Well, your second policy has to fail because '/opt*' is not what you think it is. It would need to be '/opt/-' to achieve what you have in mind, I think. Not sure why the BundleSignerCondition doesn't work. Are you sure the DN is matching the certificate (probably the easiest way to figure that out is to try with a single ALLOW rule first that gives AllPermission to bundles with that DN only)?
Regards,
Karl

On Fri, Apr 4, 2014 at 2:57 PM, felixandre <[email protected]> wrote:
> Well, let's say this is a step further then, since the standard
> java.io.FilePermission is not working for me even in Linux with absolute
> path.
>
> This is the command to launch the Felix framework:
> java -Djava.security.policy=all.policy -Dorg.osgi.framework.security=osgi
> -Dosgi.signedcontent.support=trust
> -Dfelix.keystore=file:/opt/felix/keystore.jks -Dfelix.keystore.pass=pswd
> -Dfelix.keystore.type=jks -jar ./bin/felix.jar
>
> With this policy file:
>
> /DENY {
> ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt"
> "read,write")
> } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
>
> ALLOW {
> ( java.security.AllPermission "*" "*")
> } "But give all other not denied permissions to all bundles" /
>
> the policies are applied: no one can read and write the file
> "/opt/miv/conf/sampleRead.txt".
>
> But as soon as I try to insert a BundleSignerCondition:
>
> /DENY {
> [org.osgi.service.condpermadmin.BundleSignerCondition "CN=xxx, OU=xxx,
> O=OTHER, L=xxx, ST=xxx, C=xx"]
> ( java.io.FilePermission "/opt/miv/conf/sampleRead.txt"
> "read,write")
> } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
>
> ALLOW {
> ( java.security.AllPermission "*" "*")
> } "But give all other not denied permissions to all bundles" /
>
> or to generalize the file permission to a parent folder:
>
> /DENY {
> ( java.io.FilePermission "/opt*" "read,write")
> } "Deny bundles signed by OTHER to read and write sampleRead.txt file"
>
> ALLOW {
> ( java.security.AllPermission "*" "*")
> } "But give all other not denied permissions to all bundles" /
>
> no policies are applied at all and everyone is allowed to read and write
> every file!
>
> What am I doing wrong here!? In the keystore.jks there are only the
> certificates of ME and OTHER...
> The bundles I'm testing are correctly signed (checked with jarsigner).
>
> No idea how to solve this...
--
Karl Pauls
[email protected]
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls
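To see why the '/opt*' target in the DENY rule above covers nothing useful, the following added example (not code from the thread or from Felix) asks java.io.FilePermission itself which sample paths each target implies. The sample paths are constructed; only "/opt/miv/conf/sampleRead.txt" and the keystore path come from the thread.

```java
import java.io.FilePermission;

// Added example: check what a FilePermission target really covers before
// putting it into a ConditionalPermissionAdmin DENY/ALLOW rule.
public class FilePermissionTargets {

    // Constructed sample paths a bundle might touch on the Linux box from the thread.
    static final String[] SAMPLE_PATHS = {
        "/opt",                          // the directory itself
        "/optimus",                      // sibling whose name merely starts with "opt"
        "/opt/README",                   // direct child of /opt
        "/opt/felix/keystore.jks",       // nested child (path from the thread)
        "/opt/miv/conf/sampleRead.txt"   // nested child (path from the thread)
    };

    // True if a permission on `target` implies a read of `path`.
    static boolean covers(String target, String path) {
        return new FilePermission(target, "read").implies(new FilePermission(path, "read"));
    }

    public static void main(String[] args) {
        // "/opt*"  : '*' is only special right after a separator, so this is a literal
        //            file named "opt*" and implies none of the sample paths.
        // "/opt/*" : every file directly inside /opt, not subdirectories.
        // "/opt/-" : everything below /opt, recursively (what the DENY rule intended).
        String[] targets = { "/opt*", "/opt/*", "/opt/-" };
        for (String target : targets) {
            System.out.println("target " + target + ":");
            for (String path : SAMPLE_PATHS) {
                System.out.printf("  %-32s %s%n", path, covers(target, path) ? "covered" : "not covered");
            }
        }
    }
}
```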

