8272317: jstatd has dependency on Security Manager which needs to be removed #6919
Conversation
|
/label serviceability |
|
👋 Welcome back kevinw! A progress list of the required criteria for merging this PR into |
openjdk
bot
added
rfr
|
@kevinjwalls |
Webrevs
|
|
Mailing list message from Bernd Eckenfels on serviceability-dev: Hello, Is it safe to allow generic proxy objects, could they not execute arbritrary backend methods? Are the invocation handlers filtered indirectly? What about those inner classes, are they stable? Could the whole protocol maybe changed to a different protocol? Gruss -- Remove the use of Security Manager from jstatd. Also we can undo the property-setting Launcher.gmk change from: 8279007: jstatd fails to start because SecurityManager is disabled Docs/man page update to follow (JDK-8278619). ------------- Commit messages: Changes: https://git.openjdk.java.net/jdk/pull/6919/files PR: https://git.openjdk.java.net/jdk/pull/6919 |
| @@ -47,6 +48,8 @@ | |||
| private static boolean startRegistry = true; | |||
| private static RemoteHost remoteHost; | |||
|
|
|||
| private static final String rmiFilterPattern = "sun.jvmstat.monitor.remote.RemoteVm;com.sun.proxy.jdk.proxy1.$Proxy1;com.sun.proxy.jdk.proxy1.$Proxy2;java.lang.reflect.Proxy;java.rmi.server.RemoteObjectInvocationHandler;java.rmi.server.RemoteObject;!*"; | |||
There was a problem hiding this comment.
The class name of the dynamic proxy is generated at runtime and can be different. As Bernd commented, the proxy classes cannot/should not be listed in the filter pattern.
There was a problem hiding this comment.
OK thanks - I was trying the minimal pattern to overcome rejections such as the following, captured in logs on different runs:
ObjectInputFilter REJECTED: class com.sun.proxy.jdk.proxy1.$Proxy1, array length: -1, nRefs: 2, depth: 1, bytes: 84, ex: n/a
ObjectInputFilter REJECTED: class com.sun.proxy.jdk.proxy1.$Proxy2, array length: -1, nRefs: 2, depth: 1, bytes: 84, ex: n/a
There was a problem hiding this comment.
I think the proxy classes need to be there. The RemoteHost API has a parameter of type RemoteVm which is a stub to an RMI remote object, which consists of a proxy and a handler. The proxy's interface list is filtered by the serialization filter so somebody can't just pass a proxy for anything.
The name of the proxy class probably does need to be wildcarded though.
There was a problem hiding this comment.
@mlchung The Proxy class passed to the filter has been created in this VM from the interfaces listed.
The interfaces have already been filtered prior to creating the proxy.
The Proxy classes can safely be allowed based on a wildcard of the name. (As Stuart said).
|
/label security |
|
@seanjmullan |
|
Thanks for the comments - The proxy objects are needed in the filter for this to work at all. The proxy names/numbers and innner class names/numbers are predictable and stable IF we are using jstatd and jstat as standalone programs. But they are unstable if there is other relevant activity in the VM process, e.g. a JMX connection comes in before they are created. We should wildcard the proxy names to work in such a situation: com.sun.proxy.jdk.proxy* I'll mention also that jstatd has always been an experimental feature. The man page warns about lack of authentication and advises usage with caution. |
…n this JVM changes the nameing/numbering of proxy classes.
openjdk
bot
added
csr
|
CSR has been approved (https://bugs.openjdk.java.net/browse/JDK-8279891) |
|
Are all the proxy interfaces public? The package in which a proxy class is created may be different depending if whether any proxy interface is in a non-exported and non-open package. |
sun.jvmstat.monitor.remote.RemoteVm is "public interface RemoteVm extends Remote" and methods in there only return basic types. The only other names permitted are proxy/reflect/rmi related. |
|
If |
Thanks. With that endorsement I think there are no unresolved issues with this change. |
|
@kevinjwalls This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been no new commits pushed to the ➡️ To integrate this PR with the above commit message to the |
|
Many thanks Chris, Roger! |
|
/integrate |
openjdk
bot
removed
ready
|
@kevinjwalls Pushed as commit cb8a82e. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Remove the use of Security Manager from jstatd.
Add use of an ObjectInputFilter to restrict RMI.
Also we can undo the property-setting Launcher.gmk change from: 8279007: jstatd fails to start because SecurityManager is disabled
..as that is no longer needed.
Docs/man page update to follow (JDK-8278619).
Progress
Issues
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6919/head:pull/6919$ git checkout pull/6919Update a local copy of the PR:
$ git checkout pull/6919$ git pull https://git.openjdk.java.net/jdk pull/6919/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6919View PR using the GUI difftool:
$ git pr show -t 6919Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6919.diff