[tomcat8] 06/13: Updated the policy files
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Thu Nov 17 23:51:43 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch experimental
in repository tomcat8.
commit efcbf7c52a4abfe1f242f9d3da0d845ed6f1a85f
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Wed Nov 16 23:31:15 2016 +0100
Updated the policy files
---
debian/changelog | 1 +
debian/policy/03catalina.policy | 57 ++++++++++++++++++++++++++++++-------
debian/policy/04webapps.policy | 63 ++++++++++++++++++++++++++++++++---------
debian/policy/50local.policy | 10 +++++++
4 files changed, 107 insertions(+), 24 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d247341..e2b4bdc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ tomcat8 (8.5.8-1) UNRELEASED; urgency=medium
* New upstream release
- Refreshed the patches
- Tomcat no longer builds tomcat-embed-logging-juli.jar
+ - Updated the policy files
* Adapted debian/orig-tar.sh to download the 8.5.x releases
-- Emmanuel Bourg <ebourg at apache.org> Wed, 16 Nov 2016 18:44:57 +0100
diff --git a/debian/policy/03catalina.policy b/debian/policy/03catalina.policy
index 2de1518..2663813 100644
--- a/debian/policy/03catalina.policy
+++ b/debian/policy/03catalina.policy
@@ -1,22 +1,50 @@
// ========== CATALINA CODE PERMISSIONS =======================================
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
// These permissions apply to the logging API
+// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
+// update this section accordingly.
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
- permission java.util.PropertyPermission "java.util.logging.config.class", "read";
- permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission
+ "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
permission java.lang.RuntimePermission "shutdownHooks";
- permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
- permission java.util.PropertyPermission "catalina.base", "read";
- permission java.util.logging.LoggingPermission "control";
- permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
- permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
- // To enable per context logging configuration, permit read access to the appropriate file.
- // Be sure that the logging configuration is secure before enabling such access
- // eg for the examples web application:
- // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+
+ permission java.lang.management.ManagementPermission "monitor";
+
+ permission java.util.logging.LoggingPermission "control";
+
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
+ permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
+ permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
+ permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+
+ // Note: To enable per context logging configuration, permit read access to
+ // the appropriate file. Be sure that the logging configuration is
+ // secure before enabling such access.
+ // E.g. for the examples web application (uncomment and unwrap
+ // the following to be on a single line):
+ // permission java.io.FilePermission "${catalina.base}${file.separator}
+ // webapps${file.separator}examples${file.separator}WEB-INF
+ // ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
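Review bot: The new `commons-daemon.jar` grant at the top of this hunk gives `java.security.AllPermission` to whatever is loaded from `${catalina.home}/bin/commons-daemon.jar`, and its only comment is "These permissions apply to the daemon code". The sandbox is only as strong as the write protection on that path, so I would say so next to the grant, e.g. `// AllPermission: this jar and its directory must be writable by root only`. The same caveat belongs on the commented-out `${catalina.base}/lib/-` grant added in the next hunk, where the directory is per-instance and presumably more likely to be writable by the service account. `ManagementPermission "monitor"` is also added to the tomcat-juli grant with no comment saying which logging feature needs it.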
@@ -30,3 +58,10 @@ grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
+
+
+// If using a per instance lib directory, i.e. ${catalina.base}/lib,
+// then the following permission will need to be uncommented
+// grant codeBase "file:${catalina.base}/lib/-" {
+// permission java.security.AllPermission;
+// };
diff --git a/debian/policy/04webapps.policy b/debian/policy/04webapps.policy
index 74af20d..5679ca3 100644
--- a/debian/policy/04webapps.policy
+++ b/debian/policy/04webapps.policy
@@ -3,8 +3,8 @@
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant {
+// for all files and directories in its document root.
+grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
@@ -41,19 +41,56 @@ grant {
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
- // Precompiled JSPs need access to this package.
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+ // All JSPs need to be able to read this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
- // Example JSPs need those to work properly
+ // Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
-
- // Precompiled JSPs need access to this system property.
- permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to these system properties.
+ permission java.util.PropertyPermission
+ "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+ permission java.util.PropertyPermission
+ "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+ // The cookie code needs these.
+ permission java.util.PropertyPermission
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
- // java.io.tmpdir should be usable as a temporary file directory
- permission java.util.PropertyPermission "java.io.tmpdir", "read";
- permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+ // Applications using WebSocket need to be able to access these packages
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
+ // Applications need to access these packages to use the Servlet 4.0 Preview
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlet4preview";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlet4preview.http";
+};
+
+
+// The Manager application needs access to the following packages to support the
+// session display functionality. These settings support the following
+// configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/../tomcat8-admin/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+grant codeBase "file:${catalina.home}/../tomcat8-admin/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
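Review bot: The two Manager grants key on `${catalina.base}/../tomcat8-admin/manager/-` and `${catalina.home}/../tomcat8-admin/manager/-`, a sibling of the base/home directory, while the comment above them still lists layouts where the Manager lives "in CATALINA_BASE" or "in CATALINA_HOME". For a per-instance `catalina.base`, the first path resolves next to the instance directory, a location this package may not control. I would either drop that grant or state the expected location in the comment, e.g. `// Debian: the Manager is installed in <manager install dir>, reached here as ${catalina.home}/../tomcat8-admin/manager`. The five `accessClassInPackage` lines are duplicated verbatim between the two grants, which invites drift. Separately, this hunk drops the `java.io.tmpdir` and `accessDeclaredMembers` grants, so web applications that relied on them under the security manager will start failing, and the changelog line does not mention it.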
diff --git a/debian/policy/50local.policy b/debian/policy/50local.policy
index 3f15a8d..4c177b4 100644
--- a/debian/policy/50local.policy
+++ b/debian/policy/50local.policy
@@ -30,3 +30,13 @@
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
+// To grant permissions for web applications using packed WAR files, use the
+// Tomcat specific WAR url scheme.
+//
+// The permissions granted to the entire web application
+// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
+// };
+//
+// The permissions granted to a specific JAR
+// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
+// };
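Review bot: The `*` in `examples.war*/-` is easy to misread as a glob. As far as I can tell, it is the separator that Tomcat's `war:` URL form puts between the archive and the path inside it. A line such as `// Note: "*/" separates the WAR file from the entry path; it is not a wildcard` above the examples would keep admins from widening or "correcting" the pattern. Both sample grants are also empty, so a short reminder to list only the permissions the application actually needs would fit here.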
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git