Enabling security in Equinox


Enabling security in Equinox

by Tom Hsu-2

Hi all,

I have a use case in which we'd like to secure the behavior of some particular bundles at runtime. We have an OSGi Equinox application that will install custom bundles during runtime and execute code from those custom bundles. We'd like to restrict the execution of that code to specified work directories for security reasons.

I have searched for a morning for a quickstart guide to enable java.policy style permissions for installed bundles by the OSGi Equinox fwk. But I have not found any easy documentation besides the OSGi specifications on Admin permission and conditional admin services. Can someone point me to some documentation?

In short, I want to restrict runtime-installed bundles to have limited IO privileges. Thanks.

Regards,
Tom
_______________________________________________
equinox-dev mailing list
equinox-dev@...
https://dev.eclipse.org/mailman/listinfo/equinox-dev

Re: Enabling security in Equinox

by Marcel Offermans

Hello Tom,

On Oct 28, 2009, at 22:46 , Tom Hsu wrote:

> I have a use case in which we'd like to secure the behavior of some
> particular bundles at runtime. We have an OSGi Equinox application
> that will install custom bundles during runtime and execute code
> from those custom bundles. We'd like to restrict the execution of
> that code to specified work directories for security reasons.
>
> I have searched for a morning for a quickstart guide to enable
> java.policy style permissions for installed bundles by the OSGi
> Equinox fwk. But I have not found any easy documentation besides
> the OSGi specifications on Admin permission and conditional admin
> services. Can someone point me to some documentation?
>
> In short, I want to restrict runtime-installed bundles to have  
> limited IO privileges. Thanks.

Last year at EclipseCon, Karl Pauls and I did a workshop on secure  
OSGi applications. Amongst other things we discussed how to run both  
Equinox and Felix with security. There are slides in the PDF that  
explain the command line options you need.

http://felix.apache.org/site/presentations.data/Building%20Secure%20OSGi%20Applications%20Workshop.pdf

Small disclaimer, this information is over a year old and might be a  
bit outdated here and there, but still it might be a good starting  
point.

Greetings, Marcel


Re: Enabling security in Equinox

by Tom Hsu-2

Hi all,

I now realized that I need to provide system permissions for the
Conditional Permission Admin service in order to secure behaviors of
some installed bundles. Please confirm my understanding:
1. The example shown in the PDF seems to suggest achieving this using a
privileged bundle to assign restricted permission objects for the new
bundles.
2. #1 approach needs to be done programmatically?
3. Is there a way to achieve the restriction of bundles coming from
known location <A> to have a limited set of permissions with a
configuration file like custo_java.policy?

Regards,
Tom


RE: Enabling security in Equinox

by chuso

Hi Tom,

I think there is no possibility to configure Conditional Permission with
a policy file. If you do not want to do it programmatically, you should use
Local Permissions, which are defined in the permissions.perm file. I think this
restriction in Conditional Permission is because of security matters.

Regards




Re: Enabling security in Equinox

by Marcel Offermans

On Oct 30, 2009, at 1:31, <tom.hsu@...> wrote:

> Hi all,
>
> I now realized that I need to provide system permissions for the  
> Conditional Permission Admin service in order to secure behaviors of  
> some installed bundles. Please confirm my understanding:
> 1. The example shown in the PDF seems to suggest achieving this
> using a privileged bundle to assign restricted permission objects for
> the new bundles.
> 2. #1 approach needs to be done programmatically?

Yes, in various places in the OSGi specification, a bundle called the
"management agent" is mentioned. This bundle has a couple of
responsibilities (scattered throughout the spec) and one of them is to
set up and maintain security policies.

> 3. Is there a way to achieve the restriction of bundles coming from  
> known location <A> to have a limited set of permissions with a  
> configuration file like custo_java.policy?

Not that I know of, you'd have to do that programmatically.

Greetings, Marcel
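
The programmatic setup confirmed in the reply above, as an added example that is not part of the original thread or of the workshop slides: a management-agent bundle that uses the OSGi R4.2 Conditional Permission Admin API to confine bundles from one install location to a work directory. The class name, the install location pattern and the work directory are assumptions, and the framework is assumed to be running with security enabled.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.util.List;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.PackagePermission;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.*;
import org.osgi.service.permissionadmin.PermissionInfo;

// Hypothetical management agent; start it before any custom bundle is installed.
public class PolicyAgent implements BundleActivator {
    // Assumed values: where custom bundles are installed from, and their work directory.
    static final String CUSTOM_LOCATION = "file:/opt/app/custom-bundles/*";
    static final String WORK_DIR = "/opt/app/work/-"; // "-" = the directory and everything below it

    public void start(BundleContext ctx) {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        if (ref == null) throw new IllegalStateException("no ConditionalPermissionAdmin service");
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);

        ConditionInfo[] custom = { location(CUSTOM_LOCATION) };
        ConditionInfo[] agent = { location(ctx.getBundle().getLocation()) };
        PermissionInfo[] all = { new PermissionInfo(AllPermission.class.getName(), "*", "*") };
        PermissionInfo[] sandbox = {
            new PermissionInfo(FilePermission.class.getName(), WORK_DIR, "read,write"),
            // Without import permission the custom bundles could not resolve at all.
            new PermissionInfo(PackagePermission.class.getName(), "*", "import") };

        ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
        List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
        rows.clear();
        // Rows are evaluated top-down; the first row whose conditions match the
        // bundle and whose permissions imply the requested one decides.
        rows.add(cpa.newConditionalPermissionInfo("agent", agent, all, ConditionalPermissionInfo.ALLOW));
        rows.add(cpa.newConditionalPermissionInfo("custom-allow", custom, sandbox, ConditionalPermissionInfo.ALLOW));
        rows.add(cpa.newConditionalPermissionInfo("custom-deny", custom, all, ConditionalPermissionInfo.DENY));
        // An empty table grants everything, but once rows exist an unmatched check is
        // denied, so the remaining (trusted) bundles need an explicit allow row.
        rows.add(cpa.newConditionalPermissionInfo("rest", new ConditionInfo[0], all, ConditionalPermissionInfo.ALLOW));
        if (!update.commit()) throw new IllegalStateException("policy table changed concurrently");
    }

    static ConditionInfo location(String pattern) {
        return new ConditionInfo(BundleLocationCondition.class.getName(), new String[] { pattern });
    }

    public void stop(BundleContext ctx) { }
}
```

The agent's own allow row comes first so that a later policy update by the agent cannot be blocked by the table it installed.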


Re: Enabling security in Equinox

by Marcel Offermans

On Oct 30, 2009, at 8:53 , David Conde wrote:

> If you do not want to do it programmatically, you should use
> Local Permission which are defined in permissions.perm file. I
> think this restriction in Conditional Permission is because of
> security matters.

Local permissions only allow a bundle to declare to the framework the
permissions it wants. The framework then makes sure it will never get
more than that (but maybe less). This is a good way to prevent having
to audit third party bundles/code before accepting it, but I don't
think it's a solution to prevent having to set up security.

Greetings, Marcel
