Each module should have an associated security policy. Here's the requirements.

1. Each code source (i.e. resource root) should be configurable separately.
2. A check should be in place to prevent modules from installing or changing security policies for code sources outside of that module. This could be achieved by implementing this as a simple permission list for each resource root, plus a "default" permission list for the module as a whole, either inside module.xml or in a separate permissions file.

The class loader should probably use SecureClassLoader#getPermissions(CodeSource) to publish the permissions back to the security manager; this approach needs to be tested.