Mark setting of sun.nio.ch.bugLevel as privileged

Motivation: Writing to a system property requires permissions. Yet the code for setting sun.nio.ch.bugLevel is not marked as privileged. In a restrictive environment (e.g., under a security policy that only grants the requisite permissions the Netty transport jar but not to application code triggering the Netty initialization), writing to this system property will not succeed even if the security policy would otherwise permit it. Modifications: This commt marks the necessary code block as privileged. This enables writing to this system property. The idea is that we are saying the Netty code is trusted, and as long as the Netty code has been granted the necessary permissions, then we will allow the caller access to these resources even though the caller itself might not have the requisite permissions. Result: The system property sun.nio.ch.bugLevel can be written to in a restrictive security environment.
netty · Aug 5, 2016 · 3262907 · 3262907
1 parent 30a293c
commit 3262907
Showing 1 changed file with 15 additions and 9 deletions.
diff --git a/transport/src/main/java/io/netty/channel/nio/NioEventLoop.java b/transport/src/main/java/io/netty/channel/nio/NioEventLoop.java
@@ -35,6 +35,8 @@
 import java.nio.channels.SelectionKey;
 import java.nio.channels.Selector;
 import java.nio.channels.spi.SelectorProvider;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.ConcurrentModificationException;
@@ -82,15 +84,19 @@ public Integer call() throws Exception {
     // - http://bugs.sun.com/view_bug.do?bug_id=6427854
     // - https://github.com/netty/netty/issues/203
     static {
-        String key = "sun.nio.ch.bugLevel";
-        try {
-            String buglevel = SystemPropertyUtil.get(key);
-            if (buglevel == null) {
-                System.setProperty(key, "");
-            }
-        } catch (SecurityException e) {
-            if (logger.isDebugEnabled()) {
-                logger.debug("Unable to get/set System Property: {}", key, e);
+        final String key = "sun.nio.ch.bugLevel";
+        final String buglevel = SystemPropertyUtil.get(key);
+        if (buglevel == null) {
+            try {
+                AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                    @Override
+                    public Void run() {
+                        System.setProperty(key, "");
+                        return null;
+                    }
+                });
+            } catch (final SecurityException e) {
+                logger.debug("Unable to get/set System Property: " + key, e);
             }
         }