How to virtualize Java with isolation rules

Article:HOWTO75050  |  Created: 2012-04-10  |  Updated: 2012-04-10  |  Article URL http://www.symantec.com/docs/HOWTO75050
Article Type
How To


Isolation Scenario:

Users need to prevent each of their virtualized Java applications from seeing the Java installation in the base (the non-virtualized Windows installation).
 
To implement this, add an "isolation rule" to each of the application layers. This is done by editing the registry directly: each layer stores its settings under a registry key like the ones shown below, and the number at the end of the key name varies from system to system.
 
Run the command "svscmd.exe enum -v" and note that each layer has an entry called "Redirect Locations", which gives the locations of the redirect areas for the read-only and read-write sublayers. The rules must be added to the read-only sublayer.

In the read-only sublayer key of each layer, create a Multi-String (REG_MULTI_SZ) value named "IsolationRules". Each isolation rule occupies a single line of the multi-string and has the general form "Processes named x running from layer x are blocked from accessing objects named (x,x,x) found in layer x." The individual fields within a rule are separated by a single tab character. You cannot type the tabs directly in regedit's multi-string editor, so compose the lines in Notepad and then paste them into regedit.
 
The keys for our two layers live under the following parent key, and the rules go into the corresponding read-only sublayer key beneath it:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FSLX\Parameters\FSL (the parent key holding the layers), and the corresponding read-only sublayer key, for example:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FSLX\Parameters\FSL\5
 
Below is the full list of rules to add to the multi-string value named "IsolationRules".

NOTE: Replace [PROCESS LOCATION] with the word BASE or with the appropriate layer GUID (for this scenario, the GUID of the application layer whose processes must not see the base Java), and replace [REGISTRY LOCATION] with the word BASE or with the GUID of the layer that holds the objects being blocked (for this scenario, BASE).
 
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{CAFEEFAC*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\JavaPlugin*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\JavaSoft\Java Plug-in\*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\MACHINE\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}*  *  [REGISTRY LOCATION]
*.exe  [PROCESS LOCATION]  0x0002  \REGISTRY\USER\S-1-5-*\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}*  *  [REGISTRY LOCATION]
 
NOTE: The rules are shown above with spaces between the fields for readability. When you enter them in the registry, every separator between fields must be a single tab character, not spaces, and each rule must start on a new line of the multi-string.
Build these registry settings into the layer package before distributing it, so the rules apply on every machine that receives the layer rather than only where they were added by hand.
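Because the separators must be real tabs and regedit will not accept them typed in, the safest way to apply the list above is to generate the multi-string from a script. The following PowerShell is an added example, not part of the original article or of the product's tooling. It assumes the read-only sublayer key is ...\FSL\5 and uses an all-zero GUID as a stand-in for the application layer's GUID; take both from the "Redirect Locations" output of "svscmd.exe enum -v" on your system. It builds each rule as six tab-separated fields (process name, process location, then the three object fields 0x0002, registry path and *, then the object location), checks the field count before writing, creates the IsolationRules value, and reads it back with the tabs made visible so the separators can be verified.

```powershell
# Added example (not from the article): write the Java isolation rules for one layer
# into its read-only sublayer key with real tab separators.

# Assumption: the read-only sublayer key of the application layer. The trailing
# number differs per system; read it from "svscmd.exe enum -v" (Redirect Locations).
$SubLayerKey = 'HKLM:\SYSTEM\CurrentControlSet\services\FSLX\Parameters\FSL\5'

# Assumption: placeholder GUID for the application layer whose processes must not
# see the base Java. Replace with the real layer GUID.
$ProcessLocation = '{00000000-0000-0000-0000-000000000000}'

# The Java objects being hidden live in the base, so the object location is BASE.
$RegistryLocation = 'BASE'

# Registry object patterns exactly as listed in the article.
$objects = @(
    '\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC*',
    '\REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{CAFEEFAC*',
    '\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}*',
    '\REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}*',
    '\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}*',
    '\REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}*',
    '\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}*',
    '\REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}*',
    '\REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin*',
    '\REGISTRY\USER\S-1-5-*\SOFTWARE\Classes\JavaPlugin*',
    '\REGISTRY\MACHINE\SOFTWARE\JavaSoft\Java Plug-in\*',
    '\REGISTRY\MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\*',
    '\REGISTRY\MACHINE\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}*',
    '\REGISTRY\USER\S-1-5-*\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}*'
)

# One rule per object: "*.exe <TAB> <process layer> <TAB> 0x0002 <TAB> <path> <TAB> * <TAB> <object layer>".
# "`t" is a literal tab in a PowerShell double-quoted string, so no tabs are typed by hand.
$rules = foreach ($obj in $objects) {
    @('*.exe', $ProcessLocation, '0x0002', $obj, '*', $RegistryLocation) -join "`t"
}

# Sanity check before touching the registry: every rule must split into exactly six
# fields on tabs, and none of the fields may be empty.
foreach ($rule in $rules) {
    $fields = $rule -split "`t"
    if ($fields.Count -ne 6 -or ($fields | Where-Object { $_ -eq '' })) {
        throw "Malformed rule (expected 6 non-empty tab-separated fields): $rule"
    }
}

if (-not (Test-Path -Path $SubLayerKey)) {
    throw "Read-only sublayer key not found: $SubLayerKey (check svscmd.exe enum -v)"
}

# Create (or overwrite) the REG_MULTI_SZ value; each array element becomes one line.
New-ItemProperty -Path $SubLayerKey -Name 'IsolationRules' `
    -PropertyType MultiString -Value $rules -Force | Out-Null

# Read the value back and make the separators visible so spaces vs tabs can be checked.
(Get-ItemProperty -Path $SubLayerKey -Name 'IsolationRules').IsolationRules |
    ForEach-Object { $_ -replace "`t", '<TAB>' }
```

Run it from an elevated PowerShell prompt once per application layer, changing $SubLayerKey and $ProcessLocation for each. The read-back at the end should show exactly five <TAB> markers per line and no spaces between fields; if a line shows spaces there, the rule will not match and the base Java stays visible to that layer.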
 