'Re: [ipv6] RFR: 8224256: test/jdk/java/security/SecureClassLoader/DefineClass.java'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openjdk-net-dev
Subject:    Re: [ipv6] RFR: 8224256: test/jdk/java/security/SecureClassLoader/DefineClass.java
From:       Arthur Eubanks <aeubanks () google ! com>
Date:       2019-05-23 2:36:26
Message-ID: CAPW48sr_n-GuHunAZVMAryjZ7XdV66PabBMWUNfe4i9_sMnvYQ () mail ! gmail ! com
[Download RAW message or body]

Looks like this test is now failing, I'll take a look tomorrow, sorry about
this.

On Wed, May 22, 2019, 12:48 PM Sean Mullan <sean.mullan@oracle.com> wrote:

> On 5/22/19 3:33 PM, Arthur Eubanks wrote:
> >
> >
> > On Wed, May 22, 2019 at 12:12 PM Sean Mullan <sean.mullan@oracle.com
> > <mailto:sean.mullan@oracle.com>> wrote:
> >
> >     On 5/22/19 1:28 PM, Arthur Eubanks wrote:
> >      > On Wed, May 22, 2019 at 7:13 AM Daniel Fuchs
> >     <daniel.fuchs@oracle.com <mailto:daniel.fuchs@oracle.com>
> >      > <mailto:daniel.fuchs@oracle.com
> >     <mailto:daniel.fuchs@oracle.com>>> wrote:
> >      >
> >      >     Hi Arthur,
> >      >
> >      >         18 // For IPSupport
> >      >         19 grant {
> >      >         20     permission java.net.SocketPermission "localhost:0",
> >      >     "listen,resolve";
> >      >         21     permission java.util.PropertyPermission
> >      >     "java.net.preferIPv4Stack", "read";
> >      >         22 };
> >      >
> >      >     It might be better if these permissions were granted to the
> >      >     library only.
> >      >
> >      > Done.
> >
> >     Have you tested that with jtreg? I believe it may not work because of
> >     the way the SecurityManager is enabled inside the test (rather than
> >     using the jtreg java.security.policy option). You may find that you
> >     also
> >     need to grant those permissions to jtreg.jar since it is higher in
> the
> >     call stack. If that is the case, you are probably better off granting
> >     the permissions to all code, or restructuring the test to use the
> jtreg
> >     java.security.policy option, where jtreg installs its own
> >     SecurityManager to grant itself the proper permissions. However, that
> >     will require some code changes and granting some additional
> permissions
> >     to the test that are needed (for adding a security provider, etc)
> >     before
> >     it currently enables a SM. And that is probably more than you want
> >     to do
> >     for this fix.
> >
> >     --Sean
> >
> > Tried it directly with jtreg
> > $ ~/jtreg/build/images/jtreg/bin/jtreg -jdk:./images/jdk/
> > ../test/jdk/java/security/SecureClassLoader/DefineClass.java
> > and it passes. Verified that removing the newly added permissions makes
> > it fail again.
> > There was some discussion on IPSupport and SecurityManagers when
> > IPSupport was first introduced:
> > https://markmail.org/message/vvemfm367ja3qllj
>
> Ok, the fix looks good then to me.
>
> --Sean
>

[Attachment #3 (text/html)]

<div dir="auto">Looks like this test is now failing, I&#39;ll take a  look tomorrow, \
sorry about this.  </div><br><div class="gmail_quote"><div dir="ltr" \
class="gmail_attr">On Wed, May 22, 2019, 12:48 PM Sean Mullan &lt;<a \
href="mailto:sean.mullan@oracle.com" target="_blank" \
rel="noreferrer">sean.mullan@oracle.com</a>&gt; wrote:<br></div><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">On 5/22/19 3:33 PM, Arthur Eubanks wrote:<br> &gt; <br>
&gt; <br>
&gt; On Wed, May 22, 2019 at 12:12 PM Sean Mullan &lt;<a \
href="mailto:sean.mullan@oracle.com" rel="noreferrer noreferrer" \
target="_blank">sean.mullan@oracle.com</a> <br> &gt; &lt;mailto:<a \
href="mailto:sean.mullan@oracle.com" rel="noreferrer noreferrer" \
target="_blank">sean.mullan@oracle.com</a>&gt;&gt; wrote:<br> &gt; <br>
&gt;        On 5/22/19 1:28 PM, Arthur Eubanks wrote:<br>
&gt;         &gt; On Wed, May 22, 2019 at 7:13 AM Daniel Fuchs<br>
&gt;        &lt;<a href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a> &lt;mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a>&gt;<br> &gt;         &gt; &lt;mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a><br> &gt;        &lt;mailto:<a \
href="mailto:daniel.fuchs@oracle.com" rel="noreferrer noreferrer" \
target="_blank">daniel.fuchs@oracle.com</a>&gt;&gt;&gt; wrote:<br> &gt;         \
&gt;<br> &gt;         &gt;        Hi Arthur,<br>
&gt;         &gt;<br>
&gt;         &gt;              18 // For IPSupport<br>
&gt;         &gt;              19 grant {<br>
&gt;         &gt;              20        permission java.net.SocketPermission \
&quot;localhost:0&quot;,<br> &gt;         &gt;        &quot;listen,resolve&quot;;<br>
&gt;         &gt;              21        permission java.util.PropertyPermission<br>
&gt;         &gt;        &quot;java.net.preferIPv4Stack&quot;, &quot;read&quot;;<br>
&gt;         &gt;              22 };<br>
&gt;         &gt;<br>
&gt;         &gt;        It might be better if these permissions were granted to \
the<br> &gt;         &gt;        library only.<br>
&gt;         &gt;<br>
&gt;         &gt; Done.<br>
&gt; <br>
&gt;        Have you tested that with jtreg? I believe it may not work because of<br>
&gt;        the way the SecurityManager is enabled inside the test (rather than<br>
&gt;        using the jtreg java.security.policy option). You may find that you<br>
&gt;        also<br>
&gt;        need to grant those permissions to jtreg.jar since it is higher in \
the<br> &gt;        call stack. If that is the case, you are probably better off \
granting<br> &gt;        the permissions to all code, or restructuring the test to \
use the jtreg<br> &gt;        java.security.policy option, where jtreg installs its \
own<br> &gt;        SecurityManager to grant itself the proper permissions. However, \
that<br> &gt;        will require some code changes and granting some additional \
permissions<br> &gt;        to the test that are needed (for adding a security \
provider, etc)<br> &gt;        before<br>
&gt;        it currently enables a SM. And that is probably more than you want<br>
&gt;        to do<br>
&gt;        for this fix.<br>
&gt; <br>
&gt;        --Sean<br>
&gt; <br>
&gt; Tried it directly with jtreg<br>
&gt; $  ~/jtreg/build/images/jtreg/bin/jtreg -jdk:./images/jdk/ <br>
&gt; ../test/jdk/java/security/SecureClassLoader/DefineClass.java<br>
&gt; and it passes. Verified that removing the newly added permissions makes <br>
&gt; it fail again.<br>
&gt; There was some discussion on IPSupport and SecurityManagers when <br>
&gt; IPSupport was first introduced: <br>
&gt; <a href="https://markmail.org/message/vvemfm367ja3qllj" rel="noreferrer \
noreferrer noreferrer" \
target="_blank">https://markmail.org/message/vvemfm367ja3qllj</a><br> <br>
Ok, the fix looks good then to me.<br>
<br>
--Sean<br>
</blockquote></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic