@mageddo
Forked from hkalina/agent.cpp
Created Jun 20, 2020
Example of setting the Java security policy through the JVM Tool Interface (JVM TI) while the JVM is starting
/**
* JVM Tool Interface (JVMTI) agent that forces a SecurityManager on and
* sets the Java security policy when the agent is loaded, before the VM starts
* @author Jan Kalina <honza889@gmail.com>
*/
#include <stdio.h>
#include <string.h>

#include <jni.h>
#include <jvmti.h>
/**
 * JVMTI VMStart event handler: only logs that the VM has started.
 * Both parameters are unused; they are named for documentation only.
 */
void JNICALL callback_on_VMStart(jvmtiEnv *jvmti, JNIEnv *jni)
{
    (void) jvmti;
    (void) jni;
    fputs("callback_on_VMStart\n", stdout);
}
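// Policy file enforced when no agent options are supplied (the original
// hard-coded path, kept so existing invocations behave as before).
static const char DEFAULT_POLICY_PATH[] = "/home/honza/JVMTI/deny.policy";

/**
 * Prints the current value of the java.security.policy system property.
 *
 * @param jvmti the JVMTI environment obtained in Agent_OnLoad
 * @param tag   label for the log line ("OnLoad1" / "OnLoad2" in the sample run)
 *
 * The string returned by GetSystemProperty is JVMTI-allocated and has to be
 * released with Deallocate. When the property is not set the call fails and
 * leaves the out-pointer untouched, so the value is reported as unset instead
 * of handing an uninitialised pointer to printf.
 */
static void print_policy_property(jvmtiEnv *jvmti, const char *tag)
{
    char *value = NULL;
    jvmtiError err = jvmti->GetSystemProperty("java.security.policy", &value);
    if (err == JVMTI_ERROR_NONE && value != NULL) {
        printf("C++ %s: java.security.policy=%s [%d]\n", tag, value, (int) err);
        jvmti->Deallocate((unsigned char *) value);
    } else {
        printf("C++ %s: java.security.policy=<not set> [%d]\n", tag, (int) err);
    }
}

/**
 * Sets one system property through JVMTI and reports failure.
 *
 * @param jvmti the JVMTI environment
 * @param name  property name
 * @param value property value
 * @return true on success; false (after logging) when the VM refused the write,
 *         e.g. JVMTI_ERROR_NOT_AVAILABLE for a property that is not writable.
 */
static bool set_property_checked(jvmtiEnv *jvmti, const char *name, const char *value)
{
    jvmtiError err = jvmti->SetSystemProperty(name, value);
    if (err != JVMTI_ERROR_NONE) {
        printf("ERROR - SetSystemProperty(%s) failed with JVMTI error %d\n", name, (int) err);
        return false;
    }
    return true;
}

/**
 * Entry point the JVM calls while loading the agent (-agentpath/-agentlib),
 * before the VM is initialised and before any Java code runs.
 *
 * The agent turns the SecurityManager on and points java.security.policy at a
 * policy file, overriding whatever the command line asked for.
 *
 * @param javavm   the JVM being started
 * @param options  text after '=' in -agentpath:lib=options, or NULL; when
 *                 non-empty it is used as the policy file path, otherwise
 *                 DEFAULT_POLICY_PATH is used
 * @param reserved unused
 * @return JNI_OK on success; any other value makes the JVM abort start-up.
 *         Every JVMTI call that is part of the enforcement is checked, so a
 *         failure can never silently leave the JVM running without the
 *         policy (fail-closed rather than fail-open).
 */
JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *javavm, char *options, void *reserved)
{
    (void) reserved;
    printf("Agent_OnLoad\n");

    // check version of JVMTI. A NULL environment together with JNI_OK must not
    // be treated as success: returning JNI_OK here would let the JVM start
    // with no SecurityManager at all.
    jvmtiEnv *jvmti = NULL;
    jint result = javavm->GetEnv((void **) &jvmti, JVMTI_VERSION_1_0);
    if (result != JNI_OK || jvmti == NULL) {
        printf("COMPATIBILITY ERROR - Unable to access JVMTI Version 1 (0x%x) - is your J2SE a 1.5 or newer version? JavaVM->GetEnv() returned %d\n", JVMTI_VERSION_1, result);
        return JNI_ERR;
    }

    // Diagnostic VMStart hook only (it just prints). Its failure does not
    // weaken the policy, so it is logged and start-up continues.
    jvmtiEventCallbacks callbacks;
    memset(&callbacks, 0, sizeof(callbacks));
    callbacks.VMStart = &callback_on_VMStart;
    jvmtiError err = jvmti->SetEventCallbacks(&callbacks, sizeof(callbacks));
    if (err == JVMTI_ERROR_NONE) {
        err = jvmti->SetEventNotificationMode(JVMTI_ENABLE, JVMTI_EVENT_VM_START, NULL);
    }
    if (err != JVMTI_ERROR_NONE) {
        printf("WARNING - could not register VMStart callback (JVMTI error %d)\n", (int) err);
    }

    // show the policy the command line asked for
    print_policy_property(jvmti, "OnLoad1");

    // Policy file to enforce: the agent options string when one was given
    // (-agentpath:./libagent.so=/path/to/file.policy), else the built-in default.
    const char *policy = (options != NULL && options[0] != '\0') ? options : DEFAULT_POLICY_PATH;

    // Enforcement. Both writes are checked and a failure aborts start-up;
    // the purpose of the agent is that the JVM never runs without them.
    // NOTE: a plain path *adds* `policy` to the JDK's default policy files
    // (java.policy in the JRE, ~/.java.policy) rather than replacing them.
    // To make it the only policy, pass "=<path>" as the value (the '=='
    // form of -Djava.security.policy).
    // NOTE(review): SecurityManager and java.security.manager are deprecated
    // for removal since JDK 17 (JEP 411) and permanently disabled in JDK 24
    // (JEP 486); this mechanism only takes effect on older runtimes. It also
    // only constrains code running inside the JVM - whoever controls the
    // command line can simply omit -agentpath - so it is not a defence
    // against the launcher.
    if (!set_property_checked(jvmti, "java.security.manager", "default") ||
        !set_property_checked(jvmti, "java.security.policy", policy)) {
        return JNI_ERR;
    }

    // show the policy that is now in force
    print_policy_property(jvmti, "OnLoad2");
    return JNI_OK;
}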
/**
 * Called by the JVM when the agent is unloaded; only logs the event.
 *
 * @param vm the JVM unloading the agent (unused)
 */
JNIEXPORT void JNICALL Agent_OnUnload(JavaVM *vm)
{
    (void) vm;
    puts("Agent_OnUnload");
}
// "Deny" policy the JVMTI agent installs before the VM starts. The only grant
// is the property read Test.java needs to print java.security.policy; file
// access is not granted, which is why /etc/passwd is refused in the sample run.
// NOTE(review): with -Djava.security.policy=FILE (single '='), FILE is added to
// the JDK's default policy files rather than replacing them; use "=FILE" as the
// property value ('==' on the command line) to make this the only policy.
// codeBase "file:/home/honza/JVMTI/" matches class files in that directory only
// (not JARs, not subdirectories); append "-" to cover everything beneath it.
grant codeBase "file:/home/honza/JVMTI/" {
permission java.util.PropertyPermission "java.security.policy", "read";
};
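# Build and run the JVMTI policy-enforcing agent against the Test program.
#
# JAVA_HOME defaults to the JDK that owns the javac on PATH; override it on the
# command line (make JAVA_HOME=/usr/lib/jvm/<jdk>) to build against another JDK.
# Both include/ (jni.h, jvmti.h) and include/linux (jni_md.h) are needed on
# Linux. This replaces the stale per-version include paths that only existed
# on the original author's machine.
JAVA_HOME ?= $(shell dirname $$(dirname $$(readlink -f $$(which javac))))

CXX      ?= g++
# -ansi was dropped: for C++ it means -std=c++98 and contradicted -std=c++11
# (in GCC the later -std flag wins, so the build itself is unchanged).
CXXFLAGS ?= -Wall -pedantic -std=c++11 -fPIC
JNI_CPPFLAGS = -I$(JAVA_HOME)/include -I$(JAVA_HOME)/include/linux

# Default target: run Test under the agent. test.policy is what the command line
# asks for; the agent replaces it with deny.policy before the VM starts, which
# is what the run demonstrates.
test: Test.class libagent.so
	java -agentpath:./libagent.so \
	  -Djava.security.policy=/home/honza/JVMTI/test.policy \
	  -Djava.security.manager=default Test

# -f so a clean tree does not make the target fail.
clean:
	rm -f Test.class libagent.so

.PHONY: test clean

Test.class: Test.java
	javac Test.java

libagent.so: agent.cpp
	$(CXX) $(CXXFLAGS) $(JNI_CPPFLAGS) -shared -o libagent.so agent.cpp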
Agent_OnLoad
C++ OnLoad1: java.security.policy=/home/honza/JVMTI/test.policy [0]
C++ OnLoad2: java.security.policy=/home/honza/JVMTI/deny.policy [0]
callback_on_VMStart
Java: java.security.policy=/home/honza/JVMTI/deny.policy
Opening /home/honza/JVMTI/Test.java OK
Opening /etc/passwd ACCESS DENIED
Opening non-existing EXCEPTION
Agent_OnUnload
import java.security.Policy;
import java.io.File;
import java.io.FileReader;
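/**
 * Exercises the policy the JVMTI agent installs: opens three files and reports
 * whether each open succeeded, was denied by the SecurityManager, or failed
 * for another reason (e.g. the file does not exist).
 */
class Test {
    public static void main(String[] args) {
        System.out.println("Java: java.security.policy=" + System.getProperty("java.security.policy"));
        testFile("/home/honza/JVMTI/Test.java");
        testFile("/etc/passwd");
        testFile("non-existing");
    }

    /**
     * Opens and fully reads the file {@code name}, printing one of three verdicts
     * (OK on stdout; ACCESS DENIED / EXCEPTION on stderr). The reader is always
     * closed, including when the open or read fails.
     *
     * @param name path of the file to read
     */
    private static void testFile(String name) {
        FileReader reader = null;
        try {
            // With a SecurityManager installed, FileReader's constructor performs
            // the checkRead() the policy decides; AccessControlException comes from there.
            reader = new FileReader(new File(name));
            // Drain the stream in a loop: a single read() may return fewer chars
            // than requested. The content itself is not inspected.
            char[] buf = new char[4096];
            while (reader.read(buf) != -1) {
                // keep reading until EOF
            }
            System.out.println("Opening " + name + " OK");
        } catch (java.security.AccessControlException e) {
            // NOTE(review): AccessControlException and SecurityManager are deprecated
            // for removal since JDK 17 (JEP 411); this probe targets older JDKs.
            System.err.println("Opening " + name + " ACCESS DENIED");
        } catch (Exception e) {
            System.err.println("Opening " + name + " EXCEPTION");
        } finally {
            // Close on every path; the original leaked the reader when read() threw.
            if (reader != null) {
                try {
                    reader.close();
                } catch (java.io.IOException ignored) {
                    // nothing useful to do about a close failure in a probe
                }
            }
        }
    }
}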
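// Baseline policy named on the command line in the Makefile's `test` target.
// Least privilege: Test.java only reads files and the java.security.policy
// property, so only those two permissions are granted.
//  - FilePermission was "read, write, delete, execute" on /home/-; the test
//    never writes, deletes or executes, so the grant is narrowed to "read".
//  - SecurityPermission "getPolicy" was dropped: nothing calls Policy.getPolicy().
// In the sample run the agent swaps this file for deny.policy before the VM
// starts, so this policy is never actually in force there.
grant codeBase "file:/home/honza/JVMTI/" {
permission java.io.FilePermission "/home/-", "read";
permission java.util.PropertyPermission "java.security.policy", "read";
};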