1. /*
  2. * @(#)RuntimePermission.java 1.53 04/04/20
  3. *
  4. * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
  5. * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
  6. */
  7. package java.lang;
  8. import java.security.*;
  9. import java.util.Enumeration;
  10. import java.util.Hashtable;
  11. import java.util.StringTokenizer;
  12. /**
  13. * This class is for runtime permissions. A RuntimePermission
  14. * contains a name (also referred to as a "target name") but
  15. * no actions list; you either have the named permission
  16. * or you don't.
  17. *
  18. * <P>
  19. * The target name is the name of the runtime permission (see below). The
  20. * naming convention follows the hierarchical property naming convention.
  21. * Also, an asterisk
  22. * may appear at the end of the name, following a ".", or by itself, to
  23. * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,
  24. * "*loadLibrary" or "a*b" is not valid.
  25. * <P>
  26. * The following table lists all the possible RuntimePermission target names,
  27. * and for each provides a description of what the permission allows
  28. * and a discussion of the risks of granting code the permission.
  29. * <P>
  30. *
  31. * <table border=1 cellpadding=5 summary="permission target name,
  32. * what the target allows,and associated risks">
  33. * <tr>
  34. * <th>Permission Target Name</th>
  35. * <th>What the Permission Allows</th>
  36. * <th>Risks of Allowing this Permission</th>
  37. * </tr>
  38. *
  39. * <tr>
  40. * <td>createClassLoader</td>
  41. * <td>Creation of a class loader</td>
  42. * <td>This is an extremely dangerous permission to grant.
  43. * Malicious applications that can instantiate their own class
  44. * loaders could then load their own rogue classes into the system.
  45. * These newly loaded classes could be placed into any protection
  46. * domain by the class loader, thereby automatically granting the
  47. * classes the permissions for that domain.</td>
  48. * </tr>
  49. *
  50. * <tr>
  51. * <td>getClassLoader</td>
  52. * <td>Retrieval of a class loader (e.g., the class loader for the calling
  53. * class)</td>
  54. * <td>This would grant an attacker permission to get the
  55. * class loader for a particular class. This is dangerous because
  56. * having access to a class's class loader allows the attacker to
  57. * load other classes available to that class loader. The attacker
  58. * would typically otherwise not have access to those classes.</td>
  59. * </tr>
  60. *
  61. * <tr>
  62. * <td>setContextClassLoader</td>
  63. * <td>Setting of the context class loader used by a thread</td>
  64. * <td>The context class loader is used by system code and extensions
  65. * when they need to lookup resources that might not exist in the system
  66. * class loader. Granting setContextClassLoader permission would allow
  67. * code to change which context class loader is used
  68. * for a particular thread, including system threads.</td>
  69. * </tr>
  70. *
  71. * <tr>
  72. * <td>enableContextClassLoaderOverride</td>
  73. * <td>Subclass implementation of the thread context class loader methods</td>
  74. * <td>The context class loader is used by system code and extensions
  75. * when they need to lookup resources that might not exist in the system
  76. * class loader. Granting enableContextClassLoaderOverride permission would allow
  77. * a subclass of Thread to override the methods that are used
  78. * to get or set the context class loader for a particular thread.</td>
  79. * </tr>
  80. *
  81. * <tr>
  82. * <td>setSecurityManager</td>
  83. * <td>Setting of the security manager (possibly replacing an existing one)
  84. * </td>
  85. * <td>The security manager is a class that allows
  86. * applications to implement a security policy. Granting the setSecurityManager
  87. * permission would allow code to change which security manager is used by
  88. * installing a different, possibly less restrictive security manager,
  89. * thereby bypassing checks that would have been enforced by the original
  90. * security manager.</td>
  91. * </tr>
  92. *
  93. * <tr>
  94. * <td>createSecurityManager</td>
  95. * <td>Creation of a new security manager</td>
  96. * <td>This gives code access to protected, sensitive methods that may
  97. * disclose information about other classes or the execution stack.</td>
  98. * </tr>
  99. *
  100. * <tr>
  101. * <td>getenv.{variable name}</td>
  102. * <td>Reading of the value of the specified environment variable</td>
  103. * <td>This would allow code to read the value, or determine the
  104. * existence, of a particular environment variable. This is
  105. * dangerous if the variable contains confidential data.</td>
  106. * </tr>
  107. *
  108. * <tr>
  109. * <td>exitVM</td>
  110. * <td>Halting of the Java Virtual Machine</td>
  111. * <td>This allows an attacker to mount a denial-of-service attack
  112. * by automatically forcing the virtual machine to halt.
  113. * Note: The "exitVM" permission is automatically granted to all code
  114. * loaded from the application class path, thus enabling applications
  115. * to terminate themselves.</td>
  116. * </tr>
  117. *
  118. * <tr>
  119. * <td>shutdownHooks</td>
  120. * <td>Registration and cancellation of virtual-machine shutdown hooks</td>
  121. * <td>This allows an attacker to register a malicious shutdown
  122. * hook that interferes with the clean shutdown of the virtual machine.</td>
  123. * </tr>
  124. *
  125. * <tr>
  126. * <td>setFactory</td>
  127. * <td>Setting of the socket factory used by ServerSocket or Socket,
  128. * or of the stream handler factory used by URL</td>
  129. * <td>This allows code to set the actual implementation
  130. * for the socket, server socket, stream handler, or RMI socket factory.
  131. * An attacker may set a faulty implementation which mangles the data
  132. * stream.</td>
  133. * </tr>
  134. *
  135. * <tr>
  136. * <td>setIO</td>
  137. * <td>Setting of System.out, System.in, and System.err</td>
  138. * <td>This allows changing the value of the standard system streams.
  139. * An attacker may change System.in to monitor and
  140. * steal user input, or may set System.err to a "null" OutputStream,
  141. * which would hide any error messages sent to System.err. </td>
  142. * </tr>
  143. *
  144. * <tr>
  145. * <td>modifyThread</td>
  146. * <td>Modification of threads, e.g., via calls to Thread
  147. * <tt>interrupt</tt>, <tt>stop</tt>, <tt>suspend</tt>,
  148. * <tt>resume</tt>, <tt>setDaemon</tt>, <tt>setPriority</tt>,
  149. * <tt>setName</tt> and <tt>setUncaughtExceptionHandler</tt>
  150. * methods</td>
  151. * <td>This allows an attacker to modify the behaviour of
  152. * any thread in the system.</td>
  153. * </tr>
  154. *
  155. * <tr>
  156. * <td>stopThread</td>
  157. * <td>Stopping of threads via calls to the Thread <code>stop</code>
  158. * method</td>
  159. * <td>This allows code to stop any thread in the system provided that it is
  160. * already granted permission to access that thread.
  161. * This poses as a threat, because that code may corrupt the system by
  162. * killing existing threads.</td>
  163. * </tr>
  164. *
  165. * <tr>
  166. * <td>modifyThreadGroup</td>
  167. * <td>modification of thread groups, e.g., via calls to ThreadGroup
  168. * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
  169. * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
  170. * and <code>suspend</code> methods</td>
  171. * <td>This allows an attacker to create thread groups and
  172. * set their run priority.</td>
  173. * </tr>
  174. *
  175. * <tr>
  176. * <td>getProtectionDomain</td>
  177. * <td>Retrieval of the ProtectionDomain for a class</td>
  178. * <td>This allows code to obtain policy information
  179. * for a particular code source. While obtaining policy information
  180. * does not compromise the security of the system, it does give
  181. * attackers additional information, such as local file names for
  182. * example, to better aim an attack.</td>
  183. * </tr>
  184. *
  185. * <tr>
  186. * <td>readFileDescriptor</td>
  187. * <td>Reading of file descriptors</td>
  188. * <td>This would allow code to read the particular file associated
  189. * with the file descriptor read. This is dangerous if the file
  190. * contains confidential data.</td>
  191. * </tr>
  192. *
  193. * <tr>
  194. * <td>writeFileDescriptor</td>
  195. * <td>Writing to file descriptors</td>
  196. * <td>This allows code to write to a particular file associated
  197. * with the descriptor. This is dangerous because it may allow
  198. * malicious code to plant viruses or at the very least, fill up
  199. * your entire disk.</td>
  200. * </tr>
  201. *
  202. * <tr>
  203. * <td>loadLibrary.{library name}</td>
  204. * <td>Dynamic linking of the specified library</td>
  205. * <td>It is dangerous to allow an applet permission to load native code
  206. * libraries, because the Java security architecture is not designed to and
  207. * does not prevent malicious behavior at the level of native code.</td>
  208. * </tr>
  209. *
  210. * <tr>
  211. * <td>accessClassInPackage.{package name}</td>
  212. * <td>Access to the specified package via a class loader's
  213. * <code>loadClass</code> method when that class loader calls
  214. * the SecurityManager <code>checkPackageAccess</code> method</td>
  215. * <td>This gives code access to classes in packages
  216. * to which it normally does not have access. Malicious code
  217. * may use these classes to help in its attempt to compromise
  218. * security in the system.</td>
  219. * </tr>
  220. *
  221. * <tr>
  222. * <td>defineClassInPackage.{package name}</td>
  223. * <td>Definition of classes in the specified package, via a class
  224. * loader's <code>defineClass</code> method when that class loader calls
  225. * the SecurityManager <code>checkPackageDefinition</code> method.</td>
  226. * <td>This grants code permission to define a class
  227. * in a particular package. This is dangerous because malicious
  228. * code with this permission may define rogue classes in
  229. * trusted packages like <code>java.security</code> or <code>java.lang</code>,
  230. * for example.</td>
  231. * </tr>
  232. *
  233. * <tr>
  234. * <td>accessDeclaredMembers</td>
  235. * <td>Access to the declared members of a class</td>
  236. * <td>This grants code permission to query a class for its public,
  237. * protected, default (package) access, and private fields and/or
  238. * methods. Although the code would have
  239. * access to the private and protected field and method names, it would not
  240. * have access to the private/protected field data and would not be able
  241. * to invoke any private methods. Nevertheless, malicious code
  242. * may use this information to better aim an attack.
  243. * Additionally, it may invoke any public methods and/or access public fields
  244. * in the class. This could be dangerous if
  245. * the code would normally not be able to invoke those methods and/or
  246. * access the fields because
  247. * it can't cast the object to the class/interface with those methods
  248. * and fields.
  249. </td>
  250. * </tr>
  251. * <tr>
  252. * <td>queuePrintJob</td>
  253. * <td>Initiation of a print job request</td>
  254. * <td>This could print sensitive information to a printer,
  255. * or simply waste paper.</td>
  256. * </tr>
  257. *
  258. * <tr>
  259. * <td>getStackTrace</td>
  260. * <td>Retrieval of the stack trace information of another thread.</td>
  261. * <td>This allows retrieval of the stack trace information of
  262. * another thread. This might allow malicious code to monitor the
  263. * execution of threads and discover vulnerabilities in applications.</td>
  264. * </tr>
  265. *
  266. * <tr>
  267. * <td>setDefaultUncaughtExceptionHandler</td>
  268. * <td>Setting the default handler to be used when a thread
  269. * terminates abruptly due to an uncaught exception</td>
  270. * <td>This allows an attacker to register a malicious
  271. * uncaught exception handler that could interfere with termination
  272. * of a thread</td>
  273. * </tr>
  274. *
  275. * <tr>
  276. * <td>preferences</td>
  277. * <td>Represents the permission required to get access to the
  278. * java.util.prefs.Preferences implementations user or system root
  279. * which in turn allows retrieval or update operations within the
  280. * Preferences persistent backing store.) </td>
  281. * <td>This permission allows the user to read from or write to the
  282. * preferences backing store if the user running the code has
  283. * sufficient OS privileges to read/write to that backing store.
  284. * The actual backing store may reside within a traditional filesystem
  285. * directory or within a registry depending on the platform OS</td>
  286. * </tr>
  287. * </table>
  288. *
  289. * @see java.security.BasicPermission
  290. * @see java.security.Permission
  291. * @see java.security.Permissions
  292. * @see java.security.PermissionCollection
  293. * @see java.lang.SecurityManager
  294. *
  295. * @version 1.53 04/04/20
  296. *
  297. * @author Marianne Mueller
  298. * @author Roland Schemers
  299. */
  300. public final class RuntimePermission extends BasicPermission {
  301. private static final long serialVersionUID = 7399184964622342223L;
  302. /**
  303. * Creates a new RuntimePermission with the specified name.
  304. * The name is the symbolic name of the RuntimePermission, such as
  305. * "exit", "setFactory", etc. An asterisk
  306. * may appear at the end of the name, following a ".", or by itself, to
  307. * signify a wildcard match.
  308. *
  309. * @param name the name of the RuntimePermission.
  310. */
  311. public RuntimePermission(String name)
  312. {
  313. super(name);
  314. }
  315. /**
  316. * Creates a new RuntimePermission object with the specified name.
  317. * The name is the symbolic name of the RuntimePermission, and the
  318. * actions String is currently unused and should be null.
  319. *
  320. * @param name the name of the RuntimePermission.
  321. * @param actions should be null.
  322. */
  323. public RuntimePermission(String name, String actions)
  324. {
  325. super(name, actions);
  326. }
  327. }