RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses only
Robbin Ehn
robbin.ehn at oracle.com
Wed Apr 19 14:37:59 UTC 2017
Hi Dmitry, sorry for the delay.
Yes thanks, everything seems to work.
Code looks reasonable.
/Robbin
On 03/29/2017 05:10 PM, Dmitry Samersoff wrote:
> Robbin,
>
>> One follow-up issue is that if you start suspended
>> and than connect with
>> an unallowed client the JVM starts and executes the program.
>
> Fixed.
>
> see http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.15
>
> -Dmitry
>
> On 2017-03-16 15:59, Robbin Ehn wrote:
>> Hi Dmitry, thanks for the update.
>>
>> One follow-up issue is that if you start suspended and than connect with
>> an unallowed client the JVM starts and executes the program.
>> Simple program prints "Hello".
>>
>> [rehn at rehn-ws vanilla-hs]$ java
>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:9999,allow=1.2.3.0/32
>> -cp . H
>> Listening for transport dt_socket at address: 9999
>> ERROR: Peer not allowed to connect
>> Listening for transport dt_socket at address: 9999
>> Hello
>>
>> I think it would be good if the VM stayed suspended when an unallowed
>> client connects.
>>
>> Thanks, Robbin
>>
>> On 03/13/2017 08:07 PM, Dmitry Samersoff wrote:
>>> Robbin,
>>>
>>> Please, see:
>>>
>>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11
>>>
>>>> 1:
>>>> So connecting with an unallowed client terminates the VM.
>>>
>>> Fixed.
>>>
>>>> 2:
>>>> Starting with an bad allow filter terminates the VM when connecting a
>>>> client.
>>>
>>> Moved allowed parameter (and parser call) to StartListening.
>>>
>>> -Dmitry
>>>
>>>
>>> On 2017-03-10 15:56, Robbin Ehn wrote:
>>>> Hi Dmitry,
>>>>
>>>> I took a look at this, I have two practical issues:
>>>>
>>>> 1:
>>>> [rehn at rehn-ws dev]$ java
>>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
>>>>
>>>> -cp runs ForEver
>>>> Listening for transport dt_socket at address: 9999
>>>> ERROR: transport error 202: peer not allowed to connect: Success
>>>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>>>> error [transport.c:358]
>>>>
>>>> So connecting with an unallowed client terminates the VM.
>>>>
>>>> 2:
>>>> [rehn at rehn-ws dev]$ java
>>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
>>>>
>>>> -cp runs ForEver
>>>> Listening for transport dt_socket at address: 9999
>>>> ERROR: transport error 202: unable to parse list of allowed peers:
>>>> Success
>>>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>>>> error [transport.c:358]
>>>>
>>>> Starting with an bad allow filter terminates the VM when connecting a
>>>> client.
>>>>
>>>>
>>>> Connecting with an unallowed ip/port should not terminate the VM and we
>>>> should verify allow filter directly at startup.
>>>>
>>>> Thanks
>>>>
>>>> /Robbin
>>>>
>>>> On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
>>>>> Everybody,
>>>>>
>>>>> Please review:
>>>>>
>>>>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>>>>>
>>>>> These changes introduce new parameter[1] of the socket transport -
>>>>> allow. Users can explicitly specify a list of hosts that allowed to
>>>>> connect to jdwp server and it's the second part of JDWP hardening[2].
>>>>>
>>>>> No restrictions are applied by default now but I'll file a separate CR
>>>>> to restrict list of allowed peers to localhost by default.
>>>>>
>>>>> Also these changes implement versioning for jdwp transport and therefor
>>>>> simplify feature development of jdwp.
>>>>>
>>>>>
>>>>> 1. Example command line:
>>>>>
>>>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
>>>>> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>>>>>
>>>>> Possible values for allow parameter:
>>>>> * - accept connections from everywhere.
>>>>> N.N.N.N - accept connections from this IP address only
>>>>> N.N.N.N/nn - accept connections from particular ip subnet
>>>>>
>>>>>
>>>>>
>>>>> 2. JDK-8052136 JDWP hardening
>>>>>
>>>>> -Dmitry
>>>>>
>>>
>>>
>
>
More information about the serviceability-dev
mailing list