Review request: 8040059 Change default policy for extensions to no permission

Sean Mullan sean.mullan at oracle.com
Wed Apr 23 15:19:20 UTC 2014


On 04/22/2014 06:36 PM, Mandy Chung wrote:
> Thanks for bringing up this question.  I missed to mention the open
> question to follow up how we want to build the system java.policy. There
> are platform-specific jar file and also different jar files in Oracle
> JDK build.  I currently list them all in java.policy in this initial
> patch.  One solution is to have one version of java.policy for each OS.
> However this will suffer from the maintenance burden and also
> error-prone as the current java.security file.  I'd like to get the
> feedback from the security team before attempting to modify the makefiles.

We had a similar issue with the java.security file where Oracle-specific 
packages were being added to the package.access/definition properties in 
the OpenJDK java.security files; thus polluting the source code with 
packages that were Oracle-specific.

I fixed this in JDK 8:
https://bugs.openjdk.java.net/browse/JDK-8007292

Basically it involved keeping a list of the non-OpenJDK packages that 
were to be restricted in the closed repo, and creating a Java program 
that appended these to the properties in the java.security file when the 
build included the closed sources.

--Sean


More information about the security-dev mailing list