Disallowing the dynamic loading of agents by default
greggwon at cox.net
Tue Apr 4 14:58:46 UTC 2017
> On Apr 4, 2017, at 4:36 AM, Andrew Dinn <adinn at redhat.com> wrote:
> On 03/04/17 21:56, John Rose wrote:
>> On Apr 3, 2017, at 12:03 PM, Gregg Wonderly <greggwon at cox.net>
>>> Alan, it is exactly this kind of comment from the team which just
>>> tears apart the whole view that you might actually be considering
>>> what everyone in the Java community needs.
>> I think *this* comment is unfair to Alan. I read Alan as saying
>> "don't assume that users can rely on an SM present". If I'm right,
>> that is a far cry from tearing the community into parts. I think
>> you would admit that not everyone uses SM. So you didn't ding Alan
>> (who is doing really heroic work for the community) for simply
>> reminding us that a SM-based approach would not serve the whole
>> community equally. Did you impute some other motive to him?
> Thank you for posting this, John. I am hoping that Gregg simply misread
> Alan's post because it definitely didn't merit the response it received.
> The issue here is nothing to do with the security manager, assume no security manager in the picture.
But, I always have a security manager in the picture. It’s how I always grant access to various pieces of the JDK features to my application. It’s how I limit/grant access to the details that I care about my users being exposed to by using my software. So, saying that a SecurityManager doesn’t matter, when this is clearly a JVM security issue, just doesn’t fly for me. As I’ve already said, a command line argument can feel like a permission, but it is like AllPermission. It doesn’t help me manage what I am opening my users to. If I have to use the AllPermission for my users to deploy, and they are on a network, I’ve now opened them up to network penetration by other agents! That’s absolutely not acceptable to me.
There should be a Permission mechanism at a high granularity of control, and grants to Jar files (which have been mentioned in another recent thread dealing with which modules can have agents inserted/active) make it possible to directly control all exposure from all paths of penetration.
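As an added illustration (not code from this thread, the JDK, or any of its authors), the small Java program below contrasts the two grant styles the message draws apart: a coarse grant that behaves like AllPermission, as a blanket command-line switch effectively does for the code it enables, and a narrow grant scoped to one jar's code base. The `LoadAgentPermission` class and the jar paths are constructed for the example and are not JDK permissions or real files; `Policy`, `ProtectionDomain`, `CodeSource`, `Permissions` and `AllPermission` are the real `java.security` types.

```java
import java.net.MalformedURLException;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AllPermission;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

/**
 * Contrasts a coarse AllPermission-style grant with a per-jar grant of a
 * single narrow permission. The permission class and jar paths are
 * constructed for this example; only the java.security types are JDK APIs.
 */
public class JarScopedGrants {

    /** Hypothetical permission guarding agent loading (not a JDK permission). */
    public static final class LoadAgentPermission extends BasicPermission {
        public LoadAgentPermission(String name) {
            super(name);
        }
    }

    /** Minimal Policy keyed by code-source URL, mirroring "grant codeBase" blocks in a policy file. */
    public static final class CodeBasePolicy extends Policy {
        private final Map<String, Permissions> grants = new HashMap<>();

        public CodeBasePolicy grant(String codeBase, Permission p) {
            grants.computeIfAbsent(codeBase, k -> new Permissions()).add(p);
            return this;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            if (cs == null || cs.getLocation() == null) {
                return false; // no code source: deny, as an unmatched policy file would
            }
            Permissions perms = grants.get(cs.getLocation().toExternalForm());
            return perms != null && perms.implies(permission);
        }
    }

    /** Builds a ProtectionDomain standing in for code loaded from the given jar URL. */
    static ProtectionDomain domainFor(String jarUrl) throws MalformedURLException {
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        return new ProtectionDomain(cs, null);
    }

    static void report(String label, Policy policy, ProtectionDomain pd, Permission p) {
        System.out.printf("%-18s %-50s -> %s%n", label, p,
                policy.implies(pd, p) ? "GRANTED" : "DENIED");
    }

    public static void main(String[] args) throws Exception {
        String agentJar = "file:/opt/app/lib/monitoring-agent.jar"; // constructed path
        String otherJar = "file:/opt/app/lib/third-party.jar";      // constructed path

        // Narrow policy: only the agent jar may load agents; nothing else is granted to anyone.
        Policy narrow = new CodeBasePolicy()
                .grant(agentJar, new LoadAgentPermission("attach"));

        // Coarse policy: what a blanket switch amounts to for the jar it enables.
        Policy coarse = new CodeBasePolicy()
                .grant(otherJar, new AllPermission());

        Permission attach = new LoadAgentPermission("attach");
        Permission connect = new SocketPermission("localhost:8080", "connect");

        // Under the narrow policy the agent jar gets exactly one permission and
        // the other jar gets none; under the coarse policy AllPermission implies
        // every permission, including network access the deployer never named.
        report("narrow/agent jar", narrow, domainFor(agentJar), attach);
        report("narrow/agent jar", narrow, domainFor(agentJar), connect);
        report("narrow/other jar", narrow, domainFor(otherJar), attach);
        report("coarse/other jar", coarse, domainFor(otherJar), attach);
        report("coarse/other jar", coarse, domainFor(otherJar), connect);
    }
}
```

The point of keying the policy on `CodeSource` rather than on a global flag is that every decision names the jar being trusted and the single permission it receives, which is the granularity the message asks for; `Permissions.implies` returns true for anything once an `AllPermission` has been added, which is why the coarse grant cannot be narrowed after the fact. `java.security.Policy` is deprecated for removal in recent JDKs, so expect compiler warnings on Java 17 and later; the program still runs there.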
More information about the jigsaw-dev