1. /*
  2. * @(#)RuntimePermission.java 1.37 00/02/02
  3. *
  4. * Copyright 1997-2000 Sun Microsystems, Inc. All Rights Reserved.
  5. *
  6. * This software is the proprietary information of Sun Microsystems, Inc.
  7. * Use is subject to license terms.
  8. *
  9. */
  10. package java.lang;
  11. import java.security.*;
  12. import java.util.Enumeration;
  13. import java.util.Hashtable;
  14. import java.util.StringTokenizer;
  15. /**
  16. * This class is for runtime permissions. A RuntimePermission
  17. * contains a name (also referred to as a "target name") but
  18. * no actions list; you either have the named permission
  19. * or you don't.
  20. *
  21. * <P>
  22. * The target name is the name of the runtime permission (see below). The
  23. * naming convention follows the hierarchical property naming convention.
  24. * Also, an asterisk
  25. * may appear at the end of the name, following a ".", or by itself, to
  26. * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,
  27. * "*loadLibrary" or "a*b" is not valid.
  28. * <P>
  29. * The following table lists all the possible RuntimePermission target names,
  30. * and for each provides a description of what the permission allows
  31. * and a discussion of the risks of granting code the permission.
  32. * <P>
  33. *
  34. * <table border=1 cellpadding=5>
  35. * <tr>
  36. * <th>Permission Target Name</th>
  37. * <th>What the Permission Allows</th>
  38. * <th>Risks of Allowing this Permission</th>
  39. * </tr>
  40. *
  41. * <tr>
  42. * <td>createClassLoader</td>
  43. * <td>Creation of a class loader</td>
  44. * <td>This is an extremely dangerous permission to grant.
  45. * Malicious applications that can instantiate their own class
  46. * loaders could then load their own rogue classes into the system.
  47. * These newly loaded classes could be placed into any protection
  48. * domain by the class loader, thereby automatically granting the
  49. * classes the permissions for that domain.</td>
  50. * </tr>
  51. *
  52. * <tr>
  53. * <td>getClassLoader</td>
  54. * <td>Retrieval of a class loader (e.g., the class loader for the calling
  55. * class)</td>
  56. * <td>This would grant an attacker permission to get the
  57. * class loader for a particular class. This is dangerous because
  58. * having access to a class's class loader allows the attacker to
  59. * load other classes available to that class loader. The attacker
  60. * would typically otherwise not have access to those classes.</td>
  61. * </tr>
  62. *
  63. * <tr>
  64. * <td>setContextClassLoader</td>
  65. * <td>Setting of the context class loader used by a thread</td>
  66. * <td>The context class loader is used by system code and extensions
  67. * when they need to lookup resources that might not exist in the system
  68. * class loader. Granting setContextClassLoader permission would allow
  69. * code to change which context class loader is used
  70. * for a particular thread, including system threads.</td>
  71. * </tr>
  72. *
  73. * <tr>
  74. * <td>setSecurityManager</td>
  75. * <td>Setting of the security manager (possibly replacing an existing one)
  76. * </td>
  77. * <td>The security manager is a class that allows
  78. * applications to implement a security policy. Granting the setSecurityManager
  79. * permission would allow code to change which security manager is used by
  80. * installing a different, possibly less restrictive security manager,
  81. * thereby bypassing checks that would have been enforced by the original
  82. * security manager.</td>
  83. * </tr>
  84. *
  85. * <tr>
  86. * <td>createSecurityManager</td>
  87. * <td>Creation of a new security manager</td>
  88. * <td>This gives code access to protected, sensitive methods that may
  89. * disclose information about other classes or the execution stack.</td>
  90. * </tr>
  91. *
  92. * <tr>
  93. * <td>exitVM</td>
  94. * <td>Halting of the Java Virtual Machine</td>
  95. * <td>This allows an attacker to mount a denial-of-service attack
  96. * by automatically forcing the virtual machine to halt.</td>
  97. * </tr>
  98. *
  99. * <tr>
  100. * <td>shutdownHooks</td>
  101. * <td>Registration and cancellation of virtual-machine shutdown hooks</td>
  102. * <td>This allows an attacker to register a malicious shutdown
  103. * hook that interferes with the clean shutdown of the virtual machine.</td>
  104. * </tr>
  105. *
  106. * <tr>
  107. * <td>setFactory</td>
  108. * <td>Setting of the socket factory used by ServerSocket or Socket,
  109. * or of the stream handler factory used by URL</td>
  110. * <td>This allows code to set the actual implementation
  111. * for the socket, server socket, stream handler, or RMI socket factory.
  112. * An attacker may set a faulty implementation which mangles the data
  113. * stream.</td>
  114. * </tr>
  115. *
  116. * <tr>
  117. * <td>setIO</td>
  118. * <td>Setting of System.out, System.in, and System.err</td>
  119. * <td>This allows changing the value of the standard system streams.
  120. * An attacker may change System.in to monitor and
  121. * steal user input, or may set System.err to a "null" OutputSteam,
  122. * which would hide any error messages sent to System.err. </td>
  123. * </tr>
  124. *
  125. * <tr>
  126. * <td>modifyThread</td>
  127. * <td>Modification of threads, e.g., via calls to Thread <code>stop</code>,
  128. * <code>suspend</code>, <code>resume</code>, <code>setPriority</code>,
  129. * and <code>setName</code> methods</td>
  130. * <td>This allows an attacker to start or suspend any thread
  131. * in the system.</td>
  132. * </tr>
  133. *
  134. * <tr>
  135. * <td>stopThread</td>
  136. * <td>Stopping of threads via calls to the Thread <code>stop</code>
  137. * method</td>
  138. * <td>This allows code to stop any thread in the system provided that it is
  139. * already granted permission to access that thread.
  140. * This poses as a threat, because that code may corrupt the system by
  141. * killing existing threads.</td>
  142. * </tr>
  143. *
  144. * <tr>
  145. * <td>modifyThreadGroup</td>
  146. * <td>modification of thread groups, e.g., via calls to ThreadGroup
  147. * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
  148. * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
  149. * and <code>suspend</code> methods</td>
  150. * <td>This allows an attacker to create thread groups and
  151. * set their run priority.</td>
  152. * </tr>
  153. *
  154. * <tr>
  155. * <td>getProtectionDomain</td>
  156. * <td>Retrieval of the ProtectionDomain for a class</td>
  157. * <td>This allows code to obtain policy information
  158. * for a particular code source. While obtaining policy information
  159. * does not compromise the security of the system, it does give
  160. * attackers additional information, such as local file names for
  161. * example, to better aim an attack.</td>
  162. * </tr>
  163. *
  164. * <tr>
  165. * <td>readFileDescriptor</td>
  166. * <td>Reading of file descriptors</td>
  167. * <td>This would allow code to read the particular file associated
  168. with the file descriptor read. This is dangerous if the file contains
  169. confidential data.</td>
  170. * </tr>
  171. *
  172. * <tr>
  173. * <td>writeFileDescriptor</td>
  174. * <td>Writing to file descriptors</td>
  175. * <td>This allows code to write to a particular file associated
  176. with the descriptor. This is dangerous because it may allow malicous
  177. code to plant viruses or at the very least, fill up your entire disk.</td>
  178. * </tr>
  179. *
  180. * <tr>
  181. * <td>loadLibrary.{library name}</td>
  182. * <td>Dynamic linking of the specified library</td>
  183. * <td>It is dangerous to allow an applet permission to load native code
  184. * libraries, because the Java security architecture is not designed to and
  185. * does not prevent malicious behavior at the level of native code.</td>
  186. * </tr>
  187. *
  188. * <tr>
  189. * <td>accessClassInPackage.{package name}</td>
  190. * <td>Access to the specified package via a class loader's
  191. * <code>loadClass</code> method when that class loader calls
  192. * the SecurityManager <code>checkPackageAcesss</code> method</td>
  193. * <td>This gives code access to classes in packages
  194. * to which it normally does not have access. Malicious code
  195. * may use these classes to help in its attempt to compromise
  196. * security in the system.</td>
  197. * </tr>
  198. *
  199. * <tr>
  200. * <td>defineClassInPackage.{package name}</td>
  201. * <td>Definition of classes in the specified package, via a class
  202. * loader's <code>defineClass</code> method when that class loader calls
  203. * the SecurityManager <code>checkPackageDefinition</code> method.</td>
  204. * <td>This grants code permission to define a class
  205. * in a particular package. This is dangerous because malicious
  206. * code with this permission may define rogue classes in
  207. * trusted packages like <code>java.security</code> or <code>java.lang</code>,
  208. * for example.</td>
  209. * </tr>
  210. *
  211. * <tr>
  212. * <td>accessDeclaredMembers</td>
  213. * <td>Access to the declared members of a class</td>
  214. * <td>This grants code permission to query a class for its public,
  215. * protected, default (package) access, and private fields and/or
  216. * methods. Although the code would have
  217. * access to the private and protected field and method names, it would not
  218. * have access to the private/protected field data and would not be able
  219. * to invoke any private methods. Nevertheless, malicious code
  220. * may use this information to better aim an attack.
  221. * Additionally, it may invoke any public methods and/or access public fields
  222. * in the class. This could be dangerous if
  223. * the code would normally not be able to invoke those methods and/or
  224. * access the fields because
  225. * it can't cast the object to the class/interface with those methods
  226. * and fields.
  227. </td>
  228. * </tr>
  229. * <tr>
  230. * <td>queuePrintJob</td>
  231. * <td>Initiation of a print job request</td>
  232. * <td>This could print sensitive information to a printer,
  233. * or simply waste paper.</td>
  234. * </tr>
  235. *
  236. * </table>
  237. *
  238. * @see java.security.BasicPermission
  239. * @see java.security.Permission
  240. * @see java.security.Permissions
  241. * @see java.security.PermissionCollection
  242. * @see java.lang.SecurityManager
  243. *
  244. * @version 1.37 00/02/02
  245. *
  246. * @author Marianne Mueller
  247. * @author Roland Schemers
  248. */
  249. public final class RuntimePermission extends BasicPermission {
  250. /**
  251. * Creates a new RuntimePermission with the specified name.
  252. * The name is the symbolic name of the RuntimePermission, such as
  253. * "exit", "setFactory", etc. An asterisk
  254. * may appear at the end of the name, following a ".", or by itself, to
  255. * signify a wildcard match.
  256. *
  257. * @param name the name of the RuntimePermission.
  258. */
  259. public RuntimePermission(String name)
  260. {
  261. super(name);
  262. }
  263. /**
  264. * Creates a new RuntimePermission object with the specified name.
  265. * The name is the symbolic name of the RuntimePermission, and the
  266. * actions String is currently unused and should be null. This
  267. * constructor exists for use by the <code>Policy</code> object
  268. * to instantiate new Permission objects.
  269. *
  270. * @param name the name of the RuntimePermission.
  271. * @param actions should be null.
  272. */
  273. public RuntimePermission(String name, String actions)
  274. {
  275. super(name, actions);
  276. }
  277. }