The OSGi Security Manager allows you to secure your applications by utilizing the built-in Java Security Manager and Java's permission system. This is not security in the sense many people tend to think of it: authentication, authorization, etc. Instead, the Security Manager lets you assign permissions to, and revoke them from, code by means of a policy.

...

You can also opt to use a custom SecurityManager class by setting the standard Java system property instead of this OSGi-specific property. You cannot use both properties at the same time. The Java system property has the same effect as the property above, except that it uses your custom SecurityManager implementation, for example:

java.security.manager=net.sourceforge.prograde.sm.ProGradeJSM


You then must add an "all policy" that will allow all of the non-OSGi code to execute with all privileges:

...

Occasionally, the acdebugger will log denied permissions which have no apparent effect on the attached DDF. If you encounter such an error, please document it here for further investigation.

Operation (include steps to reproduce) | Denied Permissions | Classification
Attach to running DDF using client script | {org.jline=[java.io.FilePermission "<<ALL FILES>>", "execute"]} | Expected
$ profile:install standard

Linux (CentOS 7 - varies by distro):

{org.eclipse.jetty.util=[java.io.FilePermission "/", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/console", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/mqueue", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/pts", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev/shm", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/hostname", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/hosts", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/etc/resolv.conf", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/mnt", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/proc", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/blkio", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/cpuacct,cpu", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/cpuset", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/devices", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/freezer", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/hugetlb", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/memory", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/net_prio,net_cls", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/perf_event", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/pids", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/sys/fs/cgroup/systemd", "read"]}

Windows:

{org.apache.cxf.cxf-rt-transports-http=[java.io.FilePermission "\dev\urandom", "read"]}

(question)
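
To triage entries like those in the table above before documenting them, the following added example (not part of the original page or of DDF) parses denied-permission lines in the format shown, groups them per bundle, and flags wildcard FilePermission targets. The function names and the sample's duplicate and malformed lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One entry as logged: {bundle=[permission.Class "target", "actions"]}
ENTRY = re.compile(
    r'^\{(?P<bundle>[^=\s]+)=\[(?P<cls>[\w.$]+) "(?P<target>[^"]*)", "(?P<actions>[^"]*)"\]\}$')
# Curly quotes creep in when entries are pasted through a rich-text editor.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})

def parse_entry(line):
    """Return (bundle, permission class, target, actions) or None if malformed."""
    m = ENTRY.match(line.strip().translate(SMART_QUOTES))
    if not m:
        return None
    actions = tuple(sorted(a.strip() for a in m["actions"].split(",")))
    return m["bundle"], m["cls"], m["target"], actions

def is_broad(target):
    """True for FilePermission targets that cover more than one path."""
    return (target in ("<<ALL FILES>>", "*", "-")
            or target.endswith(("/*", "/-", "\\*", "\\-")))

def summarize(lines):
    """Group unique denied permissions per bundle; keep unparsable lines apart."""
    by_bundle, rejected = defaultdict(set), []
    for line in filter(str.strip, lines):
        entry = parse_entry(line)
        if entry is None:
            rejected.append(line.strip())
        else:
            by_bundle[entry[0]].add(entry[1:])
    return dict(by_bundle), rejected

def broad_denials(by_bundle):
    """Denied FilePermissions whose target is a wildcard: review before granting."""
    return sorted((b, t, a) for b, perms in by_bundle.items() for cls, t, a in perms
                  if cls == "java.io.FilePermission" and is_broad(t))

# Constructed sample: entries from the table above plus one duplicate and one bad line.
SAMPLE = r"""
{org.jline=[java.io.FilePermission "<<ALL FILES>>", "execute"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev", "read"]}
{org.eclipse.jetty.util=[java.io.FilePermission "/dev", "read"]}
{org.apache.cxf.cxf-rt-transports-http=[java.io.FilePermission "\dev\urandom", "read”]}
Permission denied somewhere
""".splitlines()

if __name__ == "__main__":
    grouped, bad = summarize(SAMPLE)
    for bundle in sorted(grouped):
        print(bundle, sorted(grouped[bundle]))
    print("wildcard targets:", broad_denials(grouped), "unparsed:", bad)
```

Note that a FilePermission on "/" covers only the root directory itself, not its contents, which is why it is not flagged as a wildcard here.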

User Home Directory

Starting the OSGi container inside user.home impacts security manager decisions. The OSGi container should not be started inside the user's defined home directory. Karaf also reads from the local Maven repository, which is usually in the user's home directory and inherits its permissions. If the Maven repository is moved outside of user.home, then the user.home property needs to be updated to avoid changes to the policy.

JAVA_TOOL_OPTIONS="-Duser.home=C:\projects"


...