1 /*
2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang;
27
28 import java.security.*;
29 import java.lang.module.ModuleFinder;
30
31 /**
32 * This class is for runtime permissions. A {@code RuntimePermission}
33 * contains a name (also referred to as a "target name") but no actions
34 * list; you either have the named permission or you don't.
35 * <p>
36 * The target name is the name of the runtime permission (see below). The
37 * naming convention follows the hierarchical property naming convention.
38 * Also, an asterisk may appear at the end of the name, following a ".",
39 * or by itself, to signify a wildcard match. For example: "loadLibrary.*"
40 * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not.
41 * <p>
42 * The following table lists the standard {@code RuntimePermission}
43 * target names, and for each provides a description of what the permission
44 * allows and a discussion of the risks of granting code the permission.
45 *
46 * <table border=1 cellpadding=5 summary="permission target name,
47 * what the target allows,and associated risks">
48 * <tr>
49 * <th>Permission Target Name</th>
50 * <th>What the Permission Allows</th>
51 * <th>Risks of Allowing this Permission</th>
52 * </tr>
53 *
54 * <tr>
55 * <td>createClassLoader</td>
56 * <td>Creation of a class loader</td>
57 * <td>This is an extremely dangerous permission to grant.
58 * Malicious applications that can instantiate their own class
59 * loaders could then load their own rogue classes into the system.
60 * These newly loaded classes could be placed into any protection
61 * domain by the class loader, thereby automatically granting the
62 * classes the permissions for that domain.</td>
63 * </tr>
64 *
65 * <tr>
66 * <td>getClassLoader</td>
67 * <td>Retrieval of a class loader (e.g., the class loader for the calling
68 * class)</td>
69 * <td>This would grant an attacker permission to get the
70 * class loader for a particular class. This is dangerous because
71 * having access to a class's class loader allows the attacker to
72 * load other classes available to that class loader. The attacker
73 * would typically otherwise not have access to those classes.</td>
74 * </tr>
75 *
76 * <tr>
77 * <td>setContextClassLoader</td>
78 * <td>Setting of the context class loader used by a thread</td>
79 * <td>The context class loader is used by system code and extensions
80 * when they need to lookup resources that might not exist in the system
81 * class loader. Granting setContextClassLoader permission would allow
82 * code to change which context class loader is used
83 * for a particular thread, including system threads.</td>
84 * </tr>
85 *
86 * <tr>
87 * <td>enableContextClassLoaderOverride</td>
88 * <td>Subclass implementation of the thread context class loader methods</td>
89 * <td>The context class loader is used by system code and extensions
90 * when they need to lookup resources that might not exist in the system
91 * class loader. Granting enableContextClassLoaderOverride permission would allow
92 * a subclass of Thread to override the methods that are used
93 * to get or set the context class loader for a particular thread.</td>
94 * </tr>
95 *
96 * <tr>
97 * <td>closeClassLoader</td>
98 * <td>Closing of a ClassLoader</td>
99 * <td>Granting this permission allows code to close any URLClassLoader
100 * that it has a reference to.</td>
101 * </tr>
102 *
103 * <tr>
104 * <td>setSecurityManager</td>
105 * <td>Setting of the security manager (possibly replacing an existing one)
106 * </td>
107 * <td>The security manager is a class that allows
108 * applications to implement a security policy. Granting the setSecurityManager
109 * permission would allow code to change which security manager is used by
110 * installing a different, possibly less restrictive security manager,
111 * thereby bypassing checks that would have been enforced by the original
112 * security manager.</td>
113 * </tr>
114 *
115 * <tr>
116 * <td>createSecurityManager</td>
117 * <td>Creation of a new security manager</td>
118 * <td>This gives code access to protected, sensitive methods that may
119 * disclose information about other classes or the execution stack.</td>
120 * </tr>
121 *
122 * <tr>
123 * <td>getenv.{variable name}</td>
124 * <td>Reading of the value of the specified environment variable</td>
125 * <td>This would allow code to read the value, or determine the
126 * existence, of a particular environment variable. This is
127 * dangerous if the variable contains confidential data.</td>
128 * </tr>
129 *
130 * <tr>
131 * <td>exitVM.{exit status}</td>
132 * <td>Halting of the Java Virtual Machine with the specified exit status</td>
133 * <td>This allows an attacker to mount a denial-of-service attack
134 * by automatically forcing the virtual machine to halt.
135 * Note: The "exitVM.*" permission is automatically granted to all code
136 * loaded from the application class path, thus enabling applications
137 * to terminate themselves. Also, the "exitVM" permission is equivalent to
138 * "exitVM.*".</td>
139 * </tr>
140 *
141 * <tr>
142 * <td>shutdownHooks</td>
143 * <td>Registration and cancellation of virtual-machine shutdown hooks</td>
144 * <td>This allows an attacker to register a malicious shutdown
145 * hook that interferes with the clean shutdown of the virtual machine.</td>
146 * </tr>
147 *
148 * <tr>
149 * <td>setFactory</td>
150 * <td>Setting of the socket factory used by ServerSocket or Socket,
151 * or of the stream handler factory used by URL</td>
152 * <td>This allows code to set the actual implementation
153 * for the socket, server socket, stream handler, or RMI socket factory.
154 * An attacker may set a faulty implementation which mangles the data
155 * stream.</td>
156 * </tr>
157 *
158 * <tr>
159 * <td>setIO</td>
160 * <td>Setting of System.out, System.in, and System.err</td>
161 * <td>This allows changing the value of the standard system streams.
162 * An attacker may change System.in to monitor and
163 * steal user input, or may set System.err to a "null" OutputStream,
164 * which would hide any error messages sent to System.err. </td>
165 * </tr>
166 *
167 * <tr>
168 * <td>modifyThread</td>
169 * <td>Modification of threads, e.g., via calls to Thread
170 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority,
171 * setName} and {@code setUncaughtExceptionHandler}
172 * methods</td>
173 * <td>This allows an attacker to modify the behaviour of
174 * any thread in the system.</td>
175 * </tr>
176 *
177 * <tr>
178 * <td>stopThread</td>
179 * <td>Stopping of threads via calls to the Thread <code>stop</code>
180 * method</td>
181 * <td>This allows code to stop any thread in the system provided that it is
182 * already granted permission to access that thread.
183 * This poses as a threat, because that code may corrupt the system by
184 * killing existing threads.</td>
185 * </tr>
186 *
187 * <tr>
188 * <td>modifyThreadGroup</td>
189 * <td>modification of thread groups, e.g., via calls to ThreadGroup
190 * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
191 * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
192 * and <code>suspend</code> methods</td>
193 * <td>This allows an attacker to create thread groups and
194 * set their run priority.</td>
195 * </tr>
196 *
197 * <tr>
198 * <td>getProtectionDomain</td>
199 * <td>Retrieval of the ProtectionDomain for a class</td>
200 * <td>This allows code to obtain policy information
201 * for a particular code source. While obtaining policy information
202 * does not compromise the security of the system, it does give
203 * attackers additional information, such as local file names for
204 * example, to better aim an attack.</td>
205 * </tr>
206 *
207 * <tr>
208 * <td>getFileSystemAttributes</td>
209 * <td>Retrieval of file system attributes</td>
210 * <td>This allows code to obtain file system information such as disk usage
211 * or disk space available to the caller. This is potentially dangerous
212 * because it discloses information about the system hardware
213 * configuration and some information about the caller's privilege to
214 * write files.</td>
215 * </tr>
216 *
217 * <tr>
218 * <td>readFileDescriptor</td>
219 * <td>Reading of file descriptors</td>
220 * <td>This would allow code to read the particular file associated
221 * with the file descriptor read. This is dangerous if the file
222 * contains confidential data.</td>
223 * </tr>
224 *
225 * <tr>
226 * <td>writeFileDescriptor</td>
227 * <td>Writing to file descriptors</td>
228 * <td>This allows code to write to a particular file associated
229 * with the descriptor. This is dangerous because it may allow
230 * malicious code to plant viruses or at the very least, fill up
231 * your entire disk.</td>
232 * </tr>
233 *
234 * <tr>
235 * <td>loadLibrary.{library name}</td>
236 * <td>Dynamic linking of the specified library</td>
237 * <td>It is dangerous to allow an applet permission to load native code
238 * libraries, because the Java security architecture is not designed to and
239 * does not prevent malicious behavior at the level of native code.</td>
240 * </tr>
241 *
242 * <tr>
243 * <td>accessClassInPackage.{package name}</td>
244 * <td>Access to the specified package via a class loader's
245 * <code>loadClass</code> method when that class loader calls
246 * the SecurityManager <code>checkPackageAccess</code> method</td>
247 * <td>This gives code access to classes in packages
248 * to which it normally does not have access. Malicious code
249 * may use these classes to help in its attempt to compromise
250 * security in the system.</td>
251 * </tr>
252 *
253 * <tr>
254 * <td>defineClassInPackage.{package name}</td>
255 * <td>Definition of classes in the specified package, via a class
256 * loader's <code>defineClass</code> method when that class loader calls
257 * the SecurityManager <code>checkPackageDefinition</code> method.</td>
258 * <td>This grants code permission to define a class
259 * in a particular package. This is dangerous because malicious
260 * code with this permission may define rogue classes in
261 * trusted packages like <code>java.security</code> or <code>java.lang</code>,
262 * for example.</td>
263 * </tr>
264 *
265 * <tr>
266 * <td>defineClass</td>
267 * <td>Define a class with
268 * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[])
269 * Lookup.defineClass}.</td>
270 * <td>This grants code with a suitably privileged {@code Lookup} object
271 * permission to define classes in the same package as the {@code Lookup}'s
272 * lookup class. </td>
273 * </tr>
274 *
275 * <tr>
276 * <td>accessDeclaredMembers</td>
277 * <td>Access to the declared members of a class</td>
278 * <td>This grants code permission to query a class for its public,
279 * protected, default (package) access, and private fields and/or
280 * methods. Although the code would have
281 * access to the private and protected field and method names, it would not
282 * have access to the private/protected field data and would not be able
283 * to invoke any private methods. Nevertheless, malicious code
284 * may use this information to better aim an attack.
285 * Additionally, it may invoke any public methods and/or access public fields
286 * in the class. This could be dangerous if
287 * the code would normally not be able to invoke those methods and/or
288 * access the fields because
289 * it can't cast the object to the class/interface with those methods
290 * and fields.
291 </td>
292 * </tr>
293 * <tr>
294 * <td>queuePrintJob</td>
295 * <td>Initiation of a print job request</td>
296 * <td>This could print sensitive information to a printer,
297 * or simply waste paper.</td>
298 * </tr>
299 *
300 * <tr>
301 * <td>getStackTrace</td>
302 * <td>Retrieval of the stack trace information of another thread.</td>
303 * <td>This allows retrieval of the stack trace information of
304 * another thread. This might allow malicious code to monitor the
305 * execution of threads and discover vulnerabilities in applications.</td>
306 * </tr>
307 *
308 * <tr>
309 * <td>getStackWalkerWithClassReference</td>
310 * <td>Get a stack walker that can retrieve stack frames with class reference.</td>
311 * <td>This allows retrieval of Class objects from stack walking.
312 * This might allow malicious code to access Class objects on the stack
313 * outside its own context.</td>
314 * </tr>
315 *
316 * <tr>
317 * <td>setDefaultUncaughtExceptionHandler</td>
318 * <td>Setting the default handler to be used when a thread
319 * terminates abruptly due to an uncaught exception</td>
320 * <td>This allows an attacker to register a malicious
321 * uncaught exception handler that could interfere with termination
322 * of a thread</td>
323 * </tr>
324 *
325 * <tr>
326 * <td>preferences</td>
327 * <td>Represents the permission required to get access to the
328 * java.util.prefs.Preferences implementations user or system root
329 * which in turn allows retrieval or update operations within the
330 * Preferences persistent backing store.) </td>
331 * <td>This permission allows the user to read from or write to the
332 * preferences backing store if the user running the code has
333 * sufficient OS privileges to read/write to that backing store.
334 * The actual backing store may reside within a traditional filesystem
335 * directory or within a registry depending on the platform OS</td>
336 * </tr>
337 *
338 * <tr>
339 * <td>usePolicy</td>
340 * <td>Granting this permission disables the Java Plug-In's default
341 * security prompting behavior.</td>
342 * <td>For more information, refer to the <a href=
343 * "../../../technotes/guides/deploy/index.html">deployment guide</a>.
344 * </td>
345 * </tr>
346 * <tr>
347 * <td>manageProcess</td>
348 * <td>Native process termination and information about processes
349 * {@link ProcessHandle}.</td>
350 * <td>Allows code to identify and terminate processes that it did not create.</td>
351 * </tr>
352 *
353 * <tr>
354 * <td>localeServiceProvider</td>
355 * <td>This {@code RuntimePermission} is required to be granted to
356 * classes which subclass and implement
357 * {@code java.util.spi.LocaleServiceProvider}. The permission is
358 * checked during invocation of the abstract base class constructor.
359 * This permission ensures trust in classes which implement this
360 * security-sensitive provider mechanism. </td>
361 * <td>See <a href= "../util/spi/LocaleServiceProvider.html">
362 * {@code java.util.spi.LocaleServiceProvider}</a> for more
363 * information.</td>
364 * </tr>
365 *
366 * <tr>
367 * <td>loggerFinder</td>
368 * <td>This {@code RuntimePermission} is required to be granted to
369 * classes which subclass or call methods on
370 * {@code java.lang.System.LoggerFinder}. The permission is
371 * checked during invocation of the abstract base class constructor, as
372 * well as on the invocation of its public methods.
373 * This permission ensures trust in classes which provide loggers
374 * to system classes.</td>
375 * <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder}
376 * for more information.</td>
377 * </tr>
378 *
379 * <tr>
380 * <td>accessSystemModules</td>
381 * <td>Access system modules in the runtime image.</td>
382 * <td>This grants the permission to access resources in the
383 * {@linkplain ModuleFinder#ofSystem system modules} in the runtime image.</td>
384 * </tr>
385 *
386 * </table>
387 *
388 * @implNote
389 * Implementations may define additional target names, but should use naming
390 * conventions such as reverse domain name notation to avoid name clashes.
391 *
392 * @see java.security.BasicPermission
393 * @see java.security.Permission
394 * @see java.security.Permissions
395 * @see java.security.PermissionCollection
396 * @see java.lang.SecurityManager
397 *
398 *
399 * @author Marianne Mueller
400 * @author Roland Schemers
401 */
402
403 public final class RuntimePermission extends BasicPermission {
404
405 private static final long serialVersionUID = 7399184964622342223L;
406
407 /**
408 * Creates a new RuntimePermission with the specified name.
409 * The name is the symbolic name of the RuntimePermission, such as
410 * "exit", "setFactory", etc. An asterisk
411 * may appear at the end of the name, following a ".", or by itself, to
412 * signify a wildcard match.
413 *
414 * @param name the name of the RuntimePermission.
415 *
416 * @throws NullPointerException if <code>name</code> is <code>null</code>.
417 * @throws IllegalArgumentException if <code>name</code> is empty.
418 */
419
420 public RuntimePermission(String name)
421 {
422 super(name);
423 }
424
425 /**
426 * Creates a new RuntimePermission object with the specified name.
427 * The name is the symbolic name of the RuntimePermission, and the
428 * actions String is currently unused and should be null.
429 *
430 * @param name the name of the RuntimePermission.
431 * @param actions should be null.
432 *
433 * @throws NullPointerException if <code>name</code> is <code>null</code>.
434 * @throws IllegalArgumentException if <code>name</code> is empty.
435 */
436
437 public RuntimePermission(String name, String actions)
438 {
439 super(name, actions);
440 }
441 }