From ad57f1127ffad893698b0e95b98e4382e0ca0094 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Apr 22 2020 19:23:50 +0000
Subject: Add updated catalina.policy patch to allow ECJ usage under the Security Manager
---
diff --git a/tomcat-9.0-catalina-policy.patch b/tomcat-9.0-catalina-policy.patch
index 3694929..487e2be 100644
--- a/tomcat-9.0-catalina-policy.patch
+++ b/tomcat-9.0-catalina-policy.patch
@@ -1,39 +1,20 @@ ---- conf/catalina.policy~ 2016-06-17 10:20:17.649171968 -0400 -+++ conf/catalina.policy 2016-06-17 10:23:35.358309244 -0400 -@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex - permission java.security.AllPermission; +--- conf/catalina.policy.orig 2020-04-22 14:51:13.734893403 -0400 ++++ conf/catalina.policy 2020-04-22 15:14:57.609677967 -0400 +@@ -51,6 +51,17 @@ grant codeBase "file:${java.home}/lib/ex }; + +// ========== RHEL SPECIFIC CODE PERMISSIONS ======================================= + ++ +// Allowing everything in /usr/share/java allows too many unknowns to be permitted +// Specifying the individual jars that tomcat needs to function with the security manager +// is the safest way forward. -+grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/log4j.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/ecj.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/apache-commons-pool.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" { -+ permission java.security.AllPermission; -+}; -+grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { ++grant codeBase "file:/usr/share/java/ecj/ecj.jar" { + permission java.security.AllPermission; +}; + - ++ // ========== CATALINA CODE PERMISSIONS ======================================= + diff --git a/tomcat.spec b/tomcat.spec index a10f05f..8589391 100644 --- a/tomcat.spec +++ b/tomcat.spec 
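Review bot: The new `grant codeBase "file:/usr/share/java/ecj/ecj.jar"` hands `java.security.AllPermission` to a codeBase named by one absolute path, so it only takes effect if the CodeSource URL the class loader reports for ECJ is exactly that string; if the RPM ships the jar under a versioned name, or Tomcat reaches it through a symlink in `${catalina.home}/lib` that is already covered by the upstream `lib/-` grant, this entry is either dead or redundant and JSP compilation under the Security Manager will fail silently. At the same time the hunk removes the per-jar grants for the servlet/JSP/EL API, log4j and the commons-pool/dbcp/collections jars while keeping the comment that says listing individual jars is "the safest way forward"; if any of those are still resolved from /usr/share/java on this build they lose all permissions under the SM, and the changelog only mentions ECJ, so that is worth confirming. I would also add a line above the grant explaining why ECJ alone needs this, e.g. `// ECJ (the JSP compiler) is loaded from the system jar path on RHEL rather than ${catalina.home}/lib, so the upstream lib/ grant is mirrored here` — assuming that is indeed the reason, which the patch does not state.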
@@ -59,7 +59,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: ASL 2.0 @@ -82,6 +82,7 @@ Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.p Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch Patch2: %{name}-build.patch Patch3: change-defaults-for-CVE-2020-1938.patch +Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch BuildArch: noarch @@ -208,6 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch1 -p0 %patch2 -p0 %patch3 -p0 +%patch4 -p0 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar @@ -617,6 +619,9 @@ fi %attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out %changelog +* Wed Apr 22 2020 Coty Sutherland - 1:9.0.34-2 +- Add updated catalina.policy patch to allow ECJ usage under the Security Manager + * Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1 - Update to 9.0.34