[rfc][icedtea-web][policyeditor] Reflection and Exec permissions
Andrew Azores
aazores at redhat.com
Wed Mar 26 14:03:50 UTC 2014
On 03/26/2014 05:06 AM, Jiri Vanek wrote:
> On 03/25/2014 08:34 PM, Andrew Azores wrote:
>> On 03/25/2014 02:57 PM, Jiri Vanek wrote:
>>> On 03/25/2014 02:39 PM, Andrew Azores wrote:
>>>> On 03/25/2014 05:30 AM, Jiri Vanek wrote:
>>>>> On 03/24/2014 09:05 PM, Andrew Azores wrote:
>>>>>> Hi,
>>>>>>
>>>>>> This patch just adds Reflection and Exec permission options to
>>>>>> PolicyEditor.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>
>>>>> Looks good. Just not sure if it is enough:
>>>>>
>>>>> eg:
>>>>> java.lang.NullPointerException
>>>>> at geogebra.i.x.a(Unknown Source)
>>>>> at geogebra.gui.a.a.a(Unknown Source)
>>>>> at geogebra.gui.a.a.a(Unknown Source)
>>>>> at geogebra.GeoGebra.a(Unknown Source)
>>>>> at geogebra.GeoGebra.a(Unknown Source)
>>>>> at geogebra.GeoGebra.main(Unknown Source)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:616)
>>>>> at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
>>>>> at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:911)
>>>>>
>>>>> I think the class for name is not allowed by your permission.
>>>>
>>>> Aha! Thanks for catching this. [0] suggests there's only one
>>>> permission needed for reflection,
>>>> but [1] proves otherwise (and makes sense).
>>>>
>>>
>>> Hmm still the same exception. It is geogebra which is causing this.
>>
>> Do you have exact reproduction steps?
>
> Yes, launch geogebra from our testcases and use any sandbox combination
> :) - or try to tune it to run :)
>
Ah I see, it's failing as soon as it starts basically. Maybe I should
have tried before asking for detailed steps ;)

Why do you think it's being denied on a classForName call though? Not
saying it isn't, but I don't see what indicates that in particular?
According to the docs for Class.forName, the permission required is a
RuntimePermission with "getClassLoader" target and no actions, and
that's what the Get ClassLoader permission in PolicyEditor is granting.

I mean, the NPE is happening somewhere after some GUI package stuff is
going on apparently, so how do we know it isn't a missing AWT permission
instead? Maybe there should be a catch-all AWT permission available as
well, actually, even if that isn't the problem here.

Thanks,
--
Andrew A