1 /*
2 * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang;
27
28 import java.security.*;
29 import java.lang.module.ModuleFinder;
30
31 /**
32 * This class is for runtime permissions. A {@code RuntimePermission}
33 * contains a name (also referred to as a "target name") but no actions
34 * list; you either have the named permission or you don't.
35 * <p>
36 * The target name is the name of the runtime permission (see below). The
37 * naming convention follows the hierarchical property naming convention.
38 * Also, an asterisk may appear at the end of the name, following a ".",
39 * or by itself, to signify a wildcard match. For example: "loadLibrary.*"
40 * and "*" signify a wildcard match, while "*loadLibrary" and "a*b" do not.
41 * <p>
42 * The following table lists the standard {@code RuntimePermission}
43 * target names, and for each provides a description of what the permission
44 * allows and a discussion of the risks of granting code the permission.
45 *
46 * <table class="striped">
47 * <caption style="display:none">permission target name,
48 * what the target allows, and associated risks</caption>
49 * <thead>
50 * <tr>
51 * <th scope="col">Permission Target Name</th>
52 * <th scope="col">What the Permission Allows</th>
53 * <th scope="col">Risks of Allowing this Permission</th>
54 * </tr>
55 * </thead>
56 * <tbody>
57 *
58 * <tr>
59 * <th scope="row">createClassLoader</th>
60 * <td>Creation of a class loader</td>
61 * <td>This is an extremely dangerous permission to grant.
62 * Malicious applications that can instantiate their own class
63 * loaders could then load their own rogue classes into the system.
64 * These newly loaded classes could be placed into any protection
65 * domain by the class loader, thereby automatically granting the
66 * classes the permissions for that domain.</td>
67 * </tr>
68 *
69 * <tr>
70 * <th scope="row">getClassLoader</th>
71 * <td>Retrieval of a class loader (e.g., the class loader for the calling
72 * class)</td>
73 * <td>This would grant an attacker permission to get the
74 * class loader for a particular class. This is dangerous because
75 * having access to a class's class loader allows the attacker to
76 * load other classes available to that class loader. The attacker
77 * would typically otherwise not have access to those classes.</td>
78 * </tr>
79 *
80 * <tr>
81 * <th scope="row">setContextClassLoader</th>
82 * <td>Setting of the context class loader used by a thread</td>
83 * <td>The context class loader is used by system code and extensions
84 * when they need to lookup resources that might not exist in the system
85 * class loader. Granting setContextClassLoader permission would allow
86 * code to change which context class loader is used
87 * for a particular thread, including system threads.</td>
88 * </tr>
89 *
90 * <tr>
91 * <th scope="row">enableContextClassLoaderOverride</th>
92 * <td>Subclass implementation of the thread context class loader methods</td>
93 * <td>The context class loader is used by system code and extensions
94 * when they need to lookup resources that might not exist in the system
95 * class loader. Granting enableContextClassLoaderOverride permission would allow
96 * a subclass of Thread to override the methods that are used
97 * to get or set the context class loader for a particular thread.</td>
98 * </tr>
99 *
100 * <tr>
101 * <th scope="row">closeClassLoader</th>
102 * <td>Closing of a ClassLoader</td>
103 * <td>Granting this permission allows code to close any URLClassLoader
104 * that it has a reference to.</td>
105 * </tr>
106 *
107 * <tr>
108 * <th scope="row">setSecurityManager</th>
109 * <td>Setting of the security manager (possibly replacing an existing one)
110 * </td>
111 * <td>The security manager is a class that allows
112 * applications to implement a security policy. Granting the setSecurityManager
113 * permission would allow code to change which security manager is used by
114 * installing a different, possibly less restrictive security manager,
115 * thereby bypassing checks that would have been enforced by the original
116 * security manager.</td>
117 * </tr>
118 *
119 * <tr>
120 * <th scope="row">createSecurityManager</th>
121 * <td>Creation of a new security manager</td>
122 * <td>This gives code access to protected, sensitive methods that may
123 * disclose information about other classes or the execution stack.</td>
124 * </tr>
125 *
126 * <tr>
127 * <th scope="row">getenv.{variable name}</th>
128 * <td>Reading of the value of the specified environment variable</td>
129 * <td>This would allow code to read the value, or determine the
130 * existence, of a particular environment variable. This is
131 * dangerous if the variable contains confidential data.</td>
132 * </tr>
133 *
134 * <tr>
135 * <th scope="row">exitVM.{exit status}</th>
136 * <td>Halting of the Java Virtual Machine with the specified exit status</td>
137 * <td>This allows an attacker to mount a denial-of-service attack
138 * by automatically forcing the virtual machine to halt.
139 * Note: The "exitVM.*" permission is automatically granted to all code
140 * loaded from the application class path, thus enabling applications
141 * to terminate themselves. Also, the "exitVM" permission is equivalent to
142 * "exitVM.*".</td>
143 * </tr>
144 *
145 * <tr>
146 * <th scope="row">shutdownHooks</th>
147 * <td>Registration and cancellation of virtual-machine shutdown hooks</td>
148 * <td>This allows an attacker to register a malicious shutdown
149 * hook that interferes with the clean shutdown of the virtual machine.</td>
150 * </tr>
151 *
152 * <tr>
153 * <th scope="row">setFactory</th>
154 * <td>Setting of the socket factory used by ServerSocket or Socket,
155 * or of the stream handler factory used by URL</td>
156 * <td>This allows code to set the actual implementation
157 * for the socket, server socket, stream handler, or RMI socket factory.
158 * An attacker may set a faulty implementation which mangles the data
159 * stream.</td>
160 * </tr>
161 *
162 * <tr>
163 * <th scope="row">setIO</th>
164 * <td>Setting of System.out, System.in, and System.err</td>
165 * <td>This allows changing the value of the standard system streams.
166 * An attacker may change System.in to monitor and
167 * steal user input, or may set System.err to a "null" OutputStream,
168 * which would hide any error messages sent to System.err. </td>
169 * </tr>
170 *
171 * <tr>
172 * <th scope="row">modifyThread</th>
173 * <td>Modification of threads, e.g., via calls to Thread
174 * {@code interrupt, stop, suspend, resume, setDaemon, setPriority,
175 * setName} and {@code setUncaughtExceptionHandler}
176 * methods</td>
177 * <td>This allows an attacker to modify the behaviour of
178 * any thread in the system.</td>
179 * </tr>
180 *
181 * <tr>
182 * <th scope="row">stopThread</th>
183 * <td>Stopping of threads via calls to the Thread {@code stop}
184 * method</td>
185 * <td>This allows code to stop any thread in the system provided that it is
186 * already granted permission to access that thread.
187 * This poses as a threat, because that code may corrupt the system by
188 * killing existing threads.</td>
189 * </tr>
190 *
191 * <tr>
192 * <th scope="row">modifyThreadGroup</th>
193 * <td>modification of thread groups, e.g., via calls to ThreadGroup
194 * {@code destroy}, {@code getParent}, {@code resume},
195 * {@code setDaemon}, {@code setMaxPriority}, {@code stop},
196 * and {@code suspend} methods</td>
197 * <td>This allows an attacker to create thread groups and
198 * set their run priority.</td>
199 * </tr>
200 *
201 * <tr>
202 * <th scope="row">getProtectionDomain</th>
203 * <td>Retrieval of the ProtectionDomain for a class</td>
204 * <td>This allows code to obtain policy information
205 * for a particular code source. While obtaining policy information
206 * does not compromise the security of the system, it does give
207 * attackers additional information, such as local file names for
208 * example, to better aim an attack.</td>
209 * </tr>
210 *
211 * <tr>
212 * <th scope="row">getFileSystemAttributes</th>
213 * <td>Retrieval of file system attributes</td>
214 * <td>This allows code to obtain file system information such as disk usage
215 * or disk space available to the caller. This is potentially dangerous
216 * because it discloses information about the system hardware
217 * configuration and some information about the caller's privilege to
218 * write files.</td>
219 * </tr>
220 *
221 * <tr>
222 * <th scope="row">readFileDescriptor</th>
223 * <td>Reading of file descriptors</td>
224 * <td>This would allow code to read the particular file associated
225 * with the file descriptor read. This is dangerous if the file
226 * contains confidential data.</td>
227 * </tr>
228 *
229 * <tr>
230 * <th scope="row">writeFileDescriptor</th>
231 * <td>Writing to file descriptors</td>
232 * <td>This allows code to write to a particular file associated
233 * with the descriptor. This is dangerous because it may allow
234 * malicious code to plant viruses or at the very least, fill up
235 * your entire disk.</td>
236 * </tr>
237 *
238 * <tr>
239 * <th scope="row">loadLibrary.{library name}</th>
240 * <td>Dynamic linking of the specified library</td>
241 * <td>It is dangerous to allow an applet permission to load native code
242 * libraries, because the Java security architecture is not designed to and
243 * does not prevent malicious behavior at the level of native code.</td>
244 * </tr>
245 *
246 * <tr>
247 * <th scope="row">accessClassInPackage.{package name}</th>
248 * <td>Access to the specified package via a class loader's
249 * {@code loadClass} method when that class loader calls
250 * the SecurityManager {@code checkPackageAccess} method</td>
251 * <td>This gives code access to classes in packages
252 * to which it normally does not have access. Malicious code
253 * may use these classes to help in its attempt to compromise
254 * security in the system.</td>
255 * </tr>
256 *
257 * <tr>
258 * <th scope="row">defineClassInPackage.{package name}</th>
259 * <td>Definition of classes in the specified package, via a class
260 * loader's {@code defineClass} method when that class loader calls
261 * the SecurityManager {@code checkPackageDefinition} method.</td>
262 * <td>This grants code permission to define a class
263 * in a particular package. This is dangerous because malicious
264 * code with this permission may define rogue classes in
265 * trusted packages like {@code java.security} or {@code java.lang},
266 * for example.</td>
267 * </tr>
268 *
269 * <tr>
270 * <th scope="row">defineClass</th>
271 * <td>Define a class with
272 * {@link java.lang.invoke.MethodHandles.Lookup#defineClass(byte[])
273 * Lookup.defineClass}.</td>
274 * <td>This grants code with a suitably privileged {@code Lookup} object
275 * permission to define classes in the same package as the {@code Lookup}'s
276 * lookup class. </td>
277 * </tr>
278 *
279 * <tr>
280 * <th scope="row">accessDeclaredMembers</th>
281 * <td>Access to the declared members of a class</td>
282 * <td>This grants code permission to query a class for its public,
283 * protected, default (package) access, and private fields and/or
284 * methods. Although the code would have
285 * access to the private and protected field and method names, it would not
286 * have access to the private/protected field data and would not be able
287 * to invoke any private methods. Nevertheless, malicious code
288 * may use this information to better aim an attack.
289 * Additionally, it may invoke any public methods and/or access public fields
290 * in the class. This could be dangerous if
291 * the code would normally not be able to invoke those methods and/or
292 * access the fields because
293 * it can't cast the object to the class/interface with those methods
294 * and fields.</td>
295 * </tr>
296 * <tr>
297 * <th scope="row">queuePrintJob</th>
298 * <td>Initiation of a print job request</td>
299 * <td>This could print sensitive information to a printer,
300 * or simply waste paper.</td>
301 * </tr>
302 *
303 * <tr>
304 * <th scope="row">getStackTrace</th>
305 * <td>Retrieval of the stack trace information of another thread.</td>
306 * <td>This allows retrieval of the stack trace information of
307 * another thread. This might allow malicious code to monitor the
308 * execution of threads and discover vulnerabilities in applications.</td>
309 * </tr>
310 *
311 * <tr>
312 * <th scope="row">getStackWalkerWithClassReference</th>
313 * <td>Get a stack walker that can retrieve stack frames with class reference.</td>
314 * <td>This allows retrieval of Class objects from stack walking.
315 * This might allow malicious code to access Class objects on the stack
316 * outside its own context.</td>
317 * </tr>
318 *
319 * <tr>
320 * <th scope="row">setDefaultUncaughtExceptionHandler</th>
321 * <td>Setting the default handler to be used when a thread
322 * terminates abruptly due to an uncaught exception</td>
323 * <td>This allows an attacker to register a malicious
324 * uncaught exception handler that could interfere with termination
325 * of a thread</td>
326 * </tr>
327 *
328 * <tr>
329 * <th scope="row">preferences</th>
330 * <td>Represents the permission required to get access to the
331 * java.util.prefs.Preferences implementations user or system root
332 * which in turn allows retrieval or update operations within the
333 * Preferences persistent backing store.) </td>
334 * <td>This permission allows the user to read from or write to the
335 * preferences backing store if the user running the code has
336 * sufficient OS privileges to read/write to that backing store.
337 * The actual backing store may reside within a traditional filesystem
338 * directory or within a registry depending on the platform OS</td>
339 * </tr>
340 *
341 * <tr>
342 * <th scope="row">manageProcess</th>
343 * <td>Native process termination and information about processes
344 * {@link ProcessHandle}.</td>
345 * <td>Allows code to identify and terminate processes that it did not create.</td>
346 * </tr>
347 *
348 * <tr>
349 * <th scope="row">localeServiceProvider</th>
350 * <td>This {@code RuntimePermission} is required to be granted to
351 * classes which subclass and implement
352 * {@code java.util.spi.LocaleServiceProvider}. The permission is
353 * checked during invocation of the abstract base class constructor.
354 * This permission ensures trust in classes which implement this
355 * security-sensitive provider mechanism. </td>
356 * <td>See <a href= "../util/spi/LocaleServiceProvider.html">
357 * {@code java.util.spi.LocaleServiceProvider}</a> for more
358 * information.</td>
359 * </tr>
360 *
361 * <tr>
362 * <th scope="row">loggerFinder</th>
363 * <td>This {@code RuntimePermission} is required to be granted to
364 * classes which subclass or call methods on
365 * {@code java.lang.System.LoggerFinder}. The permission is
366 * checked during invocation of the abstract base class constructor, as
367 * well as on the invocation of its public methods.
368 * This permission ensures trust in classes which provide loggers
369 * to system classes.</td>
370 * <td>See {@link java.lang.System.LoggerFinder java.lang.System.LoggerFinder}
371 * for more information.</td>
372 * </tr>
373 *
374 * <tr>
375 * <th scope="row">accessSystemModules</th>
376 * <td>Access system modules in the runtime image.</td>
377 * <td>This grants the permission to access resources in the
378 * {@linkplain ModuleFinder#ofSystem system modules} in the runtime image.</td>
379 * </tr>
380 *
381 * </tbody>
382 * </table>
383 *
384 * @implNote
385 * Implementations may define additional target names, but should use naming
386 * conventions such as reverse domain name notation to avoid name clashes.
387 *
388 * @see java.security.BasicPermission
389 * @see java.security.Permission
390 * @see java.security.Permissions
391 * @see java.security.PermissionCollection
392 * @see java.lang.SecurityManager
393 *
394 *
395 * @author Marianne Mueller
396 * @author Roland Schemers
397 * @since 1.2
398 */
399
400 public final class RuntimePermission extends BasicPermission {
401
402 @java.io.Serial
403 private static final long serialVersionUID = 7399184964622342223L;
404
405 /**
406 * Creates a new RuntimePermission with the specified name.
407 * The name is the symbolic name of the RuntimePermission, such as
408 * "exit", "setFactory", etc. An asterisk
409 * may appear at the end of the name, following a ".", or by itself, to
410 * signify a wildcard match.
411 *
412 * @param name the name of the RuntimePermission.
413 *
414 * @throws NullPointerException if {@code name} is {@code null}.
415 * @throws IllegalArgumentException if {@code name} is empty.
416 */
417
418 public RuntimePermission(String name)
419 {
420 super(name);
421 }
422
423 /**
424 * Creates a new RuntimePermission object with the specified name.
425 * The name is the symbolic name of the RuntimePermission, and the
426 * actions String is currently unused and should be null.
427 *
428 * @param name the name of the RuntimePermission.
429 * @param actions should be null.
430 *
431 * @throws NullPointerException if {@code name} is {@code null}.
432 * @throws IllegalArgumentException if {@code name} is empty.
433 */
434
435 public RuntimePermission(String name, String actions)
436 {
437 super(name, actions);
438 }
439 }
--- EOF ---