java.lang.Object
java.lang.SecurityManager
org.elasticsearch.secure_sm.SecureSM
Extension of SecurityManager that works around a few design flaws in Java Security.

There are a few major problems that require custom SecurityManager logic to fix:
- exitVM permission is implicitly granted to all code by the default Policy implementation. For a server app, this is not wanted.
- ThreadGroups are not enforced by default; instead, only system threads are protected out of the box by modifyThread/modifyThreadGroup. Applications are encouraged to override the logic here to implement a stricter policy.
- System threads are not even really protected, because if the system uses ThreadPools, modifyThread is abused by its shutdown checks. This means a thread must have modifyThread to even terminate its own pool, leaving system threads unprotected.

This class throws an exception on exitVM calls, and provides a whitelist where calls from exit are allowed.
Additionally it enforces threadgroup security with the following rules:
- modifyThread and modifyThreadGroup are required for any thread access checks: with these permissions, access is granted as long as the thread group is the same or an ancestor (sourceGroup.parentOf(targetGroup) == true).
- code without these permissions can do very little, except to interrupt itself. It may not even create new threads.
- very special cases (like test runners) that have ThreadPermission can violate threadgroup security rules.

If java security debugging (java.security.debug) is enabled, and this SecurityManager is installed, it will emit additional debugging information when threadgroup access checks fail.
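Worked example, added here and not part of the secure-sm library or its Javadoc: a small Java program that installs SecureSM under a hand-written Policy and triggers each of the rules above (exitVM blocked for ordinary code, the exit whitelist passed to the constructor, and the thread-group ancestor rule enforced by checkAccess). Everything in it is an assumption of the example rather than something this page states: the class names SecureSmDemo and SecureSmDemo$Shutdown, the contents of the policy, the thread-group names, and the launch flags in the note below. The permission name modifyArbitraryThread is the one secure-sm's ThreadPermission class uses for cross-group thread access; the page itself only says ThreadPermission.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.concurrent.CountDownLatch;

import org.elasticsearch.secure_sm.SecureSM;

/**
 * Added demo (not part of the secure-sm library): installs SecureSM under a minimal
 * Policy and exercises the exit whitelist and the thread-group rules.
 */
@SuppressWarnings("removal") // SecurityManager and Policy are deprecated for removal
public class SecureSmDemo {

    /** Grants every code source exactly the permissions this demo needs and nothing else. */
    static Policy minimalPolicy() {
        final Permissions granted = new Permissions();
        // SecureSM requires both of these for any thread or thread-group access check.
        granted.add(new RuntimePermission("modifyThread"));
        granted.add(new RuntimePermission("modifyThreadGroup"));
        // After its own stack check SecureSM.checkExit still delegates to
        // SecurityManager.checkExit, so a whitelisted caller also needs exitVM from the policy.
        granted.add(new RuntimePermission("exitVM.*"));
        // Deliberately absent: ThreadPermission("modifyArbitraryThread"), which would let code
        // reach threads outside its own thread-group subtree.
        granted.setReadOnly();
        return new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return granted.implies(permission);
            }
        };
    }

    /** The only class whose name matches the regular expression handed to SecureSM below. */
    static final class Shutdown {
        static void exitCleanly() {
            System.exit(0); // the frame directly above System.exit is SecureSmDemo$Shutdown
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Policy.setPolicy(minimalPolicy());
        // Whitelist of class-name regexes: only SecureSmDemo$Shutdown may exit or halt the VM.
        System.setSecurityManager(new SecureSM("SecureSmDemo\\$Shutdown"));

        // 1. exitVM is no longer implicitly available: SecureSM rejects the call from main.
        try {
            System.exit(1);
            System.out.println("unexpected: exit from main was allowed");
        } catch (SecurityException e) {
            System.out.println("exit from main blocked: " + e.getMessage());
        }

        // 2. Thread-group rule: two sibling groups under the main thread's group.
        ThreadGroup groupA = new ThreadGroup("sandbox-a");
        ThreadGroup groupB = new ThreadGroup("sandbox-b");
        CountDownLatch victimStarted = new CountDownLatch(1);

        // A thread in sandbox-b that parks until it is interrupted.
        Thread victim = new Thread(groupB, () -> {
            victimStarted.countDown();
            try {
                new CountDownLatch(1).await();
            } catch (InterruptedException expected) {
                // interrupted by an allowed caller below
            }
        }, "victim-in-b");
        victim.start();
        victimStarted.await();

        // A thread in sandbox-a: its group is not an ancestor of sandbox-b, so
        // checkThreadAccess demands modifyArbitraryThread, which the policy does not grant.
        Thread worker = new Thread(groupA, () -> {
            try {
                victim.interrupt();
                System.out.println("unexpected: cross-group interrupt was allowed");
            } catch (SecurityException e) {
                System.out.println("cross-group interrupt blocked: " + e.getMessage());
            }
        }, "worker-in-a");
        worker.start();
        worker.join();

        // The main thread's group is an ancestor of sandbox-b, so this interrupt is permitted.
        victim.interrupt();
        victim.join();
        System.out.println("ancestor-group interrupt allowed; victim terminated");

        // 3. Whitelisted caller: passes the stack check, then exitVM.0 is checked against the policy.
        Shutdown.exitCleanly();
    }
}
```

Compile with the secure-sm jar on the class path (`javac -cp <secure-sm.jar> SecureSmDemo.java`, jar name is a placeholder) and run with `java -Djava.security.manager=allow -cp <secure-sm.jar>:. SecureSmDemo`; JDK 18 through 23 require that flag to permit System.setSecurityManager, and JDK 24 removed the SecurityManager entirely, so an older JDK is needed. The run prints the blocked exit, the access-denied message for the cross-group interrupt, the successful ancestor-group interrupt, and then terminates with status 0 from the whitelisted class. Two design points worth checking in a real deployment: the whitelist only describes who may call System.exit or Runtime.halt directly, so any whitelisted class that exposes an exit helper effectively extends the whitelist to its callers and should be kept as narrow as the test-runner packages listed for createTestSecureSM; and the policy, not SecureSM, decides the final exitVM check, so a policy that still grants exitVM broadly undoes part of the protection.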
Constructor Summary

Constructor                               Description
SecureSM()                                Creates a new security manager where no packages can exit nor halt the virtual machine.
SecureSM(String... classesThatCanExit)    Creates a new security manager with the specified list of regular expressions that class names will be tested against to check whether or not a class can exit or halt the virtual machine.

Method Summary

Modifier and Type    Method                                     Description
void                 checkAccess(Thread t)
void                 checkAccess(ThreadGroup g)
void                 checkExit(int status)
protected void       checkThreadAccess(Thread t)
protected void       checkThreadGroupAccess(ThreadGroup g)
static SecureSM      createTestSecureSM()                       Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine.
protected void       innerCheckExit(int status)                 The "Uwe Schindler" algorithm.

Methods inherited from class java.lang.SecurityManager
checkAccept, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPermission, checkPermission, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup
Constructor Details

SecureSM
public SecureSM()
Creates a new security manager where no packages can exit nor halt the virtual machine.

SecureSM
public SecureSM(String... classesThatCanExit)
Creates a new security manager with the specified list of regular expressions that class names will be tested against to check whether or not a class can exit or halt the virtual machine.
- Parameters:
classesThatCanExit - the list of regular expressions; a class whose name matches one of them can exit or halt the virtual machine
Method Details

createTestSecureSM
public static SecureSM createTestSecureSM()
Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine. The packages that can exit are:
- org.apache.maven.surefire.booter.
- com.carrotsearch.ant.tasks.junit4.
- org.eclipse.internal.junit.runner.
- com.intellij.rt.execution.junit.
- Returns:
- an instance of SecureSM where test packages can halt or exit the virtual machine

checkAccess
public void checkAccess(Thread t)
- Overrides:
checkAccess in class SecurityManager

checkAccess
public void checkAccess(ThreadGroup g)
- Overrides:
checkAccess in class SecurityManager

checkThreadAccess
protected void checkThreadAccess(Thread t)

checkThreadGroupAccess
protected void checkThreadGroupAccess(ThreadGroup g)

checkExit
public void checkExit(int status)
- Overrides:
checkExit in class SecurityManager

innerCheckExit
protected void innerCheckExit(int status)
The "Uwe Schindler" algorithm.
- Parameters:
status - the exit status