> On 26 Jan 2017, at 03:32, Mandy Chung <mandy.ch...@oracle.com> wrote:
>
> (dropping jdk9-dev. security-libs is the appropriate list to review security
> permission)
>
>> On Jan 23, 2017, at 1:56 PM, Doug Simon <doug.si...@oracle.com> wrote:
>>
>> Both jdk.vm.ci and jdk.vm.compiler require a number of permissions when a
>> security manager is present. Since neither of these modules is accessible to
>> application code, it should be ok to give them all permissions. This seems
>> to be the approach for a number of other modules including
>> jdk.scripting.nashorn, jdk.dynalink, jdk.jsobject etc. Please review this
>> small change that configures this proposed permission level.
>>
>> http://cr.openjdk.java.net/~dnsimon/8145337/webrev/
>> https://bugs.openjdk.java.net/browse/JDK-8145337
>
> jdk.vm.compiler is defined by the application class loader and it’s used by
> AOT tool. I wonder why it has to run with security manager.
Without java.security.AllPermission, the policy for jdk.vm.compiler required to
get through a bootstrap (i.e., java -server -XX:+UnlockExperimentalVMOptions
-Djava.security.manager -XX:+BootstrapJVMCI -XX:+UseJVMCICompiler -version) is
show below (annotated with comments denoting the methods requiring the
permissions):
grant codeBase "jrt:/jdk.vm.compiler" {
// org.graalvm.compiler.hotspot.HotSpotGraalJVMCIServiceLocator.<init>
permission jdk.vm.ci.services.JVMCIPermission;
//
org.graalvm.compiler.hotspot.HotSpotGraalCompilerFactory.getSavedProperties
permission java.lang.RuntimePermission
"accessClassInPackage.jdk.internal.misc";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// org.graalvm.compiler.core.common.util.ModuleAPI.<clinit>
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission
"accessClassInPackage.jdk.internal.module";
// org.graalvm.compiler.options.OptionValue.<clinit>
permission java.util.PropertyPermission "graal.profileOptionValue", "read";
// org.graalvm.compiler.debug.Debug.<clinit>
permission java.util.PropertyPermission "*", "read,write";
// org.graalvm.compiler.core.common.UnsafeAccess.initUnsafe
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
// org.graalvm.compiler.hotspot.BootstrapWatchDog.<init>
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
// org.graalvm.compiler.hotspot.replacements.SHA2Substitutions.<clinit>
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.provider";
//
org.graalvm.compiler.nodes.graphbuilderconf.InvocationPlugins.resolveClass
permission java.lang.RuntimePermission
"accessClassInPackage.jdk.internal.reflect";
permission java.lang.RuntimePermission
"accessClassInPackage.oracle.jrockit.jfr.jdkevents";
};
There’s no guarantee that this is all the permissions required since not all
code paths are exercised during bootstrap.
> You can reference JDK tools such as jdk.compiler and jdk.jlink that are not
> granted with any permission.
Neither of those tools create code and install it in the VM. I don’t think a
fine grained SecurityManager policy makes sense for a VM compiler since it
could subvert security by compiling/installing malicious code. That is, a VM
compiler has to be a trusted component. Keep in mind that user code cannot get
to jdk.vm.compiler.
For comparison, below are all the modules currently given
java.security.AllPermission by lib/security/default.policy:
grant codeBase "jrt:/java.activation" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/java.compiler" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/java.corba" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.incubator.httpclient" {
};
grant codeBase "jrt:/java.scripting" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/java.security.jgss" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/java.sql" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/java.sql.rowset" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.dynalink" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.internal.le" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.jsobject" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.naming.dns" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.scripting.nashorn" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.scripting.nashorn.shell" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.security.auth" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.security.jgss" {
permission java.security.AllPermission;
};
