Disallowing the dynamic loading of agents by default

Gregg Wonderly greggwon at cox.net
Tue Apr 4 14:58:46 UTC 2017


> On Apr 4, 2017, at 4:36 AM, Andrew Dinn <adinn at redhat.com> wrote:
> 
> On 03/04/17 21:56, John Rose wrote:
>> On Apr 3, 2017, at 12:03 PM, Gregg Wonderly <greggwon at cox.net>
>> wrote:
>>> 
>>> Alan, it is exactly this kind of comment from the team which just
>>> tears apart the whole view that you might actually be considering
>>> what everyone in the Java community needs.
>> 
>> I think *this* comment is unfair to Alan.  I read Alan as saying 
>> "don't assume that users can rely on an SM present".  If I'm right, 
>> that is a far cry from tearing the community into parts.  I think
>> you would admit that not everyone uses SM.  So you didn't ding Alan 
>> (who is doing really heroic work for the community) for simply 
>> reminding us that a SM-based approach would not serve the whole
>> community equally.  Did you impute some other motive to him?
> 
> Thank you for posting this, John. I am hoping that Gregg simply misread
> Alan's post because it definitely didn't merit the response it received.

Alan said:

> The issue here is nothing to do with the security manager, assume no security manager in the picture.

But, I always have a security manager in the picture.  It’s how I always grant access to various pieces of the JDK features to my application.  It’s how I limit/grant access to the details that I care about my users being exposed to by using my software.  So, saying that a SecurityManager doesn’t matter, when this is clearly a JVM security issue, just doesn’t fly for me.  As I’ve already said, a command line argument can feel like a permission, but it is like AllPermission.  It doesn’t help me manage what I am opening my users to.  If I have to use the AllPermission for my users to deploy, and they are on a network, I’ve now opened them up to network penetration by other agents!  That’s absolutely not acceptable to me.

There should be a Permission mechanism at a high granularity of control, and grants to Jar files (which have been mentioned in another recent thread dealing with which modules can have agents inserted/active) make it possible to directly control all exposure from all paths of penetration.

Gregg
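
As an added illustration of the per-jar Permission model argued for above (this is example code written for this page, not code from the thread, from Gregg, or from the JDK): a Policy that grants a hypothetical AgentLoadPermission only to one jar's codebase, beside the "all or nothing" AllPermission grant that a command-line switch amounts to. The permission class AgentLoadPermission, the JarScopedPolicy class, and the jar paths are assumptions for the example; the JDK defines no such permission.

```java
// Example code added for this page (not from the jigsaw-dev thread or the JDK).
// Shows a per-codebase grant of a hypothetical AgentLoadPermission versus the
// blanket AllPermission that an all-or-nothing switch is equivalent to.
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Map;

public class JarScopedAgentPolicy {

    /** Hypothetical permission guarding dynamic agent loading (not a real JDK permission). */
    public static final class AgentLoadPermission extends BasicPermission {
        public AgentLoadPermission(String name) { super(name); }
    }

    /**
     * Policy with grants keyed by codebase URL, the "grant to Jar files" model.
     * A codebase that is not listed gets nothing, so no domain ever receives
     * AllPermission just because a feature had to be switched on.
     */
    static final class JarScopedPolicy extends Policy {
        private final Map<String, PermissionCollection> grants;

        JarScopedPolicy(Map<String, PermissionCollection> grants) { this.grants = grants; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            if (cs == null || cs.getLocation() == null) return false;
            PermissionCollection pc = grants.get(cs.getLocation().toExternalForm());
            return pc != null && pc.implies(permission);
        }
    }

    /** Dynamic ProtectionDomain (4-arg constructor): consults the installed Policy. */
    static ProtectionDomain domainFor(String jarUrl) throws Exception {
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        return new ProtectionDomain(cs, null, null, null);
    }

    /** True if code loaded from jarUrl would pass checkPermission under the policy. */
    static boolean mayLoadAgent(String jarUrl) throws Exception {
        AccessControlContext acc =
                new AccessControlContext(new ProtectionDomain[] { domainFor(jarUrl) });
        try {
            acc.checkPermission(new AgentLoadPermission("attach"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /** The flag-style alternative: a static domain holding AllPermission passes every check. */
    static boolean mayLoadAgentUnderAllPermission(String jarUrl) throws Exception {
        Permissions all = new Permissions();
        all.add(new AllPermission());
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, all); // static grants, Policy not consulted
        return pd.implies(new AgentLoadPermission("attach"));
    }

    public static void main(String[] args) throws Exception {
        Permissions monitorGrants = new Permissions();
        monitorGrants.add(new AgentLoadPermission("attach"));

        // Only this one jar (path is an assumption for the example) may load agents.
        Policy.setPolicy(new JarScopedPolicy(Map.of(
                "file:/opt/app/lib/monitor-agent.jar", monitorGrants)));

        System.out.println("per-jar grant, monitor-agent.jar: " + mayLoadAgent("file:/opt/app/lib/monitor-agent.jar"));
        System.out.println("per-jar grant, unknown.jar:       " + mayLoadAgent("file:/tmp/unknown.jar"));
        System.out.println("AllPermission, unknown.jar:       " + mayLoadAgentUnderAllPermission("file:/tmp/unknown.jar"));
    }
}
```

Compile and run with `javac JarScopedAgentPolicy.java && java JarScopedAgentPolicy`; the first check passes, the second is denied, and the AllPermission variant passes for any jar, which is the distinction the post is drawing. Caveat: the Policy and SecurityManager APIs used here were deprecated for removal by JEP 411 in JDK 17, so on current JDKs this runs with deprecation warnings and is not a long-term design to build on.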