8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader

Reviewed-by: alanb, dfuchs, lancea, mkos
2015-02-06 15:42:07 -08:00 · 2015-02-06 15:42:07 -08:00 · c8528fd410
commit c8528fd410
parent 8d8f34b9a6
3 changed files with 27 additions and 4 deletions
--- a/jdk/make/src/classes/build/tools/module/boot.modules
+++ b/jdk/make/src/classes/build/tools/module/boot.modules
@ -1,7 +1,5 @@
 java.base
 java.desktop
-java.activation
-java.annotations.common
 java.compiler
 java.corba
 java.instrument
@ -18,9 +16,7 @@ java.sql
 java.sql.rowset
 java.transaction
 java.xml
-java.xml.bind
 java.xml.crypto
-java.xml.ws
 jdk.charsets
 jdk.deploy
 jdk.deploy.osx
--- a/jdk/make/src/classes/build/tools/module/ext.modules
+++ b/jdk/make/src/classes/build/tools/module/ext.modules
@ -1,3 +1,7 @@
+java.activation
+java.annotations.common
+java.xml.bind
+java.xml.ws
 jdk.crypto.ec
 jdk.crypto.mscapi
 jdk.crypto.pkcs11
--- a/jdk/src/java.base/share/conf/security/java.policy
+++ b/jdk/src/java.base/share/conf/security/java.policy
@ -55,6 +55,29 @@ grant codeBase "jrt:/jdk.crypto.pkcs11" {
        permission java.io.FilePermission "<<ALL FILES>>", "read";
 };

+grant codeBase "jrt:/java.xml.ws" {
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal";
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.*";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+        permission java.util.PropertyPermission "*", "read";
+};
+
+grant codeBase "jrt:/java.xml.bind" {
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*";
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal";
+        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal.*";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+        permission java.util.PropertyPermission "*", "read";
+};
+
+grant codeBase "jrt:/java.activation" {
+        permission java.security.AllPermission;
+};
+
 // default permissions granted to all domains

 grant {