is it possible to block calls to System.exit through ConditionalPermissionAdmin?

Question

The documentation is not helping at all, OSGi in Action does not have an example head to toes on how to do things. For example, I want bundle A to deny a package import from Bundle B, etc. Simple examples, from start to end - I can't find them.

But back to my question, I want to block calls to System.exit for obvious reasons, besides "do not implement your own Security Manager", I did not get much from the Virgo forum, thus my question here.

EDIT

Since I want this to happen in Virgo, here is what I have tried:

 public void start(BundleContext context) throws Exception {
     System.out.println("===== Starting Bundle PermissionsTest =====");
     SecurityManager securityManager = System.getSecurityManager();
     if(securityManager == null) throw new IllegalArgumentException("Security Manager is not defined!");

     ServiceReference serviceReference = 
            (ServiceReference) context.getServiceReference(ConditionalPermissionAdmin.class.getName());
     if(serviceReference == null) throw new IllegalArgumentException(ConditionalPermissionAdmin.class.getName() + " IS NULL");
    else System.out.println("===== Good so far 1 =====");

     ConditionalPermissionAdmin conditionalPermissionAdmin = 
            (ConditionalPermissionAdmin)context.getService(serviceReference);
     if(conditionalPermissionAdmin == null) throw new IllegalArgumentException("ConditionalPermissionAdmin can not be found");
    else System.out.println("===== Good so far 2 =====");

What I did first in Virgo ie enable the Equinox Security Manager (because this is the one Virgo uses). The specification of the OSGi says that each container has to implement it's own Security Manager extended with a bunch of OSGi specific actions.

In case of Virgo this is Equinox Security Manager. Enabling it is pretty easy - just add two lines in bin/dmk.sh and thus you have it.

Ok, so I do have the ConditionalPermissionAdmin - good! Now, I can for example, add a Security Check, like, BundlePermission say for a Bundle. Sure, but that happens for bundle specific actions, like start/stop/export, etc etc. I can't seem to figure out how to do it for a LifeCycle action - System.exit in my case.

btw, I use version 4.2.0 of the osgi-core, and nope I can't upgrade to 4.3.0, at least not now.

Answer 1

System.exit is governed by RuntimePermission( "exitVm", "<>"), so the example syntax in the spec gives

DENY {
   ( java.lang.RuntimePermission "exitVm" "*" )
}

In Java code (haven't tested it, so beware):

ConditionalPermissionInfo info = admin.newConditionalPermissionInfo(
    "name", 
    null, 
    new PermissionInfo[] { new PermissionInfo(
       "java.lang.RuntimePermission", "exitVm", "*") },
    ConditionalPermissionInfo.DENY
);

ConditionalPermissionUpdate update = admin
   .newConditionalPermissionUpdate();
update.getConditionalPermissionInfos().add(0, info);
update.commit();

The subject is rather well treated in the book "OSGi in Action". Please remember that the primary audience of the specification was the implementer of the specification, not the end user. The members were supposed to provide the educational material to bridge that gap. Later specs tried to become more educational for end-users.