I am a beginner with SecurityManager. I have been trying to use a Java SecurityManager to sandbox some untrusted code (supposed to be very simple code, like calculating the weight, etc.) on Linux. I use the command java -Djava.security.manager to run the .class file.
One thing that confused me is: some people say the default policy of SecurityManager allows almost every action, and you need to write your own policy to deny some risky actions (such as reading/writing files on your disk); while others say the default policy actually denies every risky action, and if you need to permit some risky action, you can write your own policy for that action.
My question is:
P.S. I actually want to deny all risky actions. So, if the default policy is to deny every risky action, I think I will use the default SecurityManager.
The default security policy is pretty tight. You can look at your default java policy at java.home/lib/security/java.policy
Everything which is not included in the grant { ... }; block which applies to all domains, such as java.io.FilePermissions, is not granted to the arbitrary code you run.
Java security policy files don't support 'deny' configuration, only grants. That's part of the reason it makes sense to start out with a relatively strict file on top of which users can add in user or application policy files.
Reference: http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
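To see what the answer describes on your own JVM, the following probe (an added example, not part of the original question or answer) attempts a few actions and reports which ones the policy in effect denies. It assumes a JDK where the Security Manager is still available (it has been deprecated since Java 17) and an unmodified java.policy; the class name SandboxProbe and the file paths are illustrative choices.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.Callable;

// Added example. Run it twice and compare the two reports:
//   java SandboxProbe
//   java -Djava.security.manager SandboxProbe
public class SandboxProbe {

    // Runs one action and classifies the outcome. A denial surfaces as a
    // SecurityException (AccessControlException is a subclass); its message
    // names the exact permission a policy file would have to grant.
    static String probe(Callable<?> action) {
        try {
            action.call();
            return "ALLOWED";
        } catch (SecurityException e) {
            return "DENIED  " + e.getMessage();
        } catch (Exception e) {
            // Permission check passed, the operation itself failed (e.g. no such file).
            return "ALLOWED (then failed: " + e + ")";
        }
    }

    public static void main(String[] args) {
        Map<String, Callable<?>> actions = new LinkedHashMap<>();
        // Listed in the stock grant { ... } block that applies to all code.
        actions.put("read property java.version", () -> System.getProperty("java.version"));
        // Not listed there, so not granted to code run under the manager.
        actions.put("read property user.home", () -> System.getProperty("user.home"));
        // Illustrative paths outside the classpath directory.
        actions.put("read file /etc/hostname", () -> {
            try (FileInputStream in = new FileInputStream("/etc/hostname")) {
                return in.read();
            }
        });
        // Creates an empty file when run without the manager.
        actions.put("write file /tmp/sandbox-probe.txt", () -> {
            try (FileOutputStream out = new FileOutputStream("/tmp/sandbox-probe.txt")) {
                return null;
            }
        });

        System.out.println("SecurityManager installed: " + (System.getSecurityManager() != null));
        for (Map.Entry<String, Callable<?>> e : actions.entrySet()) {
            System.out.printf("%-36s %s%n", e.getKey(), probe(e.getValue()));
        }
    }
}
```

Code loaded from the classpath is normally given read access to its own classpath directory by the class loader, which is why the probe reads a file elsewhere on disk.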