import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
+import java.security.AllPermission;
import java.util.Dictionary;
import java.util.List;
import java.util.Locale;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.ServiceReference;
+import org.osgi.service.condpermadmin.BundleLocationCondition;
+import org.osgi.service.condpermadmin.ConditionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
+import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
+import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.log.LogReaderService;
+import org.osgi.service.permissionadmin.PermissionInfo;
import org.osgi.service.useradmin.UserAdmin;
import org.osgi.util.tracker.ServiceTracker;
private static Activator instance;
+ // TODO make it configurable
+ private boolean hardened = false;
+
private BundleContext bc;
private LogReaderService logReaderService;
// explicitly load JAAS configuration
Configuration.getConfiguration();
- // ConditionalPermissionAdmin permissionAdmin = bc
- // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
- // ConditionalPermissionUpdate update =
- // permissionAdmin.newConditionalPermissionUpdate();
- // // Self
- // update.getConditionalPermissionInfos()
- // .add(permissionAdmin.newConditionalPermissionInfo(null,
- // new ConditionInfo[] {
- // new ConditionInfo(BundleLocationCondition.class.getName(), new
- // String[] { "*" }) },
- // new PermissionInfo[] { new
- // PermissionInfo(AllPermission.class.getName(), null, null) },
- // ConditionalPermissionInfo.ALLOW));
- //
+ // code-level permissions
+ String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY);
+ if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) {
+ // TODO rather use a tracker?
+ ConditionalPermissionAdmin permissionAdmin = bc
+ .getService(bc.getServiceReference(ConditionalPermissionAdmin.class));
+ if (!hardened) {
+ // All permissions to all bundles
+ ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate();
+ update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null,
+ new ConditionInfo[] {
+ new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) },
+ new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) },
+ ConditionalPermissionInfo.ALLOW));
+ } else {
+ SecurityProfile securityProfile = new SecurityProfile() {
+ };
+ securityProfile.applySystemPermissions(permissionAdmin);
+ }
+ }
+
}
private void initArgeoLogger() {
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
+import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;
+/** Security profile based on OSGi {@link PermissionAdmin}. */
public interface SecurityProfile {
BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
ConditionalPermissionInfo.ALLOW));
// Blueprint
- Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin
- .newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintExtenderBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
- "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
- new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle springCoreBundle = findBundle("org.springframework.core");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { springCoreBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintIoBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin
+// .newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintExtenderBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
+// "read"),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
+// new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle springCoreBundle = findBundle("org.springframework.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { springCoreBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintIoBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
// Equinox
Bundle registryBundle = findBundle("org.eclipse.equinox.registry");