1 /*
   2  * Copyright (c) 2008, 2018, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.invoke.util;
  27 
  28 import java.lang.reflect.Modifier;
  29 import static java.lang.reflect.Modifier.*;
  30 import java.util.Objects;
  31 import jdk.internal.reflect.Reflection;
  32 
  33 /**
  34  * This class centralizes information about the JVM's linkage access control.
  35  * @author jrose
  36  */
  37 public class VerifyAccess {
  38 
  39     private VerifyAccess() { }  // cannot instantiate
  40 
  41     private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
  42     private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
  43     private static final int PACKAGE_ONLY = 0;
  44     private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
  45     private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
  46     private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
  47 
  48     /**
  49      * Evaluate the JVM linkage rules for access to the given method
  50      * on behalf of a caller class which proposes to perform the access.
  51      * Return true if the caller class has privileges to invoke a method
  52      * or access a field with the given properties.
  53      * This requires an accessibility check of the referencing class,
  54      * plus an accessibility check of the member within the class,
  55      * which depends on the member's modifier flags.
  56      * <p>
  57      * The relevant properties include the defining class ({@code defc})
  58      * of the member, and its modifier flags ({@code mods}).
  59      * Also relevant is the class used to make the initial symbolic reference
  60      * to the member ({@code refc}).  If this latter class is not distinguished,
  61      * the defining class should be passed for both arguments ({@code defc == refc}).
  62      * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
  63      * A field or method R is accessible to a class or interface D if
  64      * and only if any of the following is true:
  65      * <ul>
  66      * <li>R is public.</li>
  67      * <li>R is protected and is declared in a class C, and D is either
  68      *     a subclass of C or C itself. Furthermore, if R is not static,
  69      *     then the symbolic reference to R must contain a symbolic
  70      *     reference to a class T, such that T is either a subclass of D,
  71      *     a superclass of D, or D itself.
  72      *     <p>During verification, it was also required that, even if T is
  73      *     a superclass of D, the target reference of a protected instance
  74      *     field access or method invocation must be an instance of D or a
  75      *     subclass of D (4.10.1.8).</p></li>
  76      * <li>R is either protected or has default access (that is, neither
  77      *     public nor protected nor private), and is declared by a class
  78      *     in the same run-time package as D.</li>
  79      * <li>R is private and is declared in D by a class or interface
  80      *     belonging to the same nest as D.</li>
  81      * </ul>
  82      * If a referenced field or method is not accessible, access checking
  83      * throws an IllegalAccessError. If an exception is thrown while
  84      * attempting to determine the nest host of a class or interface,
  85      * access checking fails for the same reason.
  86      *
  87      * @param refc the class used in the symbolic reference to the proposed member
  88      * @param defc the class in which the proposed member is actually defined
  89      * @param mods modifier flags for the proposed member
  90      * @param lookupClass the class for which the access check is being made
  91      * @param prevLookupClass the class for which the access check is being made
  92      * @param allowedModes allowed modes
  93      * @return true iff the accessing class can access such a member
  94      */
  95     public static boolean isMemberAccessible(Class<?> refc,  // symbolic ref class
  96                                              Class<?> defc,  // actual def class
  97                                              int      mods,  // actual member mods
  98                                              Class<?> lookupClass,
  99                                              Class<?> prevLookupClass,
 100                                              int      allowedModes) {
 101         if (allowedModes == 0)  return false;
 102         assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
 103         // The symbolic reference class (refc) must always be fully verified.
 104         if (!isClassAccessible(refc, lookupClass, prevLookupClass, allowedModes)) {
 105             return false;
 106         }
 107         // Usually refc and defc are the same, but verify defc also in case they differ.
 108         if (defc == lookupClass  &&
 109             (allowedModes & PRIVATE) != 0)
 110             return true;        // easy check; all self-access is OK with a private lookup
 111 
 112         switch (mods & ALL_ACCESS_MODES) {
 113         case PUBLIC:
 114             assert (allowedModes & PUBLIC) != 0 || (allowedModes & UNCONDITIONAL_ALLOWED) != 0;
 115             return true;  // already checked above
 116         case PROTECTED:
 117             assert !defc.isInterface(); // protected members aren't allowed in interfaces
 118             if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
 119                 isSamePackage(defc, lookupClass))
 120                 return true;
 121             if ((allowedModes & PROTECTED) == 0)
 122                 return false;
 123             // Protected members are accessible by subclasses, which does not include interfaces.
 124             // Interfaces are types, not classes. They should not have access to
 125             // protected members in j.l.Object, even though it is their superclass.
 126             if ((mods & STATIC) != 0 &&
 127                 !isRelatedClass(refc, lookupClass))
 128                 return false;
 129             if ((allowedModes & PROTECTED) != 0 &&
 130                 isSubClass(lookupClass, defc))
 131                 return true;
 132             return false;
 133         case PACKAGE_ONLY:  // That is, zero.  Unmarked member is package-only access.
 134             assert !defc.isInterface(); // package-private members aren't allowed in interfaces
 135             return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
 136                     isSamePackage(defc, lookupClass));
 137         case PRIVATE:
 138             // Rules for privates follows access rules for nestmates.
 139             boolean canAccess = ((allowedModes & PRIVATE) != 0 &&
 140                                  Reflection.areNestMates(defc, lookupClass));
 141             // for private methods the selected method equals the
 142             // resolved method - so refc == defc
 143             assert (canAccess && refc == defc) || !canAccess;
 144             return canAccess;
 145         default:
 146             throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
 147         }
 148     }
 149 
 150     static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
 151         return (refc == lookupClass ||
 152                 isSubClass(refc, lookupClass) ||
 153                 isSubClass(lookupClass, refc));
 154     }
 155 
 156     static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
 157         return defc.isAssignableFrom(lookupClass) &&
 158                !lookupClass.isInterface(); // interfaces are types, not classes.
 159     }
 160 
 161     static int getClassModifiers(Class<?> c) {
 162         // This would return the mask stored by javac for the source-level modifiers.
 163         //   return c.getModifiers();
 164         // But what we need for JVM access checks are the actual bits from the class header.
 165         // ...But arrays and primitives are synthesized with their own odd flags:
 166         if (c.isArray() || c.isPrimitive())
 167             return c.getModifiers();
 168         return Reflection.getClassAccessFlags(c);
 169     }
 170 
 171     /**
 172      * Evaluate the JVM linkage rules for access to the given class on behalf of caller.
 173      * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
 174      * A class or interface C is accessible to a class or interface D
 175      * if and only if any of the following conditions are true:<ul>
 176      * <li>C is public and in the same module as D.
 177      * <li>D is in a module that reads the module containing C, C is public and in a
 178      * package that is exported to the module that contains D.
 179      * <li>C and D are members of the same runtime package.
 180      * </ul>
 181      *
 182      * @param refc the symbolic reference class to which access is being checked (C)
 183      * @param lookupClass the class performing the lookup (D)
 184      * @param prevLookupClass the class from which the lookup was teleported or null
 185      * @param allowedModes allowed modes
 186      */
 187     public static boolean isClassAccessible(Class<?> refc,
 188                                             Class<?> lookupClass,
 189                                             Class<?> prevLookupClass,
 190                                             int allowedModes) {
 191         if (allowedModes == 0)  return false;
 192         assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
 193 
 194         if ((allowedModes & PACKAGE_ALLOWED) != 0 &&
 195             isSamePackage(lookupClass, refc))
 196             return true;
 197 
 198         int mods = getClassModifiers(refc);
 199         if (isPublic(mods)) {
 200 
 201             Module lookupModule = lookupClass.getModule();
 202             Module refModule = refc.getModule();
 203 
 204             // early VM startup case, java.base not defined
 205             if (lookupModule == null) {
 206                 assert refModule == null;
 207                 return true;
 208             }
 209 
 210             // allow access to public types in all unconditionally exported packages
 211             if ((allowedModes & UNCONDITIONAL_ALLOWED) != 0) {
 212                 return refModule.isExported(refc.getPackageName());
 213             }
 214 
 215             if (lookupModule == refModule && prevLookupClass == null) {
 216                 // allow access to all public types in lookupModule
 217                 if ((allowedModes & MODULE_ALLOWED) != 0)
 218                     return true;
 219 
 220                 assert (allowedModes & PUBLIC) != 0;
 221                 return refModule.isExported(refc.getPackageName());
 222             }
 223 
 224             // cross-module access
 225             // 1. refc is in different module from lookupModule, or
 226             // 2. refc is in lookupModule and a different module from prevLookupModule
 227             Module prevLookupModule = prevLookupClass != null ? prevLookupClass.getModule()
 228                                                               : lookupModule;
 229             assert refModule != lookupModule || refModule != prevLookupModule;
 230             if (isModuleAccessible(refc, lookupModule, prevLookupModule))
 231                 return true;
 232 
 233             // not exported but allow access during VM initialization
 234             // because java.base does not have its exports setup
 235             if (!jdk.internal.misc.VM.isModuleSystemInited())
 236                 return true;
 237 
 238             // public class not accessible to lookupClass
 239             return false;
 240         }
 241 
 242         return false;
 243     }
 244 
 245     /*
 246      * A class or interface C in m is accessible to m1 and m2 if and only if
 247      * both m1 and m2 read m and m exports the package of C at least to
 248      * both m1 and m2.
 249      */
 250     public static boolean isModuleAccessible(Class<?> refc,  Module m1, Module m2) {
 251         Module refModule = refc.getModule();
 252         assert refModule != m1 || refModule != m2;
 253         int mods = getClassModifiers(refc);
 254         if (isPublic(mods)) {
 255             if (m1.canRead(refModule) && m2.canRead(refModule)) {
 256                 String pn = refc.getPackageName();
 257 
 258                 // refc is exported package to at least both m1 and m2
 259                 if (refModule.isExported(pn, m1) && refModule.isExported(pn, m2))
 260                     return true;
 261             }
 262         }
 263         return false;
 264     }
 265 
 266     /**
 267      * Decide if the given method type, attributed to a member or symbolic
 268      * reference of a given reference class, is really visible to that class.
 269      * @param type the supposed type of a member or symbolic reference of refc
 270      * @param refc the class attempting to make the reference
 271      */
 272     public static boolean isTypeVisible(Class<?> type, Class<?> refc) {
 273         if (type == refc) {
 274             return true;  // easy check
 275         }
 276         while (type.isArray())  type = type.getComponentType();
 277         if (type.isPrimitive() || type == Object.class) {
 278             return true;
 279         }
 280         ClassLoader typeLoader = type.getClassLoader();
 281         ClassLoader refcLoader = refc.getClassLoader();
 282         if (typeLoader == refcLoader) {
 283             return true;
 284         }
 285         if (refcLoader == null && typeLoader != null) {
 286             return false;
 287         }
 288         if (typeLoader == null && type.getName().startsWith("java.")) {
 289             // Note:  The API for actually loading classes, ClassLoader.defineClass,
 290             // guarantees that classes with names beginning "java." cannot be aliased,
 291             // because class loaders cannot load them directly.
 292             return true;
 293         }
 294 
 295         // Do it the hard way:  Look up the type name from the refc loader.
 296         //
 297         // Force the refc loader to report and commit to a particular binding for this type name (type.getName()).
 298         //
 299         // In principle, this query might force the loader to load some unrelated class,
 300         // which would cause this query to fail (and the original caller to give up).
 301         // This would be wasted effort, but it is expected to be very rare, occurring
 302         // only when an attacker is attempting to create a type alias.
 303         // In the normal case, one class loader will simply delegate to the other,
 304         // and the same type will be visible through both, with no extra loading.
 305         //
 306         // It is important to go through Class.forName instead of ClassLoader.loadClass
 307         // because Class.forName goes through the JVM system dictionary, which records
 308         // the class lookup once for all. This means that even if a not-well-behaved class loader
 309         // would "change its mind" about the meaning of the name, the Class.forName request
 310         // will use the result cached in the JVM system dictionary. Note that the JVM system dictionary
 311         // will record the first successful result. Unsuccessful results are not stored.
 312         //
 313         // We use doPrivileged in order to allow an unprivileged caller to ask an arbitrary
 314         // class loader about the binding of the proposed name (type.getName()).
 315         // The looked up type ("res") is compared for equality against the proposed
 316         // type ("type") and then is discarded.  Thus, the worst that can happen to
 317         // the "child" class loader is that it is bothered to load and report a class
 318         // that differs from "type"; this happens once due to JVM system dictionary
 319         // memoization.  And the caller never gets to look at the alternate type binding
 320         // ("res"), whether it exists or not.
 321         final String name = type.getName();
 322         Class<?> res = java.security.AccessController.doPrivileged(
 323                 new java.security.PrivilegedAction<>() {
 324                     public Class<?> run() {
 325                         try {
 326                             return Class.forName(name, false, refcLoader);
 327                         } catch (ClassNotFoundException | LinkageError e) {
 328                             return null; // Assume the class is not found
 329                         }
 330                     }
 331             });
 332         return (type == res);
 333     }
 334 
 335     /**
 336      * Decide if the given method type, attributed to a member or symbolic
 337      * reference of a given reference class, is really visible to that class.
 338      * @param type the supposed type of a member or symbolic reference of refc
 339      * @param refc the class attempting to make the reference
 340      */
 341     public static boolean isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc) {
 342         if (!isTypeVisible(type.returnType(), refc)) {
 343             return false;
 344         }
 345         for (int n = 0, max = type.parameterCount(); n < max; n++) {
 346             if (!isTypeVisible(type.parameterType(n), refc)) {
 347                 return false;
 348             }
 349         }
 350         return true;
 351     }
 352 
 353     /**
 354      * Tests if two classes are in the same module.
 355      * @param class1 a class
 356      * @param class2 another class
 357      * @return whether they are in the same module
 358      */
 359     public static boolean isSameModule(Class<?> class1, Class<?> class2) {
 360         return class1.getModule() == class2.getModule();
 361     }
 362 
 363     /**
 364      * Test if two classes have the same class loader and package qualifier.
 365      * @param class1 a class
 366      * @param class2 another class
 367      * @return whether they are in the same package
 368      */
 369     public static boolean isSamePackage(Class<?> class1, Class<?> class2) {
 370         if (class1 == class2)
 371             return true;
 372         if (class1.getClassLoader() != class2.getClassLoader())
 373             return false;
 374         return Objects.equals(class1.getPackageName(), class2.getPackageName());
 375     }
 376 
 377     /**
 378      * Test if two classes are defined as part of the same package member (top-level class).
 379      * If this is true, they can share private access with each other.
 380      * @param class1 a class
 381      * @param class2 another class
 382      * @return whether they are identical or nested together
 383      */
 384     public static boolean isSamePackageMember(Class<?> class1, Class<?> class2) {
 385         if (class1 == class2)
 386             return true;
 387         if (!isSamePackage(class1, class2))
 388             return false;
 389         if (getOutermostEnclosingClass(class1) != getOutermostEnclosingClass(class2))
 390             return false;
 391         return true;
 392     }
 393 
 394     private static Class<?> getOutermostEnclosingClass(Class<?> c) {
 395         Class<?> pkgmem = c;
 396         for (Class<?> enc = c; (enc = enc.getEnclosingClass()) != null; )
 397             pkgmem = enc;
 398         return pkgmem;
 399     }
 400 
 401     private static boolean loadersAreRelated(ClassLoader loader1, ClassLoader loader2,
 402                                              boolean loader1MustBeParent) {
 403         if (loader1 == loader2 || loader1 == null
 404                 || (loader2 == null && !loader1MustBeParent)) {
 405             return true;
 406         }
 407         for (ClassLoader scan2 = loader2;
 408                 scan2 != null; scan2 = scan2.getParent()) {
 409             if (scan2 == loader1)  return true;
 410         }
 411         if (loader1MustBeParent)  return false;
 412         // see if loader2 is a parent of loader1:
 413         for (ClassLoader scan1 = loader1;
 414                 scan1 != null; scan1 = scan1.getParent()) {
 415             if (scan1 == loader2)  return true;
 416         }
 417         return false;
 418     }
 419 
 420     /**
 421      * Is the class loader of parentClass identical to, or an ancestor of,
 422      * the class loader of childClass?
 423      * @param parentClass a class
 424      * @param childClass another class, which may be a descendent of the first class
 425      * @return whether parentClass precedes or equals childClass in class loader order
 426      */
 427     public static boolean classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass) {
 428         return loadersAreRelated(parentClass.getClassLoader(), childClass.getClassLoader(), true);
 429     }
 430 }