I've run into a problem trying to limit actions that the OSGi bundle can perform. According to the documents I've read, permissions for OSGi bundles should be set in OSGI-INF/permissions.perm file within bundle's JAR. However, no matter what I write in that file (and no matter if this file exists or not), bundles seem to have AllPermissions. More specifically, I start OSGi from command line with command
D:\temp\2>java -jar org.eclipse.osgi_3.3.2.R33x_v20080105.jar -console
osgi> install file:/d:/temp/2/J1.jar
The permissions.perm does not specify what the bundle may do. It specifies what the bundle wants to do: See http://www.javacodegeeks.com/2012/11/permissions-in-osgi.html
So this file seems to be there to be able to fail fast if permissions are missing. You can even leave it out if this is not necessary for you.
The real security settings have to be done on the framework. See this for felix: https://felix.apache.org/documentation/subprojects/apache-felix-framework-security.html