Re: [equinox-dev] Using the org.eclipse.osgi.jar.verifier

In the OSGi security model, it is really the bundle signer that is setting the 
permissions.perm file. Obviously, he will know what to put in there based on 
the developer, but the model is this:

Permissions are granted to a signer in CondPermAdmin with BundleSigner. When a 
signer signs a bundle he can scope the permissions that a bundle receives 
with the permissions.perm file (which is included in the signature).

Imagine the ACME signer has AllPermission, perhaps because they supply a lot of 
the admin bundles. Now imagine that summer students at ACME develop a fun 
bundle for running the game of life (the one that turns all your letters into 
cells and then makes them create new cells or die) in your editor when you 
get frustrated. It's a popular bundle, but when ACME signs it, ACME doesn't 
want that bundle to run with AllPermission, so permissions.perm is added to 
the bundle to restrict the permissions to just what is needed. The 
permissions.perm file should be thought of as a statement from the signer saying 
"these are the permissions that I authorize the bundle to have". Those 
permissions are then subject to the actual permissions that a signer 
receives.

I agree there does need to be an override. One way to override is to use 
PermissionAdmin to explicitly set the permissions for that exact bundle. In 
the future it would be nice to have a way to allow the administrator to 
override the permissions.perm file as well as other things like the 
import/export packages, names, versions, etc. The override should not change 
the actual resources of the bundle though since the resources are protected 
by the signature.

ben

On Friday 23 September 2005 06:28 am, tjwatson@xxxxxxxxxx wrote:
> I was browsing the new content for the equinox-home web site (looks like
> Jeff has been busy) and came across a page for Signing Plug-ins at:
>
> http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/Signing.html
>
> It asks, how PDE should be extended to sign plugins?  I thought PDE
> already had this capability when you export a plug-in from your workspace.
>  There is an option to provide a private key to sign the plug-in on export
> from a workspace.  Is there more work to be done here?  Is this capability
> not included in PDE build yet?
>
> We should probably separate out requirements for an interface to specify
> the permissions required by a plug-in in PDE.  This should be orthogonal
> to signing a bundle.  An interface could be developed to add
> PermissionInfo data into the OSGI-INF/permissions.perm file.  But we need
> to be careful here because this file specifies the maximum set of
> permissions a bundle will ever need.  If the developer gets it wrong then
> there is no way an administrator can override the permissions.perm file to
> give a bundle more permissions at runtime.  Hopefully tooling can help to
> identify what permissions a particular bundle needs.
>
> It seems like we need to develop a separate location to store permission
> requirements for bundles (maybe in a feature).  And then update could
> assign the permissions using ConditionalPermissionAdmin when it installs
> features.
>
> Tom
>
> equinox-dev-bounces@xxxxxxxxxxx wrote on 09/22/2005 09:39:13 PM:
> > For fun I put this on the Equinox web site at
> >         http://dev.eclipse.org/viewcvs/indextech.cgi/~checkout~/equinox-home/security/verifier.html
> >
> > After the transition we should have a Wiki on the site and that will
> > make things much easier.
> >
> > Jeff
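The model discussed in this thread (a grant to a signer through a BundleSignerCondition, scoped by the bundle's own OSGI-INF/permissions.perm, and Ben's suggested per-bundle override through PermissionAdmin), as an added Java example that is not part of this thread or of Equinox. It uses the OSGi R4 ConditionalPermissionAdmin and PermissionAdmin APIs; the ACME DN pattern, the bundle location and the permission list are assumed values.

```java
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;

/*
 * Added example (not from the thread). Three pieces make up the model:
 *
 * 1. The administrator grants the ACME signer AllPermission (grantAcmeSigner).
 * 2. ACME scopes what one signed bundle may get by adding OSGI-INF/permissions.perm
 *    before signing, so the file is covered by the signature. Each line is an
 *    encoded PermissionInfo; '#' starts a comment. Assumed content:
 *
 *      # OSGI-INF/permissions.perm: the most the game-of-life bundle may have
 *      (org.osgi.framework.PackagePermission "org.eclipse.ui.*" "import")
 *      (java.util.PropertyPermission "user.*" "read")
 *
 *    The bundle ends up with what the file lists, further limited to what its
 *    signer was granted in piece 1.
 * 3. Per Ben, an administrator can still override both for one exact bundle
 *    through PermissionAdmin, keyed by the bundle location (overrideForBundle).
 */
public class AcmePermissionSetup {
    private static final String BUNDLE_SIGNER =
        "org.osgi.service.condpermadmin.BundleSignerCondition";

    /** Piece 1: every bundle whose signer DN matches the pattern gets AllPermission. */
    public static ConditionalPermissionInfo grantAcmeSigner(BundleContext ctx) {
        ServiceReference ref = ctx.getServiceReference(ConditionalPermissionAdmin.class.getName());
        ConditionalPermissionAdmin cpa = (ConditionalPermissionAdmin) ctx.getService(ref);
        // Assumed DN pattern: any subject whose DN ends in "o=ACME, c=US".
        ConditionInfo[] conds = { new ConditionInfo(BUNDLE_SIGNER, new String[] { "*, o=ACME, c=US" }) };
        PermissionInfo[] perms = { new PermissionInfo("java.security.AllPermission", null, null) };
        return cpa.addConditionalPermissionInfo(conds, perms);
    }

    /** Piece 3: explicit permissions for one bundle location, replacing pieces 1 and 2 for it. */
    public static void overrideForBundle(BundleContext ctx, String location) {
        ServiceReference ref = ctx.getServiceReference(PermissionAdmin.class.getName());
        PermissionAdmin pa = (PermissionAdmin) ctx.getService(ref);
        // Assumed: the bundle also needs a high-score file that permissions.perm omitted.
        PermissionInfo[] perms = {
            new PermissionInfo("org.osgi.framework.PackagePermission", "org.eclipse.ui.*", "import"),
            new PermissionInfo("java.util.PropertyPermission", "user.*", "read"),
            new PermissionInfo("java.io.FilePermission", "/tmp/life-scores", "read,write")
        };
        pa.setPermissions(location, perms);
    }
}
```

Note that the override widens only the permission set: the signed resources of the bundle, including its permissions.perm file, are untouched, which is the distinction Ben draws.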