Occasionally, the acdebugger will log denied permissions which have no apparent effect on the attached DDF. If you encounter such an error, please document it here for further investigation.

Operation (Include steps to reproduce) | Denied Permissions | Classification
Attach to running DDF using client script | {org.jline=[ "<<ALL FILES>>", "execute"]} | Expected
$ profile:install standard

Linux (CentOS 7 - varies by distro):

{org.eclipse.jetty.util=[ "/", "read"]}
{org.eclipse.jetty.util=[ "/dev", "read"]}
{org.eclipse.jetty.util=[ "/dev/console", "read"]}
{org.eclipse.jetty.util=[ "/dev/mqueue", "read"]}
{org.eclipse.jetty.util=[ "/dev/pts", "read"]}
{org.eclipse.jetty.util=[ "/dev/shm", "read"]}
{org.eclipse.jetty.util=[ "/etc/hostname", "read"]}
{org.eclipse.jetty.util=[ "/etc/hosts", "read"]}
{org.eclipse.jetty.util=[ "/etc/resolv.conf", "read"]}
{org.eclipse.jetty.util=[ "/mnt", "read"]}
{org.eclipse.jetty.util=[ "/proc", "read"]}
{org.eclipse.jetty.util=[ "/sys", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/blkio", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/cpuacct,cpu", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/cpuset", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/devices", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/freezer", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/hugetlb", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/memory", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/net_prio,net_cls", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/perf_event", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/pids", "read"]}
{org.eclipse.jetty.util=[ "/sys/fs/cgroup/systemd", "read"]}


{org.apache.cxf.cxf-rt-transports-http=[ "\dev\urandom", "read"]}
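
To decide whether a denial from a new acdebugger run still needs to be documented here, the entries can be parsed and compared against the ones already listed. The script below is an added example, not part of DDF or the acdebugger; it assumes the `{bundle=[ "target", "action"]}` line format shown above, and the observed sample (including `com.example.bundle`) is constructed.

```python
import re
from collections import defaultdict

# One entry in the format shown on this page: {bundle=[ "target", "action"]}
# Curly quotes (U+201C/U+201D) are accepted because wiki editors substitute them.
Q = r'["\u201c\u201d]'
ENTRY = re.compile(
    r'\{\s*([\w.\-]+)\s*=\s*\[\s*' + Q + r'(.*?)' + Q +
    r'\s*,\s*' + Q + r'(.*?)' + Q + r'\s*\]\s*\}'
)

def parse_entries(text):
    """Return the set of (bundle, target, action) tuples found in text."""
    return {m.groups() for m in ENTRY.finditer(text)}

def triage(observed_text, documented_text):
    """Split observed denials into already-documented and new, grouped by bundle."""
    documented = parse_entries(documented_text)
    known, new = defaultdict(list), defaultdict(list)
    for entry in sorted(parse_entries(observed_text)):
        bundle, target, action = entry
        (known if entry in documented else new)[bundle].append((target, action))
    return dict(known), dict(new)

# Baseline: a few entries copied from the table above.
DOCUMENTED = '''
{org.jline=[ "<<ALL FILES>>", "execute"]}
{org.eclipse.jetty.util=[ "/etc/hosts", "read"]}
{org.eclipse.jetty.util=[ "/proc", "read"]}
'''

# Constructed sample of a later debugger run; com.example.bundle is hypothetical.
OBSERVED = '''
{org.eclipse.jetty.util=[ "/proc", "read"]}
{org.jline=[ "<<ALL FILES>>", "execute"]}
{com.example.bundle=[ "/home/ddf/.m2/repository", "read"]}
'''

if __name__ == "__main__":
    known, new = triage(OBSERVED, DOCUMENTED)
    for bundle, perms in new.items():
        for target, action in perms:
            print(f"NEW  {bundle}: {action} {target}")
    print(f"{sum(map(len, known.values()))} denial(s) already documented")
```

Entries reported as NEW are the ones to add to the table with their reproduction steps; a NEW read under a home directory is worth checking against the User Home Directory note.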


User Home Directory

Starting the OSGi container inside user.home impacts security manager decisions. The OSGi container should not be started inside the user's defined home directory. Karaf also reads from the local Maven repository, which is usually in the user's home directory and inherits its permissions. If the Maven repository is moved outside of user.home, then the user.home property needs to be updated to avoid changes to the policy.

