Permissions in default.policy and --patch-module

Alan Bateman Alan.Bateman at
Mon Dec 11 15:17:14 UTC 2017

On 11/12/2017 07:50, Weijun Wang wrote:
> I was just trying to run a jtreg test on a new Windows VirtualBox VM. A small code change is needed but I don't want to do a full build (it also does not have enough memory). I just copied an existing image, and the modified class was compiled on the host macOS machine.
> So this is not "really a problem", but if --patch-module can be used to patch a module, I do hope the new classes are treated exactly the same as those existing classes.
The only difference is that the classes on the patch path are in a 
different location, hence have a different CodeSource and protection domain.
> This is similar to the case of exploded build.
The classes in an exploded build are located on the file system, hence a 
file URL as the location and code source. I suspect you are asking for 
jrt URL to work for exploded builds. Yes, this could be make to work 
although the difference between exploded and images build pre-dates 
modules (you'll have the same issue in JDK 8 with policy files that 
grant permissions to JAR files in the run-time image).


More information about the security-dev mailing list