Add updated catalina.policy patch to allow ECJ usage under the Security Manager

This commit is contained in:
Coty Sutherland 2020-04-22 14:55:15 -04:00
parent eaac8d384c
commit 8d1457151e
2 changed files with 14 additions and 28 deletions

View File

@ -1,39 +1,20 @@
--- conf/catalina.policy~ 2016-06-17 10:20:17.649171968 -0400
+++ conf/catalina.policy 2016-06-17 10:23:35.358309244 -0400
@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex
permission java.security.AllPermission;
--- conf/catalina.policy.orig 2020-04-22 14:51:13.734893403 -0400
+++ conf/catalina.policy 2020-04-22 15:14:57.609677967 -0400
@@ -51,6 +51,17 @@ grant codeBase "file:${java.home}/lib/ex
};
+// ========== RHEL SPECIFIC CODE PERMISSIONS =======================================
+
+
+// Allowing everything in /usr/share/java allows too many unknowns to be permitted
+// Specifying the individual jars that tomcat needs to function with the security manager
+// is the safest way forward.
+grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/log4j.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/ecj.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/apache-commons-pool.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
+grant codeBase "file:/usr/share/java/ecj/ecj.jar" {
+ permission java.security.AllPermission;
+};
+
+
// ========== CATALINA CODE PERMISSIONS =======================================

View File

@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@ -81,6 +81,7 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-build.patch
Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
BuildArch: noarch
@ -208,6 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch0 -p0
%patch1 -p0
%patch2 -p0
%patch3 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@ -617,6 +619,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
* Wed Apr 22 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-2
- Add updated catalina.policy patch to allow ECJ usage under the Security Manager
* Tue Apr 21 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-1
- Update to 9.0.34