RFR: (XS) 8162916:Test sun/security/krb5/auto/UnboundSSL.java fails
Artem Smotrakov
artem.smotrakov at oracle.com
Wed Aug 17 17:18:48 UTC 2016
Sorry, my bad, I didn't notice '9-na' label.
I suppose that code from ext directory should have all permissions:
artem at artem-laptop:$ cat ~/jdk/jdk1.8.0_92b14/jre/lib/security/java.policy
// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};
// default permissions granted to all domains
...
I am wondering if it would be better it the test didn't override the
default policy.
Artem
On 08/17/2016 10:12 AM, Seán Coffey wrote:
> Hi Artem,
>
> Sorry - should have said that this is for jdk8u-dev. The bug is marked
> 9-na. The provider loading changes made in this area for 9 mean that
> it's not affected.
>
> Regards,
> Sean.
>
> On 17/08/16 18:10, Artem Smotrakov wrote:
>> Hi Sean,
>>
>> If I remember correctly, there is no ext directory in JDK 9 any more.
>>
>> I don't see in jtr file that "java.ext.dirs" system property is
>> passed to the test. If I understand correctly,
>> "file:${{java.ext.dirs}}/*" becomes "file:/*" which seems to grand
>> all permissions to all the code. It doesn't look correct for this test.
>>
>> It looks like the test overrides the default policy, please see in
>> jtr file
>>
>> -Djava.security.policy==/export/home/gtee/scripts/Results/workDir/scratch_2/unbound.ssl.policy_new
>> \\
>>
>> If I recall correctly, there should be a way to specify a policy file
>> in @run without overriding the default one. May be it is "@run
>> main/othervm/java.security.policy=unbound.ssl.policy_new"
>>
>> Artem
>>
>>
>> On 08/17/2016 09:53 AM, Seán Coffey wrote:
>>> A recently added test case lacks sufficient permissions to read a
>>> conf file when running with security manager.
>>>
>>> bug report : https://bugs.openjdk.java.net/browse/JDK-8162916
>>>
>>> proposed patch :
>>> diff --git a/test/sun/security/krb5/auto/unbound.ssl.policy
>>> b/test/sun/security/krb5/auto/unbound.ssl.policy
>>> --- a/test/sun/security/krb5/auto/unbound.ssl.policy
>>> +++ b/test/sun/security/krb5/auto/unbound.ssl.policy
>>> @@ -1,7 +1,13 @@
>>> +// Standard extensions get all permissions by default
>>> +
>>> +grant codeBase "file:${{java.ext.dirs}}/*" {
>>> + permission java.security.AllPermission;
>>> +};
>>> +
>>> grant {
>>> permission java.util.PropertyPermission "*", "read,write";
>>> permission java.net.SocketPermission "*:*",
>>> "listen,resolve,accept,connect";
>>> - permission java.io.FilePermission "*", "read,write,delete";
>>> + permission java.io.FilePermission "<<ALL FILES>>",
>>> "read,write,delete";
>>> permission java.lang.RuntimePermission "accessDeclaredMembers";
>>> permission java.lang.reflect.ReflectPermission
>>> "suppressAccessChecks";
>>> permission java.lang.RuntimePermission "accessClassInPackage.*";
>>>
>>
>
More information about the security-dev
mailing list