Valerie Peng efa54ce543 8043406: Change default policy for JCE providers to run with as few privileges as possible
Provide default permissions for crypto providers

Reviewed-by: mullan, vinnie
2014-07-10 22:44:58 +00:00

96 lines
5.1 KiB
Groff

//
// Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
// DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
//
// This code is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License version 2 only, as
// published by the Free Software Foundation.
//
// This code is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
// version 2 for more details (a copy is included in the LICENSE file that
// accompanied this code).
//
// You should have received a copy of the GNU General Public License version
// 2 along with this work; if not, write to the Free Software Foundation,
// Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
//
// Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
// or visit www.oracle.com if you need additional information or have any
// questions.
//
grant {
permission java.net.URLPermission "http://127.0.0.1:12567/a/b/-", "DELETE,GET:X-Foo,Y-Foo";
permission java.net.URLPermission "https://127.0.0.1:12568/a/c/-", "POST:*";
// needed for HttpServer
permission "java.net.SocketPermission" "localhost:1024-", "listen,resolve,accept";
permission "java.util.PropertyPermission" "test.src", "read";
permission java.io.FilePermission "${test.src}/../../../com/sun/net/httpserver/testkeys", "read";
//permission "java.util.logging.LoggingPermission" "control";
//permission "java.io.FilePermission" "/tmp/-", "read,write";
permission "java.lang.RuntimePermission" "modifyThread";
permission "java.lang.RuntimePermission" "setFactory";
};
// Normal permissions that aren't granted when run under jtreg
grant codeBase "file:${java.home}/lib/ext/ucrypto.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2ucrypto";
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto";
permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto";
permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto";
permission java.io.FilePermission "${java.home}/lib/security/ucrypto-solaris.cfg", "read";
};
grant codeBase "file:${java.home}/lib/ext/sunec.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "loadLibrary.sunec";
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.SunEC";
permission java.security.SecurityPermission "clearProviderProperties.SunEC";
permission java.security.SecurityPermission "removeProviderProperty.SunEC";
};
grant codeBase "file:${java.home}/lib/ext/sunjce_provider.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.security.SecurityPermission "clearProviderProperties.SunJCE";
permission java.security.SecurityPermission "removeProviderProperty.SunJCE";
};
grant codeBase "file:${java.home}/lib/ext/sunpkcs11.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.*";
permission java.security.SecurityPermission "clearProviderProperties.*";
permission java.security.SecurityPermission "removeProviderProperty.*";
permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler";
permission java.security.SecurityPermission "authProvider.*";
// Needed for reading PKCS11 config file and NSS library check
permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant codeBase "file:${java.home}/lib/ext/sunmscapi.jar" {
Permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
permission java.util.PropertyPermission "*", "read";
permission java.security.SecurityPermission "putProviderProperty.SunMSCAPI";
permission java.security.SecurityPermission "clearProviderProperties.SunMSCAPI";
permission java.security.SecurityPermission "removeProviderProperty.SunMSCAPI";
};
grant codeBase "file:${{java.home}}/jre/lib/rt.jar" {
permission java.security.AllPermission;
};