1 /* 2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.lang; 27 28 import java.security.*; 29 import java.lang.module.ModuleFinder; 30 31 /** 32 * This class is for runtime permissions. A {@code RuntimePermission} 33 * contains a name (also referred to as a "target name") but no actions 34 * list; you either have the named permission or you don't. 35 * <p> 36 * The target name is the name of the runtime permission (see below). The 37 * naming convention follows the hierarchical property naming convention. 38 * Also, an asterisk may appear at the end of the name, following a ".", 39 * or by itself, to signify a wildcard match. For example: "loadLibrary.*" 40 * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not. 41 * <p> 42 * The following table lists the standard {@code RuntimePermission} 43 * target names, and for each provides a description of what the permission 44 * allows and a discussion of the risks of granting code the permission. 45 * 46 * <table border=1 cellpadding=5 summary="permission target name, 47 * what the target allows,and associated risks"> 48 * <tr> 49 * <th>Permission Target Name</th> 50 * <th>What the Permission Allows</th> 51 * <th>Risks of Allowing this Permission</th> 52 * </tr> 53 * 54 * <tr> 55 * <td>createClassLoader</td> 56 * <td>Creation of a class loader</td> 57 * <td>This is an extremely dangerous permission to grant. 58 * Malicious applications that can instantiate their own class 59 * loaders could then load their own rogue classes into the system. 60 * These newly loaded classes could be placed into any protection 61 * domain by the class loader, thereby automatically granting the 62 * classes the permissions for that domain.</td> 63 * </tr> 64 * 65 * <tr> 66 * <td>getClassLoader</td> 67 * <td>Retrieval of a class loader (e.g., the class loader for the calling 68 * class)</td> 69 * <td>This would grant an attacker permission to get the 70 * class loader for a particular class. This is dangerous because 71 * having access to a class's class loader allows the attacker to 72 * load other classes available to that class loader. The attacker 73 * would typically otherwise not have access to those classes.</td> 74 * </tr> 75 * 76 * <tr> 77 * <td>setContextClassLoader</td> 78 * <td>Setting of the context class loader used by a thread</td> 79 * <td>The context class loader is used by system code and extensions 80 * when they need to lookup resources that might not exist in the system 81 * class loader. Granting setContextClassLoader permission would allow 82 * code to change which context class loader is used 83 * for a particular thread, including system threads.</td> 84 * </tr> 85 * 86 * <tr> 87 * <td>enableContextClassLoaderOverride</td> 88 * <td>Subclass implementation of the thread context class loader methods</td> 89 * <td>The context class loader is used by system code and extensions 90 * when they need to lookup resources that might not exist in the system 91 * class loader. Granting enableContextClassLoaderOverride permission would allow 92 * a subclass of Thread to override the methods that are used 93 * to get or set the context class loader for a particular thread.</td> 94 * </tr> 95 * 96 * <tr> 97 * <td>closeClassLoader</td> 98 * <td>Closing of a ClassLoader</td> 99 * <td>Granting this permission allows code to close any URLClassLoader 100 * that it has a reference to.</td> 101 * </tr> 102 * 103 * <tr> 104 * <td>setSecurityManager</td> 105 * <td>Setting of the security manager (possibly replacing an existing one) 106 * </td> 107 * <td>The security manager is a class that allows 108 * applications to implement a security policy. Granting the setSecurityManager 109 * permission would allow code to change which security manager is used by 110 * installing a different, possibly less restrictive security manager, 111 * thereby bypassing checks that would have been enforced by the original 112 * security manager.</td> 113 * </tr> 114 * 115 * <tr> 116 * <td>createSecurityManager</td> 117 * <td>Creation of a new security manager</td> 118 * <td>This gives code access to protected, sensitive methods that may 119 * disclose information about other classes or the execution stack.</td> 120 * </tr> 121 * 122 * <tr> 123 * <td>getenv.{variable name}</td> 124 * <td>Reading of the value of the specified environment variable</td> 125 * <td>This would allow code to read the value, or determine the 126 * existence, of a particular environment variable. This is 127 * dangerous if the variable contains confidential data.</td> 128 * </tr> 129 * 130 * <tr> 131 * <td>exitVM.{exit status}</td> 132 * <td>Halting of the Java Virtual Machine with the specified exit status</td> 133 * <td>This allows an attacker to mount a denial-of-service attack 134 * by automatically forcing the virtual machine to halt. 135 * Note: The "exitVM.*" permission is automatically granted to all code 136 * loaded from the application class path, thus enabling applications 137 * to terminate themselves. Also, the "exitVM" permission is equivalent to 138 * "exitVM.*".</td> 139 * </tr> 140 * 141 * <tr> 142 * <td>shutdownHooks</td> 143 * <td>Registration and cancellation of virtual-machine shutdown hooks</td> 144 * <td>This allows an attacker to register a malicious shutdown 145 * hook that interferes with the clean shutdown of the virtual machine.</td> 146 * </tr> 147 * 148 * <tr> 149 * <td>setFactory</td> 150 * <td>Setting of the socket factory used by ServerSocket or Socket, 151 * or of the stream handler factory used by URL</td> 152 * <td>This allows code to set the actual implementation 153 * for the socket, server socket, stream handler, or RMI socket factory. 154 * An attacker may set a faulty implementation which mangles the data 155 * stream.</td> 156 * </tr> 157 * 158 * <tr> 159 * <td>setIO</td> 160 * <td>Setting of System.out, System.in, and System.err</td> 161 * <td>This allows changing the value of the standard system streams. 162 * An attacker may change System.in to monitor and 163 * steal user input, or may set System.err to a "null" OutputStream, 164 * which would hide any error messages sent to System.err. </td> 165 * </tr> 166 * 167 * <tr> 168 * <td>modifyThread</td> 169 * <td>Modification of threads, e.g., via calls to Thread 170 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority, 171 * setName} and {@code setUncaughtExceptionHandler} 172 * methods</td> 173 * <td>This allows an attacker to modify the behaviour of 174 * any thread in the system.</td> 175 * </tr> 176 * 177 * <tr> 178 * <td>stopThread</td> 179 * <td>Stopping of threads via calls to the Thread <code>stop</code> 180 * method</td> 181 * <td>This allows code to stop any thread in the system provided that it is 182 * already granted permission to access that thread. 183 * This poses as a threat, because that code may corrupt the system by 184 * killing existing threads.</td> 185 * </tr> 186 * 187 * <tr> 188 * <td>modifyThreadGroup</td> 189 * <td>modification of thread groups, e.g., via calls to ThreadGroup 190 * <code>destroy</code>, <code>getParent</code>, <code>resume</code>, 191 * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>, 192 * and <code>suspend</code> methods</td> 193 * <td>This allows an attacker to create thread groups and 194 * set their run priority.</td> 195 * </tr> 196 * 197 * <tr> 198 * <td>getProtectionDomain</td> 199 * <td>Retrieval of the ProtectionDomain for a class</td> 200 * <td>This allows code to obtain policy information 201 * for a particular code source. While obtaining policy information 202 * does not compromise the security of the system, it does give 203 * attackers additional information, such as local file names for 204 * example, to better aim an attack.</td> 205 * </tr> 206 * 207 * <tr> 208 * <td>getFileSystemAttributes</td> 209 * <td>Retrieval of file system attributes</td> 210 * <td>This allows code to obtain file system information such as disk usage 211 * or disk space available to the caller. This is potentially dangerous 212 * because it discloses information about the system hardware 213 * configuration and some information about the caller's privilege to 214 * write files.</td> 215 * </tr> 216 * 217 * <tr> 218 * <td>readFileDescriptor</td> 219 * <td>Reading of file descriptors</td> 220 * <td>This would allow code to read the particular file associated 221 * with the file descriptor read. This is dangerous if the file 222 * contains confidential data.</td> 223 * </tr> 224 * 225 * <tr> 226 * <td>writeFileDescriptor</td> 227 * <td>Writing to file descriptors</td> 228 * <td>This allows code to write to a particular file associated 229 * with the descriptor. This is dangerous because it may allow 230 * malicious code to plant viruses or at the very least, fill up 231 * your entire disk.</td> 232 * </tr> 233 * 234 * <tr> 235 * <td>loadLibrary.{library name}</td> 236 * <td>Dynamic linking of the specified library</td> 237 * <td>It is dangerous to allow an applet permission to load native code 238 * libraries, because the Java security architecture is not designed to and 239 * does not prevent malicious behavior at the level of native code.</td> 240 * </tr> 241 * 242 * <tr> 243 * <td>accessClassInPackage.{package name}</td> 244 * <td>Access to the specified package via a class loader's 245 * <code>loadClass</code> method when that class loader calls 246 * the SecurityManager <code>checkPackageAccess</code> method</td> 247 * <td>This gives code access to classes in packages 248 * to which it normally does not have access. Malicious code 249 * may use these classes to help in its attempt to compromise 250 * security in the system.</td> 251 * </tr> 252 * 253 * <tr> 254 * <td>defineClassInPackage.{package name}</td> 255 * <td>Definition of classes in the specified package, via a class 256 * loader's <code>defineClass</code> method when that class loader calls 257 * the SecurityManager <code>checkPackageDefinition</code> method.</td> 258 * <td>This grants code permission to define a class 259 * in a particular package. This is dangerous because malicious 260 * code with this permission may define rogue classes in 261 * trusted packages like <code>java.security</code> or <code>java.lang</code>, 262 * for example.</td> 263 * </tr> 264 * 265 * <tr> 266 * <td>defineClass</td> 267 * <td>Define a class with 268 * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[]) 269 * Lookup.defineClass}.</td> 270 * <td>This grants code with a suitably privileged {@code Lookup} object 271 * permission to define classes in the same package as the {@code Lookup}'s 272 * lookup class. </td> 273 * </tr> 274 * 275 * <tr> 276 * <td>accessDeclaredMembers</td> 277 * <td>Access to the declared members of a class</td> 278 * <td>This grants code permission to query a class for its public, 279 * protected, default (package) access, and private fields and/or 280 * methods. Although the code would have 281 * access to the private and protected field and method names, it would not 282 * have access to the private/protected field data and would not be able 283 * to invoke any private methods. Nevertheless, malicious code 284 * may use this information to better aim an attack. 285 * Additionally, it may invoke any public methods and/or access public fields 286 * in the class. This could be dangerous if 287 * the code would normally not be able to invoke those methods and/or 288 * access the fields because 289 * it can't cast the object to the class/interface with those methods 290 * and fields. 291 </td> 292 * </tr> 293 * <tr> 294 * <td>queuePrintJob</td> 295 * <td>Initiation of a print job request</td> 296 * <td>This could print sensitive information to a printer, 297 * or simply waste paper.</td> 298 * </tr> 299 * 300 * <tr> 301 * <td>getStackTrace</td> 302 * <td>Retrieval of the stack trace information of another thread.</td> 303 * <td>This allows retrieval of the stack trace information of 304 * another thread. This might allow malicious code to monitor the 305 * execution of threads and discover vulnerabilities in applications.</td> 306 * </tr> 307 * 308 * <tr> 309 * <td>getStackWalkerWithClassReference</td> 310 * <td>Get a stack walker that can retrieve stack frames with class reference.</td> 311 * <td>This allows retrieval of Class objects from stack walking. 312 * This might allow malicious code to access Class objects on the stack 313 * outside its own context.</td> 314 * </tr> 315 * 316 * <tr> 317 * <td>setDefaultUncaughtExceptionHandler</td> 318 * <td>Setting the default handler to be used when a thread 319 * terminates abruptly due to an uncaught exception</td> 320 * <td>This allows an attacker to register a malicious 321 * uncaught exception handler that could interfere with termination 322 * of a thread</td> 323 * </tr> 324 * 325 * <tr> 326 * <td>preferences</td> 327 * <td>Represents the permission required to get access to the 328 * java.util.prefs.Preferences implementations user or system root 329 * which in turn allows retrieval or update operations within the 330 * Preferences persistent backing store.) </td> 331 * <td>This permission allows the user to read from or write to the 332 * preferences backing store if the user running the code has 333 * sufficient OS privileges to read/write to that backing store. 334 * The actual backing store may reside within a traditional filesystem 335 * directory or within a registry depending on the platform OS</td> 336 * </tr> 337 * 338 * <tr> 339 * <td>usePolicy</td> 340 * <td>Granting this permission disables the Java Plug-In's default 341 * security prompting behavior.</td> 342 * <td>For more information, refer to the <a href= 343 * "../../../technotes/guides/deploy/index.html">deployment guide</a>. 344 * </td> 345 * </tr> 346 * <tr> 347 * <td>manageProcess</td> 348 * <td>Native process termination and information about processes 349 * {@link ProcessHandle}.</td> 350 * <td>Allows code to identify and terminate processes that it did not create.</td> 351 * </tr> 352 * 353 * <tr> 354 * <td>localeServiceProvider</td> 355 * <td>This {@code RuntimePermission} is required to be granted to 356 * classes which subclass and implement 357 * {@code java.util.spi.LocaleServiceProvider}. The permission is 358 * checked during invocation of the abstract base class constructor. 359 * This permission ensures trust in classes which implement this 360 * security-sensitive provider mechanism. </td> 361 * <td>See <a href= "../util/spi/LocaleServiceProvider.html"> 362 * {@code java.util.spi.LocaleServiceProvider}</a> for more 363 * information.</td> 364 * </tr> 365 * 366 * <tr> 367 * <td>loggerFinder</td> 368 * <td>This {@code RuntimePermission} is required to be granted to 369 * classes which subclass or call methods on 370 * {@code java.lang.System.LoggerFinder}. The permission is 371 * checked during invocation of the abstract base class constructor, as 372 * well as on the invocation of its public methods. 373 * This permission ensures trust in classes which provide loggers 374 * to system classes.</td> 375 * <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder} 376 * for more information.</td> 377 * </tr> 378 * 379 * <tr> 380 * <td>accessSystemModules</td> 381 * <td>Access system modules in the runtime image.</td> 382 * <td>This grants the permission to access resources in the 383 * {@linkplain ModuleFinder#ofSystem system modules} in the runtime image.</td> 384 * </tr> 385 * 386 * </table> 387 * 388 * @implNote 389 * Implementations may define additional target names, but should use naming 390 * conventions such as reverse domain name notation to avoid name clashes. 391 * 392 * @see java.security.BasicPermission 393 * @see java.security.Permission 394 * @see java.security.Permissions 395 * @see java.security.PermissionCollection 396 * @see java.lang.SecurityManager 397 * 398 * 399 * @author Marianne Mueller 400 * @author Roland Schemers 401 */ 402 403 public final class RuntimePermission extends BasicPermission { 404 405 private static final long serialVersionUID = 7399184964622342223L; 406 407 /** 408 * Creates a new RuntimePermission with the specified name. 409 * The name is the symbolic name of the RuntimePermission, such as 410 * "exit", "setFactory", etc. An asterisk 411 * may appear at the end of the name, following a ".", or by itself, to 412 * signify a wildcard match. 413 * 414 * @param name the name of the RuntimePermission. 415 * 416 * @throws NullPointerException if <code>name</code> is <code>null</code>. 417 * @throws IllegalArgumentException if <code>name</code> is empty. 418 */ 419 420 public RuntimePermission(String name) 421 { 422 super(name); 423 } 424 425 /** 426 * Creates a new RuntimePermission object with the specified name. 427 * The name is the symbolic name of the RuntimePermission, and the 428 * actions String is currently unused and should be null. 429 * 430 * @param name the name of the RuntimePermission. 431 * @param actions should be null. 432 * 433 * @throws NullPointerException if <code>name</code> is <code>null</code>. 434 * @throws IllegalArgumentException if <code>name</code> is empty. 435 */ 436 437 public RuntimePermission(String name, String actions) 438 { 439 super(name, actions); 440 } 441 }