[rfc][icedtea-web] Fix support for signed applets with sandbox permissions in manifest

Andrew Azores aazores at redhat.com
Tue Jun 3 17:48:54 UTC 2014 

On 05/27/2014 12:23 PM, Andrew Azores wrote:
> Hi,
>
> This patch allows signed applets with sandbox permissions specified in 
> their manifests to actually be run sandboxed. This is in contrast to 
> the current behaviour where such applets will fail to launch, and the 
> failure message presented asks the user to try launching via the 
> Sandbox button next time. This was because the dialog which presented 
> the Sandbox button appeared very early in the JNLPClassLoader's life 
> cycle - early enough that no security settings had yet been set for 
> the classloader or any of the applet's JAR locations - whereas the 
> manifest checks were done later, after these settings would have 
> already been initialized. Fixing the issue was not as simple as doing 
> the manifest checks before presenting the security dialog because the 
> dialog was presented part way through the initialization process, 
> where JARs are being downloaded and checked for signing, so that the 
> appropriate security dialog could be shown to the user. Putting the 
> manifest checks first would therefore not work properly because the 
> JARs were not yet available. This patch resolves the issue by moving 
> the manifest checks inside the method which initializes the relevant 
> security settings, such that the required resources are available, it 
> is known what type of applet is about to be run, but the security 
> settings for the JAR locations have not yet been initialized and the 
> applet can thus still be set to run sandboxed safely.
>
> Additionally, the ManifestAttributesChecker check for the Permissions 
> attribute is no longer skipped when Extended Applet Security is set to 
> the Low level, since this allows for signed applets with Sandbox 
> permissions specified in their manifests to run with full permissions 
> when Low security is set.
>
> All existing reproducers have been run with this patch applied and 
> there appears to be no effect. Manual tests from the wiki have also 
> been run and no failures noted. Two new applets, reported in PR1767 
> [0], have been added as test cases to the wiki. These fail without the 
> patch and pass with it. A reproducer is also included, however, the 
> ALACA dialog will appear, which means manual intervention is required 
> to run this test as well. The test is marked KnownToFail and this 
> issue documented with the test case. This cannot be worked around by 
> disabling manifest attributes checking since this would render the 
> test meaningless as the Permissions manifest attribute would then not 
> be run to force sandboxing.
>
> ChangeLog:
>
> 2014-05-27  Andrew Azores  <aazores at redhat.com>
>
>     Fixed support for signed applets which specify the Permissions 
> attribute
>     as "sandbox" in their manifests. These applets are now properly run
>     sandboxed automatically, rather than requiring the user to click the
>     "Sandbox" run button.
>     * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>     (JNLPClassLoader): manifest attributes checking and security settings
>     moved inside initializeResources
>     (initializeResources): do not set entries in 
> jarLocationSecurityMap until
>     after prompting the user on whether to run the applet as well as
>     performing manifest attribute checks
>     (initializeManifestAttributesChecker): new method
>     (getJnlpFileCodebase): new method, extracted from initializeResources
>     (SecurityDelegateImpl.setRunInSandbox): throw exception if already 
> forced
>     to run in sandbox, rather than if already prompted
>     * netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
>     (checkPermissionsAttribute): do not skip checking if Extended Applet
>     Security is Low. Remove try/catch on setRunInSandbox call as this 
> is now
>     supported.
>     * 
> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/testcases/SignedAppletManifestSpecifiesSandboxTests.java:
>     new test case
>     * 
> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandbox.html:
>     same
>     * 
> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF:
>     same
>     * 
> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/Makefile:
>     same
>     * 
> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/SignedAppletManifestSpecifiesSandbox.java:
>     same
>
>
> [0] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1767
>
> Thanks,
>

Ping. I know this is a big one, and there's currently a decent 
workaround in place, so no rush on review. Just need to make sure it 
doesn't get lost.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list