In other words, are modern GNU/Linux or JVM (ideally Java 11+) able to prevent a Java process from executing other processes?
Issues such as Log4Shell and Spring4Shell seem possible because the JVM allows a Java application to execute other programs.
At the OS level, I imagine it may be possible with some process isolation, jails etc. Are there complete examples about that?
How about the JVM itself? With the Security Manager gone in recent versions, what options exist to harden a Java Virtual Machine?
I'm not sure there's a good way to do that. As discussed in Prevent forking in a child process, you can set an RLIMIT_NPROC limit. However, don't do that for your Java app - you will break it. Threads are just a special type of process on Linux, and if you restrict nproc you won't be able to create new threads.
Observe this behavior on a running java application
Then on the stdout of the java app
I tried this for a production app running in a docker container.
Note that the nproc limit isn't enforced if the process is running as root.
Moreover, it's quite easy to reproduce it with a simple Clojure REPL (or JShell variant of it):
Resources:
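An added example, not part of the question or answer above, that reproduces the answer's point in Python instead of a JVM: a forked child lowers its own RLIMIT_NPROC soft limit to 1 and then tries to start a thread. It assumes Linux; the refusal is only observable when the process is not root in the initial user namespace, which the second function checks.

```python
import os
import resource
import sys
import threading


def thread_starts_under_nproc_limit(limit: int = 1) -> bool:
    """Fork a child, lower its RLIMIT_NPROC soft limit to `limit`, then try
    to start one thread in it.  Returns True if the thread started, False if
    the kernel refused the clone() (EAGAIN, reported by Python as
    RuntimeError).  Done in a child so the caller keeps its own limits."""
    pid = os.fork()
    if pid == 0:
        code = 2  # anything unexpected in the child exits with 2
        try:
            # Only the soft limit is lowered; the hard limit stays inherited.
            _, hard = resource.getrlimit(resource.RLIMIT_NPROC)
            resource.setrlimit(resource.RLIMIT_NPROC, (limit, hard))
            worker = threading.Thread(target=lambda: None)
            worker.start()  # on Linux this is a clone(); it counts as a task
            worker.join()
            code = 0
        except RuntimeError:
            code = 1
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) == 0


def _in_initial_user_namespace() -> bool:
    """Root is exempt from RLIMIT_NPROC only as uid 0 of the initial user
    namespace; a 'root' inside a user namespace is still limited."""
    try:
        with open("/proc/self/uid_map") as f:
            return f.read().split() == ["0", "0", "4294967295"]
    except OSError:
        return False


def refusal_expected() -> bool:
    """True when the failed thread start should be observable on this host."""
    return sys.platform == "linux" and not (
        os.getuid() == 0 and _in_initial_user_namespace())


if __name__ == "__main__":
    print("thread started under nproc=1:", thread_starts_under_nproc_limit(),
          "| refusal expected here:", refusal_expected())
```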