Last active
December 17, 2015 21:50
-
-
Save wsargent/26554cf229931bd620de to your computer and use it in GitHub Desktop.
Prograde example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // https://github.com/pro-grade/pro-grade | |
| libraryDependencies += "net.sourceforge.pro-grade" % "pro-grade" % "1.1.1" | |
| // Require fork to avoid the SBT security manager | |
| fork := true | |
| // Once prograde has been generated, use the security policy defined. | |
| // REMINDER: You will have to run "reload" if you change these settings with a running SBT. | |
| javaOptions in (run) ++= Seq("-Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM", | |
| "-Djava.security.policy==prograde.policy") | |
| // Run the app initially with the policy file generator (with ALL USE CASES) | |
| javaOptions in (Test) ++= Seq("-Djava.security.manager=net.sourceforge.prograde.sm.PolicyFileGeneratorJSM", | |
| "-Djava.security.policy==/dev/null", | |
| "-Dprograde.generated.policy=prograde.policy") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package com.example | |
| object Hello { | |
| def main(args: Array[String]): Unit = { | |
| val runtime = Runtime.getRuntime | |
| val cwd = System.getProperty("user.dir") | |
| val process = runtime.exec(s"$cwd/testscript.sh") // pick something harmless | |
| println("Process executed without security manager interference!") | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Loose security policy, you must explicitly deny things here. | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html | |
| priority "grant"; | |
| deny { | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#AWTPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#FilePermission | |
| // minimum necessary to make program faile | |
| // permission java.io.FilePermission "<<ALL FILES>>", "execute"; | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SerializablePermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#ManagementPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#RuntimePermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#NetPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SocketPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#URLPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#LinkPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#AllPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SecurityPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#UnresolvedPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SQLPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#LoggingPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#PropertyPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#MBeanPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#MBeanServerPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#MBeanTrustPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SubjectDelegationPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#SSLPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#AuthPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#DelegationPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#ServicePermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#PrivateCredentialPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#AudioPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#JAXBPermission | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html#WebServicePermission | |
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Strict security policy that will only give the minimum needed. | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html | |
| // https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html | |
| grant { | |
| // You can read user.dir | |
| permission java.util.PropertyPermission "user.dir", "read"; | |
| // Gets access to the current user directory script | |
| permission java.io.FilePermission "${user.dir}/testscript.sh", "execute"; | |
| permission java.util.PropertyPermission "scala.control.noTraceSuppression", "read"; | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment