J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 1997-2005 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package java.lang; |
| 27 | |
| 28 | import java.security.*; |
| 29 | import java.util.Enumeration; |
| 30 | import java.util.Hashtable; |
| 31 | import java.util.StringTokenizer; |
| 32 | |
| 33 | /** |
| 34 | * This class is for runtime permissions. A RuntimePermission |
| 35 | * contains a name (also referred to as a "target name") but |
| 36 | * no actions list; you either have the named permission |
| 37 | * or you don't. |
| 38 | * |
| 39 | * <P> |
| 40 | * The target name is the name of the runtime permission (see below). The |
| 41 | * naming convention follows the hierarchical property naming convention. |
| 42 | * Also, an asterisk |
| 43 | * may appear at the end of the name, following a ".", or by itself, to |
| 44 | * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid, |
| 45 | * "*loadLibrary" or "a*b" is not valid. |
| 46 | * <P> |
| 47 | * The following table lists all the possible RuntimePermission target names, |
| 48 | * and for each provides a description of what the permission allows |
| 49 | * and a discussion of the risks of granting code the permission. |
| 50 | * <P> |
| 51 | * |
| 52 | * <table border=1 cellpadding=5 summary="permission target name, |
| 53 | * what the target allows,and associated risks"> |
| 54 | * <tr> |
| 55 | * <th>Permission Target Name</th> |
| 56 | * <th>What the Permission Allows</th> |
| 57 | * <th>Risks of Allowing this Permission</th> |
| 58 | * </tr> |
| 59 | * |
| 60 | * <tr> |
| 61 | * <td>createClassLoader</td> |
| 62 | * <td>Creation of a class loader</td> |
| 63 | * <td>This is an extremely dangerous permission to grant. |
| 64 | * Malicious applications that can instantiate their own class |
| 65 | * loaders could then load their own rogue classes into the system. |
| 66 | * These newly loaded classes could be placed into any protection |
| 67 | * domain by the class loader, thereby automatically granting the |
| 68 | * classes the permissions for that domain.</td> |
| 69 | * </tr> |
| 70 | * |
| 71 | * <tr> |
| 72 | * <td>getClassLoader</td> |
| 73 | * <td>Retrieval of a class loader (e.g., the class loader for the calling |
| 74 | * class)</td> |
| 75 | * <td>This would grant an attacker permission to get the |
| 76 | * class loader for a particular class. This is dangerous because |
| 77 | * having access to a class's class loader allows the attacker to |
| 78 | * load other classes available to that class loader. The attacker |
| 79 | * would typically otherwise not have access to those classes.</td> |
| 80 | * </tr> |
| 81 | * |
| 82 | * <tr> |
| 83 | * <td>setContextClassLoader</td> |
| 84 | * <td>Setting of the context class loader used by a thread</td> |
| 85 | * <td>The context class loader is used by system code and extensions |
| 86 | * when they need to lookup resources that might not exist in the system |
| 87 | * class loader. Granting setContextClassLoader permission would allow |
| 88 | * code to change which context class loader is used |
| 89 | * for a particular thread, including system threads.</td> |
| 90 | * </tr> |
| 91 | * |
| 92 | * <tr> |
| 93 | * <td>enableContextClassLoaderOverride</td> |
| 94 | * <td>Subclass implementation of the thread context class loader methods</td> |
| 95 | * <td>The context class loader is used by system code and extensions |
| 96 | * when they need to lookup resources that might not exist in the system |
| 97 | * class loader. Granting enableContextClassLoaderOverride permission would allow |
| 98 | * a subclass of Thread to override the methods that are used |
| 99 | * to get or set the context class loader for a particular thread.</td> |
| 100 | * </tr> |
| 101 | * |
| 102 | * <tr> |
| 103 | * <td>setSecurityManager</td> |
| 104 | * <td>Setting of the security manager (possibly replacing an existing one) |
| 105 | * </td> |
| 106 | * <td>The security manager is a class that allows |
| 107 | * applications to implement a security policy. Granting the setSecurityManager |
| 108 | * permission would allow code to change which security manager is used by |
| 109 | * installing a different, possibly less restrictive security manager, |
| 110 | * thereby bypassing checks that would have been enforced by the original |
| 111 | * security manager.</td> |
| 112 | * </tr> |
| 113 | * |
| 114 | * <tr> |
| 115 | * <td>createSecurityManager</td> |
| 116 | * <td>Creation of a new security manager</td> |
| 117 | * <td>This gives code access to protected, sensitive methods that may |
| 118 | * disclose information about other classes or the execution stack.</td> |
| 119 | * </tr> |
| 120 | * |
| 121 | * <tr> |
| 122 | * <td>getenv.{variable name}</td> |
| 123 | * <td>Reading of the value of the specified environment variable</td> |
| 124 | * <td>This would allow code to read the value, or determine the |
| 125 | * existence, of a particular environment variable. This is |
| 126 | * dangerous if the variable contains confidential data.</td> |
| 127 | * </tr> |
| 128 | * |
| 129 | * <tr> |
| 130 | * <td>exitVM.{exit status}</td> |
| 131 | * <td>Halting of the Java Virtual Machine with the specified exit status</td> |
| 132 | * <td>This allows an attacker to mount a denial-of-service attack |
| 133 | * by automatically forcing the virtual machine to halt. |
| 134 | * Note: The "exitVM.*" permission is automatically granted to all code |
| 135 | * loaded from the application class path, thus enabling applications |
| 136 | * to terminate themselves. Also, the "exitVM" permission is equivalent to |
| 137 | * "exitVM.*".</td> |
| 138 | * </tr> |
| 139 | * |
| 140 | * <tr> |
| 141 | * <td>shutdownHooks</td> |
| 142 | * <td>Registration and cancellation of virtual-machine shutdown hooks</td> |
| 143 | * <td>This allows an attacker to register a malicious shutdown |
| 144 | * hook that interferes with the clean shutdown of the virtual machine.</td> |
| 145 | * </tr> |
| 146 | * |
| 147 | * <tr> |
| 148 | * <td>setFactory</td> |
| 149 | * <td>Setting of the socket factory used by ServerSocket or Socket, |
| 150 | * or of the stream handler factory used by URL</td> |
| 151 | * <td>This allows code to set the actual implementation |
| 152 | * for the socket, server socket, stream handler, or RMI socket factory. |
| 153 | * An attacker may set a faulty implementation which mangles the data |
| 154 | * stream.</td> |
| 155 | * </tr> |
| 156 | * |
| 157 | * <tr> |
| 158 | * <td>setIO</td> |
| 159 | * <td>Setting of System.out, System.in, and System.err</td> |
| 160 | * <td>This allows changing the value of the standard system streams. |
| 161 | * An attacker may change System.in to monitor and |
| 162 | * steal user input, or may set System.err to a "null" OutputStream, |
| 163 | * which would hide any error messages sent to System.err. </td> |
| 164 | * </tr> |
| 165 | * |
| 166 | * <tr> |
| 167 | * <td>modifyThread</td> |
| 168 | * <td>Modification of threads, e.g., via calls to Thread |
| 169 | * <tt>interrupt</tt>, <tt>stop</tt>, <tt>suspend</tt>, |
| 170 | * <tt>resume</tt>, <tt>setDaemon</tt>, <tt>setPriority</tt>, |
| 171 | * <tt>setName</tt> and <tt>setUncaughtExceptionHandler</tt> |
| 172 | * methods</td> |
| 173 | * <td>This allows an attacker to modify the behaviour of |
| 174 | * any thread in the system.</td> |
| 175 | * </tr> |
| 176 | * |
| 177 | * <tr> |
| 178 | * <td>stopThread</td> |
| 179 | * <td>Stopping of threads via calls to the Thread <code>stop</code> |
| 180 | * method</td> |
| 181 | * <td>This allows code to stop any thread in the system provided that it is |
| 182 | * already granted permission to access that thread. |
| 183 | * This poses as a threat, because that code may corrupt the system by |
| 184 | * killing existing threads.</td> |
| 185 | * </tr> |
| 186 | * |
| 187 | * <tr> |
| 188 | * <td>modifyThreadGroup</td> |
| 189 | * <td>modification of thread groups, e.g., via calls to ThreadGroup |
| 190 | * <code>destroy</code>, <code>getParent</code>, <code>resume</code>, |
| 191 | * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>, |
| 192 | * and <code>suspend</code> methods</td> |
| 193 | * <td>This allows an attacker to create thread groups and |
| 194 | * set their run priority.</td> |
| 195 | * </tr> |
| 196 | * |
| 197 | * <tr> |
| 198 | * <td>getProtectionDomain</td> |
| 199 | * <td>Retrieval of the ProtectionDomain for a class</td> |
| 200 | * <td>This allows code to obtain policy information |
| 201 | * for a particular code source. While obtaining policy information |
| 202 | * does not compromise the security of the system, it does give |
| 203 | * attackers additional information, such as local file names for |
| 204 | * example, to better aim an attack.</td> |
| 205 | * </tr> |
| 206 | * |
| 207 | * <tr> |
| 208 | * <td>getFileSystemAttributes</td> |
| 209 | * <td>Retrieval of file system attributes</td> |
| 210 | * <td>This allows code to obtain file system information such as disk usage |
| 211 | * or disk space available to the caller. This is potentially dangerous |
| 212 | * because it discloses information about the system hardware |
| 213 | * configuration and some information about the caller's privilege to |
| 214 | * write files.</td> |
| 215 | * </tr> |
| 216 | * |
| 217 | * <tr> |
| 218 | * <td>readFileDescriptor</td> |
| 219 | * <td>Reading of file descriptors</td> |
| 220 | * <td>This would allow code to read the particular file associated |
| 221 | * with the file descriptor read. This is dangerous if the file |
| 222 | * contains confidential data.</td> |
| 223 | * </tr> |
| 224 | * |
| 225 | * <tr> |
| 226 | * <td>writeFileDescriptor</td> |
| 227 | * <td>Writing to file descriptors</td> |
| 228 | * <td>This allows code to write to a particular file associated |
| 229 | * with the descriptor. This is dangerous because it may allow |
| 230 | * malicious code to plant viruses or at the very least, fill up |
| 231 | * your entire disk.</td> |
| 232 | * </tr> |
| 233 | * |
| 234 | * <tr> |
| 235 | * <td>loadLibrary.{library name}</td> |
| 236 | * <td>Dynamic linking of the specified library</td> |
| 237 | * <td>It is dangerous to allow an applet permission to load native code |
| 238 | * libraries, because the Java security architecture is not designed to and |
| 239 | * does not prevent malicious behavior at the level of native code.</td> |
| 240 | * </tr> |
| 241 | * |
| 242 | * <tr> |
| 243 | * <td>accessClassInPackage.{package name}</td> |
| 244 | * <td>Access to the specified package via a class loader's |
| 245 | * <code>loadClass</code> method when that class loader calls |
| 246 | * the SecurityManager <code>checkPackageAccess</code> method</td> |
| 247 | * <td>This gives code access to classes in packages |
| 248 | * to which it normally does not have access. Malicious code |
| 249 | * may use these classes to help in its attempt to compromise |
| 250 | * security in the system.</td> |
| 251 | * </tr> |
| 252 | * |
| 253 | * <tr> |
| 254 | * <td>defineClassInPackage.{package name}</td> |
| 255 | * <td>Definition of classes in the specified package, via a class |
| 256 | * loader's <code>defineClass</code> method when that class loader calls |
| 257 | * the SecurityManager <code>checkPackageDefinition</code> method.</td> |
| 258 | * <td>This grants code permission to define a class |
| 259 | * in a particular package. This is dangerous because malicious |
| 260 | * code with this permission may define rogue classes in |
| 261 | * trusted packages like <code>java.security</code> or <code>java.lang</code>, |
| 262 | * for example.</td> |
| 263 | * </tr> |
| 264 | * |
| 265 | * <tr> |
| 266 | * <td>accessDeclaredMembers</td> |
| 267 | * <td>Access to the declared members of a class</td> |
| 268 | * <td>This grants code permission to query a class for its public, |
| 269 | * protected, default (package) access, and private fields and/or |
| 270 | * methods. Although the code would have |
| 271 | * access to the private and protected field and method names, it would not |
| 272 | * have access to the private/protected field data and would not be able |
| 273 | * to invoke any private methods. Nevertheless, malicious code |
| 274 | * may use this information to better aim an attack. |
| 275 | * Additionally, it may invoke any public methods and/or access public fields |
| 276 | * in the class. This could be dangerous if |
| 277 | * the code would normally not be able to invoke those methods and/or |
| 278 | * access the fields because |
| 279 | * it can't cast the object to the class/interface with those methods |
| 280 | * and fields. |
| 281 | </td> |
| 282 | * </tr> |
| 283 | * <tr> |
| 284 | * <td>queuePrintJob</td> |
| 285 | * <td>Initiation of a print job request</td> |
| 286 | * <td>This could print sensitive information to a printer, |
| 287 | * or simply waste paper.</td> |
| 288 | * </tr> |
| 289 | * |
| 290 | * <tr> |
| 291 | * <td>getStackTrace</td> |
| 292 | * <td>Retrieval of the stack trace information of another thread.</td> |
| 293 | * <td>This allows retrieval of the stack trace information of |
| 294 | * another thread. This might allow malicious code to monitor the |
| 295 | * execution of threads and discover vulnerabilities in applications.</td> |
| 296 | * </tr> |
| 297 | * |
| 298 | * <tr> |
| 299 | * <td>setDefaultUncaughtExceptionHandler</td> |
| 300 | * <td>Setting the default handler to be used when a thread |
| 301 | * terminates abruptly due to an uncaught exception</td> |
| 302 | * <td>This allows an attacker to register a malicious |
| 303 | * uncaught exception handler that could interfere with termination |
| 304 | * of a thread</td> |
| 305 | * </tr> |
| 306 | * |
| 307 | * <tr> |
| 308 | * <td>preferences</td> |
| 309 | * <td>Represents the permission required to get access to the |
| 310 | * java.util.prefs.Preferences implementations user or system root |
| 311 | * which in turn allows retrieval or update operations within the |
| 312 | * Preferences persistent backing store.) </td> |
| 313 | * <td>This permission allows the user to read from or write to the |
| 314 | * preferences backing store if the user running the code has |
| 315 | * sufficient OS privileges to read/write to that backing store. |
| 316 | * The actual backing store may reside within a traditional filesystem |
| 317 | * directory or within a registry depending on the platform OS</td> |
| 318 | * </tr> |
| 319 | * |
| 320 | * <tr> |
| 321 | * <td>usePolicy</td> |
| 322 | * <td>Granting this permission disables the Java Plug-In's default |
| 323 | * security prompting behavior.</td> |
| 324 | * <td>For more information, refer to Java Plug-In's guides, <a href= |
| 325 | * "../../../technotes/guides/plugin/developer_guide/security.html"> |
| 326 | * Applet Security Basics</a> and <a href= |
| 327 | * "../../../technotes/guides/plugin/developer_guide/rsa_how.html#use"> |
| 328 | * usePolicy Permission</a>.</td> |
| 329 | * </tr> |
| 330 | * </table> |
| 331 | * |
| 332 | * @see java.security.BasicPermission |
| 333 | * @see java.security.Permission |
| 334 | * @see java.security.Permissions |
| 335 | * @see java.security.PermissionCollection |
| 336 | * @see java.lang.SecurityManager |
| 337 | * |
| 338 | * |
| 339 | * @author Marianne Mueller |
| 340 | * @author Roland Schemers |
| 341 | */ |
| 342 | |
| 343 | public final class RuntimePermission extends BasicPermission { |
| 344 | |
| 345 | private static final long serialVersionUID = 7399184964622342223L; |
| 346 | |
| 347 | /** |
| 348 | * Creates a new RuntimePermission with the specified name. |
| 349 | * The name is the symbolic name of the RuntimePermission, such as |
| 350 | * "exit", "setFactory", etc. An asterisk |
| 351 | * may appear at the end of the name, following a ".", or by itself, to |
| 352 | * signify a wildcard match. |
| 353 | * |
| 354 | * @param name the name of the RuntimePermission. |
| 355 | * |
| 356 | * @throws NullPointerException if <code>name</code> is <code>null</code>. |
| 357 | * @throws IllegalArgumentException if <code>name</code> is empty. |
| 358 | */ |
| 359 | |
| 360 | public RuntimePermission(String name) |
| 361 | { |
| 362 | super(name); |
| 363 | } |
| 364 | |
| 365 | /** |
| 366 | * Creates a new RuntimePermission object with the specified name. |
| 367 | * The name is the symbolic name of the RuntimePermission, and the |
| 368 | * actions String is currently unused and should be null. |
| 369 | * |
| 370 | * @param name the name of the RuntimePermission. |
| 371 | * @param actions should be null. |
| 372 | * |
| 373 | * @throws NullPointerException if <code>name</code> is <code>null</code>. |
| 374 | * @throws IllegalArgumentException if <code>name</code> is empty. |
| 375 | */ |
| 376 | |
| 377 | public RuntimePermission(String name, String actions) |
| 378 | { |
| 379 | super(name, actions); |
| 380 | } |
| 381 | } |