/** * Executes the provided operation against this store */ // we can do FS ops with only two elevated permissions: // 1) hadoop dynamic proxy is messy with access rules // 2) allow hadoop to add credentials to our Subject <V> V execute(Operation<V> operation) throws IOException { SpecialPermission.check(); if (closed) { throw new AlreadyClosedException("HdfsBlobStore is closed: " + this); } try { return AccessController.doPrivileged((PrivilegedExceptionAction<V>) () -> operation.run(fileContext), null, new ReflectPermission("suppressAccessChecks"), new AuthPermission("modifyPrivateCredentials"), new SocketPermission("*", "connect")); } catch (PrivilegedActionException pae) { throw (IOException) pae.getException(); } }
static PermissionCollection getRestrictedPermissions() { Permissions perms = new Permissions(); // property/env access needed for parsing perms.add(new PropertyPermission("*", "read")); perms.add(new RuntimePermission("getenv.TIKA_CONFIG")); // add permissions for resource access: // classpath addReadPermissions(perms, JarHell.parseClassPath()); // plugin jars if (TikaImpl.class.getClassLoader() instanceof URLClassLoader) { addReadPermissions(perms, ((URLClassLoader)TikaImpl.class.getClassLoader()).getURLs()); } // jvm's java.io.tmpdir (needs read/write) perms.add(new FilePermission(System.getProperty("java.io.tmpdir") + System.getProperty("file.separator") + "-", "read,readlink,write,delete")); // current hacks needed for POI/PDFbox issues: perms.add(new SecurityPermission("putProviderProperty.BC")); perms.add(new SecurityPermission("insertProvider")); perms.add(new ReflectPermission("suppressAccessChecks")); // xmlbeans, use by POI, needs to get the context classloader perms.add(new RuntimePermission("getClassLoader")); perms.setReadOnly(); return perms; }
/** * Returns the list of permissions for the running test. * * @return */ protected List<Permission> getTestPermissions() { List<Permission> perms = new ArrayList<Permission>(); perms.add(new PackagePermission("*", PackagePermission.EXPORT)); perms.add(new PackagePermission("*", PackagePermission.IMPORT)); perms.add(new BundlePermission("*", BundlePermission.HOST)); perms.add(new BundlePermission("*", BundlePermission.PROVIDE)); perms.add(new BundlePermission("*", BundlePermission.REQUIRE)); perms.add(new ServicePermission("*", ServicePermission.REGISTER)); perms.add(new ServicePermission("*", ServicePermission.GET)); perms.add(new PropertyPermission("*", "read,write")); // required by Spring perms.add(new RuntimePermission("*", "accessDeclaredMembers")); perms.add(new ReflectPermission("*", "suppressAccessChecks")); // logging permission perms.add(new FilePermission("-", "write")); perms.add(new FilePermission("-", "read")); return perms; }
protected List<Permission> getIAndTPermissions() { List<Permission> perms = new ArrayList<Permission>(); // export package perms.add(new PackagePermission("*", PackagePermission.EXPORT)); perms.add(new PackagePermission("*", PackagePermission.IMPORT)); perms.add(new BundlePermission("*", BundlePermission.FRAGMENT)); perms.add(new BundlePermission("*", BundlePermission.PROVIDE)); perms.add(new ServicePermission("*", ServicePermission.REGISTER)); perms.add(new ServicePermission("*", ServicePermission.GET)); perms.add(new PropertyPermission("*", "read,write")); // required by Spring perms.add(new RuntimePermission("*", "accessDeclaredMembers")); perms.add(new ReflectPermission("*", "suppressAccessChecks")); // logging permission perms.add(new FilePermission("-", "write")); perms.add(new FilePermission("-", "read")); return perms; }
public SimplePolicy(TestCase test, ThreadLocal<AtomicBoolean> allowAll) { this.allowAll = allowAll; // Permission needed by the tested code exercised in the test permissions = new Permissions(); permissions.add(new RuntimePermission("fileSystemProvider")); permissions.add(new RuntimePermission("createClassLoader")); permissions.add(new RuntimePermission("closeClassLoader")); permissions.add(new RuntimePermission("getClassLoader")); permissions.add(new RuntimePermission("accessDeclaredMembers")); permissions.add(new ReflectPermission("suppressAccessChecks")); permissions.add(new PropertyPermission("*", "read")); permissions.add(new FilePermission("<<ALL FILES>>", "read")); // these are used for configuring the test itself... allPermissions = new Permissions(); allPermissions.add(new java.security.AllPermission()); }
private void newProxyInstance() { // expect newProxyInstance to succeed if it's in the same runtime package int i = proxyClass.getName().lastIndexOf('.'); String pkg = (i != -1) ? proxyClass.getName().substring(0, i) : ""; boolean hasAccess = pkg.isEmpty() || hasAccess(); try { Proxy.newProxyInstance(loader, interfaces, handler); if (!hasAccess) { throw new RuntimeException("ERROR: Proxy.newProxyInstance should fail " + proxyClass); } } catch (AccessControlException e) { if (hasAccess) { throw e; } if (e.getPermission().getClass() != ReflectPermission.class || !e.getPermission().getName().equals(NEW_PROXY_IN_PKG + pkg)) { throw e; } } }
public SimplePolicy(TestCase test, ThreadLocal<AtomicBoolean> allowAll) { this.allowAll = allowAll; // Permission needed by the tested code exercised in the test permissions = new Permissions(); permissions.add(new RuntimePermission("fileSystemProvider")); permissions.add(new RuntimePermission("createClassLoader")); permissions.add(new RuntimePermission("closeClassLoader")); permissions.add(new RuntimePermission("getClassLoader")); permissions.add(new RuntimePermission("accessDeclaredMembers")); permissions.add(new RuntimePermission("accessSystemModules")); permissions.add(new ReflectPermission("suppressAccessChecks")); permissions.add(new PropertyPermission("*", "read")); permissions.add(new FilePermission("<<ALL FILES>>", "read")); // these are used for configuring the test itself... allPermissions = new Permissions(); allPermissions.add(new java.security.AllPermission()); }
private void addPermissionsForCompilation(PermissionCollection permissions) { permissions.add(new PropertyPermission("sun.*", "read")); permissions.add(new PropertyPermission("java.*", "read")); permissions.add(new PropertyPermission("nonBatchMode", "read")); permissions.add(new PropertyPermission("os.name", "read")); permissions.add(new PropertyPermission("line.separator", "read")); permissions.add(new PropertyPermission("env.class.path", "read")); permissions.add(new PropertyPermission("application.home", "read")); permissions.add(new FilePermission("<<ALL FILES>>", "read")); permissions.add(new RuntimePermission("createClassLoader")); permissions.add(new ReflectPermission("suppressAccessChecks")); permissions.add(new SocketPermission(DynaCompTest.PADDLES_CODESOURCE, "resolve")); }
/** * Returns the list of permissions for the running test. * * @return */ protected List getTestPermissions() { List perms = new ArrayList(); perms.add(new PackagePermission("*", PackagePermission.EXPORT)); perms.add(new PackagePermission("*", PackagePermission.IMPORT)); perms.add(new BundlePermission("*", BundlePermission.HOST)); perms.add(new BundlePermission("*", BundlePermission.PROVIDE)); perms.add(new BundlePermission("*", BundlePermission.REQUIRE)); perms.add(new ServicePermission("*", ServicePermission.REGISTER)); perms.add(new ServicePermission("*", ServicePermission.GET)); perms.add(new PropertyPermission("org.springframework.osgi.*", "read")); perms.add(new PropertyPermission("org.springframework.osgi.iandt.*", "write")); // required by Spring perms.add(new RuntimePermission("*", "accessDeclaredMembers")); perms.add(new ReflectPermission("*", "suppressAccessChecks")); return perms; }
protected List getIAndTPermissions() { List perms = new ArrayList(); // export package perms.add(new PackagePermission("*", PackagePermission.EXPORT)); perms.add(new PackagePermission("*", PackagePermission.IMPORT)); perms.add(new BundlePermission("*", BundlePermission.FRAGMENT)); perms.add(new BundlePermission("*", BundlePermission.PROVIDE)); perms.add(new ServicePermission("*", ServicePermission.REGISTER)); perms.add(new ServicePermission("*", ServicePermission.GET)); perms.add(new PropertyPermission("*", "read,write")); // required by Spring perms.add(new RuntimePermission("*", "accessDeclaredMembers")); perms.add(new ReflectPermission("*", "suppressAccessChecks")); return perms; }
private static AccessControlContext createSecurityContext() { PermissionCollection perms = new Permissions(); perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging perms.add(new ReflectPermission("suppressAccessChecks")); return new AccessControlContext( new ProtectionDomain[]{ new ProtectionDomain(null, perms), }); }
/** * {@inheritDoc} * * @see java.lang.SecurityManager#checkPermission(java.security.Permission) */ @Override public void checkPermission ( Permission perm ) { if ( perm instanceof RuntimePermission ) { if ( checkRuntimePermission((RuntimePermission) perm) ) { return; } } else if ( perm instanceof ReflectPermission ) { return; } else if ( perm instanceof LoggingPermission ) { return; } else if ( perm instanceof SecurityPermission ) { return; } else if ( perm instanceof PropertyPermission ) { return; } else if ( perm instanceof NetPermission && perm.getName().equals("specifyStreamHandler") ) { return; } else if ( perm instanceof FilePermission && perm.getActions().equals("read") ) { return; } else if ( perm instanceof SerializablePermission ) { return; } super.checkPermission(perm); }
public SimplePolicy(TestCase test, ThreadLocal<AtomicBoolean> allowAll) { this.allowAll = allowAll; // we don't actually need any permission to create our // FileHandlers because we're passing invalid parameters // which will make the creation fail... permissions = new Permissions(); permissions.add(new RuntimePermission("accessDeclaredMembers")); permissions.add(new ReflectPermission("suppressAccessChecks")); // these are used for configuring the test itself... allPermissions = new Permissions(); allPermissions.add(new java.security.AllPermission()); }
NewInstancePolicy(boolean grant) { this.grant = grant; permissions.add(new SecurityPermission("getPolicy")); if (grant) { permissions.add(new RuntimePermission("getClassLoader")); permissions.add(new ReflectPermission(NEW_PROXY_IN_PKG + "p")); permissions.add(new ReflectPermission(NEW_PROXY_IN_PKG + "java.util.zip")); } }
private static boolean canAccessPrivateMethods() { try { SecurityManager securityManager = System.getSecurityManager(); if (null != securityManager) { securityManager.checkPermission(new ReflectPermission("suppressAccessChecks")); } } catch (SecurityException e) { return false; } return true; }
private boolean canAccessPrivateMethods() { try { SecurityManager securityManager = System.getSecurityManager(); if (null != securityManager) { securityManager.checkPermission(new ReflectPermission("suppressAccessChecks")); } } catch (SecurityException e) { return false; } return true; }
private static boolean canAccessPrivateMethods() { try { SecurityManager securityManager = System.getSecurityManager(); if (null != securityManager) { securityManager.checkPermission(new ReflectPermission( "suppressAccessChecks")); } } catch (SecurityException e) { return false; } return true; }