I struggle a little bit with the java-sandbox API. Consider the following code:

Sandkiste.java:

```java
import java.util.List;
import java.util.concurrent.TimeUnit;

import net.datenwerke.sandbox.*;
import net.datenwerke.sandbox.SandboxContext.AccessType;
import net.datenwerke.sandbox.SandboxContext.RuntimeMode;
import net.datenwerke.sandbox.handlers.BadThreadKillHandler;

public class Sandkiste {

    public static void main(String[] args) {
        Sandkiste s = new Sandkiste();
        s.run();
    }

    public void run() {
        SandboxService sandboxService = SandboxServiceImpl.getInstance();

        /* configure context */
        SandboxContext context = new SandboxContext();

        context.addClassForApplicationLoader("Test");

        context.addClassPermission(AccessType.PERMIT, "Test");
        context.addClassPermission(AccessType.PERMIT, UntrustedCode.class.getName());
        context.addClassPermission(AccessType.DENY, "java.lang.System");
        context.addClassPermission(AccessType.DENY, "java.io.PrintStream");

        context.setRunInThread(true);

        /* run code in sandbox */
        SandboxedCallResult<List<String>> result = sandboxService.runSandboxed(UntrustedCode.class, context);

        /* output result */
    }
}
```

UntrustedCode.java:

```java
import java.util.List;

import net.datenwerke.sandbox.SandboxedEnvironment;

public class UntrustedCode implements SandboxedEnvironment<List<String>> {

    @Override
    public List<String> execute() throws Exception {
        Test t = new Test();
        t.print();

        return null;
    }
}
```

Test.java:

```java
public class Test {
    public void print() {
        System.out.println("Erlaubt!");
    }
}
```

I want to deny the access of the System.class in all classes which are being executed in the sandbox, but despite denying permission of the System.class the class "Test" is still able to call methods of System. Is there a way to realize this?

tastyPI
  • Can't reproduce. I get `java.security.AccessControlException: No class access allowed for class: Test`. If I add `context.addClassPermission(AccessType.PERMIT, "Test");`, I get the expected behavior. – geert3 Dec 17 '14 at 13:03
  • You are right. I added the missing line in. But my problem still remains: I want to give Test.class permission to run, but I still want to deny permission of the System object even if the Test.class uses it. If I run the above code I still get "Erlaubt!" as an output. – tastyPI Dec 17 '14 at 13:50
  • I don't, output is `java.security.AccessControlException: No class access allowed for class: java.lang.System`. Took your code, java-sandbox-0.3.jar and the recommended dependencies from their site. – geert3 Dec 17 '14 at 14:04
  • commons-io-2.4.jar, commons-lang-2.6.jar, commons-collections-3.2.1.jar, jsr305-2.0.1.jar, javassist-3.18.1-GA.jar – geert3 Dec 17 '14 at 14:07
  • That's strange. I used the exact same configuration as you did, but sadly I still get the same result: "Erlaubt!". Could it have something to do with the Java version I am using? I am using JDK8. – tastyPI Dec 17 '14 at 15:27
  • I have tested with JRE5 and JRE7. I have no 8 yet on my machine. – geert3 Dec 17 '14 at 15:33
  • I also tested the JRE7. Strangely it didn't work either. Could it have something to do with a Java or Eclipse setting? – tastyPI Dec 17 '14 at 16:30

2 Answers

I think you should remove the line

```java
context.addClassForApplicationLoader("Test");
```

I can only guess but it looks like it makes the Test class behave as not under the control of SandBox but under control of the "normal" Class Loader.

geert3
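
An added illustration, not code from either poster or from the java-sandbox project: the JVM rule behind the guess above, shown with JDK classes only. A class's references are resolved through the loader that defined it, so a hypothetical name-filtering loader (`FilteringLoader`, with `Worker` standing in for `Test`; both are assumptions of this demo) blocks `java.lang.System` only for a class it defines itself, not for one it leaves to the application loader.

```java
import java.io.InputStream;

public class LoaderDelegationDemo {
    // Stand-in for the question's Test class: it touches java.lang.System.
    public static class Worker implements Runnable {
        @Override public void run() { System.getProperty("java.version"); }
    }

    // Hypothetical name-filtering loader, assumed for this demo; not java-sandbox's loader.
    static class FilteringLoader extends ClassLoader {
        private final boolean defineWorkerHere;

        FilteringLoader(boolean defineWorkerHere) {
            super(LoaderDelegationDemo.class.getClassLoader());
            this.defineWorkerHere = defineWorkerHere;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.equals("java.lang.System")) { // mirrors the DENY rule in the question
                throw new SecurityException("No class access allowed for class: " + name);
            }
            if (defineWorkerHere && name.equals(Worker.class.getName())) {
                Class<?> loaded = findLoadedClass(name);
                if (loaded != null) return loaded;
                // Define Worker here so that its own references resolve through this filter.
                String path = name.replace('.', '/') + ".class";
                try (InputStream in = getParent().getResourceAsStream(path)) {
                    if (in == null) throw new ClassNotFoundException(name);
                    byte[] bytes = in.readAllBytes(); // Java 9+
                    return defineClass(name, bytes, 0, bytes.length);
                } catch (java.io.IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
            return super.loadClass(name, resolve); // everything else: parent-first delegation
        }
    }

    static String run(boolean defineWorkerHere) throws Exception {
        try {
            Class<?> worker = new FilteringLoader(defineWorkerHere).loadClass(Worker.class.getName());
            ((Runnable) worker.getDeclaredConstructor().newInstance()).run();
            return "ran";
        } catch (SecurityException | LinkageError e) {
            return "blocked: " + e;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("Worker defined by filtering loader: " + run(true));
        System.out.println("Worker left to application loader:  " + run(false));
    }
}
```

Compile with `javac` and run on Java 9 or later. Whether java-sandbox's own loader treats `addClassForApplicationLoader` this way is the answer's guess, not something this demo establishes.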

I fixed my problem. The problem was that I was running this code on Windows. In Windows you have to grant all files read access. So adding the following line solved my problem.

```java
context.addFilePermission(FileAccess.READ, AccessType.PERMIT, new FilePrefixPermission(""));
```

tastyPI