'Re: RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses '

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-serviceability-dev
Subject:    Re: RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses 
From:       Dmitry Samersoff <dmitry.samersoff () oracle ! com>
Date:       2017-03-29 15:10:40
Message-ID: 41366a7c-f92d-b02f-01e3-85832c1086db () oracle ! com
[Download RAW message or body]

Robbin,

> One follow-up issue is that if you start suspended
> and than connect with
> an unallowed client the JVM starts and executes the program.

Fixed.

see http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.15

-Dmitry

On 2017-03-16 15:59, Robbin Ehn wrote:
> Hi Dmitry, thanks for the update.
> 
> One follow-up issue is that if you start suspended and than connect with
> an unallowed client the JVM starts and executes the program.
> Simple program prints "Hello".
> 
> [rehn@rehn-ws vanilla-hs]$ java
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:9999,allow=1.2.3.0/32
> -cp . H
> Listening for transport dt_socket at address: 9999
> ERROR: Peer not allowed to connect
> Listening for transport dt_socket at address: 9999
> Hello
> 
> I think it would be good if the VM stayed suspended when an unallowed
> client connects.
> 
> Thanks, Robbin
> 
> On 03/13/2017 08:07 PM, Dmitry Samersoff wrote:
>> Robbin,
>>
>> Please, see:
>>
>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11
>>
>>> 1:
>>> So connecting with an unallowed client terminates the VM.
>>
>> Fixed.
>>
>>> 2:
>>> Starting with an bad allow filter terminates the VM when connecting a
>>> client.
>>
>> Moved allowed parameter (and parser call) to StartListening.
>>
>> -Dmitry
>>
>>
>> On 2017-03-10 15:56, Robbin Ehn wrote:
>>> Hi Dmitry,
>>>
>>> I took a look at this, I have two practical issues:
>>>
>>> 1:
>>> [rehn@rehn-ws dev]$ java
>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
>>>
>>> -cp runs ForEver
>>> Listening for transport dt_socket at address: 9999
>>> ERROR: transport error 202: peer not allowed to connect: Success
>>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>>> error [transport.c:358]
>>>
>>> So connecting with an unallowed client terminates the VM.
>>>
>>> 2:
>>> [rehn@rehn-ws dev]$ java
>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
>>>
>>> -cp runs ForEver
>>> Listening for transport dt_socket at address: 9999
>>> ERROR: transport error 202: unable to parse list of allowed peers:
>>> Success
>>> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
>>> error [transport.c:358]
>>>
>>> Starting with an bad allow filter terminates the VM when connecting a
>>> client.
>>>
>>>
>>> Connecting with an unallowed ip/port should not terminate the VM and we
>>> should verify allow filter directly at startup.
>>>
>>> Thanks
>>>
>>> /Robbin
>>>
>>> On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
>>>> Everybody,
>>>>
>>>> Please review:
>>>>
>>>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>>>>
>>>> These changes introduce new parameter[1] of the socket transport -
>>>> allow. Users can explicitly specify a list of hosts that allowed to
>>>> connect to jdwp server and it's the second part of JDWP hardening[2].
>>>>
>>>> No restrictions are applied by default now but I'll file a separate CR
>>>> to restrict list of allowed peers to localhost by default.
>>>>
>>>> Also these changes implement versioning for jdwp transport and therefor
>>>> simplify feature development of jdwp.
>>>>
>>>>
>>>> 1. Example command line:
>>>>
>>>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
>>>> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>>>>
>>>> Possible values for allow parameter:
>>>>   *           - accept connections from everywhere.
>>>>   N.N.N.N     - accept connections from this IP address only
>>>>   N.N.N.N/nn  - accept connections from particular ip subnet
>>>>
>>>>
>>>>
>>>> 2. JDK-8052136 JDWP hardening
>>>>
>>>> -Dmitry
>>>>
>>
>>


-- 
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic