FW: SecurityManager.checkPackageAccess for qualified exports

[Langer, Christoph]

Hi Sean,

thanks for your response.

> >
> > *Implementation Note:***
> >
> > This implementation also restricts all non-exported packages of modules
> > loaded bythe platform class loader
> >
> <http://download.java.net/java/jdk9/docs/api/java/lang/ClassLoader.html#
> getPlatformClassLoader-->or
> > its ancestors. A "non-exported package" refers to a package that is not
> > exported to all modules. Specifically, it refers to a package that
> > either is not exported at all by its containing module or is exported in
> > a qualified fashion by its containing module.
> >
> > Reading this, I'm wondering whether the implementation should implicitly
> > grant package access for modules that a package in question was exported
> > to in a qualified fashion? Now one ends up having to additionally add
> > specific permissions which can easily be forgot.
> 
> It was considered. In particular, the security permission check that is
> done when loading classes of non-exported packages is essentially
> equivalent to the module access check. However, in other package access
> checking cases, the SecurityManager check does a full stack walk and
> checks that every relevant ProtectionDomain on the stack has permission
> to access the non-exported package. The module access check only checks
> if the source module has access. There was some concern that this may
> not be sufficient to guard against all possible attack scenarios.

I think the package access check walking down the whole stack is fine and should be done here, not just the module access check.

However, frames originating out of a module that the package was exported to should have the permission to access the package. Such that when I would run in a privileged section there, I would get package access. And if I wouldn't run privileged then all the calling frames would be checked and the check might not be passed. Wouldn't that be the right way?

Best regards
Christoph