From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 2698 invoked by alias); 25 Dec 2010 01:15:06 -0000 Received: (qmail 2677 invoked by uid 22791); 25 Dec 2010 01:15:04 -0000 X-SWARE-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_HI,SPF_HELO_PASS,T_HK_NAME_DR,T_RP_MATCHES_RCVD X-Spam-Check-By: sourceware.org Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.43rc1) with ESMTP; Sat, 25 Dec 2010 01:14:56 +0000 Received: from int-mx12.intmail.prod.int.phx2.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id oBP1Es3Q010434 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Fri, 24 Dec 2010 20:14:54 -0500 Received: from rivendell.middle-earth.co.uk (ovpn-113-57.phx2.redhat.com [10.3.113.57]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id oBP1Eop3015733 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 24 Dec 2010 20:14:52 -0500 Date: Sat, 25 Dec 2010 01:15:00 -0000 From: Dr Andrew John Hughes To: mauve-patches@sourceware.org Subject: FYI: Test if Policy.implies(Permission) is called for domains with AllPermission Message-ID: <20101225011449.GA28846@rivendell.middle-earth.co.uk> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-IsSubscribed: yes Mailing-List: contact mauve-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: mauve-patches-owner@sourceware.org X-SW-Source: 2010/txt/msg00003.txt.bz2 --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-length: 1067 I found the following issue when trying to work out why OpenJDK would only pass some permission checks to the Policy object and Classpath VMs would pass them all, causing tests using gnu.testlet.TestSecurityManager to fail. It turns out OpenJDK doesn't bother to check the policy if the domain already has AllPermission (as it obviously already has permission regardless of what the policy says). This adds a Mauve test to check for this behaviour. I'm also committing a patch to Classpath to implement this behaviour. 2010-12-24 Andrew John Hughes * gnu/testlet/java/security/ProtectionDomain/Implies.java: Check if Policy.implies(Permission) is called if the protection domain is already known to have AllPermission. -- Andrew :) Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Support Free Java! Contribute to GNU Classpath and IcedTea http://www.gnu.org/software/classpath http://icedtea.classpath.org PGP Key: 94EFD9D8 (http://subkeys.pgp.net) Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8 --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=diff Content-length: 2821 Index: gnu/testlet/java/security/ProtectionDomain/Implies.java =================================================================== RCS file: gnu/testlet/java/security/ProtectionDomain/Implies.java diff -N gnu/testlet/java/security/ProtectionDomain/Implies.java --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ gnu/testlet/java/security/ProtectionDomain/Implies.java 25 Dec 2010 01:08:41 -0000 @@ -0,0 +1,73 @@ +// Copyright (C) 2010 Red Hat, Inc. +// Written by Andrew John Hughes + +// This file is part of Mauve. + +// Mauve is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; either version 2, or (at your option) +// any later version. + +// Mauve is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License +// along with Mauve; see the file COPYING. If not, write to +// the Free Software Foundation, 59 Temple Place - Suite 330, +// Boston, MA 02111-1307, USA. + +// Tags: JDK1.4 + +package gnu.testlet.java.security.ProtectionDomain; + +import gnu.testlet.Testlet; +import gnu.testlet.TestHarness; + +import java.security.AllPermission; +import java.security.CodeSource; +import java.security.Permission; +import java.security.Permissions; +import java.security.PermissionCollection; +import java.security.Policy; +import java.security.ProtectionDomain; +import java.security.SecurityPermission; + +/** + * Tests whether Policy.implies(Permission) is called + * when the domain has AllPermission as one of its permissions. + */ +public class Implies implements Testlet +{ + + private boolean called = false; + + public void test(TestHarness harness) + { + Policy.setPolicy(new Policy() + { + public boolean implies(ProtectionDomain domain, + Permission perm) + { + if (perm.getName().equals("TestPermission")) + called = true; + return true; + } + public void refresh() {} + public PermissionCollection getPermissions(CodeSource codesource) + { + return null; + } + }); + + System.setSecurityManager(new SecurityManager()); + PermissionCollection coll = new Permissions(); + coll.add(new AllPermission()); + ProtectionDomain pd = new ProtectionDomain(null, coll, + Implies.class.getClassLoader(), null); + pd.implies(new SecurityPermission("TestPermission")); + harness.check(!called, "Policy was not checked due to AllPermission"); + } + +} --cWoXeonUoKmBZSoM--