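#
# Medium security policy that prevents the most critical security risks and additionally prevents access to files and
# network.
#
# Higher position of ALLOW/DENY block has higher priority.
# For more info about permissions in JDK see https://docs.oracle.com/en/java/javase/11/security/permissions-jdk1.html
# For more info about OSGi permissions see http://docs.osgi.org/specification/osgi.core/7.0.0/framework.module.html#d0e6606
#
# How to read this file:
#  * Every block is one OSGi ConditionalPermissionInfo: an ALLOW/DENY decision, an optional [condition],
#    a list of (permission "name" "actions") entries and a unique block name in quotes.
#  * This is a deny list. The last block grants java.security.AllPermission to every bundle, so a sandbox bundle
#    is refused only what an earlier DENY block names explicitly. A permission type that is missing from the
#    DENY lists (for example one introduced by a newer JDK or by a newly added library) is therefore granted.
#    Review the DENY lists whenever the JDK or the set of platform bundles changes.
#  * A DENY entry blocks a request only when the listed permission implies the requested one, which is why the
#    entries use wildcard names ("*", "getenv.*", "<<ALL FILES>>") rather than concrete targets.
#  * Each sandbox's ALLOW block is placed above its DENY block on purpose: the narrow grant for the public
#    net.corda.v5.* API wins over the broader net.corda.* and ServicePermission "*" denials that follow it.
#  * The policy has an effect only while a Java SecurityManager is installed in the JVM.
#
DENY {
    [org.osgi.service.condpermadmin.BundleLocationCondition "*"]
    (org.osgi.framework.ServicePermission "org.osgi.service.permissionadmin.PermissionAdmin" "register")
} "The OSGi framework reserves certain privileges for itself."

#
# Permissions for FLOW Sandbox
#
ALLOW {
    [org.osgi.service.condpermadmin.BundleLocationCondition "FLOW/*"]
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.v5.*" "")
    (org.osgi.framework.PackagePermission "net.corda.v5.*" "import")
    (org.osgi.framework.ServicePermission "net.corda.v5.*" "get")
    (org.osgi.framework.ServicePermission "(location=FLOW/*)" "get")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.fibers.suspend" "import")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "FLOW")
} "Allow public packages and services for FLOW Sandbox"

# The FilePermission target below must be the JDK token "<<ALL FILES>>". Any other name (such as "<>") is treated
# as a literal path, implies no real file, and would leave file access to the final AllPermission grant.
# NOTE(review): unlike the PERSISTENCE block, this block does not deny accessDeclaredMembers,
# suppressAccessChecks or newProxyInPackage.*, so reflection stays permitted for FLOW bundles - confirm this is intended.
DENY {
    [org.osgi.service.condpermadmin.BundleLocationCondition "FLOW/*"]
    (org.osgi.framework.AdminPermission "*" "*")
    (org.osgi.framework.BundlePermission "*" "host,fragment")
    (org.osgi.framework.PackagePermission "org.osgi.framework" "import")
    (org.osgi.framework.PackagePermission "org.osgi.service.component" "import")
    (org.osgi.framework.PackagePermission "net.corda" "exportonly,import")
    (org.osgi.framework.PackagePermission "net.corda.*" "exportonly,import")
    (org.osgi.framework.ServicePermission "org.osgi.framework.hooks.*" "register")
    (org.osgi.framework.ServicePermission "*" "get")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.common.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.fibers.*" "import")
    (co.paralleluniverse.fibers.instrument.QuasarPermission "configuration" "")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "*")
    (java.io.SerializablePermission "enableSubclassImplementation" "")
    (java.io.SerializablePermission "enableSubstitution" "")
    (java.lang.management.ManagementPermission "control" "")
    (java.lang.management.ManagementPermission "monitor" "")
    (java.lang.RuntimePermission "createClassLoader" "")
    (java.lang.RuntimePermission "getClassLoader" "")
    (java.lang.RuntimePermission "setContextClassLoader" "")
    (java.lang.RuntimePermission "enableContextClassLoaderOverride" "")
    (java.lang.RuntimePermission "closeClassLoader" "")
    (java.lang.RuntimePermission "setSecurityManager" "")
    (java.lang.RuntimePermission "createSecurityManager" "")
    (java.lang.RuntimePermission "getenv.*" "")
    (java.lang.RuntimePermission "exitVM" "")
    (java.lang.RuntimePermission "shutdownHooks" "")
    (java.lang.RuntimePermission "setFactory" "")
    (java.lang.RuntimePermission "setIO" "")
    (java.lang.RuntimePermission "modifyThread" "")
    (java.lang.RuntimePermission "stopThread" "")
    (java.lang.RuntimePermission "modifyThreadGroup" "")
    (java.lang.RuntimePermission "getProtectionDomain" "")
    (java.lang.RuntimePermission "loadLibrary.*" "")
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.*" "")
    (java.lang.RuntimePermission "defineClassInPackage.*" "")
    (java.lang.RuntimePermission "queuePrintJob" "")
    (java.lang.RuntimePermission "getStackTrace" "")
    (java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler" "")
    (java.lang.RuntimePermission "preferences" "")
    (java.net.NetPermission "setDefaultAuthenticator" "")
    (java.net.NetPermission "requestPasswordAuthentication" "")
    (java.net.NetPermission "specifyStreamHandler" "")
    (java.net.NetPermission "setProxySelector" "")
    (java.net.NetPermission "getProxySelector" "")
    (java.net.NetPermission "setCookieHandler" "")
    (java.net.NetPermission "getCookieHandler" "")
    (java.net.NetPermission "setResponseCache" "")
    (java.net.NetPermission "getResponseCache" "")
    (java.net.SocketPermission "*" "accept,listen,connect,resolve")
    (java.net.URLPermission "http://*:*" "*:*")
    (java.net.URLPermission "https://*:*" "*:*")
    (java.nio.file.LinkPermission "hard" "")
    (java.nio.file.LinkPermission "symbolic" "")
    (java.security.SecurityPermission "createAccessControlContext" "")
    (java.security.SecurityPermission "getDomainCombiner" "")
    (java.security.SecurityPermission "getPolicy" "")
    (java.security.SecurityPermission "setPolicy" "")
    (java.security.SecurityPermission "createPolicy.*" "")
    (java.security.SecurityPermission "getProperty.*" "")
    (java.security.SecurityPermission "setProperty.*" "")
    (java.security.SecurityPermission "insertProvider" "")
    (java.security.SecurityPermission "removeProvider.*" "")
    (java.security.SecurityPermission "clearProviderProperties.*" "")
    (java.security.SecurityPermission "putProviderProperty.*" "")
    (java.security.SecurityPermission "removeProviderProperty.*" "")
    (java.sql.SQLPermission "setLog" "")
    (java.sql.SQLPermission "callAbort" "")
    (java.sql.SQLPermission "setSyncFactory" "")
    (java.sql.SQLPermission "setNetworkTimeout" "")
    (java.sql.SQLPermission "deregisterDriver" "")
    (java.util.PropertyPermission "*" "read,write")
    (javax.management.MBeanPermission "*" "*")
    (javax.management.MBeanServerPermission "*" "")
    (javax.management.MBeanTrustPermission "*" "")
    (javax.management.remote.SubjectDelegationPermission "*" "")
    (javax.net.ssl.SSLPermission "setHostnameVerifier" "")
    (javax.net.ssl.SSLPermission "getSSLSessionContext" "")
    (javax.net.ssl.SSLPermission "setDefaultSSLContext" "")
    (javax.security.auth.AuthPermission "doAs" "")
    (javax.security.auth.AuthPermission "doAsPrivileged" "")
    (javax.security.auth.AuthPermission "getSubject" "")
    (javax.security.auth.AuthPermission "getSubjectFromDomainCombiner" "")
    (javax.security.auth.AuthPermission "setReadOnly" "")
    (javax.security.auth.AuthPermission "modifyPrincipals" "")
    (javax.security.auth.AuthPermission "modifyPublicCredentials" "")
    (javax.security.auth.AuthPermission "modifyPrivateCredentials" "")
    (javax.security.auth.AuthPermission "refreshCredential" "")
    (javax.security.auth.AuthPermission "destroyCredential" "")
    (javax.security.auth.AuthPermission "createLoginContext.*" "")
    (javax.security.auth.AuthPermission "getLoginConfiguration" "")
    (javax.security.auth.AuthPermission "setLoginConfiguration" "")
    (javax.security.auth.AuthPermission "createLoginConfiguration.*" "")
    (javax.security.auth.AuthPermission "refreshLoginConfiguration" "")
    (javax.security.auth.PrivateCredentialPermission "*" "")
    (javax.sound.sampled.AudioPermission "play" "")
    (javax.sound.sampled.AudioPermission "record" "")
    (javax.xml.bind.JAXBPermission "setDatatypeConverter" "")
    (javax.xml.ws.WebServicePermission "publishEndpoint" "")
    (java.io.FilePermission "<<ALL FILES>>" "read,write,delete,execute,readLink")
    (java.lang.RuntimePermission "getFileSystemAttributes" "")
    (java.lang.RuntimePermission "readFileDescriptor" "")
    (java.lang.RuntimePermission "writeFileDescriptor" "")
} "Medium security profile for FLOW Sandbox"

#
# Permissions for PERSISTENCE Sandbox
#
ALLOW {
    [org.osgi.service.condpermadmin.BundleLocationCondition "PERSISTENCE/*"]
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.v5.*" "")
    (org.osgi.framework.PackagePermission "net.corda.v5.*" "import")
    (org.osgi.framework.ServicePermission "net.corda.v5.*" "get")
    (org.osgi.framework.ServicePermission "(location=PERSISTENCE/*)" "get")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "PERSISTENCE")
} "Allow public packages and services for PERSISTENCE Sandbox"

# Same deny list as the FLOW sandbox, plus three reflection permissions at the end
# (accessDeclaredMembers, suppressAccessChecks, newProxyInPackage.*).
# The FilePermission target must be the JDK token "<<ALL FILES>>"; any other name is a literal path and denies nothing.
DENY {
    [org.osgi.service.condpermadmin.BundleLocationCondition "PERSISTENCE/*"]
    (org.osgi.framework.AdminPermission "*" "*")
    (org.osgi.framework.BundlePermission "*" "host,fragment")
    (org.osgi.framework.PackagePermission "org.osgi.framework" "import")
    (org.osgi.framework.PackagePermission "org.osgi.service.component" "import")
    (org.osgi.framework.PackagePermission "net.corda" "exportonly,import")
    (org.osgi.framework.PackagePermission "net.corda.*" "exportonly,import")
    (org.osgi.framework.ServicePermission "org.osgi.framework.hooks.*" "register")
    (org.osgi.framework.ServicePermission "*" "get")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.common.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.fibers.*" "import")
    (co.paralleluniverse.fibers.instrument.QuasarPermission "configuration" "")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "*")
    (java.io.SerializablePermission "enableSubclassImplementation" "")
    (java.io.SerializablePermission "enableSubstitution" "")
    (java.lang.management.ManagementPermission "control" "")
    (java.lang.management.ManagementPermission "monitor" "")
    (java.lang.RuntimePermission "createClassLoader" "")
    (java.lang.RuntimePermission "getClassLoader" "")
    (java.lang.RuntimePermission "setContextClassLoader" "")
    (java.lang.RuntimePermission "enableContextClassLoaderOverride" "")
    (java.lang.RuntimePermission "closeClassLoader" "")
    (java.lang.RuntimePermission "setSecurityManager" "")
    (java.lang.RuntimePermission "createSecurityManager" "")
    (java.lang.RuntimePermission "getenv.*" "")
    (java.lang.RuntimePermission "exitVM" "")
    (java.lang.RuntimePermission "shutdownHooks" "")
    (java.lang.RuntimePermission "setFactory" "")
    (java.lang.RuntimePermission "setIO" "")
    (java.lang.RuntimePermission "modifyThread" "")
    (java.lang.RuntimePermission "stopThread" "")
    (java.lang.RuntimePermission "modifyThreadGroup" "")
    (java.lang.RuntimePermission "getProtectionDomain" "")
    (java.lang.RuntimePermission "loadLibrary.*" "")
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.*" "")
    (java.lang.RuntimePermission "defineClassInPackage.*" "")
    (java.lang.RuntimePermission "queuePrintJob" "")
    (java.lang.RuntimePermission "getStackTrace" "")
    (java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler" "")
    (java.lang.RuntimePermission "preferences" "")
    (java.net.NetPermission "setDefaultAuthenticator" "")
    (java.net.NetPermission "requestPasswordAuthentication" "")
    (java.net.NetPermission "specifyStreamHandler" "")
    (java.net.NetPermission "setProxySelector" "")
    (java.net.NetPermission "getProxySelector" "")
    (java.net.NetPermission "setCookieHandler" "")
    (java.net.NetPermission "getCookieHandler" "")
    (java.net.NetPermission "setResponseCache" "")
    (java.net.NetPermission "getResponseCache" "")
    (java.net.SocketPermission "*" "accept,listen,connect,resolve")
    (java.net.URLPermission "http://*:*" "*:*")
    (java.net.URLPermission "https://*:*" "*:*")
    (java.nio.file.LinkPermission "hard" "")
    (java.nio.file.LinkPermission "symbolic" "")
    (java.security.SecurityPermission "createAccessControlContext" "")
    (java.security.SecurityPermission "getDomainCombiner" "")
    (java.security.SecurityPermission "getPolicy" "")
    (java.security.SecurityPermission "setPolicy" "")
    (java.security.SecurityPermission "createPolicy.*" "")
    (java.security.SecurityPermission "getProperty.*" "")
    (java.security.SecurityPermission "setProperty.*" "")
    (java.security.SecurityPermission "insertProvider" "")
    (java.security.SecurityPermission "removeProvider.*" "")
    (java.security.SecurityPermission "clearProviderProperties.*" "")
    (java.security.SecurityPermission "putProviderProperty.*" "")
    (java.security.SecurityPermission "removeProviderProperty.*" "")
    (java.sql.SQLPermission "setLog" "")
    (java.sql.SQLPermission "callAbort" "")
    (java.sql.SQLPermission "setSyncFactory" "")
    (java.sql.SQLPermission "setNetworkTimeout" "")
    (java.sql.SQLPermission "deregisterDriver" "")
    (java.util.PropertyPermission "*" "read,write")
    (javax.management.MBeanPermission "*" "*")
    (javax.management.MBeanServerPermission "*" "")
    (javax.management.MBeanTrustPermission "*" "")
    (javax.management.remote.SubjectDelegationPermission "*" "")
    (javax.net.ssl.SSLPermission "setHostnameVerifier" "")
    (javax.net.ssl.SSLPermission "getSSLSessionContext" "")
    (javax.net.ssl.SSLPermission "setDefaultSSLContext" "")
    (javax.security.auth.AuthPermission "doAs" "")
    (javax.security.auth.AuthPermission "doAsPrivileged" "")
    (javax.security.auth.AuthPermission "getSubject" "")
    (javax.security.auth.AuthPermission "getSubjectFromDomainCombiner" "")
    (javax.security.auth.AuthPermission "setReadOnly" "")
    (javax.security.auth.AuthPermission "modifyPrincipals" "")
    (javax.security.auth.AuthPermission "modifyPublicCredentials" "")
    (javax.security.auth.AuthPermission "modifyPrivateCredentials" "")
    (javax.security.auth.AuthPermission "refreshCredential" "")
    (javax.security.auth.AuthPermission "destroyCredential" "")
    (javax.security.auth.AuthPermission "createLoginContext.*" "")
    (javax.security.auth.AuthPermission "getLoginConfiguration" "")
    (javax.security.auth.AuthPermission "setLoginConfiguration" "")
    (javax.security.auth.AuthPermission "createLoginConfiguration.*" "")
    (javax.security.auth.AuthPermission "refreshLoginConfiguration" "")
    (javax.security.auth.PrivateCredentialPermission "*" "")
    (javax.sound.sampled.AudioPermission "play" "")
    (javax.sound.sampled.AudioPermission "record" "")
    (javax.xml.bind.JAXBPermission "setDatatypeConverter" "")
    (javax.xml.ws.WebServicePermission "publishEndpoint" "")
    (java.io.FilePermission "<<ALL FILES>>" "read,write,delete,execute,readLink")
    (java.lang.RuntimePermission "getFileSystemAttributes" "")
    (java.lang.RuntimePermission "readFileDescriptor" "")
    (java.lang.RuntimePermission "writeFileDescriptor" "")
    (java.lang.RuntimePermission "accessDeclaredMembers" "")
    (java.lang.reflect.ReflectPermission "suppressAccessChecks" "")
    (java.lang.reflect.ReflectPermission "newProxyInPackage.*" "")
} "Medium security profile for PERSISTENCE Sandbox"

#
# Permissions for VERIFICATION Sandbox
#
ALLOW {
    [org.osgi.service.condpermadmin.BundleLocationCondition "VERIFICATION/*"]
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.v5.*" "")
    (org.osgi.framework.PackagePermission "net.corda.v5.*" "import")
    (org.osgi.framework.ServicePermission "net.corda.v5.*" "get")
    (org.osgi.framework.ServicePermission "(location=VERIFICATION/*)" "get")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "VERIFICATION")
} "Allow public packages and services for VERIFICATION Sandbox"

# Same deny list as the FLOW sandbox.
# The FilePermission target must be the JDK token "<<ALL FILES>>"; any other name is a literal path and denies nothing.
# NOTE(review): the reflection permissions denied for PERSISTENCE are not denied here - confirm this is intended.
DENY {
    [org.osgi.service.condpermadmin.BundleLocationCondition "VERIFICATION/*"]
    (org.osgi.framework.AdminPermission "*" "*")
    (org.osgi.framework.BundlePermission "*" "host,fragment")
    (org.osgi.framework.PackagePermission "org.osgi.framework" "import")
    (org.osgi.framework.PackagePermission "org.osgi.service.component" "import")
    (org.osgi.framework.PackagePermission "net.corda" "exportonly,import")
    (org.osgi.framework.PackagePermission "net.corda.*" "exportonly,import")
    (org.osgi.framework.ServicePermission "org.osgi.framework.hooks.*" "register")
    (org.osgi.framework.ServicePermission "*" "get")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.asm.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.common.*" "import")
    (org.osgi.framework.PackagePermission "co.paralleluniverse.fibers.*" "import")
    (co.paralleluniverse.fibers.instrument.QuasarPermission "configuration" "")
    (net.corda.internal.serialization.amqp.CustomSerializerPermission "*")
    (java.io.SerializablePermission "enableSubclassImplementation" "")
    (java.io.SerializablePermission "enableSubstitution" "")
    (java.lang.management.ManagementPermission "control" "")
    (java.lang.management.ManagementPermission "monitor" "")
    (java.lang.RuntimePermission "createClassLoader" "")
    (java.lang.RuntimePermission "getClassLoader" "")
    (java.lang.RuntimePermission "setContextClassLoader" "")
    (java.lang.RuntimePermission "enableContextClassLoaderOverride" "")
    (java.lang.RuntimePermission "closeClassLoader" "")
    (java.lang.RuntimePermission "setSecurityManager" "")
    (java.lang.RuntimePermission "createSecurityManager" "")
    (java.lang.RuntimePermission "getenv.*" "")
    (java.lang.RuntimePermission "exitVM" "")
    (java.lang.RuntimePermission "shutdownHooks" "")
    (java.lang.RuntimePermission "setFactory" "")
    (java.lang.RuntimePermission "setIO" "")
    (java.lang.RuntimePermission "modifyThread" "")
    (java.lang.RuntimePermission "stopThread" "")
    (java.lang.RuntimePermission "modifyThreadGroup" "")
    (java.lang.RuntimePermission "getProtectionDomain" "")
    (java.lang.RuntimePermission "loadLibrary.*" "")
    (java.lang.RuntimePermission "accessClassInPackage.net.corda.*" "")
    (java.lang.RuntimePermission "defineClassInPackage.*" "")
    (java.lang.RuntimePermission "queuePrintJob" "")
    (java.lang.RuntimePermission "getStackTrace" "")
    (java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler" "")
    (java.lang.RuntimePermission "preferences" "")
    (java.net.NetPermission "setDefaultAuthenticator" "")
    (java.net.NetPermission "requestPasswordAuthentication" "")
    (java.net.NetPermission "specifyStreamHandler" "")
    (java.net.NetPermission "setProxySelector" "")
    (java.net.NetPermission "getProxySelector" "")
    (java.net.NetPermission "setCookieHandler" "")
    (java.net.NetPermission "getCookieHandler" "")
    (java.net.NetPermission "setResponseCache" "")
    (java.net.NetPermission "getResponseCache" "")
    (java.net.SocketPermission "*" "accept,listen,connect,resolve")
    (java.net.URLPermission "http://*:*" "*:*")
    (java.net.URLPermission "https://*:*" "*:*")
    (java.nio.file.LinkPermission "hard" "")
    (java.nio.file.LinkPermission "symbolic" "")
    (java.security.SecurityPermission "createAccessControlContext" "")
    (java.security.SecurityPermission "getDomainCombiner" "")
    (java.security.SecurityPermission "getPolicy" "")
    (java.security.SecurityPermission "setPolicy" "")
    (java.security.SecurityPermission "createPolicy.*" "")
    (java.security.SecurityPermission "getProperty.*" "")
    (java.security.SecurityPermission "setProperty.*" "")
    (java.security.SecurityPermission "insertProvider" "")
    (java.security.SecurityPermission "removeProvider.*" "")
    (java.security.SecurityPermission "clearProviderProperties.*" "")
    (java.security.SecurityPermission "putProviderProperty.*" "")
    (java.security.SecurityPermission "removeProviderProperty.*" "")
    (java.sql.SQLPermission "setLog" "")
    (java.sql.SQLPermission "callAbort" "")
    (java.sql.SQLPermission "setSyncFactory" "")
    (java.sql.SQLPermission "setNetworkTimeout" "")
    (java.sql.SQLPermission "deregisterDriver" "")
    (java.util.PropertyPermission "*" "read,write")
    (javax.management.MBeanPermission "*" "*")
    (javax.management.MBeanServerPermission "*" "")
    (javax.management.MBeanTrustPermission "*" "")
    (javax.management.remote.SubjectDelegationPermission "*" "")
    (javax.net.ssl.SSLPermission "setHostnameVerifier" "")
    (javax.net.ssl.SSLPermission "getSSLSessionContext" "")
    (javax.net.ssl.SSLPermission "setDefaultSSLContext" "")
    (javax.security.auth.AuthPermission "doAs" "")
    (javax.security.auth.AuthPermission "doAsPrivileged" "")
    (javax.security.auth.AuthPermission "getSubject" "")
    (javax.security.auth.AuthPermission "getSubjectFromDomainCombiner" "")
    (javax.security.auth.AuthPermission "setReadOnly" "")
    (javax.security.auth.AuthPermission "modifyPrincipals" "")
    (javax.security.auth.AuthPermission "modifyPublicCredentials" "")
    (javax.security.auth.AuthPermission "modifyPrivateCredentials" "")
    (javax.security.auth.AuthPermission "refreshCredential" "")
    (javax.security.auth.AuthPermission "destroyCredential" "")
    (javax.security.auth.AuthPermission "createLoginContext.*" "")
    (javax.security.auth.AuthPermission "getLoginConfiguration" "")
    (javax.security.auth.AuthPermission "setLoginConfiguration" "")
    (javax.security.auth.AuthPermission "createLoginConfiguration.*" "")
    (javax.security.auth.AuthPermission "refreshLoginConfiguration" "")
    (javax.security.auth.PrivateCredentialPermission "*" "")
    (javax.sound.sampled.AudioPermission "play" "")
    (javax.sound.sampled.AudioPermission "record" "")
    (javax.xml.bind.JAXBPermission "setDatatypeConverter" "")
    (javax.xml.ws.WebServicePermission "publishEndpoint" "")
    (java.io.FilePermission "<<ALL FILES>>" "read,write,delete,execute,readLink")
    (java.lang.RuntimePermission "getFileSystemAttributes" "")
    (java.lang.RuntimePermission "readFileDescriptor" "")
    (java.lang.RuntimePermission "writeFileDescriptor" "")
} "Medium security profile for VERIFICATION Sandbox"

# Catch-all: must stay the LAST block. Everything not denied above is granted, for sandbox and platform bundles alike.
ALLOW {
    (java.security.AllPermission "" "")
} "Allow everything else"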