--- a/nashorn/src/jdk/internal/dynalink/beans/SandboxClassLoader.java Tue Aug 06 17:12:37 2013 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,228 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
- Copyright 2009-2013 Attila Szegedi
-
- Licensed under both the Apache License, Version 2.0 (the "Apache License")
- and the BSD License (the "BSD License"), with licensee being free to
- choose either of the two at their discretion.
-
- You may not use this file except in compliance with either the Apache
- License or the BSD License.
-
- If you choose to use this file in compliance with the Apache License, the
- following notice applies to you:
-
- You may obtain a copy of the Apache License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied. See the License for the specific language governing
- permissions and limitations under the License.
-
- If you choose to use this file in compliance with the BSD License, the
- following notice applies to you:
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- * Neither the name of the copyright holder nor the names of
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
- IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
- BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink.beans;
-
-import static jdk.internal.org.objectweb.asm.Opcodes.ACC_PUBLIC;
-import static jdk.internal.org.objectweb.asm.Opcodes.ASM4;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-import java.security.SecureClassLoader;
-import java.security.SecureRandom;
-import jdk.internal.org.objectweb.asm.ClassReader;
-import jdk.internal.org.objectweb.asm.ClassVisitor;
-import jdk.internal.org.objectweb.asm.ClassWriter;
-import jdk.internal.org.objectweb.asm.MethodVisitor;
-
-/**
- * A utility class that can load a class with specified name into an isolated zero-permissions protection domain. It can
- * be used to load classes that perform security-sensitive operations with no privileges at all, therefore ensuring such
- * operations will only succeed if they would require no permissions, as well as to make sure that if these operations
- * bind some part of the security execution context to their results, the bound security context is completely
- * unprivileged. Such measures serve as firebreaks against accidental privilege escalation.
- */
-final class SandboxClassLoader {
- private final String className;
- private final String randomizedClassName;
-
- private SandboxClassLoader(String className) {
- this.className = className;
- final String simpleClassName = className.substring(className.lastIndexOf('.') + 1);
- this.randomizedClassName = "randomPackage" + Long.toHexString(new SecureRandom().nextLong()) + "." + simpleClassName;
- }
-
- /**
- * Load the named class into a zero-permissions protection domain. Even if the class is already loaded into the
- * Dynalink's class loader, an independent class is created from the same bytecode, thus the returned class will
- * never be identical with the one that might already be loaded. The class to be loaded is supposed to be package
- * private and have no public constructors. This is not a functional requirement, but it is enforced to ensure that
- * the original class was made adequately inaccessible. The returned class will be public and its constructors will
- * be changed to public. The only permission given to the returned class will be
- * {@code accessClassInPackage.jdk.internal.dynalink.beans.sandbox}. That package should be used solely to define
- * SPI interfaces implemented by the loaded class.
- * @param className the fully qualified name of the class to load
- * @return the loaded class, renamed to a random package, made public, its constructors made public, and lacking any
- * permissions except access to the sandbox package.
- * @throws SecurityException if the calling code lacks the {@code createClassLoader} runtime permission. This
- * normally means that Dynalink itself is running as untrusted code, and whatever functionality was meant to be
- * isolated into an unprivileged class is likely okay to be used directly too.
- */
- static Class<?> loadClass(String className) throws SecurityException {
- return new SandboxClassLoader(className).loadClass();
- }
-
- private Class<?> loadClass() throws SecurityException {
- final ClassLoader loader = createClassLoader();
- try {
- final Class<?> clazz = Class.forName(randomizedClassName, true, loader);
- // Sanity check to ensure we didn't accidentally pick up the class from elsewhere
- if(clazz.getClassLoader() != loader) {
- throw new AssertionError(randomizedClassName + " was loaded from a different class loader");
- }
- return clazz;
- } catch(ClassNotFoundException e) {
- throw new AssertionError(e);
- }
- }
-
- private ClassLoader createClassLoader() throws SecurityException {
- final String lclassName = this.randomizedClassName;
- // We deliberately override loadClass instead of findClass so that we don't give a chance to finding this
- // class already loaded anywhere else. We use this class' loader as the parent class loader as the loaded class
- // needs to be able to access implemented interfaces from the sandbox package.
- return new SecureClassLoader(getClass().getClassLoader()) {
- @Override
- protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
- if(name.equals(lclassName)) {
- final byte[] bytes = getClassBytes();
- // Define the class with a protection domain that grants (almost) no permissions.
- Class<?> clazz = defineClass(name, bytes, 0, bytes.length, createMinimalPermissionsDomain());
- if(resolve) {
- resolveClass(clazz);
- }
- return clazz;
- }
-
- final int i = name.lastIndexOf('.');
- if (i != -1) {
- final SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPackageAccess(name.substring(0, i));
- }
- }
- return super.loadClass(name, resolve);
- }
- };
- }
-
- /**
- * Create a no-permissions protection domain. Except, it's not really a no-permissions protection domain, since we
- * need to give the protection domain the permission to access the sandbox package where the interop interfaces are
- * defined.
- * @return a new (almost) no-permission protection domain.
- */
- private static ProtectionDomain createMinimalPermissionsDomain() {
- final Permissions p = new Permissions();
- p.add(new RuntimePermission("accessClassInPackage.jdk.internal.dynalink.beans.sandbox"));
- return new ProtectionDomain(null, p);
- }
-
- private byte[] getClassBytes() {
- try(final InputStream in = getClass().getResourceAsStream("/" + className.replace('.', '/') + ".class")) {
- final ClassReader cr = new ClassReader(in);
- final ClassWriter cw = new ClassWriter(cr, 0);
- cr.accept(new ClassVisitor(ASM4, cw) {
- @Override
- public void visit(int version, int access, String name, String signature, String superName,
- String[] interfaces) {
- // Rename the class to its random name, and make it public (otherwise we won't be able to
- // instantiate it). The privileged template class is package-private.
- if((access & ACC_PUBLIC) != 0) {
- throw new IllegalArgumentException("Class " + className + " must be package-private");
- }
- super.visit(version, access | ACC_PUBLIC, randomizedClassName.replace('.', '/'),
- signature, superName, interfaces);
- }
-
- @Override
- public MethodVisitor visitMethod(int access, String name, String desc, String signature,
- String[] exceptions) {
- // Make the constructor(s) public (otherwise we won't be able to instantiate the class). The
- // privileged template's constructor(s) should not be public.
- final boolean isCtor = "<init>".equals(name);
- if(isCtor && ((access & ACC_PUBLIC) != 0)) {
- throw new IllegalArgumentException("Class " + className + " must have no public constructors");
- }
- return super.visitMethod(isCtor ? (access | ACC_PUBLIC) : access, name, desc, signature,
- exceptions);
- }
- }, 0);
- return cw.toByteArray();
- } catch(IOException e) {
- throw new RuntimeException(e);
- }
- }
-}