This PR gives classes defined in agent and extension class loaders all permissions. Injected helper classes are also defined with all permissions. Agent startup is altered so that we won't call methods that require permission before we are able to get those permissions. This PR does not attempt to address issues where agent code could allow user code to circumvent the security manager, e.g. https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/main/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/InstrumentationHolder.java gives access to `Instrumentation` that could be used to redefine classes and remove security checks. Also, this PR does not address failed permission checks that could arise from user code calling agent code. When user code that does not have privileges calls agent code that has the privileges, and agent code performs a sensitive operation, then the permission check would fail because it is performed for all calling classes, including the user classes. To fix this, agent code should use `AccessController.doPrivileged`, which basically means: hey, I have done all the checks, run this call with my privileges and ignore the privileges of my callers.
Smoke Tests
Assert that various applications will start up with the JavaAgent without any obvious ill effects.
Each subproject underneath smoke-tests produces one or more Docker images containing some application under test. Various tests in the main module then use them to run the appropriate tests.