1. /*

  2.  * @(#)RuntimePermission.java	1.53 04/04/20

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.lang;

  9. 

  10. import java.security.*;

  11. import java.util.Enumeration;

  12. import java.util.Hashtable;

  13. import java.util.StringTokenizer;

  14. 

  15. /**

  16.  * This class is for runtime permissions. A RuntimePermission

  17.  * contains a name (also referred to as a "target name") but

  18.  * no actions list; you either have the named permission

  19.  * or you don't.

  20.  *

  21.  * <P>

  22.  * The target name is the name of the runtime permission (see below). The

  23.  * naming convention follows the  hierarchical property naming convention.

  24.  * Also, an asterisk

  25.  * may appear at the end of the name, following a ".", or by itself, to

  26.  * signify a wildcard match. For example: "loadLibrary.*" or "*" is valid,

  27.  * "*loadLibrary" or "a*b" is not valid.

  28.  * <P>

  29.  * The following table lists all the possible RuntimePermission target names,

  30.  * and for each provides a description of what the permission allows

  31.  * and a discussion of the risks of granting code the permission.

  32.  * <P>

  33.  *

  34.  * <table border=1 cellpadding=5 summary="permission target name, 

  35.  *  what the target allows,and associated risks">

  36.  * <tr>

  37.  * <th>Permission Target Name</th>

  38.  * <th>What the Permission Allows</th>

  39.  * <th>Risks of Allowing this Permission</th>

  40.  * </tr>

  41.  *

  42.  * <tr>

  43.  *   <td>createClassLoader</td>

  44.  *   <td>Creation of a class loader</td>

  45.  *   <td>This is an extremely dangerous permission to grant.

  46.  * Malicious applications that can instantiate their own class

  47.  * loaders could then load their own rogue classes into the system.

  48.  * These newly loaded classes could be placed into any protection

  49.  * domain by the class loader, thereby automatically granting the

  50.  * classes the permissions for that domain.</td>

  51.  * </tr>

  52.  *

  53.  * <tr>

  54.  *   <td>getClassLoader</td>

  55.  *   <td>Retrieval of a class loader (e.g., the class loader for the calling

  56.  * class)</td>

  57.  *   <td>This would grant an attacker permission to get the

  58.  * class loader for a particular class. This is dangerous because

  59.  * having access to a class's class loader allows the attacker to

  60.  * load other classes available to that class loader. The attacker

  61.  * would typically otherwise not have access to those classes.</td>

  62.  * </tr>

  63.  *

  64.  * <tr>

  65.  *   <td>setContextClassLoader</td>

  66.  *   <td>Setting of the context class loader used by a thread</td>

  67.  *   <td>The context class loader is used by system code and extensions

  68.  * when they need to lookup resources that might not exist in the system

  69.  * class loader. Granting setContextClassLoader permission would allow

  70.  * code to change which context class loader is used

  71.  * for a particular thread, including system threads.</td>

  72.  * </tr>

  73.  *

  74.  * <tr>

  75.  *   <td>enableContextClassLoaderOverride</td>

  76.  *   <td>Subclass implementation of the thread context class loader methods</td>

  77.  *   <td>The context class loader is used by system code and extensions

  78.  * when they need to lookup resources that might not exist in the system

  79.  * class loader. Granting enableContextClassLoaderOverride permission would allow

  80.  * a subclass of Thread to override the methods that are used

  81.  * to get or set the context class loader for a particular thread.</td>

  82.  * </tr>

  83.  *

  84.  * <tr>

  85.  *   <td>setSecurityManager</td>

  86.  *   <td>Setting of the security manager (possibly replacing an existing one)

  87.  * </td>

  88.  *   <td>The security manager is a class that allows 

  89.  * applications to implement a security policy. Granting the setSecurityManager

  90.  * permission would allow code to change which security manager is used by

  91.  * installing a different, possibly less restrictive security manager,

  92.  * thereby bypassing checks that would have been enforced by the original

  93.  * security manager.</td>

  94.  * </tr>

  95.  *

  96.  * <tr>

  97.  *   <td>createSecurityManager</td>

  98.  *   <td>Creation of a new security manager</td>

  99.  *   <td>This gives code access to protected, sensitive methods that may

  100.  * disclose information about other classes or the execution stack.</td>

  101.  * </tr>

  102.  *

  103.  * <tr>

  104.  *   <td>getenv.{variable name}</td>

  105.  *   <td>Reading of the value of the specified environment variable</td>

  106.  *   <td>This would allow code to read the value, or determine the

  107.  *       existence, of a particular environment variable.  This is

  108.  *       dangerous if the variable contains confidential data.</td>

  109.  * </tr>

  110.  *

  111.  * <tr>

  112.  *   <td>exitVM</td>

  113.  *   <td>Halting of the Java Virtual Machine</td>

  114.  *   <td>This allows an attacker to mount a denial-of-service attack

  115.  * by automatically forcing the virtual machine to halt.

  116.  * Note: The "exitVM" permission is automatically granted to all code

  117.  * loaded from the application class path, thus enabling applications

  118.  * to terminate themselves.</td>

  119.  * </tr>

  120.  *

  121.  * <tr>

  122.  *   <td>shutdownHooks</td>

  123.  *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>

  124.  *   <td>This allows an attacker to register a malicious shutdown

  125.  * hook that interferes with the clean shutdown of the virtual machine.</td>

  126.  * </tr>

  127.  *

  128.  * <tr>

  129.  *   <td>setFactory</td>

  130.  *   <td>Setting of the socket factory used by ServerSocket or Socket,

  131.  * or of the stream handler factory used by URL</td>

  132.  *   <td>This allows code to set the actual implementation

  133.  * for the socket, server socket, stream handler, or RMI socket factory.

  134.  * An attacker may set a faulty implementation which mangles the data

  135.  * stream.</td>

  136.  * </tr>

  137.  *

  138.  * <tr>

  139.  *   <td>setIO</td>

  140.  *   <td>Setting of System.out, System.in, and System.err</td>

  141.  *   <td>This allows changing the value of the standard system streams.

  142.  * An attacker may change System.in to monitor and

  143.  * steal user input, or may set System.err to a "null" OutputStream,

  144.  * which would hide any error messages sent to System.err. </td>

  145.  * </tr>

  146.  *

  147.  * <tr>

  148.  *   <td>modifyThread</td>

  149.  *   <td>Modification of threads, e.g., via calls to Thread

  150.  * <tt>interrupt</tt>, <tt>stop</tt>, <tt>suspend</tt>,

  151.  * <tt>resume</tt>, <tt>setDaemon</tt>, <tt>setPriority</tt>,

  152.  * <tt>setName</tt> and <tt>setUncaughtExceptionHandler</tt>

  153.  * methods</td> 

  154.  * <td>This allows an attacker to modify the behaviour of

  155.  * any thread in the system.</td>

  156.  * </tr>

  157.  *

  158.  * <tr>

  159.  *   <td>stopThread</td>

  160.  *   <td>Stopping of threads via calls to the Thread <code>stop</code>

  161.  * method</td>

  162.  *   <td>This allows code to stop any thread in the system provided that it is

  163.  * already granted permission to access that thread.

  164.  * This poses as a threat, because that code may corrupt the system by

  165.  * killing existing threads.</td>

  166.  * </tr>

  167.  *

  168.  * <tr>

  169.  *   <td>modifyThreadGroup</td>

  170.  *   <td>modification of thread groups, e.g., via calls to ThreadGroup

  171.  * <code>destroy</code>, <code>getParent</code>, <code>resume</code>, 

  172.  * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>, 

  173.  * and <code>suspend</code> methods</td>

  174.  *   <td>This allows an attacker to create thread groups and

  175.  * set their run priority.</td>

  176.  * </tr>

  177.  *

  178.  * <tr>

  179.  *   <td>getProtectionDomain</td>

  180.  *   <td>Retrieval of the ProtectionDomain for a class</td>

  181.  *   <td>This allows code to obtain policy information

  182.  * for a particular code source. While obtaining policy information

  183.  * does not compromise the security of the system, it does give

  184.  * attackers additional information, such as local file names for

  185.  * example, to better aim an attack.</td>

  186.  * </tr>

  187.  *

  188.  * <tr>

  189.  *   <td>readFileDescriptor</td>

  190.  *   <td>Reading of file descriptors</td>

  191.  *   <td>This would allow code to read the particular file associated

  192.  *       with the file descriptor read. This is dangerous if the file

  193.  *       contains confidential data.</td>

  194.  * </tr>

  195.  *

  196.  * <tr>

  197.  *   <td>writeFileDescriptor</td>

  198.  *   <td>Writing to file descriptors</td>

  199.  *   <td>This allows code to write to a particular file associated

  200.  *       with the descriptor. This is dangerous because it may allow

  201.  *       malicious code to plant viruses or at the very least, fill up

  202.  *       your entire disk.</td>

  203.  * </tr>

  204.  *

  205.  * <tr>

  206.  *   <td>loadLibrary.{library name}</td>

  207.  *   <td>Dynamic linking of the specified library</td>

  208.  *   <td>It is dangerous to allow an applet permission to load native code

  209.  * libraries, because the Java security architecture is not designed to and

  210.  * does not prevent malicious behavior at the level of native code.</td>

  211.  * </tr>

  212.  *

  213.  * <tr>

  214.  *   <td>accessClassInPackage.{package name}</td>

  215.  *   <td>Access to the specified package via a class loader's

  216.  * <code>loadClass</code> method when that class loader calls

  217.  * the SecurityManager <code>checkPackageAccess</code> method</td>

  218.  *   <td>This gives code access to classes in packages

  219.  * to which it normally does not have access. Malicious code

  220.  * may use these classes to help in its attempt to compromise

  221.  * security in the system.</td>

  222.  * </tr>

  223.  *

  224.  * <tr>

  225.  *   <td>defineClassInPackage.{package name}</td>

  226.  *   <td>Definition of classes in the specified package, via a class

  227.  * loader's <code>defineClass</code> method when that class loader calls

  228.  * the SecurityManager <code>checkPackageDefinition</code> method.</td>

  229.  *   <td>This grants code permission to define a class

  230.  * in a particular package. This is dangerous because malicious

  231.  * code with this permission may define rogue classes in

  232.  * trusted packages like <code>java.security</code> or <code>java.lang</code>,

  233.  * for example.</td>

  234.  * </tr>

  235.  *

  236.  * <tr>

  237.  *   <td>accessDeclaredMembers</td>

  238.  *   <td>Access to the declared members of a class</td>

  239.  *   <td>This grants code permission to query a class for its public,

  240.  * protected, default (package) access, and private fields and/or

  241.  * methods. Although the code would have

  242.  * access to the private and protected field and method names, it would not

  243.  * have access to the private/protected field data and would not be able

  244.  * to invoke any private methods. Nevertheless, malicious code

  245.  * may use this information to better aim an attack.

  246.  * Additionally, it may invoke any public methods and/or access public fields

  247.  * in the class.  This could be dangerous if

  248.  * the code would normally not be able to invoke those methods and/or

  249.  * access the fields  because

  250.  * it can't cast the object to the class/interface with those methods

  251.  * and fields.

  252. </td>

  253.  * </tr>

  254.  * <tr>

  255.  *   <td>queuePrintJob</td>

  256.  *   <td>Initiation of a print job request</td>

  257.  *   <td>This could print sensitive information to a printer,

  258.  * or simply waste paper.</td>

  259.  * </tr>

  260.  *

  261.  * <tr>

  262.  *   <td>getStackTrace</td>

  263.  *   <td>Retrieval of the stack trace information of another thread.</td>

  264.  *   <td>This allows retrieval of the stack trace information of 

  265.  * another thread.  This might allow malicious code to monitor the 

  266.  * execution of threads and discover vulnerabilities in applications.</td>

  267.  * </tr>

  268.  *

  269.  * <tr>

  270.  *   <td>setDefaultUncaughtExceptionHandler</td>

  271.  *   <td>Setting the default handler to be used when a thread

  272.  *   terminates abruptly due to an uncaught exception</td>

  273.  *   <td>This allows an attacker to register a malicious

  274.  *   uncaught exception handler that could interfere with termination

  275.  *   of a thread</td>

  276.  * </tr>

  277.  *

  278.  * <tr>

  279.  *   <td>preferences</td>

  280.  *   <td>Represents the permission required to get access to the

  281.  *   java.util.prefs.Preferences implementations user or system root

  282.  *   which in turn allows retrieval or update operations within the

  283.  *   Preferences persistent backing store.) </td>

  284.  *   <td>This permission allows the user to read from or write to the

  285.  *   preferences backing store if the user running the code has 

  286.  *   sufficient OS privileges to read/write to that backing store.

  287.  *   The actual backing store may reside within a traditional filesystem

  288.  *   directory or within a registry depending on the platform OS</td>

  289.  * </tr>

  290. 

  291.  * </table>

  292.  *

  293.  * @see java.security.BasicPermission

  294.  * @see java.security.Permission

  295.  * @see java.security.Permissions

  296.  * @see java.security.PermissionCollection

  297.  * @see java.lang.SecurityManager

  298.  *

  299.  * @version 1.53 04/04/20

  300.  *

  301.  * @author Marianne Mueller

  302.  * @author Roland Schemers

  303.  */

  304. 

  305. public final class RuntimePermission extends BasicPermission {

  306. 

  307.     private static final long serialVersionUID = 7399184964622342223L;

  308. 

  309.     /**

  310.      * Creates a new RuntimePermission with the specified name.

  311.      * The name is the symbolic name of the RuntimePermission, such as

  312.      * "exit", "setFactory", etc. An asterisk

  313.      * may appear at the end of the name, following a ".", or by itself, to

  314.      * signify a wildcard match.

  315.      *

  316.      * @param name the name of the RuntimePermission.

  317.      */

  318. 

  319.     public RuntimePermission(String name)

  320.     {

  321. 	super(name);

  322.     }

  323. 

  324.     /**

  325.      * Creates a new RuntimePermission object with the specified name.

  326.      * The name is the symbolic name of the RuntimePermission, and the

  327.      * actions String is currently unused and should be null.

  328.      *

  329.      * @param name the name of the RuntimePermission.

  330.      * @param actions should be null.

  331.      */

  332. 

  333.     public RuntimePermission(String name, String actions)

  334.     {

  335. 	super(name, actions);

  336.     }

  337. }