
Commit 50f9043

rjernstChrisHegarty
authored andcommitted
8297451: ProcessHandleImpl should assert privilege when modifying reaper thread
Reviewed-by: chegar, alanb
1 parent 99d3840 commit 50f9043


2 files changed

+36
-7
lines changed


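--- a/src/java.base/share/classes/java/lang/ProcessHandleImpl.java
+++ b/src/java.base/share/classes/java/lang/ProcessHandleImpl.java
@@ -100,7 +100,7 @@ final class ProcessHandleImpl implements ProcessHandle {
 ThreadFactory threadFactory = grimReaper -> {
 Thread t = InnocuousThread.newSystemThread("process reaper", grimReaper,
 stackSize, Thread.MAX_PRIORITY);
-t.setDaemon(true);
+privilegedThreadSetDaemon(t, true);
 return t;
 };
 
@@ -115,6 +115,22 @@ private static class ExitCompletion extends CompletableFuture<Integer> {
 }
 }
 
+@SuppressWarnings("removal")
+private static void privilegedThreadSetName(Thread thread, String name) {
+AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+thread.setName(name);
+return null;
+});
+}
+
+@SuppressWarnings("removal")
+private static void privilegedThreadSetDaemon(Thread thread, boolean on) {
+AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+thread.setDaemon(on);
+return null;
+});
+}
+
 /**
 * Returns a CompletableFuture that completes with process exit status when
 * the process completes.
@@ -140,8 +156,9 @@ static CompletableFuture<Integer> completion(long pid, boolean shouldReap) {
 processReaperExecutor.execute(new Runnable() {
 // Use inner class to avoid lambda stack overhead
 public void run() {
-String threadName = Thread.currentThread().getName();
-Thread.currentThread().setName("process reaper (pid " + pid + ")");
+Thread t = Thread.currentThread();
+String threadName = t.getName();
+privilegedThreadSetName(t, "process reaper (pid " + pid + ")");
 try {
 int exitValue = waitForProcessExit0(pid, shouldReap);
 if (exitValue == NOT_A_CHILD) {
@@ -172,7 +189,7 @@ public void run() {
 completions.remove(pid, newCompletion);
 } finally {
 // Restore thread name
-Thread.currentThread().setName(threadName);
+privilegedThreadSetName(t, threadName);
 }
 }
 });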
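Review bot: The two helpers added in the second hunk, `privilegedThreadSetName` and `privilegedThreadSetDaemon`, have no comment recording why the privilege assertion is needed or what keeps it safe. Each runs a thread mutation inside `AccessController.doPrivileged` on whatever `Thread` it is handed, so it matters that they stay private and are only passed the reaper thread, which is what the visible call sites do. I would add a short comment above each, for example `// Asserts privilege so a SecurityManager.checkAccess(Thread) override cannot reject JDK-internal changes to the reaper thread; pass only reaper threads.` The rationale is inferred from the commit title and the new test, so the wording should be confirmed by the author.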

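--- a/test/jdk/java/lang/ProcessBuilder/SecurityManagerClinit.java
+++ b/test/jdk/java/lang/ProcessBuilder/SecurityManagerClinit.java
@@ -24,7 +24,7 @@
 
 /*
 * @test
-* @bug 6980747
+* @bug 6980747 8297451
 * @summary Check that Process-related classes have the proper
 * doPrivileged blocks, and can be initialized with an adversarial
 * security manager.
@@ -52,6 +52,17 @@ public boolean implies(ProtectionDomain pd, Permission p) {
 }
 }
 
+// Security manager that unconditionally performs Thread Modify Access checks.
+@SuppressWarnings("removal")
+private static class TMACSecurityManager extends SecurityManager {
+static final RuntimePermission MODIFY_THREAD_PERMISSION =
+new RuntimePermission("modifyThread");
+@Override
+public void checkAccess(Thread thread) {
+checkPermission(MODIFY_THREAD_PERMISSION);
+}
+}
+
 public static void main(String[] args) throws Throwable {
 String javaExe =
 System.getProperty("java.home") +
@@ -60,10 +71,11 @@ public static void main(String[] args) throws Throwable {
 final SimplePolicy policy =
 new SimplePolicy
 (new FilePermission("<<ALL FILES>>", "execute"),
-new RuntimePermission("setSecurityManager"));
+new RuntimePermission("setSecurityManager"),
+new RuntimePermission("modifyThread"));
 Policy.setPolicy(policy);
 
-System.setSecurityManager(new SecurityManager());
+System.setSecurityManager(new TMACSecurityManager());
 
 try {
 String[] cmd = { javaExe, "-version" };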
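Review bot: The `modifyThread` permission is now spelled out twice in this file, once as `TMACSecurityManager.MODIFY_THREAD_PERMISSION` and once as a fresh `new RuntimePermission("modifyThread")` in the policy built in `main`. Passing the constant to `SimplePolicy` instead, `TMACSecurityManager.MODIFY_THREAD_PERMISSION);`, keeps the permission that is checked and the one that is granted from drifting apart. A one-line comment on the grant saying which code is meant to hold it would also help, since `SimplePolicy.implies` is outside the hunk and the scope of the grant cannot be judged from here. `main` continues past the last hunk.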
