1 /*
2 * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.invoke.util;
27
28 import java.lang.reflect.Modifier;
29 import static java.lang.reflect.Modifier.*;
30 import java.lang.reflect.Module;
31 import java.util.Objects;
32 import jdk.internal.reflect.Reflection;
33
34 /**
35 * This class centralizes information about the JVM's linkage access control.
36 * @author jrose
37 */
38 public class VerifyAccess {
39
40 private VerifyAccess() { } // cannot instantiate
41
42 private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
43 private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
44 private static final int PACKAGE_ONLY = 0;
45 private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
46 private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
47 private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
48 private static final boolean ALLOW_NESTMATE_ACCESS = false;
49
50 /**
51 * Evaluate the JVM linkage rules for access to the given method
52 * on behalf of a caller class which proposes to perform the access.
53 * Return true if the caller class has privileges to invoke a method
54 * or access a field with the given properties.
55 * This requires an accessibility check of the referencing class,
56 * plus an accessibility check of the member within the class,
57 * which depends on the member's modifier flags.
58 * <p>
59 * The relevant properties include the defining class ({@code defc})
60 * of the member, and its modifier flags ({@code mods}).
61 * Also relevant is the class used to make the initial symbolic reference
62 * to the member ({@code refc}). If this latter class is not distinguished,
63 * the defining class should be passed for both arguments ({@code defc == refc}).
64 * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
65 * A field or method R is accessible to a class or interface D if
66 * and only if any of the following conditions is true:<ul>
67 * <li>R is public.
68 * <li>R is protected and is declared in a class C, and D is either
69 * a subclass of C or C itself. Furthermore, if R is not
70 * static, then the symbolic reference to R must contain a
71 * symbolic reference to a class T, such that T is either a
72 * subclass of D, a superclass of D or D itself.
73 * <li>R is either protected or has default access (that is,
74 * neither public nor protected nor private), and is declared
75 * by a class in the same runtime package as D.
76 * <li>R is private and is declared in D.
77 * </ul>
78 * This discussion of access control omits a related restriction
79 * on the target of a protected field access or method invocation
80 * (the target must be of class D or a subtype of D). That
81 * requirement is checked as part of the verification process
82 * (5.4.1); it is not part of link-time access control.
83 * @param refc the class used in the symbolic reference to the proposed member
84 * @param defc the class in which the proposed member is actually defined
85 * @param mods modifier flags for the proposed member
86 * @param lookupClass the class for which the access check is being made
87 * @return true iff the accessing class can access such a member
88 */
89 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class
90 Class<?> defc, // actual def class
91 int mods, // actual member mods
92 Class<?> lookupClass,
93 int allowedModes) {
94 if (allowedModes == 0) return false;
95 assert((allowedModes & PUBLIC) != 0 &&
96 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
97 // The symbolic reference class (refc) must always be fully verified.
98 if (!isClassAccessible(refc, lookupClass, allowedModes)) {
99 return false;
100 }
101 // Usually refc and defc are the same, but verify defc also in case they differ.
102 if (defc == lookupClass &&
103 (allowedModes & PRIVATE) != 0)
104 return true; // easy check; all self-access is OK
105 switch (mods & ALL_ACCESS_MODES) {
106 case PUBLIC:
107 return true; // already checked above
108 case PROTECTED:
109 assert !defc.isInterface(); // protected members aren't allowed in interfaces
110 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
111 isSamePackage(defc, lookupClass))
112 return true;
113 if ((allowedModes & PROTECTED) == 0)
114 return false;
115 // Protected members are accessible by subclasses, which does not include interfaces.
116 // Interfaces are types, not classes. They should not have access to
117 // protected members in j.l.Object, even though it is their superclass.
118 if ((mods & STATIC) != 0 &&
119 !isRelatedClass(refc, lookupClass))
120 return false;
121 if ((allowedModes & PROTECTED) != 0 &&
122 isSubClass(lookupClass, defc))
123 return true;
124 return false;
125 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access.
126 assert !defc.isInterface(); // package-private members aren't allowed in interfaces
127 return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
128 isSamePackage(defc, lookupClass));
129 case PRIVATE:
130 // Loosened rules for privates follows access rules for inner classes.
131 return (ALLOW_NESTMATE_ACCESS &&
132 (allowedModes & PRIVATE) != 0 &&
133 isSamePackageMember(defc, lookupClass));
134 default:
135 throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
136 }
137 }
138
139 static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
140 return (refc == lookupClass ||
141 isSubClass(refc, lookupClass) ||
142 isSubClass(lookupClass, refc));
143 }
144
145 static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
146 return defc.isAssignableFrom(lookupClass) &&
147 !lookupClass.isInterface(); // interfaces are types, not classes.
148 }
149
150 static int getClassModifiers(Class<?> c) {
151 // This would return the mask stored by javac for the source-level modifiers.
152 // return c.getModifiers();
153 // But what we need for JVM access checks are the actual bits from the class header.
154 // ...But arrays and primitives are synthesized with their own odd flags:
155 if (c.isArray() || c.isPrimitive())
156 return c.getModifiers();
157 return Reflection.getClassAccessFlags(c);
158 }
159
160 /**
161 * Evaluate the JVM linkage rules for access to the given class on behalf of caller.
162 * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
163 * A class or interface C is accessible to a class or interface D
164 * if and only if any of the following conditions are true:<ul>
165 * <li>C is public and in the same module as D.
166 * <li>D is in a module that reads the module containing C, C is public and in a
167 * package that is exported to the module that contains D.
168 * <li>C and D are members of the same runtime package.
169 * </ul>
170 * @param refc the symbolic reference class to which access is being checked (C)
171 * @param lookupClass the class performing the lookup (D)
172 */
173 public static boolean isClassAccessible(Class<?> refc, Class<?> lookupClass,
174 int allowedModes) {
175 if (allowedModes == 0) return false;
176 assert((allowedModes & PUBLIC) != 0 &&
177 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED)) == 0);
178 int mods = getClassModifiers(refc);
179 if (isPublic(mods)) {
180
181 Module lookupModule = lookupClass.getModule();
182 Module refModule = refc.getModule();
183
184 // early VM startup case, java.base not defined
185 if (lookupModule == null) {
186 assert refModule == null;
187 return true;
188 }
189
190 // trivially allow
191 if ((allowedModes & MODULE_ALLOWED) != 0 &&
192 (lookupModule == refModule))
193 return true;
194
195 // check readability when UNCONDITIONAL not allowed
196 if (((allowedModes & UNCONDITIONAL_ALLOWED) != 0)
197 || lookupModule.canRead(refModule)) {
198
199 // check that refc is in an exported package
200 if ((allowedModes & MODULE_ALLOWED) != 0) {
201 if (refModule.isExported(refc.getPackageName(), lookupModule))
202 return true;
203 } else {
204 // exported unconditionally
205 if (refModule.isExported(refc.getPackageName()))
206 return true;
207 }
208
209 // not exported but allow access during VM initialization
210 // because java.base does not have its exports setup
211 if (!jdk.internal.misc.VM.isModuleSystemInited())
212 return true;
213 }
214
215 // public class not accessible to lookupClass
216 return false;
217 }
218 if ((allowedModes & PACKAGE_ALLOWED) != 0 &&
219 isSamePackage(lookupClass, refc))
220 return true;
221 return false;
222 }
223
224 /**
225 * Decide if the given method type, attributed to a member or symbolic
226 * reference of a given reference class, is really visible to that class.
227 * @param type the supposed type of a member or symbolic reference of refc
228 * @param refc the class attempting to make the reference
229 */
230 public static boolean isTypeVisible(Class<?> type, Class<?> refc) {
231 if (type == refc) {
232 return true; // easy check
233 }
234 while (type.isArray()) type = type.getComponentType();
235 if (type.isPrimitive() || type == Object.class) {
236 return true;
237 }
238 ClassLoader typeLoader = type.getClassLoader();
239 ClassLoader refcLoader = refc.getClassLoader();
240 if (typeLoader == refcLoader) {
241 return true;
242 }
243 if (refcLoader == null && typeLoader != null) {
244 return false;
245 }
246 if (typeLoader == null && type.getName().startsWith("java.")) {
247 // Note: The API for actually loading classes, ClassLoader.defineClass,
248 // guarantees that classes with names beginning "java." cannot be aliased,
249 // because class loaders cannot load them directly.
250 return true;
251 }
252
253 // Do it the hard way: Look up the type name from the refc loader.
254 //
255 // Force the refc loader to report and commit to a particular binding for this type name (type.getName()).
256 //
257 // In principle, this query might force the loader to load some unrelated class,
258 // which would cause this query to fail (and the original caller to give up).
259 // This would be wasted effort, but it is expected to be very rare, occurring
260 // only when an attacker is attempting to create a type alias.
261 // In the normal case, one class loader will simply delegate to the other,
262 // and the same type will be visible through both, with no extra loading.
263 //
264 // It is important to go through Class.forName instead of ClassLoader.loadClass
265 // because Class.forName goes through the JVM system dictionary, which records
266 // the class lookup once for all. This means that even if a not-well-behaved class loader
267 // would "change its mind" about the meaning of the name, the Class.forName request
268 // will use the result cached in the JVM system dictionary. Note that the JVM system dictionary
269 // will record the first successful result. Unsuccessful results are not stored.
270 //
271 // We use doPrivileged in order to allow an unprivileged caller to ask an arbitrary
272 // class loader about the binding of the proposed name (type.getName()).
273 // The looked up type ("res") is compared for equality against the proposed
274 // type ("type") and then is discarded. Thus, the worst that can happen to
275 // the "child" class loader is that it is bothered to load and report a class
276 // that differs from "type"; this happens once due to JVM system dictionary
277 // memoization. And the caller never gets to look at the alternate type binding
278 // ("res"), whether it exists or not.
279 final String name = type.getName();
280 Class<?> res = java.security.AccessController.doPrivileged(
281 new java.security.PrivilegedAction<>() {
282 public Class<?> run() {
283 try {
284 return Class.forName(name, false, refcLoader);
285 } catch (ClassNotFoundException | LinkageError e) {
286 return null; // Assume the class is not found
287 }
288 }
289 });
290 return (type == res);
291 }
292
293 /**
294 * Decide if the given method type, attributed to a member or symbolic
295 * reference of a given reference class, is really visible to that class.
296 * @param type the supposed type of a member or symbolic reference of refc
297 * @param refc the class attempting to make the reference
298 */
299 public static boolean isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc) {
300 for (int n = -1, max = type.parameterCount(); n < max; n++) {
301 Class<?> ptype = (n < 0 ? type.returnType() : type.parameterType(n));
302 if (!isTypeVisible(ptype, refc))
303 return false;
304 }
305 return true;
306 }
307
308 /**
309 * Tests if two classes are in the same module.
310 * @param class1 a class
311 * @param class2 another class
312 * @return whether they are in the same module
313 */
314 public static boolean isSameModule(Class<?> class1, Class<?> class2) {
315 return class1.getModule() == class2.getModule();
316 }
317
318 /**
319 * Test if two classes have the same class loader and package qualifier.
320 * @param class1 a class
321 * @param class2 another class
322 * @return whether they are in the same package
323 */
324 public static boolean isSamePackage(Class<?> class1, Class<?> class2) {
325 assert(!class1.isArray() && !class2.isArray());
326 if (class1 == class2)
327 return true;
328 if (class1.getClassLoader() != class2.getClassLoader())
329 return false;
330 return Objects.equals(class1.getPackageName(), class2.getPackageName());
331 }
332
333 /** Return the package name for this class.
334 */
335 public static String getPackageName(Class<?> cls) {
336 assert (!cls.isArray());
337 String name = cls.getName();
338 int dot = name.lastIndexOf('.');
339 if (dot < 0) return "";
340 return name.substring(0, dot);
341 }
342
343 /**
344 * Test if two classes are defined as part of the same package member (top-level class).
345 * If this is true, they can share private access with each other.
346 * @param class1 a class
347 * @param class2 another class
348 * @return whether they are identical or nested together
349 */
350 public static boolean isSamePackageMember(Class<?> class1, Class<?> class2) {
351 if (class1 == class2)
352 return true;
353 if (!isSamePackage(class1, class2))
354 return false;
355 if (getOutermostEnclosingClass(class1) != getOutermostEnclosingClass(class2))
356 return false;
357 return true;
358 }
359
360 private static Class<?> getOutermostEnclosingClass(Class<?> c) {
361 Class<?> pkgmem = c;
362 for (Class<?> enc = c; (enc = enc.getEnclosingClass()) != null; )
363 pkgmem = enc;
364 return pkgmem;
365 }
366
367 private static boolean loadersAreRelated(ClassLoader loader1, ClassLoader loader2,
368 boolean loader1MustBeParent) {
369 if (loader1 == loader2 || loader1 == null
370 || (loader2 == null && !loader1MustBeParent)) {
371 return true;
372 }
373 for (ClassLoader scan2 = loader2;
374 scan2 != null; scan2 = scan2.getParent()) {
375 if (scan2 == loader1) return true;
376 }
377 if (loader1MustBeParent) return false;
378 // see if loader2 is a parent of loader1:
379 for (ClassLoader scan1 = loader1;
380 scan1 != null; scan1 = scan1.getParent()) {
381 if (scan1 == loader2) return true;
382 }
383 return false;
384 }
385
386 /**
387 * Is the class loader of parentClass identical to, or an ancestor of,
388 * the class loader of childClass?
389 * @param parentClass a class
390 * @param childClass another class, which may be a descendent of the first class
391 * @return whether parentClass precedes or equals childClass in class loader order
392 */
393 public static boolean classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass) {
394 return loadersAreRelated(parentClass.getClassLoader(), childClass.getClassLoader(), true);
395 }
396 }