1 /*
2 * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
27
28 import java.lang.reflect.Modifier;
29 import static java.lang.reflect.Modifier.*;
30 import java.util.Objects;
31 import jdk.internal.reflect.Reflection;
32
33 /**
34 * This class centralizes information about the JVM's linkage access control.
35 * @author jrose
36 */
37 public class VerifyAccess {
38
39 private VerifyAccess() { } // cannot instantiate
40
41 private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
42 private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
43 private static final int PACKAGE_ONLY = 0;
44 private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
45 private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
46 private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
47 private static final boolean ALLOW_NESTMATE_ACCESS = false;
48
49 /**
50 * Evaluate the JVM linkage rules for access to the given method
51 * on behalf of a caller class which proposes to perform the access.
52 * Return true if the caller class has privileges to invoke a method
53 * or access a field with the given properties.
54 * This requires an accessibility check of the referencing class,
55 * plus an accessibility check of the member within the class,
56 * which depends on the member's modifier flags.
57 * <p>
58 * The relevant properties include the defining class ({@code defc})
59 * of the member, and its modifier flags ({@code mods}).
60 * Also relevant is the class used to make the initial symbolic reference
61 * to the member ({@code refc}). If this latter class is not distinguished,
62 * the defining class should be passed for both arguments ({@code defc == refc}).
63 * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
64 * A field or method R is accessible to a class or interface D if
65 * and only if any of the following conditions is true:<ul>
66 * <li>R is public.
67 * <li>R is protected and is declared in a class C, and D is either
68 * a subclass of C or C itself. Furthermore, if R is not
69 * static, then the symbolic reference to R must contain a
70 * symbolic reference to a class T, such that T is either a
71 * subclass of D, a superclass of D or D itself.
72 * <li>R is either protected or has default access (that is,
73 * neither public nor protected nor private), and is declared
74 * by a class in the same runtime package as D.
75 * <li>R is private and is declared in D.
76 * </ul>
77 * This discussion of access control omits a related restriction
78 * on the target of a protected field access or method invocation
79 * (the target must be of class D or a subtype of D). That
80 * requirement is checked as part of the verification process
81 * (5.4.1); it is not part of link-time access control.
82 * @param refc the class used in the symbolic reference to the proposed member
83 * @param defc the class in which the proposed member is actually defined
84 * @param mods modifier flags for the proposed member
85 * @param lookupClass the class for which the access check is being made
86 * @return true iff the accessing class can access such a member
87 */
88 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class
89 Class<?> defc, // actual def class
90 int mods, // actual member mods
91 Class<?> lookupClass,
92 int allowedModes) {
93 if (allowedModes == 0) return false;
94 assert((allowedModes & PUBLIC) != 0 &&
95 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
96 // The symbolic reference class (refc) must always be fully verified.
97 if (!isClassAccessible(refc, lookupClass, allowedModes)) {
98 return false;
99 }
100 // Usually refc and defc are the same, but verify defc also in case they differ.
101 if (defc == lookupClass &&
102 (allowedModes & PRIVATE) != 0)
103 return true; // easy check; all self-access is OK
104 switch (mods & ALL_ACCESS_MODES) {
105 case PUBLIC:
106 return true; // already checked above
107 case PROTECTED:
108 assert !defc.isInterface(); // protected members aren't allowed in interfaces
109 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
110 isSamePackage(defc, lookupClass))
111 return true;
112 if ((allowedModes & PROTECTED) == 0)
113 return false;
114 // Protected members are accessible by subclasses, which does not include interfaces.
115 // Interfaces are types, not classes. They should not have access to
116 // protected members in j.l.Object, even though it is their superclass.
117 if ((mods & STATIC) != 0 &&
118 !isRelatedClass(refc, lookupClass))
119 return false;
120 if ((allowedModes & PROTECTED) != 0 &&
121 isSubClass(lookupClass, defc))
122 return true;
123 return false;
124 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access.
125 assert !defc.isInterface(); // package-private members aren't allowed in interfaces
126 return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
127 isSamePackage(defc, lookupClass));
128 case PRIVATE:
129 // Loosened rules for privates follows access rules for inner classes.
130 return (ALLOW_NESTMATE_ACCESS &&
131 (allowedModes & PRIVATE) != 0 &&
132 isSamePackageMember(defc, lookupClass));
133 default:
134 throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
135 }
136 }
137
138 static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
139 return (refc == lookupClass ||
140 isSubClass(refc, lookupClass) ||
141 isSubClass(lookupClass, refc));
142 }
143
144 static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
145 return defc.isAssignableFrom(lookupClass) &&
146 !lookupClass.isInterface(); // interfaces are types, not classes.
147 }
148
149 static int getClassModifiers(Class<?> c) {
150 // This would return the mask stored by javac for the source-level modifiers.
151 // return c.getModifiers();
152 // But what we need for JVM access checks are the actual bits from the class header.
153 // ...But arrays and primitives are synthesized with their own odd flags:
154 if (c.isArray() || c.isPrimitive())
155 return c.getModifiers();
|
1 /*
2 * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
27
28 import java.lang.reflect.Modifier;
29 import static java.lang.reflect.Modifier.*;
30 import java.util.Objects;
31 import jdk.internal.reflect.Reflection;
32
33 /**
34 * This class centralizes information about the JVM's linkage access control.
35 * @author jrose
36 */
37 public class VerifyAccess {
38
39 private VerifyAccess() { } // cannot instantiate
40
41 private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
42 private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
43 private static final int PACKAGE_ONLY = 0;
44 private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
45 private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
46 private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
47
48 /**
49 * Evaluate the JVM linkage rules for access to the given method
50 * on behalf of a caller class which proposes to perform the access.
51 * Return true if the caller class has privileges to invoke a method
52 * or access a field with the given properties.
53 * This requires an accessibility check of the referencing class,
54 * plus an accessibility check of the member within the class,
55 * which depends on the member's modifier flags.
56 * <p>
57 * The relevant properties include the defining class ({@code defc})
58 * of the member, and its modifier flags ({@code mods}).
59 * Also relevant is the class used to make the initial symbolic reference
60 * to the member ({@code refc}). If this latter class is not distinguished,
61 * the defining class should be passed for both arguments ({@code defc == refc}).
62 * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
63 * A field or method R is accessible to a class or interface D if
64 * and only if any of the following is true:
65 * <ul>
66 * <li>R is public.</li>
67 * <li>R is protected and is declared in a class C, and D is either
68 * a subclass of C or C itself. Furthermore, if R is not static,
69 * then the symbolic reference to R must contain a symbolic
70 * reference to a class T, such that T is either a subclass of D,
71 * a superclass of D, or D itself.
72 * <p>During verification, it was also required that, even if T is
73 * a superclass of D, the target reference of a protected instance
74 * field access or method invocation must be an instance of D or a
75 * subclass of D (4.10.1.8).</p></li>
76 * <li>R is either protected or has default access (that is, neither
77 * public nor protected nor private), and is declared by a class
78 * in the same run-time package as D.</li>
79 * <li>R is private and is declared in D by a class or interface
80 * belonging to the same nest as D.</li>
81 * </ul>
82 * If a referenced field or method is not accessible, access checking
83 * throws an IllegalAccessError. If an exception is thrown while
84 * attempting to determine the nest host of a class or interface,
85 * access checking fails for the same reason.
86 *
87 * @param refc the class used in the symbolic reference to the proposed member
88 * @param defc the class in which the proposed member is actually defined
89 * @param mods modifier flags for the proposed member
90 * @param lookupClass the class for which the access check is being made
91 * @return true iff the accessing class can access such a member
92 */
93 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class
94 Class<?> defc, // actual def class
95 int mods, // actual member mods
96 Class<?> lookupClass,
97 int allowedModes) {
98 if (allowedModes == 0) return false;
99 assert((allowedModes & PUBLIC) != 0 &&
100 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
101 // The symbolic reference class (refc) must always be fully verified.
102 if (!isClassAccessible(refc, lookupClass, allowedModes)) {
103 return false;
104 }
105 // Usually refc and defc are the same, but verify defc also in case they differ.
106 if (defc == lookupClass &&
107 (allowedModes & PRIVATE) != 0)
108 return true; // easy check; all self-access is OK with a private lookup
109
110 switch (mods & ALL_ACCESS_MODES) {
111 case PUBLIC:
112 return true; // already checked above
113 case PROTECTED:
114 assert !defc.isInterface(); // protected members aren't allowed in interfaces
115 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
116 isSamePackage(defc, lookupClass))
117 return true;
118 if ((allowedModes & PROTECTED) == 0)
119 return false;
120 // Protected members are accessible by subclasses, which does not include interfaces.
121 // Interfaces are types, not classes. They should not have access to
122 // protected members in j.l.Object, even though it is their superclass.
123 if ((mods & STATIC) != 0 &&
124 !isRelatedClass(refc, lookupClass))
125 return false;
126 if ((allowedModes & PROTECTED) != 0 &&
127 isSubClass(lookupClass, defc))
128 return true;
129 return false;
130 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access.
131 assert !defc.isInterface(); // package-private members aren't allowed in interfaces
132 return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
133 isSamePackage(defc, lookupClass));
134 case PRIVATE:
135 // Rules for privates follows access rules for nestmates.
136 boolean canAccess = ((allowedModes & PRIVATE) != 0 &&
137 Reflection.areNestMates(defc, lookupClass));
138 // FIX ME: Sanity check refc == defc. Either remove or convert to
139 // plain assert before integration.
140 myassert((canAccess && refc == defc) || !canAccess);
141 return canAccess;
142 default:
143 throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
144 }
145 }
146 static void myassert(boolean cond) {
147 if (!cond) throw new Error("Assertion failed");
148 }
149
150 static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
151 return (refc == lookupClass ||
152 isSubClass(refc, lookupClass) ||
153 isSubClass(lookupClass, refc));
154 }
155
156 static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
157 return defc.isAssignableFrom(lookupClass) &&
158 !lookupClass.isInterface(); // interfaces are types, not classes.
159 }
160
161 static int getClassModifiers(Class<?> c) {
162 // This would return the mask stored by javac for the source-level modifiers.
163 // return c.getModifiers();
164 // But what we need for JVM access checks are the actual bits from the class header.
165 // ...But arrays and primitives are synthesized with their own odd flags:
166 if (c.isArray() || c.isPrimitive())
167 return c.getModifiers();
|