author | weijun |
Tue, 12 Jul 2016 09:41:49 +0800 | |
changeset 39633 | 9dc7586be5f0 |
parent 39041 | 347b1b47ce21 |
child 39827 | 21a9b8df49f5 |
permissions | -rw-r--r-- |
24364
da8afb112f5d
8040059: Change default policy for extensions to no permission
mchung
parents:
22339
|
1 |
// permissions required by each component |
36511 | 2 |
|
3 |
grant codeBase "jrt:/java.activation" { |
|
28967
7a1ceff4aea2
8068682: Deprivilege/move java.corba to the ext class loader
msheppar
parents:
28849
|
4 |
permission java.security.AllPermission; |
7a1ceff4aea2
8068682: Deprivilege/move java.corba to the ext class loader
msheppar
parents:
28849
|
5 |
}; |
7a1ceff4aea2
8068682: Deprivilege/move java.corba to the ext class loader
msheppar
parents:
28849
|
6 |
|
36511 | 7 |
grant codeBase "jrt:/java.corba" { |
32144
fa1b56b9ad5c
8133347: Add makefiles support and basic session, persistence history navigation with jline
sundar
parents:
31268
|
8 |
permission java.security.AllPermission; |
fa1b56b9ad5c
8133347: Add makefiles support and basic session, persistence history navigation with jline
sundar
parents:
31268
|
9 |
}; |
fa1b56b9ad5c
8133347: Add makefiles support and basic session, persistence history navigation with jline
sundar
parents:
31268
|
10 |
|
37795 | 11 |
grant codeBase "jrt:/java.compiler" { |
12 |
permission java.security.AllPermission; |
|
13 |
}; |
|
14 |
||
37797 | 15 |
grant codeBase "jrt:/jdk.charsets" { |
16 |
permission java.io.FilePermission "${java.home}/-", "read"; |
|
17 |
permission java.util.PropertyPermission "os.name", "read"; |
|
18 |
permission java.util.PropertyPermission "sun.nio.cs.map", "read"; |
|
19 |
permission java.lang.RuntimePermission "charsetProvider"; |
|
20 |
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; |
|
21 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.cs"; |
|
22 |
}; |
|
23 |
||
27565 | 24 |
grant codeBase "jrt:/jdk.crypto.ucrypto" { |
27182 | 25 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; |
26 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; |
|
27 |
permission java.lang.RuntimePermission "loadLibrary.j2ucrypto"; |
|
28 |
// needs to read "com.oracle.security.ucrypto.debug" for debugging; the PropertyPermission below is a wildcard ("*") read, broader than this one name |
|
29 |
permission java.util.PropertyPermission "*", "read"; |
|
30 |
permission java.security.SecurityPermission "putProviderProperty.OracleUcrypto"; |
|
31 |
permission java.security.SecurityPermission "clearProviderProperties.OracleUcrypto"; |
|
32 |
permission java.security.SecurityPermission "removeProviderProperty.OracleUcrypto"; |
|
39633
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
39041
|
33 |
// Needed for reading the Ucrypto config file; note the grant below is read access to all files, not only that file |
9dc7586be5f0
8130302: jarsigner and keytool -providerClass needs be re-examined for modules
weijun
parents:
39041
|
34 |
permission java.io.FilePermission "<<ALL FILES>>", "read"; |
27182 | 35 |
}; |
36 |
||
38752
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
37 |
grant codeBase "jrt:/java.sql" { |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
38 |
permission java.security.AllPermission; |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
39 |
}; |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
40 |
|
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
41 |
grant codeBase "jrt:/java.sql.rowset" { |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
42 |
permission java.security.AllPermission; |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
43 |
}; |
6f676cd6021e
8154189: Deprivilege java.sql and java.sql.rowset module
lancea
parents:
38377
|
44 |
|
27565 | 45 |
grant codeBase "jrt:/jdk.crypto.ec" { |
25408
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
46 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
47 |
permission java.lang.RuntimePermission "loadLibrary.sunec"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
48 |
permission java.util.PropertyPermission "*", "read"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
49 |
permission java.security.SecurityPermission "putProviderProperty.SunEC"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
50 |
permission java.security.SecurityPermission "clearProviderProperties.SunEC"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
51 |
permission java.security.SecurityPermission "removeProviderProperty.SunEC"; |
24364
da8afb112f5d
8040059: Change default policy for extensions to no permission
mchung
parents:
22339
|
52 |
}; |
da8afb112f5d
8040059: Change default policy for extensions to no permission
mchung
parents:
22339
|
53 |
|
27565 | 54 |
grant codeBase "jrt:/jdk.crypto.pkcs11" { |
25408
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
55 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; |
31268
63fcde3b5c3b
8087157: PKCS11 provider not instantiated with security manager
valeriep
parents:
28967
|
56 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; |
25408
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
57 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
58 |
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
59 |
// needs "security.pkcs11.allowSingleThreadedModules"; the PropertyPermission below is a wildcard ("*") read, broader than this one name |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
60 |
permission java.util.PropertyPermission "*", "read"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
61 |
permission java.security.SecurityPermission "putProviderProperty.*"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
62 |
permission java.security.SecurityPermission "clearProviderProperties.*"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
63 |
permission java.security.SecurityPermission "removeProviderProperty.*"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
64 |
permission java.security.SecurityPermission "getProperty.auth.login.defaultCallbackHandler"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
65 |
permission java.security.SecurityPermission "authProvider.*"; |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
66 |
// Needed for reading the PKCS11 config file and for the NSS library check; note the grant below is read access to all files |
27563093d2d2
8043406: Change default policy for JCE providers to run with as few privileges as possible
valeriep
parents:
24364
|
67 |
permission java.io.FilePermission "<<ALL FILES>>", "read"; |
2 | 68 |
}; |
69 |
||
36511 | 70 |
grant codeBase "jrt:/jdk.dynalink" { |
71 |
permission java.security.AllPermission; |
|
72 |
}; |
|
73 |
||
74 |
grant codeBase "jrt:/jdk.internal.le" { |
|
75 |
permission java.security.AllPermission; |
|
76 |
}; |
|
77 |
||
78 |
grant codeBase "jrt:/jdk.jsobject" { |
|
79 |
permission java.security.AllPermission; |
|
80 |
}; |
|
81 |
||
82 |
grant codeBase "jrt:/jdk.localedata" { |
|
83 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.text.*"; |
|
84 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*"; |
|
28849
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
85 |
permission java.util.PropertyPermission "*", "read"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
86 |
}; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
87 |
|
36511 | 88 |
grant codeBase "jrt:/jdk.naming.dns" { |
89 |
permission java.security.AllPermission; |
|
90 |
}; |
|
91 |
||
38377 | 92 |
grant codeBase "jrt:/java.scripting" { |
93 |
permission java.security.AllPermission; |
|
94 |
}; |
|
95 |
||
36511 | 96 |
grant codeBase "jrt:/jdk.scripting.nashorn" { |
97 |
permission java.security.AllPermission; |
|
98 |
}; |
|
99 |
||
100 |
grant codeBase "jrt:/jdk.scripting.nashorn.shell" { |
|
101 |
permission java.security.AllPermission; |
|
102 |
}; |
|
103 |
||
39041 | 104 |
grant codeBase "jrt:/java.smartcardio" { |
105 |
permission javax.smartcardio.CardPermission "*", "*"; |
|
106 |
permission java.lang.RuntimePermission "loadLibrary.j2pcsc"; |
|
107 |
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*"; |
|
108 |
permission java.util.PropertyPermission "*", "read"; |
|
109 |
// needed for looking up the native PC/SC library; note the grant below is read access to all files |
|
110 |
permission java.io.FilePermission "<<ALL FILES>>","read"; |
|
111 |
permission java.security.SecurityPermission "putProviderProperty.SunPCSC"; |
|
112 |
permission java.security.SecurityPermission "clearProviderProperties.SunPCSC"; |
|
113 |
permission java.security.SecurityPermission "removeProviderProperty.SunPCSC"; |
|
114 |
}; |
|
115 |
||
28849
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
116 |
grant codeBase "jrt:/java.xml.bind" { |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
117 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
118 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
119 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal.*"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
120 |
permission java.lang.RuntimePermission "accessDeclaredMembers"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
121 |
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
122 |
permission java.util.PropertyPermission "*", "read"; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
123 |
}; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
124 |
|
36511 | 125 |
grant codeBase "jrt:/java.xml.ws" { |
126 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.*"; |
|
127 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal"; |
|
128 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.istack.internal.*"; |
|
129 |
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.*"; |
|
130 |
permission java.lang.RuntimePermission "accessDeclaredMembers"; |
|
131 |
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; |
|
132 |
permission java.util.PropertyPermission "*", "read"; |
|
133 |
}; |
|
134 |
||
135 |
grant codeBase "jrt:/jdk.zipfs" { |
|
136 |
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete"; |
|
137 |
permission java.lang.RuntimePermission "fileSystemProvider"; |
|
138 |
permission java.util.PropertyPermission "*", "read"; |
|
28849
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
139 |
}; |
ccf9d86e52ec
8057645: Deprivilege JAX-WS, JAXB, JAF to extension class loader
mchung
parents:
27565
|
140 |
|
2 | 141 |
// default permissions granted to all domains |
142 |
||
22339 | 143 |
grant { |
144 |
// allows any code to listen on dynamically assigned ports on localhost |
|
145 |
permission java.net.SocketPermission "localhost:0", "listen"; |
|
2 | 146 |
|
22339 | 147 |
// "standard" properties that can be read by anyone |
2 | 148 |
|
22339 | 149 |
permission java.util.PropertyPermission "java.version", "read"; |
150 |
permission java.util.PropertyPermission "java.vendor", "read"; |
|
151 |
permission java.util.PropertyPermission "java.vendor.url", "read"; |
|
152 |
permission java.util.PropertyPermission "java.class.version", "read"; |
|
153 |
permission java.util.PropertyPermission "os.name", "read"; |
|
154 |
permission java.util.PropertyPermission "os.version", "read"; |
|
155 |
permission java.util.PropertyPermission "os.arch", "read"; |
|
156 |
permission java.util.PropertyPermission "file.separator", "read"; |
|
157 |
permission java.util.PropertyPermission "path.separator", "read"; |
|
158 |
permission java.util.PropertyPermission "line.separator", "read"; |
|
2 | 159 |
|
22339 | 160 |
permission java.util.PropertyPermission "java.specification.version", "read"; |
161 |
permission java.util.PropertyPermission "java.specification.vendor", "read"; |
|
162 |
permission java.util.PropertyPermission "java.specification.name", "read"; |
|
2 | 163 |
|
22339 | 164 |
permission java.util.PropertyPermission "java.vm.specification.version", "read"; |
165 |
permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; |
|
166 |
permission java.util.PropertyPermission "java.vm.specification.name", "read"; |
|
167 |
permission java.util.PropertyPermission "java.vm.version", "read"; |
|
168 |
permission java.util.PropertyPermission "java.vm.vendor", "read"; |
|
169 |
permission java.util.PropertyPermission "java.vm.name", "read"; |
|
2 | 170 |
}; |
171 |