RFR(M) 8189116: Give the jdk.internal.vm.compiler.management only the permissions it really needs to expose the bean

mandy chung mandy.chung at oracle.com
Fri Nov 10 19:58:04 UTC 2017

On 11/10/17 1:55 AM, Jaroslav Tulach wrote:
> Hi.
> I believe I have a fix for JDK-8189116 - the
> jdk.internal.vm.compiler.management needs only a few permissions as shown in my
> webrev: http://cr.openjdk.java.net/~jtulach/8189116/webrev.01/

The change looks fine.  This mainly depends on the test coverage and 
also code inspection to find security-sensitive operations.
> I have executed all the tests I found and it seems none of them regressed.

You ran jdk_svc, which should cover the management tests.   I assume you 
also run Graal tests.
> Also the Graal Compiler MX bean is properly exposed when the built JDK is
> launched with
> ./build/linux-x64/jdk/bin/java -XX:+UnlockExperimentalVMOptions -XX:+EnableJVMCI -XX:+UseJVMCICompiler -jar ...

You can also try running the above command with -Djava.security.manager 
as a sanity test (the application may need additional permissions) - 
just a sanity test.  Is there a way you can access Graal MBean in a VM 
with security manager enabled (locally is fine) to make sure it can be 
accessed as expected?

This is good to go as long as you verify the access to Graal MBean with 
security manager on.
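
One way to run the check requested above with the security manager on, as an added example that is not part of the original message or the webrev: a small Java client that reads every readable attribute of the beans matching an ObjectName pattern. The class name MBeanAccessCheck and the pattern argument are assumptions; the thread does not give the Graal bean's ObjectName.

```java
import java.lang.management.ManagementFactory;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Added sanity check, not part of the webrev. The ObjectName pattern is a
// caller-supplied argument; this thread does not state the Graal bean's name.
public class MBeanAccessCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            throw new IllegalArgumentException("usage: MBeanAccessCheck <ObjectName pattern>");
        }
        if (System.getSecurityManager() == null) {
            throw new IllegalStateException("no security manager: add -Djava.security.manager");
        }
        ObjectName pattern = new ObjectName(args[0]);
        int found = 0, failures = 0;
        try {
            MBeanServer server = ManagementFactory.getPlatformMBeanServer();
            for (ObjectName name : server.queryNames(pattern, null)) {
                found++;
                for (MBeanAttributeInfo a : server.getMBeanInfo(name).getAttributes()) {
                    if (!a.isReadable()) continue;
                    try {
                        Object v = server.getAttribute(name, a.getName());
                        System.out.println("ok   " + name + " " + a.getName() + " = " + v);
                    } catch (Exception e) {
                        // Denials inside the bean arrive wrapped (RuntimeMBeanException),
                        // so report the cause as well as the outer exception.
                        failures++;
                        System.out.println("FAIL " + name + " " + a.getName() + ": " + e
                                + (e.getCause() != null ? " <- " + e.getCause() : ""));
                    }
                }
            }
        } catch (SecurityException e) {
            // Thrown when the caller itself lacks MBeanServerPermission or MBeanPermission.
            failures++;
            System.out.println("FAIL caller denied: " + e.getMessage());
        }
        System.out.println(found + " bean(s) matched, " + failures + " failure(s)");
        // An uncaught exception gives a non-zero exit status without calling System.exit.
        if (found == 0 || failures > 0) {
            throw new IllegalStateException("MBean access check failed");
        }
    }
}
```

Launch it with the JVMCI flags quoted above plus -Djava.security.manager; the calling code needs policy grants for javax.management.MBeanServerPermission "createMBeanServer" and javax.management.MBeanPermission with the queryNames, getMBeanInfo and getAttribute actions.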
