Java > Open Source Codes > java > lang > RuntimePermission


1 /*
2  * @(#)RuntimePermission.java 1.53 04/04/20
3  *
4  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6  */
7
8 package java.lang;
9
10 import java.security.*;
11 import java.util.Enumeration ;
12 import java.util.Hashtable ;
13 import java.util.StringTokenizer ;
14
15 /**
16  * This class is for runtime permissions. A RuntimePermission
17  * contains a name (also referred to as a "target name") but
18  * no actions list; you either have the named permission
19  * or you don't.
20  *
21  * <P>
22  * The target name is the name of the runtime permission (see below). The
23  * naming convention follows the hierarchical property naming convention.
24  * Also, an asterisk
25  * may appear at the end of the name, following a ".", or by itself, to
26  * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,
27  * "*loadLibrary" or "a*b" is not valid.
28  * <P>
29  * The following table lists all the possible RuntimePermission target names,
30  * and for each provides a description of what the permission allows
31  * and a discussion of the risks of granting code the permission.
32  * <P>
33  *
34  * <table border=1 cellpadding=5 summary="permission target name,
35  * what the target allows,and associated risks">
36  * <tr>
37  * <th>Permission Target Name</th>
38  * <th>What the Permission Allows</th>
39  * <th>Risks of Allowing this Permission</th>
40  * </tr>
41  *
42  * <tr>
43  * <td>createClassLoader</td>
44  * <td>Creation of a class loader</td>
45  * <td>This is an extremely dangerous permission to grant.
46  * Malicious applications that can instantiate their own class
47  * loaders could then load their own rogue classes into the system.
48  * These newly loaded classes could be placed into any protection
49  * domain by the class loader, thereby automatically granting the
50  * classes the permissions for that domain.</td>
51  * </tr>
52  *
53  * <tr>
54  * <td>getClassLoader</td>
55  * <td>Retrieval of a class loader (e.g., the class loader for the calling
56  * class)</td>
57  * <td>This would grant an attacker permission to get the
58  * class loader for a particular class. This is dangerous because
59  * having access to a class's class loader allows the attacker to
60  * load other classes available to that class loader. The attacker
61  * would typically otherwise not have access to those classes.</td>
62  * </tr>
63  *
64  * <tr>
65  * <td>setContextClassLoader</td>
66  * <td>Setting of the context class loader used by a thread</td>
67  * <td>The context class loader is used by system code and extensions
68  * when they need to lookup resources that might not exist in the system
69  * class loader. Granting setContextClassLoader permission would allow
70  * code to change which context class loader is used
71  * for a particular thread, including system threads.</td>
72  * </tr>
73  *
74  * <tr>
75  * <td>enableContextClassLoaderOverride</td>
76  * <td>Subclass implementation of the thread context class loader methods</td>
77  * <td>The context class loader is used by system code and extensions
78  * when they need to lookup resources that might not exist in the system
79  * class loader. Granting enableContextClassLoaderOverride permission would allow
80  * a subclass of Thread to override the methods that are used
81  * to get or set the context class loader for a particular thread.</td>
82  * </tr>
83  *
84  * <tr>
85  * <td>setSecurityManager</td>
86  * <td>Setting of the security manager (possibly replacing an existing one)
87  * </td>
88  * <td>The security manager is a class that allows
89  * applications to implement a security policy. Granting the setSecurityManager
90  * permission would allow code to change which security manager is used by
91  * installing a different, possibly less restrictive security manager,
92  * thereby bypassing checks that would have been enforced by the original
93  * security manager.</td>
94  * </tr>
95  *
96  * <tr>
97  * <td>createSecurityManager</td>
98  * <td>Creation of a new security manager</td>
99  * <td>This gives code access to protected, sensitive methods that may
100  * disclose information about other classes or the execution stack.</td>
101  * </tr>
102  *
103  * <tr>
104  * <td>getenv.{variable name}</td>
105  * <td>Reading of the value of the specified environment variable</td>
106  * <td>This would allow code to read the value, or determine the
107  * existence, of a particular environment variable. This is
108  * dangerous if the variable contains confidential data.</td>
109  * </tr>
110  *
111  * <tr>
112  * <td>exitVM</td>
113  * <td>Halting of the Java Virtual Machine</td>
114  * <td>This allows an attacker to mount a denial-of-service attack
115  * by automatically forcing the virtual machine to halt.
116  * Note: The "exitVM" permission is automatically granted to all code
117  * loaded from the application class path, thus enabling applications
118  * to terminate themselves.</td>
119  * </tr>
120  *
121  * <tr>
122  * <td>shutdownHooks</td>
123  * <td>Registration and cancellation of virtual-machine shutdown hooks</td>
124  * <td>This allows an attacker to register a malicious shutdown
125  * hook that interferes with the clean shutdown of the virtual machine.</td>
126  * </tr>
127  *
128  * <tr>
129  * <td>setFactory</td>
130  * <td>Setting of the socket factory used by ServerSocket or Socket,
131  * or of the stream handler factory used by URL</td>
132  * <td>This allows code to set the actual implementation
133  * for the socket, server socket, stream handler, or RMI socket factory.
134  * An attacker may set a faulty implementation which mangles the data
135  * stream.</td>
136  * </tr>
137  *
138  * <tr>
139  * <td>setIO</td>
140  * <td>Setting of System.out, System.in, and System.err</td>
141  * <td>This allows changing the value of the standard system streams.
142  * An attacker may change System.in to monitor and
143  * steal user input, or may set System.err to a "null" OutputStream,
144  * which would hide any error messages sent to System.err. </td>
145  * </tr>
146  *
147  * <tr>
148  * <td>modifyThread</td>
149  * <td>Modification of threads, e.g., via calls to Thread
150  * <tt>interrupt</tt>, <tt>stop</tt>, <tt>suspend</tt>,
151  * <tt>resume</tt>, <tt>setDaemon</tt>, <tt>setPriority</tt>,
152  * <tt>setName</tt> and <tt>setUncaughtExceptionHandler</tt>
153  * methods</td>
154  * <td>This allows an attacker to modify the behaviour of
155  * any thread in the system.</td>
156  * </tr>
157  *
158  * <tr>
159  * <td>stopThread</td>
160  * <td>Stopping of threads via calls to the Thread <code>stop</code>
161  * method</td>
162  * <td>This allows code to stop any thread in the system provided that it is
163  * already granted permission to access that thread.
164  * This poses as a threat, because that code may corrupt the system by
165  * killing existing threads.</td>
166  * </tr>
167  *
168  * <tr>
169  * <td>modifyThreadGroup</td>
170  * <td>modification of thread groups, e.g., via calls to ThreadGroup
171  * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
172  * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
173  * and <code>suspend</code> methods</td>
174  * <td>This allows an attacker to create thread groups and
175  * set their run priority.</td>
176  * </tr>
177  *
178  * <tr>
179  * <td>getProtectionDomain</td>
180  * <td>Retrieval of the ProtectionDomain for a class</td>
181  * <td>This allows code to obtain policy information
182  * for a particular code source. While obtaining policy information
183  * does not compromise the security of the system, it does give
184  * attackers additional information, such as local file names for
185  * example, to better aim an attack.</td>
186  * </tr>
187  *
188  * <tr>
189  * <td>readFileDescriptor</td>
190  * <td>Reading of file descriptors</td>
191  * <td>This would allow code to read the particular file associated
192  * with the file descriptor read. This is dangerous if the file
193  * contains confidential data.</td>
194  * </tr>
195  *
196  * <tr>
197  * <td>writeFileDescriptor</td>
198  * <td>Writing to file descriptors</td>
199  * <td>This allows code to write to a particular file associated
200  * with the descriptor. This is dangerous because it may allow
201  * malicious code to plant viruses or at the very least, fill up
202  * your entire disk.</td>
203  * </tr>
204  *
205  * <tr>
206  * <td>loadLibrary.{library name}</td>
207  * <td>Dynamic linking of the specified library</td>
208  * <td>It is dangerous to allow an applet permission to load native code
209  * libraries, because the Java security architecture is not designed to and
210  * does not prevent malicious behavior at the level of native code.</td>
211  * </tr>
212  *
213  * <tr>
214  * <td>accessClassInPackage.{package name}</td>
215  * <td>Access to the specified package via a class loader's
216  * <code>loadClass</code> method when that class loader calls
217  * the SecurityManager <code>checkPackageAccess</code> method</td>
218  * <td>This gives code access to classes in packages
219  * to which it normally does not have access. Malicious code
220  * may use these classes to help in its attempt to compromise
221  * security in the system.</td>
222  * </tr>
223  *
224  * <tr>
225  * <td>defineClassInPackage.{package name}</td>
226  * <td>Definition of classes in the specified package, via a class
227  * loader's <code>defineClass</code> method when that class loader calls
228  * the SecurityManager <code>checkPackageDefinition</code> method.</td>
229  * <td>This grants code permission to define a class
230  * in a particular package. This is dangerous because malicious
231  * code with this permission may define rogue classes in
232  * trusted packages like <code>java.security</code> or <code>java.lang</code>,
233  * for example.</td>
234  * </tr>
235  *
236  * <tr>
237  * <td>accessDeclaredMembers</td>
238  * <td>Access to the declared members of a class</td>
239  * <td>This grants code permission to query a class for its public,
240  * protected, default (package) access, and private fields and/or
241  * methods. Although the code would have
242  * access to the private and protected field and method names, it would not
243  * have access to the private/protected field data and would not be able
244  * to invoke any private methods. Nevertheless, malicious code
245  * may use this information to better aim an attack.
246  * Additionally, it may invoke any public methods and/or access public fields
247  * in the class. This could be dangerous if
248  * the code would normally not be able to invoke those methods and/or
249  * access the fields because
250  * it can't cast the object to the class/interface with those methods
251  * and fields.
252 </td>
253  * </tr>
254  * <tr>
255  * <td>queuePrintJob</td>
256  * <td>Initiation of a print job request</td>
257  * <td>This could print sensitive information to a printer,
258  * or simply waste paper.</td>
259  * </tr>
260  *
261  * <tr>
262  * <td>getStackTrace</td>
263  * <td>Retrieval of the stack trace information of another thread.</td>
264  * <td>This allows retrieval of the stack trace information of
265  * another thread. This might allow malicious code to monitor the
266  * execution of threads and discover vulnerabilities in applications.</td>
267  * </tr>
268  *
269  * <tr>
270  * <td>setDefaultUncaughtExceptionHandler</td>
271  * <td>Setting the default handler to be used when a thread
272  * terminates abruptly due to an uncaught exception</td>
273  * <td>This allows an attacker to register a malicious
274  * uncaught exception handler that could interfere with termination
275  * of a thread</td>
276  * </tr>
277  *
278  * <tr>
279  * <td>preferences</td>
280  * <td>Represents the permission required to get access to the
281  * java.util.prefs.Preferences implementations user or system root
282  * which in turn allows retrieval or update operations within the
283  * Preferences persistent backing store.) </td>
284  * <td>This permission allows the user to read from or write to the
285  * preferences backing store if the user running the code has
286  * sufficient OS privileges to read/write to that backing store.
287  * The actual backing store may reside within a traditional filesystem
288  * directory or within a registry depending on the platform OS</td>
289  * </tr>
290
291  * </table>
292  *
293  * @see java.security.BasicPermission
294  * @see java.security.Permission
295  * @see java.security.Permissions
296  * @see java.security.PermissionCollection
297  * @see java.lang.SecurityManager
298  *
299  * @version 1.53 04/04/20
300  *
301  * @author Marianne Mueller
302  * @author Roland Schemers
303  */
304
305 public final class RuntimePermission extends BasicPermission {
306
307     private static final long serialVersionUID = 7399184964622342223L;
308
309     /**
310      * Creates a new RuntimePermission with the specified name.
311      * The name is the symbolic name of the RuntimePermission, such as
312      * "exit", "setFactory", etc. An asterisk
313      * may appear at the end of the name, following a ".", or by itself, to
314      * signify a wildcard match.
315      *
316      * @param name the name of the RuntimePermission.
317      */
318
319     public RuntimePermission(String name)
320     {
321     super(name);
322     }
323
324     /**
325      * Creates a new RuntimePermission object with the specified name.
326      * The name is the symbolic name of the RuntimePermission, and the
327      * actions String is currently unused and should be null.
328      *
329      * @param name the name of the RuntimePermission.
330      * @param actions should be null.
331      */
332
333     public RuntimePermission(String name, String actions)
334     {
335     super(name, actions);
336     }
337 }
338

A to Z: JavaDoc & Examples

---

Daily Java News & Articles

---

Open Source Projects

---

Open Source Codes

---

Free Computer Books

---

Remove Frame

---

Popular Tags