RFR (XS) 8230415 : Avoid redundant permission checking in FilePermissionCollection and SocketPermissionCollection

Ivan Gerasimov ivan.gerasimov at oracle.com
Mon Sep 30 18:42:03 UTC 2019


Thank you Sean for reviewing!

With kind regards,

Ivan


On 9/27/19 7:20 AM, Sean Mullan wrote:
> Hi Ivan,
>
> The fix looks good. Good catch.
>
> --Sean
>
> On 8/30/19 7:32 PM, Ivan Gerasimov wrote:
>> Hello!
>>
>> In the two implementations of 
>> PermissionCollection.implies(Permission), all the permissions are 
>> traversed, and their corresponding bit mask are checked.
>>
>> For example, here's a snippet from FilePermission.java:
>>
>>          int desired = fperm.getMask();
>>          int effective = 0;
>>          int needed = desired;
>>
>>          for (Permission perm : perms.values()) {
>>              FilePermission fp = (FilePermission)perm;
>>              if (((needed & fp.getMask()) != 0) && 
>> fp.impliesIgnoreMask(fperm)) {
>>                  effective |= fp.getMask();
>>                  if ((effective & desired) == desired) {
>>                      return true;
>>                  }
>>                  needed = (desired ^ effective);// <<< should be 
>> (desired & ~effective)
>>              }
>>          }
>>
>> Here, if a permission's mask `fp.getMask()` intersects with `needed`, 
>> but does not fully cover all the needed bits, the variable `needed` 
>> is updated as XOR of desired and effective. This can raise a 
>> not-really-needed bits in the `needed` mask, so that for all 
>> subsequent permissions from the collection with that unneeded bits in 
>> the mask, an expensive fp.impliesIgnoreMask(fperm) will be executed.
>>
>> The fix does not change the behavior, but helps avoid unnecessary 
>> calls to impliesIgnoreMask().
>>
>> Would you please help review a trivial fix?
>>
>> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8230415
>> WEBREV: http://cr.openjdk.java.net/~igerasim/8230415/00/webrev/
>>
>> Thanks in advance!
>>
>
-- 
With kind regards,
Ivan Gerasimov



More information about the security-dev mailing list