Add missing permissions to CustomSecurityManager needed for IBM JVMs (#7513)

dougqh · web-flow · commit 8638837466c9 · 2024-08-27T08:02:45.000+02:00
* Adding missing permissions needed for IBM JVMs
* Adding more properties needed by IBM JVMs
* Grant setIO by default, so IBM will pass
* Adding in access IBM properties
* Unblocking IBM Java 8
* Adding file properties
* Adding access to JAVABIDI
* Adding IBM specific properties to isIbmProperty
* Adding bugLevel used by IBM
* Adding IBM shutdown timeout to minimal
* Adding another IBM property
* Adding access to IBM tools file
diff --git a/dd-java-agent/src/test/java/jvmbootstraptest/CustomSecurityManager.java b/dd-java-agent/src/test/java/jvmbootstraptest/CustomSecurityManager.java
@@ -101,6 +101,9 @@ final boolean checkRuntimePermission(RuntimePermission perm, Object ctx, String
 
       case "enableContextClassLoaderOverride":
         return checkRuntimeContextClassLoader(perm, ctx);
+
+      case "setIO":
+        return checkRuntimeSetIO(perm, ctx);
     }
 
     if (name.startsWith("accessClassInPackage.")) {
@@ -295,6 +298,14 @@ protected final boolean defaultCheckRuntimeContextClassLoader(
     return false;
   }
 
+  protected boolean checkRuntimeSetIO(RuntimePermission perm, Object ctx) {
+    return defaultCheckRuntimeSetIO(perm, ctx);
+  }
+
+  protected final boolean defaultCheckRuntimeSetIO(RuntimePermission perm, Object ctx) {
+    return true;
+  }
+
   protected boolean checkOtherRuntimePermission(
       RuntimePermission perm, Object ctx, String permName) {
     return defaultOtherRuntimePermission(perm, ctx, permName);
@@ -346,7 +357,8 @@ protected final boolean defaultCheckFileReadPermission(
         || isDevFile(filePath)
         || isEtcFile(filePath)
         || isTimeZoneDb(filePath)
-        || isNetProperties(filePath);
+        || isNetProperties(filePath)
+        || isIbmFile(filePath);
   }
 
   protected boolean checkFileWritePermission(FilePermission perm, Object ctx, String filePath) {
@@ -375,6 +387,10 @@ protected static final boolean isClassFile(String filePath) {
     return filePath.endsWith(".class");
   }
 
+  protected static final boolean isIbmFile(String filePath) {
+    return filePath.endsWith("/tmp/.com_ibm_tools_attach");
+  }
+
   protected static final boolean isLibraryFile(String filePath) {
     return filePath.endsWith(".dylib") || filePath.endsWith(".so") || filePath.endsWith(".dll");
   }
@@ -518,6 +534,9 @@ protected final boolean minimalCheckPropertyReadPermission(
       PropertyPermission perm, Object ctx, String property) {
     switch (property) {
       case "sun.boot.class.path":
+      case "sun.reflect.noInflation":
+      case "sun.reflect.inflationThreshold":
+      case "sun.nio.cs.bugLevel":
       case "java.system.class.loader":
       case "java.protocol.handler.pkgs":
       case "java.vm.specification.version":
@@ -533,6 +552,7 @@ protected final boolean minimalCheckPropertyReadPermission(
       case "java.ext.dirs":
       case "java.version":
       case "java.home":
+      case "file.encoding":
       case "sun.boot.library.path":
       case "sun.jnu.encoding":
       case "jdk.module.main":
@@ -543,6 +563,12 @@ protected final boolean minimalCheckPropertyReadPermission(
       case "jdk.jar.maxSignatureFileSize":
       case "jdk.util.zip.disableZip64ExtraFieldValidation":
       case "user.dir":
+      case "ibm.java9.forceCommonCleanerShutdown":
+      case "com.ibm.dbgmalloc":
+      case "com.ibm.tools.attach.shutdown_timeout":
+      case "ibm.system.encoding":
+      case "os.name":
+      case "JAVABIDI":
         return true;
     }
 
@@ -579,9 +605,11 @@ protected static final boolean isBuiltinProperty(String propertyName) {
         || isUserLocaleProperty(propertyName)
         || isGraalProperty(propertyName)
         || isAzulProperty(propertyName)
+        || isIbmProperty(propertyName)
         || isProxyProperty(propertyName)
         || isReflectProperty(propertyName)
-        || isAppleProperty(propertyName);
+        || isAppleProperty(propertyName)
+        || isFileProperty(propertyName);
   }
 
   protected static final boolean isSunProperty(String propertyName) {
@@ -604,6 +632,10 @@ protected static final boolean isOsProperty(String propertyName) {
     return propertyName.startsWith("os.") || propertyName.equals("path.separator");
   }
 
+  protected static final boolean isFileProperty(String propertyName) {
+    return propertyName.startsWith("file.");
+  }
+
   protected static final boolean isUserLocaleProperty(String propertyName) {
     return propertyName.startsWith("user.");
   }
@@ -616,6 +648,16 @@ protected static final boolean isAzulProperty(String propertyName) {
     return propertyName.startsWith("com.azul.");
   }
 
+  protected static final boolean isIbmProperty(String propertyName) {
+    // IBM specific properties w/o IBM in the name
+    switch (propertyName) {
+      case "file.encoding":
+      case "JAVABIDI":
+        return true;
+    }
+    return propertyName.startsWith("ibm.") || propertyName.startsWith("com.ibm.");
+  }
+
   protected static final boolean isAppleProperty(String propertyName) {
     return propertyName.startsWith("apple.");
   }
