status of Permissions attribute implementation

Jiri Vanek jvanek at redhat.com
Mon Jul 13 15:38:59 UTC 2015 

Hi!

http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20
http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions

I have added reproducers for all possible cases of Permissions attribute usage:
High security (ASK_UNSIGNED)
  - have sense only when attribute is missing. Then user is asked whether to continue. Both signed and unsigned javaws/applets
  - result is pass, itw behaves correctly.
   - whether it have sense to popup also for unsigned applets... Thats questionable. But I would say yes, it is marking that something is wrong. (And Iwould turn to allow_unsigned anyway;)

Low security (ALLOW_UNSIGNED)
   attribute have invalid value
    - always fail to start (ok)

  Signed
   attribute missing
     run with all permissions as expected
   attribute have all-permissions value
     run with all permissions as expected
   attribute have sandbox value
     depends on jnlp requesting security/all-permissions element
      - if there is nothing like it, then app runs n sandbox
      - if jnlp is requesting, then we currently dont lunch. Thats a bug and should be fixed
       - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/01082f3b6119#l34.78

  Unsigned
   attribute missing
     run in sandbox as expected
   attribute have all-permissions value
     - here is one disorder applet runs in sandbox, but jnlp file which is NOT requesting permissions fails. IMho again bug.
     - two occurrences in http://icedtea.classpath.org/hg/icedtea-web/rev/afb391ba4b20#l10.76
   attribute have sandbox value
     - if jnlp is requesting all-permissions, then fails
     - otherwise always run in sandbox

Both bugs seems to have same cause. and should be fixed.




Motivation was report that this dialogue keep popuping for ever under some circumsatnces.
I was not able to reproduce it, and will negotiate with reporter.


I will do similar tests for all implemented manifest attributes.

More information about the distro-pkg-dev mailing list