summaryrefslogtreecommitdiffstats
path: root/src/java/com/jogamp/common/os
diff options
context:
space:
mode:
authorSven Gothel <[email protected]>2013-06-11 16:25:48 +0200
committerSven Gothel <[email protected]>2013-06-11 16:25:48 +0200
commit1a01dce6c42b398cdd68d405828774a3ab366456 (patch)
treedcbc917b0dbd80c7c5be0b4a9ad35c5489ee64dc /src/java/com/jogamp/common/os
parent377d9de1ff1e2fabcd9bb7f65c0318f3c890392c (diff)
Bug 752: Review Code Vulnerabilities (Permission Checks of new exposed code and privileged access)
This review focuses on how we perform permission checks, or better - do we circumvent some assuming full privileges ? Some native methods do need extra permission validation, i.e. loading native libraries. Further more AccessController.doPrivileged(..) shall not cover generic code exposing a critical feature to the user. Further more .. we should rely on the SecuritManager, i.e. AccessControlContext's 'checkPermission(Permission)' code to comply w/ fine grained permission access. It is also possible to have full permission w/o having any certificates (-> policy file). +++ We remove implicit AccessController.doPrivileged(..) from within our trusted code for generic methods, like Property access, temp. files. +++ SecurityUtil: - Remove 'getCommonAccessControlContext(Class<?> clz)', which returned a local AccessControlContext for later restriction if the passed class contains all certificates as the 'trusted' GlueGen class has. - Simply expose convenient permission check methods relying on SecurityManager / AccessControlContext. PropertyAccess: - 'protected static void addTrustedPrefix(..)' requires AllPermissions if SecurityManager is installed. - Remove implicit doPrivileged(..) triggered by passed AccessControlContext instance, only leave it for trusted prefixes. IOUtil: - Remove all doPrivileged(..) - Elevation shall be performed by caller. DynamicLinker: - 'public long openLibraryLocal(..)' and 'public long openLibraryGlobal(..)' may throw SecurityException, if a SecurityManager is installed and the dyn. link permission is not granted in the calling code. Implemented in their respective Unix, OSX and Windows manifestation. Caller has to elevate privileges via 'doPrivileged(..) {}' ! +++ Tests: - Property access - File access - Native library loading Manual Applet test (unsigned, but w/ SecurityManager and policy file): > gluegen/test/applet Applet has been tested w/ signed JAR w/ Firefox and Java7 on GNU/Linux as well. Manual Application test (unsigned, but w/ SecurityManager and policy file): com.jogamp.junit.sec.TestSecIOUtil01 - Run w/ SecurityManager and policy file: - gluegen/scripts/runtest-secmgr.sh - Run w/o SecurityManager: - gluegen/scripts/runtest.sh
Diffstat (limited to 'src/java/com/jogamp/common/os')
-rw-r--r--src/java/com/jogamp/common/os/DynamicLinker.java4
-rw-r--r--src/java/com/jogamp/common/os/Platform.java112
2 files changed, 58 insertions, 58 deletions
diff --git a/src/java/com/jogamp/common/os/DynamicLinker.java b/src/java/com/jogamp/common/os/DynamicLinker.java
index a0da9fb..32aa7eb 100644
--- a/src/java/com/jogamp/common/os/DynamicLinker.java
+++ b/src/java/com/jogamp/common/os/DynamicLinker.java
@@ -46,8 +46,8 @@ public interface DynamicLinker {
public static final boolean DEBUG = NativeLibrary.DEBUG;
public static final boolean DEBUG_LOOKUP = NativeLibrary.DEBUG_LOOKUP;
- public long openLibraryGlobal(String pathname, boolean debug);
- public long openLibraryLocal(String pathname, boolean debug);
+ public long openLibraryGlobal(String pathname, boolean debug) throws SecurityException;
+ public long openLibraryLocal(String pathname, boolean debug) throws SecurityException;
public long lookupSymbol(long libraryHandle, String symbolName);
public long lookupSymbolGlobal(String symbolName);
public void closeLibrary(long libraryHandle);
diff --git a/src/java/com/jogamp/common/os/Platform.java b/src/java/com/jogamp/common/os/Platform.java
index aa9bccd..0ae3cbb 100644
--- a/src/java/com/jogamp/common/os/Platform.java
+++ b/src/java/com/jogamp/common/os/Platform.java
@@ -162,49 +162,69 @@ public class Platform extends PlatformPropsImpl {
/** <code>true</code> if AWT is available and not in headless mode, otherwise <code>false</code>. */
public static final boolean AWT_AVAILABLE;
- private static final URI platformClassJarURI;
+ private static final boolean isRunningFromJarURL;
static {
- PlatformPropsImpl.initSingleton(); // just documenting the order of static initialization
-
- {
- URI _platformClassJarURI;
- try {
- _platformClassJarURI = JarUtil.getJarURI(Platform.class.getName(), Platform.class.getClassLoader());
- } catch (Exception e) {
- _platformClassJarURI = null;
- }
- platformClassJarURI = _platformClassJarURI;
- }
-
- USE_TEMP_JAR_CACHE = (OS_TYPE != OSType.ANDROID) && isRunningFromJarURL() &&
- Debug.getBooleanProperty(useTempJarCachePropName, true, true);
+ final boolean[] _isRunningFromJarURL = new boolean[] { false };
+ final boolean[] _USE_TEMP_JAR_CACHE = new boolean[] { false };
+ final boolean[] _AWT_AVAILABLE = new boolean[] { false };
+
+ AccessController.doPrivileged(new PrivilegedAction<Object>() {
+ public Object run() {
- AWT_AVAILABLE = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
- public Boolean run() {
- // load GluegenRT native library
- loadGlueGenRTImpl();
+ PlatformPropsImpl.initSingleton(); // documenting the order of static initialization
- // JVM bug workaround
- JVMUtil.initSingleton(); // requires gluegen-rt, one-time init.
+ final ClassLoader cl = Platform.class.getClassLoader();
- // detect AWT availability
- boolean awtAvailable = false;
+ final URI platformClassJarURI;
{
- final ClassLoader cl = Platform.class.getClassLoader();
- if( !Debug.getBooleanProperty("java.awt.headless", true) &&
- ReflectionUtil.isClassAvailable(ReflectionUtil.AWTNames.ComponentClass, cl) &&
- ReflectionUtil.isClassAvailable(ReflectionUtil.AWTNames.GraphicsEnvironmentClass, cl) ) {
- try {
- awtAvailable = false == ((Boolean)ReflectionUtil.callStaticMethod(ReflectionUtil.AWTNames.GraphicsEnvironmentClass, ReflectionUtil.AWTNames.isHeadlessMethod, null, null, cl)).booleanValue();
- } catch (Throwable t) { }
+ URI _platformClassJarURI = null;
+ try {
+ _platformClassJarURI = JarUtil.getJarURI(Platform.class.getName(), cl);
+ } catch (Exception e) { }
+ platformClassJarURI = _platformClassJarURI;
+ }
+ _isRunningFromJarURL[0] = null != platformClassJarURI;
+
+ _USE_TEMP_JAR_CACHE[0] = ( OS_TYPE != OSType.ANDROID ) && ( null != platformClassJarURI ) &&
+ Debug.getBooleanProperty(useTempJarCachePropName, true, true);
+
+ // load GluegenRT native library
+ if(_USE_TEMP_JAR_CACHE[0] && TempJarCache.initSingleton()) {
+ String nativeJarName = null;
+ URI jarUriRoot = null;
+ URI nativeJarURI = null;
+ try {
+ final String jarName = JarUtil.getJarBasename( platformClassJarURI );
+ final String nativeJarBasename = jarName.substring(0, jarName.indexOf(".jar")); // ".jar" already validated w/ JarUtil.getJarBasename(..)
+ nativeJarName = nativeJarBasename+"-natives-"+PlatformPropsImpl.os_and_arch+".jar";
+ jarUriRoot = JarUtil.getURIDirname( JarUtil.getJarSubURI( platformClassJarURI ) );
+ nativeJarURI = JarUtil.getJarFileURI(jarUriRoot, nativeJarName);
+ TempJarCache.bootstrapNativeLib(Platform.class, libBaseName, nativeJarURI);
+ } catch (Exception e0) {
+ // IllegalArgumentException, IOException
+ System.err.println("Catched "+e0.getClass().getSimpleName()+": "+e0.getMessage()+", while TempJarCache.bootstrapNativeLib() of "+nativeJarURI+" ("+jarUriRoot+" + "+nativeJarName+")");
}
}
- return new Boolean(awtAvailable);
- }
- }).booleanValue();
-
-
+ DynamicLibraryBundle.GlueJNILibLoader.loadLibrary(libBaseName, false, cl);
+
+ // JVM bug workaround
+ JVMUtil.initSingleton(); // requires gluegen-rt, one-time init.
+
+ // AWT Headless determination
+ if( !Debug.getBooleanProperty("java.awt.headless", true) &&
+ ReflectionUtil.isClassAvailable(ReflectionUtil.AWTNames.ComponentClass, cl) &&
+ ReflectionUtil.isClassAvailable(ReflectionUtil.AWTNames.GraphicsEnvironmentClass, cl) ) {
+ try {
+ _AWT_AVAILABLE[0] = false == ((Boolean)ReflectionUtil.callStaticMethod(ReflectionUtil.AWTNames.GraphicsEnvironmentClass, ReflectionUtil.AWTNames.isHeadlessMethod, null, null, cl)).booleanValue();
+ } catch (Throwable t) { }
+ }
+ return null;
+ } } );
+ isRunningFromJarURL = _isRunningFromJarURL[0];
+ USE_TEMP_JAR_CACHE = _USE_TEMP_JAR_CACHE[0];
+ AWT_AVAILABLE = _AWT_AVAILABLE[0];
+
MachineDescription md = MachineDescriptionRuntime.getRuntime();
if(null == md) {
MachineDescription.StaticConfig smd = MachineDescriptionRuntime.getStatic();
@@ -228,27 +248,7 @@ public class Platform extends PlatformPropsImpl {
* @return true if we're running from a Jar URL, otherwise false
*/
public static final boolean isRunningFromJarURL() {
- return null != platformClassJarURI;
- }
-
- private static final void loadGlueGenRTImpl() {
- if(USE_TEMP_JAR_CACHE && TempJarCache.initSingleton()) {
- String nativeJarName = null;
- URI jarUriRoot = null;
- URI nativeJarURI = null;
- try {
- final String jarName = JarUtil.getJarBasename(platformClassJarURI);
- final String nativeJarBasename = jarName.substring(0, jarName.indexOf(".jar")); // ".jar" already validated w/ JarUtil.getJarBasename(..)
- nativeJarName = nativeJarBasename+"-natives-"+PlatformPropsImpl.os_and_arch+".jar";
- jarUriRoot = JarUtil.getURIDirname( JarUtil.getJarSubURI( platformClassJarURI ) );
- nativeJarURI = JarUtil.getJarFileURI(jarUriRoot, nativeJarName);
- TempJarCache.bootstrapNativeLib(Platform.class, libBaseName, nativeJarURI);
- } catch (Exception e0) {
- // IllegalArgumentException, IOException
- System.err.println("Catched "+e0.getClass().getSimpleName()+": "+e0.getMessage()+", while TempJarCache.bootstrapNativeLib() of "+nativeJarURI+" ("+jarUriRoot+" + "+nativeJarName+")");
- }
- }
- DynamicLibraryBundle.GlueJNILibLoader.loadLibrary(libBaseName, false, Platform.class.getClassLoader());
+ return isRunningFromJarURL;
}
/**