8168851: Tighten permissions granted to the java.smartcardio module
Reviewed-by: vinnie, mchung
--- a/jdk/src/java.base/share/lib/security/default.policy Thu Oct 27 11:00:28 2016 +0200
+++ b/jdk/src/java.base/share/lib/security/default.policy Thu Oct 27 14:50:23 2016 -0400
@@ -32,8 +32,22 @@
permission javax.smartcardio.CardPermission "*", "*";
permission java.lang.RuntimePermission "loadLibrary.j2pcsc";
permission java.lang.RuntimePermission
- "accessClassInPackage.sun.security.*";
- permission java.util.PropertyPermission "*", "read";
+ "accessClassInPackage.sun.security.jca";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.util";
+ permission java.util.PropertyPermission
+ "javax.smartcardio.TerminalFactory.DefaultType", "read";
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "sun.arch.data.model", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.library", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t0GetResponse", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t1GetResponse", "read";
+ permission java.util.PropertyPermission
+ "sun.security.smartcardio.t1StripLe", "read";
// needed for looking up native PC/SC library
permission java.io.FilePermission "<<ALL FILES>>","read";
permission java.security.SecurityPermission "putProviderProperty.SunPCSC";
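Review bot: The context line `permission java.io.FilePermission "<<ALL FILES>>","read";` still gives the module read access to every file, which is now the widest grant left in this block after the package and property permissions were narrowed. If the PC/SC lookup only probes a fixed set of library locations plus the path named by `sun.security.smartcardio.library`, those paths could be granted instead; this is inferred from the existing comment, as the lookup code is not visible here. If it cannot be narrowed, the comment should say why, for example `// library location is configurable via sun.security.smartcardio.library, so read access cannot be limited to fixed paths`. The grant block begins and ends outside this hunk.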
--- a/jdk/test/sun/security/smartcardio/TestChannel.java Thu Oct 27 11:00:28 2016 +0200
+++ b/jdk/test/sun/security/smartcardio/TestChannel.java Thu Oct 27 14:50:23 2016 -0400
@@ -23,11 +23,12 @@
/*
* @test
- * @bug 6239117
+ * @bug 6239117 8168851
* @summary test logical channels work
* @author Andreas Sterbenz
* @modules java.smartcardio/javax.smartcardio
* @run main/manual TestChannel
+ * @run main/othervm/manual/java.security.policy==test.policy TestChannel
*/
// This test requires special hardware.
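Review bot: The added `@run main/othervm/manual/java.security.policy==test.policy TestChannel` line is still `manual`, so the narrowed grants in default.policy are only checked when someone runs these hardware tests by hand. A property or internal package the provider reads that is missing from the new list would not surface in automated runs. The same applies to the matching additions in TestControl.java, TestDefault.java and TestDirect.java. A short comment next to the existing one would make the purpose of the second run clear, e.g. `// The second @run repeats the test with test.policy in effect to check the java.smartcardio grants in default.policy.`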
--- a/jdk/test/sun/security/smartcardio/TestControl.java Thu Oct 27 11:00:28 2016 +0200
+++ b/jdk/test/sun/security/smartcardio/TestControl.java Thu Oct 27 14:50:23 2016 -0400
@@ -23,11 +23,12 @@
/*
* @test
- * @bug 6239117 6470320
+ * @bug 6239117 6470320 8168851
* @summary test if transmitControlCommand() works
* @author Andreas Sterbenz
* @modules java.smartcardio/javax.smartcardio
* @run main/manual TestControl
+ * @run main/othervm/manual/java.security.policy==test.policy TestControl
*/
// This test requires special hardware.
--- a/jdk/test/sun/security/smartcardio/TestDefault.java Thu Oct 27 11:00:28 2016 +0200
+++ b/jdk/test/sun/security/smartcardio/TestDefault.java Thu Oct 27 14:50:23 2016 -0400
@@ -23,11 +23,12 @@
/*
* @test
- * @bug 6327047
+ * @bug 6327047 8168851
* @summary verify that TerminalFactory.getDefault() works
* @author Andreas Sterbenz
* @modules java.smartcardio/javax.smartcardio
* @run main/manual TestDefault
+ * @run main/othervm/manual/java.security.policy==test.policy TestDefault
*/
// This test requires special hardware.
--- a/jdk/test/sun/security/smartcardio/TestDirect.java Thu Oct 27 11:00:28 2016 +0200
+++ b/jdk/test/sun/security/smartcardio/TestDirect.java Thu Oct 27 14:50:23 2016 -0400
@@ -23,10 +23,11 @@
/*
* @test
- * @bug 8046343
+ * @bug 8046343 8168851
* @summary Make sure that direct protocol is available
* @modules java.smartcardio/javax.smartcardio
* @run main/manual TestDirect
+ * @run main/othervm/manual/java.security.policy==test.policy TestDirect
*/
// This test requires special hardware.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/smartcardio/test.policy Thu Oct 27 14:50:23 2016 -0400
@@ -0,0 +1,3 @@
+grant codebase "file:${test.classes}/*" {
+ permission javax.smartcardio.CardPermission "*", "connect,getBasicChannel,reset,transmitControl";
+};
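Review bot: The action list `"connect,getBasicChannel,reset,transmitControl"` has no `openLogicalChannel`, yet TestChannel's summary says it tests that logical channels work. If that test calls `Card.openLogicalChannel()`, the run under this policy would fail with a security exception; the test body is not visible here, so this needs confirming. If the call is made, the line would become `permission javax.smartcardio.CardPermission "*", "connect,getBasicChannel,openLogicalChannel,reset,transmitControl";`. Since all four tests share this file, a leading comment naming which test needs which action would help keep the grant minimal, e.g. `// transmitControl: TestControl; reset: <test that calls disconnect(true)>`.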