1. /*

  2.  * @(#)RuntimePermission.java	1.44 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.lang;

  9. 

  10. import java.security.*;

  11. import java.util.Enumeration;

  12. import java.util.Hashtable;

  13. import java.util.StringTokenizer;

  14. 

  15. /**

  16.  * This class is for runtime permissions. A RuntimePermission

  17.  * contains a name (also referred to as a "target name") but

  18.  * no actions list; you either have the named permission

  19.  * or you don't.

  20.  *

  21.  * <P>

  22.  * The target name is the name of the runtime permission (see below). The

  23.  * naming convention follows the  hierarchical property naming convention.

  24.  * Also, an asterisk

  25.  * may appear at the end of the name, following a ".", or by itself, to

  26.  * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,

  27.  * "*loadLibrary" or "a*b" is not valid.

  28.  * <P>

  29.  * The following table lists all the possible RuntimePermission target names,

  30.  * and for each provides a description of what the permission allows

  31.  * and a discussion of the risks of granting code the permission.

  32.  * <P>

  33.  *

  34.  * <table border=1 cellpadding=5 summary="permission target name, 

  35.  *  what the target allows,and associated risks">

  36.  * <tr>

  37.  * <th>Permission Target Name</th>

  38.  * <th>What the Permission Allows</th>

  39.  * <th>Risks of Allowing this Permission</th>

  40.  * </tr>

  41.  *

  42.  * <tr>

  43.  *   <td>createClassLoader</td>

  44.  *   <td>Creation of a class loader</td>

  45.  *   <td>This is an extremely dangerous permission to grant.

  46.  * Malicious applications that can instantiate their own class

  47.  * loaders could then load their own rogue classes into the system.

  48.  * These newly loaded classes could be placed into any protection

  49.  * domain by the class loader, thereby automatically granting the

  50.  * classes the permissions for that domain.</td>

  51.  * </tr>

  52.  *

  53.  * <tr>

  54.  *   <td>getClassLoader</td>

  55.  *   <td>Retrieval of a class loader (e.g., the class loader for the calling

  56.  * class)</td>

  57.  *   <td>This would grant an attacker permission to get the

  58.  * class loader for a particular class. This is dangerous because

  59.  * having access to a class's class loader allows the attacker to

  60.  * load other classes available to that class loader. The attacker

  61.  * would typically otherwise not have access to those classes.</td>

  62.  * </tr>

  63.  *

  64.  * <tr>

  65.  *   <td>setContextClassLoader</td>

  66.  *   <td>Setting of the context class loader used by a thread</td>

  67.  *   <td>The context class loader is used by system code and extensions

  68.  * when they need to lookup resources that might not exist in the system

  69.  * class loader. Granting setContextClassLoader permission would allow

  70.  * code to change which context class loader is used

  71.  * for a particular thread, including system threads.</td>

  72.  * </tr>

  73.  *

  74.  * <tr>

  75.  *   <td>setSecurityManager</td>

  76.  *   <td>Setting of the security manager (possibly replacing an existing one)

  77.  * </td>

  78.  *   <td>The security manager is a class that allows 

  79.  * applications to implement a security policy. Granting the setSecurityManager

  80.  * permission would allow code to change which security manager is used by

  81.  * installing a different, possibly less restrictive security manager,

  82.  * thereby bypassing checks that would have been enforced by the original

  83.  * security manager.</td>

  84.  * </tr>

  85.  *

  86.  * <tr>

  87.  *   <td>createSecurityManager</td>

  88.  *   <td>Creation of a new security manager</td>

  89.  *   <td>This gives code access to protected, sensitive methods that may

  90.  * disclose information about other classes or the execution stack.</td>

  91.  * </tr>

  92.  *

  93.  * <tr>

  94.  *   <td>exitVM</td>

  95.  *   <td>Halting of the Java Virtual Machine</td>

  96.  *   <td>This allows an attacker to mount a denial-of-service attack

  97.  * by automatically forcing the virtual machine to halt.

  98.  * Note: The "exitVM" permission is automatically granted to all code

  99.  * loaded from the application class path, thus enabling applications

  100.  * to terminate themselves.</td>

  101.  * </tr>

  102.  *

  103.  * <tr>

  104.  *   <td>shutdownHooks</td>

  105.  *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>

  106.  *   <td>This allows an attacker to register a malicious shutdown

  107.  * hook that interferes with the clean shutdown of the virtual machine.</td>

  108.  * </tr>

  109.  *

  110.  * <tr>

  111.  *   <td>setFactory</td>

  112.  *   <td>Setting of the socket factory used by ServerSocket or Socket,

  113.  * or of the stream handler factory used by URL</td>

  114.  *   <td>This allows code to set the actual implementation

  115.  * for the socket, server socket, stream handler, or RMI socket factory.

  116.  * An attacker may set a faulty implementation which mangles the data

  117.  * stream.</td>

  118.  * </tr>

  119.  *

  120.  * <tr>

  121.  *   <td>setIO</td>

  122.  *   <td>Setting of System.out, System.in, and System.err</td>

  123.  *   <td>This allows changing the value of the standard system streams.

  124.  * An attacker may change System.in to monitor and

  125.  * steal user input, or may set System.err to a "null" OutputSteam,

  126.  * which would hide any error messages sent to System.err. </td>

  127.  * </tr>

  128.  *

  129.  * <tr>

  130.  *   <td>modifyThread</td>

  131.  *   <td>Modification of threads, e.g., via calls to Thread <code>stop</code>,

  132.  * <code>suspend</code>, <code>resume</code>, <code>setPriority</code>,

  133.  * and <code>setName</code> methods</td>

  134.  *   <td>This allows an attacker to start or suspend any thread

  135.  * in the system.</td>

  136.  * </tr>

  137.  *

  138.  * <tr>

  139.  *   <td>stopThread</td>

  140.  *   <td>Stopping of threads via calls to the Thread <code>stop</code>

  141.  * method</td>

  142.  *   <td>This allows code to stop any thread in the system provided that it is

  143.  * already granted permission to access that thread.

  144.  * This poses as a threat, because that code may corrupt the system by

  145.  * killing existing threads.</td>

  146.  * </tr>

  147.  *

  148.  * <tr>

  149.  *   <td>modifyThreadGroup</td>

  150.  *   <td>modification of thread groups, e.g., via calls to ThreadGroup

  151.  * <code>destroy</code>, <code>getParent</code>, <code>resume</code>, 

  152.  * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>, 

  153.  * and <code>suspend</code> methods</td>

  154.  *   <td>This allows an attacker to create thread groups and

  155.  * set their run priority.</td>

  156.  * </tr>

  157.  *

  158.  * <tr>

  159.  *   <td>getProtectionDomain</td>

  160.  *   <td>Retrieval of the ProtectionDomain for a class</td>

  161.  *   <td>This allows code to obtain policy information

  162.  * for a particular code source. While obtaining policy information

  163.  * does not compromise the security of the system, it does give

  164.  * attackers additional information, such as local file names for

  165.  * example, to better aim an attack.</td>

  166.  * </tr>

  167.  *

  168.  * <tr>

  169.  *   <td>readFileDescriptor</td>

  170.  *   <td>Reading of file descriptors</td>

  171.  *   <td>This would allow code to read the particular file associated

  172.  *       with the file descriptor read. This is dangerous if the file

  173.  *       contains confidential data.</td>

  174.  * </tr>

  175.  *

  176.  * <tr>

  177.  *   <td>writeFileDescriptor</td>

  178.  *   <td>Writing to file descriptors</td>

  179.  *   <td>This allows code to write to a particular file associated

  180.  *       with the descriptor. This is dangerous because it may allow

  181.  *       malicious code to plant viruses or at the very least, fill up

  182.  *       your entire disk.</td>

  183.  * </tr>

  184.  *

  185.  * <tr>

  186.  *   <td>loadLibrary.{library name}</td>

  187.  *   <td>Dynamic linking of the specified library</td>

  188.  *   <td>It is dangerous to allow an applet permission to load native code

  189.  * libraries, because the Java security architecture is not designed to and

  190.  * does not prevent malicious behavior at the level of native code.</td>

  191.  * </tr>

  192.  *

  193.  * <tr>

  194.  *   <td>accessClassInPackage.{package name}</td>

  195.  *   <td>Access to the specified package via a class loader's

  196.  * <code>loadClass</code> method when that class loader calls

  197.  * the SecurityManager <code>checkPackageAcesss</code> method</td>

  198.  *   <td>This gives code access to classes in packages

  199.  * to which it normally does not have access. Malicious code

  200.  * may use these classes to help in its attempt to compromise

  201.  * security in the system.</td>

  202.  * </tr>

  203.  *

  204.  * <tr>

  205.  *   <td>defineClassInPackage.{package name}</td>

  206.  *   <td>Definition of classes in the specified package, via a class

  207.  * loader's <code>defineClass</code> method when that class loader calls

  208.  * the SecurityManager <code>checkPackageDefinition</code> method.</td>

  209.  *   <td>This grants code permission to define a class

  210.  * in a particular package. This is dangerous because malicious

  211.  * code with this permission may define rogue classes in

  212.  * trusted packages like <code>java.security</code> or <code>java.lang</code>,

  213.  * for example.</td>

  214.  * </tr>

  215.  *

  216.  * <tr>

  217.  *   <td>accessDeclaredMembers</td>

  218.  *   <td>Access to the declared members of a class</td>

  219.  *   <td>This grants code permission to query a class for its public,

  220.  * protected, default (package) access, and private fields and/or

  221.  * methods. Although the code would have

  222.  * access to the private and protected field and method names, it would not

  223.  * have access to the private/protected field data and would not be able

  224.  * to invoke any private methods. Nevertheless, malicious code

  225.  * may use this information to better aim an attack.

  226.  * Additionally, it may invoke any public methods and/or access public fields

  227.  * in the class.  This could be dangerous if

  228.  * the code would normally not be able to invoke those methods and/or

  229.  * access the fields  because

  230.  * it can't cast the object to the class/interface with those methods

  231.  * and fields.

  232. </td>

  233.  * </tr>

  234.  * <tr>

  235.  *   <td>queuePrintJob</td>

  236.  *   <td>Initiation of a print job request</td>

  237.  *   <td>This could print sensitive information to a printer,

  238.  * or simply waste paper.</td>

  239.  * </tr>

  240.  *

  241.  * </table>

  242.  *

  243.  * @see java.security.BasicPermission

  244.  * @see java.security.Permission

  245.  * @see java.security.Permissions

  246.  * @see java.security.PermissionCollection

  247.  * @see java.lang.SecurityManager

  248.  *

  249.  * @version 1.44 03/01/23

  250.  *

  251.  * @author Marianne Mueller

  252.  * @author Roland Schemers

  253.  */

  254. 

  255. public final class RuntimePermission extends BasicPermission {

  256. 

  257.     /**

  258.      * Creates a new RuntimePermission with the specified name.

  259.      * The name is the symbolic name of the RuntimePermission, such as

  260.      * "exit", "setFactory", etc. An asterisk

  261.      * may appear at the end of the name, following a ".", or by itself, to

  262.      * signify a wildcard match.

  263.      *

  264.      * @param name the name of the RuntimePermission.

  265.      */

  266. 

  267.     public RuntimePermission(String name)

  268.     {

  269. 	super(name);

  270.     }

  271. 

  272.     /**

  273.      * Creates a new RuntimePermission object with the specified name.

  274.      * The name is the symbolic name of the RuntimePermission, and the

  275.      * actions String is currently unused and should be null.

  276.      *

  277.      * @param name the name of the RuntimePermission.

  278.      * @param actions should be null.

  279.      */

  280. 

  281.     public RuntimePermission(String name, String actions)

  282.     {

  283. 	super(name, actions);

  284.     }

  285. }