Disallowing the dynamic loading of agents by default

Alan Bateman Alan.Bateman at oracle.com
Sun Mar 19 09:27:02 UTC 2023


On 19/03/2023 02:51, Yasumasa Suenaga wrote:
> :
>
> Can we change flag type of EnableDynamicAgentLoading to `manageable` 
> from `product`? If so, we can use JVMTI agent without rebooting system 
> when we encountered some troubles in production system.

If manageable then it could be enabled at run-time with 
HotSpotDiagnosticMXBean.setVMOption (or jcmd VM.set_flag), so I think 
wouldn't change anything. The main issue with JVMTI agents loaded into a 
running VM is that they can do anything. Even if their capabilities were 
reduced (and many debugging capabilities are only available in the 
onload phase) it can still use JNI and bypass access control. So I think 
a difficult security vs. serviceability trade-off here.

-Alan.


More information about the jigsaw-dev mailing list