FW: SecurityManager.checkPackageAccess for qualified exports

Sean Mullan sean.mullan at oracle.com
Fri May 12 12:45:18 UTC 2017


On 5/12/17 3:26 AM, Langer, Christoph wrote:
> Adding security-dev… Any comments?
> 
> -----------------------------------------------------------------------------
> 
> Hi all,
> 
> while playing with the security manager (using -Djava.security.manager) 
> in Java 9 and testing platform modules that we have added specifically 
> in our build, I came across the following thing:
> 
> As we are using some stuff from jdk.internal, I get the 
> AccessControlException: “exception access denied 
> ("java.lang.RuntimePermission" 
> "accessClassInPackage.jdk.internal.misc")” in several places, even if my 
> code runs privileged. I figured that I need to grant permission 
> “permission java.lang.RuntimePermission 
> "accessClassInPackage.jdk.internal.misc"” to my module. I was looking 
> around where this restriction comes from and learned the following in 
> the documentation of SecurityManager.checkPackageAccess:
> 
> *Implementation Note:*
> 
> This implementation also restricts all non-exported packages of modules 
> loaded by the platform class loader 
> <http://download.java.net/java/jdk9/docs/api/java/lang/ClassLoader.html#getPlatformClassLoader--> or 
> its ancestors. A "non-exported package" refers to a package that is not 
> exported to all modules. Specifically, it refers to a package that 
> either is not exported at all by its containing module or is exported in 
> a qualified fashion by its containing module.
> 
> Reading this, I’m wondering whether the implementation should implicitly 
> grant package access for modules that a package in question was exported 
> to in a qualified fashion? Now one ends up having to additionally add 
> specific permissions which can easily be forgotten.

It was considered. In particular, the security permission check that is 
done when loading classes of non-exported packages is essentially 
equivalent to the module access check. However, in other package access 
checking cases, the SecurityManager check does a full stack walk and 
checks that every relevant ProtectionDomain on the stack has permission 
to access the non-exported package. The module access check only checks 
if the source module has access. There was some concern that this may 
not be sufficient to guard against all possible attack scenarios.

--Sean

> 
> Any comments? Shouldn’t that be improved?

> 
> Best regards
> 
> Christoph
> 
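
Added example, not part of the original thread or of the JDK sources: a small probe that prints the two answers discussed above side by side, the module-system export check for the calling module and the SecurityManager.checkPackageAccess result. The class name PackageAccessProbe is hypothetical; it assumes a JDK 9-era runtime started with -Djava.security.manager.

```java
// Added illustration; PackageAccessProbe is a hypothetical class name.
// Run with: java -Djava.security.manager PackageAccessProbe
public class PackageAccessProbe {

    // Package named in the thread; it lives in java.base.
    static final String PKG = "jdk.internal.misc";

    /** Module-system view: only the calling (source) module is considered. */
    static String moduleView(Module owner, Module caller) {
        if (owner.isExported(PKG)) {
            return "exported to all modules";
        }
        if (owner.isExported(PKG, caller)) {
            return "qualified export to " + caller;
        }
        return "not exported to " + caller;
    }

    /**
     * SecurityManager view: checkPackageAccess requires
     * RuntimePermission "accessClassInPackage.<pkg>" and, via the access
     * controller, checks the ProtectionDomains on the call stack.
     */
    static String securityManagerView() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return "no security manager installed";
        }
        try {
            sm.checkPackageAccess(PKG);
            return "permitted";
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Module owner = Object.class.getModule();               // java.base
        Module caller = PackageAccessProbe.class.getModule();  // this code's module
        System.out.println("module export check: " + moduleView(owner, caller));
        System.out.println("checkPackageAccess:  " + securityManagerView());
    }
}
```

Run from a module that receives the qualified export, the first line can report the export while the second still reports a denial until the policy grants the RuntimePermission quoted in the thread.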
