pfirmst ◴[] No.42189343[source]
Looking for interested parties to assist in maintaining a fork of OpenJDK with authorization. Note this isn't for sandboxing untrusted code, but instead to only allow loading trusted code and to automate generation of principle-of-least-privilege policy files for auditing with user Principals and Code Signers.
replies(2): >>42190229 #>>42190244 #
mdaniel ◴[] No.42190244[source]
Since I am not the target audience for this, pardon me if this seems like a silly question, but wouldn't just using a custom ClassLoader or even an Agent get this done, without having to full-on fork the JDK?
replies(2): >>42193507 #>>42202170 #
1. pfirmst ◴[] No.42202170[source]
It requires low-level hooks and support from within the JVM. Using agents is brittle and difficult to secure; the simplest solution is just to fork. I did spend some time investigating these methods before making the decision.

https://github.com/pfirmstone/HighPerformanceSecurity