[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362350#comment-15362350 ]

Derek Baum commented on FELIX-5275:
-----------------------------------

Karl, thanks for your comments.

Our use-case is indeed running with security enabled but _without_ framework.security installed. This is because we have some legacy RMI code that requires a SecurityManager, but we don’t otherwise use security and so we specify a policy that grants all permission.

Thanks for indicating the reason that this works in Felix, (but not in Equinox), is because delegation to the java security policy (using the 4-arg ProtectionDomain constructor) is not spec’ed and is therefore framework-specific.

This explains why our code runs with Felix + Felix CM, but not with Equinox + Felix CM.

> Felix & Equinox handling of OSGI-INF/permissions.perm differs
> -------------------------------------------------------------
>
> Key: FELIX-5275
> URL: https://issues.apache.org/jira/browse/FELIX-5275
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin, Framework Security
> Affects Versions: configadmin-1.8.8
> Environment: Felix config-admin 1.8.8 running on Equinox with SecurityManager
> Reporter: Derek Baum
>
> Using Felix config-admin 1.8.8 in Equinox, with a SecurityManager active, causes the ManagedService.updated() method to get AccessControlExceptions when, for example, accessing System properties.
> This is caused by:
> #1 OSGI-INF/permissions.perm added to config-admin in FELIX-4039
> #2 Different handling of OSGI-INF/permissions.perm between Felix and Equinox.
> I have previously raised this problem against Equinox (see External Issue URL), and this is the gist of their analysis:
> ---
> The felix CM implementation is scoping their own permissions down to a strict subset of permissions and Equinox is correctly enforcing that subset of permissions.
> So your bundle tries to read a system property, but the CM impl is not authorized to read that property.
> One complication may be that Felix is allowing its bundle protection domains to be configured with the java policy file (because their ProtectionDomains are constructed with that 4 arg constructor).
> This would seem to break the specified behavior though, because clearly the CM implementation should never be allowed to have permission to do things outside of what is specified by the permissions.perm file or that are "implied" permissions auto-granted by the framework for each bundle.
> ---

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362332#comment-15362332 ]

Karl Pauls commented on FELIX-5275:
-----------------------------------

Just for completeness' sake:

1) felix should honor the OSGI-INF/permissions.perm file assuming it is run with security enabled and the framework.security provider being installed (otherwise, it's a bug).

2) This has nothing to do whatsoever with Felix honoring the java security policy file (and for that reason using the 4 arg constructor). Yes, we do that as a (arguably framework specific - because it is not spec'ed) feature but it is perfectly fine from a spec point of view (at least from my POV). The thing is that one might want to run felix with security enabled but _without_ framework.security installed. We allow that and enable the user to use a normal java security policy to assign permissions to bundles in that case but that has no impact in this case.
[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362331#comment-15362331 ]

Karl Pauls commented on FELIX-5275:
-----------------------------------

Granted, if you tested this with security enabled and the framework.security provider installed and it works in Felix without a doPriv in the test bundle then this is a real bug - otherwise, I'd say close this issue.
[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362317#comment-15362317 ]

Karl Pauls commented on FELIX-5275:
-----------------------------------

From what I can tell given the description and the equinox issue, this really is just a misunderstanding on how security is working in java.

The test bundle in this example is invoking privileged code (getting the java.home property) - hence, the test bundle needs the required permission to do that (it probably did get it - hard to say from the example). However, any other code on the call stack also needs that permission _unless_ the test bundle does wrap that call into a doPriv (which it doesn't).

Now in OSGi, if a bundle has an OSGI-INF/permissions.perm file, its _effective_ permissions will be limited to the permissions listed in that file (no matter what permissions you assign to that bundle).

As a result what happens here is: CM with (presumably) all permission has permissions.perm without java.home access permission and calls update method of test bundle; test bundle (presumably) has permission to access java.home and does so without doPriv block around call; result should be (and apparently is) a security exception because the effective permissions of CM on the call stack don't allow access to java.home.

The correct thing for the test bundle is to wrap access to java.home in a doPriv.
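Added example, not part of the thread and not Felix or Equinox code: a plain-Java model of the call-stack intersection described in the comment above, using AccessControlContext directly so it needs no OSGi framework and no installed SecurityManager. The class name, the domains and the `example.cm.*` permission are constructed stand-ins, and it assumes a JVM that still implements the legacy access-control API (Java 8 to 17).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class EffectivePermissionsDemo {

    // 2-arg constructor: permissions are static, with no delegation to the
    // JVM-wide Policy (the 4-arg constructor discussed in the thread delegates).
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(null, perms);
    }

    // A check succeeds only if every domain on the modelled call stack implies it.
    static boolean allowed(Permission wanted, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(wanted);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Permission readJavaHome = new PropertyPermission("java.home", "read");
        // Constructed stand-in for a permissions.perm that omits java.home.
        ProtectionDomain cmScoped = domain(new PropertyPermission("example.cm.*", "read"));
        // CM when only an all-permission Java policy applies to its domain.
        ProtectionDomain cmAllPerm = domain(new AllPermission());
        ProtectionDomain testBundle = domain(readJavaHome);

        // CM -> updated() -> System.getProperty("java.home"), no doPrivileged.
        System.out.println("scoped CM on stack:  " + allowed(readJavaHome, testBundle, cmScoped));
        // doPrivileged in the test bundle stops the stack walk at the bundle's frame.
        System.out.println("bundle doPrivileged: " + allowed(readJavaHome, testBundle));
        // Setup from the first comment: the policy grants all permission.
        System.out.println("all-permission CM:   " + allowed(readJavaHome, testBundle, cmAllPerm));
    }
}
```

In a real bundle the second case corresponds to wrapping the property read in `AccessController.doPrivileged(...)` inside `updated()`, which requires the bundle itself to hold the `java.home` read permission.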
[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362304#comment-15362304 ]

Karl Pauls commented on FELIX-5275:
-----------------------------------

I don't think this is a bug at all. Looks like felix, felix.security, and CM are doing the right thing.
[jira] [Commented] (FELIX-5275) Felix & Equinox handling of OSGI-INF/permissions.perm differs
[ https://issues.apache.org/jira/browse/FELIX-5275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15362168#comment-15362168 ]

Carsten Ziegeler commented on FELIX-5275:
-----------------------------------------

[~db82407] I read the linked eclipse issue and tbh I don't understand what needs to be fixed in our config admin implementation and how. Do you have any additional information?