JEP411: Missing use-case: Monitoring / restricting libraries
Alan Bateman
Alan.Bateman at oracle.com
Mon May 31 07:59:26 UTC 2021
On 31/05/2021 08:11, Peter Firmstone wrote:
> :
>
> I think also that many more people are using SecurityManager than
> OpenJDK realises, and they're not using it how OpenJDK recommends
> either, (AllPermission granted to trusted code, and sandbox untrusted
> code model of Applets is not how we use it) people are using POLP,
> it's just that no one reports back to OpenJDK because they are only
> editing policy files, it will work with any library out there now,
> there's nothing to write back about. It's pretty clear that OpenJDK
> devs don't use it, but they do have to manage doPrivileged and
> preserving context across tasks and threads.
>
> And there are static analysis tools in Spotbugs to identify
> doPrivileged bugs, but someone has recently suggested removing them
> thanks to this JEP? Does OpenJDK use static analysis. I think if you
> did you'd find plenty of latent bugs.
I don't think the SM is approachable by most developers. I've sat
through several embarrassing sessions at conferences over the years
where a speaker attempted to get something non-trivial to work with the
SM enabled. More often than not they had to deal with libraries that had
never been run with a SM before and it was whack-a-mole to get them to
run. As you know, any library or framework with callbacks means careful
use of doPrivileged to avoid needing to grant permissions to every
component on the stack. You mention capturing and re-asserting contexts
across threads, this is just way too complex for most developers. My
guess is that if we had enabled the SM by default 20 years ago then it
would be a different discussion today. This is not to say that there
isn't some usage, the flurry of mails here over the last month does show
that there is some usage. The SM survey in 2018 showed that there was
some usage too.
I can't speak for all OpenJDK contributors but Oracle contributors do a
massive amount of analysis and static analysis before proposing to
deprecate or removing anything. It's often much harder to remove
something that add it and I don't think anyone has proposed deprecating
or removing anything without a strong case.
-Alan
More information about the security-dev
mailing list