1. /*

  2.  * @(#)RuntimePermission.java	1.34 01/11/29

  3.  *

  4.  * Copyright 2002 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.lang;

  9. 

  10. import java.security.*;

  11. import java.util.Enumeration;

  12. import java.util.Hashtable;

  13. import java.util.StringTokenizer;

  14. 

  15. /**

  16.  * This class is for runtime permissions. A RuntimePermission

  17.  * contains a name (also referred to as a "target name") but

  18.  * no actions list; you either have the named permission

  19.  * or you don't.

  20.  *

  21.  * <P>

  22.  * The target name is the name of the runtime permission (see below). The

  23.  * naming convention follows the  hierarchical property naming convention.

  24.  * Also, an asterisk

  25.  * may appear at the end of the name, following a ".", or by itself, to

  26.  * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,

  27.  * "*loadLibrary" or "a*b" is not valid.

  28.  * <P>

  29.  * The following table lists all the possible RuntimePermission target names,

  30.  * and for each provides a description of what the permission allows

  31.  * and a discussion of the risks of granting code the permission.

  32.  * <P>

  33.  *

  34.  * <table border=1 cellpadding=5>

  35.  * <tr>

  36.  * <th>Permission Target Name</th>

  37.  * <th>What the Permission Allows</th>

  38.  * <th>Risks of Allowing this Permission</th>

  39.  * </tr>

  40.  *

  41.  * <tr>

  42.  *   <td>createClassLoader</td>

  43.  *   <td>Creation of a class loader</td>

  44.  *   <td>This is an extremely dangerous permission to grant.

  45.  * Malicious applications that can instantiate their own class

  46.  * loaders could then load their own rogue classes into the system.

  47.  * These newly loaded classes could be placed into any protection

  48.  * domain by the class loader, thereby automatically granting the

  49.  * classes the permissions for that domain.</td>

  50.  * </tr>

  51.  *

  52.  * <tr>

  53.  *   <td>getClassLoader</td>

  54.  *   <td>Retrieval of a class loader (e.g., the class loader for the calling

  55.  * class)</td>

  56.  *   <td>This would grant an attacker permission to get the

  57.  * class loader for a particular class. This is dangerous because

  58.  * having access to a class's class loader allows the attacker to

  59.  * load other classes available to that class loader. The attacker

  60.  * would typically otherwise not have access to those classes.</td>

  61.  * </tr>

  62.  *

  63.  * <tr>

  64.  *   <td>setContextClassLoader</td>

  65.  *   <td>Setting of the context class loader used by a thread</td>

  66.  *   <td>The context class loader is used by system code and extensions

  67.  * when they need to lookup resources that might not exist in the system

  68.  * class loader. Granting setContextClassLoader permission would allow

  69.  * code to change which context class loader is used

  70.  * for a particular thread, including system threads.</td>

  71.  * </tr>

  72.  *

  73.  * <tr>

  74.  *   <td>setSecurityManager</td>

  75.  *   <td>Setting of the security manager (possibly replacing an existing one)

  76.  * </td>

  77.  *   <td>The security manager is a class that allows 

  78.  * applications to implement a security policy. Granting the setSecurityManager

  79.  * permission would allow code to change which security manager is used by

  80.  * installing a different, possibly less restrictive security manager,

  81.  * thereby bypassing checks that would have been enforced by the original

  82.  * security manager.</td>

  83.  * </tr>

  84.  *

  85.  * <tr>

  86.  *   <td>createSecurityManager</td>

  87.  *   <td>Creation of a new security manager</td>

  88.  *   <td>This gives code access to protected, sensitive methods that may

  89.  * disclose information about other classes or the execution stack.</td>

  90.  * </tr>

  91.  *

  92.  * <tr>

  93.  *   <td>exitVM</td>

  94.  *   <td>Halting of the Java Virtual Machine</td>

  95.  *   <td>This allows an attacker to mount a denial-of-service attack

  96.  * by automatically forcing the virtual machine to halt.</td>

  97.  * </tr>

  98.  *

  99.  * <tr>

  100.  *   <td>setFactory</td>

  101.  *   <td>Setting of the socket factory used by ServerSocket or Socket,

  102.  * or of the stream handler factory used by URL</td>

  103.  *   <td>This allows code to set the actual implementation

  104.  * for the socket, server socket, stream handler, or RMI socket factory.

  105.  * An attacker may set a faulty implementation which mangles the data

  106.  * stream.</td>

  107.  * </tr>

  108.  *

  109.  * <tr>

  110.  *   <td>setIO</td>

  111.  *   <td>Setting of System.out, System.in, and System.err</td>

  112.  *   <td>This allows changing the value of the standard system streams.

  113.  * An attacker may change System.in to monitor and

  114.  * steal user input, or may set System.err to a "null" OutputSteam,

  115.  * which would hide any error messages sent to System.err. </td>

  116.  * </tr>

  117.  *

  118.  * <tr>

  119.  *   <td>modifyThread</td>

  120.  *   <td>Modification of threads, e.g., via calls to Thread <code>stop</code>,

  121.  * <code>suspend</code>, <code>resume</code>, <code>setPriority</code>,

  122.  * and <code>setName</code> methods</td>

  123.  *   <td>This allows an attacker to start or suspend any thread

  124.  * in the system.</td>

  125.  * </tr>

  126.  *

  127.  * <tr>

  128.  *   <td>stopThread</td>

  129.  *   <td>Stopping of threads via calls to the Thread <code>stop</code>

  130.  * method</td>

  131.  *   <td>This allows code to stop any thread in the system provided that it is

  132.  * already granted permission to access that thread.

  133.  * This poses as a threat, because that code may corrupt the system by

  134.  * killing existing threads.</td>

  135.  * </tr>

  136.  *

  137.  * <tr>

  138.  *   <td>modifyThreadGroup</td>

  139.  *   <td>modification of thread groups, e.g., via calls to ThreadGroup

  140.  * <code>destroy</code>, <code>resume</code>, <code>setDaemon</code>,

  141.  * <code>setMaxPriority</code>, <code>stop</code>, and <code>suspend</code>

  142.  * methods</td>

  143.  *   <td>This allows an attacker to create thread groups and

  144.  * set their run priority.</td>

  145.  * </tr>

  146.  *

  147.  * <tr>

  148.  *   <td>getProtectionDomain</td>

  149.  *   <td>Retrieval of the ProtectionDomain for a class</td>

  150.  *   <td>This allows code to obtain policy information

  151.  * for a particular code source. While obtaining policy information

  152.  * does not compromise the security of the system, it does give

  153.  * attackers additional information, such as local file names for

  154.  * example, to better aim an attack.</td>

  155.  * </tr>

  156.  *

  157.  * <tr>

  158.  *   <td>readFileDescriptor</td>

  159.  *   <td>Reading of file descriptors</td>

  160.  *   <td>This would allow code to read the particular file associated

  161. with the file descriptor read. This is dangerous if the file contains

  162. confidential data.</td>

  163.  * </tr>

  164.  *

  165.  * <tr>

  166.  *   <td>writeFileDescriptor</td>

  167.  *   <td>Writing to file descriptors</td>

  168.  *   <td>This allows code to write to a particular file associated

  169. with the descriptor. This is dangerous because it may allow malicous

  170. code to plant viruses or at the very least, fill up your entire disk.</td>

  171.  * </tr>

  172.  *

  173.  * <tr>

  174.  *   <td>loadLibrary.{library name}</td>

  175.  *   <td>Dynamic linking of the specified library</td>

  176.  *   <td>It is dangerous to allow an applet permission to load native code

  177.  * libraries, because the Java security architecture is not designed to and

  178.  * does not prevent malicious behavior at the level of native code.</td>

  179.  * </tr>

  180.  *

  181.  * <tr>

  182.  *   <td>accessClassInPackage.{package name}</td>

  183.  *   <td>Access to the specified package via a class loader's

  184.  * <code>loadClass</code> method when that class loader calls

  185.  * the SecurityManager <code>checkPackageAcesss</code> method</td>

  186.  *   <td>This gives code access to classes in packages

  187.  * to which it normally does not have access. Malicious code

  188.  * may use these classes to help in its attempt to compromise

  189.  * security in the system.</td>

  190.  * </tr>

  191.  *

  192.  * <tr>

  193.  *   <td>defineClassInPackage.{package name}</td>

  194.  *   <td>Definition of classes in the specified package, via a class

  195.  * loader's <code>defineClass</code> method when that class loader calls

  196.  * the SecurityManager <code>checkPackageDefinition</code> method.</td>

  197.  *   <td>This grants code permission to define a class

  198.  * in a particular package. This is dangerous because malicious

  199.  * code with this permission may define rogue classes in

  200.  * trusted packages like <code>java.security</code> or <code>java.lang</code>,

  201.  * for example.</td>

  202.  * </tr>

  203.  *

  204.  * <tr>

  205.  *   <td>accessDeclaredMembers</td>

  206.  *   <td>Access to the declared members of a class</td>

  207.  *   <td>This grants code permission to query a class for its public,

  208.  * protected, default (package) access, and private fields and/or

  209.  * methods. Although the code would have

  210.  * access to the private and protected field and method names, it would not

  211.  * have access to the private/protected field data and would not be able

  212.  * to invoke any private methods. Nevertheless, malicious code

  213.  * may use this information to better aim an attack.

  214.  * Additionally, it may invoke any public methods and/or access public fields

  215.  * in the class.  This could be dangerous if

  216.  * the code would normally not be able to invoke those methods and/or

  217.  * access the fields  because

  218.  * it can't cast the object to the class/interface with those methods

  219.  * and fields.

  220. </td>

  221.  * </tr>

  222.  * <tr>

  223.  *   <td>queuePrintJob</td>

  224.  *   <td>Initiation of a print job request</td>

  225.  *   <td>This could print sensitive information to a printer,

  226.  * or simply waste paper.</td>

  227.  * </tr>

  228.  *

  229.  * </table>

  230.  *

  231.  * @see java.security.BasicPermission

  232.  * @see java.security.Permission

  233.  * @see java.security.Permissions

  234.  * @see java.security.PermissionCollection

  235.  * @see java.lang.SecurityManager

  236.  *

  237.  * @version 1.34 01/11/29

  238.  *

  239.  * @author Marianne Mueller

  240.  * @author Roland Schemers

  241.  */

  242. 

  243. public final class RuntimePermission extends BasicPermission {

  244. 

  245.     /**

  246.      * Creates a new RuntimePermission with the specified name.

  247.      * The name is the symbolic name of the RuntimePermission, such as

  248.      * "exit", "setFactory", etc. An asterisk

  249.      * may appear at the end of the name, following a ".", or by itself, to

  250.      * signify a wildcard match.

  251.      *

  252.      * @param name the name of the RuntimePermission.

  253.      */

  254. 

  255.     public RuntimePermission(String name)

  256.     {

  257. 	super(name);

  258.     }

  259. 

  260.     /**

  261.      * Creates a new RuntimePermission object with the specified name.

  262.      * The name is the symbolic name of the RuntimePermission, and the

  263.      * actions String is currently unused and should be null. This

  264.      * constructor exists for use by the <code>Policy</code> object

  265.      * to instantiate new Permission objects.

  266.      *

  267.      * @param name the name of the RuntimePermission.

  268.      * @param actions should be null.

  269.      */

  270. 

  271.     public RuntimePermission(String name, String actions)

  272.     {

  273. 	super(name, actions);

  274.     }

  275. }