|
|
@@ -0,0 +1,135 @@
|
|
|
+//
|
|
|
+// Security policy for PL/Java. These grants are intended to add to those
|
|
|
+// contained in the java.policy file of the standard Java installation.
|
|
|
+//
|
|
|
+
|
|
|
+
|
|
|
+//
|
|
|
+// This grant is unconditional. It adds these properties to the standard Java
|
|
|
+// list of system properties that any code may read.
|
|
|
+//
|
|
|
+grant {
|
|
|
+ // "standard" properties that can be read by anyone, by analogy to the
|
|
|
+ // ones so treated in Java itself.
|
|
|
+ //
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.version", "read";
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.pljava.version", "read";
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.pljava.native.version", "read";
|
|
|
+
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.pljava.udt.byteorder.*", "read";
|
|
|
+
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.server.encoding", "read";
|
|
|
+
|
|
|
+ // PostgreSQL allows SELECT current_database() or SHOW cluster_name anyway.
|
|
|
+ //
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.database", "read";
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "org.postgresql.cluster", "read";
|
|
|
+
|
|
|
+ // SQL/JRT specifies this property.
|
|
|
+ //
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "sqlj.defaultconnection", "read";
|
|
|
+
|
|
|
+ // This property is read in the innards of Java 9 and 10, but they forgot
|
|
|
+ // to add a permission for it. Not needed for Java 11 and later.
|
|
|
+ //
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "jdk.lang.ref.disableClearBeforeEnqueue", "read";
|
|
|
+
|
|
|
+ // Something similar happened in Java 14 (not yet fixed in 15).
|
|
|
+ //
|
|
|
+ permission java.util.PropertyPermission
|
|
|
+ "java.util.concurrent.ForkJoinPool.common.maximumSpares", "read";
|
|
|
+};
|
|
|
+
|
|
|
+
|
|
|
+//
|
|
|
+// This grant is specific to the internal implementation of PL/Java itself,
|
|
|
+// which needs these permissions for its own operations.
|
|
|
+//
|
|
|
+// Historically, PL/Java has been able to read any file on the server filesystem
|
|
|
+// when a file: URL is passed to sqlj.install_jar or sqlj.replace_jar. Such a
|
|
|
+// broad grant is not necessary, and can be narrowed below if desired.
|
|
|
+//
|
|
|
+grant codebase "${org.postgresql.pljava.codesource}" {
|
|
|
+ permission java.lang.RuntimePermission
|
|
|
+ "charsetProvider";
|
|
|
+ permission java.lang.RuntimePermission
|
|
|
+ "createClassLoader";
|
|
|
+ permission java.lang.RuntimePermission
|
|
|
+ "getProtectionDomain";
|
|
|
+ permission java.net.NetPermission
|
|
|
+ "specifyStreamHandler";
|
|
|
+ permission java.util.logging.LoggingPermission
|
|
|
+ "control";
|
|
|
+ permission java.security.SecurityPermission
|
|
|
+ "createAccessControlContext";
|
|
|
+
|
|
|
+ // This gives the PL/Java implementation code permission to read
|
|
|
+ // any file, which it only exercises on behalf of sqlj.install_jar()
|
|
|
+ // or sqlj.replace_jar() when called with a file: URL.
|
|
|
+ //
|
|
|
+ // There would be nothing wrong with restricting this permission to
|
|
|
+ // a specific directory, if all jar files to be loaded will be found there,
|
|
|
+ // or replacing it with a URLPermission if they will be hosted on a remote
|
|
|
+ // server, etc.
|
|
|
+ //
|
|
|
+ permission java.io.FilePermission
|
|
|
+ "<<ALL FILES>>", "read";
|
|
|
+};
|
|
|
+
|
|
|
+
|
|
|
+//
|
|
|
+// This grant defines the mapping onto Java of PostgreSQL's "trusted language"
|
|
|
+// category. When PL/Java executes a function whose SQL declaration names
|
|
|
+// a language that was declared WITH the TRUSTED keyword, it will have these
|
|
|
+// permissions, if any (in addition to whatever others might be granted to all
|
|
|
+// code, or to its specific jar, etc.).
|
|
|
+//
|
|
|
+grant principal org.postgresql.pljava.PLPrincipal$Sandboxed * {
|
|
|
+ //permission java.security.AllPermission;
|
|
|
+ permission java.lang.RuntimePermission
|
|
|
+ "createClassLoader";
|
|
|
+};
|
|
|
+
|
|
|
+
|
|
|
+//
|
|
|
+// This grant defines the mapping onto Java of PostgreSQL's "untrusted language"
|
|
|
+// category. When PL/Java executes a function whose SQL declaration names
|
|
|
+// a language that was declared WITHOUT the TRUSTED keyword, it will have these
|
|
|
+// permissions (in addition to whatever others might be granted to all code, or
|
|
|
+// to its specific jar, etc.).
|
|
|
+//
|
|
|
+grant principal org.postgresql.pljava.PLPrincipal$Unsandboxed * {
|
|
|
+ //permission java.security.AllPermission;
|
|
|
+ //permission java.lang.RuntimePermission
|
|
|
+ // "createClassLoader";
|
|
|
+ // Java does not circumvent operating system access controls; this grant
|
|
|
+ // will still be limited to what the OS allows a PostgreSQL backend process
|
|
|
+ // to do.
|
|
|
+ permission java.io.FilePermission
|
|
|
+ "<<ALL FILES>>", "read,readlink,write,delete";
|
|
|
+};
|
|
|
+
|
|
|
+
|
|
|
+//
|
|
|
+// This grant applies to a specific PL/Java sandboxed language named java_tzset
|
|
|
+// (if such a language exists) and grants functions created in that language
|
|
|
+// permission to adjust the time zone. There is an example method in the
|
|
|
+// org.postgresql.pljava.example.annotation.PreJSR310 class, which needs to
|
|
|
+// temporarily adjust the time zone for a test. That example also uses
|
|
|
+// sqlj.alias_java_language to create the java_tzset "language" when deployed,
|
|
|
+// and DROP LANGUAGE to remove it when undeployed.
|
|
|
+//
|
|
|
+grant principal org.postgresql.pljava.PLPrincipal$Sandboxed "java_tzset" {
|
|
|
+ //permission java.lang.RuntimePermission
|
|
|
+ // "createClassLoader";
|
|
|
+ permission java.util.PropertyPermission "user.timezone", "write";
|
|
|
+};
|
Pi