author | Sven Gothel <[email protected]> | 2013-06-11 16:25:48 +0200 |
committer | Sven Gothel <[email protected]> | 2013-06-11 16:25:48 +0200 |
commit | 1a01dce6c42b398cdd68d405828774a3ab366456 (patch) | |
tree | dcbc917b0dbd80c7c5be0b4a9ad35c5489ee64dc /src/java/com/jogamp/common/util/SecurityUtil.java | |
parent | 377d9de1ff1e2fabcd9bb7f65c0318f3c890392c (diff) |
Bug 752: Review Code Vulnerabilities (Permission Checks of new exposed code and privileged access)
This review focuses on how we perform permission checks,
or better - do we circumvent some assuming full privileges ?
Some native methods do need extra permission validation, i.e. loading native libraries.
Furthermore AccessController.doPrivileged(..) shall not cover generic code
exposing a critical feature to the user.
Furthermore .. we should rely on the SecurityManager, i.e. AccessControlContext's
'checkPermission(Permission)' code to comply w/ fine grained permission access.
It is also possible to have full permission w/o having any certificates (-> policy file).
+++
We remove implicit AccessController.doPrivileged(..) from within our trusted code
for generic methods, like Property access, temp. files.
+++
SecurityUtil:
- Remove 'getCommonAccessControlContext(Class<?> clz)',
which returned a local AccessControlContext for later restriction
if the passed class contains all certificates as the 'trusted' GlueGen class has.
- Simply expose convenient permission check methods relying on
SecurityManager / AccessControlContext.
PropertyAccess:
- 'protected static void addTrustedPrefix(..)' requires AllPermissions if SecurityManager is installed.
- Remove implicit doPrivileged(..) triggered by passed AccessControlContext instance,
only leave it for trusted prefixes.
IOUtil:
- Remove all doPrivileged(..) - Elevation shall be performed by caller.
DynamicLinker:
- 'public long openLibraryLocal(..)' and 'public long openLibraryGlobal(..)'
may throw SecurityException, if a SecurityManager is installed and the dyn. link permission
is not granted in the calling code.
Implemented in their respective Unix, OSX and Windows manifestation.
Caller has to elevate privileges via 'doPrivileged(..) {}' !
+++
Tests:
- Property access
- File access
- Native library loading
Manual Applet test (unsigned, but w/ SecurityManager and policy file):
> gluegen/test/applet
Applet has been tested w/ signed JAR w/ Firefox and Java7 on GNU/Linux as well.
Manual Application test (unsigned, but w/ SecurityManager and policy file):
com.jogamp.junit.sec.TestSecIOUtil01
- Run w/ SecurityManager and policy file:
- gluegen/scripts/runtest-secmgr.sh
- Run w/o SecurityManager:
- gluegen/scripts/runtest.sh
Diffstat (limited to 'src/java/com/jogamp/common/util/SecurityUtil.java')
-rw-r--r-- | src/java/com/jogamp/common/util/SecurityUtil.java | 141 |
1 files changed, 111 insertions, 30 deletions
diff --git a/src/java/com/jogamp/common/util/SecurityUtil.java b/src/java/com/jogamp/common/util/SecurityUtil.java
index 4583201..4d7aa5d 100644
--- a/src/java/com/jogamp/common/util/SecurityUtil.java
+++ b/src/java/com/jogamp/common/util/SecurityUtil.java
@@ -27,30 +27,127 @@ */ package com.jogamp.common.util; -import java.security.AccessControlContext; import java.security.AccessController; +import java.security.AllPermission; import java.security.CodeSource; +import java.security.Permission; import java.security.PrivilegedAction; import java.security.ProtectionDomain; import java.security.cert.Certificate; public class SecurityUtil { - /* package private */ static final AccessControlContext localACC; - /* package private */ static final Certificate[] localCerts; + private static final SecurityManager securityManager; + private static final Permission allPermissions; + private static final boolean DEBUG = false; static { - localACC = AccessController.doPrivileged(new PrivilegedAction<AccessControlContext>() { - public AccessControlContext run() { - return AccessController.getContext(); - } } ); - localCerts = getCerts(SecurityUtil.class); + allPermissions = new AllPermission(); + securityManager = System.getSecurityManager(); + + if( DEBUG ) { + final boolean hasAllPermissions; + { + final ProtectionDomain insecPD = AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() { + public ProtectionDomain run() { + return SecurityUtil.class.getProtectionDomain(); + } } ); + boolean _hasAllPermissions; + try { + insecPD.implies(allPermissions); + _hasAllPermissions = true; + } catch( SecurityException ace ) { + _hasAllPermissions = false; + } + hasAllPermissions = _hasAllPermissions; + } + + System.err.println("SecurityUtil: Has SecurityManager: "+ ( null != securityManager ) ) ; + System.err.println("SecurityUtil: Has AllPermissions: "+hasAllPermissions); + final Certificate[] certs = AccessController.doPrivileged(new PrivilegedAction<Certificate[]>() { + public Certificate[] run() { + return getCerts(SecurityUtil.class); + } } ); + System.err.println("SecurityUtil: Cert count: "+ ( null != certs ? 
certs.length : 0 )); + if( null != certs ) { + for(int i=0; i<certs.length; i++) { + System.err.println("\t cert["+i+"]: "+certs[i].toString()); + } + } + } + } + + /** + * Returns <code>true</code> if no {@link SecurityManager} has been installed + * or the installed {@link SecurityManager}'s <code>checkPermission(new AllPermission())</code> + * passes. Otherwise method returns <code>false</code>. + */ + public static final boolean hasAllPermissions() { + return hasPermission(allPermissions); + } + + /** + * Returns <code>true</code> if no {@link SecurityManager} has been installed + * or the installed {@link SecurityManager}'s <code>checkPermission(perm)</code> + * passes. Otherwise method returns <code>false</code>. + */ + public static final boolean hasPermission(Permission perm) { + try { + checkPermission(perm); + return true; + } catch( SecurityException ace ) { + return false; + } + } + + /** + * Throws an {@link SecurityException} if an installed {@link SecurityManager} + * does not permit the requested {@link AllPermission}. + */ + public static final void checkAllPermissions() throws SecurityException { + checkPermission(allPermissions); + } + + /** + * Throws an {@link SecurityException} if an installed {@link SecurityManager} + * does not permit the requested {@link Permission}. + */ + public static final void checkPermission(Permission perm) throws SecurityException { + if( null != securityManager ) { + securityManager.checkPermission(perm); + } + } + + /** + * Returns <code>true</code> if no {@link SecurityManager} has been installed + * or the installed {@link SecurityManager}'s <code>checkLink(libName)</code> + * passes. Otherwise method returns <code>false</code>. 
+ */ + public static final boolean hasLinkPermission(String libName) { + try { + checkLinkPermission(libName); + return true; + } catch( SecurityException ace ) { + return false; + } } - public static final Certificate[] getCerts(final Class<?> clz) { - final ProtectionDomain pd = AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() { - public ProtectionDomain run() { - return clz.getProtectionDomain(); - } } ); + /** + * Throws an {@link SecurityException} if an installed {@link SecurityManager} + * does not permit to dynamically link the given libName. + */ + public static final void checkLinkPermission(String libName) throws SecurityException { + if( null != securityManager ) { + securityManager.checkLink(libName); + } + } + + /** + * @param clz + * @return + * @throws SecurityException if the caller has no permission to access the ProtectedDomain of the given class. + */ + public static final Certificate[] getCerts(final Class<?> clz) throws SecurityException { + final ProtectionDomain pd = clz.getProtectionDomain(); final CodeSource cs = (null != pd) ? pd.getCodeSource() : null; final Certificate[] certs = (null != cs) ? cs.getCertificates() : null; return (null != certs && certs.length>0) ? certs : null; @@ -72,21 +169,5 @@ public class SecurityUtil { i++; } return i == a.length; - } - - public static final boolean equalsLocalCert(Certificate[] b) { - return equals(localCerts, b); - } - - public static final boolean equalsLocalCert(Class<?> clz) { - return equalsLocalCert(getCerts(clz)); - } - - public static final AccessControlContext getCommonAccessControlContext(Class<?> clz) { - if(equalsLocalCert(clz)) { - return localACC; - } else { - return null; - } - } + } } |
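Review bot: `checkPermission(Permission)` and `checkLinkPermission(String)` in this hunk consult the `securityManager` field, which the static initializer captures once from `System.getSecurityManager()`; a SecurityManager installed after SecurityUtil has been class-initialized is therefore never seen, and both guards become no-ops because the null check skips the call entirely. Read the manager at call time instead, `final SecurityManager sm = System.getSecurityManager(); if( null != sm ) { sm.checkPermission(perm); }`, with the same shape around `checkLink(libName)`, and drop the cached field. Separately, the DEBUG branch discards the boolean returned by `insecPD.implies(allPermissions)` and then sets `_hasAllPermissions = true` unconditionally (implies does not throw SecurityException), so the "Has AllPermissions" line always prints true; `_hasAllPermissions = insecPD.implies(allPermissions);` gives the intended report. The `getCerts` javadoc also leaves `@param clz` and `@return` empty; `@return the non-empty certificate array of the class's CodeSource, or null if none` would complete it.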