Running with a security manager?
David Holmes
david.holmes at oracle.com
Sun Mar 11 22:44:21 UTC 2018
On 10/03/2018 10:43 PM, Weijun Wang wrote:
> If you set policy or secure in the @run line then jtreg will automatically add necessary permissions to your existing policy file to make it run.
I tried this for secure (which still fails) and then checked the jtreg
code - it only does that for policy:
    if (policyFN != null) {
        // add permission to read JTwork/classes by adding a grant entry
        newPolicyFN = addGrantEntry(policyFN);
        javaProps.put("java.security.policy",
                      overrideSysPolicy ? "=" + newPolicyFN : newPolicyFN);
    }
    if (secureCN != null) {
        javaProps.put("java.security.manager", secureCN);
    }
    else if (policyFN != null) {
        javaProps.put("java.security.manager", "default");
    }
So I simply defined an empty policy file and set /policy=empty.policy
and that appeared to achieve what I wanted.
But on further study of the options code it seems the above replaces the
system policy, which isn't really what I wanted. There is an undocumented
/java.security.policy option which allows for overriding the system
policy or combining with it. If you specify:
/java.security.policy=my.policy
then overrideSysPolicy remains false and the policies presumably
combine. Whereas if you specify:
/java.security.policy==my.policy
then overrideSysPolicy is set true and my.policy will be the only
policy. This mirrors the behaviour of the java.security.policy property.
I use the former so that my empty policy, augmented with the permissions
jtreg added for itself, is then combined with the system default policy.
Thanks,
David
> --Max
>
>> On Mar 10, 2018, at 7:06 PM, David Holmes <david.holmes at oracle.com> wrote:
>>
>> On 10/03/2018 9:03 PM, David Holmes wrote:
>>> Thanks for all the responses.
>>> On 10/03/2018 6:10 PM, Weijun Wang wrote:
>>>> Or you can set policy to an empty file (maybe with a comment line). Unfortunately both secure and policy must have an argument.
>>> Right. My issue is what policy do I have to set to make jtreg itself work, regardless of what the test may or may not need? This seems to be a problem to me - I don't know what permissions jtreg requires be added to any policy.
>>> Mandy's suggestion of just setting the security manager within the test may be the way to go.
>>
>> No that requires I have a security manager to pass in. I just want to enable the default security manager! This should not be that hard to do! :(
>>
>> David
>>
>>> Thanks,
>>> David
>>>> --Max
>>>>
>>>>> On Mar 10, 2018, at 2:37 PM, mandy chung <mandy.chung at oracle.com> wrote:
>>>>>
>>>>> If you need to grant permission, you can do this:
>>>>>
>>>>> * @run main/othervm/java.security.policy=<policy file> TestReflectionAPI
>>>>>
>>>>> If no policy needed, you can set security manager (System::setSecurityManager) at the beginning of the test and run in othervm mode:
>>>>> * @run main/othervm TestReflectionAPI
>>>>>
>>>>> Mandy
>>>>>
>>>>> On 3/9/18 8:16 PM, David Holmes wrote:
>>>>>> I want to run a test with a default security manager present. So I added it to the @run:
>>>>>>
>>>>>> @run main/othervm -Djava.security.manager TestReflectionAPI
>>>>>>
>>>>>> But this breaks jtreg:
>>>>>>
>>>>>> Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/export/users/dh198349/valhalla/repos/valhalla-exp/open/test/hotspot/jtreg/JTwork/runtime/Nestmates/reflectionAPI/TestReflectionAPI.d/main.2.jta" "read")
>>>>>> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>>>>>> at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>>>>>> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>>>>>> at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:674)
>>>>>> at java.base/java.io.FileInputStream.<init>(FileInputStream.java:147)
>>>>>> at java.base/java.io.FileInputStream.<init>(FileInputStream.java:113)
>>>>>> at java.base/java.io.FileReader.<init>(FileReader.java:58)
>>>>>> at com.sun.javatest.regtest.agent.MainWrapper.main(MainWrapper.java:46)
>>>>>>
>>>>>> So I presume I need some kind of policy file that gives jtreg necessary permissions while trying to leave the actual test code with the normal default permissions.
>>>>>>
>>>>>> How do I do that?
>>>>>>
>>>>>> Thanks,
>>>>>> David
>>>>>
>>>>
>
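
An added example, not part of the original thread or of jtreg: a jtreg test that uses the single-'=' /java.security.policy form described in the message and checks that the default security manager is active while the system default policy is still combined with the test's own policy. The class name DefaultPolicyCheck, the comment-only file empty.policy, and the two properties probed are assumptions; it also assumes a JDK release that still supports the Security Manager and ships the stock java.policy granting all code read access to java.version.

```java
/*
 * @test
 * @summary Default security manager is active; system policy still applies
 * @run main/othervm/java.security.policy=empty.policy DefaultPolicyCheck
 */
public class DefaultPolicyCheck {

    public static void main(String[] args) {
        // Per the jtreg code quoted in the thread, supplying a policy file
        // also sets java.security.manager=default for the othervm.
        if (System.getSecurityManager() == null) {
            throw new AssertionError("no security manager installed");
        }

        // Single '=': empty.policy is combined with the system policy, whose
        // stock java.policy lets any code read java.version. With '==' only
        // empty.policy would apply and this read would be denied.
        if (!canRead("java.version")) {
            throw new AssertionError("system default policy was not combined");
        }

        // Neither the stock policy nor empty.policy grants user.home, so the
        // test code is still confined to the default permissions.
        if (canRead("user.home")) {
            throw new AssertionError("test code has more than default permissions");
        }
    }

    // Returns true if the property read is permitted, false if the
    // security manager denies it.
    private static boolean canRead(String key) {
        try {
            System.getProperty(key);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }
}
```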