8168313: Tighten permissions granted to jdk.crypto.pkcs11 module

Reviewed-by: ascarpino

jdk/src/java.base/share/classes/module-info.java

@@ -240,8 +240,7 @@ module java.base {
         java.xml.ws;
     exports sun.security.action to
         java.desktop,
-        java.security.jgss,
-        jdk.crypto.pkcs11;
+        java.security.jgss;
     exports sun.security.internal.interfaces to
         jdk.crypto.pkcs11;
     exports sun.security.internal.spec to

jdk/src/java.base/share/lib/security/default.policy

@@ -111,11 +111,11 @@ grant codeBase "jrt:/jdk.crypto.ec" {
 grant codeBase "jrt:/jdk.crypto.pkcs11" {
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.*";
-    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
     permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
-    // needs "security.pkcs11.allowSingleThreadedModules"
-    permission java.util.PropertyPermission "*", "read";
+    permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
+    permission java.util.PropertyPermission "os.name", "read";
+    permission java.util.PropertyPermission "os.arch", "read";
     permission java.security.SecurityPermission "putProviderProperty.*";
     permission java.security.SecurityPermission "clearProviderProperties.*";
     permission java.security.SecurityPermission "removeProviderProperty.*";

jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/Config.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,6 @@ import java.util.*;
 
 import java.security.*;
 
-import sun.security.action.GetPropertyAction;
 import sun.security.util.PropertyExpander;
 
 import sun.security.pkcs11.wrapper.*;
@@ -58,15 +57,30 @@ final class Config {
     // will accept single threaded modules regardless of the setting in their
     // config files.
     private static final boolean staticAllowSingleThreadedModules;
+    private static final String osName;
+    private static final String osArch;
 
     static {
-        String p = "sun.security.pkcs11.allowSingleThreadedModules";
-        String s = AccessController.doPrivileged(new GetPropertyAction(p));
-        if ("false".equalsIgnoreCase(s)) {
+        List<String> props = AccessController.doPrivileged(
+            new PrivilegedAction<>() {
+                @Override
+                public List<String> run() {
+                    return List.of(
+                        System.getProperty(
+                            "sun.security.pkcs11.allowSingleThreadedModules",
+                            "true"),
+                        System.getProperty("os.name"),
+                        System.getProperty("os.arch"));
+                }
+            }
+        );
+        if ("false".equalsIgnoreCase(props.get(0))) {
             staticAllowSingleThreadedModules = false;
         } else {
             staticAllowSingleThreadedModules = true;
         }
+        osName = props.get(1);
+        osArch = props.get(2);
     }
 
     private final static boolean DEBUG = false;
@@ -650,8 +664,6 @@ final class Config {
             // replace "/$ISA/" with "/sparcv9/" on 64-bit Solaris SPARC
             // and with "/amd64/" on Solaris AMD64.
             // On all other platforms, just turn it into a "/"
-            String osName = System.getProperty("os.name", "");
-            String osArch = System.getProperty("os.arch", "");
             String prefix = lib.substring(0, i);
             String suffix = lib.substring(i + 5);
             if (osName.equals("SunOS") && osArch.equals("sparcv9")) {

jdk/src/jdk.crypto.pkcs11/share/classes/sun/security/pkcs11/wrapper/Constants.java

@@ -58,7 +58,7 @@ package sun.security.pkcs11.wrapper;
  */
 public class Constants {
 
-    public static final String NEWLINE = System.getProperty("line.separator");
+    public static final String NEWLINE = System.lineSeparator();
 
     public static final String INDENT = "  ";