As shown by running this new Mauve test:
calling setPolicy has no effect on the default SecurityManager implementation provided by GNU Classapath.
This is because VMAccessController creates ProtectionDomain objects using the two argument constructor which uses static permissions. The four argument constructor should be used instead so the policy is consulted.
Fixing this requires changes in a VM class which seems to have local copies in most Classpath VMs (at least CACAO, gij and jamvm). This metabug thus tracks fixing the issue separately in both gcj and Classpath's reference copy.
Patched in both GNU Classpath and JamVM.
* CACAO: http://server.complang.tuwien.ac.at/cgi-bin/bugzilla/show_bug.cgi?id=152
Above should say 'Patched in both GNU Classpath and GCJ' :-)