[rfc][icedtea-web][policyeditor] Reflection and Exec permissions
Jiri Vanek
jvanek at redhat.com
Tue Mar 25 18:57:48 UTC 2014
On 03/25/2014 02:39 PM, Andrew Azores wrote:
> On 03/25/2014 05:30 AM, Jiri Vanek wrote:
>> On 03/24/2014 09:05 PM, Andrew Azores wrote:
>>> Hi,
>>>
>>> This patch just adds Reflection and Exec permission options to PolicyEditor.
>>>
>>> Thanks,
>>>
>>
>> Looks good. Just not sure if it is enough:
>>
>> eg:
>> java.lang.NullPointerException
>> at geogebra.i.x.a(Unknown Source)
>> at geogebra.gui.a.a.a(Unknown Source)
>> at geogebra.gui.a.a.a(Unknown Source)
>> at geogebra.GeoGebra.a(Unknown Source)
>> at geogebra.GeoGebra.a(Unknown Source)
>> at geogebra.GeoGebra.main(Unknown Source)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:616)
>> at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
>> at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:911)
>>
>> I think the class for name is not allowed by your permission.
>
> Aha! Thanks for catching this. [0] suggests there's only one permission needed for reflection, but [1] proves otherwise (and makes sense).
>
Hmm still the same exception. It is geogebra which is causing this.
> [0] http://docs.oracle.com/javase/7/docs/api/java/lang/reflect/ReflectPermission.html
> [1] http://docs.oracle.com/javase/7/docs/api/java/lang/Class.html#forName%28java.lang.String,%20boolean,%20java.lang.ClassLoader%29
>
>> For exec - are both Runtime.exec and ProcessBuilder supported?
>
> According to the documentation, they both go through SecurityManager#checkExec, which checks for "execute" action on the given file. So if granting <<ALL FILES>> as the target, it should allow executing anything (which sounds so, so scary - but that's why this is optional! :) )
hmhmh.. No granularity needed in policy editor level imho. Just allow all.
>
>>
>> J.
>
>
> New patch adds the ClassLoader permission, as well as a bunch of others I figured might as well be added because they're likely to be needed in conjunction with it and each other. PolicyEditor doesn't really have a way to make a single checkbox handle multiple permissions, at least not right now, so the Reflection stuff is split up into four different permissions basically, but I think that's probably actually better anyway. It's just a little more cluttered looking. Maybe a future enhancement would be to add labels separating the checkboxes into groups eg File Access, Java Reflection, System Utility?
This should be fixed. Eg all checkboxes from family of "allow unowned code execution" should be gathered under one :((
Not needed to do now, but later 100% needed fix.
>
> Thanks,
>
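
The two points raised in this thread (one reflection permission does not cover the others, and `<<ALL FILES>>` with `execute` covers every command path) can be checked without a SecurityManager by asking a `Permissions` collection what it implies. This is an added example, not code from the patch or from IcedTea-Web; the grant sets and the `/usr/bin/example-viewer` path are constructed for illustration, and the choice of which demands to list is an assumption.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.security.Permissions;

public class GrantCoverage {
    // Returns true when the granted set covers the demanded permission.
    static boolean covers(Permissions granted, Permission demanded) {
        return granted.implies(demanded);
    }

    public static void main(String[] args) {
        // Grant set A (constructed): only the ReflectPermission from reference [0].
        Permissions reflectOnly = new Permissions();
        reflectOnly.add(new ReflectPermission("suppressAccessChecks"));

        // Grant set B (constructed): the broad exec grant discussed in the thread.
        Permissions execAll = new Permissions();
        execAll.add(new FilePermission("<<ALL FILES>>", "execute"));

        // Grant set C (constructed): exec limited to one hypothetical binary.
        Permissions execOne = new Permissions();
        execOne.add(new FilePermission("/usr/bin/example-viewer", "execute"));

        // Demands raised by the calls named in the comments.
        Permission[] demands = {
            // Class.forName(name, init, null) called from code with a non-null loader
            new RuntimePermission("getClassLoader"),
            // Class.getDeclaredMethods() and related declared-member lookups
            new RuntimePermission("accessDeclaredMembers"),
            // AccessibleObject.setAccessible(true)
            new ReflectPermission("suppressAccessChecks"),
            // checkExec on an absolute command path (Runtime.exec, ProcessBuilder)
            new FilePermission("/bin/sh", "execute"),
            new FilePermission("/usr/bin/example-viewer", "execute"),
        };

        System.out.printf("%-62s %-8s %-8s %-8s%n",
                "demand", "reflect", "execAll", "execOne");
        for (Permission p : demands) {
            System.out.printf("%-62s %-8b %-8b %-8b%n", p,
                    covers(reflectOnly, p), covers(execAll, p), covers(execOne, p));
        }
    }
}
```

The `execOne` column shows what a path-scoped grant would look like if the editor ever offered finer granularity than "allow all".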