This is the mail archive of the
gcc-bugs@gcc.gnu.org
mailing list for the GCC project.
[Bug java/20704] New: CNI code is called/loaded without any security checks
- From: "mark at gcc dot gnu dot org" <gcc-bugzilla at gcc dot gnu dot org>
- To: gcc-bugs at gcc dot gnu dot org
- Date: 31 Mar 2005 17:05:17 -0000
- Subject: [Bug java/20704] New: CNI code is called/loaded without any security checks
- Reply-to: gcc-bugzilla at gcc dot gnu dot org
Classes using native CNI methods are loaded without any extra security checks.
When a class uses native JNI methods it needs to make sure the appropriate
library containing the JNI functions are loaded. Which means that at a certain
point the call chain must have had a RuntimePermission("loadLibrary") because
Runtime.loadLibrary() has to be called. For classes using CNI native methods no
such requirement is needed which means that "CNI native code" can be called
through such classes without a security check for the RuntimePermission being done.
A "solution" could be to have the static initializer of such classes using CNI
native code make a security check themselves for RuntimePermission("loadLibrary").
This does mean we need some way to simulate the "trusted" way of calling
Runtime.loadLibrary() through a PrivilegedAction (which means the class itself
needs to have the RuntimePermission, but the rest of the call chain doesn't).
--
Summary: CNI code is called/loaded without any security checks
Product: gcc
Version: 4.0.0
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: java
AssignedTo: unassigned at gcc dot gnu dot org
ReportedBy: mark at gcc dot gnu dot org
CC: gcc-bugs at gcc dot gnu dot org,java-prs at gcc dot gnu
dot org
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=20704