From 681290ba6cddc797e8a955d06d40c054b47e2ab2 Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Sun, 8 Sep 2019 08:27:35 +0200 Subject: [PATCH] Start working again on hardening. --- demo/cms-e4-rap.properties | 6 +- .../argeo/cms/internal/kernel/Activator.java | 45 +++++++---- .../cms/internal/kernel/SecurityProfile.java | 74 ++++++++++--------- 3 files changed, 73 insertions(+), 52 deletions(-) diff --git a/demo/cms-e4-rap.properties b/demo/cms-e4-rap.properties index e3f443524..50d8e2b8e 100644 --- a/demo/cms-e4-rap.properties +++ b/demo/cms-e4-rap.properties @@ -22,7 +22,10 @@ org.osgi.service.http.port=7070 # Logging log4j.configuration=file:../../log4j.properties -#log4j.configuration=file:log4j.properties + +# hardened +#org.osgi.framework.security=osgi +#java.security.policy=file:../../all.policy # DON'T CHANGE BELOW org.eclipse.equinox.http.jetty.autostart=false @@ -32,4 +35,3 @@ com.sun.security.jgss,\ com.sun.jndi.dns,\ com.sun.nio.file,\ com.sun.nio.sctp -#org.osgi.framework.system.packages.extra=sun.misc diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java index bba8f2bbb..62c140efd 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/Activator.java @@ -4,6 +4,7 @@ import java.io.IOException; import java.net.URL; import java.nio.file.Files; import java.nio.file.Path; +import java.security.AllPermission; import java.util.Dictionary; import java.util.List; import java.util.Locale; 
@@ -25,7 +26,13 @@ import org.osgi.framework.BundleActivator; import org.osgi.framework.BundleContext; import org.osgi.framework.Constants; import org.osgi.framework.ServiceReference; +import org.osgi.service.condpermadmin.BundleLocationCondition; +import org.osgi.service.condpermadmin.ConditionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionAdmin; +import org.osgi.service.condpermadmin.ConditionalPermissionInfo; +import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.log.LogReaderService; +import org.osgi.service.permissionadmin.PermissionInfo; import org.osgi.service.useradmin.UserAdmin; import org.osgi.util.tracker.ServiceTracker; @@ -38,6 +45,9 @@ public class Activator implements BundleActivator { private static Activator instance; + // TODO make it configurable + private boolean hardened = false; + private BundleContext bc; private LogReaderService logReaderService; 
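Review bot: The new `hardened` field is a hard-coded `false` that nothing on the page ever assigns, so when `org.osgi.framework.security=osgi` is set start() always takes the grant-everything branch; as written this is a constant, not the configuration switch the `// TODO make it configurable` comment asks for. start() already reads framework properties through KernelUtils.getFrameworkProp for Constants.FRAMEWORK_SECURITY, so the same mechanism would resolve the TODO now, e.g. `private final boolean hardened = Boolean.parseBoolean(KernelUtils.getFrameworkProp("<placeholder: hardening property name>"));`. Until then the field should at least be `final` and its comment should state that `false` means every bundle receives AllPermission, so nobody mistakes the default for a secured deployment.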
@@ -81,20 +91,27 @@ public class Activator implements BundleActivator { // explicitly load JAAS configuration Configuration.getConfiguration(); - // ConditionalPermissionAdmin permissionAdmin = bc - // .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); - // ConditionalPermissionUpdate update = - // permissionAdmin.newConditionalPermissionUpdate(); - // // Self - // update.getConditionalPermissionInfos() - // .add(permissionAdmin.newConditionalPermissionInfo(null, - // new ConditionInfo[] { - // new ConditionInfo(BundleLocationCondition.class.getName(), new - // String[] { "*" }) }, - // new PermissionInfo[] { new - // PermissionInfo(AllPermission.class.getName(), null, null) }, - // ConditionalPermissionInfo.ALLOW)); - // + // code-level permissions + String osgiSecurity = KernelUtils.getFrameworkProp(Constants.FRAMEWORK_SECURITY); + if (osgiSecurity != null && Constants.FRAMEWORK_SECURITY_OSGI.equals(osgiSecurity)) { + // TODO rather use a tracker? + ConditionalPermissionAdmin permissionAdmin = bc + .getService(bc.getServiceReference(ConditionalPermissionAdmin.class)); + if (!hardened) { + // All permissions to all bundles + ConditionalPermissionUpdate update = permissionAdmin.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().add(permissionAdmin.newConditionalPermissionInfo(null, + new ConditionInfo[] { + new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { "*" }) }, + new PermissionInfo[] { new PermissionInfo(AllPermission.class.getName(), null, null) }, + ConditionalPermissionInfo.ALLOW)); + } else { + SecurityProfile securityProfile = new SecurityProfile() { + }; + securityProfile.applySystemPermissions(permissionAdmin); + } + } + } private void initArgeoLogger() { diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java index 7d5242fa2..e2683af67 100644 
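Review bot: The permissive branch adds the AllPermission row to a fresh ConditionalPermissionUpdate but never calls `update.commit()`, so the update is discarded and the grant the `// All permissions to all bundles` comment announces is never installed; whatever the framework does in that mode comes from its own defaults, not from this code. After the add, `if (!update.commit()) { throw new IllegalStateException("Conditional permission update rejected"); }` (commit() returns false when the table was modified concurrently) makes the policy explicit and the failure visible. `bc.getServiceReference(ConditionalPermissionAdmin.class)` is also passed straight to getService: with security enabled but no ConditionalPermissionAdmin registered this throws inside start() and aborts bundle activation, so until the tracker the TODO mentions exists a null check with a clear log message is needed, and the reference should be released with ungetService once the update is committed. The `new SecurityProfile() { }` anonymous instance reads oddly for an interface; a named profile constant or a static factory would say which profile is applied. start() itself begins and ends outside the hunk.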
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/SecurityProfile.java
@@ -19,8 +19,10 @@ import org.osgi.service.condpermadmin.ConditionInfo;
 import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
 import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
 import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
+import org.osgi.service.permissionadmin.PermissionAdmin;
 import org.osgi.service.permissionadmin.PermissionInfo;
+/** Security profile based on OSGi {@link PermissionAdmin}. */
 public interface SecurityProfile {
 BundleContext bc = FrameworkUtil.getBundle(SecurityProfile.class).getBundleContext();
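Review bot: The new Javadoc says the profile is based on `PermissionAdmin`, but the only API this interface uses in the visible hunks is `ConditionalPermissionAdmin` (the imports a few lines up and the calls in the next hunk), and the `PermissionAdmin` import is added solely to satisfy the `{@link}`. Linking the type actually used keeps the summary accurate and avoids an import that exists only for documentation: `/** Security profile based on OSGi {@link ConditionalPermissionAdmin}. */`.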
@@ -139,42 +141,42 @@ public interface SecurityProfile {
 ConditionalPermissionInfo.ALLOW));
 // Blueprint
- Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin
- .newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintExtenderBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
- "read"),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
- new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle springCoreBundle = findBundle("org.springframework.core");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { springCoreBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
- Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
- update.getConditionalPermissionInfos()
- .add(permissionAdmin.newConditionalPermissionInfo(null,
- new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
- new String[] { blueprintIoBundle.getLocation() }) },
- new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
- new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
- ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintBundle = findBundle("org.eclipse.gemini.blueprint.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintExtenderBundle = findBundle("org.eclipse.gemini.blueprint.extender");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin
+// .newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintExtenderBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(PropertyPermission.class.getName(), "org.eclipse.gemini.*",
+// "read"),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"),
+// new PermissionInfo(ServicePermission.class.getName(), "*", "register"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle springCoreBundle = findBundle("org.springframework.core");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { springCoreBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
+// Bundle blueprintIoBundle = findBundle("org.eclipse.gemini.blueprint.io");
+// update.getConditionalPermissionInfos()
+// .add(permissionAdmin.newConditionalPermissionInfo(null,
+// new ConditionInfo[] { new ConditionInfo(BundleLocationCondition.class.getName(),
+// new String[] { blueprintIoBundle.getLocation() }) },
+// new PermissionInfo[] { new PermissionInfo(RuntimePermission.class.getName(), "*", null),
+// new PermissionInfo(AdminPermission.class.getName(), "*", "*"), },
+// ConditionalPermissionInfo.ALLOW));
 // Equinox
 Bundle registryBundle = findBundle("org.eclipse.equinox.registry");
-- 
2.30.2
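Review bot: The grants for the Gemini Blueprint and Spring core bundles are kept as commented-out code rather than removed, and nothing in the hunk or the commit message says why they are no longer needed. Commented-out code goes stale silently and git history already preserves the original, so either delete the block or replace it with a one-line comment such as `// Blueprint/Spring bundles are deliberately granted nothing in the hardened profile; see <placeholder: issue id>`. With these rows gone, a ConditionalPermissionAdmin table that still holds other rows denies everything it does not match, so under the hardened profile these bundles would lose the RuntimePermission, AdminPermission and ServicePermission "register" grants they had before; whether that is intended cannot be told from this hunk, and the path is only reached when Activator's `hardened` flag is true, which the same commit hard-codes to false. The enclosing method begins and ends outside the hunk.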