Summary

The required permission for DCmd VM.start_java_debugging will be changed from monitor to control.

Problem

The DCmd VM.start_java_debugging provides the ability to enable to connect to the VM with a debbugger. As the task of debugging provides the debugger with more than only monitoring capablilities, e.g. fields and data in the VM can be modified, a permission of type "control" seems more suitable. The onjcmd option was introduced with JDK-8214892 and it had been backported to OpenJDK update release 11.0.3. So this permission rectification shall be backported to OpenJDK 11 updates as well to match upstream.

Solution

The permission needs to be changed in the coding for diagnostic commands in hotspot.

Specification

The (simple) patch looks like this:

diff --git a/src/hotspot/share/services/diagnosticCommand.hpp b/src/hotspot/share/services/diagnosticCommand.hpp
--- a/src/hotspot/share/services/diagnosticCommand.hpp
+++ b/src/hotspot/share/services/diagnosticCommand.hpp
@@ -880,7 +880,7 @@
return "High: Switches the VM into Java debug mode.";
}
static const JavaPermission permission() {
- JavaPermission p = { "java.lang.management.ManagementPermission", "monitor", NULL };
+ JavaPermission p = { "java.lang.management.ManagementPermission", "control", NULL };
return p;
}
static int num_arguments() { return 0; }