/*

 * Copyright (c) 1995, 2019, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package java.lang;

import java.lang.module.ModuleDescriptor;

import java.lang.module.ModuleDescriptor.Exports;

import java.lang.module.ModuleDescriptor.Opens;

import java.lang.reflect.Member;

import java.io.FileDescriptor;

import java.io.File;

import java.io.FilePermission;

import java.net.InetAddress;

import java.net.SocketPermission;

import java.security.AccessControlContext;

import java.security.AccessController;

import java.security.Permission;

import java.security.PrivilegedAction;

import java.security.Security;

import java.security.SecurityPermission;

import java.util.HashSet;

import java.util.Map;

import java.util.Objects;

import java.util.PropertyPermission;

import java.util.Set;

import java.util.concurrent.ConcurrentHashMap;

import jdk.internal.module.ModuleLoaderMap;

import jdk.internal.reflect.CallerSensitive;

import sun.security.util.SecurityConstants;

/**

 * The security manager is a class that allows

 * applications to implement a security policy. It allows an

 * application to determine, before performing a possibly unsafe or

 * sensitive operation, what the operation is and whether

 * it is being attempted in a security context that allows the

 * operation to be performed. The

 * application can allow or disallow the operation.

 * <p>

 * The {@code SecurityManager} class contains many methods with

 * names that begin with the word {@code check}. These methods

 * are called by various methods in the Java libraries before those

 * methods perform certain potentially sensitive operations. The

 * invocation of such a {@code check} method typically looks like this:

 * <blockquote><pre>

 *     SecurityManager security = System.getSecurityManager();

 *     if (security != null) {

 *         security.check<i>XXX</i>(argument, &nbsp;.&nbsp;.&nbsp;.&nbsp;);

 *     }

 * </pre></blockquote>

 * <p>

 * The security manager is thereby given an opportunity to prevent

 * completion of the operation by throwing an exception. A security

 * manager routine simply returns if the operation is permitted, but

 * throws a {@code SecurityException} if the operation is not

 * permitted.

 * <p>

 * Environments using a security manager will typically set the security

 * manager at startup. In the JDK implementation, this is done by setting

 * the system property {@code java.security.manager} on the command line to

 * the class name of the security manager. It can also be set to the empty

 * String ("") or the special token "{@code default}" to use the

 * default {@code java.lang.SecurityManager}. If a class name is specified,

 * it must be {@code java.lang.SecurityManager} or a public subclass and have

 * a public no-arg constructor. The class is loaded by the

 * {@linkplain ClassLoader#getSystemClassLoader() built-in system class loader}

 * if it is not {@code java.lang.SecurityManager}. If the

 * {@code java.security.manager} system property is not set, the default value

 * is {@code null}, which means a security manager will not be set at startup.

 * <p>

 * The Java run-time may also allow, but is not required to allow, the security

 * manager to be set dynamically by invoking the

 * {@link System#setSecurityManager(SecurityManager) setSecurityManager} method.

 * In the JDK implementation, if the Java virtual machine is started with

 * the {@code java.security.manager} system property set to the special token

 * "{@code disallow}" then a security manager will not be set at startup and

 * cannot be set dynamically (the

 * {@link System#setSecurityManager(SecurityManager) setSecurityManager}

 * method will throw an {@code UnsupportedOperationException}). If the

 * {@code java.security.manager} system property is not set or is set to the

 * special token "{@code allow}", then a security manager will not be set at

 * startup but can be set dynamically. Finally, if the

 * {@code java.security.manager} system property is set to the class name of

 * the security manager, or to the empty String ("") or the special token

 * "{@code default}", then a security manager is set at startup (as described

 * previously) and can also be subsequently replaced (or disabled) dynamically

 * (subject to the policy of the currently installed security manager). The

 * following table illustrates the behavior of the JDK implementation for the

 * different settings of the {@code java.security.manager} system property:

 * <table class="striped">

 * <caption style="display:none">property value,

 *  the SecurityManager set at startup,

 *  can dynamically set a SecurityManager

 * </caption>

 * <thead>

 * <tr>

 * <th scope="col">Property Value</th>

 * <th scope="col">The SecurityManager set at startup</th>

 * <th scope="col">System.setSecurityManager run-time behavior</th>

 * </tr>

 * </thead>

 * <tbody>

 *

 * <tr>

 *   <th scope="row">null</th>

 *   <td>None</td>

 *   <td>Success or throws {@code SecurityException} if not permitted by

 * the currently installed security manager</td>

 * </tr>

 *

 * <tr>

 *   <th scope="row">empty String ("")</th>

 *   <td>{@code java.lang.SecurityManager}</td>

 *   <td>Success or throws {@code SecurityException} if not permitted by

 * the currently installed security manager</td>

 * </tr>

 *

 * <tr>

 *   <th scope="row">"default"</th>

 *   <td>{@code java.lang.SecurityManager}</td>

 *   <td>Success or throws {@code SecurityException} if not permitted by

 * the currently installed security manager</td>

 * </tr>

 *

 * <tr>

 *   <th scope="row">"disallow"</th>

 *   <td>None</td>

 *   <td>Always throws {@code UnsupportedOperationException}</td>

 * </tr>

 *

 * <tr>

 *   <th scope="row">"allow"</th>

 *   <td>None</td>

 *   <td>Success or throws {@code SecurityException} if not permitted by

 * the currently installed security manager</td>

 * </tr>

 *

 * <tr>

 *   <th scope="row">a class name</th>

 *   <td>the named class</td>

 *   <td>Success or throws {@code SecurityException} if not permitted by

 * the currently installed security manager</td>

 * </tr>

 *

 * </tbody>

 * </table>

 * <p> A future release of the JDK may change the default value of the

 * {@code java.security.manager} system property to "{@code disallow}".

 * <p>

 * The current security manager is returned by the

 * {@link System#getSecurityManager() getSecurityManager} method.

 * <p>

 * The special method

 * {@link SecurityManager#checkPermission(java.security.Permission)}

 * determines whether an access request indicated by a specified

 * permission should be granted or denied. The

 * default implementation calls

 *

 * <pre>

 *   AccessController.checkPermission(perm);

 * </pre>

 *

 * <p>

 * If a requested access is allowed,

 * {@code checkPermission} returns quietly. If denied, a

 * {@code SecurityException} is thrown.

 * <p>

 * The default implementation of each of the other

 * {@code check} methods in {@code SecurityManager} is to

 * call the {@code SecurityManager checkPermission} method

 * to determine if the calling thread has permission to perform the requested

 * operation.

 * <p>

 * Note that the {@code checkPermission} method with

 * just a single permission argument always performs security checks

 * within the context of the currently executing thread.

 * Sometimes a security check that should be made within a given context

 * will actually need to be done from within a

 * <i>different</i> context (for example, from within a worker thread).

 * The {@link SecurityManager#getSecurityContext getSecurityContext} method

 * and the {@link SecurityManager#checkPermission(java.security.Permission,

 * java.lang.Object) checkPermission}

 * method that includes a context argument are provided

 * for this situation. The

 * {@code getSecurityContext} method returns a "snapshot"

 * of the current calling context. (The default implementation

 * returns an AccessControlContext object.) A sample call is

 * the following:

 *

 * <pre>

 *   Object context = null;

 *   SecurityManager sm = System.getSecurityManager();

 *   if (sm != null) context = sm.getSecurityContext();

 * </pre>

 *

 * <p>

 * The {@code checkPermission} method

 * that takes a context object in addition to a permission

 * makes access decisions based on that context,

 * rather than on that of the current execution thread.

 * Code within a different context can thus call that method,

 * passing the permission and the

 * previously-saved context object. A sample call, using the

 * SecurityManager {@code sm} obtained as in the previous example,

 * is the following:

 *

 * <pre>

 *   if (sm != null) sm.checkPermission(permission, context);

 * </pre>

 *

 * <p>Permissions fall into these categories: File, Socket, Net,

 * Security, Runtime, Property, AWT, Reflect, and Serializable.

 * The classes managing these various

 * permission categories are {@code java.io.FilePermission},

 * {@code java.net.SocketPermission},

 * {@code java.net.NetPermission},

 * {@code java.security.SecurityPermission},

 * {@code java.lang.RuntimePermission},

 * {@code java.util.PropertyPermission},

 * {@code java.awt.AWTPermission},

 * {@code java.lang.reflect.ReflectPermission}, and

 * {@code java.io.SerializablePermission}.

 *

 * <p>All but the first two (FilePermission and SocketPermission) are

 * subclasses of {@code java.security.BasicPermission}, which itself

 * is an abstract subclass of the

 * top-level class for permissions, which is

 * {@code java.security.Permission}. BasicPermission defines the

 * functionality needed for all permissions that contain a name

 * that follows the hierarchical property naming convention

 * (for example, "exitVM", "setFactory", "queuePrintJob", etc).

 * An asterisk

 * may appear at the end of the name, following a ".", or by itself, to

 * signify a wildcard match. For example: "a.*" or "*" is valid,

 * "*a" or "a*b" is not valid.

 *

 * <p>FilePermission and SocketPermission are subclasses of the

 * top-level class for permissions

 * ({@code java.security.Permission}). Classes like these

 * that have a more complicated name syntax than that used by

 * BasicPermission subclass directly from Permission rather than from

 * BasicPermission. For example,

 * for a {@code java.io.FilePermission} object, the permission name is

 * the path name of a file (or directory).

 *

 * <p>Some of the permission classes have an "actions" list that tells

 * the actions that are permitted for the object.  For example,

 * for a {@code java.io.FilePermission} object, the actions list

 * (such as "read, write") specifies which actions are granted for the

 * specified file (or for files in the specified directory).

 *

 * <p>Other permission classes are for "named" permissions -

 * ones that contain a name but no actions list; you either have the

 * named permission or you don't.

 *

 * <p>Note: There is also a {@code java.security.AllPermission}

 * permission that implies all permissions. It exists to simplify the work

 * of system administrators who might need to perform multiple

 * tasks that require all (or numerous) permissions.

 * <p>

 * See {@extLink security_guide_permissions

 * Permissions in the Java Development Kit (JDK)}

 * for permission-related information.

 * This document includes a table listing the various SecurityManager

 * {@code check} methods and the permission(s) the default

 * implementation of each such method requires.

 * It also contains a table of the methods

 * that require permissions, and for each such method tells

 * which permission it requires.

 *

 * @author  Arthur van Hoff

 * @author  Roland Schemers

 *

 * @see     java.lang.ClassLoader

 * @see     java.lang.SecurityException

 * @see     java.lang.System#getSecurityManager() getSecurityManager

 * @see     java.lang.System#setSecurityManager(java.lang.SecurityManager)

 *  setSecurityManager

 * @see     java.security.AccessController AccessController

 * @see     java.security.AccessControlContext AccessControlContext

 * @see     java.security.AccessControlException AccessControlException

 * @see     java.security.Permission

 * @see     java.security.BasicPermission

 * @see     java.io.FilePermission

 * @see     java.net.SocketPermission

 * @see     java.util.PropertyPermission

 * @see     java.lang.RuntimePermission

 * @see     java.security.Policy Policy

 * @see     java.security.SecurityPermission SecurityPermission

 * @see     java.security.ProtectionDomain

 *

 * @since   1.0

 */

public class SecurityManager {

    /*

     * Have we been initialized. Effective against finalizer attacks.

     */

    private boolean initialized = false;

    /**

     * Constructs a new {@code SecurityManager}.

     *

     * <p> If there is a security manager already installed, this method first

     * calls the security manager's {@code checkPermission} method

     * with the {@code RuntimePermission("createSecurityManager")}

     * permission to ensure the calling thread has permission to create a new

     * security manager.

     * This may result in throwing a {@code SecurityException}.

     *

     * @throws     java.lang.SecurityException if a security manager already

     *             exists and its {@code checkPermission} method

     *             doesn't allow creation of a new security manager.

     * @see        java.lang.System#getSecurityManager()

     * @see        #checkPermission(java.security.Permission) checkPermission

     * @see java.lang.RuntimePermission

     */

    public SecurityManager() {

        synchronized(SecurityManager.class) {

            SecurityManager sm = System.getSecurityManager();

            if (sm != null) {

                // ask the currently installed security manager if we

                // can create a new one.

                sm.checkPermission(new RuntimePermission

                                   ("createSecurityManager"));

            }

            initialized = true;

        }

    }

    /**

     * Returns the current execution stack as an array of classes.

     * <p>

     * The length of the array is the number of methods on the execution

     * stack. The element at index {@code 0} is the class of the

     * currently executing method, the element at index {@code 1} is

     * the class of that method's caller, and so on.

     *

     * @return  the execution stack.

     */

    protected native Class<?>[] getClassContext();

    /**

     * Creates an object that encapsulates the current execution

     * environment. The result of this method is used, for example, by the

     * three-argument {@code checkConnect} method and by the

     * two-argument {@code checkRead} method.

     * These methods are needed because a trusted method may be called

     * on to read a file or open a socket on behalf of another method.

     * The trusted method needs to determine if the other (possibly

     * untrusted) method would be allowed to perform the operation on its

     * own.

     * <p> The default implementation of this method is to return

     * an {@code AccessControlContext} object.

     *

     * @return  an implementation-dependent object that encapsulates

     *          sufficient information about the current execution environment

     *          to perform some security checks later.

     * @see     java.lang.SecurityManager#checkConnect(java.lang.String, int,

     *   java.lang.Object) checkConnect

     * @see     java.lang.SecurityManager#checkRead(java.lang.String,

     *   java.lang.Object) checkRead

     * @see     java.security.AccessControlContext AccessControlContext

     */

    public Object getSecurityContext() {

        return AccessController.getContext();

    }

    /**

     * Throws a {@code SecurityException} if the requested

     * access, specified by the given permission, is not permitted based

     * on the security policy currently in effect.

     * <p>

     * This method calls {@code AccessController.checkPermission}

     * with the given permission.

     *

     * @param     perm   the requested permission.

     * @throws    SecurityException if access is not permitted based on

     *            the current security policy.

     * @throws    NullPointerException if the permission argument is

     *            {@code null}.

     * @since     1.2

     */

    public void checkPermission(Permission perm) {

        java.security.AccessController.checkPermission(perm);

    }

    /**

     * Throws a {@code SecurityException} if the

     * specified security context is denied access to the resource

     * specified by the given permission.

     * The context must be a security

     * context returned by a previous call to

     * {@code getSecurityContext} and the access control

     * decision is based upon the configured security policy for

     * that security context.

     * <p>

     * If {@code context} is an instance of

     * {@code AccessControlContext} then the

     * {@code AccessControlContext.checkPermission} method is

     * invoked with the specified permission.

     * <p>

     * If {@code context} is not an instance of

     * {@code AccessControlContext} then a

     * {@code SecurityException} is thrown.

     *

     * @param      perm      the specified permission

     * @param      context   a system-dependent security context.

     * @throws     SecurityException  if the specified security context

     *             is not an instance of {@code AccessControlContext}

     *             (e.g., is {@code null}), or is denied access to the

     *             resource specified by the given permission.

     * @throws     NullPointerException if the permission argument is

     *             {@code null}.

     * @see        java.lang.SecurityManager#getSecurityContext()

     * @see java.security.AccessControlContext#checkPermission(java.security.Permission)

     * @since      1.2

     */

    public void checkPermission(Permission perm, Object context) {

        if (context instanceof AccessControlContext) {

            ((AccessControlContext)context).checkPermission(perm);

        } else {

            throw new SecurityException();

        }

    }

    /**

     * Throws a {@code SecurityException} if the

     * calling thread is not allowed to create a new class loader.

     * <p>

     * This method calls {@code checkPermission} with the

     * {@code RuntimePermission("createClassLoader")}

     * permission.

     * <p>

     * If you override this method, then you should make a call to

     * {@code super.checkCreateClassLoader}

     * at the point the overridden method would normally throw an

     * exception.

     *

     * @throws    SecurityException if the calling thread does not

     *             have permission

     *             to create a new class loader.

     * @see        java.lang.ClassLoader#ClassLoader()

     * @see        #checkPermission(java.security.Permission) checkPermission

     */

    public void checkCreateClassLoader() {

        checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);

    }

    /**

     * reference to the root thread group, used for the checkAccess

     * methods.

     */

    private static ThreadGroup rootGroup = getRootGroup();

    private static ThreadGroup getRootGroup() {

        ThreadGroup root =  Thread.currentThread().getThreadGroup();

        while (root.getParent() != null) {

            root = root.getParent();

        }

        return root;

    }

    /**

     * Throws a {@code SecurityException} if the

     * calling thread is not allowed to modify the thread argument.

     * <p>

     * This method is invoked for the current security manager by the

     * {@code stop}, {@code suspend}, {@code resume},

     * {@code setPriority}, {@code setName}, and

     * {@code setDaemon} methods of class {@code Thread}.

     * <p>

     * If the thread argument is a system thread (belongs to

     * the thread group with a {@code null} parent) then

     * this method calls {@code checkPermission} with the

     * {@code RuntimePermission("modifyThread")} permission.

     * If the thread argument is <i>not</i> a system thread,

     * this method just returns silently.

     * <p>

     * Applications that want a stricter policy should override this

     * method. If this method is overridden, the method that overrides

     * it should additionally check to see if the calling thread has the

     * {@code RuntimePermission("modifyThread")} permission, and