Review request: 8040059 Change default policy for extensions to no permission
Sean Mullan
sean.mullan at oracle.com
Wed Apr 23 15:19:20 UTC 2014
On 04/22/2014 06:36 PM, Mandy Chung wrote:
> Thanks for bringing up this question. I missed to mention the open
> question to follow up how we want to build the system java.policy. There
> are platform-specific jar file and also different jar files in Oracle
> JDK build. I currently list them all in java.policy in this initial
> patch. One solution is to have one version of java.policy for each OS.
> However this will suffer from the maintenance burden and also
> error-prone as the current java.security file. I'd like to get the
> feedback from the security team before attempting to modify the makefiles.
We had a similar issue with the java.security file where Oracle-specific
packages were being added to the package.access/definition properties in
the OpenJDK java.security files; thus polluting the source code with
packages that were Oracle-specific.
I fixed this in JDK 8:
https://bugs.openjdk.java.net/browse/JDK-8007292
Basically it involved keeping a list of the non-OpenJDK packages that
were to be restricted in the closed repo, and creating a Java program
that appended these to the properties in the java.security file when the
build included the closed sources.
--Sean
More information about the security-dev
mailing list