RFR: JDK-8210274: Source Launcher should work with a security manager

Jonathan Gibbons jonathan.gibbons at oracle.com
Tue Sep 11 19:44:32 UTC 2018


Thanks for all the feedback.  I'll add the extra test case you suggest.

-- Jon

On 09/11/2018 12:34 PM, Alan Bateman wrote:
> On 11/09/2018 19:42, Jonathan Gibbons wrote:
>> :
>> As regards the interaction between Source Launcher and the use of a 
>> security manager, I see 3 possibilities:
>> 1. Specifically support it, as provided in this webrev
>> 2. No code change, but update JEP 330 to specify the behavior
>> 3. Explicitly reject the combination of Source Launcher and the 
>> security manager.
> Since you've started into this then it's probably best to just 
> continue with #1 and get it done. My main point here was the test in 
> the webrev sets the security manager on the command line and I think 
> you also need another test that sets in the test main method.
>>> Is there any way (spi.ToolProvider or some means) for untrusted code 
>>> to indirectly run the source launcher? This question is important 
>>> because the updated source launcher could be abused to probe 
>>> anywhere on the file system.
>> Untrusted code can only run the source launcher by breaking 
>> encapsulation on the command line.  The source launcher is a 
>> combination of native code in the launcher itself and a class in an 
>> unexported package of jdk.compiler.  Even if you could access the 
>> source launcher, the compilation command line (i.e. the args for the 
>> internal call to javac) is highly constrained, and so it is difficult 
>> to see how the source launcher could be abused.
> Thanks, the question had to be asked because the privileged block in 
> the source launcher main means it can access any file.
>>> What are the implications for uses of javax.tools and 
>>> com.sun.tools.javac.Main in code running with a security manager? 
>>> Maybe that is a separate project but I would have expected to see 
>>> privileged blocks in places that need permissions.
>> The intent was to stay clear (in this changeset) of all other ways of 
>> invoking javac, meaning javax.tools, com.sun.tools.javac.Main and 
>> spi.ToolProvider. While there are relatively few ways to invoke 
>> javac, these ways all permit the use of annotation processors and 
>> other callbacks, and so we would need privileged blocks in all places 
>> where callbacks could re-enter javac.
> That is what I was wondering about it. I don't see a queue at the door 
> of developers looking to run javac with a security manager but at the 
> same time it is possible to configure many app servers with JSP 
> support to run with a security manager. I assume they must have 
> historically granted at least some permissions to "tools.jar" for this 
> to work.
>> If we were to drop the support for a security manager from the source 
>> launcher, would you still consider it worthwhile to update the policy 
>> file to enumerate the privileges required to run javac? Setting aside 
>> the updates for the Source Launcher tests, I think the work to 
>> improve all the other tests to function better when a security 
>> manager is involved is also worth while.
> It took a lot of work in JDK 9 to identify the minimum permissions 
> needed by several modules. The java.xml.bind and java.xml.ws modules 
> took a lot of effort because of the callbacks and missing privileged 
> blocks. It does take a lot of effort and testing to be confident. So 
> my personal view (and not my call) is that it's probably not high 
> priority to do the same for jdk.compiler at this time.
> -Alan

More information about the compiler-dev mailing list