1 /*
   2  * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.lang;
  27 
  28 import java.security.*;
  29 import java.util.Enumeration;
  30 import java.util.Hashtable;
  31 import java.util.StringTokenizer;
  32 
  33 /**
  34  * This class is for runtime permissions. A {@code RuntimePermission}
  35  * contains a name (also referred to as a "target name") but no actions
  36  * list; you either have the named permission or you don't.
  37  * <p>
  38  * The target name is the name of the runtime permission (see below). The
  39  * naming convention follows the  hierarchical property naming convention.
  40  * Also, an asterisk may appear at the end of the name, following a ".",
  41  * or by itself, to signify a wildcard match. For example: "loadLibrary.*"
  42  * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not.
  43  * <p>
  44  * The following table lists the standard {@code RuntimePermission}
  45  * target names, and for each provides a description of what the permission
  46  * allows and a discussion of the risks of granting code the permission.
  47  *
  48  * <table border=1 cellpadding=5 summary="permission target name,
  49  *  what the target allows,and associated risks">
  50  * <tr>
  51  * <th>Permission Target Name</th>
  52  * <th>What the Permission Allows</th>
  53  * <th>Risks of Allowing this Permission</th>
  54  * </tr>
  55  *
  56  * <tr>
  57  *   <td>createClassLoader</td>
  58  *   <td>Creation of a class loader</td>
  59  *   <td>This is an extremely dangerous permission to grant.
  60  * Malicious applications that can instantiate their own class
  61  * loaders could then load their own rogue classes into the system.
  62  * These newly loaded classes could be placed into any protection
  63  * domain by the class loader, thereby automatically granting the
  64  * classes the permissions for that domain.</td>
  65  * </tr>
  66  *
  67  * <tr>
  68  *   <td>getClassLoader</td>
  69  *   <td>Retrieval of a class loader (e.g., the class loader for the calling
  70  * class)</td>
  71  *   <td>This would grant an attacker permission to get the
  72  * class loader for a particular class. This is dangerous because
  73  * having access to a class's class loader allows the attacker to
  74  * load other classes available to that class loader. The attacker
  75  * would typically otherwise not have access to those classes.</td>
  76  * </tr>
  77  *
  78  * <tr>
  79  *   <td>setContextClassLoader</td>
  80  *   <td>Setting of the context class loader used by a thread</td>
  81  *   <td>The context class loader is used by system code and extensions
  82  * when they need to lookup resources that might not exist in the system
  83  * class loader. Granting setContextClassLoader permission would allow
  84  * code to change which context class loader is used
  85  * for a particular thread, including system threads.</td>
  86  * </tr>
  87  *
  88  * <tr>
  89  *   <td>enableContextClassLoaderOverride</td>
  90  *   <td>Subclass implementation of the thread context class loader methods</td>
  91  *   <td>The context class loader is used by system code and extensions
  92  * when they need to lookup resources that might not exist in the system
  93  * class loader. Granting enableContextClassLoaderOverride permission would allow
  94  * a subclass of Thread to override the methods that are used
  95  * to get or set the context class loader for a particular thread.</td>
  96  * </tr>
  97  *
  98  * <tr>
  99  *   <td>closeClassLoader</td>
 100  *   <td>Closing of a ClassLoader</td>
 101  *   <td>Granting this permission allows code to close any URLClassLoader
 102  * that it has a reference to.</td>
 103  * </tr>
 104  *
 105  * <tr>
 106  *   <td>setSecurityManager</td>
 107  *   <td>Setting of the security manager (possibly replacing an existing one)
 108  * </td>
 109  *   <td>The security manager is a class that allows
 110  * applications to implement a security policy. Granting the setSecurityManager
 111  * permission would allow code to change which security manager is used by
 112  * installing a different, possibly less restrictive security manager,
 113  * thereby bypassing checks that would have been enforced by the original
 114  * security manager.</td>
 115  * </tr>
 116  *
 117  * <tr>
 118  *   <td>createSecurityManager</td>
 119  *   <td>Creation of a new security manager</td>
 120  *   <td>This gives code access to protected, sensitive methods that may
 121  * disclose information about other classes or the execution stack.</td>
 122  * </tr>
 123  *
 124  * <tr>
 125  *   <td>getenv.{variable name}</td>
 126  *   <td>Reading of the value of the specified environment variable</td>
 127  *   <td>This would allow code to read the value, or determine the
 128  *       existence, of a particular environment variable.  This is
 129  *       dangerous if the variable contains confidential data.</td>
 130  * </tr>
 131  *
 132  * <tr>
 133  *   <td>exitVM.{exit status}</td>
 134  *   <td>Halting of the Java Virtual Machine with the specified exit status</td>
 135  *   <td>This allows an attacker to mount a denial-of-service attack
 136  * by automatically forcing the virtual machine to halt.
 137  * Note: The "exitVM.*" permission is automatically granted to all code
 138  * loaded from the application class path, thus enabling applications
 139  * to terminate themselves. Also, the "exitVM" permission is equivalent to
 140  * "exitVM.*".</td>
 141  * </tr>
 142  *
 143  * <tr>
 144  *   <td>shutdownHooks</td>
 145  *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>
 146  *   <td>This allows an attacker to register a malicious shutdown
 147  * hook that interferes with the clean shutdown of the virtual machine.</td>
 148  * </tr>
 149  *
 150  * <tr>
 151  *   <td>setFactory</td>
 152  *   <td>Setting of the socket factory used by ServerSocket or Socket,
 153  * or of the stream handler factory used by URL</td>
 154  *   <td>This allows code to set the actual implementation
 155  * for the socket, server socket, stream handler, or RMI socket factory.
 156  * An attacker may set a faulty implementation which mangles the data
 157  * stream.</td>
 158  * </tr>
 159  *
 160  * <tr>
 161  *   <td>setIO</td>
 162  *   <td>Setting of System.out, System.in, and System.err</td>
 163  *   <td>This allows changing the value of the standard system streams.
 164  * An attacker may change System.in to monitor and
 165  * steal user input, or may set System.err to a "null" OutputStream,
 166  * which would hide any error messages sent to System.err. </td>
 167  * </tr>
 168  *
 169  * <tr>
 170  *   <td>modifyThread</td>
 171  *   <td>Modification of threads, e.g., via calls to Thread
 172  * {@code interrupt, stop, suspend, resume, setDaemon, setPriority,
 173  * setName} and {@code setUncaughtExceptionHandler}
 174  * methods</td>
 175  * <td>This allows an attacker to modify the behaviour of
 176  * any thread in the system.</td>
 177  * </tr>
 178  *
 179  * <tr>
 180  *   <td>stopThread</td>
 181  *   <td>Stopping of threads via calls to the Thread <code>stop</code>
 182  * method</td>
 183  *   <td>This allows code to stop any thread in the system provided that it is
 184  * already granted permission to access that thread.
 185  * This poses as a threat, because that code may corrupt the system by
 186  * killing existing threads.</td>
 187  * </tr>
 188  *
 189  * <tr>
 190  *   <td>modifyThreadGroup</td>
 191  *   <td>modification of thread groups, e.g., via calls to ThreadGroup
 192  * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
 193  * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
 194  * and <code>suspend</code> methods</td>
 195  *   <td>This allows an attacker to create thread groups and
 196  * set their run priority.</td>
 197  * </tr>
 198  *
 199  * <tr>
 200  *   <td>getProtectionDomain</td>
 201  *   <td>Retrieval of the ProtectionDomain for a class</td>
 202  *   <td>This allows code to obtain policy information
 203  * for a particular code source. While obtaining policy information
 204  * does not compromise the security of the system, it does give
 205  * attackers additional information, such as local file names for
 206  * example, to better aim an attack.</td>
 207  * </tr>
 208  *
 209  * <tr>
 210  *   <td>getFileSystemAttributes</td>
 211  *   <td>Retrieval of file system attributes</td>
 212  *   <td>This allows code to obtain file system information such as disk usage
 213  *       or disk space available to the caller.  This is potentially dangerous
 214  *       because it discloses information about the system hardware
 215  *       configuration and some information about the caller's privilege to
 216  *       write files.</td>
 217  * </tr>
 218  *
 219  * <tr>
 220  *   <td>readFileDescriptor</td>
 221  *   <td>Reading of file descriptors</td>
 222  *   <td>This would allow code to read the particular file associated
 223  *       with the file descriptor read. This is dangerous if the file
 224  *       contains confidential data.</td>
 225  * </tr>
 226  *
 227  * <tr>
 228  *   <td>writeFileDescriptor</td>
 229  *   <td>Writing to file descriptors</td>
 230  *   <td>This allows code to write to a particular file associated
 231  *       with the descriptor. This is dangerous because it may allow
 232  *       malicious code to plant viruses or at the very least, fill up
 233  *       your entire disk.</td>
 234  * </tr>
 235  *
 236  * <tr>
 237  *   <td>loadLibrary.{library name}</td>
 238  *   <td>Dynamic linking of the specified library</td>
 239  *   <td>It is dangerous to allow an applet permission to load native code
 240  * libraries, because the Java security architecture is not designed to and
 241  * does not prevent malicious behavior at the level of native code.</td>
 242  * </tr>
 243  *
 244  * <tr>
 245  *   <td>accessClassInPackage.{package name}</td>
 246  *   <td>Access to the specified package via a class loader's
 247  * <code>loadClass</code> method when that class loader calls
 248  * the SecurityManager <code>checkPackageAccess</code> method</td>
 249  *   <td>This gives code access to classes in packages
 250  * to which it normally does not have access. Malicious code
 251  * may use these classes to help in its attempt to compromise
 252  * security in the system.</td>
 253  * </tr>
 254  *
 255  * <tr>
 256  *   <td>defineClassInPackage.{package name}</td>
 257  *   <td>Definition of classes in the specified package, via a class
 258  * loader's <code>defineClass</code> method when that class loader calls
 259  * the SecurityManager <code>checkPackageDefinition</code> method.</td>
 260  *   <td>This grants code permission to define a class
 261  * in a particular package. This is dangerous because malicious
 262  * code with this permission may define rogue classes in
 263  * trusted packages like <code>java.security</code> or <code>java.lang</code>,
 264  * for example.</td>
 265  * </tr>
 266  *
 267  * <tr>
 268  *   <td>accessDeclaredMembers</td>
 269  *   <td>Access to the declared members of a class</td>
 270  *   <td>This grants code permission to query a class for its public,
 271  * protected, default (package) access, and private fields and/or
 272  * methods. Although the code would have
 273  * access to the private and protected field and method names, it would not
 274  * have access to the private/protected field data and would not be able
 275  * to invoke any private methods. Nevertheless, malicious code
 276  * may use this information to better aim an attack.
 277  * Additionally, it may invoke any public methods and/or access public fields
 278  * in the class.  This could be dangerous if
 279  * the code would normally not be able to invoke those methods and/or
 280  * access the fields  because
 281  * it can't cast the object to the class/interface with those methods
 282  * and fields.
 283 </td>
 284  * </tr>
 285  * <tr>
 286  *   <td>queuePrintJob</td>
 287  *   <td>Initiation of a print job request</td>
 288  *   <td>This could print sensitive information to a printer,
 289  * or simply waste paper.</td>
 290  * </tr>
 291  *
 292  * <tr>
 293  *   <td>getStackTrace</td>
 294  *   <td>Retrieval of the stack trace information of another thread.</td>
 295  *   <td>This allows retrieval of the stack trace information of
 296  * another thread.  This might allow malicious code to monitor the
 297  * execution of threads and discover vulnerabilities in applications.</td>
 298  * </tr>
 299  *
 300  * <tr>
 301  *   <td>setDefaultUncaughtExceptionHandler</td>
 302  *   <td>Setting the default handler to be used when a thread
 303  *   terminates abruptly due to an uncaught exception</td>
 304  *   <td>This allows an attacker to register a malicious
 305  *   uncaught exception handler that could interfere with termination
 306  *   of a thread</td>
 307  * </tr>
 308  *
 309  * <tr>
 310  *   <td>preferences</td>
 311  *   <td>Represents the permission required to get access to the
 312  *   java.util.prefs.Preferences implementations user or system root
 313  *   which in turn allows retrieval or update operations within the
 314  *   Preferences persistent backing store.) </td>
 315  *   <td>This permission allows the user to read from or write to the
 316  *   preferences backing store if the user running the code has
 317  *   sufficient OS privileges to read/write to that backing store.
 318  *   The actual backing store may reside within a traditional filesystem
 319  *   directory or within a registry depending on the platform OS</td>
 320  * </tr>
 321  *
 322  * <tr>
 323  *   <td>usePolicy</td>
 324  *   <td>Granting this permission disables the Java Plug-In's default
 325  *   security prompting behavior.</td>
 326  *   <td>For more information, refer to Java Plug-In's guides, <a href=
 327  *   "../../../technotes/guides/plugin/developer_guide/security.html">
 328  *   Applet Security Basics</a> and <a href=
 329  *   "../../../technotes/guides/plugin/developer_guide/rsa_how.html#use">
 330  *   usePolicy Permission</a>.</td>
 331  * </tr>
 332  * <tr>
 333  *   <td>manageProcess</td>
 334  *   <td>Native process termination and information about processes
 335  *       {@link ProcessHandle}.</td>
 336  *   <td>Allows code to identify and terminate processes that it did not create.</td>
 337  * </tr>
 338  *
 339  * <tr>
 340  *   <td>localeServiceProvider</td>
 341  *   <td>This {@code RuntimePermission} is required to be granted to
 342  *   classes which subclass and implement
 343  *   {@code java.util.spi.LocaleServiceProvider}. The permission is
 344  *   checked during invocation of the abstract base class constructor.
 345  *   This permission ensures trust in classes which implement this
 346  *   security-sensitive provider mechanism. </td>
 347  *   <td>See <a href= "../util/spi/LocaleServiceProvider.html">
 348  *   {@code java.util.spi.LocaleServiceProvider}</a> for more
 349  *   information.</td>
 350  * </tr>
 351  *
 352  * <tr>
 353  *   <td>loggerFinder</td>
 354  *   <td>This {@code RuntimePermission} is required to be granted to
 355  *   classes which subclass or call methods on
 356  *   {@code java.lang.System.LoggerFinder}. The permission is
 357  *   checked during invocation of the abstract base class constructor, as
 358  *   well as on the invocation of its public methods.
 359  *   This permission ensures trust in classes which provide loggers
 360  *   to JDK classes.</td>
 361  *   <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder}
 362  *   for more information.</td>
 363  * </tr>
 364  * </table>
 365  *
 366  * @implNote
 367  * Implementations may define additional target names, but should use naming
 368  * conventions such as reverse domain name notation to avoid name clashes.
 369  *
 370  * @see java.security.BasicPermission
 371  * @see java.security.Permission
 372  * @see java.security.Permissions
 373  * @see java.security.PermissionCollection
 374  * @see java.lang.SecurityManager
 375  *
 376  *
 377  * @author Marianne Mueller
 378  * @author Roland Schemers
 379  */
 380 
 381 public final class RuntimePermission extends BasicPermission {
 382 
 383     private static final long serialVersionUID = 7399184964622342223L;
 384 
 385     /**
 386      * Creates a new RuntimePermission with the specified name.
 387      * The name is the symbolic name of the RuntimePermission, such as
 388      * "exit", "setFactory", etc. An asterisk
 389      * may appear at the end of the name, following a ".", or by itself, to
 390      * signify a wildcard match.
 391      *
 392      * @param name the name of the RuntimePermission.
 393      *
 394      * @throws NullPointerException if <code>name</code> is <code>null</code>.
 395      * @throws IllegalArgumentException if <code>name</code> is empty.
 396      */
 397 
 398     public RuntimePermission(String name)
 399     {
 400         super(name);
 401     }
 402 
 403     /**
 404      * Creates a new RuntimePermission object with the specified name.
 405      * The name is the symbolic name of the RuntimePermission, and the
 406      * actions String is currently unused and should be null.
 407      *
 408      * @param name the name of the RuntimePermission.
 409      * @param actions should be null.
 410      *
 411      * @throws NullPointerException if <code>name</code> is <code>null</code>.
 412      * @throws IllegalArgumentException if <code>name</code> is empty.
 413      */
 414 
 415     public RuntimePermission(String name, String actions)
 416     {
 417         super(name, actions);
 418     }
 419 }