1 /* 2 * Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.invoke.util; 27 28 import java.lang.reflect.Modifier; 29 import static java.lang.reflect.Modifier.*; 30 import sun.reflect.Reflection; 31 32 /** 33 * This class centralizes information about the JVM's linkage access control. 34 * @author jrose 35 */ 36 public class VerifyAccess { 37 VerifyAccess()38 private VerifyAccess() { } // cannot instantiate 39 40 private static final int PACKAGE_ONLY = 0; 41 private static final int PACKAGE_ALLOWED = java.lang.invoke.MethodHandles.Lookup.PACKAGE; 42 private static final int PROTECTED_OR_PACKAGE_ALLOWED = (PACKAGE_ALLOWED|PROTECTED); 43 private static final int ALL_ACCESS_MODES = (PUBLIC|PRIVATE|PROTECTED|PACKAGE_ONLY); 44 private static final boolean ALLOW_NESTMATE_ACCESS = false; 45 46 /** 47 * Evaluate the JVM linkage rules for access to the given method 48 * on behalf of a caller class which proposes to perform the access. 49 * Return true if the caller class has privileges to invoke a method 50 * or access a field with the given properties. 51 * This requires an accessibility check of the referencing class, 52 * plus an accessibility check of the member within the class, 53 * which depends on the member's modifier flags. 54 * <p> 55 * The relevant properties include the defining class ({@code defc}) 56 * of the member, and its modifier flags ({@code mods}). 57 * Also relevant is the class used to make the initial symbolic reference 58 * to the member ({@code refc}). If this latter class is not distinguished, 59 * the defining class should be passed for both arguments ({@code defc == refc}). 60 * <h3>JVM Specification, 5.4.4 "Access Control"</h3> 61 * A field or method R is accessible to a class or interface D if 62 * and only if any of the following conditions is true:<ul> 63 * <li>R is public. 64 * <li>R is protected and is declared in a class C, and D is either 65 * a subclass of C or C itself. Furthermore, if R is not 66 * static, then the symbolic reference to R must contain a 67 * symbolic reference to a class T, such that T is either a 68 * subclass of D, a superclass of D or D itself. 69 * <li>R is either protected or has default access (that is, 70 * neither public nor protected nor private), and is declared 71 * by a class in the same runtime package as D. 72 * <li>R is private and is declared in D. 73 * </ul> 74 * This discussion of access control omits a related restriction 75 * on the target of a protected field access or method invocation 76 * (the target must be of class D or a subtype of D). That 77 * requirement is checked as part of the verification process 78 * (5.4.1); it is not part of link-time access control. 79 * @param refc the class used in the symbolic reference to the proposed member 80 * @param defc the class in which the proposed member is actually defined 81 * @param mods modifier flags for the proposed member 82 * @param lookupClass the class for which the access check is being made 83 * @return true iff the the accessing class can access such a member 84 */ isMemberAccessible(Class<?> refc, Class<?> defc, int mods, Class<?> lookupClass, int allowedModes)85 public static boolean isMemberAccessible(Class<?> refc, // symbolic ref class 86 Class<?> defc, // actual def class 87 int mods, // actual member mods 88 Class<?> lookupClass, 89 int allowedModes) { 90 if (allowedModes == 0) return false; 91 assert((allowedModes & PUBLIC) != 0 && 92 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED)) == 0); 93 // The symbolic reference class (refc) must always be fully verified. 94 if (!isClassAccessible(refc, lookupClass, allowedModes)) { 95 return false; 96 } 97 // Usually refc and defc are the same, but verify defc also in case they differ. 98 if (defc == lookupClass && 99 (allowedModes & PRIVATE) != 0) 100 return true; // easy check; all self-access is OK 101 switch (mods & ALL_ACCESS_MODES) { 102 case PUBLIC: 103 return true; // already checked above 104 case PROTECTED: 105 assert !defc.isInterface(); // protected members aren't allowed in interfaces 106 if ((allowedModes & PROTECTED_OR_PACKAGE_ALLOWED) != 0 && 107 isSamePackage(defc, lookupClass)) 108 return true; 109 if ((allowedModes & PROTECTED) == 0) 110 return false; 111 // Protected members are accessible by subclasses, which does not include interfaces. 112 // Interfaces are types, not classes. They should not have access to 113 // protected members in j.l.Object, even though it is their superclass. 114 if ((mods & STATIC) != 0 && 115 !isRelatedClass(refc, lookupClass)) 116 return false; 117 if ((allowedModes & PROTECTED) != 0 && 118 isSubClass(lookupClass, defc)) 119 return true; 120 return false; 121 case PACKAGE_ONLY: // That is, zero. Unmarked member is package-only access. 122 assert !defc.isInterface(); // package-private members aren't allowed in interfaces 123 return ((allowedModes & PACKAGE_ALLOWED) != 0 && 124 isSamePackage(defc, lookupClass)); 125 case PRIVATE: 126 // Loosened rules for privates follows access rules for inner classes. 127 return (ALLOW_NESTMATE_ACCESS && 128 (allowedModes & PRIVATE) != 0 && 129 isSamePackageMember(defc, lookupClass)); 130 default: 131 throw new IllegalArgumentException("bad modifiers: "+Modifier.toString(mods)); 132 } 133 } 134 isRelatedClass(Class<?> refc, Class<?> lookupClass)135 static boolean isRelatedClass(Class<?> refc, Class<?> lookupClass) { 136 return (refc == lookupClass || 137 isSubClass(refc, lookupClass) || 138 isSubClass(lookupClass, refc)); 139 } 140 isSubClass(Class<?> lookupClass, Class<?> defc)141 static boolean isSubClass(Class<?> lookupClass, Class<?> defc) { 142 return defc.isAssignableFrom(lookupClass) && 143 !lookupClass.isInterface(); // interfaces are types, not classes. 144 } 145 146 // Android-removed: Use public API instead of getClassModifiers() to check if public. 147 /* 148 static int getClassModifiers(Class<?> c) { 149 // This would return the mask stored by javac for the source-level modifiers. 150 // return c.getModifiers(); 151 // But what we need for JVM access checks are the actual bits from the class header. 152 // ...But arrays and primitives are synthesized with their own odd flags: 153 if (c.isArray() || c.isPrimitive()) 154 return c.getModifiers(); 155 return Reflection.getClassAccessFlags(c); 156 } 157 */ 158 159 /** 160 * Evaluate the JVM linkage rules for access to the given class on behalf of caller. 161 * <h3>JVM Specification, 5.4.4 "Access Control"</h3> 162 * A class or interface C is accessible to a class or interface D 163 * if and only if either of the following conditions are true:<ul> 164 * <li>C is public. 165 * <li>C and D are members of the same runtime package. 166 * </ul> 167 * @param refc the symbolic reference class to which access is being checked (C) 168 * @param lookupClass the class performing the lookup (D) 169 */ isClassAccessible(Class<?> refc, Class<?> lookupClass, int allowedModes)170 public static boolean isClassAccessible(Class<?> refc, Class<?> lookupClass, 171 int allowedModes) { 172 if (allowedModes == 0) return false; 173 // Android-changed: Use public API instead of getClassModifiers() to check if public. 174 /* 175 assert((allowedModes & PUBLIC) != 0 && 176 (allowedModes & ~(ALL_ACCESS_MODES|PACKAGE_ALLOWED)) == 0); 177 int mods = getClassModifiers(refc); 178 if (isPublic(mods)) 179 */ 180 if (Modifier.isPublic(refc.getModifiers())) 181 return true; 182 if ((allowedModes & PACKAGE_ALLOWED) != 0 && 183 isSamePackage(lookupClass, refc)) 184 return true; 185 return false; 186 } 187 188 /** 189 * Decide if the given method type, attributed to a member or symbolic 190 * reference of a given reference class, is really visible to that class. 191 * @param type the supposed type of a member or symbolic reference of refc 192 * @param refc the class attempting to make the reference 193 */ isTypeVisible(Class<?> type, Class<?> refc)194 public static boolean isTypeVisible(Class<?> type, Class<?> refc) { 195 if (type == refc) return true; // easy check 196 while (type.isArray()) type = type.getComponentType(); 197 if (type.isPrimitive() || type == Object.class) return true; 198 ClassLoader parent = type.getClassLoader(); 199 if (parent == null) return true; 200 ClassLoader child = refc.getClassLoader(); 201 if (child == null) return false; 202 if (parent == child || loadersAreRelated(parent, child, true)) 203 return true; 204 // Do it the hard way: Look up the type name from the refc loader. 205 try { 206 Class<?> res = child.loadClass(type.getName()); 207 return (type == res); 208 } catch (ClassNotFoundException ex) { 209 return false; 210 } 211 } 212 213 /** 214 * Decide if the given method type, attributed to a member or symbolic 215 * reference of a given reference class, is really visible to that class. 216 * @param type the supposed type of a member or symbolic reference of refc 217 * @param refc the class attempting to make the reference 218 */ isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc)219 public static boolean isTypeVisible(java.lang.invoke.MethodType type, Class<?> refc) { 220 for (int n = -1, max = type.parameterCount(); n < max; n++) { 221 Class<?> ptype = (n < 0 ? type.returnType() : type.parameterType(n)); 222 if (!isTypeVisible(ptype, refc)) 223 return false; 224 } 225 return true; 226 } 227 228 /** 229 * Test if two classes have the same class loader and package qualifier. 230 * @param class1 a class 231 * @param class2 another class 232 * @return whether they are in the same package 233 */ isSamePackage(Class<?> class1, Class<?> class2)234 public static boolean isSamePackage(Class<?> class1, Class<?> class2) { 235 // Android-changed: Throw IAE (instead of asserting) if called with array classes. 236 // assert(!class1.isArray() && !class2.isArray()); 237 if (class1.isArray() || class2.isArray()) { 238 throw new IllegalArgumentException(); 239 } 240 241 if (class1 == class2) 242 return true; 243 if (class1.getClassLoader() != class2.getClassLoader()) 244 return false; 245 String name1 = class1.getName(), name2 = class2.getName(); 246 int dot = name1.lastIndexOf('.'); 247 if (dot != name2.lastIndexOf('.')) 248 return false; 249 for (int i = 0; i < dot; i++) { 250 if (name1.charAt(i) != name2.charAt(i)) 251 return false; 252 } 253 return true; 254 } 255 256 /** Return the package name for this class. 257 */ getPackageName(Class<?> cls)258 public static String getPackageName(Class<?> cls) { 259 assert(!cls.isArray()); 260 String name = cls.getName(); 261 int dot = name.lastIndexOf('.'); 262 if (dot < 0) return ""; 263 return name.substring(0, dot); 264 } 265 266 /** 267 * Test if two classes are defined as part of the same package member (top-level class). 268 * If this is true, they can share private access with each other. 269 * @param class1 a class 270 * @param class2 another class 271 * @return whether they are identical or nested together 272 */ isSamePackageMember(Class<?> class1, Class<?> class2)273 public static boolean isSamePackageMember(Class<?> class1, Class<?> class2) { 274 if (class1 == class2) 275 return true; 276 if (!isSamePackage(class1, class2)) 277 return false; 278 if (getOutermostEnclosingClass(class1) != getOutermostEnclosingClass(class2)) 279 return false; 280 return true; 281 } 282 getOutermostEnclosingClass(Class<?> c)283 private static Class<?> getOutermostEnclosingClass(Class<?> c) { 284 Class<?> pkgmem = c; 285 for (Class<?> enc = c; (enc = enc.getEnclosingClass()) != null; ) 286 pkgmem = enc; 287 return pkgmem; 288 } 289 loadersAreRelated(ClassLoader loader1, ClassLoader loader2, boolean loader1MustBeParent)290 private static boolean loadersAreRelated(ClassLoader loader1, ClassLoader loader2, 291 boolean loader1MustBeParent) { 292 if (loader1 == loader2 || loader1 == null 293 || (loader2 == null && !loader1MustBeParent)) { 294 return true; 295 } 296 for (ClassLoader scan2 = loader2; 297 scan2 != null; scan2 = scan2.getParent()) { 298 if (scan2 == loader1) return true; 299 } 300 if (loader1MustBeParent) return false; 301 // see if loader2 is a parent of loader1: 302 for (ClassLoader scan1 = loader1; 303 scan1 != null; scan1 = scan1.getParent()) { 304 if (scan1 == loader2) return true; 305 } 306 return false; 307 } 308 309 /** 310 * Is the class loader of parentClass identical to, or an ancestor of, 311 * the class loader of childClass? 312 * @param parentClass a class 313 * @param childClass another class, which may be a descendent of the first class 314 * @return whether parentClass precedes or equals childClass in class loader order 315 */ classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass)316 public static boolean classLoaderIsAncestor(Class<?> parentClass, Class<?> childClass) { 317 return loadersAreRelated(parentClass.getClassLoader(), childClass.getClassLoader(), true); 318 } 319 } 320