Disable security manager in java.lang.System

- Throw an error on initialization if java.security.manager attempts to add a security manager - configure setSecurityManager to always throw an UnsupportedOperationException - getSecurityManager will always return null since a security manager can't be set Signed-off-by: Theresa Mammarella <[email protected]>
eclipse-openj9 · Nov 22, 2024 · fc9e6eb · fc9e6eb
1 parent 2bf463b
commit fc9e6eb
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties b/jcl/src/java.base/share/classes/com/ibm/oti/util/ExternalMessages-MasterIndex.properties
@@ -355,6 +355,7 @@ K0633="{0} is not a valid AccessMode."
 K0634="{0}.{1}({2}) is static. Expected instance field."
 K0635="{0}.{1}({2}) is non-static. Expected static field."
 K0636="No such field: {0}.{1}({2})"
+K0637="A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported."
 
 #java.lang.invoke.MethodHandles
 K0637=The value of {0}: {1} must be in a range from 0 to {2}
@@ -482,6 +483,7 @@ K0A02="Bootstrap method returned null."
 K0B00="The Security Manager is deprecated and will be removed in a future release"
 K0B01="Library name must not contain a file path: {0}"
 K0B02="Enabling a SecurityManager currently unsupported when -XX:+EnableCRIUSupport is specified"
+K0B03="Setting a Security Manager is not supported"
 
 #java.lang.Throwable
 K0C00="Non-standard List class not permitted in suppressedExceptions serial stream"

diff --git a/jcl/src/java.base/share/classes/java/lang/System.java b/jcl/src/java.base/share/classes/java/lang/System.java
@@ -1265,6 +1265,9 @@ static void checkTmpDir() {
 
 /*[IF JAVA_SPEC_VERSION >= 9]*/
 static void initSecurityManager(ClassLoader applicationClassLoader) {
+	/*[IF JAVA_SPEC_VERSION >= 24]*/
+	boolean throwErrorOnInit = false;
+	/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	String javaSecurityManager = internalGetProperties().getProperty("java.security.manager"); //$NON-NLS-1$
 	if (null == javaSecurityManager) {
 		/*[IF JAVA_SPEC_VERSION >= 18]*/
@@ -1273,14 +1276,21 @@ static void initSecurityManager(ClassLoader applicationClassLoader) {
 		/* Do nothing. */
 		/*[ENDIF] JAVA_SPEC_VERSION >= 18 */
 	} else if ("allow".equals(javaSecurityManager)) { //$NON-NLS-1$
+		/*[IF JAVA_SPEC_VERSION >= 24]*/
+		throwErrorOnInit = true;
+		/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 		/* Do nothing. */
+		/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	} else if ("disallow".equals(javaSecurityManager)) { //$NON-NLS-1$
 		/*[IF JAVA_SPEC_VERSION > 11]*/
 		throwUOEFromSetSM = true;
 		/*[ELSE] JAVA_SPEC_VERSION > 11 */
 		/* Do nothing. */
 		/*[ENDIF] JAVA_SPEC_VERSION > 11 */
 	} else {
+		/*[IF JAVA_SPEC_VERSION >= 24]*/
+		throwErrorOnInit = true;
+		/*[ELSE] JAVA_SPEC_VERSION >= 24 */
 		/*[IF JAVA_SPEC_VERSION >= 17]*/
 		initialErr.println("WARNING: A command line option has enabled the Security Manager"); //$NON-NLS-1$
 		initialErr.println("WARNING: The Security Manager is deprecated and will be removed in a future release"); //$NON-NLS-1$
@@ -1297,7 +1307,14 @@ static void initSecurityManager(ClassLoader applicationClassLoader) {
 				throw new Error(Msg.getString("K0631", e.toString()), e); //$NON-NLS-1$
 			}
 		}
+		/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 	}
+	/*[IF JAVA_SPEC_VERSION >= 24]*/
+	if (throwErrorOnInit) {
+		/*[MSG "K0637", "A command line option has attempted to allow or enable the Security Manager. Enabling a Security Manager is not supported."]*/
+		throw new Error(Msg.getString("K0637")); //$NON-NLS-1$
+	}
+	/*[ENDIF] JAVA_SPEC_VERSION >= 24 */
 }
 /*[ENDIF] JAVA_SPEC_VERSION >= 9 */
 
@@ -1315,17 +1332,25 @@ static boolean allowSecurityManager() {
  *
  * @param		s			the new security manager
  *
+/*[IF JAVA_SPEC_VERSION > 24]
+ * @throws		UnsupportedOperationException	always
+/*[ELSE] JAVA_SPEC_VERSION > 24
  * @throws		SecurityException 	if the security manager has already been set and its checkPermission method doesn't allow it to be replaced.
 /*[IF JAVA_SPEC_VERSION > 11]
  * @throws		UnsupportedOperationException 	if s is non-null and a special token "disallow" has been set for system property "java.security.manager"
  * 												which indicates that a security manager is not allowed to be set dynamically.
 /*[ENDIF] JAVA_SPEC_VERSION > 11
+/*[ENDIF] JAVA_SPEC_VERSION > 24
  */
 /*[IF JAVA_SPEC_VERSION >= 17]*/
 @Deprecated(since="17", forRemoval=true)
 @CallerSensitive
 /*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public static void setSecurityManager(final SecurityManager s) {
+/*[IF JAVA_SPEC_VERSION >= 24]*/
+	/*[MSG "K0B03", "Setting a Security Manager is not supported"]*/
+	throw new UnsupportedOperationException(Msg.getString("K0B03")); //$NON-NLS-1$
+/*[ELSE] JAVA_SPEC_VERSION >= 24*/
 /*[IF CRIU_SUPPORT]*/
 	if (openj9.internal.criu.InternalCRIUSupport.isCRIUSupportEnabled()) {
 		/*[MSG "K0B02", "Enabling a SecurityManager currently unsupported when -XX:+EnableCRIUSupport is specified"]*/
@@ -1403,6 +1428,7 @@ public Void run() {
 		currentSecurity.checkPermission(com.ibm.oti.util.RuntimePermissions.permissionSetSecurityManager);
 	}
 	security = s;
+/*[ENDIF] JAVA_SPEC_VERSION >= 24*/
 }
 
 /**