[Git][java-team/tomcat8][master] Updated the policy files in /etc/tomcat8/policy.d/

Emmanuel Bourg gitlab at salsa.debian.org
Wed Aug 8 12:48:34 BST 2018


Emmanuel Bourg pushed to branch master at Debian Java Maintainers / tomcat8


Commits:
b151b64a by Emmanuel Bourg at 2018-08-08T11:45:25Z
Updated the policy files in /etc/tomcat8/policy.d/

- - - - -


4 changed files:

- debian/changelog
- debian/policy/01system.policy
- debian/policy/03catalina.policy
- debian/policy/04webapps.policy


Changes:

=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ tomcat8 (8.5.32-2) UNRELEASED; urgency=medium
 
   * Team upload.
   * Disabled the shutdown port (8005) by default
+  * Updated the policy files in /etc/tomcat8/policy.d/
   * Added the missing Maven rules to use the 8.x generic version for
     tomcat-jaspic-api, tomcat-storeconfig and tomcat-util-scan
   * No longer set JSSE_HOME in the init script (JSSE is enabled by default)


=====================================
debian/policy/01system.policy
=====================================
--- a/debian/policy/01system.policy
+++ b/debian/policy/01system.policy
@@ -14,16 +14,15 @@
 // limitations under the License.
 
 // ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 8
+// catalina.policy - Security Policy Permissions for Tomcat
 //
 // This file contains a default set of security policies to be enforced (by the
 // JVM) when Catalina is executed with the "-security" option.  In addition
 // to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
+// granted to each web application:
 //
-// * Read access to the document root directory
-//
-// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
 // ============================================================================
 
 


=====================================
debian/policy/03catalina.policy
=====================================
--- a/debian/policy/03catalina.policy
+++ b/debian/policy/03catalina.policy
@@ -19,7 +19,7 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.io.FilePermission
          "${catalina.base}${file.separator}logs", "read, write";
         permission java.io.FilePermission
-         "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+         "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete";
 
         permission java.lang.RuntimePermission "shutdownHooks";
         permission java.lang.RuntimePermission "getClassLoader";
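Review bot: The widened grant on `logs${file.separator}*` adds `delete` without a comment saying why the logging jar needs it. Presumably it lets the JULI file handler purge expired rotated logs, but it also lets any code loaded from tomcat-juli.jar remove files directly under the logs directory, including access logs that an investigation may depend on. I would record the reason beside the grant, for example `// delete: required so the log handler can remove expired rotated files`, and leave audit retention to log forwarding or filesystem ownership, not to this policy. The `*` form covers only direct children of logs. The enclosing grant block starts and ends outside the hunk.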


=====================================
debian/policy/04webapps.policy
=====================================
--- a/debian/policy/04webapps.policy
+++ b/debian/policy/04webapps.policy
@@ -50,12 +50,6 @@ grant {
     permission java.lang.RuntimePermission
      "accessClassInPackage.org.apache.jasper.runtime.*";
 
-    // Precompiled JSPs need access to these system properties.
-    permission java.util.PropertyPermission
-     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-    permission java.util.PropertyPermission
-     "org.apache.el.parser.COERCE_TO_ZERO", "read";
-
     // The cookie code needs these.
     permission java.util.PropertyPermission
      "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
@@ -75,8 +69,9 @@ grant {
 
 
 // The Manager application needs access to the following packages to support the
-// session display functionality. These settings support the following
-// configurations:
+// session display functionality. It also requires the custom Tomcat
+// DeployXmlPermission to enable the use of META-INF/context.xml
+// These settings support the following configurations:
 // - default CATALINA_HOME == CATALINA_BASE
 // - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
 // - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
@@ -86,6 +81,7 @@ grant codeBase "file:${catalina.base}/../tomcat8-admin/manager/-" {
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+    permission org.apache.catalina.security.DeployXmlPermission "manager";
 };
 grant codeBase "file:${catalina.home}/../tomcat8-admin/manager/-" {
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
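Review bot: The added `DeployXmlPermission "manager"` line does not document that the permission name is tied to the web application's name. As far as I can tell, Tomcat compares it with the context base name when deciding whether to process META-INF/context.xml under the security manager, so a Manager deployed under a different name would have its context.xml skipped without an obvious error. It also deserves a warning that the grant must stay scoped to the admin codeBase and never move into the unscoped `grant { }` block, because a bundled context.xml can configure container-level components. A comment such as `// Name must equal the context name; keep this grant scoped to the admin codeBase.` would cover both. The same applies to the `"manager"` and `"host-manager"` grants added in the next hunk. This grant block opens outside the hunk.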
@@ -93,4 +89,18 @@ grant codeBase "file:${catalina.home}/../tomcat8-admin/manager/-" {
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+    permission org.apache.catalina.security.DeployXmlPermission "manager";
+};
+
+// The Host Manager application needs the custom Tomcat DeployXmlPermission to
+// enable the use of META-INF/context.xml
+// These settings support the following configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/../tomcat8-admin/host-manager/-" {
+    permission org.apache.catalina.security.DeployXmlPermission "host-manager";
+};
+grant codeBase "file:${catalina.home}/../tomcat8-admin/host-manager/-" {
+    permission org.apache.catalina.security.DeployXmlPermission "host-manager";
 };



View it on GitLab: https://salsa.debian.org/java-team/tomcat8/commit/b151b64aeb359a6c0751ab1bc19082c211dfdbd2
