Osgi, security on the fly

Recently, I got a question on how to disallow bundles to call System.exit method and shutdown the full system. 

The first solution is to do as an old static java applications :

1 - delegate security to osgi framework :
java -jar framework.jar -init -Djava.security.manager -Djava.security.policy=all.policy

all.policy
grant { permission java.security.AllPermission; 
      };


2 - deny all exit method call using java security api and deploy it using single bundle with an activator like :

import org.osgi.framework. {BundleActivator ,BundleContext }


class Activator extends   BundleActivator {
  @throws (classOf[ java.lang.Exception])
  def start( context:BundleContext){
  System setSecurityManager new SecurityManager() {
            override def checkExit( status:Int) {               
                throw new SecurityException("Reject System.exit(" + status + ")!");
            }
        }
  }
  @throws (classOf[ java.lang.Exception])
  def stop( context:BundleContext) {}
}


This blog will show how to change security permission per bundle on the fly using console.


Osgi is more flexible than standard java applications and security inside osgi is not an exception. Using Conditional Permission Admin make security more dynamic. 

to enable security on the fly a will use sosgi scala modules. 

while this bundle is under development, We can do many thing with it.

Prerequisite :

- scala-library-2.8.1.jar  -> scala language based
- scalamodules-core_2.8.1-2.0.4-SNAPSHOT.jar  -> clever osgi dsl
- slf4s_2.8.1-1.0.3.jar   -> scala logging dsl
- slf4j-api-1.6.1.jar with implementation as slf4j-simple-1.6.1.jar -> logging facade and implementation
- sbt-launch-0.7.4.jar -> to compile and package a bundle
- org.eclipse.osgi_3.6.2.jar  -> curently base on equinox and its Command Interpreter

installing :
launch the framework using all.policy file as :
java -Djava.security.manager -Djava.security.policy=all.policy -jar org.eclipse.osgi_3.6.2.R36x_v20110210.jar -console
install base bundles like :

i file:./admin/scala-library-2.8.1.jar
i file:./admin/slf4j-api-1.6.1.jar
i file:./admin/slf4j-simple-1.6.1.jar
i file:./admin/slf4s_2.8.1-1.0.3.jar  
i file:./admin/scalamodules-core_2.8.1-2.0.4-SNAPSHOT.jar
i file:./admin/osgi_2.8.1-1.0.jar

now for example install a  bundles to illustrate usage :

class Activator extends   BundleActivator {
  @throws (classOf[ java.lang.Exception])
  def start( context:BundleContext){
 
    try{
     
      System exit 0
   
    }catch {
      case e => println  (e)
    }

  }
.....

supposse theses bundles have 7 


running :

1 - list bundles

osgi> ss

Framework is launched.

id	State       Bundle
0	ACTIVE      org.eclipse.osgi_3.6.2.R36x_v20110210
1	INSTALLED   scala-library_2.8.1
2	INSTALLED   slf4j.api_1.6.1
3	INSTALLED   slf4j.simple_1.6.1
4	INSTALLED   com.weiglewilczek.slf4s_1.0.3
5	INSTALLED   com.weiglewilczek.scalamodules.core_2.0.4.SNAPSHOT
6	INSTALLED   com.ouertani.osgi_1.0.0
7	INSTALLED   com.osgi.1e_1.0.0.SNAPSHOT

osgi> 


2 - start security bundle 
 start 6
3 - update admin dir
setprop ADMIN_DIR="*/admin/*"
4- init security bundle
sosgi !
5- try to call start bundle 7
start 7
java.security.AccessControlException: access denied (java.lang.RuntimePermission exitVM.0)
great system.exit is not allowed for this bundle

6- to allow bundle 7 to call exit and shutdown the VM 
sosgi + 7 ( java.lang.RuntimePermission ""exitVM.*"" )

7- add permissions to bundle 7


sosgi + 7 (  org.osgi.framework.PackagePermission ""*"" ""import"" )
sosgi + 7 ( java.lang.RuntimePermission ""exitVM.*"" )

8- start bundle 7 or update it 
start 7
great ! VM is shuting down

More :

display security

sosgi ?


FOR 
+ [generated_1301865364030] 
If 
	org.osgi.service.condpermadmin.BundleLocationCondition */admin/*
Then  
		org.osgi.framework.ServicePermission  org.eclipse.osgi.framework.console.CommandProvider register  AND 
 		java.security.AllPermission  * *  AND 
 		org.osgi.framework.AdminPermission  * *  AND 
 		org.osgi.framework.PackagePermission  * * 
END FI

clear all security

sosgi !!