RuntimePermission.java revision 12519:9d6f8c37e857
1276789Sdim/* 2276789Sdim * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. 3276789Sdim * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4276789Sdim * 5276789Sdim * This code is free software; you can redistribute it and/or modify it 6276789Sdim * under the terms of the GNU General Public License version 2 only, as 7276789Sdim * published by the Free Software Foundation. Oracle designates this 8276789Sdim * particular file as subject to the "Classpath" exception as provided 9276789Sdim * by Oracle in the LICENSE file that accompanied this code. 10276789Sdim * 11276789Sdim * This code is distributed in the hope that it will be useful, but WITHOUT 12276789Sdim * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13276789Sdim * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14276789Sdim * version 2 for more details (a copy is included in the LICENSE file that 15276789Sdim * accompanied this code). 16276789Sdim * 17276789Sdim * You should have received a copy of the GNU General Public License version 18276789Sdim * 2 along with this work; if not, write to the Free Software Foundation, 19276789Sdim * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20276789Sdim * 21276789Sdim * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22276789Sdim * or visit www.oracle.com if you need additional information or have any 23276789Sdim * questions. 24276789Sdim */ 25276789Sdim 26276789Sdimpackage java.lang; 27276789Sdim 28276789Sdimimport java.security.*; 29276789Sdimimport java.util.Enumeration; 30276789Sdimimport java.util.Hashtable; 31276789Sdimimport java.util.StringTokenizer; 32276789Sdim 33276789Sdim/** 34276789Sdim * This class is for runtime permissions. A RuntimePermission 35276789Sdim * contains a name (also referred to as a "target name") but 36276789Sdim * no actions list; you either have the named permission 37276789Sdim * or you don't. 38276789Sdim * 39276789Sdim * <P> 40276789Sdim * The target name is the name of the runtime permission (see below). The 41276789Sdim * naming convention follows the hierarchical property naming convention. 42276789Sdim * Also, an asterisk 43276789Sdim * may appear at the end of the name, following a ".", or by itself, to 44276789Sdim * signify a wildcard match. For example: "loadLibrary.*" and "*" signify a 45276789Sdim * wildcard match, while "*loadLibrary" and "a*b" do not. 46276789Sdim * <P> 47276789Sdim * The following table lists all the possible RuntimePermission target names, 48276789Sdim * and for each provides a description of what the permission allows 49276789Sdim * and a discussion of the risks of granting code the permission. 50276789Sdim * 51276789Sdim * <table border=1 cellpadding=5 summary="permission target name, 52276789Sdim * what the target allows,and associated risks"> 53276789Sdim * <tr> 54276789Sdim * <th>Permission Target Name</th> 55276789Sdim * <th>What the Permission Allows</th> 56276789Sdim * <th>Risks of Allowing this Permission</th> 57276789Sdim * </tr> 58276789Sdim * 59276789Sdim * <tr> 60276789Sdim * <td>createClassLoader</td> 61276789Sdim * <td>Creation of a class loader</td> 62276789Sdim * <td>This is an extremely dangerous permission to grant. 63276789Sdim * Malicious applications that can instantiate their own class 64276789Sdim * loaders could then load their own rogue classes into the system. 65276789Sdim * These newly loaded classes could be placed into any protection 66276789Sdim * domain by the class loader, thereby automatically granting the 67276789Sdim * classes the permissions for that domain.</td> 68276789Sdim * </tr> 69276789Sdim * 70276789Sdim * <tr> 71276789Sdim * <td>getClassLoader</td> 72276789Sdim * <td>Retrieval of a class loader (e.g., the class loader for the calling 73276789Sdim * class)</td> 74276789Sdim * <td>This would grant an attacker permission to get the 75276789Sdim * class loader for a particular class. This is dangerous because 76321369Sdim * having access to a class's class loader allows the attacker to 77321369Sdim * load other classes available to that class loader. The attacker 78327952Sdim * would typically otherwise not have access to those classes.</td> 79321369Sdim * </tr> 80321369Sdim * 81321369Sdim * <tr> 82327952Sdim * <td>setContextClassLoader</td> 83327952Sdim * <td>Setting of the context class loader used by a thread</td> 84321369Sdim * <td>The context class loader is used by system code and extensions 85327952Sdim * when they need to lookup resources that might not exist in the system 86 * class loader. Granting setContextClassLoader permission would allow 87 * code to change which context class loader is used 88 * for a particular thread, including system threads.</td> 89 * </tr> 90 * 91 * <tr> 92 * <td>enableContextClassLoaderOverride</td> 93 * <td>Subclass implementation of the thread context class loader methods</td> 94 * <td>The context class loader is used by system code and extensions 95 * when they need to lookup resources that might not exist in the system 96 * class loader. Granting enableContextClassLoaderOverride permission would allow 97 * a subclass of Thread to override the methods that are used 98 * to get or set the context class loader for a particular thread.</td> 99 * </tr> 100 * 101 * <tr> 102 * <td>closeClassLoader</td> 103 * <td>Closing of a ClassLoader</td> 104 * <td>Granting this permission allows code to close any URLClassLoader 105 * that it has a reference to.</td> 106 * </tr> 107 * 108 * <tr> 109 * <td>setSecurityManager</td> 110 * <td>Setting of the security manager (possibly replacing an existing one) 111 * </td> 112 * <td>The security manager is a class that allows 113 * applications to implement a security policy. Granting the setSecurityManager 114 * permission would allow code to change which security manager is used by 115 * installing a different, possibly less restrictive security manager, 116 * thereby bypassing checks that would have been enforced by the original 117 * security manager.</td> 118 * </tr> 119 * 120 * <tr> 121 * <td>createSecurityManager</td> 122 * <td>Creation of a new security manager</td> 123 * <td>This gives code access to protected, sensitive methods that may 124 * disclose information about other classes or the execution stack.</td> 125 * </tr> 126 * 127 * <tr> 128 * <td>getenv.{variable name}</td> 129 * <td>Reading of the value of the specified environment variable</td> 130 * <td>This would allow code to read the value, or determine the 131 * existence, of a particular environment variable. This is 132 * dangerous if the variable contains confidential data.</td> 133 * </tr> 134 * 135 * <tr> 136 * <td>exitVM.{exit status}</td> 137 * <td>Halting of the Java Virtual Machine with the specified exit status</td> 138 * <td>This allows an attacker to mount a denial-of-service attack 139 * by automatically forcing the virtual machine to halt. 140 * Note: The "exitVM.*" permission is automatically granted to all code 141 * loaded from the application class path, thus enabling applications 142 * to terminate themselves. Also, the "exitVM" permission is equivalent to 143 * "exitVM.*".</td> 144 * </tr> 145 * 146 * <tr> 147 * <td>shutdownHooks</td> 148 * <td>Registration and cancellation of virtual-machine shutdown hooks</td> 149 * <td>This allows an attacker to register a malicious shutdown 150 * hook that interferes with the clean shutdown of the virtual machine.</td> 151 * </tr> 152 * 153 * <tr> 154 * <td>setFactory</td> 155 * <td>Setting of the socket factory used by ServerSocket or Socket, 156 * or of the stream handler factory used by URL</td> 157 * <td>This allows code to set the actual implementation 158 * for the socket, server socket, stream handler, or RMI socket factory. 159 * An attacker may set a faulty implementation which mangles the data 160 * stream.</td> 161 * </tr> 162 * 163 * <tr> 164 * <td>setIO</td> 165 * <td>Setting of System.out, System.in, and System.err</td> 166 * <td>This allows changing the value of the standard system streams. 167 * An attacker may change System.in to monitor and 168 * steal user input, or may set System.err to a "null" OutputStream, 169 * which would hide any error messages sent to System.err. </td> 170 * </tr> 171 * 172 * <tr> 173 * <td>modifyThread</td> 174 * <td>Modification of threads, e.g., via calls to Thread 175 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority, 176 * setName} and {@code setUncaughtExceptionHandler} 177 * methods</td> 178 * <td>This allows an attacker to modify the behaviour of 179 * any thread in the system.</td> 180 * </tr> 181 * 182 * <tr> 183 * <td>stopThread</td> 184 * <td>Stopping of threads via calls to the Thread <code>stop</code> 185 * method</td> 186 * <td>This allows code to stop any thread in the system provided that it is 187 * already granted permission to access that thread. 188 * This poses as a threat, because that code may corrupt the system by 189 * killing existing threads.</td> 190 * </tr> 191 * 192 * <tr> 193 * <td>modifyThreadGroup</td> 194 * <td>modification of thread groups, e.g., via calls to ThreadGroup 195 * <code>destroy</code>, <code>getParent</code>, <code>resume</code>, 196 * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>, 197 * and <code>suspend</code> methods</td> 198 * <td>This allows an attacker to create thread groups and 199 * set their run priority.</td> 200 * </tr> 201 * 202 * <tr> 203 * <td>getProtectionDomain</td> 204 * <td>Retrieval of the ProtectionDomain for a class</td> 205 * <td>This allows code to obtain policy information 206 * for a particular code source. While obtaining policy information 207 * does not compromise the security of the system, it does give 208 * attackers additional information, such as local file names for 209 * example, to better aim an attack.</td> 210 * </tr> 211 * 212 * <tr> 213 * <td>getFileSystemAttributes</td> 214 * <td>Retrieval of file system attributes</td> 215 * <td>This allows code to obtain file system information such as disk usage 216 * or disk space available to the caller. This is potentially dangerous 217 * because it discloses information about the system hardware 218 * configuration and some information about the caller's privilege to 219 * write files.</td> 220 * </tr> 221 * 222 * <tr> 223 * <td>readFileDescriptor</td> 224 * <td>Reading of file descriptors</td> 225 * <td>This would allow code to read the particular file associated 226 * with the file descriptor read. This is dangerous if the file 227 * contains confidential data.</td> 228 * </tr> 229 * 230 * <tr> 231 * <td>writeFileDescriptor</td> 232 * <td>Writing to file descriptors</td> 233 * <td>This allows code to write to a particular file associated 234 * with the descriptor. This is dangerous because it may allow 235 * malicious code to plant viruses or at the very least, fill up 236 * your entire disk.</td> 237 * </tr> 238 * 239 * <tr> 240 * <td>loadLibrary.{library name}</td> 241 * <td>Dynamic linking of the specified library</td> 242 * <td>It is dangerous to allow an applet permission to load native code 243 * libraries, because the Java security architecture is not designed to and 244 * does not prevent malicious behavior at the level of native code.</td> 245 * </tr> 246 * 247 * <tr> 248 * <td>accessClassInPackage.{package name}</td> 249 * <td>Access to the specified package via a class loader's 250 * <code>loadClass</code> method when that class loader calls 251 * the SecurityManager <code>checkPackageAccess</code> method</td> 252 * <td>This gives code access to classes in packages 253 * to which it normally does not have access. Malicious code 254 * may use these classes to help in its attempt to compromise 255 * security in the system.</td> 256 * </tr> 257 * 258 * <tr> 259 * <td>defineClassInPackage.{package name}</td> 260 * <td>Definition of classes in the specified package, via a class 261 * loader's <code>defineClass</code> method when that class loader calls 262 * the SecurityManager <code>checkPackageDefinition</code> method.</td> 263 * <td>This grants code permission to define a class 264 * in a particular package. This is dangerous because malicious 265 * code with this permission may define rogue classes in 266 * trusted packages like <code>java.security</code> or <code>java.lang</code>, 267 * for example.</td> 268 * </tr> 269 * 270 * <tr> 271 * <td>accessDeclaredMembers</td> 272 * <td>Access to the declared members of a class</td> 273 * <td>This grants code permission to query a class for its public, 274 * protected, default (package) access, and private fields and/or 275 * methods. Although the code would have 276 * access to the private and protected field and method names, it would not 277 * have access to the private/protected field data and would not be able 278 * to invoke any private methods. Nevertheless, malicious code 279 * may use this information to better aim an attack. 280 * Additionally, it may invoke any public methods and/or access public fields 281 * in the class. This could be dangerous if 282 * the code would normally not be able to invoke those methods and/or 283 * access the fields because 284 * it can't cast the object to the class/interface with those methods 285 * and fields. 286</td> 287 * </tr> 288 * <tr> 289 * <td>queuePrintJob</td> 290 * <td>Initiation of a print job request</td> 291 * <td>This could print sensitive information to a printer, 292 * or simply waste paper.</td> 293 * </tr> 294 * 295 * <tr> 296 * <td>getStackTrace</td> 297 * <td>Retrieval of the stack trace information of another thread.</td> 298 * <td>This allows retrieval of the stack trace information of 299 * another thread. This might allow malicious code to monitor the 300 * execution of threads and discover vulnerabilities in applications.</td> 301 * </tr> 302 * 303 * <tr> 304 * <td>setDefaultUncaughtExceptionHandler</td> 305 * <td>Setting the default handler to be used when a thread 306 * terminates abruptly due to an uncaught exception</td> 307 * <td>This allows an attacker to register a malicious 308 * uncaught exception handler that could interfere with termination 309 * of a thread</td> 310 * </tr> 311 * 312 * <tr> 313 * <td>preferences</td> 314 * <td>Represents the permission required to get access to the 315 * java.util.prefs.Preferences implementations user or system root 316 * which in turn allows retrieval or update operations within the 317 * Preferences persistent backing store.) </td> 318 * <td>This permission allows the user to read from or write to the 319 * preferences backing store if the user running the code has 320 * sufficient OS privileges to read/write to that backing store. 321 * The actual backing store may reside within a traditional filesystem 322 * directory or within a registry depending on the platform OS</td> 323 * </tr> 324 * 325 * <tr> 326 * <td>usePolicy</td> 327 * <td>Granting this permission disables the Java Plug-In's default 328 * security prompting behavior.</td> 329 * <td>For more information, refer to Java Plug-In's guides, <a href= 330 * "../../../technotes/guides/plugin/developer_guide/security.html"> 331 * Applet Security Basics</a> and <a href= 332 * "../../../technotes/guides/plugin/developer_guide/rsa_how.html#use"> 333 * usePolicy Permission</a>.</td> 334 * </tr> 335 * <tr> 336 * <td>manageProcess</td> 337 * <td>Native process termination and information about processes 338 * {@link ProcessHandle}.</td> 339 * <td>Allows code to identify and terminate processes that it did not create.</td> 340 * </tr> 341 * 342 * <tr> 343 * <td>localeServiceProvider</td> 344 * <td>This {@code RuntimePermission} is required to be granted to 345 * classes which subclass and implement 346 * {@code java.util.spi.LocaleServiceProvider}. The permission is 347 * checked during invocation of the abstract base class constructor. 348 * This permission ensures trust in classes which implement this 349 * security-sensitive provider mechanism. </td> 350 * <td>See <a href= "../util/spi/LocaleServiceProvider.html"> 351 * {@code java.util.spi.LocaleServiceProvider}</a> for more 352 * information.</td> 353 * </tr> 354 * </table> 355 * 356 * @see java.security.BasicPermission 357 * @see java.security.Permission 358 * @see java.security.Permissions 359 * @see java.security.PermissionCollection 360 * @see java.lang.SecurityManager 361 * 362 * 363 * @author Marianne Mueller 364 * @author Roland Schemers 365 */ 366 367public final class RuntimePermission extends BasicPermission { 368 369 private static final long serialVersionUID = 7399184964622342223L; 370 371 /** 372 * Creates a new RuntimePermission with the specified name. 373 * The name is the symbolic name of the RuntimePermission, such as 374 * "exit", "setFactory", etc. An asterisk 375 * may appear at the end of the name, following a ".", or by itself, to 376 * signify a wildcard match. 377 * 378 * @param name the name of the RuntimePermission. 379 * 380 * @throws NullPointerException if <code>name</code> is <code>null</code>. 381 * @throws IllegalArgumentException if <code>name</code> is empty. 382 */ 383 384 public RuntimePermission(String name) 385 { 386 super(name); 387 } 388 389 /** 390 * Creates a new RuntimePermission object with the specified name. 391 * The name is the symbolic name of the RuntimePermission, and the 392 * actions String is currently unused and should be null. 393 * 394 * @param name the name of the RuntimePermission. 395 * @param actions should be null. 396 * 397 * @throws NullPointerException if <code>name</code> is <code>null</code>. 398 * @throws IllegalArgumentException if <code>name</code> is empty. 399 */ 400 401 public RuntimePermission(String name, String actions) 402 { 403 super(name, actions); 404 } 405} 406