Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- framework.security-2.4.0
- None
- Java 1.8
Description
Hello, I have done my tests on the Java runtimes "1.7.0_71" and "1.8.0_25", and Felix "felix-framework-5.4.0". I have enabled security by adding "org.apache.felix.framework.security-2.4.0" to the bundle directory.
I have then created three projects: "p1-check", "p1-policy" and the offending bundle "p1-evil" (I'll attach all code). My scenario is as follows: I do not want p1-evil to connect to the Internet. However, in the p1-evil Activator I placed some code that makes a request to Google and prints the response.
The p1-check bundle has only one condition: MyCheck.java. The isSatisfied() method of MyCheck returns true if the bundle symbolic name is "com.p1.evil", which is the symbolic name of the p1-evil bundle.
This is meant to be used with the following security rule (can be found in security.policy):
DENY { [com.p1.check.MyCheck] ( java.net.SocketPermission "*" "connect" ) } "MyCheck" ...
(Note: I also tried "connect,resolve"; it still does not work on Java 1.8.)
When I execute felix.jar with Java 1.7, I can see the logs from p1-check and, as expected, p1-evil does not connect and I get an exception: [java.security.AccessControlException: access denied ("java.net.SocketPermission" "google.com:80" "connect,resolve")]
When I execute felix.jar with Java 1.8, I can see the logs from p1-check; however, the p1-evil activator is still allowed to connect to Google.
I have tried this on two different machines and I got the same results. Am I doing something wrong? Or is there something I do not know?
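
A minimal Conditional Permission Admin condition of the kind the report describes, as an added example; it is not the reporter's attached MyCheck.java. Only the class name and the symbolic name "com.p1.evil" come from the report; the class body and the log line are assumptions.

```java
package com.p1.check;

import java.util.Dictionary;

import org.osgi.framework.Bundle;
import org.osgi.service.condpermadmin.Condition;
import org.osgi.service.condpermadmin.ConditionInfo;

/**
 * Satisfied only for the bundle whose symbolic name is "com.p1.evil".
 * Illustrative reconstruction (assumption), not the code attached to the issue.
 */
public final class MyCheck implements Condition {

    // Symbolic name taken from the report.
    private static final String TARGET = "com.p1.evil";

    private final boolean matches;

    private MyCheck(boolean matches) {
        this.matches = matches;
    }

    // Static factory the framework calls to instantiate the condition
    // named in a policy row for a given bundle.
    public static Condition getCondition(Bundle bundle, ConditionInfo info) {
        // getSymbolicName() may be null, so compare from the constant side.
        boolean m = TARGET.equals(bundle.getSymbolicName());
        // Log line (assumption): shows on each runtime whether the
        // condition was created for the bundle and what it decided.
        System.out.println("[MyCheck] " + bundle.getSymbolicName() + " -> " + m);
        return new MyCheck(m);
    }

    @Override public boolean isPostponed() { return false; }   // evaluate immediately
    @Override public boolean isSatisfied() { return matches; } // true => the DENY row applies
    @Override public boolean isMutable()   { return false; }   // result is fixed per bundle

    // Used by the framework only for postponed conditions; kept consistent
    // with the single-condition check above.
    @Override
    public boolean isSatisfied(Condition[] conditions, Dictionary<Object, Object> context) {
        for (Condition c : conditions) {
            if (!c.isSatisfied()) {
                return false;
            }
        }
        return true;
    }
}
```

Running the same bundle set under both runtimes and comparing the `[MyCheck]` lines shows whether the condition is evaluated for p1-evil in each case, which separates a condition that is never consulted from a DENY decision that is computed but not enforced.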