D
David 'Bombe' Roden
Hi, everyone.
I'm trying to create a sandbox that executes code loaded from a JAR file
with reduced privileges. Unfortunately I'm a bit stuck. Here is what I
tried so far.
a) Created my own CodeSource and ProtectionDomain, used a custom ClassLoader
(extending SecureClassLoader) and gave the ProtectionDomain to the
defineClass class. Then I created an AccessControlContext with the
ProtectionDomain, used the ClassLoader to load a class from a JAR file and
tried to execute a method on the JAR file with the created
AccessControlContext.
b) Installed a Policy that would return special Permission object when a
CodeSource from a JAR file is handed to getPermissions(). Then I create two
classes from two different JAR files, create AccessControlContexts for each
of them (using their getClass().getProtectionDomain()) and try to execute
the method: when the method on the first class is called,
getPermissions(CodeSource) on my custom policy is called but when I execute
the method of the second class the policy is not asked, even with its
different ProtectionDomain.
So far I have not been successful using these (and other, more desperate)
methods. Is it really so hard to create a sandbox or am I missing some
important point? Also, it's hard to find examples or other documentation on
how to execute code with _less_ privileges, most of the code using
AccessController.doPrivileged() is aimed at executing code with _more_
privileges.
Grateful for any hints,
David
I'm trying to create a sandbox that executes code loaded from a JAR file
with reduced privileges. Unfortunately I'm a bit stuck. Here is what I
tried so far.
a) Created my own CodeSource and ProtectionDomain, used a custom ClassLoader
(extending SecureClassLoader) and gave the ProtectionDomain to the
defineClass class. Then I created an AccessControlContext with the
ProtectionDomain, used the ClassLoader to load a class from a JAR file and
tried to execute a method on the JAR file with the created
AccessControlContext.
b) Installed a Policy that would return special Permission object when a
CodeSource from a JAR file is handed to getPermissions(). Then I create two
classes from two different JAR files, create AccessControlContexts for each
of them (using their getClass().getProtectionDomain()) and try to execute
the method: when the method on the first class is called,
getPermissions(CodeSource) on my custom policy is called but when I execute
the method of the second class the policy is not asked, even with its
different ProtectionDomain.
So far I have not been successful using these (and other, more desperate)
methods. Is it really so hard to create a sandbox or am I missing some
important point? Also, it's hard to find examples or other documentation on
how to execute code with _less_ privileges, most of the code using
AccessController.doPrivileged() is aimed at executing code with _more_
privileges.
Grateful for any hints,
David