Mercurial > hg > openjdk > jigsaw > jdk
changeset 6369:3a825f6cbc71
7169888: Narrowing resource definitions in JMX RMI connector
Summary: CPU bug, we can't put offending calls outside doPrivileged, but narrow granted permissions.
Reviewed-by: ahgross, fparain
author | dsamersoff |
---|---|
date | Fri, 22 Jun 2012 18:19:48 +0400 |
parents | 263f15439f4b |
children | 90498c1cc87c |
files | src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java |
diffstat | 1 files changed, 48 insertions(+), 41 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java Fri Jun 22 16:22:22 2012 +0400 +++ b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java Fri Jun 22 18:19:48 2012 +0400 @@ -25,6 +25,30 @@ package javax.management.remote.rmi; +import java.io.IOException; +import java.rmi.MarshalledObject; +import java.rmi.UnmarshalException; +import java.rmi.server.Unreferenced; +import java.security.AccessControlContext; +import java.security.AccessController; +import java.security.Permission; +import java.security.PermissionCollection; +import java.security.Permissions; +import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; +import java.security.ProtectionDomain; +import java.util.Arrays; +import java.util.Collections; +import java.util.Map; +import java.util.Set; + +import javax.management.*; +import javax.management.remote.JMXServerErrorException; +import javax.management.remote.NotificationResult; +import javax.management.remote.TargetedNotification; +import javax.security.auth.Subject; + import static com.sun.jmx.mbeanserver.Util.cast; import com.sun.jmx.remote.internal.ServerCommunicatorAdmin; import com.sun.jmx.remote.internal.ServerNotifForwarder; @@ -35,44 +59,6 @@ import com.sun.jmx.remote.util.EnvHelp; import com.sun.jmx.remote.util.OrderClassLoaders; -import java.io.IOException; -import java.rmi.MarshalledObject; -import java.rmi.UnmarshalException; -import java.rmi.server.Unreferenced; -import java.security.AccessControlContext; -import java.security.AccessController; -import java.security.PrivilegedAction; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; -import java.util.Arrays; -import java.util.Collections; -import java.util.Map; -import java.util.Set; - -import javax.management.Attribute; -import javax.management.AttributeList; -import javax.management.AttributeNotFoundException; -import javax.management.InstanceAlreadyExistsException; -import javax.management.InstanceNotFoundException; -import javax.management.IntrospectionException; -import javax.management.InvalidAttributeValueException; -import javax.management.ListenerNotFoundException; -import javax.management.MBeanException; -import javax.management.MBeanInfo; -import javax.management.MBeanRegistrationException; -import javax.management.MBeanServer; -import javax.management.NotCompliantMBeanException; -import javax.management.NotificationFilter; -import javax.management.ObjectInstance; -import javax.management.ObjectName; -import javax.management.QueryExp; -import javax.management.ReflectionException; -import javax.management.RuntimeOperationsException; -import javax.management.remote.JMXServerErrorException; -import javax.management.remote.NotificationResult; -import javax.management.remote.TargetedNotification; -import javax.security.auth.Subject; - /** * <p>Implementation of the {@link RMIConnection} interface. User * code will not usually reference this class.</p> @@ -143,6 +129,7 @@ this.mbeanServer = rmiServer.getMBeanServer(); final ClassLoader dcl = defaultClassLoader; + this.classLoaderWithRepository = AccessController.doPrivileged( new PrivilegedAction<ClassLoaderWithRepository>() { @@ -151,13 +138,29 @@ mbeanServer.getClassLoaderRepository(), dcl); } - }); + }, + + withPermissions( new MBeanPermission("*", "getClassLoaderRepository"), + new RuntimePermission("createClassLoader")) + ); + serverCommunicatorAdmin = new RMIServerCommunicatorAdmin(EnvHelp.getServerConnectionTimeout(env)); this.env = env; } + private static AccessControlContext withPermissions(Permission ... perms){ + Permissions col = new Permissions(); + + for (Permission thePerm : perms ) { + col.add(thePerm); + } + + final ProtectionDomain pd = new ProtectionDomain(null, col); + return new AccessControlContext( new ProtectionDomain[] { pd }); + } + private synchronized ServerNotifForwarder getServerNotifFwd() { // Lazily created when first use. Mainly when // addNotificationListener is first called. @@ -1330,7 +1333,9 @@ public ClassLoader run() throws InstanceNotFoundException { return mbeanServer.getClassLoader(name); } - }); + }, + withPermissions(new MBeanPermission("*", "getClassLoader")) + ); } catch (PrivilegedActionException pe) { throw (InstanceNotFoundException) extractException(pe); } @@ -1345,7 +1350,9 @@ public Object run() throws InstanceNotFoundException { return mbeanServer.getClassLoaderFor(name); } - }); + }, + withPermissions(new MBeanPermission("*", "getClassLoaderFor")) + ); } catch (PrivilegedActionException pe) { throw (InstanceNotFoundException) extractException(pe); }