RFR 8043406: Change default policy for JCE providers to run with as few privileges,as possible

Mandy Chung mandy.chung at oracle.com
Fri Jun 20 23:57:26 UTC 2014


On 6/20/2014 3:30 PM, Valerie Peng wrote:
>
> Webrev is updated at: 
> http://cr.openjdk.java.net/~valeriep/8043406/webrev.01

Thanks Valerie.   Good to see the security providers granting only the 
permissions it requires.

Looks okay to me.

> Sure, I will file a bug after Mandy's confirmation.

Yes please file a bug and it does look like a bug in the loadLibrary.  
I'll look into it.  It'd be helpful if you can include a stack trace in 
the JBS issue without granting FilePermission to access all files.

Thanks
Mandy

> Thanks,
> Valerie
>
> On 6/20/2014 8:46 AM, Sean Mullan wrote:
>>   36         // Needed by Runtime.loadLibrary(String) call
>>   37         permission java.io.FilePermission "<<ALL FILES>>", "read";
>>
>> It seems like this is due to a bug in Runtime.loadLibrary, since you 
>> have already granted the provider the permission to load the library. 
>> I think possibly the call to ClassLoader.loadLibrary should be inside 
>> a doPrivileged. The workaround is ok for now, but can you file a 
>> separate bug for this?
>>
>> --Sean
>>
>> On 06/18/2014 06:51 PM, Valerie Peng wrote:
>>> Sean,
>>>
>>> Not sure if you can get to reviewing this before your vacation.
>>> If not, I will find someone else to help...
>>>
>>> Webrev: http://cr.openjdk.java.net/~valeriep/8043406/webrev.00/
>>>
>>> Thanks,
>>> Valerie




More information about the security-dev mailing list