Home Explore Help
Sign In
gogsadmin
/
pljava-jsword
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

add pljava.policy to work around use of custom classLoader in JSword

Pi 2 years ago
parent
07f2d77891
commit
79e1567d0d
1 changed files with 135 additions and 0 deletions
Unified View Show Diff Stats
  1. 135 0
      pljava.policy

+ 135 - 0
pljava.policy
View File 

@@ -0,0 +1,135 @@
 
+//
 
+// Security policy for PL/Java. These grants are intended to add to those
 
+// contained in the java.policy file of the standard Java installation.
 
+//
 
+
 
+
 
+//
 
+// This grant is unconditional. It adds these properties to the standard Java
 
+// list of system properties that any code may read.
 
+//
 
+grant {
 
+	// "standard" properties that can be read by anyone, by analogy to the
 
+	// ones so treated in Java itself.
 
+	//
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.version", "read";
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.pljava.version", "read";
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.pljava.native.version", "read";
 
+
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.pljava.udt.byteorder.*", "read";
 
+
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.server.encoding", "read";
 
+
 
+	// PostgreSQL allows SELECT current_database() or SHOW cluster_name anyway.
 
+	//
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.database", "read";
 
+	permission java.util.PropertyPermission
 
+		"org.postgresql.cluster", "read";
 
+
 
+	// SQL/JRT specifies this property.
 
+	//
 
+	permission java.util.PropertyPermission
 
+		"sqlj.defaultconnection", "read";
 
+
 
+	// This property is read in the innards of Java 9 and 10, but they forgot
 
+	// to add a permission for it. Not needed for Java 11 and later.
 
+	//
 
+	permission java.util.PropertyPermission
 
+		"jdk.lang.ref.disableClearBeforeEnqueue", "read";
 
+
 
+	// Something similar happened in Java 14 (not yet fixed in 15).
 
+	//
 
+	permission java.util.PropertyPermission
 
+		"java.util.concurrent.ForkJoinPool.common.maximumSpares", "read";
 
+};
 
+
 
+
 
+//
 
+// This grant is specific to the internal implementation of PL/Java itself,
 
+// which needs these permissions for its own operations.
 
+//
 
+// Historically, PL/Java has been able to read any file on the server filesystem
 
+// when a file: URL is passed to sqlj.install_jar or sqlj.replace_jar. Such a
 
+// broad grant is not necessary, and can be narrowed below if desired.
 
+//
 
+grant codebase "${org.postgresql.pljava.codesource}" {
 
+	permission java.lang.RuntimePermission
 
+		"charsetProvider";
 
+	permission java.lang.RuntimePermission
 
+		"createClassLoader";
 
+	permission java.lang.RuntimePermission
 
+		"getProtectionDomain";
 
+	permission java.net.NetPermission
 
+		"specifyStreamHandler";
 
+	permission java.util.logging.LoggingPermission
 
+		"control";
 
+	permission java.security.SecurityPermission
 
+		"createAccessControlContext";
 
+
 
+	// This gives the PL/Java implementation code permission to read
 
+	// any file, which it only exercises on behalf of sqlj.install_jar()
 
+	// or sqlj.replace_jar() when called with a file: URL.
 
+	//
 
+	// There would be nothing wrong with restricting this permission to
 
+	// a specific directory, if all jar files to be loaded will be found there,
 
+	// or replacing it with a URLPermission if they will be hosted on a remote
 
+	// server, etc.
 
+	//
 
+	permission java.io.FilePermission
 
+		"<<ALL FILES>>", "read";
 
+};
 
+
 
+
 
+//
 
+// This grant defines the mapping onto Java of PostgreSQL's "trusted language"
 
+// category. When PL/Java executes a function whose SQL declaration names
 
+// a language that was declared WITH the TRUSTED keyword, it will have these
 
+// permissions, if any (in addition to whatever others might be granted to all
 
+// code, or to its specific jar, etc.).
 
+//
 
+grant principal org.postgresql.pljava.PLPrincipal$Sandboxed * {
 
+        //permission java.security.AllPermission;
 
+	permission java.lang.RuntimePermission
 
+		"createClassLoader";
 
+};
 
+
 
+
 
+//
 
+// This grant defines the mapping onto Java of PostgreSQL's "untrusted language"
 
+// category. When PL/Java executes a function whose SQL declaration names
 
+// a language that was declared WITHOUT the TRUSTED keyword, it will have these
 
+// permissions (in addition to whatever others might be granted to all code, or
 
+// to its specific jar, etc.).
 
+//
 
+grant principal org.postgresql.pljava.PLPrincipal$Unsandboxed * {
 
+        //permission java.security.AllPermission;
 
+	//permission java.lang.RuntimePermission
 
+	//	"createClassLoader";
 
+	// Java does not circumvent operating system access controls; this grant
 
+	// will still be limited to what the OS allows a PostgreSQL backend process
 
+	// to do.
 
+	permission java.io.FilePermission
 
+		"<<ALL FILES>>", "read,readlink,write,delete";
 
+};
 
+
 
+
 
+//
 
+// This grant applies to a specific PL/Java sandboxed language named java_tzset
 
+// (if such a language exists) and grants functions created in that language
 
+// permission to adjust the time zone. There is an example method in the
 
+// org.postgresql.pljava.example.annotation.PreJSR310 class, which needs to
 
+// temporarily adjust the time zone for a test. That example also uses
 
+// sqlj.alias_java_language to create the java_tzset "language" when deployed,
 
+// and DROP LANGUAGE to remove it when undeployed.
 
+//
 
+grant principal org.postgresql.pljava.PLPrincipal$Sandboxed "java_tzset" {
 
+	//permission java.lang.RuntimePermission
 
+	//	"createClassLoader";
 
+	permission java.util.PropertyPermission "user.timezone", "write";
 
+};