Felix / FELIX-5910

Set correct AccessControlContext when receiving configuration events

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • scr-2.1.6
    • scr-2.1.8
    • None
    • - Felix fwk 6.0.0
      - Felix security 2.6.0
      - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT

    Description

      ConfigAdmin requests a restricted set of permissions by means of a permissions.perm file, which must not restrict the permissions of other bundles to which it sends events. There is in fact a mechanism in place to prevent this, using the protection domain of the bundle, in the class ManagedServiceTracker (resolving the related issue https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread class does not use this mechanism; instead it explicitly sets an AccessControlContext based on its own protection domain, hence enforcing its own restricted set of permissions on the event listeners. Below are two examples of the resulting AccessControlExceptions I get. There is just one additional bundle in the stack trace, felix-scr, which has all permissions and can be ignored from the permissions point of view.
      By the way, removing the permissions.perm file from ConfigAdmin resolves the problem, confirming that the bug is indeed in ConfigAdmin. 

      org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
      java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
      at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
      at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
      at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
      at java.base/java.lang.Class.getClassLoader(Class.java:807)
      at org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
      at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
      at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
      at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
      at org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
      at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
      at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
      at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
      at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
      at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
      at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
      at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
      at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
      at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
      at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
      at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
      at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
      at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
      at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
      at java.base/java.lang.Thread.run(Thread.java:844)

      org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
      java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
      at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
      at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
      at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
      at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
      at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
      at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
      at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
      at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
      at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
      at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
      at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
      at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
      at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
      at java.base/java.lang.Thread.run(Thread.java:844)
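
The effect described in the report, as an added example that is not part of the original issue or of the Felix code base: a permission check against an AccessControlContext succeeds only if every protection domain in that context grants the permission, so placing a restricted sender's domain in the context denies the check even for a listener holding all permissions. The class name, the `domain` and `allowed` helpers and the two sample domains are constructed for illustration; the code assumes a JDK on which the Security Manager API is still functional (it is deprecated for removal since Java 17).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

@SuppressWarnings("removal") // Security Manager API is deprecated for removal since Java 17
public class ContextIntersectionDemo {

    // ProtectionDomain with a fixed permission set; with this two-argument
    // constructor the installed Policy is not consulted.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(null, perms);
    }

    // True only if every domain placed in the context implies the permission.
    static boolean allowed(Permission needed, ProtectionDomain... domains) {
        try {
            new AccessControlContext(domains).checkPermission(needed);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-ins: "sender" plays a bundle restricted by a
        // permissions.perm file, "listener" a bundle holding all permissions.
        ProtectionDomain sender = domain(new PropertyPermission("*", "read"));
        ProtectionDomain listener = domain(new AllPermission());
        // The permission denied in the first stack trace of the report.
        Permission needed = new RuntimePermission("getClassLoader");

        System.out.println("listener domain only: " + allowed(needed, listener));
        System.out.println("sender domain only:   " + allowed(needed, sender));
        System.out.println("sender + listener:    " + allowed(needed, sender, listener));
    }
}
```

The "sender + listener" case corresponds to the situation in the stack traces, where the context set by the event sender is evaluated together with the domains of the code it calls.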

          People

            cziegeler Carsten Ziegeler
            cnoelle Christoph Nölle