I found "Enable the operating system's restricted environment (native sandbox)" is added to Java control panel at 8u51. But I could not find any documents.
What is native sandbox?
I know about sandbox itself and java's Permission/SecurityManager. Is there difference between old java specific sandbox and native sandbox? –
Harlequinade
I found some explanation in release notes. Is it added? oracle.com/technetwork/java/javase/8u51-relnotes-2587590.html –
Harlequinade
I've been puzzling over this same question over on the InfoSec Se forum. security.stackexchange.com/questions/100289/… . And after searching Google till I'm blue in the face, trying to figure out what exactly the "restricted environment" within Windows the capability is supposed to be taking advantage of (low integrity/ Protected Mode in Vista & later? AppContainer / Enhanced Protected Mode in Windows 8 and later? Something else?), and even firing up Process Explorer & ProcMon to try to actually see .... –
Disqualification
...signs of how the security characteristics Java processes changed when the setting was flipped on or off. The result: Honestly, I don't think know anything for sure beyond what I knew when I started. Been driving me batty. –
Disqualification
From the official Release Notes for JDK 8 and JDK 8 Update Releases we know that:
- Native sandbox is available on Windows platform only.
Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting
deployment.security.use.native.sandboxproperty to true indeployment.propertiesfile.Native sandbox is disabled by default.
When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.
Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.
Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the Class-Path manifest attribute, will run in native sandbox.
In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files.
Custom preloader will be disabled in certain cases when native sandbox is enabled:
- Custom preloader will be disabled when sandbox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized, Java VM restarts with native sandbox enabled and the custom preloader will be used.
- For all-permission applications, custom preloader will be disabled if it is located in the JNLP file with sandbox permission, until user agrees to run application from the Security Dialog, which grants unrestricted access (privileged) to application.
There is, at the moment, no more documention than this. To sum up, in the Java platform, the native sandbox is a specific Windows feature, which use a set of API from the operating system to improve the sandboxing.
The Windows Store Apps should use the same set of API. There is an article about this : Windows Store Apps live in the Sandbox. It says:
Being in the Sandbox also means the app has no direct access to any other app or service running outside of the app’s sandbox. Access to other apps or services is facilitated by Windows itself with a defined set of APIs with in the runtime environment.
© 2022 - 2024 — McMap. All rights reserved.