1 /* 2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.lang; 27 28 import java.security.*; 29 import java.lang.module.ModuleFinder; 30 31 /** 32 * This class is for runtime permissions. A {@code RuntimePermission} 33 * contains a name (also referred to as a "target name") but no actions 34 * list; you either have the named permission or you don't. 35 * <p> 36 * The target name is the name of the runtime permission (see below). The 37 * naming convention follows the hierarchical property naming convention. 38 * Also, an asterisk may appear at the end of the name, following a ".", 39 * or by itself, to signify a wildcard match. For example: "loadLibrary.*" 40 * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not. 41 * <p> 42 * The following table lists the standard {@code RuntimePermission} 43 * target names, and for each provides a description of what the permission 44 * allows and a discussion of the risks of granting code the permission. 45 * 46 * <table class="striped"> 47 * <caption style="display:none">permission target name, 48 * what the target allows, and associated risks</caption> 49 * <thead> 50 * <tr> 51 * <th scope="col">Permission Target Name</th> 52 * <th scope="col">What the Permission Allows</th> 53 * <th scope="col">Risks of Allowing this Permission</th> 54 * </tr> 55 * </thead> 56 * <tbody> 57 * 58 * <tr> 59 * <th scope="row">createClassLoader</th> 60 * <td>Creation of a class loader</td> 61 * <td>This is an extremely dangerous permission to grant. 62 * Malicious applications that can instantiate their own class 63 * loaders could then load their own rogue classes into the system. 64 * These newly loaded classes could be placed into any protection 65 * domain by the class loader, thereby automatically granting the 66 * classes the permissions for that domain.</td> 67 * </tr> 68 * 69 * <tr> 70 * <th scope="row">getClassLoader</th> 71 * <td>Retrieval of a class loader (e.g., the class loader for the calling 72 * class)</td> 73 * <td>This would grant an attacker permission to get the 74 * class loader for a particular class. This is dangerous because 75 * having access to a class's class loader allows the attacker to 76 * load other classes available to that class loader. The attacker 77 * would typically otherwise not have access to those classes.</td> 78 * </tr> 79 * 80 * <tr> 81 * <th scope="row">setContextClassLoader</th> 82 * <td>Setting of the context class loader used by a thread</td> 83 * <td>The context class loader is used by system code and extensions 84 * when they need to lookup resources that might not exist in the system 85 * class loader. Granting setContextClassLoader permission would allow 86 * code to change which context class loader is used 87 * for a particular thread, including system threads.</td> 88 * </tr> 89 * 90 * <tr> 91 * <th scope="row">enableContextClassLoaderOverride</th> 92 * <td>Subclass implementation of the thread context class loader methods</td> 93 * <td>The context class loader is used by system code and extensions 94 * when they need to lookup resources that might not exist in the system 95 * class loader. Granting enableContextClassLoaderOverride permission would allow 96 * a subclass of Thread to override the methods that are used 97 * to get or set the context class loader for a particular thread.</td> 98 * </tr> 99 * 100 * <tr> 101 * <th scope="row">closeClassLoader</th> 102 * <td>Closing of a ClassLoader</td> 103 * <td>Granting this permission allows code to close any URLClassLoader 104 * that it has a reference to.</td> 105 * </tr> 106 * 107 * <tr> 108 * <th scope="row">setSecurityManager</th> 109 * <td>Setting of the security manager (possibly replacing an existing one) 110 * </td> 111 * <td>The security manager is a class that allows 112 * applications to implement a security policy. Granting the setSecurityManager 113 * permission would allow code to change which security manager is used by 114 * installing a different, possibly less restrictive security manager, 115 * thereby bypassing checks that would have been enforced by the original 116 * security manager.</td> 117 * </tr> 118 * 119 * <tr> 120 * <th scope="row">createSecurityManager</th> 121 * <td>Creation of a new security manager</td> 122 * <td>This gives code access to protected, sensitive methods that may 123 * disclose information about other classes or the execution stack.</td> 124 * </tr> 125 * 126 * <tr> 127 * <th scope="row">getenv.{variable name}</th> 128 * <td>Reading of the value of the specified environment variable</td> 129 * <td>This would allow code to read the value, or determine the 130 * existence, of a particular environment variable. This is 131 * dangerous if the variable contains confidential data.</td> 132 * </tr> 133 * 134 * <tr> 135 * <th scope="row">exitVM.{exit status}</th> 136 * <td>Halting of the Java Virtual Machine with the specified exit status</td> 137 * <td>This allows an attacker to mount a denial-of-service attack 138 * by automatically forcing the virtual machine to halt. 139 * Note: The "exitVM.*" permission is automatically granted to all code 140 * loaded from the application class path, thus enabling applications 141 * to terminate themselves. Also, the "exitVM" permission is equivalent to 142 * "exitVM.*".</td> 143 * </tr> 144 * 145 * <tr> 146 * <th scope="row">shutdownHooks</th> 147 * <td>Registration and cancellation of virtual-machine shutdown hooks</td> 148 * <td>This allows an attacker to register a malicious shutdown 149 * hook that interferes with the clean shutdown of the virtual machine.</td> 150 * </tr> 151 * 152 * <tr> 153 * <th scope="row">setFactory</th> 154 * <td>Setting of the socket factory used by ServerSocket or Socket, 155 * or of the stream handler factory used by URL</td> 156 * <td>This allows code to set the actual implementation 157 * for the socket, server socket, stream handler, or RMI socket factory. 158 * An attacker may set a faulty implementation which mangles the data 159 * stream.</td> 160 * </tr> 161 * 162 * <tr> 163 * <th scope="row">setIO</th> 164 * <td>Setting of System.out, System.in, and System.err</td> 165 * <td>This allows changing the value of the standard system streams. 166 * An attacker may change System.in to monitor and 167 * steal user input, or may set System.err to a "null" OutputStream, 168 * which would hide any error messages sent to System.err. </td> 169 * </tr> 170 * 171 * <tr> 172 * <th scope="row">modifyThread</th> 173 * <td>Modification of threads, e.g., via calls to Thread 174 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority, 175 * setName} and {@code setUncaughtExceptionHandler} 176 * methods</td> 177 * <td>This allows an attacker to modify the behaviour of 178 * any thread in the system.</td> 179 * </tr> 180 * 181 * <tr> 182 * <th scope="row">stopThread</th> 183 * <td>Stopping of threads via calls to the Thread {@code stop} 184 * method</td> 185 * <td>This allows code to stop any thread in the system provided that it is 186 * already granted permission to access that thread. 187 * This poses as a threat, because that code may corrupt the system by 188 * killing existing threads.</td> 189 * </tr> 190 * 191 * <tr> 192 * <th scope="row">modifyThreadGroup</th> 193 * <td>modification of thread groups, e.g., via calls to ThreadGroup 194 * {@code destroy}, {@code getParent}, {@code resume}, 195 * {@code setDaemon}, {@code setMaxPriority}, {@code stop}, 196 * and {@code suspend} methods</td> 197 * <td>This allows an attacker to create thread groups and 198 * set their run priority.</td> 199 * </tr> 200 * 201 * <tr> 202 * <th scope="row">getProtectionDomain</th> 203 * <td>Retrieval of the ProtectionDomain for a class</td> 204 * <td>This allows code to obtain policy information 205 * for a particular code source. While obtaining policy information 206 * does not compromise the security of the system, it does give 207 * attackers additional information, such as local file names for 208 * example, to better aim an attack.</td> 209 * </tr> 210 * 211 * <tr> 212 * <th scope="row">getFileSystemAttributes</th> 213 * <td>Retrieval of file system attributes</td> 214 * <td>This allows code to obtain file system information such as disk usage 215 * or disk space available to the caller. This is potentially dangerous 216 * because it discloses information about the system hardware 217 * configuration and some information about the caller's privilege to 218 * write files.</td> 219 * </tr> 220 * 221 * <tr> 222 * <th scope="row">readFileDescriptor</th> 223 * <td>Reading of file descriptors</td> 224 * <td>This would allow code to read the particular file associated 225 * with the file descriptor read. This is dangerous if the file 226 * contains confidential data.</td> 227 * </tr> 228 * 229 * <tr> 230 * <th scope="row">writeFileDescriptor</th> 231 * <td>Writing to file descriptors</td> 232 * <td>This allows code to write to a particular file associated 233 * with the descriptor. This is dangerous because it may allow 234 * malicious code to plant viruses or at the very least, fill up 235 * your entire disk.</td> 236 * </tr> 237 * 238 * <tr> 239 * <th scope="row">loadLibrary.{library name}</th> 240 * <td>Dynamic linking of the specified library</td> 241 * <td>It is dangerous to allow an applet permission to load native code 242 * libraries, because the Java security architecture is not designed to and 243 * does not prevent malicious behavior at the level of native code.</td> 244 * </tr> 245 * 246 * <tr> 247 * <th scope="row">accessClassInPackage.{package name}</th> 248 * <td>Access to the specified package via a class loader's 249 * {@code loadClass} method when that class loader calls 250 * the SecurityManager {@code checkPackageAccess} method</td> 251 * <td>This gives code access to classes in packages 252 * to which it normally does not have access. Malicious code 253 * may use these classes to help in its attempt to compromise 254 * security in the system.</td> 255 * </tr> 256 * 257 * <tr> 258 * <th scope="row">defineClassInPackage.{package name}</th> 259 * <td>Definition of classes in the specified package, via a class 260 * loader's {@code defineClass} method when that class loader calls 261 * the SecurityManager {@code checkPackageDefinition} method.</td> 262 * <td>This grants code permission to define a class 263 * in a particular package. This is dangerous because malicious 264 * code with this permission may define rogue classes in 265 * trusted packages like {@code java.security} or {@code java.lang}, 266 * for example.</td> 267 * </tr> 268 * 269 * <tr> 270 * <th scope="row">defineClass</th> 271 * <td>Define a class with 272 * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[]) 273 * Lookup.defineClass}.</td> 274 * <td>This grants code with a suitably privileged {@code Lookup} object 275 * permission to define classes in the same package as the {@code Lookup}'s 276 * lookup class. </td> 277 * </tr> 278 * 279 * <tr> 280 * <th scope="row">accessDeclaredMembers</th> 281 * <td>Access to the declared members of a class</td> 282 * <td>This grants code permission to query a class for its public, 283 * protected, default (package) access, and private fields and/or 284 * methods. Although the code would have 285 * access to the private and protected field and method names, it would not 286 * have access to the private/protected field data and would not be able 287 * to invoke any private methods. Nevertheless, malicious code 288 * may use this information to better aim an attack. 289 * Additionally, it may invoke any public methods and/or access public fields 290 * in the class. This could be dangerous if 291 * the code would normally not be able to invoke those methods and/or 292 * access the fields because 293 * it can't cast the object to the class/interface with those methods 294 * and fields. 295 </td> 296 * </tr> 297 * <tr> 298 * <th scope="row">queuePrintJob</th> 299 * <td>Initiation of a print job request</td> 300 * <td>This could print sensitive information to a printer, 301 * or simply waste paper.</td> 302 * </tr> 303 * 304 * <tr> 305 * <th scope="row">getStackTrace</th> 306 * <td>Retrieval of the stack trace information of another thread.</td> 307 * <td>This allows retrieval of the stack trace information of 308 * another thread. This might allow malicious code to monitor the 309 * execution of threads and discover vulnerabilities in applications.</td> 310 * </tr> 311 * 312 * <tr> 313 * <th scope="row">getStackWalkerWithClassReference</th> 314 * <td>Get a stack walker that can retrieve stack frames with class reference.</td> 315 * <td>This allows retrieval of Class objects from stack walking. 316 * This might allow malicious code to access Class objects on the stack 317 * outside its own context.</td> 318 * </tr> 319 * 320 * <tr> 321 * <th scope="row">setDefaultUncaughtExceptionHandler</th> 322 * <td>Setting the default handler to be used when a thread 323 * terminates abruptly due to an uncaught exception</td> 324 * <td>This allows an attacker to register a malicious 325 * uncaught exception handler that could interfere with termination 326 * of a thread</td> 327 * </tr> 328 * 329 * <tr> 330 * <th scope="row">preferences</th> 331 * <td>Represents the permission required to get access to the 332 * java.util.prefs.Preferences implementations user or system root 333 * which in turn allows retrieval or update operations within the 334 * Preferences persistent backing store.) </td> 335 * <td>This permission allows the user to read from or write to the 336 * preferences backing store if the user running the code has 337 * sufficient OS privileges to read/write to that backing store. 338 * The actual backing store may reside within a traditional filesystem 339 * directory or within a registry depending on the platform OS</td> 340 * </tr> 341 * 342 * <tr> 343 * <th scope="row">manageProcess</th> 344 * <td>Native process termination and information about processes 345 * {@link ProcessHandle}.</td> 346 * <td>Allows code to identify and terminate processes that it did not create.</td> 347 * </tr> 348 * 349 * <tr> 350 * <th scope="row">localeServiceProvider</th> 351 * <td>This {@code RuntimePermission} is required to be granted to 352 * classes which subclass and implement 353 * {@code java.util.spi.LocaleServiceProvider}. The permission is 354 * checked during invocation of the abstract base class constructor. 355 * This permission ensures trust in classes which implement this 356 * security-sensitive provider mechanism. </td> 357 * <td>See <a href= "../util/spi/LocaleServiceProvider.html"> 358 * {@code java.util.spi.LocaleServiceProvider}</a> for more 359 * information.</td> 360 * </tr> 361 * 362 * <tr> 363 * <th scope="row">loggerFinder</th> 364 * <td>This {@code RuntimePermission} is required to be granted to 365 * classes which subclass or call methods on 366 * {@code java.lang.System.LoggerFinder}. The permission is 367 * checked during invocation of the abstract base class constructor, as 368 * well as on the invocation of its public methods. 369 * This permission ensures trust in classes which provide loggers 370 * to system classes.</td> 371 * <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder} 372 * for more information.</td> 373 * </tr> 374 * 375 * <tr> 376 * <th scope="row">accessSystemModules</th> 377 * <td>Access system modules in the runtime image.</td> 378 * <td>This grants the permission to access resources in the 379 * {@linkplain ModuleFinder#ofSystem system modules} in the runtime image.</td> 380 * </tr> 381 * 382 * </tbody> 383 * </table> 384 * 385 * @implNote 386 * Implementations may define additional target names, but should use naming 387 * conventions such as reverse domain name notation to avoid name clashes. 388 * 389 * @see java.security.BasicPermission 390 * @see java.security.Permission 391 * @see java.security.Permissions 392 * @see java.security.PermissionCollection 393 * @see java.lang.SecurityManager 394 * 395 * 396 * @author Marianne Mueller 397 * @author Roland Schemers 398 * @since 1.2 399 */ 400 401 public final class RuntimePermission extends BasicPermission { 402 403 @java.io.Serial 404 private static final long serialVersionUID = 7399184964622342223L; 405 406 /** 407 * Creates a new RuntimePermission with the specified name. 408 * The name is the symbolic name of the RuntimePermission, such as 409 * "exit", "setFactory", etc. An asterisk 410 * may appear at the end of the name, following a ".", or by itself, to 411 * signify a wildcard match. 412 * 413 * @param name the name of the RuntimePermission. 414 * 415 * @throws NullPointerException if {@code name} is {@code null}. 416 * @throws IllegalArgumentException if {@code name} is empty. 417 */ 418 419 public RuntimePermission(String name) 420 { 421 super(name); 422 } 423 424 /** 425 * Creates a new RuntimePermission object with the specified name. 426 * The name is the symbolic name of the RuntimePermission, and the 427 * actions String is currently unused and should be null. 428 * 429 * @param name the name of the RuntimePermission. 430 * @param actions should be null. 431 * 432 * @throws NullPointerException if {@code name} is {@code null}. 433 * @throws IllegalArgumentException if {@code name} is empty. 434 */ 435 436 public RuntimePermission(String name, String actions) 437 { 438 super(name, actions); 439 } 440 }