RFR 8043406: Change default policy for JCE providers to run with as few privileges,as possible
Sean Mullan
sean.mullan at oracle.com
Wed Jul 9 01:27:38 UTC 2014
On 7/8/14, 5:33 PM, Valerie Peng wrote:
>
> I modified the ProviderConfig class to skip providers when the
> corresponding provider class failed during initiation time (e.g. lacking
> certain permission). Thus, for tests which do not need/use crypto
> providers, their test policy don't have to contain the entries for
> crypto providers.
Ok, thanks for the explanation, that sounds good to me.
--Sean
>
> Thanks,
> Valerie
>
> On 7/8/2014 2:19 PM, Sean Mullan wrote:
>> Looks good, although do you know why you were able to remove the grant
>> AllPermission from so many of the test policy files without granting
>> additional specific permissions?
>>
>> --Sean
>>
>> On 07/07/2014 05:14 PM, Valerie Peng wrote:
>>>
>>> Updated the webrev to include the updates of test policy files.
>>> Also changed the ProviderConfig class to ignore provider instantiation
>>> failures, so that we don't need to include the entries for crypto
>>> providers in the test policy files when the tests themselves do not
>>> use/depend on functionality from crypto providers.
>>>
>>> http://cr.openjdk.java.net/~valeriep/8043406/webrev.02/
>>>
>>> Thanks,
>>> Valerie
>>>
>>> On 6/26/2014 2:33 PM, Valerie Peng wrote:
>>>>
>>>> Updated the webrev in place (still at webrev.01), now that Mandy has
>>>> putback'ed her fix for the ClassLoader.loadLibrary issue.
>>>>
>>>> Thanks,
>>>> Valerie
>>>>
>>>> On 6/20/2014 3:30 PM, Valerie Peng wrote:
>>>>>
>>>>> Webrev is updated at:
>>>>> http://cr.openjdk.java.net/~valeriep/8043406/webrev.01
>>>>> Sure, I will file a bug after Mandy's confirmation.
>>>>> Thanks,
>>>>> Valerie
>>>>>
>>>>> On 6/20/2014 8:46 AM, Sean Mullan wrote:
>>>>>> 36 // Needed by Runtime.loadLibrary(String) call
>>>>>> 37 permission java.io.FilePermission "<<ALL FILES>>", "read";
>>>>>>
>>>>>> It seems like this is due to a bug in Runtime.loadLibrary, since you
>>>>>> have already granted the provider the permission to load the
>>>>>> library. I think possibly the call to ClassLoader.loadLibrary should
>>>>>> be inside a doPrivileged. The workaround is ok for now, but can you
>>>>>> file a separate bug for this?
>>>>>>
>>>>>> --Sean
>>>>>>
>>>>>> On 06/18/2014 06:51 PM, Valerie Peng wrote:
>>>>>>> Sean,
>>>>>>>
>>>>>>> Not sure if you can get to reviewing this before your vacation.
>>>>>>> If not, I will find someone else to help...
>>>>>>>
>>>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8043406/webrev.00/
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Valerie
More information about the security-dev
mailing list