Fri, 09 Aug 2013 20:48:44 +0530
8022707: Revisit all doPrivileged blocks
Reviewed-by: jlaskey, hannesw
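--- a/make/project.properties
+++ b/make/project.properties
@@ -222,11 +222,16 @@
 run.test.user.language=tr
 run.test.user.country=TR
 
-# -XX:+PrintCompilation -XX:+UnlockDiagnosticVMOptions -XX:+PrintNMethods
-run.test.jvmargs.main=-server -Xmx${run.test.xmx} -XX:+TieredCompilation -ea -Dfile.encoding=UTF-8 -Duser.language=${run.test.user.language} -Duser.country=${run.test.user.country} -XX:+HeapDumpOnOutOfMemoryError
+run.test.jvmargs.common=-server -Xmx${run.test.xmx} -XX:+TieredCompilation -Dfile.encoding=UTF-8 -Duser.language=${run.test.user.language} -Duser.country=${run.test.user.country} -XX:+HeapDumpOnOutOfMemoryError
+
+#-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M
+# -XX:+PrintCompilation -XX:+UnlockDiagnosticVMOptions -XX:+PrintNMethods
+
+# turn on assertions for tests
+run.test.jvmargs.main=${run.test.jvmargs.common} -ea
 
 #-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M
-run.test.jvmargs.octane.main=-Xms${run.test.xms} ${run.test.jvmargs.main}
+run.test.jvmargs.octane.main=-Xms${run.test.xms} ${run.test.jvmargs.common}
 
 run.test.jvmsecurityargs=-Xverify:all -Djava.security.properties=${basedir}/make/java.security.override -Djava.security.manager -Djava.security.policy=${basedir}/build/nashorn.policy
 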
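--- a/src/jdk/nashorn/api/scripting/NashornScriptEngine.java
+++ b/src/jdk/nashorn/api/scripting/NashornScriptEngine.java
@@ -36,10 +36,13 @@
 import java.lang.reflect.Modifier;
 import java.net.URL;
 import java.nio.charset.Charset;
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -71,6 +74,14 @@
  */
 
 public final class NashornScriptEngine extends AbstractScriptEngine implements Compilable, Invocable {
+    private static AccessControlContext createPermAccCtxt(final String permName) {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(permName));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext CREATE_CONTEXT_ACC_CTXT = createPermAccCtxt(Context.NASHORN_CREATE_CONTEXT);
+    private static final AccessControlContext CREATE_GLOBAL_ACC_CTXT = createPermAccCtxt(Context.NASHORN_CREATE_GLOBAL);
 
     private final ScriptEngineFactory factory;
     private final Context nashornContext;
@@ -84,16 +95,9 @@
 
     private static final String MESSAGES_RESOURCE = "jdk.nashorn.api.scripting.resources.Messages";
 
-    // Without do privileged, under security manager messages can not be loaded.
     private static final ResourceBundle MESSAGES_BUNDLE;
     static {
-        MESSAGES_BUNDLE = AccessController.doPrivileged(
-            new PrivilegedAction<ResourceBundle>() {
-                @Override
-                public ResourceBundle run() {
-                    return ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
-                }
-            });
+        MESSAGES_BUNDLE = ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
     }
 
     private static String getMessage(final String msgId, final String... args) {
@@ -128,7 +132,7 @@
                     throw e;
                 }
             }
-        });
+        }, CREATE_CONTEXT_ACC_CTXT);
 
         // create new global object
         this.global = createNashornGlobal();
@@ -340,7 +344,7 @@
                     throw e;
                 }
             }
-        });
+        }, CREATE_GLOBAL_ACC_CTXT);
 
         nashornContext.initGlobal(newGlobal);
 
@@ -362,10 +366,8 @@
     }
 
     private void evalEngineScript() throws ScriptException {
-        evalSupportScript("resources/engine.js", NashornException.ENGINE_SCRIPT_SOURCE_NAME);
-    }
-
-    private void evalSupportScript(final String script, final String name) throws ScriptException {
+        final String script = "resources/engine.js";
+        final String name = NashornException.ENGINE_SCRIPT_SOURCE_NAME;
         try {
             final InputStream is = AccessController.doPrivileged(
                     new PrivilegedExceptionAction<InputStream>() {
@@ -380,6 +382,9 @@
                 eval(isr);
             }
         } catch (final PrivilegedActionException | IOException e) {
+            if (Context.DEBUG) {
+                e.printStackTrace();
+            }
             throw new ScriptException(e);
         } finally {
             put(ScriptEngine.FILENAME, null);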
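Review bot: The `createPermAccCtxt` helper added at the top of `NashornScriptEngine` is a near-identical copy of helpers this commit also adds to `ScriptObjectMirror` (`getContextAccCtxt`), `Context`, `Logging`, `Options` and, as the package-visible varargs form, `ClassAndLoader`, which leaves six places to audit the next time a limited context is changed; one shared helper would be preferable. None of the copies says what the change relies on, namely that `doPrivileged(action, acc)` with such a context only narrows the action's effective permissions to the intersection with the caller's domain and never grants anything. A Javadoc line on the helper such as `/** Context restricting a doPrivileged action to the single RuntimePermission permName; it grants nothing the caller does not already hold. */`, plus a one-liner on `CREATE_CONTEXT_ACC_CTXT`/`CREATE_GLOBAL_ACC_CTXT` naming the action each guards, would record that. The constructor and `createNashornGlobal` bodies that receive the new contexts start outside these hunks.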
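--- a/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
+++ b/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
@@ -30,6 +30,7 @@
 import java.util.List;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
+import jdk.nashorn.internal.runtime.Context;
 import jdk.nashorn.internal.runtime.Version;
 
 /**
@@ -136,7 +137,14 @@
 
     @Override
     public ScriptEngine getScriptEngine() {
-        return new NashornScriptEngine(this, getAppClassLoader());
+        try {
+            return new NashornScriptEngine(this, getAppClassLoader());
+        } catch (final RuntimeException e) {
+            if (Context.DEBUG) {
+                e.printStackTrace();
+            }
+            throw e;
+        }
     }
 
     /**
@@ -178,7 +186,7 @@
     private static void checkConfigPermission() {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.setConfig"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_SET_CONFIG));
         }
     }
 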
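--- a/src/jdk/nashorn/api/scripting/ScriptObjectMirror.java
+++ b/src/jdk/nashorn/api/scripting/ScriptObjectMirror.java
@@ -25,14 +25,17 @@
 
 package jdk.nashorn.api.scripting;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Iterator;
 import java.util.LinkedHashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -49,6 +52,14 @@
  * netscape.javascript.JSObject interface.
  */
 public final class ScriptObjectMirror extends JSObject implements Bindings {
+    private static AccessControlContext getContextAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(Context.NASHORN_GET_CONTEXT));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext GET_CONTEXT_ACC_CTXT = getContextAccCtxt();
+
     private final ScriptObject sobj;
     private final ScriptObject global;
 
@@ -144,7 +155,7 @@
                     public Context run() {
                         return Context.getContext();
                     }
-                });
+                }, GET_CONTEXT_ACC_CTXT);
                 return wrap(context.eval(global, s, null, null, false), global);
             }
         });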
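Review bot: `getContextAccCtxt()` is named like an accessor but builds a fresh `AccessControlContext` on every call; the sibling helpers this commit adds in other files are all named `create...AccCtxt`, so `createGetContextAccCtxt()` would match and stop a later reader from treating it as a cheap getter. It is invoked only once, to initialize `GET_CONTEXT_ACC_CTXT`, so behaviour is unaffected. A short comment on the constant, e.g. `// eval() obtains the Context under this context: only nashorn.getContext is effective inside the privileged block`, would say what the narrowing protects. The `eval` method whose privileged block receives the context starts outside the hunk.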
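--- a/src/jdk/nashorn/internal/objects/Global.java
+++ b/src/jdk/nashorn/internal/objects/Global.java
@@ -35,8 +35,6 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.ref.SoftReference;
 import java.lang.reflect.Field;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -420,7 +418,7 @@
         // security check first
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.newGlobal"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_CREATE_GLOBAL));
         }
 
         // null check on context
@@ -1780,19 +1778,13 @@
     }
 
     private static void copyOptions(final ScriptObject options, final ScriptEnvironment scriptEnv) {
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-            @Override
-            public Void run() {
-                for (Field f : scriptEnv.getClass().getFields()) {
-                    try {
-                        options.set(f.getName(), f.get(scriptEnv), false);
-                    } catch (final IllegalArgumentException | IllegalAccessException exp) {
-                        throw new RuntimeException(exp);
-                    }
-                }
-                return null;
+        for (Field f : scriptEnv.getClass().getFields()) {
+            try {
+                options.set(f.getName(), f.get(scriptEnv), false);
+            } catch (final IllegalArgumentException | IllegalAccessException exp) {
+                throw new RuntimeException(exp);
             }
-        });
+        }
     }
 
     private void initTypedArray() {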
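Review bot: The permission checked in the `Global` constructor changes from the literal `"nashorn.newGlobal"` to `Context.NASHORN_CREATE_GLOBAL`, whose value (per the Context hunk) is `"nashorn.createGlobal"`; unlike the other constant extractions in this commit this renames the permission, so any policy that grants `nashorn.newGlobal` silently stops satisfying the check, and neither the commit message nor the hunk mentions it. If the rename is intended it should be called out in the description and reflected in the policy the tests run with; otherwise keep the old string as the constant's value. Separately, dropping `doPrivileged` from `copyOptions` presumably relies on `Global` and `ScriptEnvironment` sharing a class loader, so that `getClass().getFields()` and `Field.get` on public fields trigger no member or package-access check under a security manager; a comment such as `// public fields of a same-loader class: no doPrivileged needed` would record that assumption. The constructor containing the permission check starts outside the hunk.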
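--- a/src/jdk/nashorn/internal/objects/NativeDebug.java
+++ b/src/jdk/nashorn/internal/objects/NativeDebug.java
@@ -72,7 +72,7 @@
     public static Object getContext(final Object self) {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.getContext"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_GET_CONTEXT));
         }
         return Global.getThisContext();
     }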
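--- a/src/jdk/nashorn/internal/runtime/Context.java
+++ b/src/jdk/nashorn/internal/runtime/Context.java
@@ -64,6 +64,31 @@
  * This class manages the global state of execution. Context is immutable.
  */
 public final class Context {
+    // nashorn specific security runtime access permission names
+    /**
+     * Permission needed to pass arbitrary nashorn command line options when creating Context.
+     */
+    public static final String NASHORN_SET_CONFIG = "nashorn.setConfig";
+
+    /**
+     * Permission needed to create Nashorn Context instance.
+     */
+    public static final String NASHORN_CREATE_CONTEXT = "nashorn.createContext";
+
+    /**
+     * Permission needed to create Nashorn Global instance.
+     */
+    public static final String NASHORN_CREATE_GLOBAL = "nashorn.createGlobal";
+
+    /**
+     * Permission to get current Nashorn Context from thread local storage.
+     */
+    public static final String NASHORN_GET_CONTEXT = "nashorn.getContext";
+
+    /**
+     * Permission to use Java reflection/jsr292 from script code.
+     */
+    public static final String NASHORN_JAVA_REFLECTION = "nashorn.JavaReflection";
 
     /**
      * ContextCodeInstaller that has the privilege of installing classes in the Context.
@@ -139,7 +164,7 @@
     public static Context getContext() {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.getContext"));
+            sm.checkPermission(new RuntimePermission(NASHORN_GET_CONTEXT));
         }
         return getContextTrusted();
     }
@@ -204,7 +229,20 @@
 
     private static final ClassLoader myLoader = Context.class.getClassLoader();
     private static final StructureLoader sharedLoader;
-    private static final AccessControlContext NO_PERMISSIONS_CONTEXT;
+
+    private static AccessControlContext createNoPermAccCtxt() {
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
+    }
+
+    private static AccessControlContext createPermAccCtxt(final String permName) {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(permName));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext NO_PERMISSIONS_ACC_CTXT = createNoPermAccCtxt();
+    private static final AccessControlContext CREATE_LOADER_ACC_CTXT = createPermAccCtxt("createClassLoader");
+    private static final AccessControlContext CREATE_GLOBAL_ACC_CTXT = createPermAccCtxt(NASHORN_CREATE_GLOBAL);
 
     static {
         sharedLoader = AccessController.doPrivileged(new PrivilegedAction<StructureLoader>() {
@@ -212,8 +250,7 @@
             public StructureLoader run() {
                 return new StructureLoader(myLoader, null);
             }
-        });
-        NO_PERMISSIONS_CONTEXT = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
+        }, CREATE_LOADER_ACC_CTXT);
     }
 
     /**
@@ -254,7 +291,7 @@
     public Context(final Options options, final ErrorManager errors, final PrintWriter out, final PrintWriter err, final ClassLoader appLoader) {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.createContext"));
+            sm.checkPermission(new RuntimePermission(NASHORN_CREATE_CONTEXT));
         }
 
         this.env = new ScriptEnvironment(options, out, err);
@@ -516,7 +553,7 @@
             @Override
             public ScriptObject run() {
                 try {
-                    return createGlobal();
+                    return newGlobal();
                 } catch (final RuntimeException e) {
                     if (Context.DEBUG) {
                         e.printStackTrace();
@@ -524,7 +561,9 @@
                     throw e;
                 }
             }
-        });
+        }, CREATE_GLOBAL_ACC_CTXT);
+        // initialize newly created Global instance
+        initGlobal(newGlobal);
         setGlobalTrusted(newGlobal);
 
         final Object[] wrapped = args == null? ScriptRuntime.EMPTY_ARRAY : ScriptObjectMirror.wrapArray(args, oldGlobal);
@@ -577,7 +616,7 @@
                     sm.checkPackageAccess(fullName.substring(0, index));
                     return null;
                 }
-            }, NO_PERMISSIONS_CONTEXT);
+            }, NO_PERMISSIONS_ACC_CTXT);
         }
     }
 }
@@ -856,7 +895,7 @@
             public ScriptLoader run() {
                 return new ScriptLoader(sharedLoader, Context.this);
             }
-        });
+        }, CREATE_LOADER_ACC_CTXT);
     }
 
     private long getUniqueScriptId() {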
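Review bot: In the `@@ -204` hunk the correctness of the rewritten static initialization depends on textual order: `CREATE_LOADER_ACC_CTXT` must be initialized before the `static {}` block that passes it to `doPrivileged`, and nothing says so, so a later reordering would produce a `null` context and a `NullPointerException` during class initialization. A comment such as `// NOTE: these contexts must be declared before the static block below, which uses CREATE_LOADER_ACC_CTXT` on the three `*_ACC_CTXT` declarations would pin that down. `createNoPermAccCtxt` and `createPermAccCtxt` could also be one varargs method, as `ClassAndLoader.createPermAccCtxt` already is, with the zero-argument call yielding the no-permission context. The method containing the `newGlobal()` call and the new `initGlobal(newGlobal)` line starts outside its hunk.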
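--- a/src/jdk/nashorn/internal/runtime/ECMAErrors.java
+++ b/src/jdk/nashorn/internal/runtime/ECMAErrors.java
@@ -25,8 +25,6 @@
 
 package jdk.nashorn.internal.runtime;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -40,16 +38,9 @@
 public final class ECMAErrors {
     private static final String MESSAGES_RESOURCE = "jdk.nashorn.internal.runtime.resources.Messages";
 
-    // Without do privileged, under security manager messages can not be loaded.
     private static final ResourceBundle MESSAGES_BUNDLE;
     static {
-        MESSAGES_BUNDLE = AccessController.doPrivileged(
-            new PrivilegedAction<ResourceBundle>() {
-                @Override
-                public ResourceBundle run() {
-                    return ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
-                }
-            });
+        MESSAGES_BUNDLE = ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
     }
 
     /** We assume that compiler generates script classes into the known package. */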
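Review bot: The removed comment was the only record of why `MESSAGES_BUNDLE` was loaded under `doPrivileged`, and the replacement plain `ResourceBundle.getBundle(...)` call carries no explanation; the same silent removal is made in `NashornScriptEngine`, `Options` and `Shell`. Presumably this works under a security manager because `ResourceBundle` performs its own privileged resource lookup on the caller's loader, but that is an inference, not something the hunk shows. A one-line comment at the first of these, e.g. `// ResourceBundle.getBundle does its own privileged resource lookup; no doPrivileged needed here`, and a sentence in the commit description saying the security-manager test run (`run.test.jvmsecurityargs`) covers it would keep the next maintainer from reinstating the block.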
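--- a/src/jdk/nashorn/internal/runtime/Logging.java
+++ b/src/jdk/nashorn/internal/runtime/Logging.java
@@ -25,6 +25,11 @@
 
 package jdk.nashorn.internal.runtime;
 
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
@@ -35,6 +40,7 @@
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
+import java.util.logging.LoggingPermission;
 
 /**
  * Logging system for getting loggers for arbitrary subsystems as
@@ -50,12 +56,20 @@
 
     private static final Logger disabledLogger = Logger.getLogger("disabled");
 
+    private static AccessControlContext createLoggerControlAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new LoggingPermission("control", null));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
     static {
-        try {
-            Logging.disabledLogger.setLevel(Level.OFF);
-        } catch (final SecurityException e) {
-            //ignored
-        }
+        AccessController.doPrivileged(new PrivilegedAction<Void>() {
+            @Override
+            public Void run() {
+                Logging.disabledLogger.setLevel(Level.OFF);
+                return null;
+            }
+        }, createLoggerControlAccCtxt());
     }
 
     /** Maps logger name to loggers. Names are typically per package */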
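Review bot: The rewritten static initializer no longer tolerates `SecurityException`: the old block caught it and left `disabledLogger` at its default level, whereas the new `doPrivileged(..., createLoggerControlAccCtxt())` call only narrows the effective permissions to `LoggingPermission("control")` and cannot grant it, so if Nashorn's own protection domain lacks that permission `setLevel` throws and `Logging` fails to initialize with an `ExceptionInInitializerError`. That is harmless when Nashorn ships inside the JDK with full permissions, but it is a behaviour change for any deployment under a restrictive policy and the hunk does not say it is intended. If the previous best-effort behaviour is wanted, wrap the call: `try { AccessController.doPrivileged(..., createLoggerControlAccCtxt()); } catch (final SecurityException e) { /* logging control denied: leave the disabled logger at its default level */ }`; otherwise a comment stating that `LoggingPermission("control")` is now required would do.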
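--- a/src/jdk/nashorn/internal/runtime/linker/ClassAndLoader.java
+++ b/src/jdk/nashorn/internal/runtime/linker/ClassAndLoader.java
@@ -27,8 +27,11 @@
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -43,6 +46,16 @@
  * used to determine if one loader can see the other loader's classes.
  */
 final class ClassAndLoader {
+    static AccessControlContext createPermAccCtxt(final String... permNames) {
+        final Permissions perms = new Permissions();
+        for (final String permName : permNames) {
+            perms.add(new RuntimePermission(permName));
+        }
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext GET_LOADER_ACC_CTXT = createPermAccCtxt("getClassLoader");
+
     private final Class<?> representativeClass;
     // Don't access this directly; most of the time, use getRetrievedLoader(), or if you know what you're doing,
     // getLoader().
@@ -116,7 +129,7 @@
             public ClassAndLoader run() {
                 return getDefiningClassAndLoaderPrivileged(types);
             }
-        });
+        }, GET_LOADER_ACC_CTXT);
     }
 
     static ClassAndLoader getDefiningClassAndLoaderPrivileged(final Class<?>[] types) {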
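Review bot: `createPermAccCtxt` is package-visible and is called from `JavaAdapterBytecodeGenerator`, `JavaAdapterClassLoader` and `JavaAdapterFactory` in this same commit, yet it has no Javadoc and its placement in `ClassAndLoader` gives no hint that it is the package's shared security utility. A reader also has to work out that it only ever narrows: a Javadoc such as `/** Builds an AccessControlContext holding only the given RuntimePermissions, used to confine doPrivileged blocks in this package to the minimum they need; it restricts rather than grants, so the action still cannot exceed the caller's own permissions. Called with no names it yields a no-permission context. */` would make both points. The method that `GET_LOADER_ACC_CTXT` is passed to starts outside its hunk.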
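--- a/src/jdk/nashorn/internal/runtime/linker/JavaAdapterBytecodeGenerator.java
+++ b/src/jdk/nashorn/internal/runtime/linker/JavaAdapterBytecodeGenerator.java
@@ -49,6 +49,7 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
@@ -868,6 +869,8 @@
         }
     }
 
+    private static final AccessControlContext GET_DECLARED_MEMBERS_ACC_CTXT = ClassAndLoader.createPermAccCtxt("accessDeclaredMembers");
+
     /**
      * Creates a collection of methods that are not final, but we still never allow them to be overridden in adapters,
      * as explicitly declaring them automatically is a bad idea. Currently, this means {@code Object.finalize()} and
@@ -886,7 +889,7 @@
                     throw new AssertionError(e);
                 }
             }
-        });
+        }, GET_DECLARED_MEMBERS_ACC_CTXT);
     }
 
     private String getCommonSuperClass(final String type1, final String type2) {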
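Review bot: `GET_DECLARED_MEMBERS_ACC_CTXT` is declared around line 870, between the end of one method and the Javadoc of the next, rather than with the class's other static fields; a `static final` buried mid-class is easy to miss when auditing which limited contexts exist, so it belongs at the top with a one-line comment naming the block it confines, e.g. `// context for the getDeclaredMethods() lookup below: only accessDeclaredMembers is effective`. The privileged block that receives it starts outside the hunk.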
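--- a/src/jdk/nashorn/internal/runtime/linker/JavaAdapterClassLoader.java
+++ b/src/jdk/nashorn/internal/runtime/linker/JavaAdapterClassLoader.java
@@ -25,6 +25,7 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.AllPermission;
 import java.security.CodeSigner;
@@ -46,6 +47,7 @@
 @SuppressWarnings("javadoc")
 final class JavaAdapterClassLoader {
     private static final ProtectionDomain GENERATED_PROTECTION_DOMAIN = createGeneratedProtectionDomain();
+    private static final AccessControlContext CREATE_LOADER_ACC_CTXT = ClassAndLoader.createPermAccCtxt("createClassLoader");
 
     private final String className;
     private volatile byte[] classBytes;
@@ -77,7 +79,7 @@
                     throw new AssertionError(e); // cannot happen
                 }
             }
-        });
+        }, CREATE_LOADER_ACC_CTXT);
     }
 
     // Note that the adapter class is created in the protection domain of the class/interface being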
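--- a/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java
+++ b/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java
@@ -31,9 +31,9 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -70,6 +70,11 @@
 
 @SuppressWarnings("javadoc")
 public final class JavaAdapterFactory {
+    // context with permissions needs for AdapterInfo creation
+    private static final AccessControlContext CREATE_ADAPTER_INFO_ACC_CTXT =
+            ClassAndLoader.createPermAccCtxt("createClassLoader", "getClassLoader",
+                    "accessDeclaredMembers", "accessClassInPackage.jdk.nashorn.internal.runtime");
+
     /**
      * A mapping from an original Class object to AdapterInfo representing the adapter for the class it represents.
      */
@@ -124,17 +129,10 @@
      */
     public static MethodHandle getConstructor(final Class<?> sourceType, final Class<?> targetType) throws Exception {
         final StaticClass adapterClass = getAdapterClassFor(new Class<?>[] { targetType }, null);
-        return AccessController.doPrivileged(new PrivilegedExceptionAction<MethodHandle>() {
-            @Override
-            public MethodHandle run() throws Exception {
-                // NOTE: we use publicLookup(), but none of our adapter constructors are caller sensitive, so this is
-                // okay, we won't artificially limit access.
-                return MH.bindTo(Bootstrap.getLinkerServices().getGuardedInvocation(new LinkRequestImpl(
-                        NashornCallSiteDescriptor.get(MethodHandles.publicLookup(), "dyn:new",
-                        MethodType.methodType(targetType, StaticClass.class, sourceType), 0), false,
-                        adapterClass, null)).getInvocation(), adapterClass);
-            }
-        });
+        return MH.bindTo(Bootstrap.getLinkerServices().getGuardedInvocation(new LinkRequestImpl(
+                NashornCallSiteDescriptor.get(MethodHandles.publicLookup(), "dyn:new",
+                MethodType.methodType(targetType, StaticClass.class, sourceType), 0), false,
+                adapterClass, null)).getInvocation(), adapterClass);
     }
 
     /**
@@ -171,7 +169,7 @@
         return (List)Collections.singletonList(clazz);
     }
 
-    /**
+    /**
      * For a given class, create its adapter class and associated info.
      * @param type the class for which the adapter is created
      * @return the adapter info for the class.
@@ -190,12 +188,19 @@
             }
             superClass = t;
         } else {
+            if (interfaces.size() > 65535) {
+                throw new IllegalArgumentException("interface limit exceeded");
+            }
+
             interfaces.add(t);
         }
+
         if(!Modifier.isPublic(mod)) {
             return new AdapterInfo(AdaptationResult.Outcome.ERROR_NON_PUBLIC_CLASS, t.getCanonicalName());
         }
     }
+
+
     final Class<?> effectiveSuperClass = superClass == null ? Object.class : superClass;
     return AccessController.doPrivileged(new PrivilegedAction<AdapterInfo>() {
         @Override
@@ -206,7 +211,7 @@
                 return new AdapterInfo(e.getAdaptationResult());
             }
         }
-        });
+        }, CREATE_ADAPTER_INFO_ACC_CTXT);
     }
 
     private static class AdapterInfo {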
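Review bot: The new guard `if (interfaces.size() > 65535)` runs before `interfaces.add(t)`, so a list that already holds 65535 entries passes the check and grows to 65536, one more than the `u2` `interfaces_count` of a class file can hold (and one less if the generator adds any interface of its own, which I can't see from here); the check should be `if (interfaces.size() >= 65535) {`. In the `@@ -124` hunk, `getConstructor` drops the `doPrivileged` block together with the `NOTE:` explaining why `MethodHandles.publicLookup()` is acceptable, but the `publicLookup()` call itself stays, so that comment should stay with it. The comment on `CREATE_ADAPTER_INFO_ACC_CTXT` reads `permissions needs`; `permissions needed`. The two consecutive blank lines added before `effectiveSuperClass` are noise. `createAdapterInfo` starts outside this hunk.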
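--- a/src/jdk/nashorn/internal/runtime/linker/ReflectionCheckLinker.java
+++ b/src/jdk/nashorn/internal/runtime/linker/ReflectionCheckLinker.java
@@ -88,6 +88,6 @@
     }
 
     private static void checkReflectionPermission(final SecurityManager sm) {
-        sm.checkPermission(new RuntimePermission("nashorn.JavaReflection"));
+        sm.checkPermission(new RuntimePermission(Context.NASHORN_JAVA_REFLECTION));
     }
 }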
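--- a/src/jdk/nashorn/internal/runtime/options/Options.java
+++ b/src/jdk/nashorn/internal/runtime/options/Options.java
@@ -26,8 +26,11 @@
 package jdk.nashorn.internal.runtime.options;
 
 import java.io.PrintWriter;
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -39,6 +42,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.MissingResourceException;
+import java.util.PropertyPermission;
 import java.util.ResourceBundle;
 import java.util.StringTokenizer;
 import java.util.TimeZone;
@@ -51,6 +55,15 @@
  * Manages global runtime options.
  */
 public final class Options {
+    // permission to just read nashorn.* System properties
+    private static AccessControlContext createPropertyReadAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new PropertyPermission("nashorn.*", "read"));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext READ_PROPERTY_ACC_CTXT = createPropertyReadAccCtxt();
+
     /** Resource tag. */
     private final String resource;
 
@@ -144,7 +157,7 @@
                 return false;
             }
         }
-        });
+        }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -171,7 +184,7 @@
                 return defValue;
             }
         }
-        });
+        }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -198,7 +211,7 @@
                 return defValue;
             }
         }
-        });
+        }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -567,15 +580,7 @@
     private static String definePropPrefix;
 
     static {
-        // Without do privileged, under security manager messages can not be
-        // loaded.
-        Options.bundle = AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(Options.MESSAGES_RESOURCE, Locale.getDefault());
-            }
-        });
-
+        Options.bundle = ResourceBundle.getBundle(Options.MESSAGES_RESOURCE, Locale.getDefault());
         Options.validOptions = new TreeSet<>();
         Options.usage = new HashMap<>();
 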
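Review bot: `READ_PROPERTY_ACC_CTXT` narrows the three property-reading `doPrivileged` blocks (hunks `@@ -144`, `@@ -171`, `@@ -198`) to `PropertyPermission("nashorn.*", "read")`, but each block's body starts outside its hunk, so I cannot confirm that every property they read is under `nashorn.*`. Because the visible tails of those blocks return `false`/`defValue` from a catch, a read of any other property under a security manager would now silently yield the default rather than fail loudly, which is the kind of regression that only shows up in a sandboxed deployment. Worth checking the three bodies once and recording the assumption on the constant, e.g. `// Only nashorn.* reads are expected in these blocks; any other property read under a security manager now silently falls back to the default.`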
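--- a/src/jdk/nashorn/tools/Shell.java
+++ b/src/jdk/nashorn/tools/Shell.java
@@ -34,8 +34,6 @@
 import java.io.OutputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.List;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -68,18 +66,7 @@
     /**
      * Shell message bundle.
      */
-    private static ResourceBundle bundle;
-
-    static {
-        // Without do privileged, under security manager messages can not be
-        // loaded.
-        bundle = AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(MESSAGE_RESOURCE, Locale.getDefault());
-            }
-        });
-    }
+    private static final ResourceBundle bundle = ResourceBundle.getBundle(MESSAGE_RESOURCE, Locale.getDefault());
 
     /**
      * Exit code for command line tool - successful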