1 /*
  2  * Copyright (c) 2008, 2021, Oracle and/or its affiliates. All rights reserved.
  3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  4  *
  5  * This code is free software; you can redistribute it and/or modify it
  6  * under the terms of the GNU General Public License version 2 only, as
  7  * published by the Free Software Foundation.  Oracle designates this
  8  * particular file as subject to the "Classpath" exception as provided
  9  * by Oracle in the LICENSE file that accompanied this code.
 10  *
 11  * This code is distributed in the hope that it will be useful, but WITHOUT
 12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 14  * version 2 for more details (a copy is included in the LICENSE file that
 15  * accompanied this code).
 16  *
 17  * You should have received a copy of the GNU General Public License version
 18  * 2 along with this work; if not, write to the Free Software Foundation,
 19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 20  *
 21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 22  * or visit www.oracle.com if you need additional information or have any
 23  * questions.
 24  */
 25 
 26 package sun.invoke.util;
 27 
 28 import java.lang.reflect.Modifier;
 29 import static java.lang.reflect.Modifier.*;
 30 import jdk.internal.reflect.Reflection;
 31 
 32 /**
 33  * This class centralizes information about the JVM's linkage access control.
 34  * @author jrose
 35  */
 36 public class VerifyAccess {
 37 
 38     private VerifyAccess() { }  // cannot instantiate
 39 
 40     private static final int UNCONDITIONAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.UNCONDITIONAL;
 41     private static final int ORIGINAL_ALLOWED = java.lang.invoke.MethodHandles.Lookup.ORIGINAL;
 42     private static final int MODULE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.MODULE;
 43     private static final int PACKAGE_ONLY = 0;
 44     private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE;
 45     private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED);
 46     private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY);
 47 
 48     /**
 49      * Evaluate the JVM linkage rules for access to the given method
 50      * on behalf of a caller class which proposes to perform the access.
 51      * Return true if the caller class has privileges to invoke a method
 52      * or access a field with the given properties.
 53      * This requires an accessibility check of the referencing class,
 54      * plus an accessibility check of the member within the class,
 55      * which depends on the member's modifier flags.
 56      * <p>
 57      * The relevant properties include the defining class ({@code defc})
 58      * of the member, and its modifier flags ({@code mods}).
 59      * Also relevant is the class used to make the initial symbolic reference
 60      * to the member ({@code refc}).  If this latter class is not distinguished,
 61      * the defining class should be passed for both arguments ({@code defc == refc}).
 62      * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
 63      * A field or method R is accessible to a class or interface D if
 64      * and only if any of the following is true:
 65      * <ul>
 66      * <li>R is public.</li>
 67      * <li>R is protected and is declared in a class C, and D is either
 68      *     a subclass of C or C itself. Furthermore, if R is not static,
 69      *     then the symbolic reference to R must contain a symbolic
 70      *     reference to a class T, such that T is either a subclass of D,
 71      *     a superclass of D, or D itself.
 72      *     <p>During verification, it was also required that, even if T is
 73      *     a superclass of D, the target reference of a protected instance
 74      *     field access or method invocation must be an instance of D or a
 75      *     subclass of D (4.10.1.8).</p></li>
 76      * <li>R is either protected or has default access (that is, neither
 77      *     public nor protected nor private), and is declared by a class
 78      *     in the same run-time package as D.</li>
 79      * <li>R is private and is declared in D by a class or interface
 80      *     belonging to the same nest as D.</li>
 81      * </ul>
 82      * If a referenced field or method is not accessible, access checking
 83      * throws an IllegalAccessError. If an exception is thrown while
 84      * attempting to determine the nest host of a class or interface,
 85      * access checking fails for the same reason.
 86      *
 87      * @param refc the class used in the symbolic reference to the proposed member
 88      * @param defc the class in which the proposed member is actually defined
 89      * @param mods modifier flags for the proposed member
 90      * @param lookupClass the class for which the access check is being made
 91      * @param prevLookupClass the class for which the access check is being made
 92      * @param allowedModes allowed modes
 93      * @return true iff the accessing class can access such a member
 94      */
 95     public static boolean isMemberAccessible(Class<?> refc,  // symbolic ref class
 96                                              Class<?> defc,  // actual def class
 97                                              int      mods,  // actual member mods
 98                                              Class<?> lookupClass,
 99                                              Class<?> prevLookupClass,
100                                              int      allowedModes) {
101         if (allowedModes == 0)  return false;
102         assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED|ORIGINAL_ALLOWED)) == 0);
103         // The symbolic reference class (refc) must always be fully verified.
104         if (!isClassAccessible(refc, lookupClass, prevLookupClass, allowedModes)) {
105             return false;
106         }
107         // Usually refc and defc are the same, but verify defc also in case they differ.
108         if (defc == lookupClass  &&
109             (allowedModes & PRIVATE) != 0)
110             return true;        // easy check; all self-access is OK with a private lookup
111 
112         switch (mods & ALL_ACCESS_MODES) {
113         case PUBLIC:
114             assert (allowedModes & PUBLIC) != 0 || (allowedModes & UNCONDITIONAL_ALLOWED) != 0;
115             return true;  // already checked above
116         case PROTECTED:
117             assert !defc.isInterface(); // protected members aren't allowed in interfaces
118             if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 &&
119                 isSamePackage(defc, lookupClass))
120                 return true;
121             if ((allowedModes & PROTECTED) == 0)
122                 return false;
123             // Protected members are accessible by subclasses, which does not include interfaces.
124             // Interfaces are types, not classes. They should not have access to
125             // protected members in j.l.Object, even though it is their superclass.
126             if ((mods & STATIC) != 0 &&
127                 !isRelatedClass(refc, lookupClass))
128                 return false;
129             if ((allowedModes & PROTECTED) != 0 &&
130                 isSubClass(lookupClass, defc))
131                 return true;
132             return false;
133         case PACKAGE_ONLY:  // That is, zero.  Unmarked member is package-only access.
134             assert !defc.isInterface(); // package-private members aren't allowed in interfaces
135             return ((allowedModes & PACKAGE_ALLOWED) != 0 &&
136                     isSamePackage(defc, lookupClass));
137         case PRIVATE:
138             // Rules for privates follows access rules for nestmates.
139             boolean canAccess = ((allowedModes & PRIVATE) != 0 &&
140                                  Reflection.areNestMates(defc, lookupClass));
141             // for private methods the selected method equals the
142             // resolved method - so refc == defc
143             assert (canAccess && refc == defc) || !canAccess;
144             return canAccess;
145         default:
146             throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods));
147         }
148     }
149 
150     static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) {
151         return (refc == lookupClass ||
152                 isSubClass(refc, lookupClass) ||
153                 isSubClass(lookupClass, refc));
154     }
155 
156     static boolean isSubClass(Class<?> lookupClass, Class<?> defc) {
157         return defc.isAssignableFrom(lookupClass) &&
158                !lookupClass.isInterface(); // interfaces are types, not classes.
159     }
160 
161     static int getClassModifiers(Class<?> c) {
162         // This would return the mask stored by javac for the source-level modifiers.
163         //   return c.getModifiers();
164         // But what we need for JVM access checks are the actual bits from the class header.
165         // ...But arrays and primitives are synthesized with their own odd flags:
166         if (c.isArray() || c.isPrimitive())
167             return c.getModifiers();
168         return Reflection.getClassAccessFlags(c);
169     }
170 
171     /**
172      * Evaluate the JVM linkage rules for access to the given class on behalf of caller.
173      * <h3>JVM Specification, 5.4.4 "Access Control"</h3>
174      * A class or interface C is accessible to a class or interface D
175      * if and only if any of the following conditions are true:<ul>
176      * <li>C is public and in the same module as D.
177      * <li>D is in a module that reads the module containing C, C is public and in a
178      * package that is exported to the module that contains D.
179      * <li>C and D are members of the same runtime package.
180      * </ul>
181      *
182      * @param refc the symbolic reference class to which access is being checked (C)
183      * @param lookupClass the class performing the lookup (D)
184      * @param prevLookupClass the class from which the lookup was teleported or null
185      * @param allowedModes allowed modes
186      */
187     public static boolean isClassAccessible(Class<?> refc,
188                                             Class<?> lookupClass,
189                                             Class<?> prevLookupClass,
190                                             int allowedModes) {
191         if (allowedModes == 0)  return false;
192         assert((allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED|MODULE_ALLOWED|UNCONDITIONAL_ALLOWED|ORIGINAL_ALLOWED)) == 0);
193 
194         if ((allowedModes & PACKAGE_ALLOWED) != 0 &&
195             isSamePackage(lookupClass, refc))
196             return true;
197 
198         int mods = getClassModifiers(refc);
199         if (isPublic(mods)) {
200 
201             Module lookupModule = lookupClass.getModule();
202             Module refModule = refc.getModule();
203 
204             // early VM startup case, java.base not defined
205             if (lookupModule == null) {
206                 assert refModule == null;
207                 return true;
208             }
209 
210             // allow access to public types in all unconditionally exported packages
211             if ((allowedModes & UNCONDITIONAL_ALLOWED) != 0) {
212                 return refModule.isExported(refc.getPackageName());
213             }
214 
215             if (lookupModule == refModule && prevLookupClass == null) {
216                 // allow access to all public types in lookupModule
217                 if ((allowedModes & MODULE_ALLOWED) != 0)
218                     return true;
219 
220                 assert (allowedModes & PUBLIC) != 0;
221                 return refModule.isExported(refc.getPackageName());
222             }
223 
224             // cross-module access
225             // 1. refc is in different module from lookupModule, or
226             // 2. refc is in lookupModule and a different module from prevLookupModule
227             Module prevLookupModule = prevLookupClass != null ? prevLookupClass.getModule()
228                                                               : null;
229             assert refModule != lookupModule || refModule != prevLookupModule;
230             if (isModuleAccessible(refc, lookupModule, prevLookupModule))
231                 return true;
232 
233             // not exported but allow access during VM initialization
234             // because java.base does not have its exports setup
235             if (!jdk.internal.misc.VM.isModuleSystemInited())
236                 return true;
237 
238             // public class not accessible to lookupClass
239             return false;
240         }
241 
242         return false;
243     }
244 
245     /*
246      * Tests if a class or interface REFC is accessible to m1 and m2 where m2
247      * may be null.
248      *
249      * A class or interface REFC in m is accessible to m1 and m2 if and only if
250      * both m1 and m2 read m and m exports the package of REFC at least to
251      * both m1 and m2.
252      */
253     public static boolean isModuleAccessible(Class<?> refc,  Module m1, Module m2) {
254         Module refModule = refc.getModule();
255         assert refModule != m1 || refModule != m2;
256         int mods = getClassModifiers(refc);
257         if (isPublic(mods)) {
258             if (m1.canRead(refModule) && (m2 == null || m2.canRead(refModule))) {
259                 String pn = refc.getPackageName();
260 
261                 // refc is exported package to at least both m1 and m2
262                 if (refModule.isExported(pn, m1) && (m2 == null || refModule.isExported(pn, m2)))
263                     return true;
264             }
265         }
266         return false;
267     }
268 
269     /**
270      * Decide if the given method type, attributed to a member or symbolic
271      * reference of a given reference class, is really visible to that class.
272      * @param type the supposed type of a member or symbolic reference of refc
273      * @param refc the class attempting to make the reference
274      */
275     public static boolean isTypeVisible(Class<?> type, Class<?> refc) {
276         if (type == refc) {
277             return true;  // easy check
278         }
279         while (type.isArray())  type = type.getComponentType();
280         if (type.isPrimitive() || type == Object.class) {
281             return true;
282         }
283         ClassLoader typeLoader = type.getClassLoader();
284         ClassLoader refcLoader = refc.getClassLoader();
285         if (typeLoader == refcLoader) {
286             return true;
287         }
288         if (refcLoader == null && typeLoader != null) {
289             return false;
290         }
291         if (typeLoader == null && type.getName().startsWith("java.")) {
292             // Note:  The API for actually loading classes, ClassLoader.defineClass,
293             // guarantees that classes with names beginning "java." cannot be aliased,
294             // because class loaders cannot load them directly.
295             return true;
296         }
297 
298         // Do it the hard way:  Look up the type name from the refc loader.
299         //
300         // Force the refc loader to report and commit to a particular binding for this type name (type.getName()).
301         //
302         // In principle, this query might force the loader to load some unrelated class,
303         // which would cause this query to fail (and the original caller to give up).
304         // This would be wasted effort, but it is expected to be very rare, occurring
305         // only when an attacker is attempting to create a type alias.
306         // In the normal case, one class loader will simply delegate to the other,
307         // and the same type will be visible through both, with no extra loading.
308         //
309         // It is important to go through Class.forName instead of ClassLoader.loadClass
310         // because Class.forName goes through the JVM system dictionary, which records
311         // the class lookup once for all. This means that even if a not-well-behaved class loader
312         // would "change its mind" about the meaning of the name, the Class.forName request
313         // will use the result cached in the JVM system dictionary. Note that the JVM system dictionary
314         // will record the first successful result. Unsuccessful results are not stored.
315         //
316         // We use doPrivileged in order to allow an unprivileged caller to ask an arbitrary
317         // class loader about the binding of the proposed name (type.getName()).
318         // The looked up type ("res") is compared for equality against the proposed
319         // type ("type") and then is discarded.  Thus, the worst that can happen to
320         // the "child" class loader is that it is bothered to load and report a class
321         // that differs from "type"; this happens once due to JVM system dictionary
322         // memoization.  And the caller never gets to look at the alternate type binding
323         // ("res"), whether it exists or not.
324         final String name = type.getName();
325         @SuppressWarnings("removal")
326         Class<?> res = java.security.AccessController.doPrivileged(
327                 new java.security.PrivilegedAction<>() {
328                     public Class<?> run() {
329                         try {
330                             return Class.forName(name, false, refcLoader);
331                         } catch (ClassNotFoundException | LinkageError e) {
332                             return null; // Assume the class is not found
333                         }
334                     }
335             });
336         return (type == res);
337     }
338 
339     /**
340      * Decide if the given method type, attributed to a member or symbolic
341      * reference of a given reference class, is really visible to that class.
342      * @param type the supposed type of a member or symbolic reference of refc
343      * @param refc the class attempting to make the reference
344      */
345     public static boolean isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc) {
346         if (!isTypeVisible(type.returnType(), refc)) {
347             return false;
348         }
349         for (int n = 0, max = type.parameterCount(); n < max; n++) {
350             if (!isTypeVisible(type.parameterType(n), refc)) {
351                 return false;
352             }
353         }
354         return true;
355     }
356 
357     /**
358      * Tests if two classes are in the same module.
359      * @param class1 a class
360      * @param class2 another class
361      * @return whether they are in the same module
362      */
363     public static boolean isSameModule(Class<?> class1, Class<?> class2) {
364         return class1.getModule() == class2.getModule();
365     }
366 
367     /**
368      * Test if two classes have the same class loader and package qualifier.
369      * @param class1 a class
370      * @param class2 another class
371      * @return whether they are in the same package
372      */
373     public static boolean isSamePackage(Class<?> class1, Class<?> class2) {
374         if (class1 == class2)
375             return true;
376         if (class1.getClassLoader() != class2.getClassLoader())
377             return false;
378         return class1.getPackageName() == class2.getPackageName();
379     }
380 
381     /**
382      * Test if two classes are defined as part of the same package member (top-level class).
383      * If this is true, they can share private access with each other.
384      * @param class1 a class
385      * @param class2 another class
386      * @return whether they are identical or nested together
387      */
388     public static boolean isSamePackageMember(Class<?> class1, Class<?> class2) {
389         if (class1 == class2)
390             return true;
391         if (!isSamePackage(class1, class2))
392             return false;
393         if (getOutermostEnclosingClass(class1) != getOutermostEnclosingClass(class2))
394             return false;
395         return true;
396     }
397 
398     private static Class<?> getOutermostEnclosingClass(Class<?> c) {
399         Class<?> pkgmem = c;
400         for (Class<?> enc = c; (enc = enc.getEnclosingClass()) != null; )
401             pkgmem = enc;
402         return pkgmem;
403     }
404 
405     private static boolean loadersAreRelated(ClassLoader loader1, ClassLoader loader2,
406                                              boolean loader1MustBeParent) {
407         if (loader1 == loader2 || loader1 == null
408                 || (loader2 == null && !loader1MustBeParent)) {
409             return true;
410         }
411         for (ClassLoader scan2 = loader2;
412                 scan2 != null; scan2 = scan2.getParent()) {
413             if (scan2 == loader1)  return true;
414         }
415         if (loader1MustBeParent)  return false;
416         // see if loader2 is a parent of loader1:
417         for (ClassLoader scan1 = loader1;
418                 scan1 != null; scan1 = scan1.getParent()) {
419             if (scan1 == loader2)  return true;
420         }
421         return false;
422     }
423 
424     /**
425      * Is the class loader of parentClass identical to, or an ancestor of,
426      * the class loader of childClass?
427      * @param parentClass a class
428      * @param childClass another class, which may be a descendent of the first class
429      * @return whether parentClass precedes or equals childClass in class loader order
430      */
431     public static boolean classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass) {
432         return loadersAreRelated(parentClass.getClassLoader(), childClass.getClassLoader(), true);
433     }
434 }