[rfc][icedtea-web] (PR1264) Run in Sandbox button

Andrew Azores aazores at redhat.com
Wed Feb 26 06:48:32 PST 2014 

On 02/10/2014 11:25 AM, Andrew Azores wrote:
> On 01/27/2014 02:55 PM, Andrew Azores wrote:
>> On 01/14/2014 04:26 PM, Andrew Azores wrote:
>>> On 01/10/2014 04:58 PM, Andrew Azores wrote:
>>>> Hi,
>>>>
>>>> As inspired by an earlier mailing list thread [1]/[2]/[3], this 
>>>> patch introduces a new "Sandbox" button in the dialog that appears 
>>>> when a user is prompted to decide whether or not they trust the 
>>>> signer of an applet. If the user clicks "Run", then the applet 
>>>> proceeds as normal, being granted full Java Permissions (except in 
>>>> edge cases such as PR1592 - mixed JAR signing - and PR1513 - 
>>>> external main-class). If the user clicks "Sandbox", however, the 
>>>> classloader will treat the applet as if it is completely unsigned, 
>>>> and run it only with Sandbox Permissions, disregarding the fact 
>>>> that the applet has been signed.
>>>>
>>>> More work will need to be done with this patch once the 
>>>> PartiallySigned Dialogs patch goes in, so that that dialog also 
>>>> supports this action. This will be done at a later date in a new 
>>>> changeset.
>>>>
>>>> Automated tests have been largely left out of this patch since it 
>>>> deals with adding GUI elements, and the state of the ClassLoader 
>>>> itself cannot be directly influenced by a reproducer without 
>>>> interacting with security prompts (obviously). A small unit test 
>>>> was included to check the conversion between a new AppletAction 
>>>> enum type and arbitrary Object references - see the patch for the 
>>>> relevance of this enum and why this test needs to be done.
>>>>
>>>> Non-automated testing should involve:
>>>> 1) running unsigned applets and verifying that the CertWarning 
>>>> dialog does not appear
>>>> 2) running unsigned applets and verifying that there is no Sandbox 
>>>> button
>>>> 3) running signed applets and verifying that there is a Sandbox 
>>>> button, which is enabled iff the "always trust content" checkbox is 
>>>> NOT ticked
>>>> 4) running signed applets with the "Run" button results in a normal 
>>>> applet launch (same behaviour with and without patch applied)
>>>> 5) running signed applets with the "Sandbox" button results in the 
>>>> applet not being able to perform privileged actions
>>>>
>>>> Some sample signed applets to test with:
>>>> a) http://caff.de/applettest/Signed.html - once the applet 
>>>> launches, privileged actions include printing and saving local 
>>>> files. "Sandbox" mode should result in permission denied error dialogs
>>>> b) https://oasisweb.uga.edu/oasis.html - launch browser from 
>>>> terminal to run this test. The applet will attempt to read several 
>>>> system properties, which it will print out. In standard run, these 
>>>> will be successfully read. In Sandbox mode, permission denied 
>>>> errors will be printed instead.
>>>> c) JOGL tests at 
>>>> http://jogamp.org/deployment/jogamp-current/jogl-test-applets.html 
>>>> - launch browser from terminal to run this test. Running applets in 
>>>> Sandbox mode will cause most of the applets to fail at runtime, 
>>>> with AccessControlExceptions printed to the terminal.
>>>>
>>>> Known issues (needing discussion):
>>>> - The CertWarning dialog sometimes appears more than once for a 
>>>> given applet (this is existing behaviour) - once per certificate 
>>>> that the user needs to approve trust. It doesn't seem to make sense 
>>>> for the "Sandbox" button to only apply to some subset of JARs in an 
>>>> applet based on signers, rather it should simply apply to the 
>>>> entire applet. Should further CertWarnings simply not be shown 
>>>> after the first time, if the Sandbox option is chosen the first 
>>>> time? Currently the implementation sets the entire classloader to 
>>>> Sandbox mode when a Sandbox button is pressed, which *must* occur 
>>>> before any classes are loaded and assigned security descriptors, so 
>>>> pressing Sandbox the first time and Run the second time will still 
>>>> result in Sandboxed behaviour. Or, should subsequent CertWarnings 
>>>> still be shown but perhaps with the Run button disabled if Sandbox 
>>>> has been chosen at least once prior?
>>>> - The entire classloader is set to Sandbox mode, and this is not 
>>>> done with any more fine-grained control than this. If multiple 
>>>> applets are sharing the same classloader instance, then they will 
>>>> all be run sandboxed. This can be changed, but I think it's going 
>>>> to be a very rare situation where applets that are sharing a 
>>>> classloader will not all be trusted at the same level by the user. 
>>>> Leaving it as it is keeps the implementation simpler.
>>>>
>>>> ChangeLog:
>>>> Added "Sandbox" button to CertWarning dialogs, allowing signed applets
>>>> to be run with restricted permissions
>>>> * netx/net/sourceforge/jnlp/resources/Messages.properties: 
>>>> (ButSandbox,
>>>> LRunInSandboxError, LRunInSandboxErrorInfo): new messages
>>>> * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java: (security)
>>>> initialize to null when declared. (runInSandbox) new field.
>>>> (getRunInSandbox) getter for new field. (setRunInSandbox) set the
>>>> classloader to run current applet sandboxed. (activateJars,
>>>> initializeResources, addNewJar, setSecurity) assign sandbox 
>>>> permissions
>>>> regardless of signing if runInSandbox is set. (createInstance) do 
>>>> not show
>>>> unsigned applet prompt if runInSandbox is set.
>>>> * netx/net/sourceforge/jnlp/security/AppVerifier.java:
>>>> (checkTrustWithUser) added JNLPClassLoader param
>>>> * netx/net/sourceforge/jnlp/security/CertWarningPane.java: added 
>>>> Sandbox
>>>> button
>>>> * netx/net/sourceforge/jnlp/security/JNLPAppVerifier.java:
>>>> (checkTrustWithUser) uses AppletAction enum type, calls
>>>> JNLPClassLoader#setRunInSandbox if AppletAction is SANDBOX
>>>> * netx/net/sourceforge/jnlp/security/PluginAppVerifier.java: same
>>>> * netx/net/sourceforge/jnlp/security/SecurityDialogs.java: added
>>>> (AppletAction) enum type. (showCertWarning) returns AppletAction
>>>> rather than boolean
>>>> * netx/net/sourceforge/jnlp/security/VariableX509TrustManager.java:
>>>> (askUser) refactor to use AppletAction rather than boolean
>>>> * netx/net/sourceforge/jnlp/tools/JarCertVerifier.java:
>>>> (checkTrustWithUser) added JNLPClassLoader param
>>>> * 
>>>> tests/netx/unit/net/sourceforge/jnlp/security/SecurityDialogsTest.java: 
>>>>
>>>> (testGetIntegerResponseAsAppletAction) new tests for converting Object
>>>> references into AppletActions
>>>>
>>>>
>>>> [1] 
>>>> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-October/025394.html
>>>> [2] 
>>>> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-November/025396.html
>>>> [3] 
>>>> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-December/025399.html
>>>>
>>>> Thanks,
>>>>
>>>
>>> Again, updating the patches here due to discussions on IRC.
>>>
>>> Changes since the last set:
>>> - There's a new "-Xtrustnone" switch for command-line javaws. This 
>>> is like -Xtrustall but rather than choosing the "Run/Proceed" 
>>> option, the "Sandbox" option is taken.
>>>     - this is used for the new reproducer that is included, which 
>>> verifies that the Run in Sandbox button really does reduce the 
>>> permissions of a signed applet
>>> - part of JNLPClassLoader#initializeResources was refactored
>>> - the buttons on CertWarningDialogs now have tooltips
>>> - Clicking "Sandbox" on a CertWarningDialog causes any subsequent 
>>> CertWarningDialogs to not appear, at least not from the same 
>>> classloader. In the unusual cases where an applet has multiple 
>>> classloaders (eg some of the jogl jnlp applets), then multiple 
>>> dialogs may still appear.
>>>
>>> Thanks,
>>>
>>
>> Ping.
>>
>> Thanks,
>>
>
> Ping... ?
>
> Thanks,
>

Ping.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list