Sandboxing an application with the Java security manager

Hello,

I’m trying to sandbox an application by having the Java security manager
check its permissions, but JRuby seems to bypass those restrictions. For
instance,

jruby -J-Djava.security.manager -e "puts File.read('/etc/hosts').size"

simply succeeds, while

java -Djava.security.manager Main

on a previously compiled Main.java[1] fails as expected with an

Exception in thread "main" java.security.AccessControlException:
access denied (java.io.FilePermission /etc/hosts read)

Can you explain why JRuby doesn’t trip over the security manager?

[1] Main.java

import java.io.*;

public class Main {

    public static void main(String[] args) throws Exception {
        char[] cbuf = new char[4*1024];
        System.out.println(new FileReader(new File("/etc/hosts")).read(cbuf));
    }
}

best regards,

Ivo W.

On Sat, Oct 16, 2010 at 11:35 AM, Ivo W. [email protected] wrote:

import java.io.*;

public class Main {

    public static void main(String[] args) throws Exception {
        char[] cbuf = new char[4*1024];
        System.out.println(new FileReader(new File("/etc/hosts")).read(cbuf));
    }
}

It’s probably because of our custom IO layer and the way we deal with
things at the descriptor level, bypassing FileReader/Writer etc. I’d
file a bug, as JRuby should probably heed the Java security manager
behavior.

Thanks,
/Nick
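
One way to narrow down where a runtime's IO layer stops being checked, as an added example that is not part of the original thread or of JRuby: a probe that installs a recording security manager and reports which JDK file-opening paths call checkRead. The class names ReadCheckProbe and RecordingManager and the Opener interface are hypothetical; it assumes a JDK that still supports System.setSecurityManager (JDK 17 or older, or JDK 18 to 23 started with -Djava.security.manager=allow).

```java
import java.io.FileReader;
import java.io.RandomAccessFile;
import java.nio.channels.FileChannel;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

// Added example: records which read paths consult the security manager.
public class ReadCheckProbe {

    // Hypothetical helper: permits everything, but logs every checkRead(String)
    // so the probe can see whether an open went through the manager at all.
    static class RecordingManager extends SecurityManager {
        final List<String> reads = new ArrayList<>();
        @Override public void checkPermission(Permission perm) { /* allow all */ }
        @Override public synchronized void checkRead(String file) { reads.add(file); }
    }

    // One way of opening a file for reading.
    interface Opener { AutoCloseable open(String path) throws Exception; }

    // Opens the file through the given path and reports whether the manager
    // was asked about exactly that file name during the open.
    static boolean consultsManager(RecordingManager sm, String path, Opener o)
            throws Exception {
        sm.reads.clear();
        try (AutoCloseable c = o.open(path)) { /* opening is enough */ }
        return sm.reads.contains(path);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/etc/hosts";
        RecordingManager sm = new RecordingManager();
        System.setSecurityManager(sm);

        System.out.println("FileReader        checked: "
                + consultsManager(sm, path, FileReader::new));
        System.out.println("RandomAccessFile  checked: "
                + consultsManager(sm, path, p -> new RandomAccessFile(p, "r")));
        System.out.println("FileChannel (NIO) checked: "
                + consultsManager(sm, path,
                        p -> FileChannel.open(Paths.get(p), StandardOpenOption.READ)));
    }
}
```

A path that reports false, or a read that succeeds under -Djava.security.manager without a matching FilePermission grant, is a place where the sandbox is not being enforced and is worth including in the bug report.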