[rfc][icedtea-web] Fix support for signed applets with sandbox permissions in manifest

Andrew Azores aazores at redhat.com
Tue Jun 17 13:24:20 UTC 2014 

On 06/11/2014 09:46 AM, Andrew Azores wrote:
> On 06/03/2014 01:48 PM, Andrew Azores wrote:
>> On 05/27/2014 12:23 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> This patch allows signed applets with sandbox permissions specified 
>>> in their manifests to actually be run sandboxed. This is in contrast 
>>> to the current behaviour where such applets will fail to launch, and 
>>> the failure message presented asks the user to try launching via the 
>>> Sandbox button next time. This was because the dialog which 
>>> presented the Sandbox button appeared very early in the 
>>> JNLPClassLoader's life cycle - early enough that no security 
>>> settings had yet been set for the classloader or any of the applet's 
>>> JAR locations - whereas the manifest checks were done later, after 
>>> these settings would have already been initialized. Fixing the issue 
>>> was not as simple as doing the manifest checks before presenting the 
>>> security dialog because the dialog was presented part way through 
>>> the initialization process, where JARs are being downloaded and 
>>> checked for signing, so that the appropriate security dialog could 
>>> be shown to the user. Putting the manifest checks first would 
>>> therefore not work properly because the JARs were not yet available. 
>>> This patch resolves the issue by moving the manifest checks inside 
>>> the method which initializes the relevant security settings, such 
>>> that the required resources are available, it is known what type of 
>>> applet is about to be run, but the security settings for the JAR 
>>> locations have not yet been initialized and the applet can thus 
>>> still be set to run sandboxed safely.
>>>
>>> Additionally, the ManifestAttributesChecker check for the 
>>> Permissions attribute is no longer skipped when Extended Applet 
>>> Security is set to the Low level, since this allows for signed 
>>> applets with Sandbox permissions specified in their manifests to run 
>>> with full permissions when Low security is set.
>>>
>>> All existing reproducers have been run with this patch applied and 
>>> there appears to be no effect. Manual tests from the wiki have also 
>>> been run and no failures noted. Two new applets, reported in PR1767 
>>> [0], have been added as test cases to the wiki. These fail without 
>>> the patch and pass with it. A reproducer is also included, however, 
>>> the ALACA dialog will appear, which means manual intervention is 
>>> required to run this test as well. The test is marked KnownToFail 
>>> and this issue documented with the test case. This cannot be worked 
>>> around by disabling manifest attributes checking since this would 
>>> render the test meaningless as the Permissions manifest attribute 
>>> would then not be run to force sandboxing.
>>>
>>> ChangeLog:
>>>
>>> 2014-05-27  Andrew Azores  <aazores at redhat.com>
>>>
>>>     Fixed support for signed applets which specify the Permissions 
>>> attribute
>>>     as "sandbox" in their manifests. These applets are now properly run
>>>     sandboxed automatically, rather than requiring the user to click 
>>> the
>>>     "Sandbox" run button.
>>>     * netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
>>>     (JNLPClassLoader): manifest attributes checking and security 
>>> settings
>>>     moved inside initializeResources
>>>     (initializeResources): do not set entries in 
>>> jarLocationSecurityMap until
>>>     after prompting the user on whether to run the applet as well as
>>>     performing manifest attribute checks
>>>     (initializeManifestAttributesChecker): new method
>>>     (getJnlpFileCodebase): new method, extracted from 
>>> initializeResources
>>>     (SecurityDelegateImpl.setRunInSandbox): throw exception if 
>>> already forced
>>>     to run in sandbox, rather than if already prompted
>>>     * netx/net/sourceforge/jnlp/runtime/ManifestAttributesChecker.java
>>>     (checkPermissionsAttribute): do not skip checking if Extended 
>>> Applet
>>>     Security is Low. Remove try/catch on setRunInSandbox call as 
>>> this is now
>>>     supported.
>>>     * 
>>> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/testcases/SignedAppletManifestSpecifiesSandboxTests.java:
>>>     new test case
>>>     * 
>>> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/resources/SignedAppletManifestSpecifiesSandbox.html:
>>>     same
>>>     * 
>>> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/MANIFEST.MF:
>>>     same
>>>     * 
>>> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/Makefile:
>>>     same
>>>     * 
>>> tests/reproducers/custom/SignedAppletManifestSpecifiesSandbox/srcs/SignedAppletManifestSpecifiesSandbox.java:
>>>     same
>>>
>>>
>>> [0] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1767
>>>
>>> Thanks,
>>>
>>
>> Ping. I know this is a big one, and there's currently a decent 
>> workaround in place, so no rush on review. Just need to make sure it 
>> doesn't get lost.
>>
>> Thanks,
>>
>
> Ping again. I think this is probably going to have to wait for Jiri to 
> come back though.
>
> Thanks,
>

Ping.

Thanks,

-- 
Andrew A

More information about the distro-pkg-dev mailing list