On Fri, 2019-07-19 at 17:40 +0100, Alan Bateman wrote: > On 19/07/2019 16:21, Claes Redestad wrote: > > On 2019-07-19 17:07, Severin Gehwolf wrote: > > > Do you have objections, to go with that, Claes? > > > > > > http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8228434/01/webrev/ > > > > While I think the privilegedGetProperty alternative would work just > > fine regardless of security settings, I don't object to this if you're > > more comfortable with it. > privilegedGetProperty will work for the Sockets test because its policy > file allows the test lib classes to read all properties: > > grant codeBase "file:${test.classes}/../../../../test/lib/-" { > permission java.util.PropertyPermission "*", "read"; > permission java.io.FilePermission "/etc/release", "read"; > permission java.io.FilePermission "<<ALL FILES>>", "execute"; > };
Yes. > There might be other tests with policy files where this is not the case. My issue is with finding those tests :-/ If we know the set of *all* tests affected by the breakage we could do approach 2. Approach 1 (or 3) seems safer. > Severin - how about a combination of the two approaches, meaning add > Docker.DOCKER_COMMAND as per the first version but use > privilegedGetProperty to read the value. That way only container tests > using a SM and their own policy files will need to grant the permission > to read this property. Sure, fine with me. Here you go: http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8228434/02/webrev/ Thoughts? Thanks, Severin
