View Javadoc
1   /*
2    * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4    *
5    * This code is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU General Public License version 2 only, as
7    * published by the Free Software Foundation.  Oracle designates this
8    * particular file as subject to the "Classpath" exception as provided
9    * by Oracle in the LICENSE file that accompanied this code.
10   *
11   * This code is distributed in the hope that it will be useful, but WITHOUT
12   * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13   * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14   * version 2 for more details (a copy is included in the LICENSE file that
15   * accompanied this code).
16   *
17   * You should have received a copy of the GNU General Public License version
18   * 2 along with this work; if not, write to the Free Software Foundation,
19   * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20   *
21   * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22   * or visit www.oracle.com if you need additional information or have any
23   * questions.
24   */
25  
26  package java.lang;
27  
28  import java.security.*;
29  import java.util.Enumeration;
30  import java.util.Hashtable;
31  import java.util.StringTokenizer;
32  
33  /**
34   * This class is for runtime permissions. A RuntimePermission
35   * contains a name (also referred to as a "target name") but
36   * no actions list; you either have the named permission
37   * or you don't.
38   *
39   * <P>
40   * The target name is the name of the runtime permission (see below). The
41   * naming convention follows the  hierarchical property naming convention.
42   * Also, an asterisk
43   * may appear at the end of the name, following a ".", or by itself, to
44   * signify a wildcard match. For example: "loadLibrary.*" and "*" signify a
45   * wildcard match, while "*loadLibrary" and "a*b" do not.
46   * <P>
47   * The following table lists all the possible RuntimePermission target names,
48   * and for each provides a description of what the permission allows
49   * and a discussion of the risks of granting code the permission.
50   *
51   * <table border=1 cellpadding=5 summary="permission target name,
52   *  what the target allows,and associated risks">
53   * <tr>
54   * <th>Permission Target Name</th>
55   * <th>What the Permission Allows</th>
56   * <th>Risks of Allowing this Permission</th>
57   * </tr>
58   *
59   * <tr>
60   *   <td>createClassLoader</td>
61   *   <td>Creation of a class loader</td>
62   *   <td>This is an extremely dangerous permission to grant.
63   * Malicious applications that can instantiate their own class
64   * loaders could then load their own rogue classes into the system.
65   * These newly loaded classes could be placed into any protection
66   * domain by the class loader, thereby automatically granting the
67   * classes the permissions for that domain.</td>
68   * </tr>
69   *
70   * <tr>
71   *   <td>getClassLoader</td>
72   *   <td>Retrieval of a class loader (e.g., the class loader for the calling
73   * class)</td>
74   *   <td>This would grant an attacker permission to get the
75   * class loader for a particular class. This is dangerous because
76   * having access to a class's class loader allows the attacker to
77   * load other classes available to that class loader. The attacker
78   * would typically otherwise not have access to those classes.</td>
79   * </tr>
80   *
81   * <tr>
82   *   <td>setContextClassLoader</td>
83   *   <td>Setting of the context class loader used by a thread</td>
84   *   <td>The context class loader is used by system code and extensions
85   * when they need to lookup resources that might not exist in the system
86   * class loader. Granting setContextClassLoader permission would allow
87   * code to change which context class loader is used
88   * for a particular thread, including system threads.</td>
89   * </tr>
90   *
91   * <tr>
92   *   <td>enableContextClassLoaderOverride</td>
93   *   <td>Subclass implementation of the thread context class loader methods</td>
94   *   <td>The context class loader is used by system code and extensions
95   * when they need to lookup resources that might not exist in the system
96   * class loader. Granting enableContextClassLoaderOverride permission would allow
97   * a subclass of Thread to override the methods that are used
98   * to get or set the context class loader for a particular thread.</td>
99   * </tr>
100  *
101  * <tr>
102  *   <td>closeClassLoader</td>
103  *   <td>Closing of a ClassLoader</td>
104  *   <td>Granting this permission allows code to close any URLClassLoader
105  * that it has a reference to.</td>
106  * </tr>
107  *
108  * <tr>
109  *   <td>setSecurityManager</td>
110  *   <td>Setting of the security manager (possibly replacing an existing one)
111  * </td>
112  *   <td>The security manager is a class that allows
113  * applications to implement a security policy. Granting the setSecurityManager
114  * permission would allow code to change which security manager is used by
115  * installing a different, possibly less restrictive security manager,
116  * thereby bypassing checks that would have been enforced by the original
117  * security manager.</td>
118  * </tr>
119  *
120  * <tr>
121  *   <td>createSecurityManager</td>
122  *   <td>Creation of a new security manager</td>
123  *   <td>This gives code access to protected, sensitive methods that may
124  * disclose information about other classes or the execution stack.</td>
125  * </tr>
126  *
127  * <tr>
128  *   <td>getenv.{variable name}</td>
129  *   <td>Reading of the value of the specified environment variable</td>
130  *   <td>This would allow code to read the value, or determine the
131  *       existence, of a particular environment variable.  This is
132  *       dangerous if the variable contains confidential data.</td>
133  * </tr>
134  *
135  * <tr>
136  *   <td>exitVM.{exit status}</td>
137  *   <td>Halting of the Java Virtual Machine with the specified exit status</td>
138  *   <td>This allows an attacker to mount a denial-of-service attack
139  * by automatically forcing the virtual machine to halt.
140  * Note: The "exitVM.*" permission is automatically granted to all code
141  * loaded from the application class path, thus enabling applications
142  * to terminate themselves. Also, the "exitVM" permission is equivalent to
143  * "exitVM.*".</td>
144  * </tr>
145  *
146  * <tr>
147  *   <td>shutdownHooks</td>
148  *   <td>Registration and cancellation of virtual-machine shutdown hooks</td>
149  *   <td>This allows an attacker to register a malicious shutdown
150  * hook that interferes with the clean shutdown of the virtual machine.</td>
151  * </tr>
152  *
153  * <tr>
154  *   <td>setFactory</td>
155  *   <td>Setting of the socket factory used by ServerSocket or Socket,
156  * or of the stream handler factory used by URL</td>
157  *   <td>This allows code to set the actual implementation
158  * for the socket, server socket, stream handler, or RMI socket factory.
159  * An attacker may set a faulty implementation which mangles the data
160  * stream.</td>
161  * </tr>
162  *
163  * <tr>
164  *   <td>setIO</td>
165  *   <td>Setting of System.out, System.in, and System.err</td>
166  *   <td>This allows changing the value of the standard system streams.
167  * An attacker may change System.in to monitor and
168  * steal user input, or may set System.err to a "null" OutputStream,
169  * which would hide any error messages sent to System.err. </td>
170  * </tr>
171  *
172  * <tr>
173  *   <td>modifyThread</td>
174  *   <td>Modification of threads, e.g., via calls to Thread
175  * <tt>interrupt</tt>, <tt>stop</tt>, <tt>suspend</tt>,
176  * <tt>resume</tt>, <tt>setDaemon</tt>, <tt>setPriority</tt>,
177  * <tt>setName</tt> and <tt>setUncaughtExceptionHandler</tt>
178  * methods</td>
179  * <td>This allows an attacker to modify the behaviour of
180  * any thread in the system.</td>
181  * </tr>
182  *
183  * <tr>
184  *   <td>stopThread</td>
185  *   <td>Stopping of threads via calls to the Thread <code>stop</code>
186  * method</td>
187  *   <td>This allows code to stop any thread in the system provided that it is
188  * already granted permission to access that thread.
189  * This poses as a threat, because that code may corrupt the system by
190  * killing existing threads.</td>
191  * </tr>
192  *
193  * <tr>
194  *   <td>modifyThreadGroup</td>
195  *   <td>modification of thread groups, e.g., via calls to ThreadGroup
196  * <code>destroy</code>, <code>getParent</code>, <code>resume</code>,
197  * <code>setDaemon</code>, <code>setMaxPriority</code>, <code>stop</code>,
198  * and <code>suspend</code> methods</td>
199  *   <td>This allows an attacker to create thread groups and
200  * set their run priority.</td>
201  * </tr>
202  *
203  * <tr>
204  *   <td>getProtectionDomain</td>
205  *   <td>Retrieval of the ProtectionDomain for a class</td>
206  *   <td>This allows code to obtain policy information
207  * for a particular code source. While obtaining policy information
208  * does not compromise the security of the system, it does give
209  * attackers additional information, such as local file names for
210  * example, to better aim an attack.</td>
211  * </tr>
212  *
213  * <tr>
214  *   <td>getFileSystemAttributes</td>
215  *   <td>Retrieval of file system attributes</td>
216  *   <td>This allows code to obtain file system information such as disk usage
217  *       or disk space available to the caller.  This is potentially dangerous
218  *       because it discloses information about the system hardware
219  *       configuration and some information about the caller's privilege to
220  *       write files.</td>
221  * </tr>
222  *
223  * <tr>
224  *   <td>readFileDescriptor</td>
225  *   <td>Reading of file descriptors</td>
226  *   <td>This would allow code to read the particular file associated
227  *       with the file descriptor read. This is dangerous if the file
228  *       contains confidential data.</td>
229  * </tr>
230  *
231  * <tr>
232  *   <td>writeFileDescriptor</td>
233  *   <td>Writing to file descriptors</td>
234  *   <td>This allows code to write to a particular file associated
235  *       with the descriptor. This is dangerous because it may allow
236  *       malicious code to plant viruses or at the very least, fill up
237  *       your entire disk.</td>
238  * </tr>
239  *
240  * <tr>
241  *   <td>loadLibrary.{library name}</td>
242  *   <td>Dynamic linking of the specified library</td>
243  *   <td>It is dangerous to allow an applet permission to load native code
244  * libraries, because the Java security architecture is not designed to and
245  * does not prevent malicious behavior at the level of native code.</td>
246  * </tr>
247  *
248  * <tr>
249  *   <td>accessClassInPackage.{package name}</td>
250  *   <td>Access to the specified package via a class loader's
251  * <code>loadClass</code> method when that class loader calls
252  * the SecurityManager <code>checkPackageAccess</code> method</td>
253  *   <td>This gives code access to classes in packages
254  * to which it normally does not have access. Malicious code
255  * may use these classes to help in its attempt to compromise
256  * security in the system.</td>
257  * </tr>
258  *
259  * <tr>
260  *   <td>defineClassInPackage.{package name}</td>
261  *   <td>Definition of classes in the specified package, via a class
262  * loader's <code>defineClass</code> method when that class loader calls
263  * the SecurityManager <code>checkPackageDefinition</code> method.</td>
264  *   <td>This grants code permission to define a class
265  * in a particular package. This is dangerous because malicious
266  * code with this permission may define rogue classes in
267  * trusted packages like <code>java.security</code> or <code>java.lang</code>,
268  * for example.</td>
269  * </tr>
270  *
271  * <tr>
272  *   <td>accessDeclaredMembers</td>
273  *   <td>Access to the declared members of a class</td>
274  *   <td>This grants code permission to query a class for its public,
275  * protected, default (package) access, and private fields and/or
276  * methods. Although the code would have
277  * access to the private and protected field and method names, it would not
278  * have access to the private/protected field data and would not be able
279  * to invoke any private methods. Nevertheless, malicious code
280  * may use this information to better aim an attack.
281  * Additionally, it may invoke any public methods and/or access public fields
282  * in the class.  This could be dangerous if
283  * the code would normally not be able to invoke those methods and/or
284  * access the fields  because
285  * it can't cast the object to the class/interface with those methods
286  * and fields.
287 </td>
288  * </tr>
289  * <tr>
290  *   <td>queuePrintJob</td>
291  *   <td>Initiation of a print job request</td>
292  *   <td>This could print sensitive information to a printer,
293  * or simply waste paper.</td>
294  * </tr>
295  *
296  * <tr>
297  *   <td>getStackTrace</td>
298  *   <td>Retrieval of the stack trace information of another thread.</td>
299  *   <td>This allows retrieval of the stack trace information of
300  * another thread.  This might allow malicious code to monitor the
301  * execution of threads and discover vulnerabilities in applications.</td>
302  * </tr>
303  *
304  * <tr>
305  *   <td>setDefaultUncaughtExceptionHandler</td>
306  *   <td>Setting the default handler to be used when a thread
307  *   terminates abruptly due to an uncaught exception</td>
308  *   <td>This allows an attacker to register a malicious
309  *   uncaught exception handler that could interfere with termination
310  *   of a thread</td>
311  * </tr>
312  *
313  * <tr>
314  *   <td>preferences</td>
315  *   <td>Represents the permission required to get access to the
316  *   java.util.prefs.Preferences implementations user or system root
317  *   which in turn allows retrieval or update operations within the
318  *   Preferences persistent backing store.) </td>
319  *   <td>This permission allows the user to read from or write to the
320  *   preferences backing store if the user running the code has
321  *   sufficient OS privileges to read/write to that backing store.
322  *   The actual backing store may reside within a traditional filesystem
323  *   directory or within a registry depending on the platform OS</td>
324  * </tr>
325  *
326  * <tr>
327  *   <td>usePolicy</td>
328  *   <td>Granting this permission disables the Java Plug-In's default
329  *   security prompting behavior.</td>
330  *   <td>For more information, refer to Java Plug-In's guides, <a href=
331  *   "../../../technotes/guides/plugin/developer_guide/security.html">
332  *   Applet Security Basics</a> and <a href=
333  *   "../../../technotes/guides/plugin/developer_guide/rsa_how.html#use">
334  *   usePolicy Permission</a>.</td>
335  * </tr>
336  * </table>
337  *
338  * @see java.security.BasicPermission
339  * @see java.security.Permission
340  * @see java.security.Permissions
341  * @see java.security.PermissionCollection
342  * @see java.lang.SecurityManager
343  *
344  *
345  * @author Marianne Mueller
346  * @author Roland Schemers
347  */
348 
349 public final class RuntimePermission extends BasicPermission {
350 
351     private static final long serialVersionUID = 7399184964622342223L;
352 
353     /**
354      * Creates a new RuntimePermission with the specified name.
355      * The name is the symbolic name of the RuntimePermission, such as
356      * "exit", "setFactory", etc. An asterisk
357      * may appear at the end of the name, following a ".", or by itself, to
358      * signify a wildcard match.
359      *
360      * @param name the name of the RuntimePermission.
361      *
362      * @throws NullPointerException if <code>name</code> is <code>null</code>.
363      * @throws IllegalArgumentException if <code>name</code> is empty.
364      */
365 
366     public RuntimePermission(String name)
367     {
368         super(name);
369     }
370 
371     /**
372      * Creates a new RuntimePermission object with the specified name.
373      * The name is the symbolic name of the RuntimePermission, and the
374      * actions String is currently unused and should be null.
375      *
376      * @param name the name of the RuntimePermission.
377      * @param actions should be null.
378      *
379      * @throws NullPointerException if <code>name</code> is <code>null</code>.
380      * @throws IllegalArgumentException if <code>name</code> is empty.
381      */
382 
383     public RuntimePermission(String name, String actions)
384     {
385         super(name, actions);
386     }
387 }