Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve compatibility with SecurityManager #7983

Merged
merged 10 commits into from
Apr 5, 2023

Conversation

laurit
Copy link
Contributor

@laurit laurit commented Mar 6, 2023

This pr gives classes defined in agent and extension class loaders all permissions. Injected helper classes are also defined with all permissions. Agent startup is altered so that we won't call methods that require permission before we are able to get those permissions.
This pr does not attempt to address issues where agent code could allow user code to circumvent security manager e.g. https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/InstrumentationHolder.java gives access to Instrumentation that could be used to redefine classes and remove security checks. Also this pr does not address failed permission checks that could arise from user code calling agent code. When user code, that does not have privileges, calls agent code, that has the privileges, and agent code performs a sensitive operation then permission check would fail because it is performed for all calling classes, including the user classes. To fix this agent code should uses AccessController.doPrivileged which basically means that, hey I have done all the checks, run this call with my privileges and ignore the privileges of my callers.

@laurit laurit marked this pull request as ready for review March 6, 2023 16:28
@laurit laurit requested a review from a team March 6, 2023 16:28
@trask
Copy link
Member

trask commented Mar 8, 2023

I added to SIG agenda, just want to talk through and understand this part better:

This pr does not attempt to address issues where agent code could allow user code to circumvent security manager

@laurit laurit force-pushed the security-manager branch from 70b1cd2 to 43133e0 Compare March 23, 2023 11:59
laurit added a commit that referenced this pull request Mar 23, 2023
// verification is very slow before the JIT compiler starts up, which on Java 8 is not until
// after premain execution completes
JarFile agentJar = new JarFile(javaagentFile, false);
JarFile agentJar = ((JarURLConnection) url.openConnection()).getJarFile();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this now reuse the underlying JarFile that was already opened for reading OpenTelemetryAgent class file? and by doing so bypass (re-)verification?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought this would have access to an already open JarFile, but debugger shows that it is opening a new one. Reverted this back to new JarFile(javaagentFile, false);
There are more places where jar files are open with verification. When the main agent class (OpenTelemetryAgent) is loaded then the agent jar is open with verification. I think this could be avoided by adding the agent jar to boot classpath, could use Boot-Class-Path manifest attribute. When byte buddy starts retransforming then class file locators call getResourceAsStream on BootstrapClassLoaderProxy which results in jar verification (adding agent to boot loader should also fix these).
If you are serious about speeding up jdk8 startup with jar verification then your best bet is to enable the delay agent start thing in AgentInitializer for all jdk8.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are serious about speeding up jdk8 startup with jar verification then your best bet is to enable the delay agent start thing in AgentInitializer for all jdk8.

oh, good idea, I'll try this out, thx

@laurit
Copy link
Contributor Author

laurit commented Apr 3, 2023

@trask The final remaining issue is where should we document this flag and add the disclaimer. Any ideas?

@trask
Copy link
Member

trask commented Apr 3, 2023

@trask The final remaining issue is where should we document this flag and add the disclaimer. Any ideas?

I forgot this existed, but could at least go here: https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/docs/advanced-configuration-options.md

@github-actions github-actions bot requested a review from theletterf April 4, 2023 12:38
Comment on lines +29 to +30
[1] Disclaimer: agent can provide application means for escaping security manager sandbox. Do not use
this option if your application relies on security manager to run untrusted code.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@laurit laurit force-pushed the security-manager branch from 4eae9b0 to d4df9a9 Compare April 5, 2023 09:57
@laurit laurit merged commit 2f0819a into open-telemetry:main Apr 5, 2023
@laurit laurit deleted the security-manager branch April 5, 2023 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants