RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses only
Robbin Ehn
robbin.ehn at oracle.com
Fri Mar 10 12:56:58 UTC 2017
Hi Dmitry,
I took a look at this; I have two practical issues:
1:
[rehn at rehn-ws dev]$ java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6 -cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: peer not allowed to connect: Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal error [transport.c:358]
So connecting with an unallowed client terminates the VM.
2:
[rehn at rehn-ws dev]$ java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6 -cp runs ForEver
Listening for transport dt_socket at address: 9999
ERROR: transport error 202: unable to parse list of allowed peers: Success
JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal error [transport.c:358]
Starting with a bad allow filter terminates the VM when connecting a client.
Connecting with an unallowed ip/port should not terminate the VM and we should verify allow filter directly at startup.
Thanks
/Robbin
On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
> Everybody,
>
> Please review:
>
> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>
> These changes introduce a new parameter[1] of the socket transport -
> allow. Users can explicitly specify a list of hosts that are allowed to
> connect to the jdwp server, and it's the second part of JDWP hardening[2].
>
> No restrictions are applied by default now but I'll file a separate CR
> to restrict the list of allowed peers to localhost by default.
>
> Also these changes implement versioning for jdwp transport and therefore
> simplify feature development of jdwp.
>
>
> 1. Example command line:
>
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>
> Possible values for allow parameter:
> * - accept connections from everywhere.
> N.N.N.N - accept connections from this IP address only
> N.N.N.N/nn - accept connections from particular ip subnet
>
>
>
> 2. JDK-8052136 JDWP hardening
>
> -Dmitry
>
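The following is an added illustration of the allow-filter semantics described in the quoted message (`*`, `N.N.N.N`, `N.N.N.N/nn`, entries separated by `;` as in the example command line), written to show the two behaviours Robbin asks for: the filter is validated once when it is parsed, so a malformed entry such as `6.BAD.6.6` is rejected before any client connects, and a peer that does not match is merely refused rather than taking the listener down. It is not code from the webrev or from the JDWP transport; the function names `parse_allow_list` and `peer_allowed` and the `allow_entry` struct are assumptions, and peers are given as dotted-quad strings instead of a `sockaddr` to keep the example self-contained. Only IPv4 is handled, since the message describes only IPv4 forms.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of the allow list: network address (host byte order) and prefix
 * length. A prefix of 0 is the wildcard "*". (Hypothetical type.) */
typedef struct {
    uint32_t net;
    int prefix;
} allow_entry;

/* Strictly parse a dotted quad in [s, end). Returns 1 on success. */
static int parse_ipv4(const char *s, const char *end, uint32_t *out) {
    uint32_t v = 0;
    int octets = 0;
    while (s < end) {
        unsigned long o = 0;
        int digits = 0;
        if (*s < '0' || *s > '9') return 0;          /* e.g. "6.BAD.6.6" */
        while (s < end && *s >= '0' && *s <= '9') {
            o = o * 10 + (unsigned)(*s - '0');
            if (o > 255 || ++digits > 3) return 0;
            s++;
        }
        v = (v << 8) | (uint32_t)o;
        octets++;
        if (s < end) {
            if (*s != '.' || octets == 4) return 0;   /* junk or 5th octet */
            s++;
            if (s == end) return 0;                   /* trailing dot */
        }
    }
    if (octets != 4) return 0;
    *out = v;
    return 1;
}

/* Parse one entry: "*", "N.N.N.N" or "N.N.N.N/nn". */
static int parse_entry(const char *s, const char *end, allow_entry *e) {
    if (end - s == 1 && *s == '*') { e->net = 0; e->prefix = 0; return 1; }
    const char *slash = memchr(s, '/', (size_t)(end - s));
    const char *ip_end = slash ? slash : end;
    if (!parse_ipv4(s, ip_end, &e->net)) return 0;
    if (!slash) { e->prefix = 32; return 1; }         /* single host */
    const char *p = slash + 1;
    long n = 0;
    int digits = 0;
    if (p == end) return 0;                           /* "1.2.3.4/" */
    while (p < end) {
        if (*p < '0' || *p > '9') return 0;
        n = n * 10 + (*p - '0');
        if (++digits > 2) return 0;
        p++;
    }
    if (n > 32) return 0;
    e->prefix = (int)n;
    return 1;
}

/* Parse the whole ';'-separated list at startup. Returns the number of
 * entries, or -1 on any malformed entry so the caller can refuse to start
 * instead of failing later when the first client connects. */
int parse_allow_list(const char *spec, allow_entry *out, int max) {
    int count = 0;
    const char *s = spec;
    for (;;) {
        const char *end = strchr(s, ';');
        if (!end) end = s + strlen(s);
        if (end == s || count == max) return -1;      /* empty entry / overflow */
        if (!parse_entry(s, end, &out[count])) return -1;
        count++;
        if (*end == '\0') return count;
        s = end + 1;
    }
}

static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Returns 1 if the peer address matches any entry, else 0. A non-matching
 * peer is just refused; the listening socket stays up. */
int peer_allowed(const allow_entry *list, int count, const char *peer_ip) {
    uint32_t peer;
    if (!parse_ipv4(peer_ip, peer_ip + strlen(peer_ip), &peer)) return 0;
    for (int i = 0; i < count; i++) {
        uint32_t m = prefix_mask(list[i].prefix);
        if ((peer & m) == (list[i].net & m)) return 1;
    }
    return 0;
}

int main(void) {
    allow_entry list[8];
    /* Constructed inputs taken from the command lines in this thread. */
    int n = parse_allow_list("127.0.0.0/8;192.168.0.0/24", list, 8);
    printf("entries=%d 127.0.0.1:%d 192.168.1.1:%d\n", n,
           peer_allowed(list, n, "127.0.0.1"), peer_allowed(list, n, "192.168.1.1"));
    printf("bad filter parses to %d\n", parse_allow_list("6.BAD.6.6", list, 8));
    return 0;
}
```

Calling `parse_allow_list` once while the agent initialises (and aborting with a clear message if it returns -1) addresses the second issue, and checking `peer_allowed` in the accept path and closing the socket on 0 addresses the first.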