#1 2014-12-17 10:33:19

tastyPI
Member
Registered: 2014-12-17

[Sandbox] Denying access in a used class

Hello everybody,

I struggle a little bit with the java-sandbox API. Consider the following code:

Sandkiste.java:

 
import java.util.List;
import java.util.concurrent.TimeUnit;

import net.datenwerke.sandbox.*;
import net.datenwerke.sandbox.SandboxContext.AccessType;
import net.datenwerke.sandbox.SandboxContext.RuntimeMode;
import net.datenwerke.sandbox.handlers.BadThreadKillHandler;

public class Sandkiste {

    public static void main(String[] args) {
        Sandkiste s = new Sandkiste();
        s.run();
    }

    public void run() {
        SandboxService sandboxService = SandboxServiceImpl.getInstance();

        /* configure context */
        SandboxContext context = new SandboxContext();

        context.addClassForApplicationLoader("Test");

        context.addClassPermission(AccessType.PERMIT, UntrustedCode.class.getName());
        context.addClassPermission(AccessType.DENY, "java.lang.System");
        context.addClassPermission(AccessType.DENY, "java.io.PrintStream");

        context.setRunInThread(true);

        /* run code in sandbox */
        SandboxedCallResult<List<String>> result = sandboxService.runSandboxed(UntrustedCode.class, context);

        /* output result */
    }
}

UntrustedCode.java:

 
import java.util.List;
 
import net.datenwerke.sandbox.SandboxedEnvironment;
 
public class UntrustedCode implements SandboxedEnvironment<List<String>> {
 
    @Override
    public List<String> execute() throws Exception {  
        Test t = new Test();
        t.print();
         
        return null;
    }
}

Test.java:

 
public class Test {
    public void print() {
        System.out.println("Erlaubt!");
    }
}

I want to deny the access of the System.class in all classes which are being executed in the sandbox, but
despite denying permission of the System.class the class "Test" is still able to call methods of System. Is there a way to realize this?


Cheers

Offline

#2 2014-12-20 08:58:00

Arno Mittelbach
datenwerke
Registered: 2012-02-14

Re: [Sandbox] Denying access in a used class

Hi,

this is a bit out of scope in this forum, but let me try to help. All my classes are in the default package, as I guess were yours.

1) If I run the code as is, with a single change, namely I've added the debug option to the context, i.e., the run method in Sandkiste is

     public void run(){
       SandboxService sandboxService = SandboxServiceImpl.getInstance();
     
       /* configure context */
       SandboxContext context = new SandboxContext();
       context.setDebug(true);

       context.addClassForApplicationLoader("Test");
        
       context.addClassPermission(AccessType.PERMIT,UntrustedCode.class.getName());
       context.addClassPermission(AccessType.DENY, "java.lang.System");
       context.addClassPermission(AccessType.DENY, "java.io.PrintStream");
        
       context.setRunInThread(true);
        
       /* run code in sandbox */
       
       SandboxedCallResult<List<String>> result = sandboxService.runSandboxed(UntrustedCode.class, context);
       
       /* output result */
     }

I'll get the following output

Dez 20, 2014 9:46:14 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr1
Dez 20, 2014 9:46:15 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr2
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: UntrustedCode
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: net.datenwerke.sandbox.SandboxedEnvironment
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: java.lang.Object
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: java.util.List
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: java.lang.Exception
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208670712) about to load class: Test
Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : ClassAccessCheck: Test

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Warnung: (2061231983) : DENY: ClassAccessCheck: Test
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class net.datenwerke.sandbox.SandboxLoader
	2	: class java.lang.ClassLoader
	3	: class UntrustedCode
	4	: class net.datenwerke.sandbox.SandboxedThread

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : PackageAccessCheck: java.util

Dez 20, 2014 9:46:16 AM net.datenwerke.sandbox.SandboxContext debug
Information: (2061231983) : PackageAccessCheck: java.util

Exception in thread "main" net.datenwerke.sandbox.exception.SandboxException: java.security.AccessControlException: No class access allowed for class: Test
	at net.datenwerke.sandbox.SandboxServiceImpl.run(SandboxServiceImpl.java:568)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:499)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:490)
	at Sandkiste.run(Sandkiste.java:36)
	at Sandkiste.main(Sandkiste.java:15)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at net.datenwerke.sandbox.SandboxedThread.run(SandboxedThread.java:59)
Caused by: java.security.AccessControlException: No class access allowed for class: Test
	at net.datenwerke.sandbox.SandboxSecurityManager.checkClassAccess(SandboxSecurityManager.java:146)
	at net.datenwerke.sandbox.SandboxLoader.loadClass(SandboxLoader.java:336)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	at UntrustedCode.execute(UntrustedCode.java:11)
	... 5 more

The important lines are

Warnung: (2061231983) : DENY: ClassAccessCheck: Test
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class net.datenwerke.sandbox.SandboxLoader
	2	: class java.lang.ClassLoader
	3	: class UntrustedCode
	4	: class net.datenwerke.sandbox.SandboxedThread

which is where the UntrustedCode tries to access class Test, which is denied, since there is no rule that allows loading class Test. Now, if we
explicitly whitelist Test (i.e. context.addClassPermission(AccessType.PERMIT, "Test");) we get the following response

Dez 20, 2014 9:50:05 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr1
Dez 20, 2014 9:50:06 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr2
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: UntrustedCode
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: net.datenwerke.sandbox.SandboxedEnvironment
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: java.lang.Object
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: java.util.List
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: java.lang.Exception
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (208981104) about to load class: Test
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : ClassAccessCheck: Test

Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PackageAccessCheck: java.io

Erlaubt!
Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PackageAccessCheck: java.util

Dez 20, 2014 9:50:07 AM net.datenwerke.sandbox.SandboxContext debug
Information: (850671470) : PackageAccessCheck: java.util

which I guess is what you were having. The question is, why is Test allowed to call java.lang.System? The reason is that you've told the Sandbox to
load class Test not with the Sandbox loader but with the ApplicationClassloader via

context.addClassForApplicationLoader("Test");

Thus, all subsequent class loading activities triggered by Test are handled not by the SandboxLoader but by the Application ClassLoader, which cannot
be monitored by the sandbox, and hence the call to java.System goes through. There should, however, not be any reason to load Test not with the
SandboxLoader. So if Sandkiste is as follows:

     public void run(){
       SandboxService sandboxService = SandboxServiceImpl.getInstance();
     
       /* configure context */
       SandboxContext context = new SandboxContext();
       context.setDebug(true);

       context.addClassPermission(AccessType.PERMIT,UntrustedCode.class.getName());
       context.addClassPermission(AccessType.PERMIT, "Test");
        
       context.setRunInThread(true);
        
       /* run code in sandbox */
       
       SandboxedCallResult<List<String>> result = sandboxService.runSandboxed(UntrustedCode.class, context);
       
       /* output result */
     }

Then you get the expected result. (Note that I also removed the two Deny class permissions since this is implicit as the Sandbox by default
disallows anything that is not explicitly allowed.)

Dez 20, 2014 9:54:29 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr1
Dez 20, 2014 9:54:30 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
Information: started sandbox server: SandboxRemoteServerNr2
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: UntrustedCode
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: net.datenwerke.sandbox.SandboxedEnvironment
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: java.lang.Object
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: java.util.List
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: java.lang.Exception
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: Test
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PermissionCheck: ("java.io.FilePermission" "/Users/arno/Datenwerke/Projekte/Sandbox/current/Test/bin/Test.class" "read")

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : ClassAccessCheck: Test

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: java.lang.System
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : ClassAccessCheck: java.lang.System

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Warnung: (1355039451) : DENY: ClassAccessCheck: java.lang.System
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class net.datenwerke.sandbox.SandboxLoader
	2	: class java.lang.ClassLoader
	3	: class Test
	4	: class UntrustedCode
	5	: class net.datenwerke.sandbox.SandboxedThread

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PackageAccessCheck: java.util

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : PackageAccessCheck: java.util

Exception in thread "main" net.datenwerke.sandbox.exception.SandboxException: java.security.AccessControlException: No class access allowed for class: java.lang.System
	at net.datenwerke.sandbox.SandboxServiceImpl.run(SandboxServiceImpl.java:568)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:499)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:490)
	at Sandkiste.run(Sandkiste.java:35)
	at Sandkiste.main(Sandkiste.java:15)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at net.datenwerke.sandbox.SandboxedThread.run(SandboxedThread.java:59)
Caused by: java.security.AccessControlException: No class access allowed for class: java.lang.System
	at net.datenwerke.sandbox.SandboxSecurityManager.checkClassAccess(SandboxSecurityManager.java:146)
	at net.datenwerke.sandbox.SandboxLoader.loadClass(SandboxLoader.java:336)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	at Test.print(Test.java:6)
	at UntrustedCode.execute(UntrustedCode.java:12)
	... 5 more

Again the important lines in the debug output are

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxLoader loadClass
Information: (1333699935) about to load class: java.lang.System
Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Information: (1355039451) : ClassAccessCheck: java.lang.System

Dez 20, 2014 9:54:31 AM net.datenwerke.sandbox.SandboxContext debug
Warnung: (1355039451) : DENY: ClassAccessCheck: java.lang.System
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class net.datenwerke.sandbox.SandboxLoader
	2	: class java.lang.ClassLoader
	3	: class Test
	4	: class UntrustedCode
	5	: class net.datenwerke.sandbox.SandboxedThread

I hope this helps.

Cheers
Arno

Offline
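
The loader behaviour explained in post #2, as an added example that is not part of the thread and not java-sandbox code: a class handed to the parent (application) loader has its own references resolved by that loader, so a check placed in the child loader's loadClass never sees them. LoaderDelegationDemo, CheckingLoader, Helper and Untrusted are hypothetical names, and the deny-list is a simplification of the sandbox's default-deny policy.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.concurrent.Callable;

// Added illustration, JDK only (Java 9+): compile with javac, then run `java LoaderDelegationDemo`.
// CheckingLoader mimics a policy enforced in loadClass; it is not the java-sandbox SandboxLoader.
public class LoaderDelegationDemo {
    /** Plays the role of Test: it touches java.lang.System. */
    public static class Helper {
        public String touch() { return System.getProperty("java.version"); }
    }
    /** Plays the role of UntrustedCode. */
    public static class Untrusted implements Callable<String> {
        @Override public String call() { return new Helper().touch(); }
    }

    static class CheckingLoader extends ClassLoader {
        private static final Set<String> DENIED = Set.of("java.lang.System"); // simplified deny-list
        private final Set<String> defineHere;            // classes this loader defines itself
        final Set<String> seen = new LinkedHashSet<>();  // every name this loader was asked for

        CheckingLoader(ClassLoader parent, Set<String> defineHere) {
            super(parent);
            this.defineHere = defineHere;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                seen.add(name);
                if (DENIED.contains(name)) {
                    throw new SecurityException("No class access allowed for class: " + name);
                }
                if (!defineHere.contains(name)) {
                    // Defined by the parent: whatever that class references later is resolved
                    // by the parent and never passes through this method.
                    return super.loadClass(name, resolve);
                }
                Class<?> c = findLoadedClass(name);
                if (c != null) return c;
                String path = name.replace('.', '/') + ".class";
                try (InputStream in = getParent().getResourceAsStream(path)) {
                    if (in == null) throw new ClassNotFoundException(name);
                    byte[] b = in.readAllBytes();
                    return defineClass(name, b, 0, b.length);
                } catch (IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
        }
    }

    static String run(boolean helperViaParent) throws Exception {
        String untrusted = Untrusted.class.getName(), helper = Helper.class.getName();
        Set<String> own = helperViaParent ? Set.of(untrusted) : Set.of(untrusted, helper);
        CheckingLoader loader = new CheckingLoader(LoaderDelegationDemo.class.getClassLoader(), own);
        Callable<?> task = (Callable<?>) loader.loadClass(untrusted).getDeclaredConstructor().newInstance();
        try {
            return "ran: " + task.call() + " (System checked: " + loader.seen.contains("java.lang.System") + ")";
        } catch (SecurityException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Helper defined by checking loader -> " + run(false));
        System.out.println("Helper handed to parent loader    -> " + run(true));
    }
}
```

The first line reports the access to java.lang.System as blocked; the second reports that the call ran and that the checking loader was never asked about java.lang.System.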

#3 2014-12-22 08:47:52

tastyPI
Member
Registered: 2014-12-17

Re: [Sandbox] Denying access in a used class

Hello Arno,

first of all I really appreciate your answer! Sadly I can't reproduce your result. If I take your last piece of code e.g.:

 
import java.util.List;
import java.util.concurrent.TimeUnit;

import net.datenwerke.sandbox.*;
import net.datenwerke.sandbox.SandboxContext.AccessType;
import net.datenwerke.sandbox.SandboxContext.RuntimeMode;
import net.datenwerke.sandbox.handlers.BadThreadKillHandler;

public class Sandkiste {

    public static void main(String[] args) {
        Sandkiste s = new Sandkiste();
        s.run();
    }

    public void run() {
        SandboxService sandboxService = SandboxServiceImpl.getInstance();

        /* configure context */
        SandboxContext context = new SandboxContext();
        context.setDebug(true);

        context.addClassPermission(AccessType.PERMIT, Test.class.getName());
        context.addClassPermission(AccessType.PERMIT, UntrustedCode.class.getName());

        context.setRunInThread(true);

        /* run code in sandbox */
        SandboxedCallResult<List<String>> result = sandboxService.runSandboxed(UntrustedCode.class, context);

        /* output result */
    }
}

My result is sadly a java.lang.NoClassDefFoundError, rather than the expected java.security.AccessControlException. My full console log:

Dez 22, 2014 9:47:11 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
INFORMATION: started sandbox server: SandboxRemoteServerNr1
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.jvm.server.SandboxJvmServer <init>
INFORMATION: started sandbox server: SandboxRemoteServerNr2
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: UntrustedCode
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: net.datenwerke.sandbox.SandboxedEnvironment
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: java.lang.Object
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: java.util.List
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: java.lang.Exception
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxLoader loadClass
INFORMATION: (939047783) about to load class: Test
Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
INFORMATION: (2042447294) : PermissionCheck: ("java.io.FilePermission" "\C:\Users\Tobias\workspace\Sandkiste\bin\Test.class" "read")

Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
WARNUNG: (2042447294) : DENY: PermissionCheck: ("java.io.FilePermission" "\C:\Users\Tobias\workspace\Sandkiste\bin\Test.class" "read")
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class sun.misc.URLClassPath
	2	: class sun.misc.URLClassPath$FileLoader
	3	: class sun.misc.URLClassPath$FileLoader
	4	: class sun.misc.URLClassPath
	5	: class java.net.URLClassLoader$2
	6	: class java.net.URLClassLoader$2
	7	: class java.net.URLClassLoader
	8	: class java.lang.ClassLoader
	9	: class java.net.URLClassLoader
	10	: class net.datenwerke.sandbox.SandboxLoader
	11	: class java.lang.ClassLoader
	12	: class UntrustedCode
	13	: class net.datenwerke.sandbox.SandboxedThread

Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
INFORMATION: (2042447294) : PermissionCheck: ("java.io.FilePermission" "\C:\Users\Tobias\workspace\Sandkiste\bin\Test.class" "read")

Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
WARNUNG: (2042447294) : DENY: PermissionCheck: ("java.io.FilePermission" "\C:\Users\Tobias\workspace\Sandkiste\bin\Test.class" "read")
	0	: class net.datenwerke.sandbox.SandboxSecurityManager
	1	: class java.lang.SecurityManager
	2	: class sun.misc.URLClassPath
	3	: class sun.misc.URLClassPath$FileLoader
	4	: class sun.misc.URLClassPath$FileLoader
	5	: class sun.misc.URLClassPath
	6	: class java.net.URLClassLoader$2
	7	: class java.net.URLClassLoader$2
	8	: class java.net.URLClassLoader
	9	: class java.lang.ClassLoader
	10	: class java.net.URLClassLoader
	11	: class net.datenwerke.sandbox.SandboxLoader
	12	: class java.lang.ClassLoader
	13	: class UntrustedCode
	14	: class net.datenwerke.sandbox.SandboxedThread

Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
INFORMATION: (2042447294) : PackageAccessCheck: java.util

Dez 22, 2014 9:47:12 AM net.datenwerke.sandbox.SandboxContext debug
INFORMATION: (2042447294) : PackageAccessCheck: java.util

Exception in thread "main" net.datenwerke.sandbox.exception.SandboxException: java.lang.NoClassDefFoundError: Test
	at net.datenwerke.sandbox.SandboxServiceImpl.run(SandboxServiceImpl.java:568)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:499)
	at net.datenwerke.sandbox.SandboxServiceImpl.runSandboxed(SandboxServiceImpl.java:490)
	at Sandkiste.run(Sandkiste.java:34)
	at Sandkiste.main(Sandkiste.java:15)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at net.datenwerke.sandbox.SandboxedThread.run(SandboxedThread.java:59)
Caused by: java.lang.NoClassDefFoundError: Test
	at UntrustedCode.execute(UntrustedCode.java:9)
	... 5 more
Caused by: java.lang.ClassNotFoundException: Could not load Test
	at net.datenwerke.sandbox.SandboxLoader.loadClass(SandboxLoader.java:330)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	... 6 more
Caused by: java.lang.ClassNotFoundException: Could not find Test
	at net.datenwerke.sandbox.SandboxLoader.loadClass(SandboxLoader.java:308)
	... 7 more

Cheers

Offline

#4 2014-12-22 10:00:36

Arno Mittelbach
datenwerke
Registered: 2012-02-14

Re: [Sandbox] Denying access in a used class

Hi,

you are running into a FilePermission check which is denied. When instantiating a context using

new SandboxContext();

the sandbox tries to add default read permissions for everything in the classpath. For this it uses the property

System.getProperty("java.class.path");

My guess is that for some reason this does not work on your system. An alternative could be that there is a bug concerning the
path recognition (I think I only tested it on Unix systems). To find out what file permissions are set, put a breakpoint after the
instantiation of the context object and look for the member "fileReadPermissions".

To simply allow read access for all files you can add

context.addFilePermission(FileAccess.READ, AccessType.PERMIT, new FilePrefixPermission(""));

Cheers
Arno

Offline
