[Bug java/20704] New: CNI code is called/loaded without any security checks

mark at gcc dot gnu dot org gcc-bugzilla@gcc.gnu.org
Thu Mar 31 22:47:00 GMT 2005

Classes using native CNI methods are loaded without any extra security checks.
When a class uses native JNI methods it needs to make sure the appropriate
library  containing the JNI functions are loaded. Which means that at a certain
point the call chain must have had a RuntimePermission("loadLibrary") because
Runtime.loadLibrary() has to be called. For classes using CNI native methods no
such requirement is needed which means that "CNI native code" can be called
through such classes without a security check for the RuntimePermission being done.

A "solution" could be to have the static initializer of such classes using CNI
native code make a security check themselves for RuntimePermission("loadLibrary").
This does mean we need some way to simulate the "trusted" way of calling
Runtime.loadLibrary() through a PrivilegedAction (which means the class itself
needs to have the RuntimePermission, but the rest of the call chain doesn't).

           Summary: CNI code is called/loaded without any security checks
           Product: gcc
           Version: 4.0.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: java
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: mark at gcc dot gnu dot org
                CC: gcc-bugs at gcc dot gnu dot org,java-prs at gcc dot gnu
                    dot org


More information about the Java-prs mailing list