RFR 8043406: Change default policy for JCE providers to run with as few privileges,as possible

Valerie Peng valerie.peng at oracle.com
Tue Jul 8 21:33:13 UTC 2014 

I modified the ProviderConfig class to skip providers when the 
corresponding provider class failed during initiation time (e.g. lacking 
certain permission). Thus, for tests which do not need/use crypto 
providers, their test policy don't have to contain the entries for 
crypto providers.

Thanks,
Valerie

On 7/8/2014 2:19 PM, Sean Mullan wrote:
> Looks good, although do you know why you were able to remove the grant 
> AllPermission from so many of the test policy files without granting 
> additional specific permissions?
>
> --Sean
>
> On 07/07/2014 05:14 PM, Valerie Peng wrote:
>>
>> Updated the webrev to include the updates of test policy files.
>> Also changed the ProviderConfig class to ignore provider instantiation
>> failures, so that we don't need to include the entries for crypto
>> providers in the test policy files when the tests themselves do not
>> use/depend on functionality from crypto providers.
>>
>> http://cr.openjdk.java.net/~valeriep/8043406/webrev.02/
>>
>> Thanks,
>> Valerie
>>
>> On 6/26/2014 2:33 PM, Valerie Peng wrote:
>>>
>>> Updated the webrev in place (still at webrev.01), now that Mandy has
>>> putback'ed her fix for the ClassLoader.loadLibrary issue.
>>>
>>> Thanks,
>>> Valerie
>>>
>>> On 6/20/2014 3:30 PM, Valerie Peng wrote:
>>>>
>>>> Webrev is updated at:
>>>> http://cr.openjdk.java.net/~valeriep/8043406/webrev.01
>>>> Sure, I will file a bug after Mandy's confirmation.
>>>> Thanks,
>>>> Valerie
>>>>
>>>> On 6/20/2014 8:46 AM, Sean Mullan wrote:
>>>>>   36         // Needed by Runtime.loadLibrary(String) call
>>>>>   37         permission java.io.FilePermission "<<ALL FILES>>", 
>>>>> "read";
>>>>>
>>>>> It seems like this is due to a bug in Runtime.loadLibrary, since you
>>>>> have already granted the provider the permission to load the
>>>>> library. I think possibly the call to ClassLoader.loadLibrary should
>>>>> be inside a doPrivileged. The workaround is ok for now, but can you
>>>>> file a separate bug for this?
>>>>>
>>>>> --Sean
>>>>>
>>>>> On 06/18/2014 06:51 PM, Valerie Peng wrote:
>>>>>> Sean,
>>>>>>
>>>>>> Not sure if you can get to reviewing this before your vacation.
>>>>>> If not, I will find someone else to help...
>>>>>>
>>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8043406/webrev.00/
>>>>>>
>>>>>> Thanks,
>>>>>> Valerie

More information about the security-dev mailing list