Disallowing the dynamic loading of agents by default

mark.reinhold at oracle.com
Mon Apr 3 23:19:32 UTC 2017


2017/4/2 23:28:02 -0700, chris at hazelcast.com:
> First of all, I understand the idea behind this change and I think it
> certainly makes sense but from my impression the default is wrong, as
> Volker already pointed out.
> 
> Over the last few days I (with the help of others) put together a
> document ...

Thanks -- that's useful data.

> Looking at APM, as Martijn mentioned, I don’t see a lot of impact, as
> most APMs should be added right from the start of the JVM. On the
> other hand, however, it seems that there are a lot of tools (probably
> more on the “devops” side of things) that are commonly added at
> runtime in case of a problem or error. Those tools would be greatly
> affected by the change and would commonly require deactivating the
> new restriction, which renders it kind of useless.

From your document it looks like it's mainly profilers that might need
to transform core JDK classes.  Do you have any sense as to whether the
other types of agents can still be effective if they cannot transform
core classes, an option that Andrew suggested?

> That said, it looks like the main group being affected by this change
> is not developers, as you seem to have mentioned in the initial mail,
> but operations. Furthermore, I’m not sure I agree with “if you have to
> tell customers to put additional flags on CL, one more is no problem”
> (as it sounded below). Normally you have to explain / fight over every
> single command line parameter that has to be set with the customers'
> operations team (unless those parameters are GC configs ;-). That
> means it’ll be really hard to explain why to deactivate something that
> undercuts the system security / integrity, as it will be put.

That's a fair point.

> Most interestingly, as the document points out, there will be ways to
> undermine the change by creating a remote thread (on Windows) or
> ptrace on Linux. There are certainly ways on each of the operating
> systems but it’ll make things even more insecure.

I think this is a red herring.  If you have the power to ptrace a Java
process then you can likely already do anything, and there's not much we
can do to stop you.

- Mark
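As an added illustration of the option discussed above (an agent that stays effective without transforming core JDK classes), here is a hypothetical diagnostic agent, not code from the thread or from any of the tools mentioned; the class name, the prefix list and the `Agent-Class` manifest entry are assumptions for this example.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

/**
 * Hypothetical agent that refuses to touch core JDK classes.
 * Packaged in a jar whose manifest declares "Agent-Class: NonCoreAgent"
 * (for dynamic loading) and "Premain-Class: NonCoreAgent" (for -javaagent).
 */
public final class NonCoreAgent {
    // Assumed list of internal-name prefixes treated as "core" (constructed for this example).
    static final String[] CORE_PREFIXES = {"java/", "javax/", "jdk/", "sun/", "com/sun/"};

    /** True if the class is defined by the bootstrap loader or lives in a core package. */
    static boolean isCoreClass(ClassLoader loader, String internalName) {
        if (loader == null) {
            return true;               // bootstrap loader: java.base and friends
        }
        if (internalName == null) {
            return false;              // anonymous/hidden classes carry no name
        }
        for (String prefix : CORE_PREFIXES) {
            if (internalName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void agentmain(String args, Instrumentation inst) {
        // canRetransform = false: this agent only sees classes as they are first loaded.
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                    ProtectionDomain domain, byte[] classfileBuffer) {
                if (isCoreClass(loader, className)) {
                    return null;       // decline: the JDK class is left exactly as loaded
                }
                // An application class: a real tool would rewrite bytecode here.
                // This example only reports the class and returns null (no change).
                System.out.println("[NonCoreAgent] application class seen: " + className);
                return null;
            }
        }, false);
    }

    /** Same behaviour when the agent is started from the command line instead. */
    public static void premain(String args, Instrumentation inst) {
        agentmain(args, inst);
    }
}
```

Returning `null` from `transform` is the documented way for a `ClassFileTransformer` to leave a class untouched, so such an agent can still observe application classes while never modifying anything loaded by the bootstrap loader.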