P.S. Sorry, I just realised I used the word “process” in 1 and 2 with different meanings. In 1 I meant an OS process running Java; in 2 I merely meant a Java mechanism (as opposed to an OS mechanism).
> On 12 May 2021, at 22:49, Ron Pressler <ron.press...@oracle.com> wrote:
>
>> On 12 May 2021, at 22:41, Peter Tribble <peter.trib...@gmail.com> wrote:
>>
>> Let me give a concrete example:
>>
>> Parsing and rendering a PDF file that may contain references to fonts or other resources.
>> We know exactly where the files are installed, so wish to allow the rendering routine access to the fonts it will need. But not to any other files, and not (normally) to network resources at all. Note that we trust the code, but not necessarily the document it's parsing. (Although the document itself may be perfectly well formed - document formats often allow embedding references to 3rd-party objects, undesirable as that may be.)
>>
>
> Thank you. Let me ask you this, then:
>
> 1. Would allowing access to certain files and no network for the *entire* application be sufficient? Consider that you can run some code in a separate Java process with OS protections. If not, why not?
>
> 2. Would turning such access on and off for the entire application through some Java process be sufficient?
>
> 3. Would controlling such access on a per-thread basis be sufficient?
>
> Please don’t read 2 or 3 as some concrete proposals; I’m just trying to understand the requirements.
>
> — Ron