8022707: Revisit all doPrivileged blocks
authorsundar
Fri, 09 Aug 2013 20:48:44 +0530
changeset 19459 79e75274df99
parent 19458 32cc3fd726ea
child 19460 1b6d8e7b1cdf
8022707: Revisit all doPrivileged blocks Reviewed-by: jlaskey, hannesw
nashorn/make/project.properties
nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java
nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
nashorn/src/jdk/nashorn/api/scripting/ScriptObjectMirror.java
nashorn/src/jdk/nashorn/internal/objects/Global.java
nashorn/src/jdk/nashorn/internal/objects/NativeDebug.java
nashorn/src/jdk/nashorn/internal/runtime/Context.java
nashorn/src/jdk/nashorn/internal/runtime/ECMAErrors.java
nashorn/src/jdk/nashorn/internal/runtime/Logging.java
nashorn/src/jdk/nashorn/internal/runtime/linker/ClassAndLoader.java
nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterBytecodeGenerator.java
nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterClassLoader.java
nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java
nashorn/src/jdk/nashorn/internal/runtime/linker/ReflectionCheckLinker.java
nashorn/src/jdk/nashorn/internal/runtime/options/Options.java
nashorn/src/jdk/nashorn/tools/Shell.java
--- a/nashorn/make/project.properties	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/make/project.properties	Fri Aug 09 20:48:44 2013 +0530
@@ -222,11 +222,16 @@
 run.test.user.language=tr
 run.test.user.country=TR
 
-#  -XX:+PrintCompilation -XX:+UnlockDiagnosticVMOptions -XX:+PrintNMethods
-run.test.jvmargs.main=-server -Xmx${run.test.xmx} -XX:+TieredCompilation -ea -Dfile.encoding=UTF-8 -Duser.language=${run.test.user.language} -Duser.country=${run.test.user.country} -XX:+HeapDumpOnOutOfMemoryError
+run.test.jvmargs.common=-server -Xmx${run.test.xmx} -XX:+TieredCompilation -Dfile.encoding=UTF-8 -Duser.language=${run.test.user.language} -Duser.country=${run.test.user.country} -XX:+HeapDumpOnOutOfMemoryError
+
+#-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M
+# -XX:+PrintCompilation -XX:+UnlockDiagnosticVMOptions -XX:+PrintNMethods
+
+# turn on assertions for tests
+run.test.jvmargs.main=${run.test.jvmargs.common} -ea
 
 #-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M  
-run.test.jvmargs.octane.main=-Xms${run.test.xms} ${run.test.jvmargs.main}
+run.test.jvmargs.octane.main=-Xms${run.test.xms} ${run.test.jvmargs.common}
 
 run.test.jvmsecurityargs=-Xverify:all -Djava.security.properties=${basedir}/make/java.security.override -Djava.security.manager -Djava.security.policy=${basedir}/build/nashorn.policy
 
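Review bot: The commented-out `#-XX:-UseCompressedKlassPointers -XX:+PrintHeapAtGC -XX:ClassMetaspaceSize=300M` line now appears twice, once as the new copy near the top of this hunk and once as the original that still precedes `run.test.jvmargs.octane.main`; one of them should go. The octane line now expands `run.test.jvmargs.common` rather than `run.test.jvmargs.main`, so octane runs lose `-ea`, which looks intentional given the `# turn on assertions for tests` comment but is not stated anywhere. A one-line comment above the octane property, `# octane benchmarks run without -ea`, would make that deliberate.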
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngine.java	Fri Aug 09 20:48:44 2013 +0530
@@ -36,10 +36,13 @@
 import java.lang.reflect.Modifier;
 import java.net.URL;
 import java.nio.charset.Charset;
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -71,6 +74,14 @@
  */
 
 public final class NashornScriptEngine extends AbstractScriptEngine implements Compilable, Invocable {
+    private static AccessControlContext createPermAccCtxt(final String permName) {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(permName));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext CREATE_CONTEXT_ACC_CTXT = createPermAccCtxt(Context.NASHORN_CREATE_CONTEXT);
+    private static final AccessControlContext CREATE_GLOBAL_ACC_CTXT  = createPermAccCtxt(Context.NASHORN_CREATE_GLOBAL);
 
     private final ScriptEngineFactory factory;
     private final Context             nashornContext;
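Review bot: `createPermAccCtxt` here is the third copy of the same helper in this changeset: Context gets a private `createPermAccCtxt`, ScriptObjectMirror a `getContextAccCtxt` with a different name for the same shape, and ClassAndLoader a package-private varargs variant, so the four will drift independently. If exposing one from Context is acceptable, the api.scripting classes could reuse it and ScriptObjectMirror's name could match; otherwise at least the naming should be consistent. The helper and the two constants also carry no comment saying why a `ProtectionDomain(null, perms)` is built at all; suggest `// bounds the doPrivileged blocks below to just this RuntimePermission instead of the full privileges of nashorn's code source` on the method, since that least-privilege intent is the whole point of the change and is not obvious from the code.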
@@ -84,16 +95,9 @@
 
     private static final String MESSAGES_RESOURCE = "jdk.nashorn.api.scripting.resources.Messages";
 
-    // Without do privileged, under security manager messages can not be loaded.
     private static final ResourceBundle MESSAGES_BUNDLE;
     static {
-        MESSAGES_BUNDLE = AccessController.doPrivileged(
-        new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
-            }
-        });
+        MESSAGES_BUNDLE = ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
     }
 
     private static String getMessage(final String msgId, final String... args) {
@@ -128,7 +132,7 @@
                     throw e;
                 }
             }
-        });
+        }, CREATE_CONTEXT_ACC_CTXT);
 
         // create new global object
         this.global = createNashornGlobal();
@@ -340,7 +344,7 @@
                     throw e;
                 }
             }
-        });
+        }, CREATE_GLOBAL_ACC_CTXT);
 
         nashornContext.initGlobal(newGlobal);
 
@@ -362,10 +366,8 @@
     }
 
     private void evalEngineScript() throws ScriptException {
-        evalSupportScript("resources/engine.js", NashornException.ENGINE_SCRIPT_SOURCE_NAME);
-    }
-
-    private void evalSupportScript(final String script, final String name) throws ScriptException {
+        final String script = "resources/engine.js";
+        final String name   = NashornException.ENGINE_SCRIPT_SOURCE_NAME;
         try {
             final InputStream is = AccessController.doPrivileged(
                     new PrivilegedExceptionAction<InputStream>() {
@@ -380,6 +382,9 @@
                 eval(isr);
             }
         } catch (final PrivilegedActionException | IOException e) {
+            if (Context.DEBUG) {
+                e.printStackTrace();
+            }
             throw new ScriptException(e);
         } finally {
             put(ScriptEngine.FILENAME, null);
--- a/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java	Fri Aug 09 20:48:44 2013 +0530
@@ -30,6 +30,7 @@
 import java.util.List;
 import javax.script.ScriptEngine;
 import javax.script.ScriptEngineFactory;
+import jdk.nashorn.internal.runtime.Context;
 import jdk.nashorn.internal.runtime.Version;
 
 /**
@@ -136,7 +137,14 @@
 
     @Override
     public ScriptEngine getScriptEngine() {
-        return new NashornScriptEngine(this, getAppClassLoader());
+        try {
+            return new NashornScriptEngine(this, getAppClassLoader());
+        } catch (final RuntimeException e) {
+            if (Context.DEBUG) {
+                e.printStackTrace();
+            }
+            throw e;
+        }
     }
 
     /**
@@ -178,7 +186,7 @@
     private static void checkConfigPermission() {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.setConfig"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_SET_CONFIG));
         }
     }
 
--- a/nashorn/src/jdk/nashorn/api/scripting/ScriptObjectMirror.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/api/scripting/ScriptObjectMirror.java	Fri Aug 09 20:48:44 2013 +0530
@@ -25,14 +25,17 @@
 
 package jdk.nashorn.api.scripting;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Iterator;
 import java.util.LinkedHashSet;
-import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -49,6 +52,14 @@
  * netscape.javascript.JSObject interface.
  */
 public final class ScriptObjectMirror extends JSObject implements Bindings {
+    private static AccessControlContext getContextAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(Context.NASHORN_GET_CONTEXT));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext GET_CONTEXT_ACC_CTXT = getContextAccCtxt();
+
     private final ScriptObject sobj;
     private final ScriptObject global;
 
@@ -144,7 +155,7 @@
                             public Context run() {
                                 return Context.getContext();
                             }
-                        });
+                        }, GET_CONTEXT_ACC_CTXT);
                 return wrap(context.eval(global, s, null, null, false), global);
             }
         });
--- a/nashorn/src/jdk/nashorn/internal/objects/Global.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/objects/Global.java	Fri Aug 09 20:48:44 2013 +0530
@@ -35,8 +35,6 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.ref.SoftReference;
 import java.lang.reflect.Field;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -420,7 +418,7 @@
         // security check first
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.newGlobal"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_CREATE_GLOBAL));
         }
 
         // null check on context
@@ -1780,19 +1778,13 @@
     }
 
     private static void copyOptions(final ScriptObject options, final ScriptEnvironment scriptEnv) {
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
-            @Override
-            public Void run() {
-                for (Field f : scriptEnv.getClass().getFields()) {
-                    try {
-                        options.set(f.getName(), f.get(scriptEnv), false);
-                    } catch (final IllegalArgumentException | IllegalAccessException exp) {
-                        throw new RuntimeException(exp);
-                    }
-                }
-                return null;
+        for (Field f : scriptEnv.getClass().getFields()) {
+            try {
+                options.set(f.getName(), f.get(scriptEnv), false);
+            } catch (final IllegalArgumentException | IllegalAccessException exp) {
+                throw new RuntimeException(exp);
             }
-        });
+        }
     }
 
     private void initTypedArray() {
--- a/nashorn/src/jdk/nashorn/internal/objects/NativeDebug.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/objects/NativeDebug.java	Fri Aug 09 20:48:44 2013 +0530
@@ -72,7 +72,7 @@
     public static Object getContext(final Object self) {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.getContext"));
+            sm.checkPermission(new RuntimePermission(Context.NASHORN_GET_CONTEXT));
         }
         return Global.getThisContext();
     }
--- a/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/Context.java	Fri Aug 09 20:48:44 2013 +0530
@@ -64,6 +64,31 @@
  * This class manages the global state of execution. Context is immutable.
  */
 public final class Context {
+    // nashorn specific security runtime access permission names
+    /**
+     * Permission needed to pass arbitrary nashorn command line options when creating Context.
+     */
+    public static final String NASHORN_SET_CONFIG      = "nashorn.setConfig";
+
+    /**
+     * Permission needed to create Nashorn Context instance.
+     */
+    public static final String NASHORN_CREATE_CONTEXT  = "nashorn.createContext";
+
+    /**
+     * Permission needed to create Nashorn Global instance.
+     */
+    public static final String NASHORN_CREATE_GLOBAL   = "nashorn.createGlobal";
+
+    /**
+     * Permission to get current Nashorn Context from thread local storage.
+     */
+    public static final String NASHORN_GET_CONTEXT     = "nashorn.getContext";
+
+    /**
+     * Permission to use Java reflection/jsr292 from script code.
+     */
+    public static final String NASHORN_JAVA_REFLECTION = "nashorn.JavaReflection";
 
     /**
      * ContextCodeInstaller that has the privilege of installing classes in the Context.
@@ -139,7 +164,7 @@
     public static Context getContext() {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.getContext"));
+            sm.checkPermission(new RuntimePermission(NASHORN_GET_CONTEXT));
         }
         return getContextTrusted();
     }
@@ -204,7 +229,20 @@
 
     private static final ClassLoader myLoader = Context.class.getClassLoader();
     private static final StructureLoader sharedLoader;
-    private static final AccessControlContext NO_PERMISSIONS_CONTEXT;
+
+    private static AccessControlContext createNoPermAccCtxt() {
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
+    }
+
+    private static AccessControlContext createPermAccCtxt(final String permName) {
+        final Permissions perms = new Permissions();
+        perms.add(new RuntimePermission(permName));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext NO_PERMISSIONS_ACC_CTXT = createNoPermAccCtxt();
+    private static final AccessControlContext CREATE_LOADER_ACC_CTXT  = createPermAccCtxt("createClassLoader");
+    private static final AccessControlContext CREATE_GLOBAL_ACC_CTXT  = createPermAccCtxt(NASHORN_CREATE_GLOBAL);
 
     static {
         sharedLoader = AccessController.doPrivileged(new PrivilegedAction<StructureLoader>() {
@@ -212,8 +250,7 @@
             public StructureLoader run() {
                 return new StructureLoader(myLoader, null);
             }
-        });
-        NO_PERMISSIONS_CONTEXT = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
+        }, CREATE_LOADER_ACC_CTXT);
     }
 
     /**
@@ -254,7 +291,7 @@
     public Context(final Options options, final ErrorManager errors, final PrintWriter out, final PrintWriter err, final ClassLoader appLoader) {
         final SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new RuntimePermission("nashorn.createContext"));
+            sm.checkPermission(new RuntimePermission(NASHORN_CREATE_CONTEXT));
         }
 
         this.env       = new ScriptEnvironment(options, out, err);
@@ -516,7 +553,7 @@
            @Override
            public ScriptObject run() {
                try {
-                   return createGlobal();
+                   return newGlobal();
                } catch (final RuntimeException e) {
                    if (Context.DEBUG) {
                        e.printStackTrace();
@@ -524,7 +561,9 @@
                    throw e;
                }
            }
-        });
+        }, CREATE_GLOBAL_ACC_CTXT);
+        // initialize newly created Global instance
+        initGlobal(newGlobal);
         setGlobalTrusted(newGlobal);
 
         final Object[] wrapped = args == null? ScriptRuntime.EMPTY_ARRAY :  ScriptObjectMirror.wrapArray(args, oldGlobal);
@@ -577,7 +616,7 @@
                         sm.checkPackageAccess(fullName.substring(0, index));
                         return null;
                     }
-                }, NO_PERMISSIONS_CONTEXT);
+                }, NO_PERMISSIONS_ACC_CTXT);
             }
         }
     }
@@ -856,7 +895,7 @@
                 public ScriptLoader run() {
                     return new ScriptLoader(sharedLoader, Context.this);
                 }
-             });
+             }, CREATE_LOADER_ACC_CTXT);
     }
 
     private long getUniqueScriptId() {
--- a/nashorn/src/jdk/nashorn/internal/runtime/ECMAErrors.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/ECMAErrors.java	Fri Aug 09 20:48:44 2013 +0530
@@ -25,8 +25,6 @@
 
 package jdk.nashorn.internal.runtime;
 
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -40,16 +38,9 @@
 public final class ECMAErrors {
     private static final String MESSAGES_RESOURCE = "jdk.nashorn.internal.runtime.resources.Messages";
 
-    // Without do privileged, under security manager messages can not be loaded.
     private static final ResourceBundle MESSAGES_BUNDLE;
     static {
-        MESSAGES_BUNDLE = AccessController.doPrivileged(
-        new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
-            }
-        });
+        MESSAGES_BUNDLE = ResourceBundle.getBundle(MESSAGES_RESOURCE, Locale.getDefault());
     }
 
     /** We assume that compiler generates script classes into the known package. */
--- a/nashorn/src/jdk/nashorn/internal/runtime/Logging.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/Logging.java	Fri Aug 09 20:48:44 2013 +0530
@@ -25,6 +25,11 @@
 
 package jdk.nashorn.internal.runtime;
 
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
@@ -35,6 +40,7 @@
 import java.util.logging.Level;
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
+import java.util.logging.LoggingPermission;
 
 /**
  * Logging system for getting loggers for arbitrary subsystems as
@@ -50,12 +56,20 @@
 
     private static final Logger disabledLogger = Logger.getLogger("disabled");
 
+    private static AccessControlContext createLoggerControlAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new LoggingPermission("control", null));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
     static {
-        try {
-            Logging.disabledLogger.setLevel(Level.OFF);
-        } catch (final SecurityException e) {
-            //ignored
-        }
+        AccessController.doPrivileged(new PrivilegedAction<Void>() {
+            @Override
+            public Void run() {
+                Logging.disabledLogger.setLevel(Level.OFF);
+                return null;
+            }
+        }, createLoggerControlAccCtxt());
     }
 
     /** Maps logger name to loggers. Names are typically per package */
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/ClassAndLoader.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/ClassAndLoader.java	Fri Aug 09 20:48:44 2013 +0530
@@ -27,8 +27,11 @@
 
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -43,6 +46,16 @@
  * used to determine if one loader can see the other loader's classes.
  */
 final class ClassAndLoader {
+    static AccessControlContext createPermAccCtxt(final String... permNames) {
+        final Permissions perms = new Permissions();
+        for (final String permName : permNames) {
+            perms.add(new RuntimePermission(permName));
+        }
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext GET_LOADER_ACC_CTXT = createPermAccCtxt("getClassLoader");
+
     private final Class<?> representativeClass;
     // Don't access this directly; most of the time, use getRetrievedLoader(), or if you know what you're doing,
     // getLoader().
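Review bot: `createPermAccCtxt` is package-private and is consumed from JavaAdapterBytecodeGenerator, JavaAdapterClassLoader and JavaAdapterFactory in this same changeset, so it is effectively a small linker-package API and deserves a Javadoc. Suggest: `Creates an AccessControlContext carrying only the given RuntimePermission names, for use as the second argument of doPrivileged so the action runs with exactly those permissions.` with a `@param permNames` line. The method does not validate an empty `permNames`, which yields a no-permission context; if that is a supported use, say so in the doc rather than leaving it implicit.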
@@ -116,7 +129,7 @@
             public ClassAndLoader run() {
                 return getDefiningClassAndLoaderPrivileged(types);
             }
-        });
+        }, GET_LOADER_ACC_CTXT);
     }
 
     static ClassAndLoader getDefiningClassAndLoaderPrivileged(final Class<?>[] types) {
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterBytecodeGenerator.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterBytecodeGenerator.java	Fri Aug 09 20:48:44 2013 +0530
@@ -49,6 +49,7 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Arrays;
@@ -868,6 +869,8 @@
         }
     }
 
+    private static final AccessControlContext GET_DECLARED_MEMBERS_ACC_CTXT = ClassAndLoader.createPermAccCtxt("accessDeclaredMembers");
+
     /**
      * Creates a collection of methods that are not final, but we still never allow them to be overridden in adapters,
      * as explicitly declaring them automatically is a bad idea. Currently, this means {@code Object.finalize()} and
@@ -886,7 +889,7 @@
                     throw new AssertionError(e);
                 }
             }
-        });
+        }, GET_DECLARED_MEMBERS_ACC_CTXT);
     }
 
     private String getCommonSuperClass(final String type1, final String type2) {
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterClassLoader.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterClassLoader.java	Fri Aug 09 20:48:44 2013 +0530
@@ -25,6 +25,7 @@
 
 package jdk.nashorn.internal.runtime.linker;
 
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.AllPermission;
 import java.security.CodeSigner;
@@ -46,6 +47,7 @@
 @SuppressWarnings("javadoc")
 final class JavaAdapterClassLoader {
     private static final ProtectionDomain GENERATED_PROTECTION_DOMAIN = createGeneratedProtectionDomain();
+    private static final AccessControlContext CREATE_LOADER_ACC_CTXT = ClassAndLoader.createPermAccCtxt("createClassLoader");
 
     private final String className;
     private volatile byte[] classBytes;
@@ -77,7 +79,7 @@
                     throw new AssertionError(e); // cannot happen
                 }
             }
-        });
+        }, CREATE_LOADER_ACC_CTXT);
     }
 
     // Note that the adapter class is created in the protection domain of the class/interface being
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/JavaAdapterFactory.java	Fri Aug 09 20:48:44 2013 +0530
@@ -31,9 +31,9 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -70,6 +70,11 @@
 
 @SuppressWarnings("javadoc")
 public final class JavaAdapterFactory {
+    // context with permissions needs for AdapterInfo creation
+    private static final AccessControlContext CREATE_ADAPTER_INFO_ACC_CTXT =
+        ClassAndLoader.createPermAccCtxt("createClassLoader", "getClassLoader",
+            "accessDeclaredMembers", "accessClassInPackage.jdk.nashorn.internal.runtime");
+
     /**
      * A mapping from an original Class object to AdapterInfo representing the adapter for the class it represents.
      */
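Review bot: The comment `// context with permissions needs for AdapterInfo creation` should read `needed for`. More usefully, this list is now the privilege ceiling for adapter class generation, and nothing says which step needs `accessClassInPackage.jdk.nashorn.internal.runtime` versus the loader and reflection permissions; a short comment per permission (or a pointer to the code that triggers each) would let a later reviewer trim the set safely rather than guess.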
@@ -124,17 +129,10 @@
      */
     public static MethodHandle getConstructor(final Class<?> sourceType, final Class<?> targetType) throws Exception {
         final StaticClass adapterClass = getAdapterClassFor(new Class<?>[] { targetType }, null);
-        return AccessController.doPrivileged(new PrivilegedExceptionAction<MethodHandle>() {
-            @Override
-            public MethodHandle run() throws Exception {
-                // NOTE: we use publicLookup(), but none of our adapter constructors are caller sensitive, so this is
-                // okay, we won't artificially limit access.
-                return  MH.bindTo(Bootstrap.getLinkerServices().getGuardedInvocation(new LinkRequestImpl(
-                        NashornCallSiteDescriptor.get(MethodHandles.publicLookup(),  "dyn:new",
-                                MethodType.methodType(targetType, StaticClass.class, sourceType), 0), false,
-                                adapterClass, null)).getInvocation(), adapterClass);
-            }
-        });
+        return MH.bindTo(Bootstrap.getLinkerServices().getGuardedInvocation(new LinkRequestImpl(
+                NashornCallSiteDescriptor.get(MethodHandles.publicLookup(),  "dyn:new",
+                        MethodType.methodType(targetType, StaticClass.class, sourceType), 0), false,
+                        adapterClass, null)).getInvocation(), adapterClass);
     }
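Review bot: Removing the privileged wrapper also dropped the explanatory comment about `MethodHandles.publicLookup()` ("none of our adapter constructors are caller sensitive, so this is okay, we won't artificially limit access"), which documented a security-relevant choice that still applies to the new code. Please restore it above the `MH.bindTo(...)` return. The method still declares `throws Exception`, previously required by PrivilegedExceptionAction; it is public API so leaving it is reasonable, but whether `getAdapterClassFor` still needs that breadth cannot be told from this hunk.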
 
     /**
@@ -171,7 +169,7 @@
         return (List)Collections.singletonList(clazz);
     }
 
-    /**
+   /**
      * For a given class, create its adapter class and associated info.
      * @param type the class for which the adapter is created
      * @return the adapter info for the class.
@@ -190,12 +188,19 @@
                 }
                 superClass = t;
             } else {
+                if (interfaces.size() > 65535) {
+                    throw new IllegalArgumentException("interface limit exceeded");
+                }
+
                 interfaces.add(t);
             }
+
             if(!Modifier.isPublic(mod)) {
                 return new AdapterInfo(AdaptationResult.Outcome.ERROR_NON_PUBLIC_CLASS, t.getCanonicalName());
             }
         }
+
+
         final Class<?> effectiveSuperClass = superClass == null ? Object.class : superClass;
         return AccessController.doPrivileged(new PrivilegedAction<AdapterInfo>() {
             @Override
@@ -206,7 +211,7 @@
                     return new AdapterInfo(e.getAdaptationResult());
                 }
             }
-        });
+        }, CREATE_ADAPTER_INFO_ACC_CTXT);
     }
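Review bot: The new guard `if (interfaces.size() > 65535)` runs before `interfaces.add(t)`, so when the list already holds 65535 entries the check passes and the add makes 65536; if the bound is the class-file `u2 interfaces_count`, the condition should be `>= 65535` (or the check moved after the add). The limit would also be clearer as a named constant, e.g. `MAX_INTERFACES = 65535`, with the exception message including the offending count. Separately, this section introduced two consecutive blank lines before `effectiveSuperClass` and the Javadoc opener a few lines above this hunk was shifted to a three-space indent; both look accidental.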
 
     private static class AdapterInfo {
--- a/nashorn/src/jdk/nashorn/internal/runtime/linker/ReflectionCheckLinker.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/linker/ReflectionCheckLinker.java	Fri Aug 09 20:48:44 2013 +0530
@@ -88,6 +88,6 @@
     }
 
     private static void checkReflectionPermission(final SecurityManager sm) {
-        sm.checkPermission(new RuntimePermission("nashorn.JavaReflection"));
+        sm.checkPermission(new RuntimePermission(Context.NASHORN_JAVA_REFLECTION));
     }
 }
--- a/nashorn/src/jdk/nashorn/internal/runtime/options/Options.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/internal/runtime/options/Options.java	Fri Aug 09 20:48:44 2013 +0530
@@ -26,8 +26,11 @@
 package jdk.nashorn.internal.runtime.options;
 
 import java.io.PrintWriter;
+import java.security.AccessControlContext;
 import java.security.AccessController;
+import java.security.Permissions;
 import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -39,6 +42,7 @@
 import java.util.Locale;
 import java.util.Map;
 import java.util.MissingResourceException;
+import java.util.PropertyPermission;
 import java.util.ResourceBundle;
 import java.util.StringTokenizer;
 import java.util.TimeZone;
@@ -51,6 +55,15 @@
  * Manages global runtime options.
  */
 public final class Options {
+    // permission to just read nashorn.* System properties
+    private static AccessControlContext createPropertyReadAccCtxt() {
+        final Permissions perms = new Permissions();
+        perms.add(new PropertyPermission("nashorn.*", "read"));
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    private static final AccessControlContext READ_PROPERTY_ACC_CTXT = createPropertyReadAccCtxt();
+
     /** Resource tag. */
     private final String resource;
 
@@ -144,7 +157,7 @@
                             return false;
                         }
                     }
-                });
+                }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -171,7 +184,7 @@
                             return defValue;
                         }
                     }
-                });
+                }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -198,7 +211,7 @@
                             return defValue;
                         }
                     }
-                });
+                }, READ_PROPERTY_ACC_CTXT);
     }
 
     /**
@@ -567,15 +580,7 @@
     private static String definePropPrefix;
 
     static {
-        // Without do privileged, under security manager messages can not be
-        // loaded.
-        Options.bundle = AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(Options.MESSAGES_RESOURCE, Locale.getDefault());
-            }
-        });
-
+        Options.bundle = ResourceBundle.getBundle(Options.MESSAGES_RESOURCE, Locale.getDefault());
         Options.validOptions = new TreeSet<>();
         Options.usage        = new HashMap<>();
 
--- a/nashorn/src/jdk/nashorn/tools/Shell.java	Thu Aug 08 11:20:14 2013 -0300
+++ b/nashorn/src/jdk/nashorn/tools/Shell.java	Fri Aug 09 20:48:44 2013 +0530
@@ -34,8 +34,6 @@
 import java.io.OutputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.util.List;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -68,18 +66,7 @@
     /**
      * Shell message bundle.
      */
-    private static ResourceBundle bundle;
-
-    static {
-        // Without do privileged, under security manager messages can not be
-        // loaded.
-        bundle = AccessController.doPrivileged(new PrivilegedAction<ResourceBundle>() {
-            @Override
-            public ResourceBundle run() {
-                return ResourceBundle.getBundle(MESSAGE_RESOURCE, Locale.getDefault());
-            }
-        });
-    }
+    private static final ResourceBundle bundle = ResourceBundle.getBundle(MESSAGE_RESOURCE, Locale.getDefault());
 
     /**
      * Exit code for command line tool - successful