8040059: Change default policy for extensions to no permission

Reviewed-by: alanb, mullan, erikj
Mandy Chung 2014-05-09 09:04:41 -07:00
parent 70bf57509c
commit fc6f28f9ad
14 changed files with 142 additions and 24 deletions


@ -367,8 +367,24 @@ COPY_FILES += $(PROPS_DST)
POLICY_SRC := $(JDK_TOPDIR)/src/share/lib/security/java.policy
POLICY_DST := $(JDK_OUTPUTDIR)/lib/security/java.policy
$(POLICY_DST): $(POLICY_SRC)
$(call install-file)
POLICY_SRC_LIST :=
ifeq ($(OPENJDK_TARGET_OS), windows)
POLICY_SRC_LIST += $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS)/lib/security/java.policy
endif
ifndef OPENJDK
ifneq (, $(filter $(OPENJDK_TARGET_OS), windows solaris))
POLICY_SRC_LIST += $(JDK_TOPDIR)/src/closed/$(OPENJDK_TARGET_OS)/lib/security/java.policy
endif
endif
POLICY_SRC_LIST += $(POLICY_SRC)
$(POLICY_DST): $(POLICY_SRC_LIST)
$(MKDIR) -p $(@D)
$(RM) $@ $@.tmp
$(foreach f,$(POLICY_SRC_LIST),$(CAT) $(f) >> $@.tmp;)
$(MV) $@.tmp $@
COPY_FILES += $(POLICY_DST)
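Review bot: In the new `$(POLICY_DST)` recipe the `$(foreach ...)` joins the `$(CAT)` commands with `;`, so unless the build's shell runs with `-e` only the status of the last `$(CAT)` is reported. A failed read of an earlier platform fragment would then still install a `java.policy` that is silently missing that fragment's grants. Chaining with `&&` stops the recipe on the first failure, for example `$(foreach f,$(POLICY_SRC_LIST),$(CAT) $(f) >> $@.tmp &&) $(MV) $@.tmp $@` on a single recipe line. A one-line comment above `POLICY_SRC_LIST` stating that the installed policy is the platform fragments followed by the shared file would also help the next reader.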


@ -41,6 +41,8 @@ import java.nio.file.attribute.*;
import java.nio.file.spi.*;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
@ -110,7 +112,9 @@ class ZipFileSystem extends FileSystem {
}
// sm and existence check
zfpath.getFileSystem().provider().checkAccess(zfpath, AccessMode.READ);
if (!Files.isWritable(zfpath))
boolean writeable = AccessController.doPrivileged(
(PrivilegedAction<Boolean>) () -> Files.isWritable(zfpath));
if (!writeable)
this.readOnly = true;
this.zc = ZipCoder.get(nameEncoding);
this.defaultdir = new ZipPath(this, getBytes(defaultDir));
@ -262,9 +266,13 @@ class ZipFileSystem extends FileSystem {
}
beginWrite(); // lock and sync
try {
sync();
ch.close(); // close the ch just in case no update
} finally { // and sync dose not close the ch
AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
sync(); return null;
});
ch.close(); // close the ch just in case no update
} catch (PrivilegedActionException e) { // and sync dose not close the ch
throw (IOException)e.getException();
} finally {
endWrite();
}
@ -281,8 +289,10 @@ class ZipFileSystem extends FileSystem {
synchronized (tmppaths) {
for (Path p: tmppaths) {
try {
Files.deleteIfExists(p);
} catch (IOException x) {
AccessController.doPrivileged(
(PrivilegedExceptionAction<Boolean>)() -> Files.deleteIfExists(p));
} catch (PrivilegedActionException e) {
IOException x = (IOException)e.getException();
if (ioe == null)
ioe = x;
else
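Review bot: The three new `doPrivileged` blocks run `Files.isWritable(zfpath)`, `sync()` and `Files.deleteIfExists(p)` under zipfs.jar's own `FilePermission`, and the only caller-context check visible in these hunks is `checkAccess(zfpath, AccessMode.READ)`. If no write check exists elsewhere in the class, code holding only read permission on the zip file would get a writable file system whose `sync()` rewrites the file on its behalf. Consider deciding `readOnly` from a check made in the caller's context, or use the limited-permission `doPrivileged` overload that takes explicit `Permission` arguments, so each block asserts only what it needs. Separately, the cleanup loop now catches only `PrivilegedActionException`, so an unchecked `AccessControlException` from `deleteIfExists` (a policy without "delete") would leave the loop before the remaining temp paths are tried. The enclosing methods start and end outside the hunks.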


@ -1,7 +1,39 @@
// permissions required by each component
grant codeBase "file:${java.home}/lib/ext/zipfs.jar" {
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
permission java.lang.RuntimePermission "fileSystemProvider";
permission java.util.PropertyPermission "*", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/cldrdata.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.text.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${{java.ext.dirs}}/*" {
grant codeBase "file:${java.home}/lib/ext/localedata.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.text.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${java.home}/lib/ext/dnsns.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/nashorn.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
permission java.security.AllPermission;
};
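Review bot: The grants for `dnsns.jar`, `nashorn.jar`, `sunec.jar`, `sunjce_provider.jar` and `sunpkcs11.jar` keep `java.security.AllPermission` with no comment saying why. A reader cannot tell a deliberate grant from one still waiting to be narrowed like the `zipfs.jar`, `cldrdata.jar` and `localedata.jar` entries above. I would add a line before that group such as `// still granted AllPermission; narrow once the required permissions are known`, worded to match the actual intent. The `zipfs.jar` grant of `FilePermission "<<ALL FILES>>", "read,write,delete"` also deserves a comment noting that the provider uses it inside `doPrivileged` blocks, since that is what makes its breadth matter.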


@ -0,0 +1,3 @@
grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
permission java.security.AllPermission;
};


@ -97,7 +97,8 @@ jdk_io = \
jdk_nio = \
java/nio \
sun/nio
sun/nio \
jdk/nio
jdk_net = \
java/net \
@ -203,7 +204,6 @@ jdk_other = \
com/sun/jndi \
com/sun/corba \
lib/testlibrary \
jdk/nio/zipfs \
sample
#


@ -31,8 +31,11 @@ import java.io.IOException;
/**
*
* @test
* @bug 8038500
* @bug 8038500 8040059
* @summary Basic test for zip provider
*
* @run main Basic
* @run main/othervm/policy=test.policy Basic
*/
public class Basic {


@ -29,8 +29,11 @@ import java.io.IOException;
/**
*
* @test
* @bug 8038500
* @bug 8038500 8040059
* @summary Tests path operations for zip provider.
*
* @run main PathOps
* @run main/othervm/policy=test.policy.readonly PathOps
*/
public class PathOps {


@ -22,8 +22,11 @@
*/
/* @test
@bug 7156873
@summary ZipFileSystem regression tests
* @bug 7156873 8040059
* @summary ZipFileSystem regression tests
*
* @run main ZFSTests
* @run main/othervm/policy=test.policy ZFSTests
*/


@ -40,8 +40,10 @@ import static java.nio.file.StandardCopyOption.*;
*
* @test
* @bug 6990846 7009092 7009085 7015391 7014948 7005986 7017840 7007596
* 7157656 8002390 7012868 7012856 8015728 8038500
* 7157656 8002390 7012868 7012856 8015728 8038500 8040059
* @summary Test Zip filesystem provider
* @run main ZipFSTester
* @run main/othervm/policy=test.policy ZipFSTester
*/
public class ZipFSTester {


@ -0,0 +1,16 @@
grant codeBase "file:${java.home}/lib/ext/zipfs.jar" {
permission java.io.FilePermission "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission "fileSystemProvider";
permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
};
grant {
permission java.io.FilePermission "<<ALL FILES>>","read,write,delete";
permission java.util.PropertyPermission "test.jdk","read";
permission java.util.PropertyPermission "test.src","read";
permission java.util.PropertyPermission "user.dir","read";
};
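Review bot: The unqualified `grant` block gives every code source, the test and `zipfs.jar` alike, `FilePermission "<<ALL FILES>>", "read,write,delete"`, so under this policy the caller already holds every file permission. The run therefore does not show that the provider works when the caller holds less. It also means the `zipfs.jar` entry here ("read,write", without the "delete" that the shipped java.policy grants) is never the deciding grant. Scoping the test's own grant to the directories it actually uses (for instance `${test.src}` and `${user.dir}`, if those are the only ones touched) would make the per-codeBase grant meaningful. The same `zipfs.jar` entry appears in the read-only policy file that follows.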


@ -0,0 +1,12 @@
grant codeBase "file:${java.home}/lib/ext/zipfs.jar" {
permission java.io.FilePermission "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission "fileSystemProvider";
permission java.util.PropertyPermission "*", "read";
};
grant {
permission java.io.FilePermission "<<ALL FILES>>","read";
permission java.util.PropertyPermission "test.jdk","read";
permission java.util.PropertyPermission "test.src","read";
permission java.util.PropertyPermission "user.dir","read";
};


@ -30,12 +30,24 @@ import java.io.*;
import java.security.*;
public class Ext_AllPolicy {
public static void main (String[] args) {
FilePermission mine = new FilePermission("/tmp/bar", "read");
SecurityManager sm = System.getSecurityManager();
public static void main (String[] args) {
boolean allPerms = args.length == 1 && args[0].equals("AllPermission");
FilePermission mine = new FilePermission("/tmp/bar", "read");
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(mine);
if (sm != null) {
try {
sm.checkPermission(mine);
if (!allPerms) {
// Default has no privilege.
throw new RuntimeException(mine + " expected to deny access");
}
} catch (AccessControlException e) {
if (allPerms) {
// expected all permissions granted
throw e;
}
}
}
}
}
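Review bot: When `System.getSecurityManager()` returns null, `main` returns without checking anything, so a launch that loses `-Djava.security.manager` passes in both the default and the `AllPermission` mode. Since the permission decision is the whole point of the test, fail fast instead: `if (sm == null) throw new RuntimeException("security manager required");`. The `/tmp/bar` path is only used to build the `FilePermission` that is checked and is never opened, and a short comment saying so would save the reader from looking for the file.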


@ -22,7 +22,7 @@
#
# @test
# @bug 4215035
# @bug 4215035 8040059
# @summary standard extensions path is hard-coded in default system policy file
#
# @build Ext_AllPolicy
@ -81,6 +81,9 @@ ${COMPILEJAVA}${FS}bin${FS}jar ${TESTTOOLVMOPTS} -cvf Ext_AllPolicy.jar Ext_AllP
rm Ext_AllPolicy.class
${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} \
-Djava.security.manager -Djava.ext.dirs="${TESTCLASSES}" Ext_AllPolicy
-Djava.security.manager -Djava.ext.dirs="${TESTCLASSES}" Ext_AllPolicy || exit 10
${TESTJAVA}${FS}bin${FS}java ${TESTVMOPTS} \
-Djava.security.policy=${TESTSRC}${FS}test.policy \
-Djava.security.manager -Djava.ext.dirs="${TESTCLASSES}" Ext_AllPolicy AllPermission
exit $?
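Review bot: The added `-Djava.security.policy=${TESTSRC}${FS}test.policy` is unquoted while the neighbouring `-Djava.ext.dirs="${TESTCLASSES}"` is quoted, so a source path containing spaces would split the argument and the second launch would fail for a reason unrelated to the policy. Quote it: `-Djava.security.policy="${TESTSRC}${FS}test.policy" \`. A comment above the second invocation stating that the single `=` adds test.policy to the default policy rather than replacing it would document why the two runs expect opposite outcomes. The script starts outside these hunks.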


@ -0,0 +1,3 @@
grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};