8338411: Implement JEP 486: Permanently Disable the Security Manager

make/modules/java.base/Copy.gmk

@@ -123,46 +123,6 @@ TARGETS += $(JVMCFG)
 
 ################################################################################
 
-POLICY_SRC := $(TOPDIR)/src/java.base/share/conf/security/java.policy
-POLICY_DST := $(CONF_DST_DIR)/security/java.policy
-
-POLICY_SRC_LIST := $(POLICY_SRC)
-
-$(POLICY_DST): $(POLICY_SRC_LIST)
-	$(call MakeTargetDir)
-	$(RM) $@ [email protected]
-	$(foreach f, $(POLICY_SRC_LIST), $(CAT) $(f) >> [email protected];)
-	$(MV) [email protected] $@
-
-TARGETS += $(POLICY_DST)
-
-################################################################################
-
-DEF_POLICY_SRC := $(TOPDIR)/src/java.base/share/lib/security/default.policy
-DEF_POLICY_DST := $(LIB_DST_DIR)/security/default.policy
-
-DEF_POLICY_SRC_LIST := $(DEF_POLICY_SRC)
-DEF_POLICY_SRC_LIST += $(CUSTOM_POLICY_SRC_LIST)
-
-ifeq ($(call isTargetOs, windows), true)
-  DEF_POLICY_SRC_LIST += $(TOPDIR)/src/java.base/$(OPENJDK_TARGET_OS)/lib/security/default.policy
-endif
-
-# Allow imported modules to modify the java.policy
-ifneq ($(IMPORT_MODULES_CONF), )
-  DEF_POLICY_SRC_LIST += $(wildcard $(IMPORT_MODULES_CONF)/java.base/security/java.policy.extra)
-endif
-
-$(DEF_POLICY_DST): $(DEF_POLICY_SRC_LIST)
-	$(call MakeTargetDir)
-	$(RM) $@ [email protected]
-	$(foreach f, $(DEF_POLICY_SRC_LIST), $(CAT) $(f) >> [email protected];)
-	$(MV) [email protected] $@
-
-TARGETS += $(DEF_POLICY_DST)
-
-################################################################################
-
 # CACERTS_FILE is optionally set in configure to override the default cacerts
 # which is otherwise generated in Gendata-java.base.gmk
 CACERTS_DST := $(LIB_DST_DIR)/security/cacerts

make/modules/java.rmi/Launcher.gmk

@@ -31,5 +31,4 @@ include LauncherCommon.gmk
 
 $(eval $(call SetupBuildLauncher, rmiregistry, \
     MAIN_CLASS := sun.rmi.registry.RegistryImpl, \
-    JAVA_ARGS := -Djava.security.manager=allow, \
 ))

src/hotspot/share/classfile/dictionary.cpp

@@ -347,68 +347,6 @@ void Dictionary::check_package_access(InstanceKlass* klass,
 
   assert(class_loader() != nullptr, "Should not call this");
   assert(protection_domain() != nullptr, "Should not call this");
-
-  if (!java_lang_System::allow_security_manager()) {
-    // No need for any further checking. Package access always allowed.
-    return;
-  }
-
-  if (is_in_package_access_cache(THREAD, klass->name(), protection_domain)) {
-    // No need to check again.
-    return;
-  }
-
-  // We only have to call checkPackageAccess if there's a security manager installed.
-  if (java_lang_System::has_security_manager()) {
-
-    // This handle and the class_loader handle passed in keeps this class from
-    // being unloaded through several GC points.
-    // The class_loader handle passed in is the initiating loader.
-    Handle mirror(THREAD, klass->java_mirror());
-
-    // Now we have to call back to java to check if the initating class has access
-    InstanceKlass* system_loader = vmClasses::ClassLoader_klass();
-    JavaValue result(T_VOID);
-    JavaCalls::call_special(&result,
-                           class_loader,
-                           system_loader,
-                           vmSymbols::checkPackageAccess_name(),
-                           vmSymbols::class_protectiondomain_signature(),
-                           mirror,
-                           protection_domain,
-                           THREAD);
-
-    LogTarget(Debug, protectiondomain) lt;
-    if (lt.is_enabled()) {
-      ResourceMark rm(THREAD);
-      // Print out trace information
-      LogStream ls(lt);
-      ls.print_cr("Checking package access");
-      ls.print("class loader: ");
-      class_loader()->print_value_on(&ls);
-      ls.print(" protection domain: ");
-      protection_domain()->print_value_on(&ls);
-      ls.print(" loading: "); klass->print_value_on(&ls);
-      if (HAS_PENDING_EXCEPTION) {
-        ls.print_cr(" DENIED !!!!!!!!!!!!!!!!!!!!!");
-      } else {
-        ls.print_cr(" granted");
-      }
-    }
-
-    if (HAS_PENDING_EXCEPTION) return;
-  }
-
-  // If no exception has been thrown, we have checked that the protection_domain can access
-  // this klass. Always add it to the cache (even if no SecurityManager is installed yet).
-  //
-  // This ensures that subsequent calls to Dictionary::find(THREAD, klass->name(), protection_domain)
-  // will always succeed. I.e., a new SecurityManager installed in the future cannot retroactively
-  // revoke the granted access.
-  {
-    MutexLocker mu(THREAD, SystemDictionary_lock);
-    add_to_package_access_cache(THREAD, klass, protection_domain);
-  }
 }
 
 // During class loading we may have cached a protection domain that has

src/hotspot/share/classfile/javaClasses.cpp

@@ -1599,7 +1599,6 @@ oop java_lang_Thread_Constants::get_VTHREAD_GROUP() {
 int java_lang_Thread::_holder_offset;
 int java_lang_Thread::_name_offset;
 int java_lang_Thread::_contextClassLoader_offset;
-int java_lang_Thread::_inheritedAccessControlContext_offset;
 int java_lang_Thread::_eetop_offset;
 int java_lang_Thread::_jvmti_thread_state_offset;
 int java_lang_Thread::_jvmti_VTMS_transition_disable_count_offset;
@@ -1616,7 +1615,6 @@ JFR_ONLY(int java_lang_Thread::_jfr_epoch_offset;)
   macro(_holder_offset,        k, "holder", thread_fieldholder_signature, false); \
   macro(_name_offset,          k, vmSymbols::name_name(), string_signature, false); \
   macro(_contextClassLoader_offset, k, vmSymbols::contextClassLoader_name(), classloader_signature, false); \
-  macro(_inheritedAccessControlContext_offset, k, vmSymbols::inheritedAccessControlContext_name(), accesscontrolcontext_signature, false); \
   macro(_eetop_offset,         k, "eetop", long_signature, false); \
   macro(_interrupted_offset,   k, "interrupted", bool_signature, false); \
   macro(_interruptLock_offset, k, "interruptLock", object_signature, false); \
@@ -1793,10 +1791,6 @@ oop java_lang_Thread::context_class_loader(oop java_thread) {
   return java_thread->obj_field(_contextClassLoader_offset);
 }
 
-oop java_lang_Thread::inherited_access_control_context(oop java_thread) {
-  return java_thread->obj_field(_inheritedAccessControlContext_offset);
-}
-
 
 jlong java_lang_Thread::stackSize(oop java_thread) {
   GET_FIELDHOLDER_FIELD(java_thread, stackSize, 0);
@@ -4782,17 +4776,11 @@ oop java_lang_ClassLoader::unnamedModule(oop loader) {
 int java_lang_System::_static_in_offset;
 int java_lang_System::_static_out_offset;
 int java_lang_System::_static_err_offset;
-int java_lang_System::_static_security_offset;
-int java_lang_System::_static_allow_security_offset;
-int java_lang_System::_static_never_offset;
 
 #define SYSTEM_FIELDS_DO(macro) \
   macro(_static_in_offset,  k, "in",  input_stream_signature, true); \
   macro(_static_out_offset, k, "out", print_stream_signature, true); \
-  macro(_static_err_offset, k, "err", print_stream_signature, true); \
-  macro(_static_security_offset, k, "security", security_manager_signature, true); \
-  macro(_static_allow_security_offset, k, "allowSecurityManager", int_signature, true); \
-  macro(_static_never_offset, k, "NEVER", int_signature, true)
+  macro(_static_err_offset, k, "err", print_stream_signature, true);
 
 void java_lang_System::compute_offsets() {
   InstanceKlass* k = vmClasses::System_klass();
@@ -4802,21 +4790,12 @@ void java_lang_System::compute_offsets() {
 // This field tells us that a security manager can never be installed so we
 // can completely skip populating the ProtectionDomainCacheTable.
 bool java_lang_System::allow_security_manager() {
-  static int initialized = false;
-  static bool allowed = true; // default
-  if (!initialized) {
-    oop base = vmClasses::System_klass()->static_field_base_raw();
-    int never = base->int_field(_static_never_offset);
-    allowed = (base->int_field(_static_allow_security_offset) != never);
-    initialized = true;
-  }
-  return allowed;
+  return false;
 }
 
 // This field tells us that a security manager is installed.
 bool java_lang_System::has_security_manager() {
-  oop base = vmClasses::System_klass()->static_field_base_raw();
-  return base->obj_field(_static_security_offset) != nullptr;
+  return false;
 }
 
 #if INCLUDE_CDS

src/hotspot/share/classfile/javaClasses.hpp

@@ -358,7 +358,6 @@ class java_lang_Thread : AllStatic {
   static int _holder_offset;
   static int _name_offset;
   static int _contextClassLoader_offset;
-  static int _inheritedAccessControlContext_offset;
   static int _eetop_offset;
   static int _jvmti_thread_state_offset;
   static int _jvmti_VTMS_transition_disable_count_offset;
@@ -405,8 +404,6 @@ class java_lang_Thread : AllStatic {
   static void set_daemon(oop java_thread);
   // Context ClassLoader
   static oop context_class_loader(oop java_thread);
-  // Control context
-  static oop inherited_access_control_context(oop java_thread);
   // Stack size hint
   static jlong stackSize(oop java_thread);
   // Thread ID

src/hotspot/share/classfile/vmSymbols.hpp

@@ -439,10 +439,8 @@ class SerializeClosure;
   template(getProperty_name,                          "getProperty")                              \
   template(context_name,                              "context")                                  \
   template(contextClassLoader_name,                   "contextClassLoader")                       \
-  template(inheritedAccessControlContext_name,        "inheritedAccessControlContext")            \
   template(getClassContext_name,                      "getClassContext")                          \
   template(wait_name,                                 "wait0")                                    \
-  template(checkPackageAccess_name,                   "checkPackageAccess")                       \
   template(forName_name,                              "forName")                                  \
   template(forName0_name,                             "forName0")                                 \
   template(isJavaIdentifierStart_name,                "isJavaIdentifierStart")                    \

src/hotspot/share/include/jvm.h

@@ -723,13 +723,6 @@ JNIEXPORT jbyte JNICALL JVM_ConstantPoolGetTagAt
 JNIEXPORT jobjectArray JNICALL
 JVM_GetMethodParameters(JNIEnv *env, jobject method);
 
-/*
- * java.security.*
- */
-
-JNIEXPORT jobject JNICALL
-JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls);
-
 /*
  * Ensure that code doing a stackwalk and using javaVFrame::locals() to
  * get the value will see a materialized value and not a scalar-replaced
@@ -741,9 +734,6 @@ JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls);
 JNIEXPORT void JNICALL
 JVM_EnsureMaterializedForStackWalk_func(JNIEnv* env, jobject vthread, jobject value);
 
-JNIEXPORT jobject JNICALL
-JVM_GetStackAccessControlContext(JNIEnv *env, jclass cls);
-
 /*
  * Signal support, used to implement the shutdown sequence.  Every VM must
  * support JVM_SIGINT and JVM_SIGTERM, raising the former for user interrupts

src/hotspot/share/prims/jvm.cpp

@@ -1269,87 +1269,6 @@ JVM_ENTRY(jobject, JVM_GetProtectionDomain(JNIEnv *env, jclass cls))
 JVM_END
 
 
-// Returns the inherited_access_control_context field of the running thread.
-JVM_ENTRY(jobject, JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls))
-  oop result = java_lang_Thread::inherited_access_control_context(thread->threadObj());
-  return JNIHandles::make_local(THREAD, result);
-JVM_END
-
-JVM_ENTRY(jobject, JVM_GetStackAccessControlContext(JNIEnv *env, jclass cls))
-  if (!UsePrivilegedStack) return nullptr;
-
-  ResourceMark rm(THREAD);
-  GrowableArray<Handle>* local_array = new GrowableArray<Handle>(12);
-  JvmtiVMObjectAllocEventCollector oam;
-
-  // count the protection domains on the execution stack. We collapse
-  // duplicate consecutive protection domains into a single one, as
-  // well as stopping when we hit a privileged frame.
-
-  oop previous_protection_domain = nullptr;
-  Handle privileged_context(thread, nullptr);
-  bool is_privileged = false;
-  oop protection_domain = nullptr;
-
-  // Iterate through Java frames
-  vframeStream vfst(thread);
-  for(; !vfst.at_end(); vfst.next()) {
-    // get method of frame
-    Method* method = vfst.method();
-
-    // stop at the first privileged frame
-    if (method->method_holder() == vmClasses::AccessController_klass() &&
-      method->name() == vmSymbols::executePrivileged_name())
-    {
-      // this frame is privileged
-      is_privileged = true;
-
-      javaVFrame *priv = vfst.asJavaVFrame();       // executePrivileged
-
-      StackValueCollection* locals = priv->locals();
-      StackValue* ctx_sv = locals->at(1); // AccessControlContext context
-      StackValue* clr_sv = locals->at(2); // Class<?> caller
-      assert(!ctx_sv->obj_is_scalar_replaced(), "found scalar-replaced object");
-      assert(!clr_sv->obj_is_scalar_replaced(), "found scalar-replaced object");
-      privileged_context    = ctx_sv->get_obj();
-      Handle caller         = clr_sv->get_obj();
-
-      Klass *caller_klass = java_lang_Class::as_Klass(caller());
-      protection_domain  = caller_klass->protection_domain();
-    } else {
-      protection_domain = method->method_holder()->protection_domain();
-    }
-
-    if ((previous_protection_domain != protection_domain) && (protection_domain != nullptr)) {
-      local_array->push(Handle(thread, protection_domain));
-      previous_protection_domain = protection_domain;
-    }
-
-    if (is_privileged) break;
-  }
-
-
-  // either all the domains on the stack were system domains, or
-  // we had a privileged system domain
-  if (local_array->is_empty()) {
-    if (is_privileged && privileged_context.is_null()) return nullptr;
-
-    oop result = java_security_AccessControlContext::create(objArrayHandle(), is_privileged, privileged_context, CHECK_NULL);
-    return JNIHandles::make_local(THREAD, result);
-  }
-
-  objArrayOop context = oopFactory::new_objArray(vmClasses::ProtectionDomain_klass(),
-                                                 local_array->length(), CHECK_NULL);
-  objArrayHandle h_context(thread, context);
-  for (int index = 0; index < local_array->length(); index++) {
-    h_context->obj_at_put(index, local_array->at(index)());
-  }
-
-  oop result = java_security_AccessControlContext::create(h_context, is_privileged, privileged_context, CHECK_NULL);
-
-  return JNIHandles::make_local(THREAD, result);
-JVM_END
-
 class ScopedValueBindingsResolver {
 public:
   InstanceKlass* Carrier_klass;

src/hotspot/share/runtime/globals.hpp

@@ -681,9 +681,6 @@ const int ObjectAlignmentInBytes = 8;
   develop(bool, PrintCodeCacheExtension, false,                             \
           "Print extension of code cache")                                  \
                                                                             \
-  develop(bool, UsePrivilegedStack, true,                                   \
-          "Enable the security JVM functions")                              \
-                                                                            \
   product(bool, ClassUnloading, true,                                       \
           "Do unloading of classes")                                        \
                                                                             \