RFR: 8159752: Grant de-privileged module permissions by default with java.security.policy override option

[Tim Bell]

The Makefile changes look fine.

Tim

On 07/15/16 04:51, Sean Mullan wrote:
> Adding build-dev for review since there is one change to a Makefile in 
> the webrev below.
>
> Thanks,
> Sean
>
> On 07/14/2016 04:05 PM, Sean Mullan wrote:
>> Please review this change to the default Policy provider implementation
>> to grant de-privileged module permissions by default even when the
>> java.security.policy override option is specified or when the
>> Policy.getInstance API is used:
>>
>> http://cr.openjdk.java.net/~mullan/webrevs/8159752/webrev.00/
>>
>> A new system-wide policy file located in
>> ${java.home}/lib/security/default.policy has been created. It contains
>> grant statements containing the permissions that need to be granted to
>> de-privileged modules. These grant statements were previously located in
>> the ${java.home}/conf/security/java.policy file and have been relocated
>> to the default.policy file.
>>
>> The default.policy file is now always loaded by the default Policy
>> provider implementation (sun/security/provider/PolicyFile). It is loaded
>> if the java.security.policy '=' or '==' option is specified, and also if
>> the application uses the Policy.getInstance methods and specifies the
>> "JavaPolicy" type. If the default.policy file cannot be loaded, an
>> InternalError is thrown, on the basis that the runtime cannot operate
>> correctly unless these permissions are granted.
>>
>> The rationale for making this change is that the runtime should be
>> responsible for granting the permissions it needs to operate correctly.
>> We should not expect users to have to determine or copy and paste these
>> permissions into their own policy files.
>>
>> Thanks,
>> Sean