Example of setting the security policy through the JVM Tool Interface (JVM TI) while the JVM is starting
/**
 * JVM Tool Interface agent which sets the
 * security policy when the agent is loaded.
 * @author Jan Kalina <honza889@gmail.com>
 */
#include <stdio.h>
#include <string.h>
#include <jni.h>
#include <jvmti.h>
/**
 * VMStart event handler registered from Agent_OnLoad.
 * It only reports that the event fired; neither environment is used.
 *
 * @param jvmti JVM TI environment (unused)
 * @param jni   JNI environment of the calling thread (unused)
 */
void JNICALL callback_on_VMStart(jvmtiEnv *jvmti, JNIEnv *jni)
{
    (void) jvmti;
    (void) jni;
    puts("callback_on_VMStart");
}
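/** Policy file the agent switches the JVM to when no agent options are given. */
static const char *const DEFAULT_POLICY_PATH = "/home/honza/JVMTI/deny.policy";

/**
 * Prints the current value of the java.security.policy system property.
 *
 * The string filled in by GetSystemProperty is allocated by the JVM TI
 * implementation and must be released with Deallocate, otherwise it leaks.
 * On failure the value is not dereferenced (it is left NULL).
 *
 * @param jvmti JVM TI environment obtained in Agent_OnLoad
 * @param label tag printed in front of the value ("OnLoad1", "OnLoad2")
 */
static void print_policy_property(jvmtiEnv *jvmti, const char *label)
{
    char *value = NULL;
    jvmtiError err = jvmti->GetSystemProperty("java.security.policy", &value);
    printf("C++ %s: java.security.policy=%s [%d]\n", label,
           (err == JVMTI_ERROR_NONE && value != NULL) ? value : "(unavailable)", err);
    if (value != NULL) {
        jvmti->Deallocate((unsigned char *) value);
    }
}

/**
 * Sets one system property and reports a failure instead of silently continuing.
 *
 * @param jvmti JVM TI environment obtained in Agent_OnLoad
 * @param name  property name
 * @param value new property value
 * @return true when the property was set, false otherwise
 */
static bool set_property_checked(jvmtiEnv *jvmti, const char *name, const char *value)
{
    jvmtiError err = jvmti->SetSystemProperty(name, value);
    if (err != JVMTI_ERROR_NONE) {
        printf("ERROR - SetSystemProperty(%s) failed with JVM TI error %d\n", name, err);
        return false;
    }
    return true;
}

/**
 * Agent entry point, called by the JVM during start-up (OnLoad phase).
 *
 * Registers the VMStart callback and then forces the java.security.manager
 * and java.security.policy system properties so that the JVM starts with the
 * agent's policy rather than the one given on the command line. The policy
 * path is taken from the agent options (-agentpath:libagent.so=<path>) when
 * present, otherwise DEFAULT_POLICY_PATH is used. Note that the
 * SecurityManager this relies on is deprecated since Java 17 (JEP 411).
 *
 * @param javavm   the JVM being started
 * @param options  agent option string, may be NULL or empty
 * @param reserved unused, per the JVM TI contract
 * @return JNI_OK to continue start-up; any other value makes the JVM terminate,
 *         which is used here to fail closed when the policy cannot be installed
 */
JNIEXPORT jint JNICALL Agent_OnLoad(JavaVM *javavm, char *options, void *reserved)
{
    (void) reserved;
    printf("Agent_OnLoad\n");

    // Obtain the JVM TI environment; refuse to load without it.
    jvmtiEnv *jvmti = NULL;
    jint result = javavm->GetEnv((void **) &jvmti, JVMTI_VERSION_1_0);
    if (result != JNI_OK || jvmti == NULL) {
        printf("COMPATIBILITY ERROR - Unable to access JVMTI Version 1 (0x%x) - is your J2SE a 1.5 or newer version? JavaVM->GetEnv() returned %d\n", JVMTI_VERSION_1_0, result);
        // A JNI_OK result with a NULL environment must not be reported as success,
        // or the JVM would start with the agent having done nothing.
        return result != JNI_OK ? result : JNI_ERR;
    }

    // Register the VMStart callback. A failure here only loses the diagnostic
    // print, so it is reported but does not stop the JVM.
    jvmtiEventCallbacks callbacks;
    memset(&callbacks, 0, sizeof(callbacks));
    callbacks.VMStart = &callback_on_VMStart;
    jvmtiError err = jvmti->SetEventCallbacks(&callbacks, (jint) sizeof(callbacks));
    if (err == JVMTI_ERROR_NONE) {
        err = jvmti->SetEventNotificationMode(JVMTI_ENABLE, JVMTI_EVENT_VM_START, NULL);
    }
    if (err != JVMTI_ERROR_NONE) {
        printf("WARNING - unable to register VMStart callback, JVM TI error %d\n", err);
    }

    const char *policy_path =
        (options != NULL && options[0] != '\0') ? options : DEFAULT_POLICY_PATH;

    print_policy_property(jvmti, "OnLoad1");

    // Fail closed: if either property cannot be set the JVM would start without
    // the intended SecurityManager / policy, so abort start-up instead.
    if (!set_property_checked(jvmti, "java.security.manager", "default")
        || !set_property_checked(jvmti, "java.security.policy", policy_path)) {
        return JNI_ERR;
    }

    print_policy_property(jvmti, "OnLoad2");
    return JNI_OK;
}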
/**
 * Agent exit hook, called by the JVM when the agent library is unloaded.
 * Nothing is released here; the hook only logs that it ran.
 *
 * @param vm the JVM unloading the agent (unused)
 */
JNIEXPORT void JNICALL Agent_OnUnload(JavaVM *vm)
{
    (void) vm;
    fputs("Agent_OnUnload\n", stdout);
}
// Restrictive policy the agent installs during OnLoad (deny.policy).
// The only grant in this file lets code loaded from the gist directory read
// the java.security.policy property; no FilePermission is granted here.
// NOTE(review): whether other policy files (the JDK default policy) still
// apply depends on how the java.security.policy property is given - confirm.
grant codeBase "file:/home/honza/JVMTI/" {
    permission java.util.PropertyPermission "java.security.policy", "read";
};
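# Build and run the JVM TI agent demo.
#
# JAVA_HOME selects the JDK whose headers (jvmti.h, jni.h, jni_md.h) are used.
# Override on the command line: make JAVA_HOME=/path/to/jdk
JAVA_HOME ?= /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.25.x86_64

# Run the test program with the agent loaded. test.policy is passed on the
# command line and the agent replaces it with its own policy during OnLoad,
# which is what this demo shows.
test: Test.class libagent.so
	java -agentpath:./libagent.so \
	    -Djava.security.policy=/home/honza/JVMTI/test.policy \
	    -Djava.security.manager=default Test

# -f keeps clean from failing when the build outputs do not exist yet.
clean:
	rm -f Test.class libagent.so

.PHONY: test clean

Test.class: Test.java
	javac Test.java

# -ansi was dropped: the later -std=c++11 overrode it anyway.
# The extra include paths are kept from the original setup as fallbacks.
libagent.so: agent.cpp
	g++ -Wall -pedantic -std=c++11 -fPIC \
	    -I$(JAVA_HOME)/include \
	    -I$(JAVA_HOME)/include/linux \
	    -I/usr/lib/jvm/java-1.6.0-openjdk-amd64/include/ \
	    -I/usr/include/abrt/ \
	    -shared -o libagent.so agent.cpp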
Agent_OnLoad | |
C++ OnLoad1: java.security.policy=/home/honza/JVMTI/test.policy [0] | |
C++ OnLoad2: java.security.policy=/home/honza/JVMTI/deny.policy [0] | |
callback_on_VMStart | |
Java: java.security.policy=/home/honza/JVMTI/deny.policy | |
Opening /home/honza/JVMTI/Test.java OK | |
Opening /etc/passwd ACCESS DENIED | |
Opening non-existing EXCEPTION | |
Agent_OnUnload |
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.security.Policy;
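/**
 * Demo program meant to run under a {@code SecurityManager}: prints which
 * policy file is in effect and then tries to open three files, reporting
 * whether each open succeeded, was denied by the policy or failed otherwise.
 */
class Test {

    /**
     * Entry point.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // The agent rewrites this property during OnLoad; printing it shows
        // which policy file the JVM actually ended up with.
        System.out.println("Java: java.security.policy=" + System.getProperty("java.security.policy"));
        testFile("/home/honza/JVMTI/Test.java");
        testFile("/etc/passwd");
        testFile("non-existing");
    }

    /**
     * Opens and reads {@code name} and reports the outcome: OK on stdout,
     * ACCESS DENIED (rejected by the security policy) or EXCEPTION (any other
     * failure, e.g. the file does not exist) on stderr.
     *
     * @param name path of the file to open
     */
    private static void testFile(String name) {
        File file = new File(name);
        // try-with-resources closes the reader even when read() throws; the
        // previous version leaked the descriptor on that path.
        try (FileReader reader = new FileReader(file)) {
            drain(reader);
            System.out.println("Opening " + name + " OK");
        } catch (java.security.AccessControlException e) {
            System.err.println("Opening " + name + " ACCESS DENIED");
        } catch (IOException | RuntimeException e) {
            System.err.println("Opening " + name + " EXCEPTION");
        }
    }

    /**
     * Reads the stream to its end and discards the content; the demo only
     * cares whether reading is permitted, and a fixed buffer avoids sizing an
     * array from {@code File.length()} (which overflows past 2 GiB).
     *
     * @param reader stream to consume
     * @throws IOException if reading fails
     */
    private static void drain(Reader reader) throws IOException {
        char[] buf = new char[8192];
        while (reader.read(buf) != -1) {
            // content intentionally discarded
        }
    }
}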
// Permissive policy given on the command line (test.policy); the agent swaps it
// out for its own policy during OnLoad, so it is not what the logged run used.
// "/home/-" matches every file below /home recursively, and write/delete/execute
// are broader than this demo exercises - Test only reads the files it opens.
grant codeBase "file:/home/honza/JVMTI/" {
    permission java.io.FilePermission "/home/-", "read, write, delete, execute";
    permission java.security.SecurityPermission "getPolicy";
    permission java.util.PropertyPermission "java.security.policy", "read";
};