On 2/28/22 15:32, Andrew Haley wrote:
I think all we'd need is a set of capabilities bound to a scope local at thread startup, and I guess it'd default to "all capabilities". Trusted code could then override any of those capabilities. We'd have to make sure that capabilities were inherited by threads, and we'd have to think very carefully about thread pools. The problem there is that while it would (I guess) make sense to prevent all code executing in thread pools from calling System.exit(), there's an obvious compatibility problem if it can't.
Although... there certainly is some potential profit in restricted thread pools, which have no compatibility problems because it'd be a new feature. I think this solves the problem Alan Bateman raised too. Sure, you wouldn't be able to use the default thread pool, but that's no big deal, I would have thought.

--
Andrew Haley (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
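A sketch of the idea in the message above, added here as an illustration and not code from the thread or from OpenJDK: a scope-local capability set that defaults to "all", can only be narrowed by the enclosing code, is checked before `System.exit()`, and is carried into a worker thread by a "restricted pool" submission while a plain pool submission loses it. It assumes the JDK's `ScopedValue` API (the successor to the "scope locals" referred to in the mail; a preview API in recent JDKs, so `--enable-preview` may be needed), and the `Capability` enum and all method names are hypothetical.

```java
import java.util.*;
import java.util.concurrent.*;

public class CapabilityScope {
    // Hypothetical capability set; the mail names only System.exit() as the motivating case.
    enum Capability { EXIT, NETWORK, FILE_WRITE }
    // Scope-local capability set; an unbound scope means "all capabilities", the proposed default.
    static final ScopedValue<Set<Capability>> CAPS = ScopedValue.newInstance();

    static Set<Capability> current() {
        return CAPS.orElse(EnumSet.allOf(Capability.class));
    }

    // Trusted code narrows the set for a dynamic scope. Intersecting with the current set
    // means nested code can only drop capabilities, never regain one that was removed.
    static void withCapabilities(Set<Capability> allowed, Runnable body) {
        Set<Capability> effective = new HashSet<>(current());
        effective.retainAll(allowed);
        ScopedValue.where(CAPS, Set.copyOf(effective)).run(body);
    }

    static void require(Capability c) {
        if (!current().contains(c)) throw new SecurityException(c + " not granted in this scope");
    }

    // Untrusted code would be routed through this instead of calling System.exit() directly.
    static void guardedExit(int status) { require(Capability.EXIT); System.exit(status); }

    // "Restricted pool" submission: the submitter's set is captured and re-bound inside the
    // worker, so the restriction survives the thread hop. A plain submit does not carry it.
    static CompletableFuture<Void> runRestricted(Runnable task, Executor pool) {
        Set<Capability> captured = current();   // read on the submitting thread
        return CompletableFuture.runAsync(() -> ScopedValue.where(CAPS, captured).run(task), pool);
    }

    static String attemptExit() {
        try { guardedExit(0); return "allowed"; }
        catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            withCapabilities(EnumSet.of(Capability.NETWORK), () -> {
                System.out.println("caller thread: " + attemptExit());                                    // denied
                runRestricted(() -> System.out.println("restricted pool: " + attemptExit()), pool).join(); // denied
                CompletableFuture.runAsync(() -> System.out.println("plain pool sees: " + current()), pool).join(); // all
            });
        } finally {
            pool.shutdown();
        }
    }
}
```

The last line of output shows the compatibility problem the mail raises: a task handed to an ordinary pool runs with the default "all capabilities" unless the submission path re-binds the set.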