1 /* 2 * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.lang; 27 28 import java.lang.module.ModuleDescriptor; 29 import java.lang.module.ModuleDescriptor.Exports; 30 import java.lang.module.ModuleDescriptor.Opens; 31 import java.lang.reflect.Member; 32 import java.io.FileDescriptor; 33 import java.io.File; 34 import java.io.FilePermission; 35 import java.net.InetAddress; 36 import java.net.SocketPermission; 37 import java.security.AccessControlContext; 38 import java.security.AccessController; 39 import java.security.Permission; 40 import java.security.PrivilegedAction; 41 import java.security.Security; 42 import java.security.SecurityPermission; 43 import java.util.HashSet; 44 import java.util.Map; 45 import java.util.Objects; 46 import java.util.PropertyPermission; 47 import java.util.Set; 48 import java.util.concurrent.ConcurrentHashMap; 49 50 import jdk.internal.module.ModuleLoaderMap; 51 import jdk.internal.reflect.CallerSensitive; 52 import sun.security.util.SecurityConstants; 53 54 /** 55 * The security manager is a class that allows 56 * applications to implement a security policy. It allows an 57 * application to determine, before performing a possibly unsafe or 58 * sensitive operation, what the operation is and whether 59 * it is being attempted in a security context that allows the 60 * operation to be performed. The 61 * application can allow or disallow the operation. 62 * <p> 63 * The <code>SecurityManager</code> class contains many methods with 64 * names that begin with the word <code>check</code>. These methods 65 * are called by various methods in the Java libraries before those 66 * methods perform certain potentially sensitive operations. The 67 * invocation of such a <code>check</code> method typically looks like this: 68 * <blockquote><pre> 69 * SecurityManager security = System.getSecurityManager(); 70 * if (security != null) { 71 * security.check<i>XXX</i>(argument, . . . ); 72 * } 73 * </pre></blockquote> 74 * <p> 75 * The security manager is thereby given an opportunity to prevent 76 * completion of the operation by throwing an exception. A security 77 * manager routine simply returns if the operation is permitted, but 78 * throws a <code>SecurityException</code> if the operation is not 79 * permitted. 80 * <p> 81 * Environments using a security manager will typically set the security 82 * manager at startup. In the JDK implementation, this is done by setting 83 * the system property {@code java.security.manager} on the command line to 84 * the class name of the security manager. It can also be set to the empty 85 * String ("") or the special token "{@code default}" to use the 86 * default {@code java.lang.SecurityManager}. If a class name is specified, 87 * it must be {@code java.lang.SecurityManager} or a public subclass and have 88 * a public no-arg constructor. The class is loaded by the 89 * {@linkplain ClassLoader#getSystemClassLoader() built-in system class loader} 90 * if it is not {@code java.lang.SecurityManager}. If the 91 * {@code java.security.manager} system property is not set, the default value 92 * is {@code null}, which means a security manager will not be set at startup. 93 * <p> 94 * The Java run-time may also allow, but is not required to allow, the security 95 * manager to be set dynamically by invoking the 96 * {@link System#setSecurityManager(SecurityManager) setSecurityManager} method. 97 * In the JDK implementation, if the Java virtual machine is started with 98 * the {@code java.security.manager} system property set to the special token 99 * "{@code disallow}" then a security manager will not be set at startup and 100 * cannot be set dynamically (the 101 * {@link System#setSecurityManager(SecurityManager) setSecurityManager} 102 * method will throw an {@code UnsupportedOperationException}). If the 103 * {@code java.security.manager} system property is not set or is set to the 104 * special token "{@code allow}", then a security manager will not be set at 105 * startup but can be set dynamically. Finally, if the 106 * {@code java.security.manager} system property is set to the class name of 107 * the security manager, or to the empty String ("") or the special token 108 * "{@code default}", then a security manager is set at startup (as described 109 * previously) and can also be subsequently replaced (or disabled) dynamically 110 * (subject to the policy of the currently installed security manager). The 111 * following table illustrates the behavior of the JDK implementation for the 112 * different settings of the {@code java.security.manager} system property: 113 * <table class="striped"> 114 * <caption style="display:none">property value, 115 * the SecurityManager set at startup, 116 * can dynamically set a SecurityManager 117 * </caption> 118 * <thead> 119 * <tr> 120 * <th scope="col">Property Value</th> 121 * <th scope="col">The SecurityManager set at startup</th> 122 * <th scope="col">System.setSecurityManager run-time behavior</th> 123 * </tr> 124 * </thead> 125 * <tbody> 126 * 127 * <tr> 128 * <th scope="row">null</th> 129 * <td>None</td> 130 * <td>Success or throws {@code SecurityException} if not permitted by 131 * the currently installed security manager</td> 132 * </tr> 133 * 134 * <tr> 135 * <th scope="row">empty String ("")</th> 136 * <td>{@code java.lang.SecurityManager}</td> 137 * <td>Success or throws {@code SecurityException} if not permitted by 138 * the currently installed security manager</td> 139 * </tr> 140 * 141 * <tr> 142 * <th scope="row">"default"</th> 143 * <td>{@code java.lang.SecurityManager}</td> 144 * <td>Success or throws {@code SecurityException} if not permitted by 145 * the currently installed security manager</td> 146 * </tr> 147 * 148 * <tr> 149 * <th scope="row">"disallow"</th> 150 * <td>None</td> 151 * <td>Always throws {@code UnsupportedOperationException}</td> 152 * </tr> 153 * 154 * <tr> 155 * <th scope="row">"allow"</th> 156 * <td>None</td> 157 * <td>Success or throws {@code SecurityException} if not permitted by 158 * the currently installed security manager</td> 159 * </tr> 160 * 161 * <tr> 162 * <th scope="row">a class name</th> 163 * <td>the named class</td> 164 * <td>Success or throws {@code SecurityException} if not permitted by 165 * the currently installed security manager</td> 166 * </tr> 167 * 168 * </tbody> 169 * </table> 170 * <p> A future release of the JDK may change the default value of the 171 * {@code java.security.manager} system property to "{@code disallow}". 172 * <p> 173 * The current security manager is returned by the 174 * {@link System#getSecurityManager() getSecurityManager} method. 175 * <p> 176 * The special method 177 * {@link SecurityManager#checkPermission(java.security.Permission)} 178 * determines whether an access request indicated by a specified 179 * permission should be granted or denied. The 180 * default implementation calls 181 * 182 * <pre> 183 * AccessController.checkPermission(perm); 184 * </pre> 185 * 186 * <p> 187 * If a requested access is allowed, 188 * <code>checkPermission</code> returns quietly. If denied, a 189 * <code>SecurityException</code> is thrown. 190 * <p> 191 * The default implementation of each of the other 192 * <code>check</code> methods in <code>SecurityManager</code> is to 193 * call the <code>SecurityManager checkPermission</code> method 194 * to determine if the calling thread has permission to perform the requested 195 * operation. 196 * <p> 197 * Note that the <code>checkPermission</code> method with 198 * just a single permission argument always performs security checks 199 * within the context of the currently executing thread. 200 * Sometimes a security check that should be made within a given context 201 * will actually need to be done from within a 202 * <i>different</i> context (for example, from within a worker thread). 203 * The {@link SecurityManager#getSecurityContext getSecurityContext} method 204 * and the {@link SecurityManager#checkPermission(java.security.Permission, 205 * java.lang.Object) checkPermission} 206 * method that includes a context argument are provided 207 * for this situation. The 208 * <code>getSecurityContext</code> method returns a "snapshot" 209 * of the current calling context. (The default implementation 210 * returns an AccessControlContext object.) A sample call is 211 * the following: 212 * 213 * <pre> 214 * Object context = null; 215 * SecurityManager sm = System.getSecurityManager(); 216 * if (sm != null) context = sm.getSecurityContext(); 217 * </pre> 218 * 219 * <p> 220 * The <code>checkPermission</code> method 221 * that takes a context object in addition to a permission 222 * makes access decisions based on that context, 223 * rather than on that of the current execution thread. 224 * Code within a different context can thus call that method, 225 * passing the permission and the 226 * previously-saved context object. A sample call, using the 227 * SecurityManager <code>sm</code> obtained as in the previous example, 228 * is the following: 229 * 230 * <pre> 231 * if (sm != null) sm.checkPermission(permission, context); 232 * </pre> 233 * 234 * <p>Permissions fall into these categories: File, Socket, Net, 235 * Security, Runtime, Property, AWT, Reflect, and Serializable. 236 * The classes managing these various 237 * permission categories are <code>java.io.FilePermission</code>, 238 * <code>java.net.SocketPermission</code>, 239 * <code>java.net.NetPermission</code>, 240 * <code>java.security.SecurityPermission</code>, 241 * <code>java.lang.RuntimePermission</code>, 242 * <code>java.util.PropertyPermission</code>, 243 * <code>java.awt.AWTPermission</code>, 244 * <code>java.lang.reflect.ReflectPermission</code>, and 245 * <code>java.io.SerializablePermission</code>. 246 * 247 * <p>All but the first two (FilePermission and SocketPermission) are 248 * subclasses of <code>java.security.BasicPermission</code>, which itself 249 * is an abstract subclass of the 250 * top-level class for permissions, which is 251 * <code>java.security.Permission</code>. BasicPermission defines the 252 * functionality needed for all permissions that contain a name 253 * that follows the hierarchical property naming convention 254 * (for example, "exitVM", "setFactory", "queuePrintJob", etc). 255 * An asterisk 256 * may appear at the end of the name, following a ".", or by itself, to 257 * signify a wildcard match. For example: "a.*" or "*" is valid, 258 * "*a" or "a*b" is not valid. 259 * 260 * <p>FilePermission and SocketPermission are subclasses of the 261 * top-level class for permissions 262 * (<code>java.security.Permission</code>). Classes like these 263 * that have a more complicated name syntax than that used by 264 * BasicPermission subclass directly from Permission rather than from 265 * BasicPermission. For example, 266 * for a <code>java.io.FilePermission</code> object, the permission name is 267 * the path name of a file (or directory). 268 * 269 * <p>Some of the permission classes have an "actions" list that tells 270 * the actions that are permitted for the object. For example, 271 * for a <code>java.io.FilePermission</code> object, the actions list 272 * (such as "read, write") specifies which actions are granted for the 273 * specified file (or for files in the specified directory). 274 * 275 * <p>Other permission classes are for "named" permissions - 276 * ones that contain a name but no actions list; you either have the 277 * named permission or you don't. 278 * 279 * <p>Note: There is also a <code>java.security.AllPermission</code> 280 * permission that implies all permissions. It exists to simplify the work 281 * of system administrators who might need to perform multiple 282 * tasks that require all (or numerous) permissions. 283 * <p> 284 * See {@extLink security_guide_permissions 285 * Permissions in the Java Development Kit (JDK)} 286 * for permission-related information. 287 * This document includes a table listing the various SecurityManager 288 * <code>check</code> methods and the permission(s) the default 289 * implementation of each such method requires. 290 * It also contains a table of the methods 291 * that require permissions, and for each such method tells 292 * which permission it requires. 293 * 294 * @author Arthur van Hoff 295 * @author Roland Schemers 296 * 297 * @see java.lang.ClassLoader 298 * @see java.lang.SecurityException 299 * @see java.lang.System#getSecurityManager() getSecurityManager 300 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager) 301 * setSecurityManager 302 * @see java.security.AccessController AccessController 303 * @see java.security.AccessControlContext AccessControlContext 304 * @see java.security.AccessControlException AccessControlException 305 * @see java.security.Permission 306 * @see java.security.BasicPermission 307 * @see java.io.FilePermission 308 * @see java.net.SocketPermission 309 * @see java.util.PropertyPermission 310 * @see java.lang.RuntimePermission 311 * @see java.security.Policy Policy 312 * @see java.security.SecurityPermission SecurityPermission 313 * @see java.security.ProtectionDomain 314 * 315 * @since 1.0 316 */ 317 public class SecurityManager { 318 319 /* 320 * Have we been initialized. Effective against finalizer attacks. 321 */ 322 private boolean initialized = false; 323 324 /** 325 * Constructs a new <code>SecurityManager</code>. 326 * 327 * <p> If there is a security manager already installed, this method first 328 * calls the security manager's <code>checkPermission</code> method 329 * with the <code>RuntimePermission("createSecurityManager")</code> 330 * permission to ensure the calling thread has permission to create a new 331 * security manager. 332 * This may result in throwing a <code>SecurityException</code>. 333 * 334 * @exception java.lang.SecurityException if a security manager already 335 * exists and its <code>checkPermission</code> method 336 * doesn't allow creation of a new security manager. 337 * @see java.lang.System#getSecurityManager() 338 * @see #checkPermission(java.security.Permission) checkPermission 339 * @see java.lang.RuntimePermission 340 */ 341 public SecurityManager() { 342 synchronized(SecurityManager.class) { 343 SecurityManager sm = System.getSecurityManager(); 344 if (sm != null) { 345 // ask the currently installed security manager if we 346 // can create a new one. 347 sm.checkPermission(new RuntimePermission 348 ("createSecurityManager")); 349 } 350 initialized = true; 351 } 352 } 353 354 /** 355 * Returns the current execution stack as an array of classes. 356 * <p> 357 * The length of the array is the number of methods on the execution 358 * stack. The element at index <code>0</code> is the class of the 359 * currently executing method, the element at index <code>1</code> is 360 * the class of that method's caller, and so on. 361 * 362 * @return the execution stack. 363 */ 364 protected native Class<?>[] getClassContext(); 365 366 /** 367 * Creates an object that encapsulates the current execution 368 * environment. The result of this method is used, for example, by the 369 * three-argument <code>checkConnect</code> method and by the 370 * two-argument <code>checkRead</code> method. 371 * These methods are needed because a trusted method may be called 372 * on to read a file or open a socket on behalf of another method. 373 * The trusted method needs to determine if the other (possibly 374 * untrusted) method would be allowed to perform the operation on its 375 * own. 376 * <p> The default implementation of this method is to return 377 * an <code>AccessControlContext</code> object. 378 * 379 * @return an implementation-dependent object that encapsulates 380 * sufficient information about the current execution environment 381 * to perform some security checks later. 382 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int, 383 * java.lang.Object) checkConnect 384 * @see java.lang.SecurityManager#checkRead(java.lang.String, 385 * java.lang.Object) checkRead 386 * @see java.security.AccessControlContext AccessControlContext 387 */ 388 public Object getSecurityContext() { 389 return AccessController.getContext(); 390 } 391 392 /** 393 * Throws a <code>SecurityException</code> if the requested 394 * access, specified by the given permission, is not permitted based 395 * on the security policy currently in effect. 396 * <p> 397 * This method calls <code>AccessController.checkPermission</code> 398 * with the given permission. 399 * 400 * @param perm the requested permission. 401 * @exception SecurityException if access is not permitted based on 402 * the current security policy. 403 * @exception NullPointerException if the permission argument is 404 * <code>null</code>. 405 * @since 1.2 406 */ 407 public void checkPermission(Permission perm) { 408 java.security.AccessController.checkPermission(perm); 409 } 410 411 /** 412 * Throws a <code>SecurityException</code> if the 413 * specified security context is denied access to the resource 414 * specified by the given permission. 415 * The context must be a security 416 * context returned by a previous call to 417 * <code>getSecurityContext</code> and the access control 418 * decision is based upon the configured security policy for 419 * that security context. 420 * <p> 421 * If <code>context</code> is an instance of 422 * <code>AccessControlContext</code> then the 423 * <code>AccessControlContext.checkPermission</code> method is 424 * invoked with the specified permission. 425 * <p> 426 * If <code>context</code> is not an instance of 427 * <code>AccessControlContext</code> then a 428 * <code>SecurityException</code> is thrown. 429 * 430 * @param perm the specified permission 431 * @param context a system-dependent security context. 432 * @exception SecurityException if the specified security context 433 * is not an instance of <code>AccessControlContext</code> 434 * (e.g., is <code>null</code>), or is denied access to the 435 * resource specified by the given permission. 436 * @exception NullPointerException if the permission argument is 437 * <code>null</code>. 438 * @see java.lang.SecurityManager#getSecurityContext() 439 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 440 * @since 1.2 441 */ 442 public void checkPermission(Permission perm, Object context) { 443 if (context instanceof AccessControlContext) { 444 ((AccessControlContext)context).checkPermission(perm); 445 } else { 446 throw new SecurityException(); 447 } 448 } 449 450 /** 451 * Throws a <code>SecurityException</code> if the 452 * calling thread is not allowed to create a new class loader. 453 * <p> 454 * This method calls <code>checkPermission</code> with the 455 * <code>RuntimePermission("createClassLoader")</code> 456 * permission. 457 * <p> 458 * If you override this method, then you should make a call to 459 * <code>super.checkCreateClassLoader</code> 460 * at the point the overridden method would normally throw an 461 * exception. 462 * 463 * @exception SecurityException if the calling thread does not 464 * have permission 465 * to create a new class loader. 466 * @see java.lang.ClassLoader#ClassLoader() 467 * @see #checkPermission(java.security.Permission) checkPermission 468 */ 469 public void checkCreateClassLoader() { 470 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION); 471 } 472 473 /** 474 * reference to the root thread group, used for the checkAccess 475 * methods. 476 */ 477 478 private static ThreadGroup rootGroup = getRootGroup(); 479 480 private static ThreadGroup getRootGroup() { 481 ThreadGroup root = Thread.currentThread().getThreadGroup(); 482 while (root.getParent() != null) { 483 root = root.getParent(); 484 } 485 return root; 486 } 487 488 /** 489 * Throws a <code>SecurityException</code> if the 490 * calling thread is not allowed to modify the thread argument. 491 * <p> 492 * This method is invoked for the current security manager by the 493 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, 494 * <code>setPriority</code>, <code>setName</code>, and 495 * <code>setDaemon</code> methods of class <code>Thread</code>. 496 * <p> 497 * If the thread argument is a system thread (belongs to 498 * the thread group with a <code>null</code> parent) then 499 * this method calls <code>checkPermission</code> with the 500 * <code>RuntimePermission("modifyThread")</code> permission. 501 * If the thread argument is <i>not</i> a system thread, 502 * this method just returns silently. 503 * <p> 504 * Applications that want a stricter policy should override this 505 * method. If this method is overridden, the method that overrides 506 * it should additionally check to see if the calling thread has the 507 * <code>RuntimePermission("modifyThread")</code> permission, and 508 * if so, return silently. This is to ensure that code granted 509 * that permission (such as the JDK itself) is allowed to 510 * manipulate any thread. 511 * <p> 512 * If this method is overridden, then 513 * <code>super.checkAccess</code> should 514 * be called by the first statement in the overridden method, or the 515 * equivalent security check should be placed in the overridden method. 516 * 517 * @param t the thread to be checked. 518 * @exception SecurityException if the calling thread does not have 519 * permission to modify the thread. 520 * @exception NullPointerException if the thread argument is 521 * <code>null</code>. 522 * @see java.lang.Thread#resume() resume 523 * @see java.lang.Thread#setDaemon(boolean) setDaemon 524 * @see java.lang.Thread#setName(java.lang.String) setName 525 * @see java.lang.Thread#setPriority(int) setPriority 526 * @see java.lang.Thread#stop() stop 527 * @see java.lang.Thread#suspend() suspend 528 * @see #checkPermission(java.security.Permission) checkPermission 529 */ 530 public void checkAccess(Thread t) { 531 if (t == null) { 532 throw new NullPointerException("thread can't be null"); 533 } 534 if (t.getThreadGroup() == rootGroup) { 535 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION); 536 } else { 537 // just return 538 } 539 } 540 /** 541 * Throws a <code>SecurityException</code> if the 542 * calling thread is not allowed to modify the thread group argument. 543 * <p> 544 * This method is invoked for the current security manager when a 545 * new child thread or child thread group is created, and by the 546 * <code>setDaemon</code>, <code>setMaxPriority</code>, 547 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and 548 * <code>destroy</code> methods of class <code>ThreadGroup</code>. 549 * <p> 550 * If the thread group argument is the system thread group ( 551 * has a <code>null</code> parent) then 552 * this method calls <code>checkPermission</code> with the 553 * <code>RuntimePermission("modifyThreadGroup")</code> permission. 554 * If the thread group argument is <i>not</i> the system thread group, 555 * this method just returns silently. 556 * <p> 557 * Applications that want a stricter policy should override this 558 * method. If this method is overridden, the method that overrides 559 * it should additionally check to see if the calling thread has the 560 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and 561 * if so, return silently. This is to ensure that code granted 562 * that permission (such as the JDK itself) is allowed to 563 * manipulate any thread. 564 * <p> 565 * If this method is overridden, then 566 * <code>super.checkAccess</code> should 567 * be called by the first statement in the overridden method, or the 568 * equivalent security check should be placed in the overridden method. 569 * 570 * @param g the thread group to be checked. 571 * @exception SecurityException if the calling thread does not have 572 * permission to modify the thread group. 573 * @exception NullPointerException if the thread group argument is 574 * <code>null</code>. 575 * @see java.lang.ThreadGroup#destroy() destroy 576 * @see java.lang.ThreadGroup#resume() resume 577 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon 578 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority 579 * @see java.lang.ThreadGroup#stop() stop 580 * @see java.lang.ThreadGroup#suspend() suspend 581 * @see #checkPermission(java.security.Permission) checkPermission 582 */ 583 public void checkAccess(ThreadGroup g) { 584 if (g == null) { 585 throw new NullPointerException("thread group can't be null"); 586 } 587 if (g == rootGroup) { 588 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION); 589 } else { 590 // just return 591 } 592 } 593 594 /** 595 * Throws a <code>SecurityException</code> if the 596 * calling thread is not allowed to cause the Java Virtual Machine to 597 * halt with the specified status code. 598 * <p> 599 * This method is invoked for the current security manager by the 600 * <code>exit</code> method of class <code>Runtime</code>. A status 601 * of <code>0</code> indicates success; other values indicate various 602 * errors. 603 * <p> 604 * This method calls <code>checkPermission</code> with the 605 * <code>RuntimePermission("exitVM."+status)</code> permission. 606 * <p> 607 * If you override this method, then you should make a call to 608 * <code>super.checkExit</code> 609 * at the point the overridden method would normally throw an 610 * exception. 611 * 612 * @param status the exit status. 613 * @exception SecurityException if the calling thread does not have 614 * permission to halt the Java Virtual Machine with 615 * the specified status. 616 * @see java.lang.Runtime#exit(int) exit 617 * @see #checkPermission(java.security.Permission) checkPermission 618 */ 619 public void checkExit(int status) { 620 checkPermission(new RuntimePermission("exitVM."+status)); 621 } 622 623 /** 624 * Throws a <code>SecurityException</code> if the 625 * calling thread is not allowed to create a subprocess. 626 * <p> 627 * This method is invoked for the current security manager by the 628 * <code>exec</code> methods of class <code>Runtime</code>. 629 * <p> 630 * This method calls <code>checkPermission</code> with the 631 * <code>FilePermission(cmd,"execute")</code> permission 632 * if cmd is an absolute path, otherwise it calls 633 * <code>checkPermission</code> with 634 * <code>FilePermission("<<ALL FILES>>","execute")</code>. 635 * <p> 636 * If you override this method, then you should make a call to 637 * <code>super.checkExec</code> 638 * at the point the overridden method would normally throw an 639 * exception. 640 * 641 * @param cmd the specified system command. 642 * @exception SecurityException if the calling thread does not have 643 * permission to create a subprocess. 644 * @exception NullPointerException if the <code>cmd</code> argument is 645 * <code>null</code>. 646 * @see java.lang.Runtime#exec(java.lang.String) 647 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[]) 648 * @see java.lang.Runtime#exec(java.lang.String[]) 649 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[]) 650 * @see #checkPermission(java.security.Permission) checkPermission 651 */ 652 public void checkExec(String cmd) { 653 File f = new File(cmd); 654 if (f.isAbsolute()) { 655 checkPermission(new FilePermission(cmd, 656 SecurityConstants.FILE_EXECUTE_ACTION)); 657 } else { 658 checkPermission(new FilePermission("<<ALL FILES>>", 659 SecurityConstants.FILE_EXECUTE_ACTION)); 660 } 661 } 662 663 /** 664 * Throws a <code>SecurityException</code> if the 665 * calling thread is not allowed to dynamic link the library code 666 * specified by the string argument file. The argument is either a 667 * simple library name or a complete filename. 668 * <p> 669 * This method is invoked for the current security manager by 670 * methods <code>load</code> and <code>loadLibrary</code> of class 671 * <code>Runtime</code>. 672 * <p> 673 * This method calls <code>checkPermission</code> with the 674 * <code>RuntimePermission("loadLibrary."+lib)</code> permission. 675 * <p> 676 * If you override this method, then you should make a call to 677 * <code>super.checkLink</code> 678 * at the point the overridden method would normally throw an 679 * exception. 680 * 681 * @param lib the name of the library. 682 * @exception SecurityException if the calling thread does not have 683 * permission to dynamically link the library. 684 * @exception NullPointerException if the <code>lib</code> argument is 685 * <code>null</code>. 686 * @see java.lang.Runtime#load(java.lang.String) 687 * @see java.lang.Runtime#loadLibrary(java.lang.String) 688 * @see #checkPermission(java.security.Permission) checkPermission 689 */ 690 public void checkLink(String lib) { 691 if (lib == null) { 692 throw new NullPointerException("library can't be null"); 693 } 694 checkPermission(new RuntimePermission("loadLibrary."+lib)); 695 } 696 697 /** 698 * Throws a <code>SecurityException</code> if the 699 * calling thread is not allowed to read from the specified file 700 * descriptor. 701 * <p> 702 * This method calls <code>checkPermission</code> with the 703 * <code>RuntimePermission("readFileDescriptor")</code> 704 * permission. 705 * <p> 706 * If you override this method, then you should make a call to 707 * <code>super.checkRead</code> 708 * at the point the overridden method would normally throw an 709 * exception. 710 * 711 * @param fd the system-dependent file descriptor. 712 * @exception SecurityException if the calling thread does not have 713 * permission to access the specified file descriptor. 714 * @exception NullPointerException if the file descriptor argument is 715 * <code>null</code>. 716 * @see java.io.FileDescriptor 717 * @see #checkPermission(java.security.Permission) checkPermission 718 */ 719 public void checkRead(FileDescriptor fd) { 720 if (fd == null) { 721 throw new NullPointerException("file descriptor can't be null"); 722 } 723 checkPermission(new RuntimePermission("readFileDescriptor")); 724 } 725 726 /** 727 * Throws a <code>SecurityException</code> if the 728 * calling thread is not allowed to read the file specified by the 729 * string argument. 730 * <p> 731 * This method calls <code>checkPermission</code> with the 732 * <code>FilePermission(file,"read")</code> permission. 733 * <p> 734 * If you override this method, then you should make a call to 735 * <code>super.checkRead</code> 736 * at the point the overridden method would normally throw an 737 * exception. 738 * 739 * @param file the system-dependent file name. 740 * @exception SecurityException if the calling thread does not have 741 * permission to access the specified file. 742 * @exception NullPointerException if the <code>file</code> argument is 743 * <code>null</code>. 744 * @see #checkPermission(java.security.Permission) checkPermission 745 */ 746 public void checkRead(String file) { 747 checkPermission(new FilePermission(file, 748 SecurityConstants.FILE_READ_ACTION)); 749 } 750 751 /** 752 * Throws a <code>SecurityException</code> if the 753 * specified security context is not allowed to read the file 754 * specified by the string argument. The context must be a security 755 * context returned by a previous call to 756 * <code>getSecurityContext</code>. 757 * <p> If <code>context</code> is an instance of 758 * <code>AccessControlContext</code> then the 759 * <code>AccessControlContext.checkPermission</code> method will 760 * be invoked with the <code>FilePermission(file,"read")</code> permission. 761 * <p> If <code>context</code> is not an instance of 762 * <code>AccessControlContext</code> then a 763 * <code>SecurityException</code> is thrown. 764 * <p> 765 * If you override this method, then you should make a call to 766 * <code>super.checkRead</code> 767 * at the point the overridden method would normally throw an 768 * exception. 769 * 770 * @param file the system-dependent filename. 771 * @param context a system-dependent security context. 772 * @exception SecurityException if the specified security context 773 * is not an instance of <code>AccessControlContext</code> 774 * (e.g., is <code>null</code>), or does not have permission 775 * to read the specified file. 776 * @exception NullPointerException if the <code>file</code> argument is 777 * <code>null</code>. 778 * @see java.lang.SecurityManager#getSecurityContext() 779 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 780 */ 781 public void checkRead(String file, Object context) { 782 checkPermission( 783 new FilePermission(file, SecurityConstants.FILE_READ_ACTION), 784 context); 785 } 786 787 /** 788 * Throws a <code>SecurityException</code> if the 789 * calling thread is not allowed to write to the specified file 790 * descriptor. 791 * <p> 792 * This method calls <code>checkPermission</code> with the 793 * <code>RuntimePermission("writeFileDescriptor")</code> 794 * permission. 795 * <p> 796 * If you override this method, then you should make a call to 797 * <code>super.checkWrite</code> 798 * at the point the overridden method would normally throw an 799 * exception. 800 * 801 * @param fd the system-dependent file descriptor. 802 * @exception SecurityException if the calling thread does not have 803 * permission to access the specified file descriptor. 804 * @exception NullPointerException if the file descriptor argument is 805 * <code>null</code>. 806 * @see java.io.FileDescriptor 807 * @see #checkPermission(java.security.Permission) checkPermission 808 */ 809 public void checkWrite(FileDescriptor fd) { 810 if (fd == null) { 811 throw new NullPointerException("file descriptor can't be null"); 812 } 813 checkPermission(new RuntimePermission("writeFileDescriptor")); 814 815 } 816 817 /** 818 * Throws a <code>SecurityException</code> if the 819 * calling thread is not allowed to write to the file specified by 820 * the string argument. 821 * <p> 822 * This method calls <code>checkPermission</code> with the 823 * <code>FilePermission(file,"write")</code> permission. 824 * <p> 825 * If you override this method, then you should make a call to 826 * <code>super.checkWrite</code> 827 * at the point the overridden method would normally throw an 828 * exception. 829 * 830 * @param file the system-dependent filename. 831 * @exception SecurityException if the calling thread does not 832 * have permission to access the specified file. 833 * @exception NullPointerException if the <code>file</code> argument is 834 * <code>null</code>. 835 * @see #checkPermission(java.security.Permission) checkPermission 836 */ 837 public void checkWrite(String file) { 838 checkPermission(new FilePermission(file, 839 SecurityConstants.FILE_WRITE_ACTION)); 840 } 841 842 /** 843 * Throws a <code>SecurityException</code> if the 844 * calling thread is not allowed to delete the specified file. 845 * <p> 846 * This method is invoked for the current security manager by the 847 * <code>delete</code> method of class <code>File</code>. 848 * <p> 849 * This method calls <code>checkPermission</code> with the 850 * <code>FilePermission(file,"delete")</code> permission. 851 * <p> 852 * If you override this method, then you should make a call to 853 * <code>super.checkDelete</code> 854 * at the point the overridden method would normally throw an 855 * exception. 856 * 857 * @param file the system-dependent filename. 858 * @exception SecurityException if the calling thread does not 859 * have permission to delete the file. 860 * @exception NullPointerException if the <code>file</code> argument is 861 * <code>null</code>. 862 * @see java.io.File#delete() 863 * @see #checkPermission(java.security.Permission) checkPermission 864 */ 865 public void checkDelete(String file) { 866 checkPermission(new FilePermission(file, 867 SecurityConstants.FILE_DELETE_ACTION)); 868 } 869 870 /** 871 * Throws a <code>SecurityException</code> if the 872 * calling thread is not allowed to open a socket connection to the 873 * specified host and port number. 874 * <p> 875 * A port number of <code>-1</code> indicates that the calling 876 * method is attempting to determine the IP address of the specified 877 * host name. 878 * <p> 879 * This method calls <code>checkPermission</code> with the 880 * <code>SocketPermission(host+":"+port,"connect")</code> permission if 881 * the port is not equal to -1. If the port is equal to -1, then 882 * it calls <code>checkPermission</code> with the 883 * <code>SocketPermission(host,"resolve")</code> permission. 884 * <p> 885 * If you override this method, then you should make a call to 886 * <code>super.checkConnect</code> 887 * at the point the overridden method would normally throw an 888 * exception. 889 * 890 * @param host the host name port to connect to. 891 * @param port the protocol port to connect to. 892 * @exception SecurityException if the calling thread does not have 893 * permission to open a socket connection to the specified 894 * <code>host</code> and <code>port</code>. 895 * @exception NullPointerException if the <code>host</code> argument is 896 * <code>null</code>. 897 * @see #checkPermission(java.security.Permission) checkPermission 898 */ 899 public void checkConnect(String host, int port) { 900 if (host == null) { 901 throw new NullPointerException("host can't be null"); 902 } 903 if (!host.startsWith("[") && host.indexOf(':') != -1) { 904 host = "[" + host + "]"; 905 } 906 if (port == -1) { 907 checkPermission(new SocketPermission(host, 908 SecurityConstants.SOCKET_RESOLVE_ACTION)); 909 } else { 910 checkPermission(new SocketPermission(host+":"+port, 911 SecurityConstants.SOCKET_CONNECT_ACTION)); 912 } 913 } 914 915 /** 916 * Throws a <code>SecurityException</code> if the 917 * specified security context is not allowed to open a socket 918 * connection to the specified host and port number. 919 * <p> 920 * A port number of <code>-1</code> indicates that the calling 921 * method is attempting to determine the IP address of the specified 922 * host name. 923 * <p> If <code>context</code> is not an instance of 924 * <code>AccessControlContext</code> then a 925 * <code>SecurityException</code> is thrown. 926 * <p> 927 * Otherwise, the port number is checked. If it is not equal 928 * to -1, the <code>context</code>'s <code>checkPermission</code> 929 * method is called with a 930 * <code>SocketPermission(host+":"+port,"connect")</code> permission. 931 * If the port is equal to -1, then 932 * the <code>context</code>'s <code>checkPermission</code> method 933 * is called with a 934 * <code>SocketPermission(host,"resolve")</code> permission. 935 * <p> 936 * If you override this method, then you should make a call to 937 * <code>super.checkConnect</code> 938 * at the point the overridden method would normally throw an 939 * exception. 940 * 941 * @param host the host name port to connect to. 942 * @param port the protocol port to connect to. 943 * @param context a system-dependent security context. 944 * @exception SecurityException if the specified security context 945 * is not an instance of <code>AccessControlContext</code> 946 * (e.g., is <code>null</code>), or does not have permission 947 * to open a socket connection to the specified 948 * <code>host</code> and <code>port</code>. 949 * @exception NullPointerException if the <code>host</code> argument is 950 * <code>null</code>. 951 * @see java.lang.SecurityManager#getSecurityContext() 952 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 953 */ 954 public void checkConnect(String host, int port, Object context) { 955 if (host == null) { 956 throw new NullPointerException("host can't be null"); 957 } 958 if (!host.startsWith("[") && host.indexOf(':') != -1) { 959 host = "[" + host + "]"; 960 } 961 if (port == -1) 962 checkPermission(new SocketPermission(host, 963 SecurityConstants.SOCKET_RESOLVE_ACTION), 964 context); 965 else 966 checkPermission(new SocketPermission(host+":"+port, 967 SecurityConstants.SOCKET_CONNECT_ACTION), 968 context); 969 } 970 971 /** 972 * Throws a <code>SecurityException</code> if the 973 * calling thread is not allowed to wait for a connection request on 974 * the specified local port number. 975 * <p> 976 * This method calls <code>checkPermission</code> with the 977 * <code>SocketPermission("localhost:"+port,"listen")</code>. 978 * <p> 979 * If you override this method, then you should make a call to 980 * <code>super.checkListen</code> 981 * at the point the overridden method would normally throw an 982 * exception. 983 * 984 * @param port the local port. 985 * @exception SecurityException if the calling thread does not have 986 * permission to listen on the specified port. 987 * @see #checkPermission(java.security.Permission) checkPermission 988 */ 989 public void checkListen(int port) { 990 checkPermission(new SocketPermission("localhost:"+port, 991 SecurityConstants.SOCKET_LISTEN_ACTION)); 992 } 993 994 /** 995 * Throws a <code>SecurityException</code> if the 996 * calling thread is not permitted to accept a socket connection from 997 * the specified host and port number. 998 * <p> 999 * This method is invoked for the current security manager by the 1000 * <code>accept</code> method of class <code>ServerSocket</code>. 1001 * <p> 1002 * This method calls <code>checkPermission</code> with the 1003 * <code>SocketPermission(host+":"+port,"accept")</code> permission. 1004 * <p> 1005 * If you override this method, then you should make a call to 1006 * <code>super.checkAccept</code> 1007 * at the point the overridden method would normally throw an 1008 * exception. 1009 * 1010 * @param host the host name of the socket connection. 1011 * @param port the port number of the socket connection. 1012 * @exception SecurityException if the calling thread does not have 1013 * permission to accept the connection. 1014 * @exception NullPointerException if the <code>host</code> argument is 1015 * <code>null</code>. 1016 * @see java.net.ServerSocket#accept() 1017 * @see #checkPermission(java.security.Permission) checkPermission 1018 */ 1019 public void checkAccept(String host, int port) { 1020 if (host == null) { 1021 throw new NullPointerException("host can't be null"); 1022 } 1023 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1024 host = "[" + host + "]"; 1025 } 1026 checkPermission(new SocketPermission(host+":"+port, 1027 SecurityConstants.SOCKET_ACCEPT_ACTION)); 1028 } 1029 1030 /** 1031 * Throws a <code>SecurityException</code> if the 1032 * calling thread is not allowed to use 1033 * (join/leave/send/receive) IP multicast. 1034 * <p> 1035 * This method calls <code>checkPermission</code> with the 1036 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1037 * "accept,connect")</code> permission. 1038 * <p> 1039 * If you override this method, then you should make a call to 1040 * <code>super.checkMulticast</code> 1041 * at the point the overridden method would normally throw an 1042 * exception. 1043 * 1044 * @param maddr Internet group address to be used. 1045 * @exception SecurityException if the calling thread is not allowed to 1046 * use (join/leave/send/receive) IP multicast. 1047 * @exception NullPointerException if the address argument is 1048 * <code>null</code>. 1049 * @since 1.1 1050 * @see #checkPermission(java.security.Permission) checkPermission 1051 */ 1052 public void checkMulticast(InetAddress maddr) { 1053 String host = maddr.getHostAddress(); 1054 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1055 host = "[" + host + "]"; 1056 } 1057 checkPermission(new SocketPermission(host, 1058 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1059 } 1060 1061 /** 1062 * Throws a <code>SecurityException</code> if the 1063 * calling thread is not allowed to use 1064 * (join/leave/send/receive) IP multicast. 1065 * <p> 1066 * This method calls <code>checkPermission</code> with the 1067 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1068 * "accept,connect")</code> permission. 1069 * <p> 1070 * If you override this method, then you should make a call to 1071 * <code>super.checkMulticast</code> 1072 * at the point the overridden method would normally throw an 1073 * exception. 1074 * 1075 * @param maddr Internet group address to be used. 1076 * @param ttl value in use, if it is multicast send. 1077 * Note: this particular implementation does not use the ttl 1078 * parameter. 1079 * @exception SecurityException if the calling thread is not allowed to 1080 * use (join/leave/send/receive) IP multicast. 1081 * @exception NullPointerException if the address argument is 1082 * <code>null</code>. 1083 * @since 1.1 1084 * @deprecated Use #checkPermission(java.security.Permission) instead 1085 * @see #checkPermission(java.security.Permission) checkPermission 1086 */ 1087 @Deprecated(since="1.4") 1088 public void checkMulticast(InetAddress maddr, byte ttl) { 1089 String host = maddr.getHostAddress(); 1090 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1091 host = "[" + host + "]"; 1092 } 1093 checkPermission(new SocketPermission(host, 1094 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1095 } 1096 1097 /** 1098 * Throws a <code>SecurityException</code> if the 1099 * calling thread is not allowed to access or modify the system 1100 * properties. 1101 * <p> 1102 * This method is used by the <code>getProperties</code> and 1103 * <code>setProperties</code> methods of class <code>System</code>. 1104 * <p> 1105 * This method calls <code>checkPermission</code> with the 1106 * <code>PropertyPermission("*", "read,write")</code> permission. 1107 * <p> 1108 * If you override this method, then you should make a call to 1109 * <code>super.checkPropertiesAccess</code> 1110 * at the point the overridden method would normally throw an 1111 * exception. 1112 * 1113 * @exception SecurityException if the calling thread does not have 1114 * permission to access or modify the system properties. 1115 * @see java.lang.System#getProperties() 1116 * @see java.lang.System#setProperties(java.util.Properties) 1117 * @see #checkPermission(java.security.Permission) checkPermission 1118 */ 1119 public void checkPropertiesAccess() { 1120 checkPermission(new PropertyPermission("*", 1121 SecurityConstants.PROPERTY_RW_ACTION)); 1122 } 1123 1124 /** 1125 * Throws a <code>SecurityException</code> if the 1126 * calling thread is not allowed to access the system property with 1127 * the specified <code>key</code> name. 1128 * <p> 1129 * This method is used by the <code>getProperty</code> method of 1130 * class <code>System</code>. 1131 * <p> 1132 * This method calls <code>checkPermission</code> with the 1133 * <code>PropertyPermission(key, "read")</code> permission. 1134 * <p> 1135 * If you override this method, then you should make a call to 1136 * <code>super.checkPropertyAccess</code> 1137 * at the point the overridden method would normally throw an 1138 * exception. 1139 * 1140 * @param key a system property key. 1141 * 1142 * @exception SecurityException if the calling thread does not have 1143 * permission to access the specified system property. 1144 * @exception NullPointerException if the <code>key</code> argument is 1145 * <code>null</code>. 1146 * @exception IllegalArgumentException if <code>key</code> is empty. 1147 * 1148 * @see java.lang.System#getProperty(java.lang.String) 1149 * @see #checkPermission(java.security.Permission) checkPermission 1150 */ 1151 public void checkPropertyAccess(String key) { 1152 checkPermission(new PropertyPermission(key, 1153 SecurityConstants.PROPERTY_READ_ACTION)); 1154 } 1155 1156 /** 1157 * Throws a <code>SecurityException</code> if the 1158 * calling thread is not allowed to initiate a print job request. 1159 * <p> 1160 * This method calls 1161 * <code>checkPermission</code> with the 1162 * <code>RuntimePermission("queuePrintJob")</code> permission. 1163 * <p> 1164 * If you override this method, then you should make a call to 1165 * <code>super.checkPrintJobAccess</code> 1166 * at the point the overridden method would normally throw an 1167 * exception. 1168 * 1169 * @exception SecurityException if the calling thread does not have 1170 * permission to initiate a print job request. 1171 * @since 1.1 1172 * @see #checkPermission(java.security.Permission) checkPermission 1173 */ 1174 public void checkPrintJobAccess() { 1175 checkPermission(new RuntimePermission("queuePrintJob")); 1176 } 1177 1178 /* 1179 * We have an initial invalid bit (initially false) for the class 1180 * variables which tell if the cache is valid. If the underlying 1181 * java.security.Security property changes via setProperty(), the 1182 * Security class uses reflection to change the variable and thus 1183 * invalidate the cache. 1184 * 1185 * Locking is handled by synchronization to the 1186 * packageAccessLock/packageDefinitionLock objects. They are only 1187 * used in this class. 1188 * 1189 * Note that cache invalidation as a result of the property change 1190 * happens without using these locks, so there may be a delay between 1191 * when a thread updates the property and when other threads updates 1192 * the cache. 1193 */ 1194 private static boolean packageAccessValid = false; 1195 private static String[] packageAccess; 1196 private static final Object packageAccessLock = new Object(); 1197 1198 private static boolean packageDefinitionValid = false; 1199 private static String[] packageDefinition; 1200 private static final Object packageDefinitionLock = new Object(); 1201 1202 private static String[] getPackages(String p) { 1203 String packages[] = null; 1204 if (p != null && !p.isEmpty()) { 1205 java.util.StringTokenizer tok = 1206 new java.util.StringTokenizer(p, ","); 1207 int n = tok.countTokens(); 1208 if (n > 0) { 1209 packages = new String[n]; 1210 int i = 0; 1211 while (tok.hasMoreElements()) { 1212 String s = tok.nextToken().trim(); 1213 packages[i++] = s; 1214 } 1215 } 1216 } 1217 1218 if (packages == null) { 1219 packages = new String[0]; 1220 } 1221 return packages; 1222 } 1223 1224 // The non-exported packages in modules defined to the boot or platform 1225 // class loaders. A non-exported package is a package that is not exported 1226 // or is only exported to specific modules. 1227 private static final Map<String, Boolean> nonExportedPkgs = new ConcurrentHashMap<>(); 1228 static { 1229 addNonExportedPackages(ModuleLayer.boot()); 1230 } 1231 1232 /** 1233 * Record the non-exported packages of the modules in the given layer 1234 */ 1235 static void addNonExportedPackages(ModuleLayer layer) { 1236 Set<String> bootModules = ModuleLoaderMap.bootModules(); 1237 Set<String> platformModules = ModuleLoaderMap.platformModules(); 1238 layer.modules().stream() 1239 .map(Module::getDescriptor) 1240 .filter(md -> bootModules.contains(md.name()) 1241 || platformModules.contains(md.name())) 1242 .map(SecurityManager::nonExportedPkgs) 1243 .flatMap(Set::stream) 1244 .forEach(pn -> nonExportedPkgs.put(pn, Boolean.TRUE)); 1245 } 1246 1247 1248 /** 1249 * Called by java.security.Security 1250 */ 1251 static void invalidatePackageAccessCache() { 1252 synchronized (packageAccessLock) { 1253 packageAccessValid = false; 1254 } 1255 synchronized (packageDefinitionLock) { 1256 packageDefinitionValid = false; 1257 } 1258 } 1259 1260 /** 1261 * Returns the non-exported packages of the specified module. 1262 */ 1263 private static Set<String> nonExportedPkgs(ModuleDescriptor md) { 1264 // start with all packages in the module 1265 Set<String> pkgs = new HashSet<>(md.packages()); 1266 1267 // remove the non-qualified exported packages 1268 md.exports().stream() 1269 .filter(p -> !p.isQualified()) 1270 .map(Exports::source) 1271 .forEach(pkgs::remove); 1272 1273 // remove the non-qualified open packages 1274 md.opens().stream() 1275 .filter(p -> !p.isQualified()) 1276 .map(Opens::source) 1277 .forEach(pkgs::remove); 1278 1279 return pkgs; 1280 } 1281 1282 /** 1283 * Throws a {@code SecurityException} if the calling thread is not allowed 1284 * to access the specified package. 1285 * <p> 1286 * During class loading, this method may be called by the {@code loadClass} 1287 * method of class loaders and by the Java Virtual Machine to ensure that 1288 * the caller is allowed to access the package of the class that is 1289 * being loaded. 1290 * <p> 1291 * This method checks if the specified package starts with or equals 1292 * any of the packages in the {@code package.access} Security Property. 1293 * An implementation may also check the package against an additional 1294 * list of restricted packages as noted below. If the package is restricted, 1295 * {@link #checkPermission(Permission)} is called with a 1296 * {@code RuntimePermission("accessClassInPackage."+pkg)} permission. 1297 * <p> 1298 * If this method is overridden, then {@code super.checkPackageAccess} 1299 * should be called as the first line in the overridden method. 1300 * 1301 * @implNote 1302 * This implementation also restricts all non-exported packages of modules 1303 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1304 * the platform class loader} or its ancestors. A "non-exported package" 1305 * refers to a package that is not exported to all modules. Specifically, 1306 * it refers to a package that either is not exported at all by its 1307 * containing module or is exported in a qualified fashion by its 1308 * containing module. 1309 * 1310 * @param pkg the package name. 1311 * @throws SecurityException if the calling thread does not have 1312 * permission to access the specified package. 1313 * @throws NullPointerException if the package name argument is 1314 * {@code null}. 1315 * @see java.lang.ClassLoader#loadClass(String, boolean) loadClass 1316 * @see java.security.Security#getProperty getProperty 1317 * @see #checkPermission(Permission) checkPermission 1318 */ 1319 public void checkPackageAccess(String pkg) { 1320 Objects.requireNonNull(pkg, "package name can't be null"); 1321 1322 // check if pkg is not exported to all modules 1323 if (nonExportedPkgs.containsKey(pkg)) { 1324 checkPermission( 1325 new RuntimePermission("accessClassInPackage." + pkg)); 1326 return; 1327 } 1328 1329 String[] restrictedPkgs; 1330 synchronized (packageAccessLock) { 1331 /* 1332 * Do we need to update our property array? 1333 */ 1334 if (!packageAccessValid) { 1335 String tmpPropertyStr = 1336 AccessController.doPrivileged( 1337 new PrivilegedAction<>() { 1338 public String run() { 1339 return Security.getProperty("package.access"); 1340 } 1341 } 1342 ); 1343 packageAccess = getPackages(tmpPropertyStr); 1344 packageAccessValid = true; 1345 } 1346 1347 // Using a snapshot of packageAccess -- don't care if static field 1348 // changes afterwards; array contents won't change. 1349 restrictedPkgs = packageAccess; 1350 } 1351 1352 /* 1353 * Traverse the list of packages, check for any matches. 1354 */ 1355 final int plen = pkg.length(); 1356 for (String restrictedPkg : restrictedPkgs) { 1357 final int rlast = restrictedPkg.length() - 1; 1358 1359 // Optimizations: 1360 // 1361 // If rlast >= plen then restrictedPkg is longer than pkg by at 1362 // least one char. This means pkg cannot start with restrictedPkg, 1363 // since restrictedPkg will be longer than pkg. 1364 // 1365 // Similarly if rlast != plen, then pkg + "." cannot be the same 1366 // as restrictedPkg, since pkg + "." will have a different length 1367 // than restrictedPkg. 1368 // 1369 if (rlast < plen && pkg.startsWith(restrictedPkg) || 1370 // The following test is equivalent to 1371 // restrictedPkg.equals(pkg + ".") but is noticeably more 1372 // efficient: 1373 rlast == plen && restrictedPkg.startsWith(pkg) && 1374 restrictedPkg.charAt(rlast) == '.') 1375 { 1376 checkPermission( 1377 new RuntimePermission("accessClassInPackage." + pkg)); 1378 break; // No need to continue; only need to check this once 1379 } 1380 } 1381 } 1382 1383 /** 1384 * Throws a {@code SecurityException} if the calling thread is not 1385 * allowed to define classes in the specified package. 1386 * <p> 1387 * This method is called by the {@code loadClass} method of some 1388 * class loaders. 1389 * <p> 1390 * This method checks if the specified package starts with or equals 1391 * any of the packages in the {@code package.definition} Security 1392 * Property. An implementation may also check the package against an 1393 * additional list of restricted packages as noted below. If the package 1394 * is restricted, {@link #checkPermission(Permission)} is called with a 1395 * {@code RuntimePermission("defineClassInPackage."+pkg)} permission. 1396 * <p> 1397 * If this method is overridden, then {@code super.checkPackageDefinition} 1398 * should be called as the first line in the overridden method. 1399 * 1400 * @implNote 1401 * This implementation also restricts all non-exported packages of modules 1402 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1403 * the platform class loader} or its ancestors. A "non-exported package" 1404 * refers to a package that is not exported to all modules. Specifically, 1405 * it refers to a package that either is not exported at all by its 1406 * containing module or is exported in a qualified fashion by its 1407 * containing module. 1408 * 1409 * @param pkg the package name. 1410 * @throws SecurityException if the calling thread does not have 1411 * permission to define classes in the specified package. 1412 * @throws NullPointerException if the package name argument is 1413 * {@code null}. 1414 * @see java.lang.ClassLoader#loadClass(String, boolean) 1415 * @see java.security.Security#getProperty getProperty 1416 * @see #checkPermission(Permission) checkPermission 1417 */ 1418 public void checkPackageDefinition(String pkg) { 1419 Objects.requireNonNull(pkg, "package name can't be null"); 1420 1421 // check if pkg is not exported to all modules 1422 if (nonExportedPkgs.containsKey(pkg)) { 1423 checkPermission( 1424 new RuntimePermission("defineClassInPackage." + pkg)); 1425 return; 1426 } 1427 1428 String[] pkgs; 1429 synchronized (packageDefinitionLock) { 1430 /* 1431 * Do we need to update our property array? 1432 */ 1433 if (!packageDefinitionValid) { 1434 String tmpPropertyStr = 1435 AccessController.doPrivileged( 1436 new PrivilegedAction<>() { 1437 public String run() { 1438 return java.security.Security.getProperty( 1439 "package.definition"); 1440 } 1441 } 1442 ); 1443 packageDefinition = getPackages(tmpPropertyStr); 1444 packageDefinitionValid = true; 1445 } 1446 // Using a snapshot of packageDefinition -- don't care if static 1447 // field changes afterwards; array contents won't change. 1448 pkgs = packageDefinition; 1449 } 1450 1451 /* 1452 * Traverse the list of packages, check for any matches. 1453 */ 1454 for (String restrictedPkg : pkgs) { 1455 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) { 1456 checkPermission( 1457 new RuntimePermission("defineClassInPackage." + pkg)); 1458 break; // No need to continue; only need to check this once 1459 } 1460 } 1461 } 1462 1463 /** 1464 * Throws a <code>SecurityException</code> if the 1465 * calling thread is not allowed to set the socket factory used by 1466 * <code>ServerSocket</code> or <code>Socket</code>, or the stream 1467 * handler factory used by <code>URL</code>. 1468 * <p> 1469 * This method calls <code>checkPermission</code> with the 1470 * <code>RuntimePermission("setFactory")</code> permission. 1471 * <p> 1472 * If you override this method, then you should make a call to 1473 * <code>super.checkSetFactory</code> 1474 * at the point the overridden method would normally throw an 1475 * exception. 1476 * 1477 * @exception SecurityException if the calling thread does not have 1478 * permission to specify a socket factory or a stream 1479 * handler factory. 1480 * 1481 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory 1482 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory 1483 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory 1484 * @see #checkPermission(java.security.Permission) checkPermission 1485 */ 1486 public void checkSetFactory() { 1487 checkPermission(new RuntimePermission("setFactory")); 1488 } 1489 1490 /** 1491 * Determines whether the permission with the specified permission target 1492 * name should be granted or denied. 1493 * 1494 * <p> If the requested permission is allowed, this method returns 1495 * quietly. If denied, a SecurityException is raised. 1496 * 1497 * <p> This method creates a <code>SecurityPermission</code> object for 1498 * the given permission target name and calls <code>checkPermission</code> 1499 * with it. 1500 * 1501 * <p> See the documentation for 1502 * <code>{@link java.security.SecurityPermission}</code> for 1503 * a list of possible permission target names. 1504 * 1505 * <p> If you override this method, then you should make a call to 1506 * <code>super.checkSecurityAccess</code> 1507 * at the point the overridden method would normally throw an 1508 * exception. 1509 * 1510 * @param target the target name of the <code>SecurityPermission</code>. 1511 * 1512 * @exception SecurityException if the calling thread does not have 1513 * permission for the requested access. 1514 * @exception NullPointerException if <code>target</code> is null. 1515 * @exception IllegalArgumentException if <code>target</code> is empty. 1516 * 1517 * @since 1.1 1518 * @see #checkPermission(java.security.Permission) checkPermission 1519 */ 1520 public void checkSecurityAccess(String target) { 1521 checkPermission(new SecurityPermission(target)); 1522 } 1523 1524 /** 1525 * Returns the thread group into which to instantiate any new 1526 * thread being created at the time this is being called. 1527 * By default, it returns the thread group of the current 1528 * thread. This should be overridden by a specific security 1529 * manager to return the appropriate thread group. 1530 * 1531 * @return ThreadGroup that new threads are instantiated into 1532 * @since 1.1 1533 * @see java.lang.ThreadGroup 1534 */ 1535 public ThreadGroup getThreadGroup() { 1536 return Thread.currentThread().getThreadGroup(); 1537 } 1538 1539 }