Bug 752: Review Code Vulnerabilities (Permission Checks of new exposed code and privileged access)

This review focuses on how we perform permission checks,
or better - do we circumvent some assuming full privileges ?
Some native methods do need extra permission validation, i.e. loading native libraries.

Further more AccessController.doPrivileged(..) shall not cover generic code
exposing a critical feature to the user.

Further more .. we should rely on the SecuritManager, i.e. AccessControlContext's
'checkPermission(Permission)' code to comply w/ fine grained permission access.

It is also possible to have full permission w/o having any certificates (-> policy file).

+++

We remove implicit AccessController.doPrivileged(..) from within our trusted code
for generic methods, like Property access, temp. files.

+++

SecurityUtil:
 - Remove 'getCommonAccessControlContext(Class<?> clz)',
   which returned a local AccessControlContext for later restriction
   if the passed class contains all certificates as the 'trusted' GlueGen class has.

 - Simply expose convenient permission check methods relying on
   SecurityManager / AccessControlContext.

PropertyAccess:
 - 'protected static void addTrustedPrefix(..)' requires AllPermissions if SecurityManager is installed.
 - Remove implicit doPrivileged(..) triggered by passed AccessControlContext instance,
   only leave it for trusted prefixes.

IOUtil:
  - Remove all doPrivileged(..) - Elevation shall be performed by caller.

DynamicLinker:
  - 'public long openLibraryLocal(..)' and 'public long openLibraryGlobal(..)'
    may throw SecurityException, if a SecurityManager is installed and the dyn. link permission
    is not granted in the calling code.
    Implemented in their respective Unix, OSX and Windows manifestation.

    Caller has to elevate privileges via 'doPrivileged(..) {}' !

+++

Tests:
 - Property access
 - File access
 - Native library loading

Manual Applet test (unsigned, but w/ SecurityManager and policy file):
  > gluegen/test/applet

  Applet has been tested w/ signed JAR w/ Firefox and Java7 on GNU/Linux as well.

Manual Application test (unsigned, but w/ SecurityManager and policy file):
  com.jogamp.junit.sec.TestSecIOUtil01

  - Run w/ SecurityManager and policy file:
    - gluegen/scripts/runtest-secmgr.sh

  - Run w/o SecurityManager:
    - gluegen/scripts/runtest.sh

3 files changed, 33 insertions, 0 deletions

diff --git a/test/applet/applet01.html b/test/applet/applet01.html
new file mode 100644
index 0000000..df8a926
--- /dev/null
+++ b/test/applet/applet01.html
@@ -0,0 +1,11 @@
+<html>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
+<body>
+<p>
+Provoke AccessControlException while writing to file!
+</p>
+<applet code=com.jogamp.junit.sec.Applet01 width="200" height="200"
+        archive="jar/gluegen-rt.jar,gluegen-test.jar">
+</applet>
+</body>
+</html>
diff --git a/test/applet/java.policy.applet b/test/applet/java.policy.applet
new file mode 100644
index 0000000..a1ac2a0
--- /dev/null
+++ b/test/applet/java.policy.applet
@@ -0,0 +1,5 @@
+
+grant codeBase "file:/home/sven/projects/JOGL/gluegen/test/applet/jar/*" {
+      permission java.security.AllPermission;
+};
+
diff --git a/test/applet/runapplet.sh b/test/applet/runapplet.sh
new file mode 100644
index 0000000..cc14554
--- /dev/null
+++ b/test/applet/runapplet.sh
@@ -0,0 +1,17 @@
+#! /bin/bash
+
+RDIR=`pwd`
+
+rm -rf jar
+rm -f gluegen-test.jar
+
+mkdir jar
+cp ../../build/*jar jar/
+cp ../../build/test/build/gluegen-test.jar .
+
+/opt-linux-x86_64/jdk1.6.0_35/bin/java \
+    -Djogamp.debug.IOUtil -Djogamp.debug.JNILibLoader -Djogamp.debug.TempFileCache -Djogamp.debug.JarUtil -Djogamp.debug.TempJarCache \
+    -Djava.security.policy=$RDIR/java.policy.applet \
+    -Dfile.encoding=UTF-8 \
+    sun.applet.AppletViewer $RDIR/applet01.html
+