1 /*
  2  * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  4  *
  5  * This code is free software; you can redistribute it and/or modify it
  6  * under the terms of the GNU General Public License version 2 only, as
  7  * published by the Free Software Foundation.  Oracle designates this
  8  * particular file as subject to the "Classpath" exception as provided
  9  * by Oracle in the LICENSE file that accompanied this code.
 10  *
 11  * This code is distributed in the hope that it will be useful, but WITHOUT
 12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 14  * version 2 for more details (a copy is included in the LICENSE file that
 15  * accompanied this code).
 16  *
 17  * You should have received a copy of the GNU General Public License version
 18  * 2 along with this work; if not, write to the Free Software Foundation,
 19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 20  *
 21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 22  * or visit www.oracle.com if you need additional information or have any
 23  * questions.
 24  */
 25 
 26 package java.lang;
 27 
 28 import java.security.*;
 29 import java.lang.module.ModuleFinder;
 30 
 31 /**
 32  * This class is for runtime permissions. A {@code RuntimePermission}
 33  * contains a name (also referred to as a "target name") but no actions
 34  * list; you either have the named permission or you don't.
 35  * <p>
 36  * The target name is the name of the runtime permission (see below). The
 37  * naming convention follows the  hierarchical property naming convention.
 38  * Also, an asterisk may appear at the end of the name, following a ".",
 39  * or by itself, to signify a wildcard match. For example: "loadLibrary.*"
 40  * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not.
 41  * <p>
 42  * The following table lists the standard {@code RuntimePermission}
 43  * target names, and for each provides a description of what the permission
 44  * allows and a discussion of the risks of granting code the permission.
 45  *
 46  * <table class="striped">
 47  * <caption style="display:none">permission target name,
 48  *  what the target allows, and associated risks</caption>
 49  * <thead>
 50  * <tr>
 51  * <th scope="col">Permission Target Name</th>
 52  * <th scope="col">What the Permission Allows</th>
 53  * <th scope="col">Risks of Allowing this Permission</th>
 54  * </tr>
 55  * </thead>
 56  * <tbody>
 57  *
 58  * <tr>
 59  *   <th scope="row">createClassLoader</th>
 60  *   <td>Creation of a class loader</td>
 61  *   <td>This is an extremely dangerous permission to grant.
 62  * Malicious applications that can instantiate their own class
 63  * loaders could then load their own rogue classes into the system.
 64  * These newly loaded classes could be placed into any protection
 65  * domain by the class loader, thereby automatically granting the
 66  * classes the permissions for that domain.</td>
 67  * </tr>
 68  *
 69  * <tr>
 70  *   <th scope="row">getClassLoader</th>
 71  *   <td>Retrieval of a class loader (e.g., the class loader for the calling
 72  * class)</td>
 73  *   <td>This would grant an attacker permission to get the
 74  * class loader for a particular class. This is dangerous because
 75  * having access to a class's class loader allows the attacker to
 76  * load other classes available to that class loader. The attacker
 77  * would typically otherwise not have access to those classes.</td>
 78  * </tr>
 79  *
 80  * <tr>
 81  *   <th scope="row">setContextClassLoader</th>
 82  *   <td>Setting of the context class loader used by a thread</td>
 83  *   <td>The context class loader is used by system code and extensions
 84  * when they need to lookup resources that might not exist in the system
 85  * class loader. Granting setContextClassLoader permission would allow
 86  * code to change which context class loader is used
 87  * for a particular thread, including system threads.</td>
 88  * </tr>
 89  *
 90  * <tr>
 91  *   <th scope="row">enableContextClassLoaderOverride</th>
 92  *   <td>Subclass implementation of the thread context class loader methods</td>
 93  *   <td>The context class loader is used by system code and extensions
 94  * when they need to lookup resources that might not exist in the system
 95  * class loader. Granting enableContextClassLoaderOverride permission would allow
 96  * a subclass of Thread to override the methods that are used
 97  * to get or set the context class loader for a particular thread.</td>
 98  * </tr>
 99  *
100  * <tr>
101  *   <th scope="row">closeClassLoader</th>
102  *   <td>Closing of a ClassLoader</td>
103  *   <td>Granting this permission allows code to close any URLClassLoader
104  * that it has a reference to.</td>
105  * </tr>
106  *
107  * <tr>
108  *   <th scope="row">setSecurityManager</th>
109  *   <td>Setting of the security manager (possibly replacing an existing one)
110  * </td>
111  *   <td>The security manager is a class that allows
112  * applications to implement a security policy. Granting the setSecurityManager
113  * permission would allow code to change which security manager is used by
114  * installing a different, possibly less restrictive security manager,
115  * thereby bypassing checks that would have been enforced by the original
116  * security manager.</td>
117  * </tr>
118  *
119  * <tr>
120  *   <th scope="row">createSecurityManager</th>
121  *   <td>Creation of a new security manager</td>
122  *   <td>This gives code access to protected, sensitive methods that may
123  * disclose information about other classes or the execution stack.</td>
124  * </tr>
125  *
126  * <tr>
127  *   <th scope="row">getenv.{variable name}</th>
128  *   <td>Reading of the value of the specified environment variable</td>
129  *   <td>This would allow code to read the value, or determine the
130  *       existence, of a particular environment variable.  This is
131  *       dangerous if the variable contains confidential data.</td>
132  * </tr>
133  *
134  * <tr>
135  *   <th scope="row">exitVM.{exit status}</th>
136  *   <td>Halting of the Java Virtual Machine with the specified exit status</td>
137  *   <td>This allows an attacker to mount a denial-of-service attack
138  * by automatically forcing the virtual machine to halt.
139  * Note: The "exitVM.*" permission is automatically granted to all code
140  * loaded from the application class path, thus enabling applications
141  * to terminate themselves. Also, the "exitVM" permission is equivalent to
142  * "exitVM.*".</td>
143  * </tr>
144  *
145  * <tr>
146  *   <th scope="row">shutdownHooks</th>
147  *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>
148  *   <td>This allows an attacker to register a malicious shutdown
149  * hook that interferes with the clean shutdown of the virtual machine.</td>
150  * </tr>
151  *
152  * <tr>
153  *   <th scope="row">setFactory</th>
154  *   <td>Setting of the socket factory used by ServerSocket or Socket,
155  * or of the stream handler factory used by URL</td>
156  *   <td>This allows code to set the actual implementation
157  * for the socket, server socket, stream handler, or RMI socket factory.
158  * An attacker may set a faulty implementation which mangles the data
159  * stream.</td>
160  * </tr>
161  *
162  * <tr>
163  *   <th scope="row">setIO</th>
164  *   <td>Setting of System.out, System.in, and System.err</td>
165  *   <td>This allows changing the value of the standard system streams.
166  * An attacker may change System.in to monitor and
167  * steal user input, or may set System.err to a "null" OutputStream,
168  * which would hide any error messages sent to System.err. </td>
169  * </tr>
170  *
171  * <tr>
172  *   <th scope="row">modifyThread</th>
173  *   <td>Modification of threads, e.g., via calls to Thread
174  * {@code interrupt, stop, suspend, resume, setDaemon, setPriority,
175  * setName} and {@code setUncaughtExceptionHandler}
176  * methods</td>
177  * <td>This allows an attacker to modify the behaviour of
178  * any thread in the system.</td>
179  * </tr>
180  *
181  * <tr>
182  *   <th scope="row">stopThread</th>
183  *   <td>Stopping of threads via calls to the Thread {@code stop}
184  * method</td>
185  *   <td>This allows code to stop any thread in the system provided that it is
186  * already granted permission to access that thread.
187  * This poses as a threat, because that code may corrupt the system by
188  * killing existing threads.</td>
189  * </tr>
190  *
191  * <tr>
192  *   <th scope="row">modifyThreadGroup</th>
193  *   <td>modification of thread groups, e.g., via calls to ThreadGroup
194  * {@code destroy}, {@code getParent}, {@code resume},
195  * {@code setDaemon}, {@code setMaxPriority}, {@code stop},
196  * and {@code suspend} methods</td>
197  *   <td>This allows an attacker to create thread groups and
198  * set their run priority.</td>
199  * </tr>
200  *
201  * <tr>
202  *   <th scope="row">getProtectionDomain</th>
203  *   <td>Retrieval of the ProtectionDomain for a class</td>
204  *   <td>This allows code to obtain policy information
205  * for a particular code source. While obtaining policy information
206  * does not compromise the security of the system, it does give
207  * attackers additional information, such as local file names for
208  * example, to better aim an attack.</td>
209  * </tr>
210  *
211  * <tr>
212  *   <th scope="row">getFileSystemAttributes</th>
213  *   <td>Retrieval of file system attributes</td>
214  *   <td>This allows code to obtain file system information such as disk usage
215  *       or disk space available to the caller.  This is potentially dangerous
216  *       because it discloses information about the system hardware
217  *       configuration and some information about the caller's privilege to
218  *       write files.</td>
219  * </tr>
220  *
221  * <tr>
222  *   <th scope="row">readFileDescriptor</th>
223  *   <td>Reading of file descriptors</td>
224  *   <td>This would allow code to read the particular file associated
225  *       with the file descriptor read. This is dangerous if the file
226  *       contains confidential data.</td>
227  * </tr>
228  *
229  * <tr>
230  *   <th scope="row">writeFileDescriptor</th>
231  *   <td>Writing to file descriptors</td>
232  *   <td>This allows code to write to a particular file associated
233  *       with the descriptor. This is dangerous because it may allow
234  *       malicious code to plant viruses or at the very least, fill up
235  *       your entire disk.</td>
236  * </tr>
237  *
238  * <tr>
239  *   <th scope="row">loadLibrary.{library name}</th>
240  *   <td>Dynamic linking of the specified library</td>
241  *   <td>It is dangerous to allow an applet permission to load native code
242  * libraries, because the Java security architecture is not designed to and
243  * does not prevent malicious behavior at the level of native code.</td>
244  * </tr>
245  *
246  * <tr>
247  *   <th scope="row">accessClassInPackage.{package name}</th>
248  *   <td>Access to the specified package via a class loader's
249  * {@code loadClass} method when that class loader calls
250  * the SecurityManager {@code checkPackageAccess} method</td>
251  *   <td>This gives code access to classes in packages
252  * to which it normally does not have access. Malicious code
253  * may use these classes to help in its attempt to compromise
254  * security in the system.</td>
255  * </tr>
256  *
257  * <tr>
258  *   <th scope="row">defineClassInPackage.{package name}</th>
259  *   <td>Definition of classes in the specified package, via a class
260  * loader's {@code defineClass} method when that class loader calls
261  * the SecurityManager {@code checkPackageDefinition} method.</td>
262  *   <td>This grants code permission to define a class
263  * in a particular package. This is dangerous because malicious
264  * code with this permission may define rogue classes in
265  * trusted packages like {@code java.security} or {@code java.lang},
266  * for example.</td>
267  * </tr>
268  *
269  * <tr>
270  *   <th scope="row">defineClass</th>
271  *   <td>Define a class with
272  * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[])
273  * Lookup.defineClass}.</td>
274  *   <td>This grants code with a suitably privileged {@code Lookup} object
275  * permission to define classes in the same package as the {@code Lookup}'s
276  * lookup class. </td>
277  * </tr>
278  *
279  * <tr>
280  *   <th scope="row">accessDeclaredMembers</th>
281  *   <td>Access to the declared members of a class</td>
282  *   <td>This grants code permission to query a class for its public,
283  * protected, default (package) access, and private fields and/or
284  * methods. Although the code would have
285  * access to the private and protected field and method names, it would not
286  * have access to the private/protected field data and would not be able
287  * to invoke any private methods. Nevertheless, malicious code
288  * may use this information to better aim an attack.
289  * Additionally, it may invoke any public methods and/or access public fields
290  * in the class.  This could be dangerous if
291  * the code would normally not be able to invoke those methods and/or
292  * access the fields  because
293  * it can't cast the object to the class/interface with those methods
294  * and fields.</td>
295  * </tr>
296  * <tr>
297  *   <th scope="row">queuePrintJob</th>
298  *   <td>Initiation of a print job request</td>
299  *   <td>This could print sensitive information to a printer,
300  * or simply waste paper.</td>
301  * </tr>
302  *
303  * <tr>
304  *   <th scope="row">getStackTrace</th>
305  *   <td>Retrieval of the stack trace information of another thread.</td>
306  *   <td>This allows retrieval of the stack trace information of
307  * another thread.  This might allow malicious code to monitor the
308  * execution of threads and discover vulnerabilities in applications.</td>
309  * </tr>
310  *
311  * <tr>
312  *   <th scope="row">getStackWalkerWithClassReference</th>
313  *   <td>Get a stack walker that can retrieve stack frames with class reference.</td>
314  *   <td>This allows retrieval of Class objects from stack walking.
315  *   This might allow malicious code to access Class objects on the stack
316  *   outside its own context.</td>
317  * </tr>
318  *
319  * <tr>
320  *   <th scope="row">setDefaultUncaughtExceptionHandler</th>
321  *   <td>Setting the default handler to be used when a thread
322  *   terminates abruptly due to an uncaught exception</td>
323  *   <td>This allows an attacker to register a malicious
324  *   uncaught exception handler that could interfere with termination
325  *   of a thread</td>
326  * </tr>
327  *
328  * <tr>
329  *   <th scope="row">preferences</th>
330  *   <td>Represents the permission required to get access to the
331  *   java.util.prefs.Preferences implementations user or system root
332  *   which in turn allows retrieval or update operations within the
333  *   Preferences persistent backing store.) </td>
334  *   <td>This permission allows the user to read from or write to the
335  *   preferences backing store if the user running the code has
336  *   sufficient OS privileges to read/write to that backing store.
337  *   The actual backing store may reside within a traditional filesystem
338  *   directory or within a registry depending on the platform OS</td>
339  * </tr>
340  *
341  * <tr>
342  *   <th scope="row">manageProcess</th>
343  *   <td>Native process termination and information about processes
344  *       {@link ProcessHandle}.</td>
345  *   <td>Allows code to identify and terminate processes that it did not create.</td>
346  * </tr>
347  *
348  * <tr>
349  *   <th scope="row">localeServiceProvider</th>
350  *   <td>This {@code RuntimePermission} is required to be granted to
351  *   classes which subclass and implement
352  *   {@code java.util.spi.LocaleServiceProvider}. The permission is
353  *   checked during invocation of the abstract base class constructor.
354  *   This permission ensures trust in classes which implement this
355  *   security-sensitive provider mechanism. </td>
356  *   <td>See <a href= "../util/spi/LocaleServiceProvider.html">
357  *   {@code java.util.spi.LocaleServiceProvider}</a> for more
358  *   information.</td>
359  * </tr>
360  *
361  * <tr>
362  *   <th scope="row">loggerFinder</th>
363  *   <td>This {@code RuntimePermission} is required to be granted to
364  *   classes which subclass or call methods on
365  *   {@code java.lang.System.LoggerFinder}. The permission is
366  *   checked during invocation of the abstract base class constructor, as
367  *   well as on the invocation of its public methods.
368  *   This permission ensures trust in classes which provide loggers
369  *   to system classes.</td>
370  *   <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder}
371  *   for more information.</td>
372  * </tr>
373  *
374  * <tr>
375  *   <th scope="row">accessSystemModules</th>
376  *   <td>Access system modules in the runtime image.</td>
377  *   <td>This grants the permission to access resources in the
378  *   {@linkplain ModuleFinder#ofSystem system modules} in the runtime image.</td>
379  * </tr>
380  *
381  * <tr>
382  *   <th scope="row">inetAddressResolverProvider</th>
383  *   <td>This {@code RuntimePermission} is required to be granted to
384  *   classes which subclass and implement {@code java.net.spi.InetAddressResolverProvider}.
385  *   The permission is checked during invocation of the abstract base class constructor.
386  *   This permission ensures trust in classes which provide resolvers used by
387  *   {@link java.net.InetAddress} hostname and address resolution methods.</td>
388  *   <td>See {@link java.net.spi.InetAddressResolverProvider} for more information.</td>
389  * </tr>
390  *
391  * </tbody>
392  * </table>
393  *
394  * @implNote
395  * Implementations may define additional target names, but should use naming
396  * conventions such as reverse domain name notation to avoid name clashes.
397  *
398  * @see java.security.BasicPermission
399  * @see java.security.Permission
400  * @see java.security.Permissions
401  * @see java.security.PermissionCollection
402  * @see java.lang.SecurityManager
403  *
404  *
405  * @author Marianne Mueller
406  * @author Roland Schemers
407  * @since 1.2
408  */
409 
410 public final class RuntimePermission extends BasicPermission {
411 
412     @java.io.Serial
413     private static final long serialVersionUID = 7399184964622342223L;
414 
415     /**
416      * Creates a new RuntimePermission with the specified name.
417      * The name is the symbolic name of the RuntimePermission, such as
418      * "exit", "setFactory", etc. An asterisk
419      * may appear at the end of the name, following a ".", or by itself, to
420      * signify a wildcard match.
421      *
422      * @param name the name of the RuntimePermission.
423      *
424      * @throws NullPointerException if {@code name} is {@code null}.
425      * @throws IllegalArgumentException if {@code name} is empty.
426      */
427 
428     public RuntimePermission(String name)
429     {
430         super(name);
431     }
432 
433     /**
434      * Creates a new RuntimePermission object with the specified name.
435      * The name is the symbolic name of the RuntimePermission, and the
436      * actions String is currently unused and should be null.
437      *
438      * @param name the name of the RuntimePermission.
439      * @param actions should be null.
440      *
441      * @throws NullPointerException if {@code name} is {@code null}.
442      * @throws IllegalArgumentException if {@code name} is empty.
443      */
444 
445     public RuntimePermission(String name, String actions)
446     {
447         super(name, actions);
448     }
449 }