Security sandbox references

Java

Official documentation

References

Security policy file

The JDK's default security policy file is $JAVA_HOME/conf/security/java.policy. Sample contents:

//
// This system policy file grants a set of default permissions to all domains
// and can be configured to grant additional permissions to modules and other
// code sources. The code source URL scheme for modules linked into a
// run-time image is "jrt".
//
// For example, to grant permission to read the "foo" property to the module
// "com.greetings", the grant entry is:
//
// grant codeBase "jrt:/com.greetings" {
//     permission java.util.PropertyPermission "foo", "read";
// };
//

// default permissions granted to all domains
grant {
    // allows anyone to listen on dynamic ports
    permission java.net.SocketPermission "localhost:0", "listen";

    // "standard" properties that can be read by anyone
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission
                   "java.specification.version", "read";
    permission java.util.PropertyPermission
                   "java.specification.maintenance.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission
                   "java.vm.specification.version", "read";
    permission java.util.PropertyPermission
                   "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission
                   "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
};

Security properties file

The JDK's default security properties file is $JAVA_HOME/conf/security/java.security. It is fairly long and rich in information.

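How to load a specified properties file:

  • To load the file given by the URL in addition to the default file, add the following argument to the command line:
    -Djava.security.properties=<URL>
    
  • To load only the file given by the URL, use the following command-line argument instead:
    -Djava.security.properties==<URL>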
    

Security properties

  • security.provider.X

  • jdk.security.provider.preferred

  • securerandom.source

  • securerandom.strongAlgorithms

  • securerandom.drbg.config

  • login.configuration.provider

  • login.config.url.X

  • policy.provider

  • policy.url.X

  • policy.expandProperties

  • policy.allowSystemProperty

  • policy.ignoreIdentityScope

  • keystore.type

  • keystore.type.compat

  • package.access

  • package.definition

  • security.overridePropertiesFile

  • ssl.KeyManagerFactory.algorithm

  • ssl.TrustManagerFactory.algorithm

  • networkaddress.cache.ttl

  • networkaddress.cache.stale.ttl

  • networkaddress.cache.negative.ttl

  • ocsp.enable

  • ocsp.responderURL

  • ocsp.responderCertSubjectName

  • ocsp.responderCertIssuerName

  • ocsp.responderCertSerialNumber

  • krb5.kdc.bad.policy

  • sun.security.krb5.disableReferrals

  • sun.security.krb5.maxReferrals

  • jdk.disabled.namedCurves

  • jdk.certpath.disabledAlgorithms

  • jdk.security.legacyAlgorithms

  • jdk.jar.disabledAlgorithms

  • http.auth.digest.disabledAlgorithms

  • jdk.tls.disabledAlgorithms

  • jdk.tls.legacyAlgorithms

  • jdk.tls.server.defaultDHEParameters

  • jdk.tls.keyLimits

  • crypto.policy
    Default value: unlimited

  • jdk.xml.dsig.secureValidationPolicy

  • jdk.xml.dsig.hereFunctionSupported
    Default value: true

  • jdk.serialFilterFactory

  • jdk.serialFilter

  • sun.rmi.registry.registryFilter
    Default value: maxarray=1000000;maxdepth=20;java.lang.String;java.lang.Number;java.lang.reflect.Proxy;java.rmi.Remote;sun.rmi.server.UnicastRef;sun.rmi.server.RMIClientSocketFactory;sun.rmi.server.RMIServerSocketFactory;java.rmi.server.UID

  • sun.rmi.transport.dgcFilter
    Default value: java.rmi.server.ObjID;java.rmi.server.UID;java.rmi.dgc.VMID;java.rmi.dgc.Lease;maxdepth=5;maxarray=10000

  • jceks.key.serialFilter
    Default value: java.base/java.lang.Enum;java.base/java.security.KeyRep;java.base/java.security.KeyRep$Type;java.base/javax.crypto.spec.SecretKeySpec;!*

  • jdk.jceks.iterationCount
    Default value: 200000

  • keystore.pkcs12.certProtectionAlgorithm
    Default value: PBEWithHmacSHA256AndAES_256

  • keystore.pkcs12.certPbeIterationCount
    Default value: 10000

  • keystore.pkcs12.keyProtectionAlgorithm
    Default value: PBEWithHmacSHA256AndAES_256

  • keystore.pkcs12.keyPbeIterationCount
    Default value: 10000

  • keystore.pkcs12.macAlgorithm
    Default value: HmacPBESHA256

  • keystore.pkcs12.macIterationCount
    Default value: 10000

  • jdk.includeInExceptions

    Enhanced exception message information

    Default value: hostInfo,jar
    Allowed values:

    • hostInfo
    • jar
  • jdk.sasl.disabledMechanisms

    Disabled mechanisms for the Simple Authentication and Security Layer (SASL)

  • jdk.security.caDistrustPolicies

    Policies for distrusting Certificate Authorities (CAs).

    Default value: SYMANTEC_TLS

  • jdk.io.permissionsUseCanonicalPath

    FilePermission path canonicalization

    Default value: false

  • jdk.security.krb5.default.initiate.credential

    Policies for the proxy_impersonator Kerberos ccache configuration entry

    Default value: always-impersonate
    Allowed values:

    • no-impersonate
    • try-impersonate
    • always-impersonate
  • jdk.security.allowNonCaAnchor

    Trust Anchor Certificates - CA Basic Constraint check

    Default value: true

  • jdk.tls.alpnCharset

    The default Character set name (java.nio.charset.Charset.forName()) for converting TLS ALPN values between byte arrays and Strings.

    Default value: ISO_8859_1

  • jdk.jndi.object.factoriesFilter

    Global JNDI Object Factories Filter

    Default value: *

  • jdk.jndi.ldap.object.factoriesFilter

    Protocol Specific JNDI/LDAP Object Factories Filter

    Default value: java.naming/com.sun.jndi.ldap.**;!*

  • jdk.jndi.rmi.object.factoriesFilter

    Protocol Specific JNDI/RMI Object Factories Filter

    Default value: jdk.naming.rmi/com.sun.jndi.rmi.**;!*

  • jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket

    Policy for non-forwardable service ticket in a S4U2proxy request

    Default value: false
    See 1.3.2 S4U2proxy
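
An added example (not from the original post or from the JDK): a start-up check that compares the effective values of some of the properties listed above with the defaults this page gives, and reports how -Djava.security.properties was supplied. The class name, the chosen subset of properties and the MATCH/UNSET/DIFFERS labels are assumptions made for this example.

```java
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

public class SecurityPropertyAudit {
    // Defaults as listed on this page; other JDK releases may ship different values.
    static final Map<String, String> PAGE_DEFAULTS = new LinkedHashMap<>();
    static {
        PAGE_DEFAULTS.put("crypto.policy", "unlimited");
        PAGE_DEFAULTS.put("jdk.jceks.iterationCount", "200000");
        PAGE_DEFAULTS.put("jdk.security.caDistrustPolicies", "SYMANTEC_TLS");
        PAGE_DEFAULTS.put("jdk.io.permissionsUseCanonicalPath", "false");
        PAGE_DEFAULTS.put("jdk.jndi.ldap.object.factoriesFilter",
                "java.naming/com.sun.jndi.ldap.**;!*");
        PAGE_DEFAULTS.put("jdk.jndi.rmi.object.factoriesFilter",
                "jdk.naming.rmi/com.sun.jndi.rmi.**;!*");
        PAGE_DEFAULTS.put("keystore.pkcs12.macIterationCount", "10000");
    }

    /** UNSET: no entry in the loaded files, so the JDK's built-in default applies. */
    static String classify(String expected, String actual) {
        if (actual == null) return "UNSET";
        // Ignore whitespace so that values wrapped over several lines compare equal.
        String a = actual.replaceAll("\\s+", "");
        String e = expected.replaceAll("\\s+", "");
        return a.equals(e) ? "MATCH" : "DIFFERS";
    }

    /** Describes how -Djava.security.properties was given on the command line. */
    static String overrideMode(String sysProp) {
        if (sysProp == null) return "none";
        // "-Djava.security.properties==<URL>" leaves a leading '=' in the value.
        return sysProp.startsWith("=") ? "replace defaults with " + sysProp.substring(1)
                                       : "load in addition: " + sysProp;
    }

    public static void main(String[] args) {
        System.out.println("override: "
                + overrideMode(System.getProperty("java.security.properties")));
        System.out.println("security.overridePropertiesFile = "
                + Security.getProperty("security.overridePropertiesFile"));
        int differing = 0;
        for (Map.Entry<String, String> d : PAGE_DEFAULTS.entrySet()) {
            String actual = Security.getProperty(d.getKey());
            String state = classify(d.getValue(), actual);
            if (state.equals("DIFFERS")) differing++;
            System.out.printf("%-8s %s = %s%n", state, d.getKey(), actual);
        }
        // Non-zero exit lets a start-up or CI check fail when a value was changed.
        System.exit(differing == 0 ? 0 : 1);
    }
}
```

A property whose line is commented out in java.security reports UNSET, because Security.getProperty only returns values present in the loaded files.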

Python

posted @ 2024-03-20 10:17  jackieathome