On 5/12/17 3:26 AM, Langer, Christoph wrote:
Adding security-dev… Any comments?
-----------------------------------------------------------------------------
Hi all,
while playing with the security manager (using -Djava.security.manager)
in Java 9 and testing platform modules that we have added specifically
in our build, I came across the following thing:
As we are using some stuff from jdk.internal, I get the
AccessControlException: “exception access denied
("java.lang.RuntimePermission"
"accessClassInPackage.jdk.internal.misc")” in several places, even if my
code runs priviledged. I figured that I need to grant permission
“permission java.lang.RuntimePermission
"accessClassInPackage.jdk.internal.misc"” to my module. I was looking
around where this restriction comes from and learned the following in
the documentation of SecurityManager.checkPackageAccess:
*Implementation Note:***
This implementation also restricts all non-exported packages of modules
loaded bythe platform class loader
<http://download.java.net/java/jdk9/docs/api/java/lang/ClassLoader.html#getPlatformClassLoader-->or
its ancestors. A "non-exported package" refers to a package that is not
exported to all modules. Specifically, it refers to a package that
either is not exported at all by its containing module or is exported in
a qualified fashion by its containing module.
Reading this, I’m wondering whether the implementation should implicitly
grant package access for modules that a package in question was exported
to in a qualified fashion? Now one ends up having to additionally add
specific permissions which can easily be forgot.
It was considered. In particular, the security permission check that is
done when loading classes of non-exported packages is essentially
equivalent to the module access check. However, in other package access
checking cases, the SecurityManager check does a full stack walk and
checks that every relevant ProtectionDomain on the stack has permission
to access the non-exported package. The module access check only checks
if the source module has access. There was some concern that this may
not be sufficient to guard against all possible attack scenarios.
--Sean
Any comments? Shouldn’t that be improved?
Best regards
Christoph
