[rfc][icedtea-web][policyeditor] Reflection and Exec permissions

Andrew Azores aazores at redhat.com
Tue Mar 25 13:39:03 UTC 2014 

On 03/25/2014 05:30 AM, Jiri Vanek wrote:
> On 03/24/2014 09:05 PM, Andrew Azores wrote:
>> Hi,
>>
>> This patch just adds Reflection and Exec permission options to 
>> PolicyEditor.
>>
>> Thanks,
>>
>
> Looks good. Just not sure if it is enough:
>
> eg:
> java.lang.NullPointerException
>     at geogebra.i.x.a(Unknown Source)
>     at geogebra.gui.a.a.a(Unknown Source)
>     at geogebra.gui.a.a.a(Unknown Source)
>     at geogebra.GeoGebra.a(Unknown Source)
>     at geogebra.GeoGebra.a(Unknown Source)
>     at geogebra.GeoGebra.main(Unknown Source)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:616)
>     at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
>     at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:911)
>
> I think he class for name is not allowed by your permission.

Aha! Thanks for catching this. [0] suggests there's only one permission 
needed for reflection, but [1] proves otherwise (and makes sense).

[0] 
http://docs.oracle.com/javase/7/docs/api/java/lang/reflect/ReflectPermission.html
[1] 
http://docs.oracle.com/javase/7/docs/api/java/lang/Class.html#forName%28java.lang.String,%20boolean,%20java.lang.ClassLoader%29

> For exec - are supported both runtimelexec and process builder?

According to the documentation, they both go through 
SecurityManager#checkExec, which checks for "execute" action on the 
given file. So if granting <<ALL FILES>> as the target, it should allow 
executing anything (which sounds so, so scary - but that's why this is 
optional! :) )

>
> J.


New patch adds the ClassLoader permission, as well as a bunch of others 
I figured might as well be added because they're likely to be needed in 
conjunction with it and each other. PolicyEditor doesn't really have a 
way to make a single checkbox handle multiple permissions, at least not 
right now, so the Reflection stuff is split up into four different 
permissions basically, but I think that's probably actually better 
anyway. It's just a little more cluttered looking. Maybe a future 
enhancement would be to add labels separating the checkboxes into groups 
eg File Access, Java Reflection, System Utility?

Thanks,

-- 
Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: policyeditor-reflection-exec-2.patch
Type: text/x-patch
Size: 7586 bytes
Desc: not available
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140325/bbcf5c1f/policyeditor-reflection-exec-2.patch>

More information about the distro-pkg-dev mailing list