1 /*
2 * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang;
27
28 import java.lang.module.ModuleDescriptor;
29 import java.lang.module.ModuleDescriptor.Exports;
30 import java.lang.module.ModuleDescriptor.Opens;
31 import java.lang.module.ModuleReference;
32 import java.lang.reflect.Member;
33 import java.io.FileDescriptor;
34 import java.io.File;
35 import java.io.FilePermission;
36 import java.net.InetAddress;
37 import java.net.SocketPermission;
38 import java.security.AccessControlContext;
39 import java.security.AccessController;
40 import java.security.Permission;
41 import java.security.PrivilegedAction;
42 import java.security.Security;
43 import java.security.SecurityPermission;
44 import java.util.HashSet;
45 import java.util.Map;
46 import java.util.Objects;
47 import java.util.PropertyPermission;
48 import java.util.Set;
49 import java.util.concurrent.ConcurrentHashMap;
50 import java.util.stream.Collectors;
51
52 import jdk.internal.module.ModuleBootstrap;
53 import jdk.internal.module.ModuleLoaderMap;
54 import jdk.internal.reflect.CallerSensitive;
55 import sun.security.util.SecurityConstants;
56
57 /**
58 * The security manager is a class that allows
59 * applications to implement a security policy. It allows an
60 * application to determine, before performing a possibly unsafe or
61 * sensitive operation, what the operation is and whether
62 * it is being attempted in a security context that allows the
63 * operation to be performed. The
64 * application can allow or disallow the operation.
65 * <p>
66 * The <code>SecurityManager</code> class contains many methods with
67 * names that begin with the word <code>check</code>. These methods
68 * are called by various methods in the Java libraries before those
69 * methods perform certain potentially sensitive operations. The
70 * invocation of such a <code>check</code> method typically looks like this:
71 * <blockquote><pre>
72 * SecurityManager security = System.getSecurityManager();
73 * if (security != null) {
74 * security.check<i>XXX</i>(argument, . . . );
75 * }
76 * </pre></blockquote>
77 * <p>
78 * The security manager is thereby given an opportunity to prevent
79 * completion of the operation by throwing an exception. A security
80 * manager routine simply returns if the operation is permitted, but
81 * throws a <code>SecurityException</code> if the operation is not
82 * permitted.
83 * <p>
84 * The current security manager is set by the
85 * <code>setSecurityManager</code> method in class
86 * <code>System</code>. The current security manager is obtained
87 * by the <code>getSecurityManager</code> method.
88 * <p>
89 * The special method
90 * {@link SecurityManager#checkPermission(java.security.Permission)}
91 * determines whether an access request indicated by a specified
92 * permission should be granted or denied. The
93 * default implementation calls
94 *
95 * <pre>
96 * AccessController.checkPermission(perm);
97 * </pre>
98 *
99 * <p>
100 * If a requested access is allowed,
101 * <code>checkPermission</code> returns quietly. If denied, a
102 * <code>SecurityException</code> is thrown.
103 * <p>
104 * The default implementation of each of the other
105 * <code>check</code> methods in <code>SecurityManager</code> is to
106 * call the <code>SecurityManager checkPermission</code> method
107 * to determine if the calling thread has permission to perform the requested
108 * operation.
109 * <p>
110 * Note that the <code>checkPermission</code> method with
111 * just a single permission argument always performs security checks
112 * within the context of the currently executing thread.
113 * Sometimes a security check that should be made within a given context
114 * will actually need to be done from within a
115 * <i>different</i> context (for example, from within a worker thread).
116 * The {@link SecurityManager#getSecurityContext getSecurityContext} method
117 * and the {@link SecurityManager#checkPermission(java.security.Permission,
118 * java.lang.Object) checkPermission}
119 * method that includes a context argument are provided
120 * for this situation. The
121 * <code>getSecurityContext</code> method returns a "snapshot"
122 * of the current calling context. (The default implementation
123 * returns an AccessControlContext object.) A sample call is
124 * the following:
125 *
126 * <pre>
127 * Object context = null;
128 * SecurityManager sm = System.getSecurityManager();
129 * if (sm != null) context = sm.getSecurityContext();
130 * </pre>
131 *
132 * <p>
133 * The <code>checkPermission</code> method
134 * that takes a context object in addition to a permission
135 * makes access decisions based on that context,
136 * rather than on that of the current execution thread.
137 * Code within a different context can thus call that method,
138 * passing the permission and the
139 * previously-saved context object. A sample call, using the
140 * SecurityManager <code>sm</code> obtained as in the previous example,
141 * is the following:
142 *
143 * <pre>
144 * if (sm != null) sm.checkPermission(permission, context);
145 * </pre>
146 *
147 * <p>Permissions fall into these categories: File, Socket, Net,
148 * Security, Runtime, Property, AWT, Reflect, and Serializable.
149 * The classes managing these various
150 * permission categories are <code>java.io.FilePermission</code>,
151 * <code>java.net.SocketPermission</code>,
152 * <code>java.net.NetPermission</code>,
153 * <code>java.security.SecurityPermission</code>,
154 * <code>java.lang.RuntimePermission</code>,
155 * <code>java.util.PropertyPermission</code>,
156 * <code>java.awt.AWTPermission</code>,
157 * <code>java.lang.reflect.ReflectPermission</code>, and
158 * <code>java.io.SerializablePermission</code>.
159 *
160 * <p>All but the first two (FilePermission and SocketPermission) are
161 * subclasses of <code>java.security.BasicPermission</code>, which itself
162 * is an abstract subclass of the
163 * top-level class for permissions, which is
164 * <code>java.security.Permission</code>. BasicPermission defines the
165 * functionality needed for all permissions that contain a name
166 * that follows the hierarchical property naming convention
167 * (for example, "exitVM", "setFactory", "queuePrintJob", etc).
168 * An asterisk
169 * may appear at the end of the name, following a ".", or by itself, to
170 * signify a wildcard match. For example: "a.*" or "*" is valid,
171 * "*a" or "a*b" is not valid.
172 *
173 * <p>FilePermission and SocketPermission are subclasses of the
174 * top-level class for permissions
175 * (<code>java.security.Permission</code>). Classes like these
176 * that have a more complicated name syntax than that used by
177 * BasicPermission subclass directly from Permission rather than from
178 * BasicPermission. For example,
179 * for a <code>java.io.FilePermission</code> object, the permission name is
180 * the path name of a file (or directory).
181 *
182 * <p>Some of the permission classes have an "actions" list that tells
183 * the actions that are permitted for the object. For example,
184 * for a <code>java.io.FilePermission</code> object, the actions list
185 * (such as "read, write") specifies which actions are granted for the
186 * specified file (or for files in the specified directory).
187 *
188 * <p>Other permission classes are for "named" permissions -
189 * ones that contain a name but no actions list; you either have the
190 * named permission or you don't.
191 *
192 * <p>Note: There is also a <code>java.security.AllPermission</code>
193 * permission that implies all permissions. It exists to simplify the work
194 * of system administrators who might need to perform multiple
195 * tasks that require all (or numerous) permissions.
196 * <p>
197 * See {@extLink security_guide_permissions
198 * Permissions in the Java Development Kit (JDK)}
199 * for permission-related information.
200 * This document includes a table listing the various SecurityManager
201 * <code>check</code> methods and the permission(s) the default
202 * implementation of each such method requires.
203 * It also contains a table of the methods
204 * that require permissions, and for each such method tells
205 * which permission it requires.
206 *
207 * @author Arthur van Hoff
208 * @author Roland Schemers
209 *
210 * @see java.lang.ClassLoader
211 * @see java.lang.SecurityException
212 * @see java.lang.System#getSecurityManager() getSecurityManager
213 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager)
214 * setSecurityManager
215 * @see java.security.AccessController AccessController
216 * @see java.security.AccessControlContext AccessControlContext
217 * @see java.security.AccessControlException AccessControlException
218 * @see java.security.Permission
219 * @see java.security.BasicPermission
220 * @see java.io.FilePermission
221 * @see java.net.SocketPermission
222 * @see java.util.PropertyPermission
223 * @see java.lang.RuntimePermission
224 * @see java.awt.AWTPermission
225 * @see java.security.Policy Policy
226 * @see java.security.SecurityPermission SecurityPermission
227 * @see java.security.ProtectionDomain
228 *
229 * @since 1.0
230 */
231 public class SecurityManager {
232
233 /*
234 * Have we been initialized. Effective against finalizer attacks.
235 */
236 private boolean initialized = false;
237
238 /**
239 * Constructs a new <code>SecurityManager</code>.
240 *
241 * <p> If there is a security manager already installed, this method first
242 * calls the security manager's <code>checkPermission</code> method
243 * with the <code>RuntimePermission("createSecurityManager")</code>
244 * permission to ensure the calling thread has permission to create a new
245 * security manager.
246 * This may result in throwing a <code>SecurityException</code>.
247 *
248 * @exception java.lang.SecurityException if a security manager already
249 * exists and its <code>checkPermission</code> method
250 * doesn't allow creation of a new security manager.
251 * @see java.lang.System#getSecurityManager()
252 * @see #checkPermission(java.security.Permission) checkPermission
253 * @see java.lang.RuntimePermission
254 */
255 public SecurityManager() {
256 synchronized(SecurityManager.class) {
257 SecurityManager sm = System.getSecurityManager();
258 if (sm != null) {
259 // ask the currently installed security manager if we
260 // can create a new one.
261 sm.checkPermission(new RuntimePermission
262 ("createSecurityManager"));
263 }
264 initialized = true;
265 }
266 }
267
268 /**
269 * Returns the current execution stack as an array of classes.
270 * <p>
271 * The length of the array is the number of methods on the execution
272 * stack. The element at index <code>0</code> is the class of the
273 * currently executing method, the element at index <code>1</code> is
274 * the class of that method's caller, and so on.
275 *
276 * @return the execution stack.
277 */
278 protected native Class<?>[] getClassContext();
279
280 /**
281 * Creates an object that encapsulates the current execution
282 * environment. The result of this method is used, for example, by the
283 * three-argument <code>checkConnect</code> method and by the
284 * two-argument <code>checkRead</code> method.
285 * These methods are needed because a trusted method may be called
286 * on to read a file or open a socket on behalf of another method.
287 * The trusted method needs to determine if the other (possibly
288 * untrusted) method would be allowed to perform the operation on its
289 * own.
290 * <p> The default implementation of this method is to return
291 * an <code>AccessControlContext</code> object.
292 *
293 * @return an implementation-dependent object that encapsulates
294 * sufficient information about the current execution environment
295 * to perform some security checks later.
296 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int,
297 * java.lang.Object) checkConnect
298 * @see java.lang.SecurityManager#checkRead(java.lang.String,
299 * java.lang.Object) checkRead
300 * @see java.security.AccessControlContext AccessControlContext
301 */
302 public Object getSecurityContext() {
303 return AccessController.getContext();
304 }
305
306 /**
307 * Throws a <code>SecurityException</code> if the requested
308 * access, specified by the given permission, is not permitted based
309 * on the security policy currently in effect.
310 * <p>
311 * This method calls <code>AccessController.checkPermission</code>
312 * with the given permission.
313 *
314 * @param perm the requested permission.
315 * @exception SecurityException if access is not permitted based on
316 * the current security policy.
317 * @exception NullPointerException if the permission argument is
318 * <code>null</code>.
319 * @since 1.2
320 */
321 public void checkPermission(Permission perm) {
322 java.security.AccessController.checkPermission(perm);
323 }
324
325 /**
326 * Throws a <code>SecurityException</code> if the
327 * specified security context is denied access to the resource
328 * specified by the given permission.
329 * The context must be a security
330 * context returned by a previous call to
331 * <code>getSecurityContext</code> and the access control
332 * decision is based upon the configured security policy for
333 * that security context.
334 * <p>
335 * If <code>context</code> is an instance of
336 * <code>AccessControlContext</code> then the
337 * <code>AccessControlContext.checkPermission</code> method is
338 * invoked with the specified permission.
339 * <p>
340 * If <code>context</code> is not an instance of
341 * <code>AccessControlContext</code> then a
342 * <code>SecurityException</code> is thrown.
343 *
344 * @param perm the specified permission
345 * @param context a system-dependent security context.
346 * @exception SecurityException if the specified security context
347 * is not an instance of <code>AccessControlContext</code>
348 * (e.g., is <code>null</code>), or is denied access to the
349 * resource specified by the given permission.
350 * @exception NullPointerException if the permission argument is
351 * <code>null</code>.
352 * @see java.lang.SecurityManager#getSecurityContext()
353 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
354 * @since 1.2
355 */
356 public void checkPermission(Permission perm, Object context) {
357 if (context instanceof AccessControlContext) {
358 ((AccessControlContext)context).checkPermission(perm);
359 } else {
360 throw new SecurityException();
361 }
362 }
363
364 /**
365 * Throws a <code>SecurityException</code> if the
366 * calling thread is not allowed to create a new class loader.
367 * <p>
368 * This method calls <code>checkPermission</code> with the
369 * <code>RuntimePermission("createClassLoader")</code>
370 * permission.
371 * <p>
372 * If you override this method, then you should make a call to
373 * <code>super.checkCreateClassLoader</code>
374 * at the point the overridden method would normally throw an
375 * exception.
376 *
377 * @exception SecurityException if the calling thread does not
378 * have permission
379 * to create a new class loader.
380 * @see java.lang.ClassLoader#ClassLoader()
381 * @see #checkPermission(java.security.Permission) checkPermission
382 */
383 public void checkCreateClassLoader() {
384 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);
385 }
386
387 /**
388 * reference to the root thread group, used for the checkAccess
389 * methods.
390 */
391
392 private static ThreadGroup rootGroup = getRootGroup();
393
394 private static ThreadGroup getRootGroup() {
395 ThreadGroup root = Thread.currentThread().getThreadGroup();
396 while (root.getParent() != null) {
397 root = root.getParent();
398 }
399 return root;
400 }
401
402 /**
403 * Throws a <code>SecurityException</code> if the
404 * calling thread is not allowed to modify the thread argument.
405 * <p>
406 * This method is invoked for the current security manager by the
407 * <code>stop</code>, <code>suspend</code>, <code>resume</code>,
408 * <code>setPriority</code>, <code>setName</code>, and
409 * <code>setDaemon</code> methods of class <code>Thread</code>.
410 * <p>
411 * If the thread argument is a system thread (belongs to
412 * the thread group with a <code>null</code> parent) then
413 * this method calls <code>checkPermission</code> with the
414 * <code>RuntimePermission("modifyThread")</code> permission.
415 * If the thread argument is <i>not</i> a system thread,
416 * this method just returns silently.
417 * <p>
418 * Applications that want a stricter policy should override this
419 * method. If this method is overridden, the method that overrides
420 * it should additionally check to see if the calling thread has the
421 * <code>RuntimePermission("modifyThread")</code> permission, and
422 * if so, return silently. This is to ensure that code granted
423 * that permission (such as the JDK itself) is allowed to
424 * manipulate any thread.
425 * <p>
426 * If this method is overridden, then
427 * <code>super.checkAccess</code> should
428 * be called by the first statement in the overridden method, or the
429 * equivalent security check should be placed in the overridden method.
430 *
431 * @param t the thread to be checked.
432 * @exception SecurityException if the calling thread does not have
433 * permission to modify the thread.
434 * @exception NullPointerException if the thread argument is
435 * <code>null</code>.
436 * @see java.lang.Thread#resume() resume
437 * @see java.lang.Thread#setDaemon(boolean) setDaemon
438 * @see java.lang.Thread#setName(java.lang.String) setName
439 * @see java.lang.Thread#setPriority(int) setPriority
440 * @see java.lang.Thread#stop() stop
441 * @see java.lang.Thread#suspend() suspend
442 * @see #checkPermission(java.security.Permission) checkPermission
443 */
444 public void checkAccess(Thread t) {
445 if (t == null) {
446 throw new NullPointerException("thread can't be null");
447 }
448 if (t.getThreadGroup() == rootGroup) {
449 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION);
450 } else {
451 // just return
452 }
453 }
454 /**
455 * Throws a <code>SecurityException</code> if the
456 * calling thread is not allowed to modify the thread group argument.
457 * <p>
458 * This method is invoked for the current security manager when a
459 * new child thread or child thread group is created, and by the
460 * <code>setDaemon</code>, <code>setMaxPriority</code>,
461 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and
462 * <code>destroy</code> methods of class <code>ThreadGroup</code>.
463 * <p>
464 * If the thread group argument is the system thread group (
465 * has a <code>null</code> parent) then
466 * this method calls <code>checkPermission</code> with the
467 * <code>RuntimePermission("modifyThreadGroup")</code> permission.
468 * If the thread group argument is <i>not</i> the system thread group,
469 * this method just returns silently.
470 * <p>
471 * Applications that want a stricter policy should override this
472 * method. If this method is overridden, the method that overrides
473 * it should additionally check to see if the calling thread has the
474 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and
475 * if so, return silently. This is to ensure that code granted
476 * that permission (such as the JDK itself) is allowed to
477 * manipulate any thread.
478 * <p>
479 * If this method is overridden, then
480 * <code>super.checkAccess</code> should
481 * be called by the first statement in the overridden method, or the
482 * equivalent security check should be placed in the overridden method.
483 *
484 * @param g the thread group to be checked.
485 * @exception SecurityException if the calling thread does not have
486 * permission to modify the thread group.
487 * @exception NullPointerException if the thread group argument is
488 * <code>null</code>.
489 * @see java.lang.ThreadGroup#destroy() destroy
490 * @see java.lang.ThreadGroup#resume() resume
491 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon
492 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority
493 * @see java.lang.ThreadGroup#stop() stop
494 * @see java.lang.ThreadGroup#suspend() suspend
495 * @see #checkPermission(java.security.Permission) checkPermission
496 */
497 public void checkAccess(ThreadGroup g) {
498 if (g == null) {
499 throw new NullPointerException("thread group can't be null");
500 }
501 if (g == rootGroup) {
502 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION);
503 } else {
504 // just return
505 }
506 }
507
508 /**
509 * Throws a <code>SecurityException</code> if the
510 * calling thread is not allowed to cause the Java Virtual Machine to
511 * halt with the specified status code.
512 * <p>
513 * This method is invoked for the current security manager by the
514 * <code>exit</code> method of class <code>Runtime</code>. A status
515 * of <code>0</code> indicates success; other values indicate various
516 * errors.
517 * <p>
518 * This method calls <code>checkPermission</code> with the
519 * <code>RuntimePermission("exitVM."+status)</code> permission.
520 * <p>
521 * If you override this method, then you should make a call to
522 * <code>super.checkExit</code>
523 * at the point the overridden method would normally throw an
524 * exception.
525 *
526 * @param status the exit status.
527 * @exception SecurityException if the calling thread does not have
528 * permission to halt the Java Virtual Machine with
529 * the specified status.
530 * @see java.lang.Runtime#exit(int) exit
531 * @see #checkPermission(java.security.Permission) checkPermission
532 */
533 public void checkExit(int status) {
534 checkPermission(new RuntimePermission("exitVM."+status));
535 }
536
537 /**
538 * Throws a <code>SecurityException</code> if the
539 * calling thread is not allowed to create a subprocess.
540 * <p>
541 * This method is invoked for the current security manager by the
542 * <code>exec</code> methods of class <code>Runtime</code>.
543 * <p>
544 * This method calls <code>checkPermission</code> with the
545 * <code>FilePermission(cmd,"execute")</code> permission
546 * if cmd is an absolute path, otherwise it calls
547 * <code>checkPermission</code> with
548 * <code>FilePermission("<<ALL FILES>>","execute")</code>.
549 * <p>
550 * If you override this method, then you should make a call to
551 * <code>super.checkExec</code>
552 * at the point the overridden method would normally throw an
553 * exception.
554 *
555 * @param cmd the specified system command.
556 * @exception SecurityException if the calling thread does not have
557 * permission to create a subprocess.
558 * @exception NullPointerException if the <code>cmd</code> argument is
559 * <code>null</code>.
560 * @see java.lang.Runtime#exec(java.lang.String)
561 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[])
562 * @see java.lang.Runtime#exec(java.lang.String[])
563 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[])
564 * @see #checkPermission(java.security.Permission) checkPermission
565 */
566 public void checkExec(String cmd) {
567 File f = new File(cmd);
568 if (f.isAbsolute()) {
569 checkPermission(new FilePermission(cmd,
570 SecurityConstants.FILE_EXECUTE_ACTION));
571 } else {
572 checkPermission(new FilePermission("<<ALL FILES>>",
573 SecurityConstants.FILE_EXECUTE_ACTION));
574 }
575 }
576
577 /**
578 * Throws a <code>SecurityException</code> if the
579 * calling thread is not allowed to dynamic link the library code
580 * specified by the string argument file. The argument is either a
581 * simple library name or a complete filename.
582 * <p>
583 * This method is invoked for the current security manager by
584 * methods <code>load</code> and <code>loadLibrary</code> of class
585 * <code>Runtime</code>.
586 * <p>
587 * This method calls <code>checkPermission</code> with the
588 * <code>RuntimePermission("loadLibrary."+lib)</code> permission.
589 * <p>
590 * If you override this method, then you should make a call to
591 * <code>super.checkLink</code>
592 * at the point the overridden method would normally throw an
593 * exception.
594 *
595 * @param lib the name of the library.
596 * @exception SecurityException if the calling thread does not have
597 * permission to dynamically link the library.
598 * @exception NullPointerException if the <code>lib</code> argument is
599 * <code>null</code>.
600 * @see java.lang.Runtime#load(java.lang.String)
601 * @see java.lang.Runtime#loadLibrary(java.lang.String)
602 * @see #checkPermission(java.security.Permission) checkPermission
603 */
604 public void checkLink(String lib) {
605 if (lib == null) {
606 throw new NullPointerException("library can't be null");
607 }
608 checkPermission(new RuntimePermission("loadLibrary."+lib));
609 }
610
611 /**
612 * Throws a <code>SecurityException</code> if the
613 * calling thread is not allowed to read from the specified file
614 * descriptor.
615 * <p>
616 * This method calls <code>checkPermission</code> with the
617 * <code>RuntimePermission("readFileDescriptor")</code>
618 * permission.
619 * <p>
620 * If you override this method, then you should make a call to
621 * <code>super.checkRead</code>
622 * at the point the overridden method would normally throw an
623 * exception.
624 *
625 * @param fd the system-dependent file descriptor.
626 * @exception SecurityException if the calling thread does not have
627 * permission to access the specified file descriptor.
628 * @exception NullPointerException if the file descriptor argument is
629 * <code>null</code>.
630 * @see java.io.FileDescriptor
631 * @see #checkPermission(java.security.Permission) checkPermission
632 */
633 public void checkRead(FileDescriptor fd) {
634 if (fd == null) {
635 throw new NullPointerException("file descriptor can't be null");
636 }
637 checkPermission(new RuntimePermission("readFileDescriptor"));
638 }
639
640 /**
641 * Throws a <code>SecurityException</code> if the
642 * calling thread is not allowed to read the file specified by the
643 * string argument.
644 * <p>
645 * This method calls <code>checkPermission</code> with the
646 * <code>FilePermission(file,"read")</code> permission.
647 * <p>
648 * If you override this method, then you should make a call to
649 * <code>super.checkRead</code>
650 * at the point the overridden method would normally throw an
651 * exception.
652 *
653 * @param file the system-dependent file name.
654 * @exception SecurityException if the calling thread does not have
655 * permission to access the specified file.
656 * @exception NullPointerException if the <code>file</code> argument is
657 * <code>null</code>.
658 * @see #checkPermission(java.security.Permission) checkPermission
659 */
660 public void checkRead(String file) {
661 checkPermission(new FilePermission(file,
662 SecurityConstants.FILE_READ_ACTION));
663 }
664
665 /**
666 * Throws a <code>SecurityException</code> if the
667 * specified security context is not allowed to read the file
668 * specified by the string argument. The context must be a security
669 * context returned by a previous call to
670 * <code>getSecurityContext</code>.
671 * <p> If <code>context</code> is an instance of
672 * <code>AccessControlContext</code> then the
673 * <code>AccessControlContext.checkPermission</code> method will
674 * be invoked with the <code>FilePermission(file,"read")</code> permission.
675 * <p> If <code>context</code> is not an instance of
676 * <code>AccessControlContext</code> then a
677 * <code>SecurityException</code> is thrown.
678 * <p>
679 * If you override this method, then you should make a call to
680 * <code>super.checkRead</code>
681 * at the point the overridden method would normally throw an
682 * exception.
683 *
684 * @param file the system-dependent filename.
685 * @param context a system-dependent security context.
686 * @exception SecurityException if the specified security context
687 * is not an instance of <code>AccessControlContext</code>
688 * (e.g., is <code>null</code>), or does not have permission
689 * to read the specified file.
690 * @exception NullPointerException if the <code>file</code> argument is
691 * <code>null</code>.
692 * @see java.lang.SecurityManager#getSecurityContext()
693 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
694 */
695 public void checkRead(String file, Object context) {
696 checkPermission(
697 new FilePermission(file, SecurityConstants.FILE_READ_ACTION),
698 context);
699 }
700
701 /**
702 * Throws a <code>SecurityException</code> if the
703 * calling thread is not allowed to write to the specified file
704 * descriptor.
705 * <p>
706 * This method calls <code>checkPermission</code> with the
707 * <code>RuntimePermission("writeFileDescriptor")</code>
708 * permission.
709 * <p>
710 * If you override this method, then you should make a call to
711 * <code>super.checkWrite</code>
712 * at the point the overridden method would normally throw an
713 * exception.
714 *
715 * @param fd the system-dependent file descriptor.
716 * @exception SecurityException if the calling thread does not have
717 * permission to access the specified file descriptor.
718 * @exception NullPointerException if the file descriptor argument is
719 * <code>null</code>.
720 * @see java.io.FileDescriptor
721 * @see #checkPermission(java.security.Permission) checkPermission
722 */
723 public void checkWrite(FileDescriptor fd) {
724 if (fd == null) {
725 throw new NullPointerException("file descriptor can't be null");
726 }
727 checkPermission(new RuntimePermission("writeFileDescriptor"));
728
729 }
730
731 /**
732 * Throws a <code>SecurityException</code> if the
733 * calling thread is not allowed to write to the file specified by
734 * the string argument.
735 * <p>
736 * This method calls <code>checkPermission</code> with the
737 * <code>FilePermission(file,"write")</code> permission.
738 * <p>
739 * If you override this method, then you should make a call to
740 * <code>super.checkWrite</code>
741 * at the point the overridden method would normally throw an
742 * exception.
743 *
744 * @param file the system-dependent filename.
745 * @exception SecurityException if the calling thread does not
746 * have permission to access the specified file.
747 * @exception NullPointerException if the <code>file</code> argument is
748 * <code>null</code>.
749 * @see #checkPermission(java.security.Permission) checkPermission
750 */
751 public void checkWrite(String file) {
752 checkPermission(new FilePermission(file,
753 SecurityConstants.FILE_WRITE_ACTION));
754 }
755
756 /**
757 * Throws a <code>SecurityException</code> if the
758 * calling thread is not allowed to delete the specified file.
759 * <p>
760 * This method is invoked for the current security manager by the
761 * <code>delete</code> method of class <code>File</code>.
762 * <p>
763 * This method calls <code>checkPermission</code> with the
764 * <code>FilePermission(file,"delete")</code> permission.
765 * <p>
766 * If you override this method, then you should make a call to
767 * <code>super.checkDelete</code>
768 * at the point the overridden method would normally throw an
769 * exception.
770 *
771 * @param file the system-dependent filename.
772 * @exception SecurityException if the calling thread does not
773 * have permission to delete the file.
774 * @exception NullPointerException if the <code>file</code> argument is
775 * <code>null</code>.
776 * @see java.io.File#delete()
777 * @see #checkPermission(java.security.Permission) checkPermission
778 */
779 public void checkDelete(String file) {
780 checkPermission(new FilePermission(file,
781 SecurityConstants.FILE_DELETE_ACTION));
782 }
783
784 /**
785 * Throws a <code>SecurityException</code> if the
786 * calling thread is not allowed to open a socket connection to the
787 * specified host and port number.
788 * <p>
789 * A port number of <code>-1</code> indicates that the calling
790 * method is attempting to determine the IP address of the specified
791 * host name.
792 * <p>
793 * This method calls <code>checkPermission</code> with the
794 * <code>SocketPermission(host+":"+port,"connect")</code> permission if
795 * the port is not equal to -1. If the port is equal to -1, then
796 * it calls <code>checkPermission</code> with the
797 * <code>SocketPermission(host,"resolve")</code> permission.
798 * <p>
799 * If you override this method, then you should make a call to
800 * <code>super.checkConnect</code>
801 * at the point the overridden method would normally throw an
802 * exception.
803 *
804 * @param host the host name port to connect to.
805 * @param port the protocol port to connect to.
806 * @exception SecurityException if the calling thread does not have
807 * permission to open a socket connection to the specified
808 * <code>host</code> and <code>port</code>.
809 * @exception NullPointerException if the <code>host</code> argument is
810 * <code>null</code>.
811 * @see #checkPermission(java.security.Permission) checkPermission
812 */
813 public void checkConnect(String host, int port) {
814 if (host == null) {
815 throw new NullPointerException("host can't be null");
816 }
817 if (!host.startsWith("[") && host.indexOf(':') != -1) {
818 host = "[" + host + "]";
819 }
820 if (port == -1) {
821 checkPermission(new SocketPermission(host,
822 SecurityConstants.SOCKET_RESOLVE_ACTION));
823 } else {
824 checkPermission(new SocketPermission(host+":"+port,
825 SecurityConstants.SOCKET_CONNECT_ACTION));
826 }
827 }
828
829 /**
830 * Throws a <code>SecurityException</code> if the
831 * specified security context is not allowed to open a socket
832 * connection to the specified host and port number.
833 * <p>
834 * A port number of <code>-1</code> indicates that the calling
835 * method is attempting to determine the IP address of the specified
836 * host name.
837 * <p> If <code>context</code> is not an instance of
838 * <code>AccessControlContext</code> then a
839 * <code>SecurityException</code> is thrown.
840 * <p>
841 * Otherwise, the port number is checked. If it is not equal
842 * to -1, the <code>context</code>'s <code>checkPermission</code>
843 * method is called with a
844 * <code>SocketPermission(host+":"+port,"connect")</code> permission.
845 * If the port is equal to -1, then
846 * the <code>context</code>'s <code>checkPermission</code> method
847 * is called with a
848 * <code>SocketPermission(host,"resolve")</code> permission.
849 * <p>
850 * If you override this method, then you should make a call to
851 * <code>super.checkConnect</code>
852 * at the point the overridden method would normally throw an
853 * exception.
854 *
855 * @param host the host name port to connect to.
856 * @param port the protocol port to connect to.
857 * @param context a system-dependent security context.
858 * @exception SecurityException if the specified security context
859 * is not an instance of <code>AccessControlContext</code>
860 * (e.g., is <code>null</code>), or does not have permission
861 * to open a socket connection to the specified
862 * <code>host</code> and <code>port</code>.
863 * @exception NullPointerException if the <code>host</code> argument is
864 * <code>null</code>.
865 * @see java.lang.SecurityManager#getSecurityContext()
866 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
867 */
868 public void checkConnect(String host, int port, Object context) {
869 if (host == null) {
870 throw new NullPointerException("host can't be null");
871 }
872 if (!host.startsWith("[") && host.indexOf(':') != -1) {
873 host = "[" + host + "]";
874 }
875 if (port == -1)
876 checkPermission(new SocketPermission(host,
877 SecurityConstants.SOCKET_RESOLVE_ACTION),
878 context);
879 else
880 checkPermission(new SocketPermission(host+":"+port,
881 SecurityConstants.SOCKET_CONNECT_ACTION),
882 context);
883 }
884
885 /**
886 * Throws a <code>SecurityException</code> if the
887 * calling thread is not allowed to wait for a connection request on
888 * the specified local port number.
889 * <p>
890 * This method calls <code>checkPermission</code> with the
891 * <code>SocketPermission("localhost:"+port,"listen")</code>.
892 * <p>
893 * If you override this method, then you should make a call to
894 * <code>super.checkListen</code>
895 * at the point the overridden method would normally throw an
896 * exception.
897 *
898 * @param port the local port.
899 * @exception SecurityException if the calling thread does not have
900 * permission to listen on the specified port.
901 * @see #checkPermission(java.security.Permission) checkPermission
902 */
903 public void checkListen(int port) {
904 checkPermission(new SocketPermission("localhost:"+port,
905 SecurityConstants.SOCKET_LISTEN_ACTION));
906 }
907
908 /**
909 * Throws a <code>SecurityException</code> if the
910 * calling thread is not permitted to accept a socket connection from
911 * the specified host and port number.
912 * <p>
913 * This method is invoked for the current security manager by the
914 * <code>accept</code> method of class <code>ServerSocket</code>.
915 * <p>
916 * This method calls <code>checkPermission</code> with the
917 * <code>SocketPermission(host+":"+port,"accept")</code> permission.
918 * <p>
919 * If you override this method, then you should make a call to
920 * <code>super.checkAccept</code>
921 * at the point the overridden method would normally throw an
922 * exception.
923 *
924 * @param host the host name of the socket connection.
925 * @param port the port number of the socket connection.
926 * @exception SecurityException if the calling thread does not have
927 * permission to accept the connection.
928 * @exception NullPointerException if the <code>host</code> argument is
929 * <code>null</code>.
930 * @see java.net.ServerSocket#accept()
931 * @see #checkPermission(java.security.Permission) checkPermission
932 */
933 public void checkAccept(String host, int port) {
934 if (host == null) {
935 throw new NullPointerException("host can't be null");
936 }
937 if (!host.startsWith("[") && host.indexOf(':') != -1) {
938 host = "[" + host + "]";
939 }
940 checkPermission(new SocketPermission(host+":"+port,
941 SecurityConstants.SOCKET_ACCEPT_ACTION));
942 }
943
944 /**
945 * Throws a <code>SecurityException</code> if the
946 * calling thread is not allowed to use
947 * (join/leave/send/receive) IP multicast.
948 * <p>
949 * This method calls <code>checkPermission</code> with the
950 * <code>java.net.SocketPermission(maddr.getHostAddress(),
951 * "accept,connect")</code> permission.
952 * <p>
953 * If you override this method, then you should make a call to
954 * <code>super.checkMulticast</code>
955 * at the point the overridden method would normally throw an
956 * exception.
957 *
958 * @param maddr Internet group address to be used.
959 * @exception SecurityException if the calling thread is not allowed to
960 * use (join/leave/send/receive) IP multicast.
961 * @exception NullPointerException if the address argument is
962 * <code>null</code>.
963 * @since 1.1
964 * @see #checkPermission(java.security.Permission) checkPermission
965 */
966 public void checkMulticast(InetAddress maddr) {
967 String host = maddr.getHostAddress();
968 if (!host.startsWith("[") && host.indexOf(':') != -1) {
969 host = "[" + host + "]";
970 }
971 checkPermission(new SocketPermission(host,
972 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
973 }
974
975 /**
976 * Throws a <code>SecurityException</code> if the
977 * calling thread is not allowed to use
978 * (join/leave/send/receive) IP multicast.
979 * <p>
980 * This method calls <code>checkPermission</code> with the
981 * <code>java.net.SocketPermission(maddr.getHostAddress(),
982 * "accept,connect")</code> permission.
983 * <p>
984 * If you override this method, then you should make a call to
985 * <code>super.checkMulticast</code>
986 * at the point the overridden method would normally throw an
987 * exception.
988 *
989 * @param maddr Internet group address to be used.
990 * @param ttl value in use, if it is multicast send.
991 * Note: this particular implementation does not use the ttl
992 * parameter.
993 * @exception SecurityException if the calling thread is not allowed to
994 * use (join/leave/send/receive) IP multicast.
995 * @exception NullPointerException if the address argument is
996 * <code>null</code>.
997 * @since 1.1
998 * @deprecated Use #checkPermission(java.security.Permission) instead
999 * @see #checkPermission(java.security.Permission) checkPermission
1000 */
1001 @Deprecated(since="1.4")
1002 public void checkMulticast(InetAddress maddr, byte ttl) {
1003 String host = maddr.getHostAddress();
1004 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1005 host = "[" + host + "]";
1006 }
1007 checkPermission(new SocketPermission(host,
1008 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1009 }
1010
1011 /**
1012 * Throws a <code>SecurityException</code> if the
1013 * calling thread is not allowed to access or modify the system
1014 * properties.
1015 * <p>
1016 * This method is used by the <code>getProperties</code> and
1017 * <code>setProperties</code> methods of class <code>System</code>.
1018 * <p>
1019 * This method calls <code>checkPermission</code> with the
1020 * <code>PropertyPermission("*", "read,write")</code> permission.
1021 * <p>
1022 * If you override this method, then you should make a call to
1023 * <code>super.checkPropertiesAccess</code>
1024 * at the point the overridden method would normally throw an
1025 * exception.
1026 *
1027 * @exception SecurityException if the calling thread does not have
1028 * permission to access or modify the system properties.
1029 * @see java.lang.System#getProperties()
1030 * @see java.lang.System#setProperties(java.util.Properties)
1031 * @see #checkPermission(java.security.Permission) checkPermission
1032 */
1033 public void checkPropertiesAccess() {
1034 checkPermission(new PropertyPermission("*",
1035 SecurityConstants.PROPERTY_RW_ACTION));
1036 }
1037
1038 /**
1039 * Throws a <code>SecurityException</code> if the
1040 * calling thread is not allowed to access the system property with
1041 * the specified <code>key</code> name.
1042 * <p>
1043 * This method is used by the <code>getProperty</code> method of
1044 * class <code>System</code>.
1045 * <p>
1046 * This method calls <code>checkPermission</code> with the
1047 * <code>PropertyPermission(key, "read")</code> permission.
1048 * <p>
1049 * If you override this method, then you should make a call to
1050 * <code>super.checkPropertyAccess</code>
1051 * at the point the overridden method would normally throw an
1052 * exception.
1053 *
1054 * @param key a system property key.
1055 *
1056 * @exception SecurityException if the calling thread does not have
1057 * permission to access the specified system property.
1058 * @exception NullPointerException if the <code>key</code> argument is
1059 * <code>null</code>.
1060 * @exception IllegalArgumentException if <code>key</code> is empty.
1061 *
1062 * @see java.lang.System#getProperty(java.lang.String)
1063 * @see #checkPermission(java.security.Permission) checkPermission
1064 */
1065 public void checkPropertyAccess(String key) {
1066 checkPermission(new PropertyPermission(key,
1067 SecurityConstants.PROPERTY_READ_ACTION));
1068 }
1069
1070 /**
1071 * Throws a <code>SecurityException</code> if the
1072 * calling thread is not allowed to initiate a print job request.
1073 * <p>
1074 * This method calls
1075 * <code>checkPermission</code> with the
1076 * <code>RuntimePermission("queuePrintJob")</code> permission.
1077 * <p>
1078 * If you override this method, then you should make a call to
1079 * <code>super.checkPrintJobAccess</code>
1080 * at the point the overridden method would normally throw an
1081 * exception.
1082 *
1083 * @exception SecurityException if the calling thread does not have
1084 * permission to initiate a print job request.
1085 * @since 1.1
1086 * @see #checkPermission(java.security.Permission) checkPermission
1087 */
1088 public void checkPrintJobAccess() {
1089 checkPermission(new RuntimePermission("queuePrintJob"));
1090 }
1091
1092 /*
1093 * We have an initial invalid bit (initially false) for the class
1094 * variables which tell if the cache is valid. If the underlying
1095 * java.security.Security property changes via setProperty(), the
1096 * Security class uses reflection to change the variable and thus
1097 * invalidate the cache.
1098 *
1099 * Locking is handled by synchronization to the
1100 * packageAccessLock/packageDefinitionLock objects. They are only
1101 * used in this class.
1102 *
1103 * Note that cache invalidation as a result of the property change
1104 * happens without using these locks, so there may be a delay between
1105 * when a thread updates the property and when other threads updates
1106 * the cache.
1107 */
1108 private static boolean packageAccessValid = false;
1109 private static String[] packageAccess;
1110 private static final Object packageAccessLock = new Object();
1111
1112 private static boolean packageDefinitionValid = false;
1113 private static String[] packageDefinition;
1114 private static final Object packageDefinitionLock = new Object();
1115
1116 private static String[] getPackages(String p) {
1117 String packages[] = null;
1118 if (p != null && !p.equals("")) {
1119 java.util.StringTokenizer tok =
1120 new java.util.StringTokenizer(p, ",");
1121 int n = tok.countTokens();
1122 if (n > 0) {
1123 packages = new String[n];
1124 int i = 0;
1125 while (tok.hasMoreElements()) {
1126 String s = tok.nextToken().trim();
1127 packages[i++] = s;
1128 }
1129 }
1130 }
1131
1132 if (packages == null) {
1133 packages = new String[0];
1134 }
1135 return packages;
1136 }
1137
1138 // The non-exported packages in modules defined to the boot or platform
1139 // class loaders. A non-exported package is a package that is not exported
1140 // or is only exported to specific modules.
1141 private static final Map<String, Boolean> nonExportedPkgs = new ConcurrentHashMap<>();
1142 static {
1143 addNonExportedPackages(ModuleLayer.boot());
1144 }
1145
1146 /**
1147 * Record the non-exported packages of the modules in the given layer
1148 */
1149 static void addNonExportedPackages(ModuleLayer layer) {
1150 Set<String> bootModules = ModuleLoaderMap.bootModules();
1151 Set<String> platformModules = ModuleLoaderMap.platformModules();
1152 layer.modules().stream()
1153 .map(Module::getDescriptor)
1154 .filter(md -> bootModules.contains(md.name())
1155 || platformModules.contains(md.name()))
1156 .map(SecurityManager::nonExportedPkgs)
1157 .flatMap(Set::stream)
1158 .forEach(pn -> nonExportedPkgs.put(pn, Boolean.TRUE));
1159 }
1160
1161
1162 /**
1163 * Called by java.security.Security
1164 */
1165 static void invalidatePackageAccessCache() {
1166 synchronized (packageAccessLock) {
1167 packageAccessValid = false;
1168 }
1169 synchronized (packageDefinitionLock) {
1170 packageDefinitionValid = false;
1171 }
1172 }
1173
1174 /**
1175 * Returns the non-exported packages of the specified module.
1176 */
1177 private static Set<String> nonExportedPkgs(ModuleDescriptor md) {
1178 // start with all packages in the module
1179 Set<String> pkgs = new HashSet<>(md.packages());
1180
1181 // remove the non-qualified exported packages
1182 md.exports().stream()
1183 .filter(p -> !p.isQualified())
1184 .map(Exports::source)
1185 .forEach(pkgs::remove);
1186
1187 // remove the non-qualified open packages
1188 md.opens().stream()
1189 .filter(p -> !p.isQualified())
1190 .map(Opens::source)
1191 .forEach(pkgs::remove);
1192
1193 return pkgs;
1194 }
1195
1196 /**
1197 * Throws a {@code SecurityException} if the calling thread is not allowed
1198 * to access the specified package.
1199 * <p>
1200 * During class loading, this method may be called by the {@code loadClass}
1201 * method of class loaders and by the Java Virtual Machine to ensure that
1202 * the caller is allowed to access the package of the class that is
1203 * being loaded.
1204 * <p>
1205 * This method checks if the specified package starts with or equals
1206 * any of the packages in the {@code package.access} Security Property.
1207 * An implementation may also check the package against an additional
1208 * list of restricted packages as noted below. If the package is restricted,
1209 * {@link #checkPermission(Permission)} is called with a
1210 * {@code RuntimePermission("accessClassInPackage."+pkg)} permission.
1211 * <p>
1212 * If this method is overridden, then {@code super.checkPackageAccess}
1213 * should be called as the first line in the overridden method.
1214 *
1215 * @implNote
1216 * This implementation also restricts all non-exported packages of modules
1217 * loaded by {@linkplain ClassLoader#getPlatformClassLoader
1218 * the platform class loader} or its ancestors. A "non-exported package"
1219 * refers to a package that is not exported to all modules. Specifically,
1220 * it refers to a package that either is not exported at all by its
1221 * containing module or is exported in a qualified fashion by its
1222 * containing module.
1223 *
1224 * @param pkg the package name.
1225 * @throws SecurityException if the calling thread does not have
1226 * permission to access the specified package.
1227 * @throws NullPointerException if the package name argument is
1228 * {@code null}.
1229 * @see java.lang.ClassLoader#loadClass(String, boolean) loadClass
1230 * @see java.security.Security#getProperty getProperty
1231 * @see #checkPermission(Permission) checkPermission
1232 */
1233 public void checkPackageAccess(String pkg) {
1234 Objects.requireNonNull(pkg, "package name can't be null");
1235
1236 // check if pkg is not exported to all modules
1237 if (nonExportedPkgs.containsKey(pkg)) {
1238 checkPermission(
1239 new RuntimePermission("accessClassInPackage." + pkg));
1240 return;
1241 }
1242
1243 String[] restrictedPkgs;
1244 synchronized (packageAccessLock) {
1245 /*
1246 * Do we need to update our property array?
1247 */
1248 if (!packageAccessValid) {
1249 String tmpPropertyStr =
1250 AccessController.doPrivileged(
1251 new PrivilegedAction<>() {
1252 public String run() {
1253 return Security.getProperty("package.access");
1254 }
1255 }
1256 );
1257 packageAccess = getPackages(tmpPropertyStr);
1258 packageAccessValid = true;
1259 }
1260
1261 // Using a snapshot of packageAccess -- don't care if static field
1262 // changes afterwards; array contents won't change.
1263 restrictedPkgs = packageAccess;
1264 }
1265
1266 /*
1267 * Traverse the list of packages, check for any matches.
1268 */
1269 final int plen = pkg.length();
1270 for (String restrictedPkg : restrictedPkgs) {
1271 final int rlast = restrictedPkg.length() - 1;
1272
1273 // Optimizations:
1274 //
1275 // If rlast >= plen then restrictedPkg is longer than pkg by at
1276 // least one char. This means pkg cannot start with restrictedPkg,
1277 // since restrictedPkg will be longer than pkg.
1278 //
1279 // Similarly if rlast != plen, then pkg + "." cannot be the same
1280 // as restrictedPkg, since pkg + "." will have a different length
1281 // than restrictedPkg.
1282 //
1283 if (rlast < plen && pkg.startsWith(restrictedPkg) ||
1284 // The following test is equivalent to
1285 // restrictedPkg.equals(pkg + ".") but is noticeably more
1286 // efficient:
1287 rlast == plen && restrictedPkg.startsWith(pkg) &&
1288 restrictedPkg.charAt(rlast) == '.')
1289 {
1290 checkPermission(
1291 new RuntimePermission("accessClassInPackage." + pkg));
1292 break; // No need to continue; only need to check this once
1293 }
1294 }
1295 }
1296
1297 /**
1298 * Throws a {@code SecurityException} if the calling thread is not
1299 * allowed to define classes in the specified package.
1300 * <p>
1301 * This method is called by the {@code loadClass} method of some
1302 * class loaders.
1303 * <p>
1304 * This method checks if the specified package starts with or equals
1305 * any of the packages in the {@code package.definition} Security
1306 * Property. An implementation may also check the package against an
1307 * additional list of restricted packages as noted below. If the package
1308 * is restricted, {@link #checkPermission(Permission)} is called with a
1309 * {@code RuntimePermission("defineClassInPackage."+pkg)} permission.
1310 * <p>
1311 * If this method is overridden, then {@code super.checkPackageDefinition}
1312 * should be called as the first line in the overridden method.
1313 *
1314 * @implNote
1315 * This implementation also restricts all non-exported packages of modules
1316 * loaded by {@linkplain ClassLoader#getPlatformClassLoader
1317 * the platform class loader} or its ancestors. A "non-exported package"
1318 * refers to a package that is not exported to all modules. Specifically,
1319 * it refers to a package that either is not exported at all by its
1320 * containing module or is exported in a qualified fashion by its
1321 * containing module.
1322 *
1323 * @param pkg the package name.
1324 * @throws SecurityException if the calling thread does not have
1325 * permission to define classes in the specified package.
1326 * @throws NullPointerException if the package name argument is
1327 * {@code null}.
1328 * @see java.lang.ClassLoader#loadClass(String, boolean)
1329 * @see java.security.Security#getProperty getProperty
1330 * @see #checkPermission(Permission) checkPermission
1331 */
1332 public void checkPackageDefinition(String pkg) {
1333 Objects.requireNonNull(pkg, "package name can't be null");
1334
1335 // check if pkg is not exported to all modules
1336 if (nonExportedPkgs.containsKey(pkg)) {
1337 checkPermission(
1338 new RuntimePermission("defineClassInPackage." + pkg));
1339 return;
1340 }
1341
1342 String[] pkgs;
1343 synchronized (packageDefinitionLock) {
1344 /*
1345 * Do we need to update our property array?
1346 */
1347 if (!packageDefinitionValid) {
1348 String tmpPropertyStr =
1349 AccessController.doPrivileged(
1350 new PrivilegedAction<>() {
1351 public String run() {
1352 return java.security.Security.getProperty(
1353 "package.definition");
1354 }
1355 }
1356 );
1357 packageDefinition = getPackages(tmpPropertyStr);
1358 packageDefinitionValid = true;
1359 }
1360 // Using a snapshot of packageDefinition -- don't care if static
1361 // field changes afterwards; array contents won't change.
1362 pkgs = packageDefinition;
1363 }
1364
1365 /*
1366 * Traverse the list of packages, check for any matches.
1367 */
1368 for (String restrictedPkg : pkgs) {
1369 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) {
1370 checkPermission(
1371 new RuntimePermission("defineClassInPackage." + pkg));
1372 break; // No need to continue; only need to check this once
1373 }
1374 }
1375 }
1376
1377 /**
1378 * Throws a <code>SecurityException</code> if the
1379 * calling thread is not allowed to set the socket factory used by
1380 * <code>ServerSocket</code> or <code>Socket</code>, or the stream
1381 * handler factory used by <code>URL</code>.
1382 * <p>
1383 * This method calls <code>checkPermission</code> with the
1384 * <code>RuntimePermission("setFactory")</code> permission.
1385 * <p>
1386 * If you override this method, then you should make a call to
1387 * <code>super.checkSetFactory</code>
1388 * at the point the overridden method would normally throw an
1389 * exception.
1390 *
1391 * @exception SecurityException if the calling thread does not have
1392 * permission to specify a socket factory or a stream
1393 * handler factory.
1394 *
1395 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory
1396 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory
1397 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory
1398 * @see #checkPermission(java.security.Permission) checkPermission
1399 */
1400 public void checkSetFactory() {
1401 checkPermission(new RuntimePermission("setFactory"));
1402 }
1403
1404 /**
1405 * Determines whether the permission with the specified permission target
1406 * name should be granted or denied.
1407 *
1408 * <p> If the requested permission is allowed, this method returns
1409 * quietly. If denied, a SecurityException is raised.
1410 *
1411 * <p> This method creates a <code>SecurityPermission</code> object for
1412 * the given permission target name and calls <code>checkPermission</code>
1413 * with it.
1414 *
1415 * <p> See the documentation for
1416 * <code>{@link java.security.SecurityPermission}</code> for
1417 * a list of possible permission target names.
1418 *
1419 * <p> If you override this method, then you should make a call to
1420 * <code>super.checkSecurityAccess</code>
1421 * at the point the overridden method would normally throw an
1422 * exception.
1423 *
1424 * @param target the target name of the <code>SecurityPermission</code>.
1425 *
1426 * @exception SecurityException if the calling thread does not have
1427 * permission for the requested access.
1428 * @exception NullPointerException if <code>target</code> is null.
1429 * @exception IllegalArgumentException if <code>target</code> is empty.
1430 *
1431 * @since 1.1
1432 * @see #checkPermission(java.security.Permission) checkPermission
1433 */
1434 public void checkSecurityAccess(String target) {
1435 checkPermission(new SecurityPermission(target));
1436 }
1437
1438 /**
1439 * Returns the thread group into which to instantiate any new
1440 * thread being created at the time this is being called.
1441 * By default, it returns the thread group of the current
1442 * thread. This should be overridden by a specific security
1443 * manager to return the appropriate thread group.
1444 *
1445 * @return ThreadGroup that new threads are instantiated into
1446 * @since 1.1
1447 * @see java.lang.ThreadGroup
1448 */
1449 public ThreadGroup getThreadGroup() {
1450 return Thread.currentThread().getThreadGroup();
1451 }
1452
1453 }
1454