 

Create java sandbox based on security policies

Tags: java, sandbox

I need to create an environment to run potentially untrusted code. The program is allowed to connect to a preconfigured address:port and nothing else (not even read the system time). I have compiled the class whitelist. I searched similar questions, but found only a template based on SecurityManager, which AFAIK is deprecated. Can anybody give me a simple sample of how to run code in a sandbox based on security policies and AccessController?

gordon-quad asked May 19 '10 17:05



1 Answer

As far as I know, it's still SecurityManager that runs the security checks, but it seems to delegate to AccessController nowadays.

First you'll need to switch on the security manager:

-Djava.security.manager

If you omit this argument there'll be no sandbox whatsoever.

Second you'll need to tell where to find the policy file:

-Djava.security.policy=

This will add your permissions to the ones already defined in your Java home. The original sandbox rules are in .../jre/lib/security/java.policy. However, if you want your policy to be the only one, you'll need to use a double "=". This way you control completely what's allowed.

For example:

-Djava.security.policy==

I would advise you to use the "policytool" shipped with Java. It's fairly basic, but it helps you to quickly write a policy file with the correct syntax.

I hope this helps...

Jan Goyvaerts answered Oct 06 '22 05:10
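The following is an added worked example of the procedure the answer describes (enable the manager, supply a replacement policy with `==`, grant the untrusted code only a SocketPermission); it is not code from the page or from the answerer. It assumes a hypothetical layout with the launcher's classes in `launcher/`, the third-party classes in `untrusted/`, a policy file named `sandbox.policy` in the project root, and a hypothetical target `sandbox-target.example:8443`; the policy text is reproduced in the header comment so that the example is self-contained. Beyond the answer, it also shows the AccessController side the question asked about: a restricted AccessControlContext built from a ProtectionDomain with static permissions, which can be probed with `checkPermission` even before the manager is installed, and which caps the permissions of the call stack that runs the untrusted `main`. Three caveats worth knowing before relying on this: the policy mechanism gates only operations that call `checkPermission`, so `System.currentTimeMillis()` and `System.nanoTime()` cannot be denied by any policy; on JDK 9 and later the default `java.policy` also carries grants for JDK modules (for example `jdk.crypto.ec`), so replacing it with `==` can make TLS or XML code inside the sandboxed JVM fail until you grant those back; and SecurityManager was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so this works on JDK 11 through 23 only.

```java
// SandboxLauncher.java -- added example, not code from the page or the answerer.
// Hypothetical sandbox.policy (project root); the launcher is trusted, the
// untrusted codebase may only reach one host:port:
//
//   grant codeBase "file:${user.dir}/launcher/-" {
//       permission java.security.AllPermission;
//   };
//   grant codeBase "file:${user.dir}/untrusted/-" {
//       permission java.net.SocketPermission "sandbox-target.example:8443", "connect,resolve";
//   };
//
// Build and run from the project root, so ${user.dir} expands to it:
//   javac -d launcher SandboxLauncher.java
//   java -Djava.security.manager -Djava.security.policy==sandbox.policy \
//        -cp launcher SandboxLauncher untrusted UntrustedMain
import java.io.FilePermission;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.SocketPermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class SandboxLauncher {

    // The single thing untrusted code may do; must match the grant in sandbox.policy (hypothetical host).
    static final Permission ALLOWED =
        new SocketPermission("sandbox-target.example:8443", "connect,resolve");

    /** A context whose only domain holds exactly `granted`: static permissions, the Policy is never consulted. */
    static AccessControlContext restrictedTo(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission g : granted) perms.add(g);
        return new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, perms) });
    }

    /** Would a call stack capped by `ctx` pass the check for `p`? Works with no SecurityManager installed. */
    static boolean permits(AccessControlContext ctx, Permission p) {
        try {
            ctx.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        AccessControlContext ceiling = restrictedTo(ALLOWED);

        if (System.getSecurityManager() == null || args.length != 2) {
            // Dry run: show what the ceiling permits, then refuse to run anything untrusted.
            System.out.println("connect 8443:     " + permits(ceiling, new SocketPermission("sandbox-target.example:8443", "connect")));
            System.out.println("connect 443:      " + permits(ceiling, new SocketPermission("sandbox-target.example:443", "connect")));
            System.out.println("read user.home:   " + permits(ceiling, new PropertyPermission("user.home", "read")));
            System.out.println("read /etc/passwd: " + permits(ceiling, new FilePermission("/etc/passwd", "read")));
            System.err.println("no SecurityManager or bad arguments; see the run command at the top of this file");
            System.exit(2);
        }

        // Load the untrusted classes from their own (existing) directory so they get their own
        // CodeSource, the one sandbox.policy keys on, and cannot see the launcher's classes.
        URL[] codebase = { Path.of(args[0]).toAbsolutePath().toUri().toURL() };
        try (URLClassLoader loader = new URLClassLoader(codebase, ClassLoader.getPlatformClassLoader())) {
            Method untrustedMain = Class.forName(args[1], true, loader).getMethod("main", String[].class);
            // Every checkPermission on this stack must be implied by the untrusted domain AND by
            // the ceiling, so a too-generous policy file still cannot hand out more than ALLOWED.
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                untrustedMain.invoke(null, (Object) new String[0]);
                return null;
            }, ceiling);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getException();
            if (cause instanceof InvocationTargetException) cause = cause.getCause();
            System.err.println("untrusted code stopped: " + cause);   // typically an AccessControlException
            System.exit(1);
        }
    }
}
```

In the dry run only the first probe is permitted: the other port fails the port-range check, and the property and file reads are not implied by a SocketPermission at all. The restricted context is a cap, not a substitute for the policy grant: if the untrusted code itself calls `AccessController.doPrivileged`, the stack walk stops at its own frame and only its ProtectionDomain (the `untrusted/` codeBase grant) is consulted, so keep that grant minimal. The `-` suffix in the codeBase URLs covers the directory and everything below it, which is what a directory-backed URLClassLoader reports as its CodeSource.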