SecurityManager environments

Jason Tedor jason at
Thu Apr 6 20:26:20 UTC 2017

This is correct, thank you for pointing it Uwe, but actually Reto's example
will fail before the setAccessible call because we do not even allow
accessDeclaredMembers (again, except for Lucene, for the RAM usage
estimator). :)

On Thu, Apr 6, 2017 at 2:32 PM Uwe Schindler <uschindler at> wrote:


Elasticsearch does not allow setAccessible() anywhere in its code (by
security policy), except some places in trusted libraries like Apache
Lucene for mmap unmapping support (but those must use doPrivileged for
that), but plugins and Elasticsearch’s core cannot call setAccessible. See
also Dalibor Topic’s post with the paper about SecurityManager usage, if
you allow “suppressAccessChecks” permission to code you’re f*ked up.



Uwe Schindler

uschindler at

ASF Member, Apache Lucene PMC / Committer

Bremen, Germany

From: Reto Merz [mailto:reto.merz at]
Sent: Thursday, April 6, 2017 6:53 PM
To: Uwe Schindler <uschindler at>; 'Alan Bateman' <
Alan.Bateman at>
Cc: jigsaw-dev at
Subject: Re: SecurityManager environments

We use the same approach like Elasticsearch (walk through stack trace and
check caller).
Note that this does not work in any case. For example this will bypass
sure, in Java 9 this would also need --add-opens to make reflection work:

    Method halt0 =
Class.forName("java.lang.Shutdown").getDeclaredMethod("halt0", int.class);
    halt0.invoke(halt0, 0);

But we can life with that because in our case we just want to find
erroneous code.
It is impossible to protect a JVM from malicious code (which is executed
within the JVM) anyway.


Von: Uwe Schindler <uschindler at <mailto:uschindler at> >
An: 'Alan Bateman' <Alan.Bateman at <mailto:Alan.Bateman at>
>, 'Reto Merz' <reto.merz at <mailto:reto.merz at> >
Kopie: <jigsaw-dev at <mailto:jigsaw-dev at> >
Gesendet: 06.04.2017 16:25
Betreff: RE: SecurityManager environments


> > >> To be honest, we don't see a lot of security manager
> > >> usage on the server side these days.
> >
> > I'm really surprised about that. How can a app server or servlet
> > like JBoss Tomcat etc guarantee that System.exit does not shut down
> > the JVM?
> AFAIK the app servers have to provide a way to run with a security
> manager but I don't know how many app server run it by default.
> The System.exit example is a good example that has come up a few times.
> There is at least one IDE that used to run with a SM so that it could
> block plugins from calling System.exit. That use case is one that
> probably needs a specific API.

Elasticsearch Server also blocks System.exit, so plugins or scripts running
inside the query cannot shut down the server (it also blocks many other
stuff for sandboxing everything). The main problem with implementing the
exitVM permission is to make it work that you can still exit on your own ��
If you forbid exiting the VM, you cannot do it on your own. (cannot be done
in a policy file, because the exit permission is given by default).

This is by the way a good use case for the new StackWalker API!: The
Elasticsearch (and Apache Lucene's Test Runner) SecurityManager do
Thread.currentThread().getStackTrace() and then walk down the stack and
only allow exiting if the right class/package is on the stack trace right
before the  System/Runtime.exit() call. E.g.,


I agree some improvements to SecurityManager around that would be good. It
is really hard to implement that (only allow existing from a specific
class/method), as you need to inspect stack, otherwise you cannot exit on
your own... The code here is still known as "Uwe Schindler" algorithm in
the community, originating from Apache Lucene and was just forked in
Elasticsearch. They made a Maven package out of it (SecureSM is taking a
list of packages that are allowed to exit the VM): <


More information about the jigsaw-dev mailing list