Review request: 8040059 Change default policy for extensions to no permission

Sean Mullan sean.mullan at oracle.com
Wed Apr 23 20:10:30 UTC 2014


Just a few comments:

1. When you write a test that uses the jtreg /policy option, the policy 
file overrides the system policy file. If the test depends on a standard 
extension, then you may get SecurityExceptions unless additional perms 
are granted. Thus, there are quite a few tests that define their own 
policy files and duplicate the grant statement for extensions from the 
system policy:

     grant codeBase "file:${{java.ext.dirs}}/*" {
         permission java.security.AllPermission;
     }

These tests should be modified to only grant the necessary permissions. 
However, ideally I think that a better solution would be to add a jtreg 
/policy option that doesn't override the system policy file, but rather 
appends to it, for example, using "==" :

     @run main/othervm/policy==test.policy

(this is the reverse behavior of the java.security.policy system 
property, so it might be a little confusing, so maybe it is better to 
add a new option)

2. test/lib/security/java.policy/Ext_AllPolicy.java

I think you should also add a check for AllPermission.

3. jdk/nio/zipfs/ZipFileSystem.java

If I understand the changes, the previous code would throw 
SecurityExceptions when run under a SecurityManager? It's not 
specifically related to this bug, is it?

4. lib/security/java.policy

     grant codeBase "file:${java.home}/lib/ext/zipfs.jar" {
         permission java.io.FilePermission "<<ALL FILES>>", 
"read,write,delete";

Hmm, granting that likely means you are just a hop away from getting 
AllPermission ... not sure what to advise here, but there are several 
cases like this for certain permissions (ex: RuntimePermission 
"createClassLoader" is another one).

--Sean

On 04/22/2014 03:39 PM, Mandy Chung wrote:
> This change proposes to remove granting all permissions for extensions
> as the default and implements the principle of least privilege.In JDK 9,
> we want to reduce the privileges of as many system classes as possible.
>
> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8040059/webrev.00/
>
> This patch has reduced the zipfs, localedata and cldrdata to grant the
> permissions they require.  It grants AllPermission to other jar files in
> the lib/ext directory shipped with JDK and this change is intended to
> enable the component teams to identify the minimum permissions and fix
> any issue, if any.
>
> Libraries installed in the extensions directory depending on
> AllPermission granted by default are impacted.   Making this change as
> early in JDK 9 allows us to identify any customer impacted by this change.
>
> Mandy


More information about the security-dev mailing list