RFR 8043406: Change default policy for JCE providers to run with as few privileges,as possible

Mandy Chung mandy.chung at oracle.com
Fri Jun 20 23:57:26 UTC 2014

On 6/20/2014 3:30 PM, Valerie Peng wrote:
> Webrev is updated at: 
> http://cr.openjdk.java.net/~valeriep/8043406/webrev.01

Thanks Valerie.   Good to see the security providers granting only the 
permissions it requires.

Looks okay to me.

> Sure, I will file a bug after Mandy's confirmation.

Yes please file a bug and it does look like a bug in the loadLibrary.  
I'll look into it.  It'd be helpful if you can include a stack trace in 
the JBS issue without granting FilePermission to access all files.


> Thanks,
> Valerie
> On 6/20/2014 8:46 AM, Sean Mullan wrote:
>>   36         // Needed by Runtime.loadLibrary(String) call
>>   37         permission java.io.FilePermission "<<ALL FILES>>", "read";
>> It seems like this is due to a bug in Runtime.loadLibrary, since you 
>> have already granted the provider the permission to load the library. 
>> I think possibly the call to ClassLoader.loadLibrary should be inside 
>> a doPrivileged. The workaround is ok for now, but can you file a 
>> separate bug for this?
>> --Sean
>> On 06/18/2014 06:51 PM, Valerie Peng wrote:
>>> Sean,
>>> Not sure if you can get to reviewing this before your vacation.
>>> If not, I will find someone else to help...
>>> Webrev: http://cr.openjdk.java.net/~valeriep/8043406/webrev.00/
>>> Thanks,
>>> Valerie

More information about the security-dev mailing list