Re: RFR 8168091: jlink should check security permission early when programmatic access is used
+1

Mandy

> On Oct 18, 2016, at 9:28 AM, Sundararajan Athijegannathan wrote:
>
> Okay, removed shell script and using a security policy. Rest of the stuff is
> same as previous webrev.
>
> http://cr.openjdk.java.net/~sundar/8168091/webrev.02/
>
> -Sundar
>
> On 18/10/16, 7:40 PM, Mandy Chung wrote:
>> When policy tag is set, jtreg will generate the policy for the test to
>> include the policy for jtreg. Since the test does not set it, maybe jtreg
>> does not generate it (sounds like a bug). What is -Djava.security.policy
>> set to in the jtreg test log?
>>
>> This may be a possible workaround:
>> @run main/othervm -Djava.security.manager JLinkToolProviderTest
>>
>> Otherwise, the change looks good.
>>
>> Mandy
>>
>>> On Oct 17, 2016, at 10:26 PM, Sundararajan Athijegannathan wrote:
>>>
>>> Hi,
>>>
>>> Thanks for your review. I've updated webrev with jdk.tools.jlink ->
>>> jdk.tools.jlink.internal refactoring. But, when I attempted to get rid of
>>> shell script in the test with your suggestion, I got:
>>>
>>> Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/Users/SATHIJEG/src/jdk9-dev/jdk/test/tools/jlink/JTwork/tools/jlink/JLinkToolProviderTest.d/main.0.jta" "read")
>>>     at java.security.AccessControlContext.checkPermission(java.base@9-internal/AccessControlContext.java:471)
>>>     at java.security.AccessController.checkPermission(java.base@9-internal/AccessController.java:894)
>>>     at java.lang.SecurityManager.checkPermission(java.base@9-internal/SecurityManager.java:548)
>>>     at java.lang.SecurityManager.checkRead(java.base@9-internal/SecurityManager.java:887)
>>>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:127)
>>>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:93)
>>>     at java.io.FileReader.<init>(java.base@9-internal/FileReader.java:58)
>>>     at com.sun.javatest.regtest.agent.MainWrapper.main(MainWrapper.java:46)
>>>
>>> Looks like I've to give AllPermission to all code in jtreg itself and leave
>>> the test only as sandbox! => I've to use a complicated policy file.
>>> Shell script avoids all that..
>>>
>>> Updated webrev: http://cr.openjdk.java.net/~sundar/8168091/webrev.01/
>>>
>>> Thanks,
>>> -Sundar
>>>
>>> On 18/10/16, 3:33 AM, Mandy Chung wrote:
>>>>> On Oct 17, 2016, at 10:23 AM, Sundararajan Athijegannathan wrote:
>>>>>
>>>>> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
>>>>> https://bugs.openjdk.java.net/browse/JDK-8168091
>>>> The shell test can be removed and use
>>>> @run main/othervm/secure=java.lang.SecurityManager
>>>>
>>>> You may want to move the classes in jdk.tools.jlink package to
>>>> jdk.tools.jlink.internal since they are now internal.
>>>>
>>>> Mandy
Re: RFR 8168091: jlink should check security permission early when programmatic access is used
Okay, removed shell script and using a security policy. Rest of the stuff is same as previous webrev.

http://cr.openjdk.java.net/~sundar/8168091/webrev.02/

-Sundar

On 18/10/16, 7:40 PM, Mandy Chung wrote:
> When policy tag is set, jtreg will generate the policy for the test to
> include the policy for jtreg. Since the test does not set it, maybe jtreg
> does not generate it (sounds like a bug). What is -Djava.security.policy
> set to in the jtreg test log?
>
> This may be a possible workaround:
> @run main/othervm -Djava.security.manager JLinkToolProviderTest
>
> Otherwise, the change looks good.
>
> Mandy
>
>> On Oct 17, 2016, at 10:26 PM, Sundararajan Athijegannathan wrote:
>>
>> Hi,
>>
>> Thanks for your review. I've updated webrev with jdk.tools.jlink ->
>> jdk.tools.jlink.internal refactoring. But, when I attempted to get rid of
>> shell script in the test with your suggestion, I got:
>>
>> Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/Users/SATHIJEG/src/jdk9-dev/jdk/test/tools/jlink/JTwork/tools/jlink/JLinkToolProviderTest.d/main.0.jta" "read")
>>     at java.security.AccessControlContext.checkPermission(java.base@9-internal/AccessControlContext.java:471)
>>     at java.security.AccessController.checkPermission(java.base@9-internal/AccessController.java:894)
>>     at java.lang.SecurityManager.checkPermission(java.base@9-internal/SecurityManager.java:548)
>>     at java.lang.SecurityManager.checkRead(java.base@9-internal/SecurityManager.java:887)
>>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:127)
>>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:93)
>>     at java.io.FileReader.<init>(java.base@9-internal/FileReader.java:58)
>>     at com.sun.javatest.regtest.agent.MainWrapper.main(MainWrapper.java:46)
>>
>> Looks like I've to give AllPermission to all code in jtreg itself and leave
>> the test only as sandbox! => I've to use a complicated policy file.
>> Shell script avoids all that..
>>
>> Updated webrev: http://cr.openjdk.java.net/~sundar/8168091/webrev.01/
>>
>> Thanks,
>> -Sundar
>>
>> On 18/10/16, 3:33 AM, Mandy Chung wrote:
>>>> On Oct 17, 2016, at 10:23 AM, Sundararajan Athijegannathan wrote:
>>>>
>>>> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
>>>> https://bugs.openjdk.java.net/browse/JDK-8168091
>>> The shell test can be removed and use
>>> @run main/othervm/secure=java.lang.SecurityManager
>>>
>>> You may want to move the classes in jdk.tools.jlink package to
>>> jdk.tools.jlink.internal since they are now internal.
>>>
>>> Mandy
Re: RFR 8168091: jlink should check security permission early when programmatic access is used
When policy tag is set, jtreg will generate the policy for the test to include the policy for jtreg. Since the test does not set it, maybe jtreg does not generate it (sounds like a bug). What is -Djava.security.policy set to in the jtreg test log?

This may be a possible workaround:
@run main/othervm -Djava.security.manager JLinkToolProviderTest

Otherwise, the change looks good.

Mandy

> On Oct 17, 2016, at 10:26 PM, Sundararajan Athijegannathan wrote:
>
> Hi,
>
> Thanks for your review. I've updated webrev with jdk.tools.jlink ->
> jdk.tools.jlink.internal refactoring. But, when I attempted to get rid of
> shell script in the test with your suggestion, I got:
>
> Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/Users/SATHIJEG/src/jdk9-dev/jdk/test/tools/jlink/JTwork/tools/jlink/JLinkToolProviderTest.d/main.0.jta" "read")
>     at java.security.AccessControlContext.checkPermission(java.base@9-internal/AccessControlContext.java:471)
>     at java.security.AccessController.checkPermission(java.base@9-internal/AccessController.java:894)
>     at java.lang.SecurityManager.checkPermission(java.base@9-internal/SecurityManager.java:548)
>     at java.lang.SecurityManager.checkRead(java.base@9-internal/SecurityManager.java:887)
>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:127)
>     at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:93)
>     at java.io.FileReader.<init>(java.base@9-internal/FileReader.java:58)
>     at com.sun.javatest.regtest.agent.MainWrapper.main(MainWrapper.java:46)
>
> Looks like I've to give AllPermission to all code in jtreg itself and leave
> the test only as sandbox! => I've to use a complicated policy file.
> Shell script avoids all that..
>
> Updated webrev: http://cr.openjdk.java.net/~sundar/8168091/webrev.01/
>
> Thanks,
> -Sundar
>
> On 18/10/16, 3:33 AM, Mandy Chung wrote:
>>> On Oct 17, 2016, at 10:23 AM, Sundararajan Athijegannathan wrote:
>>>
>>> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
>>> https://bugs.openjdk.java.net/browse/JDK-8168091
>> The shell test can be removed and use
>> @run main/othervm/secure=java.lang.SecurityManager
>>
>> You may want to move the classes in jdk.tools.jlink package to
>> jdk.tools.jlink.internal since they are now internal.
>>
>> Mandy
Re: RFR 8168091: jlink should check security permission early when programmatic access is used
Hi,

Thanks for your review. I've updated webrev with jdk.tools.jlink -> jdk.tools.jlink.internal refactoring. But, when I attempted to get rid of shell script in the test with your suggestion, I got:

Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/Users/SATHIJEG/src/jdk9-dev/jdk/test/tools/jlink/JTwork/tools/jlink/JLinkToolProviderTest.d/main.0.jta" "read")
    at java.security.AccessControlContext.checkPermission(java.base@9-internal/AccessControlContext.java:471)
    at java.security.AccessController.checkPermission(java.base@9-internal/AccessController.java:894)
    at java.lang.SecurityManager.checkPermission(java.base@9-internal/SecurityManager.java:548)
    at java.lang.SecurityManager.checkRead(java.base@9-internal/SecurityManager.java:887)
    at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:127)
    at java.io.FileInputStream.<init>(java.base@9-internal/FileInputStream.java:93)
    at java.io.FileReader.<init>(java.base@9-internal/FileReader.java:58)
    at com.sun.javatest.regtest.agent.MainWrapper.main(MainWrapper.java:46)

Looks like I've to give AllPermission to all code in jtreg itself and leave the test only as sandbox! => I've to use a complicated policy file. Shell script avoids all that..

Updated webrev: http://cr.openjdk.java.net/~sundar/8168091/webrev.01/

Thanks,
-Sundar

On 18/10/16, 3:33 AM, Mandy Chung wrote:
>> On Oct 17, 2016, at 10:23 AM, Sundararajan Athijegannathan wrote:
>>
>> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
>> https://bugs.openjdk.java.net/browse/JDK-8168091
> The shell test can be removed and use
> @run main/othervm/secure=java.lang.SecurityManager
>
> You may want to move the classes in jdk.tools.jlink package to
> jdk.tools.jlink.internal since they are now internal.
>
> Mandy
Re: RFR 8168091: jlink should check security permission early when programmatic access is used
> On Oct 17, 2016, at 10:23 AM, Sundararajan Athijegannathan wrote:
>
> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
> https://bugs.openjdk.java.net/browse/JDK-8168091

The shell test can be removed and use
@run main/othervm/secure=java.lang.SecurityManager

You may want to move the classes in jdk.tools.jlink package to jdk.tools.jlink.internal since they are now internal.

Mandy
Re: RFR 8168091: jlink should check security permission early when programmatic access is used
+1

> On Oct 17, 2016, at 2:23 PM, Sundararajan Athijegannathan wrote:
>
> Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
> https://bugs.openjdk.java.net/browse/JDK-8168091
>
> Thanks,
>
> -Sundar
RFR 8168091: jlink should check security permission early when programmatic access is used
Please review http://cr.openjdk.java.net/~sundar/8168091/webrev.00/ for
https://bugs.openjdk.java.net/browse/JDK-8168091

Thanks,

-Sundar