public inbox for java-prs@sourceware.org
help / color / mirror / Atom feed
* [Bug java/20704] New: CNI code is called/loaded without any security checks
@ 2005-03-31 22:47 mark at gcc dot gnu dot org
2005-03-31 22:51 ` [Bug libgcj/20704] " pinskia at gcc dot gnu dot org
0 siblings, 1 reply; 2+ messages in thread
From: mark at gcc dot gnu dot org @ 2005-03-31 22:47 UTC (permalink / raw)
To: java-prs
Classes using native CNI methods are loaded without any extra security checks.
When a class uses native JNI methods it needs to make sure the appropriate
library containing the JNI functions are loaded. Which means that at a certain
point the call chain must have had a RuntimePermission("loadLibrary") because
Runtime.loadLibrary() has to be called. For classes using CNI native methods no
such requirement is needed which means that "CNI native code" can be called
through such classes without a security check for the RuntimePermission being done.
A "solution" could be to have the static initializer of such classes using CNI
native code make a security check themselves for RuntimePermission("loadLibrary").
This does mean we need some way to simulate the "trusted" way of calling
Runtime.loadLibrary() through a PrivilegedAction (which means the class itself
needs to have the RuntimePermission, but the rest of the call chain doesn't).
--
Summary: CNI code is called/loaded without any security checks
Product: gcc
Version: 4.0.0
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: java
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: mark at gcc dot gnu dot org
CC: gcc-bugs at gcc dot gnu dot org,java-prs at gcc dot gnu
dot org
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20704
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug libgcj/20704] CNI code is called/loaded without any security checks
2005-03-31 22:47 [Bug java/20704] New: CNI code is called/loaded without any security checks mark at gcc dot gnu dot org
@ 2005-03-31 22:51 ` pinskia at gcc dot gnu dot org
0 siblings, 0 replies; 2+ messages in thread
From: pinskia at gcc dot gnu dot org @ 2005-03-31 22:51 UTC (permalink / raw)
To: java-prs
------- Additional Comments From pinskia at gcc dot gnu dot org 2005-03-31 17:30 -------
Confirmed.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Component|java |libgcj
Ever Confirmed| |1
Last reconfirmed|0000-00-00 00:00:00 |2005-03-31 17:30:04
date| |
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20704
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2005-03-31 17:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2005-03-31 22:47 [Bug java/20704] New: CNI code is called/loaded without any security checks mark at gcc dot gnu dot org
2005-03-31 22:51 ` [Bug libgcj/20704] " pinskia at gcc dot gnu dot org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).