RuntimePermission.java revision 12519:9d6f8c37e857 
1276789Sdim/*
2276789Sdim * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
3276789Sdim * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4276789Sdim *
5276789Sdim * This code is free software; you can redistribute it and/or modify it
6276789Sdim * under the terms of the GNU General Public License version 2 only, as
7276789Sdim * published by the Free Software Foundation.  Oracle designates this
8276789Sdim * particular file as subject to the "Classpath" exception as provided
9276789Sdim * by Oracle in the LICENSE file that accompanied this code.
10276789Sdim *
11276789Sdim * This code is distributed in the hope that it will be useful, but WITHOUT
12276789Sdim * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13276789Sdim * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14276789Sdim * version 2 for more details (a copy is included in the LICENSE file that
15276789Sdim * accompanied this code).
16276789Sdim *
17276789Sdim * You should have received a copy of the GNU General Public License version
18276789Sdim * 2 along with this work; if not, write to the Free Software Foundation,
19276789Sdim * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20276789Sdim *
21276789Sdim * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22276789Sdim * or visit www.oracle.com if you need additional information or have any
23276789Sdim * questions.
24276789Sdim */
25276789Sdim
26276789Sdimpackage java.lang;
27276789Sdim
28276789Sdimimport java.security.*;
29276789Sdimimport java.util.Enumeration;
30276789Sdimimport java.util.Hashtable;
31276789Sdimimport java.util.StringTokenizer;
32276789Sdim
33276789Sdim/**
34276789Sdim * This class is for runtime permissions. A RuntimePermission
35276789Sdim * contains a name (also referred to as a "target name") but
36276789Sdim * no actions list; you either have the named permission
37276789Sdim * or you don't.
38276789Sdim *
39276789Sdim * <P>
40276789Sdim * The target name is the name of the runtime permission (see below). The
41276789Sdim * naming convention follows the  hierarchical property naming convention.
42276789Sdim * Also, an asterisk
43276789Sdim * may appear at the end of the name, following a ".", or by itself, to
44276789Sdim * signify a wildcard match. For example: "loadLibrary.*" and "*" signify a
45276789Sdim * wildcard match, while "*loadLibrary" and "a*b" do not.
46276789Sdim * <P>
47276789Sdim * The following table lists all the possible RuntimePermission target names,
48276789Sdim * and for each provides a description of what the permission allows
49276789Sdim * and a discussion of the risks of granting code the permission.
50276789Sdim *
51276789Sdim * <table border=1 cellpadding=5 summary="permission target name,
52276789Sdim *  what the target allows,and associated risks">
53276789Sdim * <tr>
54276789Sdim * <th>Permission Target Name</th>
55276789Sdim * <th>What the Permission Allows</th>
56276789Sdim * <th>Risks of Allowing this Permission</th>
57276789Sdim * </tr>
58276789Sdim *
59276789Sdim * <tr>
60276789Sdim *   <td>createClassLoader</td>
61276789Sdim *   <td>Creation of a class loader</td>
62276789Sdim *   <td>This is an extremely dangerous permission to grant.
63276789Sdim * Malicious applications that can instantiate their own class
64276789Sdim * loaders could then load their own rogue classes into the system.
65276789Sdim * These newly loaded classes could be placed into any protection
66276789Sdim * domain by the class loader, thereby automatically granting the
67276789Sdim * classes the permissions for that domain.</td>
68276789Sdim * </tr>
69276789Sdim *
70276789Sdim * <tr>
71276789Sdim *   <td>getClassLoader</td>
72276789Sdim *   <td>Retrieval of a class loader (e.g., the class loader for the calling
73276789Sdim * class)</td>
74276789Sdim *   <td>This would grant an attacker permission to get the
75276789Sdim * class loader for a particular class. This is dangerous because
76321369Sdim * having access to a class's class loader allows the attacker to
77321369Sdim * load other classes available to that class loader. The attacker
78327952Sdim * would typically otherwise not have access to those classes.</td>
79321369Sdim * </tr>
80321369Sdim *
81321369Sdim * <tr>
82327952Sdim *   <td>setContextClassLoader</td>
83327952Sdim *   <td>Setting of the context class loader used by a thread</td>
84321369Sdim *   <td>The context class loader is used by system code and extensions
85327952Sdim * when they need to lookup resources that might not exist in the system
86 * class loader. Granting setContextClassLoader permission would allow
87 * code to change which context class loader is used
88 * for a particular thread, including system threads.</td>
89 * </tr>
90 *
91 * <tr>
92 *   <td>enableContextClassLoaderOverride</td>
93 *   <td>Subclass implementation of the thread context class loader methods</td>
94 *   <td>The context class loader is used by system code and extensions
95 * when they need to lookup resources that might not exist in the system
96 * class loader. Granting enableContextClassLoaderOverride permission would allow
97 * a subclass of Thread to override the methods that are used
98 * to get or set the context class loader for a particular thread.</td>
99 * </tr>
100 *
101 * <tr>
102 *   <td>closeClassLoader</td>
103 *   <td>Closing of a ClassLoader</td>
104 *   <td>Granting this permission allows code to close any URLClassLoader
105 * that it has a reference to.</td>
106 * </tr>
107 *
108 * <tr>
109 *   <td>setSecurityManager</td>
110 *   <td>Setting of the security manager (possibly replacing an existing one)
111 * </td>
112 *   <td>The security manager is a class that allows
113 * applications to implement a security policy. Granting the setSecurityManager
114 * permission would allow code to change which security manager is used by
115 * installing a different, possibly less restrictive security manager,
116 * thereby bypassing checks that would have been enforced by the original
117 * security manager.</td>
118 * </tr>
119 *
120 * <tr>
121 *   <td>createSecurityManager</td>
122 *   <td>Creation of a new security manager</td>
123 *   <td>This gives code access to protected, sensitive methods that may
124 * disclose information about other classes or the execution stack.</td>
125 * </tr>
126 *
127 * <tr>
128 *   <td>getenv.{variable name}</td>
129 *   <td>Reading of the value of the specified environment variable</td>
130 *   <td>This would allow code to read the value, or determine the
131 *       existence, of a particular environment variable.  This is
132 *       dangerous if the variable contains confidential data.</td>
133 * </tr>
134 *
135 * <tr>
136 *   <td>exitVM.{exit status}</td>
137 *   <td>Halting of the Java Virtual Machine with the specified exit status</td>
138 *   <td>This allows an attacker to mount a denial-of-service attack
139 * by automatically forcing the virtual machine to halt.
140 * Note: The "exitVM.*" permission is automatically granted to all code
141 * loaded from the application class path, thus enabling applications
142 * to terminate themselves. Also, the "exitVM" permission is equivalent to
143 * "exitVM.*".</td>
144 * </tr>
145 *
146 * <tr>
147 *   <td>shutdownHooks</td>
148 *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>
149 *   <td>This allows an attacker to register a malicious shutdown
150 * hook that interferes with the clean shutdown of the virtual machine.</td>
151 * </tr>
152 *
153 * <tr>
154 *   <td>setFactory</td>
155 *   <td>Setting of the socket factory used by ServerSocket or Socket,
156 * or of the stream handler factory used by URL</td>
157 *   <td>This allows code to set the actual implementation
158 * for the socket, server socket, stream handler, or RMI socket factory.
159 * An attacker may set a faulty implementation which mangles the data
160 * stream.</td>
161 * </tr>
162 *
163 * <tr>
164 *   <td>setIO</td>
165 *   <td>Setting of System.out, System.in, and System.err</td>
166 *   <td>This allows changing the value of the standard system streams.
167 * An attacker may change System.in to monitor and
168 * steal user input, or may set System.err to a "null" OutputStream,
169 * which would hide any error messages sent to System.err. </td>
170 * </tr>
171 *
172 * <tr>
173 *   <td>modifyThread</td>
174 *   <td>Modification of threads, e.g., via calls to Thread
175 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority,
176 * setName} and {@code setUncaughtExceptionHandler}
177 * methods</td>
178 * <td>This allows an attacker to modify the behaviour of
179 * any thread in the system.</td>
180 * </tr>
181 *
182 * <tr>
183 *   <td>stopThread</td>
184 *   <td>Stopping of threads via calls to the Thread <code>stop</code>
185 * method</td>
186 *   <td>This allows code to stop any thread in the system provided that it is
187 * already granted permission to access that thread.
188 * This poses as a threat, because that code may corrupt the system by
189 * killing existing threads.</td>
190 * </tr>
191 *
192 * <tr>
193 *   <td>modifyThreadGroup</td>
194 *   <td>modification of thread groups, e.g., via calls to ThreadGroup
195 * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
196 * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
197 * and <code>suspend</code> methods</td>
198 *   <td>This allows an attacker to create thread groups and
199 * set their run priority.</td>
200 * </tr>
201 *
202 * <tr>
203 *   <td>getProtectionDomain</td>
204 *   <td>Retrieval of the ProtectionDomain for a class</td>
205 *   <td>This allows code to obtain policy information
206 * for a particular code source. While obtaining policy information
207 * does not compromise the security of the system, it does give
208 * attackers additional information, such as local file names for
209 * example, to better aim an attack.</td>
210 * </tr>
211 *
212 * <tr>
213 *   <td>getFileSystemAttributes</td>
214 *   <td>Retrieval of file system attributes</td>
215 *   <td>This allows code to obtain file system information such as disk usage
216 *       or disk space available to the caller.  This is potentially dangerous
217 *       because it discloses information about the system hardware
218 *       configuration and some information about the caller's privilege to
219 *       write files.</td>
220 * </tr>
221 *
222 * <tr>
223 *   <td>readFileDescriptor</td>
224 *   <td>Reading of file descriptors</td>
225 *   <td>This would allow code to read the particular file associated
226 *       with the file descriptor read. This is dangerous if the file
227 *       contains confidential data.</td>
228 * </tr>
229 *
230 * <tr>
231 *   <td>writeFileDescriptor</td>
232 *   <td>Writing to file descriptors</td>
233 *   <td>This allows code to write to a particular file associated
234 *       with the descriptor. This is dangerous because it may allow
235 *       malicious code to plant viruses or at the very least, fill up
236 *       your entire disk.</td>
237 * </tr>
238 *
239 * <tr>
240 *   <td>loadLibrary.{library name}</td>
241 *   <td>Dynamic linking of the specified library</td>
242 *   <td>It is dangerous to allow an applet permission to load native code
243 * libraries, because the Java security architecture is not designed to and
244 * does not prevent malicious behavior at the level of native code.</td>
245 * </tr>
246 *
247 * <tr>
248 *   <td>accessClassInPackage.{package name}</td>
249 *   <td>Access to the specified package via a class loader's
250 * <code>loadClass</code> method when that class loader calls
251 * the SecurityManager <code>checkPackageAccess</code> method</td>
252 *   <td>This gives code access to classes in packages
253 * to which it normally does not have access. Malicious code
254 * may use these classes to help in its attempt to compromise
255 * security in the system.</td>
256 * </tr>
257 *
258 * <tr>
259 *   <td>defineClassInPackage.{package name}</td>
260 *   <td>Definition of classes in the specified package, via a class
261 * loader's <code>defineClass</code> method when that class loader calls
262 * the SecurityManager <code>checkPackageDefinition</code> method.</td>
263 *   <td>This grants code permission to define a class
264 * in a particular package. This is dangerous because malicious
265 * code with this permission may define rogue classes in
266 * trusted packages like <code>java.security</code> or <code>java.lang</code>,
267 * for example.</td>
268 * </tr>
269 *
270 * <tr>
271 *   <td>accessDeclaredMembers</td>
272 *   <td>Access to the declared members of a class</td>
273 *   <td>This grants code permission to query a class for its public,
274 * protected, default (package) access, and private fields and/or
275 * methods. Although the code would have
276 * access to the private and protected field and method names, it would not
277 * have access to the private/protected field data and would not be able
278 * to invoke any private methods. Nevertheless, malicious code
279 * may use this information to better aim an attack.
280 * Additionally, it may invoke any public methods and/or access public fields
281 * in the class.  This could be dangerous if
282 * the code would normally not be able to invoke those methods and/or
283 * access the fields  because
284 * it can't cast the object to the class/interface with those methods
285 * and fields.
286</td>
287 * </tr>
288 * <tr>
289 *   <td>queuePrintJob</td>
290 *   <td>Initiation of a print job request</td>
291 *   <td>This could print sensitive information to a printer,
292 * or simply waste paper.</td>
293 * </tr>
294 *
295 * <tr>
296 *   <td>getStackTrace</td>
297 *   <td>Retrieval of the stack trace information of another thread.</td>
298 *   <td>This allows retrieval of the stack trace information of
299 * another thread.  This might allow malicious code to monitor the
300 * execution of threads and discover vulnerabilities in applications.</td>
301 * </tr>
302 *
303 * <tr>
304 *   <td>setDefaultUncaughtExceptionHandler</td>
305 *   <td>Setting the default handler to be used when a thread
306 *   terminates abruptly due to an uncaught exception</td>
307 *   <td>This allows an attacker to register a malicious
308 *   uncaught exception handler that could interfere with termination
309 *   of a thread</td>
310 * </tr>
311 *
312 * <tr>
313 *   <td>preferences</td>
314 *   <td>Represents the permission required to get access to the
315 *   java.util.prefs.Preferences implementations user or system root
316 *   which in turn allows retrieval or update operations within the
317 *   Preferences persistent backing store.) </td>
318 *   <td>This permission allows the user to read from or write to the
319 *   preferences backing store if the user running the code has
320 *   sufficient OS privileges to read/write to that backing store.
321 *   The actual backing store may reside within a traditional filesystem
322 *   directory or within a registry depending on the platform OS</td>
323 * </tr>
324 *
325 * <tr>
326 *   <td>usePolicy</td>
327 *   <td>Granting this permission disables the Java Plug-In's default
328 *   security prompting behavior.</td>
329 *   <td>For more information, refer to Java Plug-In's guides, <a href=
330 *   "../../../technotes/guides/plugin/developer_guide/security.html">
331 *   Applet Security Basics</a> and <a href=
332 *   "../../../technotes/guides/plugin/developer_guide/rsa_how.html#use">
333 *   usePolicy Permission</a>.</td>
334 * </tr>
335 * <tr>
336 *   <td>manageProcess</td>
337 *   <td>Native process termination and information about processes
338 *       {@link ProcessHandle}.</td>
339 *   <td>Allows code to identify and terminate processes that it did not create.</td>
340 * </tr>
341 *
342 * <tr>
343 *   <td>localeServiceProvider</td>
344 *   <td>This {@code RuntimePermission} is required to be granted to
345 *   classes which subclass and implement
346 *   {@code java.util.spi.LocaleServiceProvider}. The permission is
347 *   checked during invocation of the abstract base class constructor.
348 *   This permission ensures trust in classes which implement this
349 *   security-sensitive provider mechanism. </td>
350 *   <td>See <a href= "../util/spi/LocaleServiceProvider.html">
351 *   {@code java.util.spi.LocaleServiceProvider}</a> for more
352 *   information.</td>
353 * </tr>
354 * </table>
355 *
356 * @see java.security.BasicPermission
357 * @see java.security.Permission
358 * @see java.security.Permissions
359 * @see java.security.PermissionCollection
360 * @see java.lang.SecurityManager
361 *
362 *
363 * @author Marianne Mueller
364 * @author Roland Schemers
365 */
366
367public final class RuntimePermission extends BasicPermission {
368
369    private static final long serialVersionUID = 7399184964622342223L;
370
371    /**
372     * Creates a new RuntimePermission with the specified name.
373     * The name is the symbolic name of the RuntimePermission, such as
374     * "exit", "setFactory", etc. An asterisk
375     * may appear at the end of the name, following a ".", or by itself, to
376     * signify a wildcard match.
377     *
378     * @param name the name of the RuntimePermission.
379     *
380     * @throws NullPointerException if <code>name</code> is <code>null</code>.
381     * @throws IllegalArgumentException if <code>name</code> is empty.
382     */
383
384    public RuntimePermission(String name)
385    {
386        super(name);
387    }
388
389    /**
390     * Creates a new RuntimePermission object with the specified name.
391     * The name is the symbolic name of the RuntimePermission, and the
392     * actions String is currently unused and should be null.
393     *
394     * @param name the name of the RuntimePermission.
395     * @param actions should be null.
396     *
397     * @throws NullPointerException if <code>name</code> is <code>null</code>.
398     * @throws IllegalArgumentException if <code>name</code> is empty.
399     */
400
401    public RuntimePermission(String name, String actions)
402    {
403        super(name, actions);
404    }
405}
406