author | Sven Gothel <[email protected]> | 2013-06-11 16:25:48 +0200 |
committer | Sven Gothel <[email protected]> | 2013-06-11 16:25:48 +0200 |
commit | 1a01dce6c42b398cdd68d405828774a3ab366456 (patch) | |
tree | dcbc917b0dbd80c7c5be0b4a9ad35c5489ee64dc /src/java/com/jogamp/common/util/PropertyAccess.java | |
parent | 377d9de1ff1e2fabcd9bb7f65c0318f3c890392c (diff) |
Bug 752: Review Code Vulnerabilities (Permission Checks of new exposed code and privileged access)
This review focuses on how we perform permission checks,
or better - do we circumvent some assuming full privileges ?
Some native methods do need extra permission validation, i.e. loading native libraries.
Further more AccessController.doPrivileged(..) shall not cover generic code
exposing a critical feature to the user.
Furthermore, we should rely on the SecurityManager, i.e. AccessControlContext's
'checkPermission(Permission)' code to comply w/ fine-grained permission access.
It is also possible to have full permission w/o having any certificates (-> policy file).
+++
We remove implicit AccessController.doPrivileged(..) from within our trusted code
for generic methods, like Property access, temp. files.
+++
SecurityUtil:
- Remove 'getCommonAccessControlContext(Class<?> clz)',
which returned a local AccessControlContext for later restriction
if the passed class contains all certificates as the 'trusted' GlueGen class has.
- Simply expose convenient permission check methods relying on
SecurityManager / AccessControlContext.
PropertyAccess:
- 'protected static void addTrustedPrefix(..)' requires AllPermissions if SecurityManager is installed.
- Remove implicit doPrivileged(..) triggered by passed AccessControlContext instance,
only leave it for trusted prefixes.
IOUtil:
- Remove all doPrivileged(..) - Elevation shall be performed by caller.
DynamicLinker:
- 'public long openLibraryLocal(..)' and 'public long openLibraryGlobal(..)'
may throw SecurityException, if a SecurityManager is installed and the dyn. link permission
is not granted in the calling code.
Implemented in their respective Unix, OSX and Windows manifestation.
Caller has to elevate privileges via 'doPrivileged(..) {}' !
+++
Tests:
- Property access
- File access
- Native library loading
Manual Applet test (unsigned, but w/ SecurityManager and policy file):
> gluegen/test/applet
Applet has been tested w/ signed JAR w/ Firefox and Java7 on GNU/Linux as well.
Manual Application test (unsigned, but w/ SecurityManager and policy file):
com.jogamp.junit.sec.TestSecIOUtil01
- Run w/ SecurityManager and policy file:
- gluegen/scripts/runtest-secmgr.sh
- Run w/o SecurityManager:
- gluegen/scripts/runtest.sh
Diffstat (limited to 'src/java/com/jogamp/common/util/PropertyAccess.java')
-rw-r--r-- | src/java/com/jogamp/common/util/PropertyAccess.java | 67 |
1 files changed, 26 insertions, 41 deletions
diff --git a/src/java/com/jogamp/common/util/PropertyAccess.java b/src/java/com/jogamp/common/util/PropertyAccess.java
index 51b9533..dde6b50 100644
--- a/src/java/com/jogamp/common/util/PropertyAccess.java
+++ b/src/java/com/jogamp/common/util/PropertyAccess.java
@@ -48,12 +48,13 @@ public class PropertyAccess {
 // 'jogamp.' and maybe other trusted prefixes will be added later via 'addTrustedPrefix()'
 }
- public static final void addTrustedPrefix(String prefix, Class<?> certClass) {
- if(SecurityUtil.equalsLocalCert(certClass)) {
- trustedPrefixes.add(prefix);
- } else {
- throw new SecurityException("Illegal Access - prefix "+prefix+", with cert class "+certClass);
- }
+ /**
+ * @param prefix New prefix to be registered as trusted.
+ * @throws AccessControlException as thrown by {@link SecurityUtil#checkAllPermissions()}.
+ */
+ protected static final void addTrustedPrefix(String prefix) throws AccessControlException {
+ SecurityUtil.checkAllPermissions();
+ trustedPrefixes.add(prefix);
 }
 public static final boolean isTrusted(String propertyKey) {
@@ -65,11 +66,11 @@ public class PropertyAccess {
 }
 }
- /** @see #getProperty(String, boolean, AccessControlContext) */
- public static final int getIntProperty(final String property, final boolean jnlpAlias, final AccessControlContext acc, int defaultValue) {
+ /** @see #getProperty(String, boolean) */
+ public static final int getIntProperty(final String property, final boolean jnlpAlias, int defaultValue) {
 int i=defaultValue;
 try {
- final String sv = PropertyAccess.getProperty(property, jnlpAlias, acc);
+ final String sv = PropertyAccess.getProperty(property, jnlpAlias);
 if(null!=sv) {
 i = Integer.valueOf(sv).intValue();
 }
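Review bot: The new `addTrustedPrefix` stores `prefix` without validating it, so once `SecurityUtil.checkAllPermissions()` passes a `null` or empty string goes straight into `trustedPrefixes`; what `isTrusted` does with such an entry is outside this hunk, but an empty prefix would presumably match every key and silently make every property "trusted". A guard in the style `getProperty` already uses would close this, placed right after the permission check: `if( null == prefix || prefix.isEmpty() ) { throw new IllegalArgumentException("prefix is null or empty"); }`. The Javadoc also has no summary sentence before its tags; suggest opening it with `Registers {@code prefix} as a trusted property prefix; the caller must hold all permissions when a SecurityManager is installed, as checked by {@link SecurityUtil#checkAllPermissions()}.` so the contract described in the commit message is visible at the method.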
@@ -77,11 +78,11 @@ public class PropertyAccess {
 return i;
 }
- /** @see #getProperty(String, boolean, AccessControlContext) */
- public static final long getLongProperty(final String property, final boolean jnlpAlias, final AccessControlContext acc, long defaultValue) {
+ /** @see #getProperty(String, boolean) */
+ public static final long getLongProperty(final String property, final boolean jnlpAlias, long defaultValue) {
 long l=defaultValue;
 try {
- final String sv = PropertyAccess.getProperty(property, jnlpAlias, acc);
+ final String sv = PropertyAccess.getProperty(property, jnlpAlias);
 if(null!=sv) {
 l = Long.valueOf(sv).longValue();
 }
@@ -89,23 +90,23 @@ public class PropertyAccess {
 return l;
 }
- /** @see #getProperty(String, boolean, AccessControlContext) */
- public static final boolean getBooleanProperty(final String property, final boolean jnlpAlias, final AccessControlContext acc) {
- return Boolean.valueOf(PropertyAccess.getProperty(property, jnlpAlias, acc)).booleanValue();
+ /** @see #getProperty(String, boolean) */
+ public static final boolean getBooleanProperty(final String property, final boolean jnlpAlias) {
+ return Boolean.valueOf(PropertyAccess.getProperty(property, jnlpAlias)).booleanValue();
 }
- /** @see #getProperty(String, boolean, AccessControlContext) */
- public static final boolean getBooleanProperty(final String property, final boolean jnlpAlias, final AccessControlContext acc, boolean defaultValue) {
- final String valueS = PropertyAccess.getProperty(property, jnlpAlias, acc);
+ /** @see #getProperty(String, boolean) */
+ public static final boolean getBooleanProperty(final String property, final boolean jnlpAlias, boolean defaultValue) {
+ final String valueS = PropertyAccess.getProperty(property, jnlpAlias);
 if(null != valueS) {
 return Boolean.valueOf(valueS).booleanValue();
 }
 return defaultValue;
 }
- /** @see #getProperty(String, boolean, AccessControlContext) */
- public static final boolean isPropertyDefined(final String property, final boolean jnlpAlias, final AccessControlContext acc) {
- return (PropertyAccess.getProperty(property, jnlpAlias, acc) != null) ? true : false;
+ /** @see #getProperty(String, boolean) */
+ public static final boolean isPropertyDefined(final String property, final boolean jnlpAlias) {
+ return (PropertyAccess.getProperty(property, jnlpAlias) != null) ? true : false;
 }
 /**
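Review bot: The rewritten `isPropertyDefined` line keeps a redundant `? true : false` around an expression that is already boolean; `return null != PropertyAccess.getProperty(property, jnlpAlias);` reads the same and says less. In the same hunk both `getBooleanProperty` variants box and immediately unbox through `Boolean.valueOf(...).booleanValue()`, where `Boolean.parseBoolean(...)` gives the identical result, including `false` for a `null` argument, so the one-argument variant can become `return Boolean.parseBoolean(PropertyAccess.getProperty(property, jnlpAlias));`.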
@@ -119,8 +120,6 @@ public class PropertyAccess {
 * @param propertyKey the property name to query.
 * @param jnlpAlias true if a fallback attempt to query the JNLP aliased <i>trusted property</i> shall be made,
 * otherwise false.
- * @param acc the AccessControlerContext to be used for privileged access to the system property, or null.
- *
 * @return the property value if exists, or null
 *
 * @throws NullPointerException if the property name is null
@@ -129,7 +128,7 @@ public class PropertyAccess {
 *
 * @see System#getProperty(String)
 */
- public static final String getProperty(final String propertyKey, final boolean jnlpAlias, final AccessControlContext acc)
+ public static final String getProperty(final String propertyKey, final boolean jnlpAlias)
 throws SecurityException, NullPointerException, IllegalArgumentException {
 if(null == propertyKey) {
 throw new NullPointerException("propertyKey is NULL");
@@ -138,23 +137,13 @@ public class PropertyAccess {
 throw new IllegalArgumentException("propertyKey is empty");
 }
 String s=null;
- // int cause = 0;
 if( isTrusted(propertyKey) ) {
 // 'trusted' property (jnlp., javaws., jogamp., ..)
 s = getTrustedPropKey(propertyKey);
- // cause = null != s ? 1 : 0;
 } else {
- if( null != acc ) {
- s = AccessController.doPrivileged(new PrivilegedAction<String>() {
- public String run() {
- return System.getProperty(propertyKey);
- } }, acc);
- // cause = null != s ? 2 : 0;
- } else {
- s = System.getProperty(propertyKey);
- // cause = null != s ? 3 : 0;
- }
+ // may throw SecurityException, AccessControlerException
+ s = System.getProperty(propertyKey);
 }
 if( null == s && jnlpAlias ) {
 // Try 'jnlp.' aliased property ..
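Review bot: Dropping `@param acc` leaves the `getProperty` Javadoc silent about the contract that actually changed in the third hunk: a non-trusted key is now read with `System.getProperty` in the caller's own access-control context, so a `SecurityException` from a property-read denial reaches the caller directly, and callers that previously passed an `acc` to obtain elevated access must now, as the commit message says, perform the `AccessController.doPrivileged` elevation themselves where they hold the permission. Suggest a sentence to that effect next to `@return`, e.g. `Non-trusted keys are read without privilege elevation; a caller holding the required property permission must elevate itself.` The comment added in the else branch also misspells the exception type, there is no `AccessControlerException`; it should read `// may throw SecurityException, AccessControlException`. `getProperty` begins in this hunk and its body continues past the end of it.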
@@ -162,11 +151,8 @@ public class PropertyAccess {
 // Properties within the namespace "jnlp." or "javaws." should be considered trusted,
 // i.e. always granted w/o special privileges.
 s = getTrustedPropKey(jnlp_prefix + propertyKey);
- // cause = null != s ? 4 : 0;
 }
- }
- // System.err.println("Prop: <"+propertyKey+"> = <"+s+">, cause "+cause);
-
+ }
 return s;
 }
@@ -177,7 +163,6 @@ public class PropertyAccess {
 return System.getProperty(propertyKey);
 } catch (SecurityException se) {
 throw new SecurityException("Could not access trusted property '"+propertyKey+"'", se);
- }
 }
 }); |