jdk/src/java.base/share/lib/security/default.policy
author mullan
Fri, 21 Oct 2016 09:02:57 -0400
changeset 41603 bb9d97b4c21b
parent 41556 0c49ded763a8
child 41812 16d830c87e7b
permissions -rw-r--r--
8168313: Tighten permissions granted to jdk.crypto.pkcs11 module Reviewed-by: ascarpino

//
// Permissions required by modules stored in a run-time image and loaded
// by the platform class loader.
//
// NOTE that this file is not intended to be modified. If additional
// permissions need to be granted to the modules in this file, it is
// recommended that they be configured in a separate policy file or
// ${java.home}/conf/security/java.policy.
//

grant codeBase "jrt:/java.activation" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.compiler" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.corba" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.scripting" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.security.jgss" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.smartcardio" {
    permission javax.smartcardio.CardPermission "*", "*";
    permission java.lang.RuntimePermission "loadLibrary.j2pcsc";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.sun.security.*";
    permission java.util.PropertyPermission "*", "read";
    // needed for looking up native PC/SC library
    permission java.io.FilePermission "<<ALL FILES>>","read";
    permission java.security.SecurityPermission "putProviderProperty.SunPCSC";
    permission java.security.SecurityPermission
                   "clearProviderProperties.SunPCSC";
    permission java.security.SecurityPermission
                   "removeProviderProperty.SunPCSC";
};

grant codeBase "jrt:/java.sql" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.sql.rowset" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/java.xml.bind" {
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.xml.internal.*";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.istack.internal";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.istack.internal.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "*", "read";
};

grant codeBase "jrt:/java.xml.crypto" {
    permission java.util.PropertyPermission "*", "read";
    permission java.security.SecurityPermission "putProviderProperty.XMLDSig";
    permission java.security.SecurityPermission
                   "clearProviderProperties.XMLDSig";
    permission java.security.SecurityPermission
                   "removeProviderProperty.XMLDSig";
    permission java.security.SecurityPermission
                   "com.sun.org.apache.xml.internal.security.register";
    permission java.security.SecurityPermission
                   "getProperty.jdk.xml.dsig.secureValidationPolicy";
};

grant codeBase "jrt:/java.xml.ws" {
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.xml.internal.*";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.istack.internal";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.istack.internal.*";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.com.sun.org.apache.xerces.internal.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "*", "read";
};

grant codeBase "jrt:/jdk.charsets" {
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "sun.nio.cs.map", "read";
    permission java.lang.RuntimePermission "charsetProvider";
    permission java.lang.RuntimePermission
                   "accessClassInPackage.jdk.internal.misc";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.cs";
};

grant codeBase "jrt:/jdk.crypto.ec" {
    permission java.lang.RuntimePermission
                   "accessClassInPackage.sun.security.*";
    permission java.lang.RuntimePermission "loadLibrary.sunec";
    permission java.security.SecurityPermission "putProviderProperty.SunEC";
    permission java.security.SecurityPermission "clearProviderProperties.SunEC";
    permission java.security.SecurityPermission "removeProviderProperty.SunEC";
};

grant codeBase "jrt:/jdk.crypto.pkcs11" {
    permission java.lang.RuntimePermission
                   "accessClassInPackage.sun.security.*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
    permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
    permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.security.SecurityPermission "putProviderProperty.*";
    permission java.security.SecurityPermission "clearProviderProperties.*";
    permission java.security.SecurityPermission "removeProviderProperty.*";
    permission java.security.SecurityPermission
                   "getProperty.auth.login.defaultCallbackHandler";
    permission java.security.SecurityPermission "authProvider.*";
    // Needed for reading PKCS11 config file and NSS library check
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};

grant codeBase "jrt:/jdk.dynalink" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.le" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.jsobject" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.localedata" {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.text.*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.util.*";
    permission java.util.PropertyPermission "*", "read";
};

grant codeBase "jrt:/jdk.naming.dns" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.scripting.nashorn" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.scripting.nashorn.shell" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.security.auth" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.security.jgss" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.zipfs" {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
    permission java.lang.RuntimePermission "fileSystemProvider";
    permission java.util.PropertyPermission "*", "read";
};