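--- /dev/null
+++ b/src/jdk/internal/dynalink/beans/CheckRestrictedPackageInternal.java
@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * This file is available under and governed by the GNU General Public
+ * License version 2 only, as published by the Free Software Foundation.
+ * However, the following notice accompanied the original version of this
+ * file, and Oracle licenses the original version of this file under the BSD
+ * license:
+ */
+/*
+   Copyright 2009-2013 Attila Szegedi
+
+   Licensed under both the Apache License, Version 2.0 (the "Apache License")
+   and the BSD License (the "BSD License"), with licensee being free to
+   choose either of the two at their discretion.
+
+   You may not use this file except in compliance with either the Apache
+   License or the BSD License.
+
+   If you choose to use this file in compliance with the Apache License, the
+   following notice applies to you:
+
+       You may obtain a copy of the Apache License at
+
+           http://www.apache.org/licenses/LICENSE-2.0
+
+       Unless required by applicable law or agreed to in writing, software
+       distributed under the License is distributed on an "AS IS" BASIS,
+       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+       implied. See the License for the specific language governing
+       permissions and limitations under the License.
+
+   If you choose to use this file in compliance with the BSD License, the
+   following notice applies to you:
+
+       Redistribution and use in source and binary forms, with or without
+       modification, are permitted provided that the following conditions are
+       met:
+       * Redistributions of source code must retain the above copyright
+         notice, this list of conditions and the following disclaimer.
+       * Redistributions in binary form must reproduce the above copyright
+         notice, this list of conditions and the following disclaimer in the
+         documentation and/or other materials provided with the distribution.
+       * Neither the name of the copyright holder nor the names of
+         contributors may be used to endorse or promote products derived from
+         this software without specific prior written permission.
+
+       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
+       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+package jdk.internal.dynalink.beans;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
+import java.security.SecureClassLoader;
+
+/**
+ * A utility class to check whether a given class is in a package with restricted access e.g. "sun.*". These packages
+ * are normally listed in the security property "package.access" for most JRE implementations, although we fortunately
+ * don't rely on it but solely on {@link SecurityManager#checkPackageAccess(String)}).
+ *
+ * This class accomplishes the check in a fashion that works reliably even if Dynalink itself (and all the code on the
+ * stack that led to the invocation) has the permission to access the restricted package.
+ *
+ * If Dynalink has a broad set of privileges (notably, it is loaded from boot or extension class path), then it loads
+ * the {@link RestrictedPackageTester} class into a isolated secure class loader that gives it no permissions
+ * whatsoever, and uses this completely unprivileged class to subsequently invoke
+ * {@link SecurityManager#checkPackageAccess(String)}. This will reliably throw a {@link SecurityException} for every
+ * restricted package even if Dynalink and other code on the stack have the requisite {@code "accessClassInPackage.*"}
+ * {@link RuntimePermission} privilege.
+ *
+ * On the other hand, if Dynalink does not have a broad set of privileges normally granted by the boot or extension
+ * class path, it will probably lack the privilege to create a new secure class loader into which to load the tester
+ * class. In this case, it will invoke {@link SecurityManager#checkPackageAccess(String)} itself with the reasoning that
+ * it will also be sufficient to discover whether a package is restricted or not.
+ *
+ * The rationale for this design is that if Dynalink is running as part of a privileged classpath - boot or extension
+ * class path, it will have all privileges, so a security manager's package access check might succeed if all other code
+ * on the stack when requesting linking with a particular restricted class is also privileged. A subsequent linking
+ * request from less privileged code would then also succeed in requesting methods in privileged package. On the other
+ * hand, if Dynalink is privileged, it will be able to delegate the package access check to the unprivileged class and
+ * narrow the access based on its result. Finally, if Dynalink itself is unprivileged, it will not be able to load the
+ * unprivileged class, but then it will also fail the security manager's package access.
+ *
+ * With this design, Dynalink effectively restrains itself from giving unauthorized access to restricted packages from
+ * classes doing the linking in case it itself has access to those packages. The only way to defeat it would be to
+ * selectively give Dynalink some {@code "accessClassInPackage.*"} permissions while denying it the privilege to
+ * manipulate class loaders.
+ */
+class CheckRestrictedPackageInternal {
+    private static final MethodHandle PACKAGE_ACCESS_CHECK = getPackageAccessCheckMethod();
+    private static final String TESTER_CLASS_NAME = "jdk.internal.dynalink.beans.RestrictedPackageTester";
+
+    /**
+     * Returns true if the specified package has restricted access.
+     * @param pkgName the name of the package to check.
+     * @return true if the specified package has restricted access, false otherwise.
+     * @throws NullPointerException if pkgName is null, or if there is {@link System#getSecurityManager()} returns null
+     * as this method is only expected to be invoked in the presence of a security manager.
+     */
+    static boolean isRestrictedPackageName(String pkgName) {
+        try {
+            if(PACKAGE_ACCESS_CHECK != null) {
+                // If we were able to load our unprivileged tester class, use it to check package access
+                try {
+                    PACKAGE_ACCESS_CHECK.invokeExact(pkgName);
+                } catch(Error|RuntimeException e) {
+                    throw e;
+                } catch(Throwable t) {
+                    throw new RuntimeException(t);
+                }
+            } else {
+                // If we didn't have sufficient permissions to load our unprivileged tester class, we're definitely not
+                // running in a privileged class path, so invoking SecurityManager.checkPackageAccess() directly should
+                // have the same effect as going through an unprivileged tester.
+                System.getSecurityManager().checkPackageAccess(pkgName);
+            }
+            return false;
+        } catch(SecurityException e) {
+            return true;
+        }
+    }
+
+    private static MethodHandle getPackageAccessCheckMethod() {
+        try {
+            return AccessController.doPrivileged(new PrivilegedAction<MethodHandle>() {
+                @Override
+                public MethodHandle run() {
+                    return getPackageAccessCheckMethodInternal();
+                }
+            });
+        } catch(SecurityException e) {
+            // We don't have sufficient privileges to load our tester class into a separate protection domain, so just
+            // return null so isRestrictedPackageName() will default to itself invoking
+            // SecurityManager.checkPackageAccess().
+            return null;
+        }
+    }
+
+    static MethodHandle getPackageAccessCheckMethodInternal() {
+        try {
+            // Can't use MethodHandles.lookup().findStatic() -- even though both this class and the loaded class are in
+            // the same package, findStatic() will throw an IllegalAccessException since they have different class
+            // loaders. That's why we have to use unreflect with a setAccessible(true)...
+            final Method m = getTesterClass().getDeclaredMethod("checkPackageAccess", String.class);
+            m.setAccessible(true);
+            return MethodHandles.lookup().unreflect(m);
+        } catch(IllegalAccessException|NoSuchMethodException e) {
+            throw new AssertionError(e);
+        }
+    }
+
+    private static Class<?> getTesterClass() {
+        final ClassLoader loader = getTesterClassLoader();
+        try {
+            final Class<?> checkerClass = Class.forName(TESTER_CLASS_NAME, true, loader);
+            // Sanity check to ensure we didn't accidentally pick up the class from elsewhere
+            if(checkerClass.getClassLoader() != loader) {
+                throw new AssertionError(TESTER_CLASS_NAME + " was loaded from a different class loader");
+            }
+            return checkerClass;
+        } catch(ClassNotFoundException e) {
+            throw new AssertionError(e);
+        }
+    }
+
+    private static ClassLoader getTesterClassLoader() {
+        // We deliberately override loadClass instead of findClass so that we don't give a chance to finding this
+        // class already loaded anywhere else. Not that there's a big possibility for this, especially since the parent
+        // class loader is the bootstrap class loader, but still...
+        return new SecureClassLoader(null) {
+
+            @Override
+            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
+                if(name.equals(TESTER_CLASS_NAME)) {
+                    final byte[] bytes = getTesterClassBytes();
+                    // Define the class with a protection domain that grants no permissions.
+                    Class<?> clazz = defineClass(name, bytes, 0, bytes.length, new ProtectionDomain(null,
+                            new Permissions()));
+                    if(resolve) {
+                        resolveClass(clazz);
+                    }
+                    return clazz;
+                } else {
+                    return super.loadClass(name, resolve);
+                }
+            }
+        };
+    }
+
+    private static byte[] getTesterClassBytes() {
+        try {
+            final InputStream in = CheckRestrictedPackage.class.getResourceAsStream("RestrictedPackageTester.class");
+            try {
+                final ByteArrayOutputStream out = new ByteArrayOutputStream(2048);
+                for(;;) {
+                    final int b = in.read();
+                    if(b == -1) {
+                        break;
+                    }
+                    out.write(b);
+                }
+                return out.toByteArray();
+            } finally {
+                in.close();
+            }
+        } catch(IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}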
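Review bot: `getTesterClassBytes()` dereferences the result of `getResourceAsStream("RestrictedPackageTester.class")` without a null check, so a missing or repackaged resource surfaces as a `NullPointerException` out of the `PACKAGE_ACCESS_CHECK` static initializer rather than the `SecurityException` that `getPackageAccessCheckMethod()` catches, and the whole class then fails to initialize instead of falling back to the direct `checkPackageAccess` path. The one-byte-at-a-time `in.read()` loop is also needlessly slow for a class file; a buffered read inside try-with-resources (the file already relies on Java 7 multi-catch) fixes both, with an explicit `AssertionError` naming the missing resource. A secondary point in the `SecureClassLoader` override: `loadClass` goes straight to `defineClass` without consulting `findLoadedClass(name)`, so a second `Class.forName` against the same loader instance would hit a duplicate-definition `LinkageError`; it is harmless while `getTesterClass()` remains the only caller, which deserves a one-line comment there such as `// loader instances are single-use: this override defines the class unconditionally`.
```java
private static byte[] getTesterClassBytes() {
    try (InputStream in = CheckRestrictedPackage.class.getResourceAsStream("RestrictedPackageTester.class")) {
        if(in == null) {
            throw new AssertionError("RestrictedPackageTester.class resource not found");
        }
        final ByteArrayOutputStream out = new ByteArrayOutputStream(2048);
        final byte[] buf = new byte[2048];
        for(int n; (n = in.read(buf)) != -1;) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    } catch(IOException e) {
        throw new RuntimeException(e);
    }
}
```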