[ https://issues.apache.org/jira/browse/LUCENE-4352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447314#comment-13447314 ]

Uwe Schindler commented on LUCENE-4352:
---------------------------------------

I played around a little bit and the above javadoc behaves exactly as proposed: 
Code from the default classloader can always call System.exit/System.halt. I 
played around and removed the RuntimePermission entirely to verify this; Lucene 
tests still passed with:

{noformat}
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setIO";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "getStackTrace";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission java.lang.RuntimePermission "shutdownHooks";
{noformat}

So theoretically we can restrict a lot of stuff (like calling Thread.stop(), 
which is deprecated) or setting another SecurityManager that circumvents our 
HighSecurity(tm) environment (LOL), but not System.exit().

There is only one possibility that I will check now: We currently pass:

{code:xml}
<sysproperty key="java.security.manager" value="java.lang.SecurityManager" />
{code}

If the test VM calls System.exit(), the SecurityManager's method checkExit() is 
in all cases invoked and can jump in... So we can provide a custom 
SecurityManager from the test framework that passes everything to the default 
manager (so enforcing our Policy), but on checkExit(int), it will inspect the 
stack trace like the preflex-RW codec does in Mike's hack and look for the 
test runner's "exit" signature to allow exit only for this case; in all other 
cases throw SecurityException.
                
> only the test runner should be able to System.exit
> --------------------------------------------------
>
>                 Key: LUCENE-4352
>                 URL: https://issues.apache.org/jira/browse/LUCENE-4352
>             Project: Lucene - Core
>          Issue Type: Bug
>            Reporter: Robert Muir
>
> All others should get SecurityException

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
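
The checkExit() approach proposed in the comment above, sketched as an added example that is not part of the original message and is not Lucene's code. The class name `ExitGuardSecurityManager` and the package prefix `org.example.testrunner.` are hypothetical stand-ins for the test framework's manager and the test runner's package.

```java
// Added example, not Lucene's code. SecurityManager is deprecated for removal
// since Java 17 (JEP 411); on Java 18+ installing one at runtime needs
// -Djava.security.manager=allow, and JDK 24 removed the ability to enable it.
public class ExitGuardSecurityManager extends SecurityManager {

    // Hypothetical package prefix of the only code allowed to end the JVM.
    static final String ALLOWED_CALLER_PREFIX = "org.example.testrunner.";

    @Override
    public void checkExit(int status) {
        // Throwable.getStackTrace() on the current thread needs no permission.
        if (!isAllowedExit(new Throwable().getStackTrace())) {
            throw new SecurityException(
                "System.exit(" + status + ") denied: caller is not the test runner");
        }
        super.checkExit(status); // still enforce the policy (exitVM permission)
    }

    // The frame directly below the Runtime/System exit entry points is the real caller.
    static boolean isAllowedExit(StackTraceElement[] stack) {
        boolean sawExitFrame = false;
        for (StackTraceElement frame : stack) {
            if (isExitFrame(frame)) {
                sawExitFrame = true;
            } else if (sawExitFrame) {
                return frame.getClassName().startsWith(ALLOWED_CALLER_PREFIX);
            }
        }
        return false; // fail closed if the expected frames are missing
    }

    private static boolean isExitFrame(StackTraceElement frame) {
        String cls = frame.getClassName(), method = frame.getMethodName();
        return ("java.lang.Runtime".equals(cls) && ("exit".equals(method) || "halt".equals(method)))
            || ("java.lang.System".equals(cls) && "exit".equals(method));
    }

    public static void main(String[] args) {
        System.setSecurityManager(new ExitGuardSecurityManager());
        try {
            System.exit(1); // this class is outside ALLOWED_CALLER_PREFIX
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The check trusts class names from the stack trace, so it catches stray exit calls in test code rather than code that deliberately defines classes in the allowed package. Reflective calls to System.exit() are denied as well, because the frame below the exit entry point is then a reflection frame.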
