[Java Runtime Sandbox] Use pro-grade to restrict access to files

2025-12-21 09:01:56 -07:00 · 2020-12-20 05:11:27 +07:00 · 2020-12-20 05:11:27 +07:00 · c8ba710509
commit c8ba710509
parent e8fd43dc5f
6 changed files with 35 additions and 22 deletions
--- a/app_pojavlauncher/src/main/assets/about_en.txt
+++ b/app_pojavlauncher/src/main/assets/about_en.txt
@ -1,22 +1,16 @@
 %s (Minecraft Java Launcher for Android), version %s by Tran Khanh Duy (based on "Boardwalk" app)<br>

-* Using libraries:<br>
- • ClassWrapperMC: A simple wrapper to help launching Minecraft LaunchWrapper on JRE9 and later.<br>
- • gl4es: OpenGL for OpenGL ES devices by lunixbochs and ptitSeb.<br>
- • Apache Commons Compress.<br>
- • exp4j.<br>
- • LWJGL2 and LWJGL3.<br>
- 
 * License:<br>
 • This application is licensed under <a href="https://github.com/khanhduytran0/PojavLauncher/blob/master/LICENSE">GNU GPLv3</a>.<br>
 
-* Third party licenses:<br>
+* Third party components and their licenses:<br>
 • Apache Commons Compress (unknown or Apache License 2.0).<br>
 • exp4j: <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License 2.0</a>.<br>
 • GL4ES: <a href="https://github.com/ptitSeb/gl4es/blob/master/LICENSE">MIT License</a>.<br>
 • LegacyLauncher: (unknown license).<br>
 • OpenJDK: <a href="https://openjdk.java.net/legal/gplv2+ce.html">GNU GPLv2 License</a>.<br>
 • LWJGL: <a href="http://legacy.lwjgl.org/license.php.html">LWJGL 2's License</a>.<br><br>
+ • pro-gradle: <a href="https://github.com/pro-grade/pro-grade/blob/master/LICENSE.txt">Apache License 2.0</a>.<br>
 
 * Notes:<br>
 - This app is under development and will not be stable.<br>
--- a/app_pojavlauncher/src/main/assets/components/security/java_sandbox.policy
+++ b/app_pojavlauncher/src/main/assets/components/security/java_sandbox.policy
@ -0,0 +1,16 @@
+// PojavLauncher JRE Sandbox
+// DO NOT EDIT THIS FILE WITHOUT KNOWLEDGE!
+// This file is important to protect you against viruses/malwares that could be come from unknown Java Programs (run on mod install) or a mod.
+
+priority "grant";
+
+grant {
+    permission java.io.FilePermission "${java.io.tmpdir}/-", "read, write, delete";
+    permission java.io.FilePermission "${user.home}/-", "read, write, delete";
+};
+
+deny {
+    permission java.io.FilePermission "${pojav.path.private.account}/-", "read, write, delete";
+    permission java.io.FilePermission "<<ALL FILES>>", "write, delete, execute";
+};
+
--- a/app_pojavlauncher/src/main/assets/components/security/pro-grade.jar
+++ b/app_pojavlauncher/src/main/assets/components/security/pro-grade.jar
--- a/app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/PojavLoginActivity.java
+++ b/app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/PojavLoginActivity.java
@ -331,8 +331,9 @@ public class PojavLoginActivity extends BaseActivity
            new CustomControls(this).save(Tools.CTRLDEF_FILE);

            Tools.copyAssetFile(this, "components/ForgeInstallerHeadless/forge-installer-headless-1.0.1.jar", Tools.DIR_GAME_NEW + "/config", "forge-installer-headless.jar", true);
+            Tools.copyAssetFile(this, "components/security/pro-grade.jar", Tools.DIR_DATA, true);
+            Tools.copyAssetFile(this, "components/security/java_sandbox.policy", Tools.DIR_DATA, true);
            Tools.copyAssetFile(this, "options.txt", Tools.DIR_GAME_NEW, false);
-            // Tools.copyAssetFile(this, "java_sandbox.policy", Tools.DIR_DATA, true);
            // TODO: Remove after implement.
            Tools.copyAssetFile(this, "launcher_profiles.json", Tools.DIR_GAME_NEW, false);

@ -342,20 +343,17 @@ public class PojavLoginActivity extends BaseActivity
            if(!new File(Tools.DIR_GAME_NEW + "/lwjgl3/version").exists()) {
                Log.i("LWJGL3Prep","Pack was installed manually, or does not exist, unpacking new...");
                String[] lwjglFileList = am.list("components/lwjgl3");
-                FileOutputStream fos;
-                InputStream iis;
+                // FileOutputStream fos;
+                // InputStream iis;
                for(String s : lwjglFileList) {
+                    Tools.copyAssetFile(this, "components/lwjgl3/" + s, Tools.DIR_GAME_NEW + "/lwjgl3", true);
+                    /*
                    iis = am.open("components/lwjgl3/"+s);
                    fos = new FileOutputStream(new File(Tools.DIR_GAME_NEW+"/lwjgl3/"+s));
-                    /*
-                    int i; byte[] buf = new byte[1024];
-                    while((i = iis.read(buf)) != -1) {
-                        fos.write(buf,0,i);
-                    }
-                    */
                    IOUtils.copy(iis,fos);
                    fos.close();
                    iis.close();
+                    */
                }
            } else {
                FileInputStream fis = new FileInputStream(new File(Tools.DIR_GAME_NEW + "/lwjgl3/version"));
@ -364,7 +362,7 @@ public class PojavLoginActivity extends BaseActivity
                if (!release1.equals(release2)) {
                    String[] lwjglFileList = am.list("components/lwjgl3");
                    for (String s : lwjglFileList) {
-                        Tools.copyAssetFile(this, "components/lwjgl3/" + s, Tools.DIR_GAME_NEW+"/lwjgl3/",s, true);
+                        Tools.copyAssetFile(this, "components/lwjgl3/" + s, Tools.DIR_GAME_NEW + "/lwjgl3", true);
                    }
                } else {
                    Log.i("LWJGL3Prep","Pack is up-to-date with the launcher, continuing...");
--- a/app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/Tools.java
+++ b/app_pojavlauncher/src/main/java/net/kdt/pojavlaunch/Tools.java
@ -130,8 +130,9 @@ public final class Tools
        javaArgList.addAll(overrideableArgList);
        
        // Run java on sandbox, non-overrideable.
-        // javaArgList.add("-Djava.security.manager");
-        // javaArgList.add("-Djava.security.policy==" + Tools.DIR_DATA + "/java_sandbox.policy");
+        javaArgList.add("-Xbootclasspath/a:" + Tools.DIR_DATA + "/pro-grade.jar");
+        javaArgList.add("-Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM");
+        javaArgList.add("-Djava.security.policy==" + Tools.DIR_DATA + "/java_sandbox.policy");
    }

    public static String[] getMinecraftArgs(MinecraftAccount profile, JMinecraftVersionList.Version versionInfo) {
@ -325,7 +326,7 @@ public final class Tools
    }

    public static void copyAssetFile(Context ctx, String fileName, String output, boolean overwrite) throws IOException {
-        copyAssetFile(ctx, fileName, output, fileName, overwrite);
+        copyAssetFile(ctx, fileName, output, new File(fileName).getName(), overwrite);
    }

    public static void copyAssetFile(Context ctx, String fileName, String output, String outputName, boolean overwrite) throws IOException
--- a/jre_securitymanager/src/main/java/net/pojavlauncher/security/PojavSecurityManager.java
+++ b/jre_securitymanager/src/main/java/net/pojavlauncher/security/PojavSecurityManager.java
@ -1,6 +1,10 @@
 package net.pojavlauncher.security;
+import java.security.*;

 public class PojavSecurityManager extends SecurityManager
 {
-    
+    @Override
+    public void checkPermission(Permission perm, Object obj) {
+        super.checkPermission(perm, obj);
+    }
 }