RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses only
Robbin Ehn
robbin.ehn at oracle.com
Thu Mar 16 12:59:02 UTC 2017
Hi Dmitry, thanks for the update.
One follow-up issue is that if you start suspended and than connect with an unallowed client the JVM starts and executes the program.
Simple program prints "Hello".
[rehn at rehn-ws vanilla-hs]$ java -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:9999,allow=1.2.3.0/32 -cp . H
Listening for transport dt_socket at address: 9999
ERROR: Peer not allowed to connect
Listening for transport dt_socket at address: 9999
Hello
I think it would be good if the VM stayed suspended when an unallowed client connects.
Thanks, Robbin
On 03/13/2017 08:07 PM, Dmitry Samersoff wrote:
> Robbin,
>
> Please, see:
>
> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11
>
>> 1:
>> So connecting with an unallowed client terminates the VM.
>
> Fixed.
>
>> 2:
>> Starting with an bad allow filter terminates the VM when connecting a
>> client.
>
> Moved allowed parameter (and parser call) to StartListening.
>
> -Dmitry
>
>
> On 2017-03-10 15:56, Robbin Ehn wrote:
>> Hi Dmitry,
>>
>> I took a look at this, I have two practical issues:
>>
>> 1:
>> [rehn at rehn-ws dev]$ java
>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
>> -cp runs ForEver
>> Listening for transport dt_socket at address: 9999
>> ERROR: transport error 202: peer not allowed to connect: Success
>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>> error [transport.c:358]
>>
>> So connecting with an unallowed client terminates the VM.
>>
>> 2:
>> [rehn at rehn-ws dev]$ java
>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
>> -cp runs ForEver
>> Listening for transport dt_socket at address: 9999
>> ERROR: transport error 202: unable to parse list of allowed peers: Success
>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>> error [transport.c:358]
>>
>> Starting with an bad allow filter terminates the VM when connecting a
>> client.
>>
>>
>> Connecting with an unallowed ip/port should not terminate the VM and we
>> should verify allow filter directly at startup.
>>
>> Thanks
>>
>> /Robbin
>>
>> On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
>>> Everybody,
>>>
>>> Please review:
>>>
>>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>>>
>>> These changes introduce new parameter[1] of the socket transport -
>>> allow. Users can explicitly specify a list of hosts that allowed to
>>> connect to jdwp server and it's the second part of JDWP hardening[2].
>>>
>>> No restrictions are applied by default now but I'll file a separate CR
>>> to restrict list of allowed peers to localhost by default.
>>>
>>> Also these changes implement versioning for jdwp transport and therefor
>>> simplify feature development of jdwp.
>>>
>>>
>>> 1. Example command line:
>>>
>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
>>> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>>>
>>> Possible values for allow parameter:
>>> * - accept connections from everywhere.
>>> N.N.N.N - accept connections from this IP address only
>>> N.N.N.N/nn - accept connections from particular ip subnet
>>>
>>>
>>>
>>> 2. JDK-8052136 JDWP hardening
>>>
>>> -Dmitry
>>>
>
>
More information about the serviceability-dev
mailing list