[rfc][icedtea-web][policyeditor] Reflection and Exec permissions

Jiri Vanek jvanek at redhat.com
Wed Mar 26 14:17:24 UTC 2014

On 03/26/2014 03:03 PM, Andrew Azores wrote:
> On 03/26/2014 05:06 AM, Jiri Vanek wrote:
>> On 03/25/2014 08:34 PM, Andrew Azores wrote:
>>> On 03/25/2014 02:57 PM, Jiri Vanek wrote:
>>>> On 03/25/2014 02:39 PM, Andrew Azores wrote:
>>>>> On 03/25/2014 05:30 AM, Jiri Vanek wrote:
>>>>>> On 03/24/2014 09:05 PM, Andrew Azores wrote:
>>>>>>> Hi,
>>>>>>> This patch just adds Reflection and Exec permission options to PolicyEditor.
>>>>>>> Thanks,
>>>>>> Looks good. Just not sure if it is enough:
>>>>>> eg:
>>>>>> java.lang.NullPointerException
>>>>>> at geogebra.i.x.a(Unknown Source)
>>>>>> at geogebra.gui.a.a.a(Unknown Source)
>>>>>> at geogebra.gui.a.a.a(Unknown Source)
>>>>>> at geogebra.GeoGebra.a(Unknown Source)
>>>>>> at geogebra.GeoGebra.a(Unknown Source)
>>>>>> at geogebra.GeoGebra.main(Unknown Source)
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>> at java.lang.reflect.Method.invoke(Method.java:616)
>>>>>> at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:571)
>>>>>> at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:911)
>>>>>> I think he class for name is not allowed by your permission.
>>>>> Aha! Thanks for catching this. [0] suggests there's only one permission needed for reflection,
>>>>> but [1] proves otherwise (and makes sense).
>>>> Hmm still the same exception. It is geogebra which is causing this.
>>> Do you have exact reproduction steps?
>> yes, lunch geogebra from our testcases and sue any sandbox combination :) - or try to tune it to
>> run:)
> Ah I see, it's failing as soon as it starts basically. Maybe I should have tried before asking for
> detailed steps ;)
> Why do you think it's being denied on a classForName call though? Not saying it isn't, but I don't
> see what indicates that in particular? According to the docs for Class.forName, the permission
> required is a RuntimePermission with "getClassLoader" target and no actions, and that's what the Get
> ClassLoader permission in PolicyEditor is granting. I mean, the NPE is happening somewhere after
> some GUI package stuff is going on apparently, so how do we know it isn't a missing AWT permission
> instead? Maybe there should be a catch-all AWT permission available as well, actually, even if that
> isn't the problem here.
I was trying all current pemissions in polici editor (with this patch included) .Non made geogebra 
run :(

Anyway I dont know what is causing to fail. If you dont know, then ok to push.

More information about the distro-pkg-dev mailing list