // Precompiled JSPs need access to this package. - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + // All JSPs need to be able to read this package + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; - // Example JSPs need those to work properly + // Precompiled JSPs need access to these packages. permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - - // Precompiled JSPs need access to this system property. - permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission + "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Precompiled JSPs need access to these system properties. + permission java.util.PropertyPermission + "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + permission java.util.PropertyPermission + "org.apache.el.parser.COERCE_TO_ZERO", "read"; + + // The cookie code needs these. + permission java.util.PropertyPermission + "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read"; + permission java.util.PropertyPermission + "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read"; + permission java.util.PropertyPermission + "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read"; - // java.io.tmpdir should be usable as a temporary file directory - permission java.util.PropertyPermission "java.io.tmpdir", "read"; - permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete"; + // Applications using WebSocket need to be able to access these packages + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; + // Applications need to access these packages to use the Servlet 4.0 Preview + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlet4preview"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlet4preview.http"; +}; + + +// The Manager application needs access to the following packages to support the +// session display functionality. These settings support the following +// configurations: +// - default CATALINA_HOME == CATALINA_BASE +// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE +// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME +grant codeBase "file:${catalina.base}/../tomcat8-admin/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; +}; +grant codeBase "file:${catalina.home}/../tomcat8-admin/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; }; diff --git a/debian/policy/50local.policy b/debian/policy/50local.policy index 3f15a8d..4c177b4 100644 --- a/debian/policy/50local.policy +++ b/debian/policy/50local.policy @@ -30,3 +30,13 @@ // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; +// To grant permissions for web applications using packed WAR files, use the +// Tomcat specific WAR url scheme. +// +// The permissions granted to the entire web application +// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" { +// }; +// +// The permissions granted to a specific JAR +// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { +// }; -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list pkg-java-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits