Page History

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation, but also by ensuring that privileged blocks contain only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; this increases the potential attack surface exposed to an attacker. Consequently, privileged blocks are forbidden to must not contain superfluous code.

...

This is a violation of the principle of least privilege because a caller who does may not have the required privileges can indirectly also load the specified library provided the security policy allows doing so. This transfers the burden of ensuring security to the administrator who implements the security policy.

...

This compliant solution moves the call to {{System.loadLibrary()}} outside the {{doPrivileged()}} block. Any operations on the file descriptor {{f\[0\]}} mustshould also occur outside the privileged block to make it easier to audit privileged code. However, {{f\[0\]}} shouldmust not leak out to untrusted code (see [SEC00-J. Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary]). As a result, the "operations on the file" must not allow {{f\[0\]}} to escape out of {{changePassword()}}. Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.

...

...

...