Proper getStackAccessControlContext implementation

Author: lazar-mitrovic

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java

@@ -28,9 +28,7 @@
 
 import java.net.URL;
 import java.security.AccessControlContext;
-import java.security.AccessControlException;
 import java.security.CodeSource;
-import java.security.DomainCombiner;
 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
@@ -41,6 +39,8 @@
 import java.security.ProtectionDomain;
 import java.security.Provider;
 import java.security.SecureRandom;
+import java.util.Deque;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -51,6 +51,7 @@
 import org.graalvm.word.Pointer;
 
 import com.oracle.svm.core.SubstrateOptions;
+import com.oracle.svm.core.SubstrateUtil;
 import com.oracle.svm.core.annotate.Alias;
 import com.oracle.svm.core.annotate.AutomaticFeature;
 import com.oracle.svm.core.annotate.Delete;
@@ -62,6 +63,7 @@
 import com.oracle.svm.core.annotate.TargetElement;
 import com.oracle.svm.core.log.Log;
 import com.oracle.svm.core.option.SubstrateOptionsParser;
+import com.oracle.svm.core.thread.Target_java_lang_Thread;
 import com.oracle.svm.core.util.VMError;
 import com.oracle.svm.util.ReflectionUtil;
 
@@ -80,102 +82,108 @@
 final class Target_java_security_AccessController {
 
     @Substitute
-    private static <T> T doPrivileged(PrivilegedAction<T> action) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    public static <T> T doPrivileged(PrivilegedAction<T> action) throws Throwable {
+        return AccessControllerUtil.executePrivileged(action, null, Target_jdk_internal_reflect_Reflection.getCallerClass());
     }
 
     @Substitute
-    private static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    public static <T> T doPrivileged(PrivilegedAction<T> action, AccessControlContext context) throws Throwable {
+        Class<?> caller = Target_jdk_internal_reflect_Reflection.getCallerClass();
+        AccessControlContext acc = AccessControllerUtil.checkContext(context, caller);
+        return AccessControllerUtil.executePrivileged(action, acc, caller);
     }
 
     @Substitute
-    private static <T> T doPrivileged(PrivilegedAction<T> action, AccessControlContext context) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    public static <T> T doPrivileged(PrivilegedExceptionAction<T> action) throws Throwable {
+        Class<?> caller = Target_jdk_internal_reflect_Reflection.getCallerClass();
+        return AccessControllerUtil.executePrivileged(action, null, caller);
     }
 
     @Substitute
-    private static <T> T doPrivileged(PrivilegedAction<T> action, AccessControlContext context, Permission... perms) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    static <T> T doPrivileged(PrivilegedExceptionAction<T> action, AccessControlContext context) throws Throwable {
+        Class<?> caller = Target_jdk_internal_reflect_Reflection.getCallerClass();
+        AccessControlContext acc = AccessControllerUtil.checkContext(context, caller);
+        return AccessControllerUtil.executePrivileged(action, acc, caller);
     }
 
     @Substitute
-    private static <T> T doPrivileged(PrivilegedExceptionAction<T> action) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    static AccessControlContext getStackAccessControlContext() {
+        return StackAccessControlContextVisitor.getFromStack();
     }
 
     @Substitute
-    private static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
-        }
+    static AccessControlContext getInheritedAccessControlContext() {
+        return SubstrateUtil.cast(Thread.currentThread(), Target_java_lang_Thread.class).inheritedAccessControlContext;
     }
 
-    @Substitute
-    private static <T> T doPrivilegedWithCombiner(PrivilegedExceptionAction<T> action, AccessControlContext context, Permission... perms) throws Throwable {
+}
+
+@InternalVMMethod
+class AccessControllerUtil {
+
+    static final AccessControlContext NO_CONTEXT_SINGLETON;
+    static final ThreadLocal<Deque<AccessControlContext>> accStack = ThreadLocal.withInitial(LinkedList::new);
+
+    static {
         try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
+            NO_CONTEXT_SINGLETON = ReflectionUtil.lookupConstructor(AccessControlContext.class, ProtectionDomain[].class, boolean.class).newInstance(new ProtectionDomain[0], true);
+        } catch (ReflectiveOperationException ex) {
+            throw VMError.shouldNotReachHere(ex);
         }
     }
 
-    @Substitute
-    private static <T> T doPrivileged(PrivilegedExceptionAction<T> action, AccessControlContext context) throws Throwable {
-        try {
-            return action.run();
-        } catch (Throwable ex) {
-            throw AccessControllerUtil.wrapCheckedException(ex);
+    /* From JDK15's AccessController */
+    static AccessControlContext checkContext(AccessControlContext context,
+                    Class<?> caller) {
+        // check if caller is authorized to create context
+        if (System.getSecurityManager() != null &&
+                        context != null && !SubstrateUtil.cast(context, Target_java_security_AccessControlContext.class).isAuthorized &&
+                        context != NO_CONTEXT_SINGLETON) {
+            ProtectionDomain callerPD = caller.getProtectionDomain();
+            if (callerPD != null && !callerPD.implies(SecurityConstants.CREATE_ACC_PERMISSION)) {
+                return NO_CONTEXT_SINGLETON;
+            }
         }
+        return context;
     }
 
-    @Substitute
-    private static void checkPermission(Permission perm) throws AccessControlException {
-    }
+    /* From JDK15's AccessController */
+    @SuppressWarnings("unused")
+    static <T> T executePrivileged(PrivilegedAction<T> action, AccessControlContext context, Class<?> caller) throws Throwable {
+        if (action == null) {
+            throw new NullPointerException("Null action");
+        }
 
-    @Substitute
-    private static AccessControlContext getContext() {
-        return AccessControllerUtil.NO_CONTEXT_SINGLETON;
-    }
+        accStack.get().push(context);
 
-    @Substitute
-    private static AccessControlContext createWrapper(DomainCombiner combiner, Class<?> caller, AccessControlContext parent, AccessControlContext context, Permission[] perms) {
-        return AccessControllerUtil.NO_CONTEXT_SINGLETON;
+        try {
+            return action.run();
+        } catch (Throwable ex) {
+            throw wrapCheckedException(ex);
+        } finally {
+            if (context != null) {
+                accStack.get().pop();
+            }
+        }
     }
-}
 
-@InternalVMMethod
-class AccessControllerUtil {
+    /* From JDK15's AccessController */
+    @SuppressWarnings("unused")
+    static <T> T executePrivileged(PrivilegedExceptionAction<T> action, AccessControlContext context, Class<?> caller) throws Throwable {
+        if (action == null) {
+            throw new NullPointerException("Null action");
+        }
 
-    static final AccessControlContext NO_CONTEXT_SINGLETON;
+        accStack.get().push(context);
 
-    static {
         try {
-            NO_CONTEXT_SINGLETON = ReflectionUtil.lookupConstructor(AccessControlContext.class, ProtectionDomain[].class, boolean.class).newInstance(new ProtectionDomain[0], true);
-        } catch (ReflectiveOperationException ex) {
-            throw VMError.shouldNotReachHere(ex);
+            return action.run();
+        } catch (Throwable ex) {
+            throw wrapCheckedException(ex);
+        } finally {
+            if (context != null) {
+                accStack.get().pop();
+            }
         }
     }
 
@@ -204,9 +212,14 @@ private static Object replaceAccessControlContext(Object obj) {
 }
 
 @TargetClass(java.security.AccessControlContext.class)
+@SuppressWarnings({"unused"})
 final class Target_java_security_AccessControlContext {
-
     @Alias protected boolean isPrivileged;
+    @Alias protected boolean isAuthorized;
+
+    @Alias
+    Target_java_security_AccessControlContext(ProtectionDomain[] context, AccessControlContext privilegedContext) {
+    }
 }
 
 @TargetClass(SecurityManager.class)

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/StackTraceUtils.java

@@ -24,6 +24,9 @@
  */
 package com.oracle.svm.core.jdk;
 
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.ProtectionDomain;
 import java.util.ArrayList;
 
 import com.oracle.svm.core.thread.JavaContinuations;
@@ -33,7 +36,10 @@
 import org.graalvm.word.Pointer;
 
 import com.oracle.svm.core.SubstrateOptions;
+import com.oracle.svm.core.SubstrateUtil;
+import com.oracle.svm.core.annotate.NeverInline;
 import com.oracle.svm.core.code.FrameInfoQueryResult;
+import com.oracle.svm.core.snippets.KnownIntrinsics;
 import com.oracle.svm.core.stack.JavaStackFrameVisitor;
 import com.oracle.svm.core.stack.JavaStackWalker;
 
@@ -274,3 +280,67 @@ public boolean visitFrame(final FrameInfoQueryResult frameInfo) {
         return true;
     }
 }
+
+/* Reimplementation of JVM_GetStackAccessControlContext from JDK15 */
+class StackAccessControlContextVisitor extends JavaStackFrameVisitor {
+    final ArrayList<ProtectionDomain> localArray;
+    boolean isPrivileged;
+    ProtectionDomain previousProtectionDomain;
+    AccessControlContext privilegedContext;
+
+    StackAccessControlContextVisitor() {
+        localArray = new ArrayList<>();
+        isPrivileged = false;
+        privilegedContext = null;
+    }
+
+    @Override
+    public boolean visitFrame(final FrameInfoQueryResult frameInfo) {
+        if (!StackTraceUtils.shouldShowFrame(frameInfo, true, false, false)) {
+            return true;
+        }
+
+        Class<?> clazz = frameInfo.getSourceClass();
+        String method = frameInfo.getSourceMethodName();
+
+        ProtectionDomain protectionDomain = clazz.getProtectionDomain();
+        if (clazz.equals(AccessController.class) && method.equals("doPrivileged")) {
+            isPrivileged = true;
+            privilegedContext = AccessControllerUtil.accStack.get().peek();
+        }
+
+        if ((previousProtectionDomain == null || !previousProtectionDomain.equals(protectionDomain)) && (protectionDomain != null)) {
+            localArray.add(protectionDomain);
+            previousProtectionDomain = protectionDomain;
+        }
+
+        FrameInfoQueryResult caller = frameInfo.getCaller();
+        if (clazz.equals(Thread.class) && method.equals("<init>") &&
+                        caller != null && caller.getSourceClass() != null && !caller.getSourceClass().equals(clazz)) {
+            return false; // Required since Thread.<init> resides in main thread.
+        }
+
+        return !isPrivileged;
+    }
+
+    @NeverInline("Starting a stack walk in the caller frame")
+    public static AccessControlContext getFromStack() {
+        StackAccessControlContextVisitor visitor = new StackAccessControlContextVisitor();
+        JavaStackWalker.walkCurrentThread(KnownIntrinsics.readCallerStackPointer(), visitor);
+        Target_java_security_AccessControlContext wrapper;
+
+        if (visitor.localArray.isEmpty()) {
+            if (visitor.isPrivileged && visitor.privilegedContext == null) {
+                return null;
+            }
+            wrapper = new Target_java_security_AccessControlContext(null, visitor.privilegedContext);
+            wrapper.isPrivileged = visitor.isPrivileged;
+        } else {
+            wrapper = new Target_java_security_AccessControlContext(visitor.localArray.toArray(new ProtectionDomain[0]), visitor.privilegedContext);
+            wrapper.isPrivileged = visitor.privilegedContext != null;
+        }
+
+        wrapper.isAuthorized = true;
+        return SubstrateUtil.cast(wrapper, AccessControlContext.class);
+    }
+}

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_jdk_internal_reflect_Reflection.java

@@ -36,7 +36,7 @@ public final class Target_jdk_internal_reflect_Reflection {
 
     @Substitute
     @NeverInline("Starting a stack walk in the caller frame")
-    private static Class<?> getCallerClass() {
+    static Class<?> getCallerClass() {
         return StackTraceUtils.getCallerClass(KnownIntrinsics.readCallerStackPointer(), true);
     }
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/JavaThreads.java

@@ -28,6 +28,8 @@
 import static com.oracle.svm.core.snippets.KnownIntrinsics.readCallerStackPointer;
 
 import java.lang.Thread.UncaughtExceptionHandler;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -636,7 +638,6 @@ public static void dispatchUncaughtException(Thread thread, Throwable throwable)
      * with these unsupported features removed:
      * <ul>
      * <li>No security manager: using the ContextClassLoader of the parent.</li>
-     * <li>Not implemented: inheritedAccessControlContext.</li>
      * <li>Not implemented: inheritableThreadLocals.</li>
      * </ul>
      */
@@ -645,7 +646,8 @@ static void initializeNewThread(
                     ThreadGroup groupArg,
                     Runnable target,
                     String name,
-                    long stackSize) {
+                    long stackSize,
+                    AccessControlContext acc) {
         if (name == null) {
             throw new NullPointerException("name cannot be null");
         }
@@ -671,6 +673,8 @@ static void initializeNewThread(
 
         tjlt.contextClassLoader = parent.getContextClassLoader();
 
+        tjlt.inheritedAccessControlContext = acc != null ? acc : AccessController.getContext();
+
         /* Set thread ID */
         tjlt.tid = Target_java_lang_Thread.nextThreadID();
     }

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/Target_java_lang_Thread.java

@@ -125,7 +125,7 @@ public final class Target_java_lang_Thread {
      * inherit a (more or less random) access control context.
      */
     @Alias @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
-    private AccessControlContext inheritedAccessControlContext;
+    public AccessControlContext inheritedAccessControlContext;
 
     @Alias @TargetElement(onlyWith = NotLoomJDK.class) //
     @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Custom, declClass = ThreadStatusRecomputation.class) //
@@ -250,7 +250,7 @@ private void init(ThreadGroup groupArg, Runnable targetArg, String nameArg, long
         this.unsafeParkEvent = new AtomicReference<>();
         this.sleepParkEvent = new AtomicReference<>();
         /* Initialize the rest of the Thread object. */
-        JavaThreads.initializeNewThread(this, groupArg, targetArg, nameArg, stackSizeArg);
+        JavaThreads.initializeNewThread(this, groupArg, targetArg, nameArg, stackSizeArg, null);
     }
 
     @Alias
@@ -272,8 +272,8 @@ private Target_java_lang_Thread(
         /* Injected Target_java_lang_Thread instance field initialization. */
         this.unsafeParkEvent = new AtomicReference<>();
         this.sleepParkEvent = new AtomicReference<>();
-        /* Initialize the rest of the Thread object, ignoring `acc` and `inheritThreadLocals`. */
-        JavaThreads.initializeNewThread(this, g, target, name, stackSize);
+        /* Initialize the rest of the Thread object, ignoring `inheritThreadLocals`. */
+        JavaThreads.initializeNewThread(this, g, target, name, stackSize, acc);
     }
 
     @Substitute
@@ -294,8 +294,8 @@ private Target_java_lang_Thread(
 
         checkCharacteristics(characteristics);
 
-        /* Initialize the rest of the Thread object, ignoring `acc` and `characteristics`. */
-        JavaThreads.initializeNewThread(this, g, target, name, stackSize);
+        /* Initialize the rest of the Thread object, ignoring `characteristics`. */
+        JavaThreads.initializeNewThread(this, g, target, name, stackSize, acc);
     }
 
     /**