Methods Protecting the Java Virtual Machine

also responsible for marking certain classes as signed classes. Hence, an untrusted class is typically not allowed to create a class loader. This method is only called by the constructor of the ClassLoader class: if you can create a class loader, or if you obtain a reference to a previously created class loader, you can use it. To succeed, the current protection domain must have a runtime permission with the name createClassLoader.

public void checkExec(String cmd)

This method is used to prevent execution of arbitrary system commands by untrusted classes: an untrusted class cannot, for example, execute a separate process that removes all the files on your disk.[4] To succeed, the current protection domain must have a file permission with a name that matches the given command and an action of execute.

[4] The separate process would not need to be written in Java, of course, so there would be no security manager around to enforce the prohibition about deleting files.

public void checkLink(String lib)

System commands aren't the only code that is out of reach of the security manager: any native C language code that is executed by the virtual machine cannot be protected by the security manager or, in fact, by any aspect of the Java sandbox. Native code is executed by linking a shared library into the virtual machine; this method prevents an untrusted class from linking in such libraries. It may seem as if this check is very important. It is, but only to a point: the programmatic binding from Java to C is such that Java code cannot just call an arbitrary C function; the C function must have a very specialized name that will not exist in an arbitrary library. So any C function that the untrusted class would like to call must reside in a library that you've downloaded and placed on your machine, and if the program's author can convince you to do that, then you don't really have a secure system anyway and the author could find a different line of attack against you.
To succeed, the current protection domain must have a runtime permission with the name loadLibrary.lib.

public void checkExit(int status)

Next, there is the continuing processing of the virtual machine itself. This method prevents an untrusted class from shutting down the virtual machine. It also prevents an untrusted class from changing whether or not all finalizers are run when the virtual machine does exit. This means that an untrusted class, and in particular an applet, cannot guarantee that all the finalize methods of all the objects will be called before the system exits (which cannot be guaranteed in any case, since the browser can be terminated from the operating system without an opportunity to run the finalizers anyway). When you install a security manager via the command-line argument, all code, trusted or not, is able to exit the virtual machine. In the appletviewer or the Java Plug-in, the current protection domain must have the runtime permission named exitVM in order for this call to succeed.

public void checkPermission(Permission p)
public void checkPermission(Permission p, Object context)

Check to see if the current thread has the given permission. This method is used when you write your own permission classes, as we'll examine in Chapter 5. It is also used directly by the Java API when it needs to test for runtime permissions. This method succeeds if the current protection domain has been granted the given permission.

4.3.4 Methods Protecting Program Threads

Java depends heavily on threads for its execution; in a simple Java program that uses images and audio, there may be a dozen or more threads that are created automatically for the user, depending on the particular implementation of the virtual machine. These are system-level threads responsible for garbage collection, the various input and output needs of the graphical interface, threads to fetch images, etc. An untrusted class cannot manipulate any of these threads because doing so would prevent the Java virtual machine from running properly, affecting other applets and possibly even the browser itself. The security manager protects threads with these methods:

public void checkAccess(Thread g)

Check if the program is allowed to change the state of the given thread. This call succeeds if the current protection domain has a runtime permission with the name modifyThread.

public void checkAccess(ThreadGroup g)

Check if the program is allowed to change the state of the given thread group and the threads that it holds. This call succeeds if the current protection domain has a runtime permission with the name modifyThreadGroup.

public ThreadGroup getThreadGroup()

Supply a default thread group for newly created threads to belong to.

Table 4-4 shows the methods of the Java API that are affected by the policy set in the checkAccess methods. By default, a thread is able to manipulate any other thread except for threads in the root thread group; it is able to manipulate any thread group except for the root thread group.

Table 4-4. Security Manager Methods Protecting Thread Access

Method                         Called By                        Rationale
checkAccess(Thread g)          Thread.stop(),                   Untrusted classes may only manipulate
                               Thread.interrupt(),              threads that they have created.
                               Thread.suspend(),
                               Thread.resume(),
                               Thread.setPriority(),
                               Thread.setName(),
                               Thread.setDaemon(),
                               Thread.setClassLoader(),
                               Thread constructor
checkAccess(ThreadGroup g)     ThreadGroup constructor,         Untrusted classes can only affect thread
                               ThreadGroup.setDaemon(),         groups that they have created.
                               ThreadGroup.setMaxPriority(),
                               ThreadGroup.stop(),
                               ThreadGroup.suspend(),
                               ThreadGroup.resume(),
                               ThreadGroup.destroy(),
                               ThreadGroup.interrupt()
getThreadGroup()               Thread constructor               Threads of untrusted classes must belong
                                                                to specified groups.
checkPermission(Permission p)  Thread.stop()                    Stopping a thread could corrupt the state
                                                                of the virtual machine.

Unlike the other public methods of the security manager, the getThreadGroup method is not responsible for deciding whether access to a particular resource should be granted or not, and it does not throw a security exception under any circumstances. The point of this method is to determine the default thread group that a particular thread should belong to. When a thread is constructed and does not ask to be placed into a particular thread group, the getThreadGroup method of the security manager is used to find a thread group to which the thread should be assigned. By default, this is the thread group of the calling thread.

The getThreadGroup method can be used to create a hierarchy of thread groups. One popular use of this method is to segregate applets loaded from different sites into their own thread group; in a server, it could be used to segregate the threads assigned to different clients into different thread groups. Doing so requires some cooperation with the class loader, since it forms a natural boundary between different applets or different clients. However, a full hierarchy of thread groups does not mesh well with Java's default thread permission model, so we won't discuss that option in the main text. In Appendix D, we discuss the implementation of a different security manager that uses this notion of a thread group hierarchy.

The Thread class also calls the checkPermission method of the security manager whenever the stop method is called, since stopping a thread is an inherently dangerous operation (which has led the stop method to become deprecated). For backward compatibility, this permission is normally granted even to untrusted classes, but an end user may change her environment so that the security manager throws an exception whenever the stop method is called.
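As an added example (not the book's code, and not part of the JDK), here is a security manager that implements the per-class-loader thread-group segregation just described: getThreadGroup() hands each untrusted class loader its own group, and the two checkAccess() methods confine code from that loader to threads inside it. The class and field names are hypothetical, and it assumes the pre-Java-17 SecurityManager API.

```java
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;

// Added example, not the book's code: one thread group per untrusted class
// loader, and untrusted code may only touch threads inside its own group.
// Names are hypothetical; assumes the pre-Java-17 SecurityManager API.
public class LoaderThreadGroupSecurityManager extends SecurityManager {
    private final ThreadGroup untrustedRoot = new ThreadGroup("untrusted");
    // Weak keys: a loader's group becomes collectable once the loader is unloaded.
    private final Map<ClassLoader, ThreadGroup> groups =
            Collections.synchronizedMap(new WeakHashMap<>());
    // Set while building a per-loader group: the ThreadGroup constructor calls checkAccess(untrustedRoot).
    private final ThreadLocal<Boolean> creating = ThreadLocal.withInitial(() -> false);

    // Bootstrap (null), system and the system loader's parents count as trusted.
    private static boolean trusted(ClassLoader l) {
        for (ClassLoader t = ClassLoader.getSystemClassLoader(); t != null; t = t.getParent())
            if (l == t) return true;
        return l == null;
    }
    // Nearest untrusted class loader on the call stack, or null if there is none.
    private ClassLoader callerLoader() {
        for (Class<?> c : getClassContext())
            if (!trusted(c.getClassLoader())) return c.getClassLoader();
        return null;
    }
    // Default group for a new thread: the calling loader's own group.
    @Override public ThreadGroup getThreadGroup() {
        ClassLoader l = callerLoader();
        if (l == null) return super.getThreadGroup();      // trusted code: default rule
        return groups.computeIfAbsent(l, k -> {
            creating.set(true);
            try { return new ThreadGroup(untrustedRoot, "loader-" + System.identityHashCode(k)); }
            finally { creating.set(false); }
        });
    }
    @Override public void checkAccess(Thread t) {
        ThreadGroup g = t.getThreadGroup();                // null once the thread has died
        if (g != null) checkAccess(g);
    }
    // Untrusted code may affect only its own group and that group's descendants.
    @Override public void checkAccess(ThreadGroup g) {
        ClassLoader l = callerLoader();
        if (l == null || creating.get()) return;
        ThreadGroup own = groups.get(l);
        if (own == null || !own.parentOf(g))
            throw new SecurityException("thread group " + g.getName() + " is not owned by the caller");
    }
}
```

Install it with System.setSecurityManager() before any untrusted class runs; code loaded by the bootstrap or system class loader keeps the default thread rules, while a class from any other loader gets its first group on its first new Thread() and is refused access to every thread outside it.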

4.3.5 Methods Protecting System Resources

The Java-enabled browser has access to certain system-level resources to which untrusted classes should not be granted access. The next set of methods in the SecurityManager class, outlined in Table 4-5, handles those system-level resources.

Table 4-5. Security Manager Protections of System Resources

Method                         Called By                        Rationale
checkPrintJobAccess()          Toolkit.getPrintJob()            Untrusted classes can't initiate print jobs.
checkSystemClipboardAccess()   Toolkit.getSystemClipboard()     Untrusted classes can't read the system clipboard.
checkAwtEventQueueAccess()     EventQueue.getEventQueue()       Untrusted classes can't manipulate window events.
checkPropertiesAccess()        System.getProperties(),          Untrusted classes can't see or set system properties.
                               System.setProperties()
checkPropertyAccess()          System.getProperty()             Untrusted classes can't get a particular system property.
checkPropertyAccess()          Locale.setDefault()              Can't change the locale unless the user.language property can be read.