1
/*
2
 * Copyright (c) 2008, 2021, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.  Oracle designates this
8
 * particular file as subject to the "Classpath" exception as provided
9
 * by Oracle in the LICENSE file that accompanied this code.
10
 *
11
 * This code is distributed in the hope that it will be useful, but WITHOUT
12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
14
 * version 2 for more details (a copy is included in the LICENSE file that
15
 * accompanied this code).
16
 *
17
 * You should have received a copy of the GNU General Public License version
18
 * 2 along with this work; if not, write to the Free Software Foundation,
19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20
 *
21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22
 * or visit www.oracle.com if you need additional information or have any
23
 * questions.
24
 */
25

26
package sun.invoke.util;
27

28
import java.lang.reflect.Modifier;
29
import static java.lang.reflect.Modifier.*;
30
import jdk.internal.reflect.Reflection;
31

32
/**
33
 * This class centralizes information about the JVM's linkage access control.
34
 * @author jrose
35
 */
36
public class VerifyAccess {
37

38
    private VerifyAccess() { }  // cannot instantiate
39

40
    private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
41
    private static final int ORIGINAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.ORIGINAL;
42
    private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
43
    private static final int PACKAGE_ONLY = 0;
44
    private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
45
    private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
46
    private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
47

48
    /**
49
     * Evaluate the JVM linkage rules for access to the given method
50
     * on behalf of a caller class which proposes to perform the access.
51
     * Return true if the caller class has privileges to invoke a method
52
     * or access a field with the given properties.
53
     * This requires an accessibility check of the referencing class,
54
     * plus an accessibility check of the member within the class,
55
     * which depends on the member's modifier flags.
56
     * <p>
57
     * The relevant properties include the defining class ({@code defc})
58
     * of the member, and its modifier flags ({@code mods}).
59
     * Also relevant is the class used to make the initial symbolic reference
60
     * to the member ({@code refc}).  If this latter class is not distinguished,
61
     * the defining class should be passed for both arguments ({@code defc == refc}).
62
     * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
63
     * A field or method R is accessible to a class or interface D if
64
     * and only if any of the following is true:
65
     * <ul>
66
     * <li>R is public.</li>
67
     * <li>R is protected and is declared in a class C, and D is either
68
     *     a subclass of C or C itself. Furthermore, if R is not static,
69
     *     then the symbolic reference to R must contain a symbolic
70
     *     reference to a class T, such that T is either a subclass of D,
71
     *     a superclass of D, or D itself.
72
     *     <p>During verification, it was also required that, even if T is
73
     *     a superclass of D, the target reference of a protected instance
74
     *     field access or method invocation must be an instance of D or a
75
     *     subclass of D (4.10.1.8).</p></li>
76
     * <li>R is either protected or has default access (that is, neither
77
     *     public nor protected nor private), and is declared by a class
78
     *     in the same run-time package as D.</li>
79
     * <li>R is private and is declared in D by a class or interface
80
     *     belonging to the same nest as D.</li>
81
     * </ul>
82
     * If a referenced field or method is not accessible, access checking
83
     * throws an IllegalAccessError. If an exception is thrown while
84
     * attempting to determine the nest host of a class or interface,
85
     * access checking fails for the same reason.
86
     *
87
     * @param refc the class used in the symbolic reference to the proposed member
88
     * @param defc the class in which the proposed member is actually defined
89
     * @param mods modifier flags for the proposed member
90
     * @param lookupClass the class for which the access check is being made
91
     * @param prevLookupClass the class for which the access check is being made
92
     * @param allowedModes allowed modes
93
     * @return true iff the accessing class can access such a member
94
     */
95
    public static boolean isMemberAccessible(Class<?> refc,  // symbolic ref class
96
                                             Class<?> defc,  // actual def class
97
                                             int      mods,  // actual member mods
98
                                             Class<?> lookupClass,
99
                                             Class<?> prevLookupClass,
100
                                             int      allowedModes) {
101
        if (allowedModes == 0)  return false;
102
        assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED|ORIGINAL_ALLOWED)) == 0);
103
        // The symbolic reference class (refc) must always be fully verified.
104
        if (!isClassAccessible(refc, lookupClass, prevLookupClass, allowedModes)) {
105
            return false;
106
        }
107
        // Usually refc and defc are the same, but verify defc also in case they differ.
108
        if (defc == lookupClass  &&
109
            (allowedModes & PRIVATE) != 0)
110
            return true;        // easy check; all self-access is OK with a private lookup
111

112
        switch (mods & ALL_ACCESS_MODES) {
113
        case PUBLIC:
114
            assert (allowedModes & PUBLIC) != 0 || (allowedModes & UNCONDITIONAL_ALLOWED) != 0;
115
            return true;  // already checked above
116
        case PROTECTED:
117
            assert !defc.isInterface(); // protected members aren't allowed in interfaces
118
            if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
119
                isSamePackage(defc, lookupClass))
120
                return true;
121
            if ((allowedModes & PROTECTED) == 0)
122
                return false;
123
            // Protected members are accessible by subclasses, which does not include interfaces.
124
            // Interfaces are types, not classes. They should not have access to
125
            // protected members in j.l.Object, even though it is their superclass.
126
            if ((mods & STATIC) != 0 &&
127
                !isRelatedClass(refc, lookupClass))
128
                return false;
129
            if ((allowedModes & PROTECTED) != 0 &&
130
                isSubClass(lookupClass, defc))
131
                return true;
132
            return false;
133
        case PACKAGE_ONLY:  // That is, zero.  Unmarked member is package-only access.
134
            assert !defc.isInterface(); // package-private members aren't allowed in interfaces
135
            return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
136
                    isSamePackage(defc, lookupClass));
137
        case PRIVATE:
138
            // Rules for privates follows access rules for nestmates.
139
            boolean canAccess = ((allowedModes & PRIVATE) != 0 &&
140
                                 Reflection.areNestMates(defc, lookupClass));
141
            // for private methods the selected method equals the
142
            // resolved method - so refc == defc
143
            assert (canAccess && refc == defc) || !canAccess;
144
            return canAccess;
145
        default:
146
            throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
147
        }
148
    }
149

150
    static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
151
        return (refc == lookupClass ||
152
                isSubClass(refc, lookupClass) ||
153
                isSubClass(lookupClass, refc));
154
    }
155

156
    static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
157
        return defc.isAssignableFrom(lookupClass) &&
158
               !lookupClass.isInterface(); // interfaces are types, not classes.
159
    }
160

161
    static int getClassModifiers(Class<?> c) {
162
        // This would return the mask stored by javac for the source-level modifiers.
163
        //   return c.getModifiers();
164
        // But what we need for JVM access checks are the actual bits from the class header.
165
        // ...But arrays and primitives are synthesized with their own odd flags:
166
        if (c.isArray() || c.isPrimitive())
167
            return c.getModifiers();
168
        return Reflection.getClassAccessFlags(c);
169
    }
170

171
    /**
172
     * Evaluate the JVM linkage rules for access to the given class on behalf of caller.
173
     * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
174
     * A class or interface C is accessible to a class or interface D
175
     * if and only if any of the following conditions are true:<ul>
176
     * <li>C is public and in the same module as D.
177
     * <li>D is in a module that reads the module containing C, C is public and in a
178
     * package that is exported to the module that contains D.
179
     * <li>C and D are members of the same runtime package.
180
     * </ul>
181
     *
182
     * @param refc the symbolic reference class to which access is being checked (C)
183
     * @param lookupClass the class performing the lookup (D)
184
     * @param prevLookupClass the class from which the lookup was teleported or null
185
     * @param allowedModes allowed modes
186
     */
187
    public static boolean isClassAccessible(Class<?> refc,
188
                                            Class<?> lookupClass,
189
                                            Class<?> prevLookupClass,
190
                                            int allowedModes) {
191
        if (allowedModes == 0)  return false;
192
        assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED|ORIGINAL_ALLOWED)) == 0);
193

194
        if ((allowedModes & PACKAGE_ALLOWED) != 0 &&
195
            isSamePackage(lookupClass, refc))
196
            return true;
197

198
        int mods = getClassModifiers(refc);
199
        if (isPublic(mods)) {
200

201
            Module lookupModule = lookupClass.getModule();
202
            Module refModule = refc.getModule();
203

204
            // early VM startup case, java.base not defined
205
            if (lookupModule == null) {
206
                assert refModule == null;
207
                return true;
208
            }
209

210
            // allow access to public types in all unconditionally exported packages
211
            if ((allowedModes & UNCONDITIONAL_ALLOWED) != 0) {
212
                return refModule.isExported(refc.getPackageName());
213
            }
214

215
            if (lookupModule == refModule && prevLookupClass == null) {
216
                // allow access to all public types in lookupModule
217
                if ((allowedModes & MODULE_ALLOWED) != 0)
218
                    return true;
219

220
                assert (allowedModes & PUBLIC) != 0;
221
                return refModule.isExported(refc.getPackageName());
222
            }
223

224
            // cross-module access
225
            // 1. refc is in different module from lookupModule, or
226
            // 2. refc is in lookupModule and a different module from prevLookupModule
227
            Module prevLookupModule = prevLookupClass != null ? prevLookupClass.getModule()
228
                                                              : null;
229
            assert refModule != lookupModule || refModule != prevLookupModule;
230
            if (isModuleAccessible(refc, lookupModule, prevLookupModule))
231
                return true;
232

233
            // not exported but allow access during VM initialization
234
            // because java.base does not have its exports setup
235
            if (!jdk.internal.misc.VM.isModuleSystemInited())
236
                return true;
237

238
            // public class not accessible to lookupClass
239
            return false;
240
        }
241

242
        return false;
243
    }
244

245
    /*
246
     * Tests if a class or interface REFC is accessible to m1 and m2 where m2
247
     * may be null.
248
     *
249
     * A class or interface REFC in m is accessible to m1 and m2 if and only if
250
     * both m1 and m2 read m and m exports the package of REFC at least to
251
     * both m1 and m2.
252
     */
253
    public static boolean isModuleAccessible(Class<?> refc,  Module m1, Module m2) {
254
        Module refModule = refc.getModule();
255
        assert refModule != m1 || refModule != m2;
256
        int mods = getClassModifiers(refc);
257
        if (isPublic(mods)) {
258
            if (m1.canRead(refModule) && (m2 == null || m2.canRead(refModule))) {
259
                String pn = refc.getPackageName();
260

261
                // refc is exported package to at least both m1 and m2
262
                if (refModule.isExported(pn, m1) && (m2 == null || refModule.isExported(pn, m2)))
263
                    return true;
264
            }
265
        }
266
        return false;
267
    }
268

269
    /**
270
     * Decide if the given method type, attributed to a member or symbolic
271
     * reference of a given reference class, is really visible to that class.
272
     * @param type the supposed type of a member or symbolic reference of refc
273
     * @param refc the class attempting to make the reference
274
     */
275
    public static boolean isTypeVisible(Class<?> type, Class<?> refc) {
276
        if (type == refc) {
277
            return true;  // easy check
278
        }
279
        while (type.isArray())  type = type.getComponentType();
280
        if (type.isPrimitive() || type == Object.class) {
281
            return true;
282
        }
283
        ClassLoader typeLoader = type.getClassLoader();
284
        ClassLoader refcLoader = refc.getClassLoader();
285
        if (typeLoader == refcLoader) {
286
            return true;
287
        }
288
        if (refcLoader == null && typeLoader != null) {
289
            return false;
290
        }
291
        if (typeLoader == null && type.getName().startsWith("java.")) {
292
            // Note:  The API for actually loading classes, ClassLoader.defineClass,
293
            // guarantees that classes with names beginning "java." cannot be aliased,
294
            // because class loaders cannot load them directly.
295
            return true;
296
        }
297

298
        // Do it the hard way:  Look up the type name from the refc loader.
299
        //
300
        // Force the refc loader to report and commit to a particular binding for this type name (type.getName()).
301
        //
302
        // In principle, this query might force the loader to load some unrelated class,
303
        // which would cause this query to fail (and the original caller to give up).
304
        // This would be wasted effort, but it is expected to be very rare, occurring
305
        // only when an attacker is attempting to create a type alias.
306
        // In the normal case, one class loader will simply delegate to the other,
307
        // and the same type will be visible through both, with no extra loading.
308
        //
309
        // It is important to go through Class.forName instead of ClassLoader.loadClass
310
        // because Class.forName goes through the JVM system dictionary, which records
311
        // the class lookup once for all. This means that even if a not-well-behaved class loader
312
        // would "change its mind" about the meaning of the name, the Class.forName request
313
        // will use the result cached in the JVM system dictionary. Note that the JVM system dictionary
314
        // will record the first successful result. Unsuccessful results are not stored.
315
        //
316
        // We use doPrivileged in order to allow an unprivileged caller to ask an arbitrary
317
        // class loader about the binding of the proposed name (type.getName()).
318
        // The looked up type ("res") is compared for equality against the proposed
319
        // type ("type") and then is discarded.  Thus, the worst that can happen to
320
        // the "child" class loader is that it is bothered to load and report a class
321
        // that differs from "type"; this happens once due to JVM system dictionary
322
        // memoization.  And the caller never gets to look at the alternate type binding
323
        // ("res"), whether it exists or not.
324
        final String name = type.getName();
325
        @SuppressWarnings("removal")
326
        Class<?> res = java.security.AccessController.doPrivileged(
327
                new java.security.PrivilegedAction<>() {
328
                    public Class<?> run() {
329
                        try {
330
                            return Class.forName(name, false, refcLoader);
331
                        } catch (ClassNotFoundException | LinkageError e) {
332
                            return null; // Assume the class is not found
333
                        }
334
                    }
335
            });
336
        return (type == res);
337
    }
338

339
    /**
340
     * Decide if the given method type, attributed to a member or symbolic
341
     * reference of a given reference class, is really visible to that class.
342
     * @param type the supposed type of a member or symbolic reference of refc
343
     * @param refc the class attempting to make the reference
344
     */
345
    public static boolean isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc) {
346
        if (!isTypeVisible(type.returnType(), refc)) {
347
            return false;
348
        }
349
        for (int n = 0, max = type.parameterCount(); n < max; n++) {
350
            if (!isTypeVisible(type.parameterType(n), refc)) {
351
                return false;
352
            }
353
        }
354
        return true;
355
    }
356

357
    /**
358
     * Tests if two classes are in the same module.
359
     * @param class1 a class
360
     * @param class2 another class
361
     * @return whether they are in the same module
362
     */
363
    public static boolean isSameModule(Class<?> class1, Class<?> class2) {
364
        return class1.getModule() == class2.getModule();
365
    }
366

367
    /**
368
     * Test if two classes have the same class loader and package qualifier.
369
     * @param class1 a class
370
     * @param class2 another class
371
     * @return whether they are in the same package
372
     */
373
    public static boolean isSamePackage(Class<?> class1, Class<?> class2) {
374
        if (class1 == class2)
375
            return true;
376
        if (class1.getClassLoader() != class2.getClassLoader())
377
            return false;
378
        return class1.getPackageName() == class2.getPackageName();
379
    }
380

381
    /**
382
     * Test if two classes are defined as part of the same package member (top-level class).
383
     * If this is true, they can share private access with each other.
384
     * @param class1 a class
385
     * @param class2 another class
386
     * @return whether they are identical or nested together
387
     */
388
    public static boolean isSamePackageMember(Class<?> class1, Class<?> class2) {
389
        if (class1 == class2)
390
            return true;
391
        if (!isSamePackage(class1, class2))
392
            return false;
393
        if (getOutermostEnclosingClass(class1) != getOutermostEnclosingClass(class2))
394
            return false;
395
        return true;
396
    }
397

398
    private static Class<?> getOutermostEnclosingClass(Class<?> c) {
399
        Class<?> pkgmem = c;
400
        for (Class<?> enc = c; (enc = enc.getEnclosingClass()) != null; )
401
            pkgmem = enc;
402
        return pkgmem;
403
    }
404

405
    private static boolean loadersAreRelated(ClassLoader loader1, ClassLoader loader2,
406
                                             boolean loader1MustBeParent) {
407
        if (loader1 == loader2 || loader1 == null
408
                || (loader2 == null && !loader1MustBeParent)) {
409
            return true;
410
        }
411
        for (ClassLoader scan2 = loader2;
412
                scan2 != null; scan2 = scan2.getParent()) {
413
            if (scan2 == loader1)  return true;
414
        }
415
        if (loader1MustBeParent)  return false;
416
        // see if loader2 is a parent of loader1:
417
        for (ClassLoader scan1 = loader1;
418
                scan1 != null; scan1 = scan1.getParent()) {
419
            if (scan1 == loader2)  return true;
420
        }
421
        return false;
422
    }
423

424
    /**
425
     * Is the class loader of parentClass identical to, or an ancestor of,
426
     * the class loader of childClass?
427
     * @param parentClass a class
428
     * @param childClass another class, which may be a descendent of the first class
429
     * @return whether parentClass precedes or equals childClass in class loader order
430
     */
431
    public static boolean classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass) {
432
        return loadersAreRelated(parentClass.getClassLoader(), childClass.getClassLoader(), true);
433
    }
434
}
435

436