Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Equinox » Restricting package access with PackagePermission
Restricting package access with PackagePermission [message #810119] Wed, 29 February 2012 18:11 Go to next message
Cristian Mising name is currently offline Cristian Mising nameFriend
Messages: 95
Registered: July 2009
Member
Hello,

My question is simple. For a given plugin, is it possible to limit its access to only a restricted set of packages? And deny access to other packages?

My context is the following. I have a server application based on equinox, that can accept new third party plugins via upload from users. The code that is uploaded to the server is not trusted and could be malicious. I want these plugins to have access only to a limited set of packages.

E.g.: the code requires bundle "org.eclipse.core.runtime". This bundle exports 3 packages:
* org.eclipse.core.internal.preferences.legacy
* org.eclipse.core.internal.runtime
* org.eclipse.core.runtime

I want the code to be able to access only classes from the *.runtime package.

I have tried using PackagePermission. But this seems to work only if the bundle explicitly declares that it uses those packages. I.e. PackagePermission seems to be effective only during plugin load, by analizing the manifest of the loaded plugin. PackagePermission doesn't seem to be evaluated at runtime, e.g. by the class loader, when the plugin actually tries to access classes from the restricted packages.

Thank you in advance.
Best regards,
Cristian.
Re: Restricting package access with PackagePermission [message #810154 is a reply to message #810119] Wed, 29 February 2012 19:13 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas WatsonFriend
Messages: 501
Registered: July 2009
Senior Member
When you use PackagePermission how are you using it? I assume you are configuring it using the ConditionalPermissionAdmin (or PermisionAdmin) services? Also, I have to confirm you are launching eclipse with security enabled. Permissions are only checked if you have security enabled (i.e. setting the eclipse.security=osgi configuration property).

Tom
Re: Restricting package access with PackagePermission [message #810227 is a reply to message #810154] Wed, 29 February 2012 21:43 Go to previous messageGo to next message
Cristian Mising name is currently offline Cristian Mising nameFriend
Messages: 95
Registered: July 2009
Member
Hello Tom,

Thank you for your reply.

Quote:
Also, I have to confirm you are launching eclipse with security enabled


I start equinox with a security manager that points to a policy that grants AllPermission:
-Djava.security.manager -Djava.security.policy=${workspace_loc}\test.permisiuni_osgi.main\all.policy


Quote:
When you use PackagePermission how are you using it?


First: I install the plugin:
pluginB = Activator.getDefault().getBundle().getBundleContext().installBundle(bLocationString);			


Second: I add a new permission using ConditionalPermissionAdmin:

// add deny permissions
ConditionalPermissionInfo info = permissionAdmin.newConditionalPermissionInfo(
	bundle.getLocation() + "_2",
	new ConditionInfo[]{
		new ConditionInfo(BundleLocationCondition.class.getName(), new String[] {bundle.getLocation()})
	}
	, new PermissionInfo[]{			
			new PermissionInfo(PackagePermission.class.getName(), "p2", "import")				
	}, 
	ConditionalPermissionInfo.DENY
);


Using the above construct, I wish to restrict the access to the "p2" package.

Third: I start the plugin.
pluginB.start();


Results:

If the plugin declares in the manifest file that it imports package "p2", then the start methods throws an exception, and the plugin won't start. However, if the plugin doesn't declare the "p2" import, but its code tries to access the class (e.g. Class.forName("p2.MyClass"), I get no security exception. And I would expect/want to have one (security exception).

Best regards,
Cristian.
Re: Restricting package access with PackagePermission [message #810236 is a reply to message #810227] Wed, 29 February 2012 21:59 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas WatsonFriend
Messages: 501
Registered: July 2009
Senior Member
I am guessing you are using Require-Bundle also? Require-Bundle will get you access to all packages exported by a bundle. So if the bundle in question is using Require-Bundle then the PackagePermission does not help. You can use the org.osgi.framework.BundlePermission for that. But it is much more fine grain since you have to allow/deny requiring the "complete" bundle. That is the disadvantage of require-bundle, you have no control over the packages you get access to.
Re: Restricting package access with PackagePermission [message #810239 is a reply to message #810236] Wed, 29 February 2012 22:00 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas WatsonFriend
Messages: 501
Registered: July 2009
Senior Member
Thomas Watson wrote on Wed, 29 February 2012 15:59

... But it is much more fine grain ...


I meant to say "But it is much more coarse grain ..."
Re: Restricting package access with PackagePermission [message #810454 is a reply to message #810239] Thu, 01 March 2012 05:36 Go to previous messageGo to next message
Cristian Mising name is currently offline Cristian Mising nameFriend
Messages: 95
Registered: July 2009
Member
Yes indeed, I use the Require Bundle.

So if I understand correctly, my only option is to deny the use of "Require bundle" and to force the third party plugins use the "import package" statements. This way, if the plugin uses "illegal" packages, it is stopped from the beginning (i.e. during the plugin startup). So there is no way to make equinox control the package access during runtime (i.e. during class instantiation).

Is this understanding correct?

If yes, another thought crosses my mind: using a custom classloader for the plugin, that checks for permissions during "findClass()" calls.

Thank you.
Best regards,
Cristian.
Re: Restricting package access with PackagePermission [message #810743 is a reply to message #810454] Thu, 01 March 2012 13:54 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas WatsonFriend
Messages: 501
Registered: July 2009
Senior Member
Cristian Mising name wrote on Wed, 29 February 2012 23:36
Yes indeed, I use the Require Bundle.

So if I understand correctly, my only option is to deny the use of "Require bundle" and to force the third party plugins use the "import package" statements. This way, if the plugin uses "illegal" packages, it is stopped from the beginning (i.e. during the plugin startup). So there is no way to make equinox control the package access during runtime (i.e. during class instantiation).

Is this understanding correct?


Cristian Mising name wrote on Wed, 29 February 2012 23:36

If yes, another thought crosses my mind: using a custom classloader for the plugin, that checks for permissions during "findClass()" calls.

Thank you.
Best regards,
Cristian.


If you don't mind using Equinox specific APIs then you could hook into the class loader of the bundles. Equinox Framework Hooks

I would suggest using the org.eclipse.osgi.framework.adaptor.ClassLoaderDelegateHook hook and the preFind* methods. This would allow you to throw a runtime exception (like SecurityException) or a ClassNotFoundException if you detect a particular bundle is trying to load a class you don't want them to.

HTH.
Re: Restricting package access with PackagePermission [message #810747 is a reply to message #810743] Thu, 01 March 2012 14:02 Go to previous messageGo to next message
Cristian Mising name is currently offline Cristian Mising nameFriend
Messages: 95
Registered: July 2009
Member
Thanks for the tip.

I understand that my first statement is also correct, right? I.e., besides modifying the class loader (or using a hook), I can block the access to a class only by doing this:

Quote:

So if I understand correctly, my only option is to deny the use of "Require bundle" and to force the third party plugins use the "import package" statements. This way, if the plugin uses "illegal" packages, it is stopped from the beginning (i.e. during the plugin startup). So there is no way to make equinox control the package access during runtime (i.e. during class instantiation).


Best regards,
Cristian.
Re: Restricting package access with PackagePermission [message #810784 is a reply to message #810747] Thu, 01 March 2012 14:55 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas WatsonFriend
Messages: 501
Registered: July 2009
Senior Member
Cristian Mising name wrote on Thu, 01 March 2012 08:02
Thanks for the tip.

I understand that my first statement is also correct, right? I.e., besides modifying the class loader (or using a hook), I can block the access to a class only by doing this:

Quote:

So if I understand correctly, my only option is to deny the use of "Require bundle" and to force the third party plugins use the "import package" statements. This way, if the plugin uses "illegal" packages, it is stopped from the beginning (i.e. during the plugin startup). So there is no way to make equinox control the package access during runtime (i.e. during class instantiation).


Best regards,
Cristian.


Sorry, I split your comment to insert my reply and forgot to Wink

Yes, your understanding is correct. Require-Bundle is a coarse grained dependency and therefore only has a coarse grain permission that allows you to either allow the whole bundle to be required or deny the whole thing.

Tom.
Re: Restricting package access with PackagePermission [message #810825 is a reply to message #810784] Thu, 01 March 2012 15:45 Go to previous message
Cristian Mising name is currently offline Cristian Mising nameFriend
Messages: 95
Registered: July 2009
Member
Thanks a lot for your feedback.

Regards,
Cristian.
Previous Topic:How to accept certificates p2.director
Next Topic:ERROR
Goto Forum:
  


Current Time: Sat Oct 23 03:04:14 GMT 2021

Powered by FUDForum. Page generated in 0.02046 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top