changeset 14125:e09829e6680f

implement initial security model for Graal (JBS:GRAAL-22)
author Doug Simon <doug.simon@oracle.com>
date Mon, 10 Mar 2014 18:14:24 +0100
parents 7ad529321294
children 976f44f08fb3
files graal/com.oracle.graal.api.runtime/src/com/oracle/graal/api/runtime/Graal.java graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/HotSpotGraalRuntime.java graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/replacements/HotSpotReplacementsUtil.java
diffstat 3 files changed, 35 insertions(+), 0 deletions(-) [+]
--- a/graal/com.oracle.graal.api.runtime/src/com/oracle/graal/api/runtime/Graal.java	Mon Mar 10 16:26:10 2014 +0100
+++ b/graal/com.oracle.graal.api.runtime/src/com/oracle/graal/api/runtime/Graal.java	Mon Mar 10 18:14:24 2014 +0100
@@ -22,13 +22,26 @@
  */
 package com.oracle.graal.api.runtime;
 
+import java.lang.reflect.*;
+
+import sun.reflect.*;
+
 public class Graal {
 
     private static GraalRuntime runtime;
 
     private static native GraalRuntime initializeRuntime();
 
+    public static final java.security.Permission ACCESS_PERMISSION = new ReflectPermission("allowGraalAccess");
+
     public static GraalRuntime getRuntime() {
+        Class cc = Reflection.getCallerClass();
+        if (cc.getClassLoader() != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                sm.checkPermission(ACCESS_PERMISSION);
+            }
+        }
         return runtime;
     }
 
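Review bot: `ACCESS_PERMISSION` is declared as a `ReflectPermission`, so a policy entry granting `java.lang.reflect.ReflectPermission "*"` also grants `allowGraalAccess` through `BasicPermission` wildcard matching. An administrator granting reflection rights probably does not intend that. A dedicated permission type for Graal (a small `final` subclass of `BasicPermission`) would keep the grant explicit in policy files. The public constant also has no Javadoc; something like `/** Permission required of callers not defined by the boot class loader before they may obtain the Graal runtime. */` would state the contract that `getRuntime()` enforces.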
@@ -41,6 +54,13 @@
     }
 
     public static <T> T getRequiredCapability(Class<T> clazz) {
+        Class cc = Reflection.getCallerClass();
+        if (cc.getClassLoader() != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                sm.checkPermission(ACCESS_PERMISSION);
+            }
+        }
         T t = getRuntime().getCapability(clazz);
         if (t == null) {
             String javaHome = System.getProperty("java.home");
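Review bot: The caller check in `getRequiredCapability` dereferences `cc` without the `cc != null` guard that `HotSpotGraalRuntime.runtime()` uses in this same commit. It is also a verbatim copy of the block added to `getRuntime()` in the previous hunk, which has the same gap. A private helper that takes the caller class would keep both sites in `Graal` consistent; `Reflection.getCallerClass()` still has to be evaluated in the public method so that it sees the external caller. Declaring the parameter as `Class<?>` also removes the raw type. The body of `getRequiredCapability` continues outside the hunk.

```java
    public static <T> T getRequiredCapability(Class<T> clazz) {
        checkAccess(Reflection.getCallerClass());
        // … unchanged: capability lookup and error reporting …

    // Applies the Graal access check for the given immediate caller.
    // Callers defined by the boot loader (null class loader) are exempt.
    private static void checkAccess(Class<?> caller) {
        if (caller != null && caller.getClassLoader() != null) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(ACCESS_PERMISSION);
            }
        }
    }
```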
--- a/graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/HotSpotGraalRuntime.java	Mon Mar 10 16:26:10 2014 +0100
+++ b/graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/HotSpotGraalRuntime.java	Mon Mar 10 18:14:24 2014 +0100
@@ -30,6 +30,7 @@
 import java.util.*;
 
 import sun.misc.*;
+import sun.reflect.*;
 
 import com.oracle.graal.api.code.*;
 import com.oracle.graal.api.meta.*;
@@ -59,10 +60,21 @@
      * Gets the singleton {@link HotSpotGraalRuntime} object.
      */
     public static HotSpotGraalRuntime runtime() {
+        Class cc = Reflection.getCallerClass();
+        if (cc != null && cc.getClassLoader() != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                sm.checkPermission(Graal.ACCESS_PERMISSION);
+            }
+        }
         assert instance != null;
         return instance;
     }
 
+    static {
+        Reflection.registerFieldsToFilter(HotSpotGraalRuntime.class, new String[]{"instance"});
+    }
+
     /**
      * Do deferred initialization.
      */
--- a/graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/replacements/HotSpotReplacementsUtil.java	Mon Mar 10 16:26:10 2014 +0100
+++ b/graal/com.oracle.graal.hotspot/src/com/oracle/graal/hotspot/replacements/HotSpotReplacementsUtil.java	Mon Mar 10 18:14:24 2014 +0100
@@ -46,6 +46,9 @@
  */
 public class HotSpotReplacementsUtil {
 
+    // Must be @Fold as the security checks in HotSpotGraalRuntime.runtime()
+    // don't work well inside snippets
+    @Fold
     public static HotSpotVMConfig config() {
         return runtime().getConfig();
     }
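Review bot: `config()` is public and calls `runtime()` with `HotSpotReplacementsUtil` as the immediate caller, so if this class is defined by the boot loader the new check in `HotSpotGraalRuntime.runtime()` is skipped. In that case any caller of `config()` receives the `HotSpotVMConfig` without `allowGraalAccess` being consulted. Whether the config object is sensitive is not visible here; if it is, `config()` needs its own caller check or narrower visibility. The added comment is also vague about what "don't work well" means. It should name the actual failure (presumably that the caller-class lookup cannot be compiled into a snippet) so a later maintainer does not remove `@Fold` by mistake. The class continues outside the hunk.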