[GR-8891] Introduce permission for accessing native code.

PullRequest: graal/1189

sdk/src/org.graalvm.launcher/src/org/graalvm/launcher/AbstractLanguageLauncher.java

@@ -99,11 +99,7 @@ final void launch(List<String> args, Map<String, String> defaultOptions, boolean
         } else {
             builder = Context.newBuilder(getDefaultLanguages()).options(polyglotOptions);
         }
-        if (!isAOT()) {
-            builder.allowHostAccess(true);
-        }
-        builder.allowCreateThread(true);
-        builder.allowIO(true);
+        builder.allowAllAccess(true);
 
         launch(builder);
     }

sdk/src/org.graalvm.launcher/src/org/graalvm/launcher/PolyglotLauncher.java

@@ -169,11 +169,7 @@ private void launch(String[] args) {
             return;
         }
         Context.Builder contextBuilder = Context.newBuilder().options(options).in(System.in).out(System.out).err(System.err);
-        if (!isAOT()) {
-            contextBuilder.allowHostAccess(true);
-        }
-        contextBuilder.allowCreateThread(true);
-        contextBuilder.allowIO(true);
+        contextBuilder.allowAllAccess(true);
 
         if (version) {
             printVersion(Engine.newBuilder().options(options).build());

sdk/src/org.graalvm.polyglot/src/org/graalvm/polyglot/Context.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -672,6 +672,7 @@ public final class Builder {
         private Map<String, String[]> arguments;
         private Predicate<String> hostClassFilter;
         private Boolean allowHostAccess;
+        private Boolean allowNativeAccess;
         private Boolean allowCreateThread;
         private boolean allowAllAccess;
         private Boolean allowIO;
@@ -750,6 +751,16 @@ public Builder allowHostAccess(boolean enabled) {
             return this;
         }
 
+        /**
+         * Allows guest languages to access the native interface.
+         *
+         * @since 1.0
+         */
+        public Builder allowNativeAccess(boolean enabled) {
+            this.allowNativeAccess = enabled;
+            return this;
+        }
+
         /**
          * If <code>true</code> allows guest languages to create new threads. Default is
          * <code>false</code>. If {@link #allowAllAccess(boolean) all access} is set to
@@ -932,6 +943,9 @@ public Context build() {
             if (allowHostAccess == null) {
                 allowHostAccess = allowAllAccess;
             }
+            if (allowNativeAccess == null) {
+                allowNativeAccess = allowAllAccess;
+            }
             if (allowCreateThread == null) {
                 allowCreateThread = allowAllAccess;
             }
@@ -958,11 +972,11 @@ public Context build() {
                 }
                 engineBuilder.setBoundEngine(true);
                 engine = engineBuilder.build();
-                return engine.impl.createContext(null, null, null, allowHostAccess, allowCreateThread, allowIO,
+                return engine.impl.createContext(null, null, null, allowHostAccess, allowNativeAccess, allowCreateThread, allowIO,
                                 allowHostClassLoading,
                                 hostClassFilter, Collections.emptyMap(), arguments == null ? Collections.emptyMap() : arguments, onlyLanguages, customFileSystem);
             } else {
-                return engine.impl.createContext(out, err, in, allowHostAccess, allowCreateThread, allowIO,
+                return engine.impl.createContext(out, err, in, allowHostAccess, allowNativeAccess, allowCreateThread, allowIO,
                                 allowHostClassLoading,
                                 hostClassFilter, options == null ? Collections.emptyMap() : options, arguments == null ? Collections.emptyMap() : arguments, onlyLanguages, customFileSystem);
             }

sdk/src/org.graalvm.polyglot/src/org/graalvm/polyglot/impl/AbstractPolyglotImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -260,7 +260,7 @@ protected AbstractEngineImpl(AbstractPolyglotImpl impl) {
 
         public abstract OptionDescriptors getOptions();
 
-        public abstract Context createContext(OutputStream out, OutputStream err, InputStream in, boolean allowHostAccess,
+        public abstract Context createContext(OutputStream out, OutputStream err, InputStream in, boolean allowHostAccess, boolean allowNativeAccess,
                         boolean allowCreateThread, boolean allowHostIO, boolean allowHostClassLoading, Predicate<String> classFilter, Map<String, String> options, Map<String, String[]> arguments,
                         String[] onlyLanguages, FileSystem fileSystem);
 

substratevm/src/org.graalvm.polyglot.nativeapi/src/org/graalvm/polyglot/nativeapi/PolyglotNativeAPI.java

@@ -116,12 +116,14 @@ public static PolyglotStatus poly_create_engine(PolyglotIsolateThread thread, Po
     @CEntryPoint(name = "poly_create_context", documentation = {
                     "Creates a context within an polyglot engine.",
                     "Context holds all of the program data. Each context is by default isolated from all other contexts",
-                    "with respect to program data and evaluation semantics."
+                    "with respect to program data and evaluation semantics.",
+                    "Note: context allows access to all resources in embedded programs; ",
+                    "in the future this will be restricted and replaced with finer grained APIs."
     })
     public static PolyglotStatus poly_create_context(PolyglotIsolateThread thread, PolyglotEngine engine, PolyglotContextPointer context) {
         return withHandledErrors(() -> {
             Engine jEngine = ObjectHandles.getGlobal().get(engine);
-            Context c = Context.newBuilder().engine(jEngine).build();
+            Context c = Context.newBuilder().engine(jEngine).allowAllAccess(true).build();
             context.write(createHandle(c));
         });
     }

tools/src/com.oracle.truffle.tools.chromeinspector.test/src/com/oracle/truffle/tools/chromeinspector/test/InspectorTester.java

@@ -161,7 +161,7 @@ public void run() {
             try {
                 contextId = engine.getInstruments().get(InspectorTestInstrument.ID).lookup(Long.class);
                 inspect.setMessageListener(this);
-                context = Context.newBuilder().engine(engine).build();
+                context = Context.newBuilder().engine(engine).allowAllAccess(true).build();
                 initialized.release();
                 Source source = null;
                 CompletableFuture<Value> valueFuture = null;

truffle/CHANGELOG.md

@@ -19,6 +19,8 @@ This changelog summarizes major changes between Truffle versions relevant to lan
 * Added [Breakpoint.Kind](http://www.graalvm.org/truffle/javadoc/com/oracle/truffle/api/debug/Breakpoint.Kind.html) to distinguish different breakpoint kinds.
 * Added [ResultVerifier.getDefaultResultVerifier](http://www.graalvm.org/truffle/javadoc/org/graalvm/polyglot/tck/ResultVerifier.html#getDefaultResultVerifier--).
 * Added [addToHostClassPath](http://www.graalvm.org/truffle/javadoc/com/oracle/truffle/api/TruffleLanguage.Env.html#getPolyglotBindings--) method that can be used to allow guest language users to add to the host class path.
+* Added new permission TruffleLanguage.Env#isNativeAccessAllowed to control access to the Truffle NFI.
+* Changed default permissions in language launchers to full access. The embedding API still defaults to restricted access.
 
 ## Version 0.33
 

truffle/src/com.oracle.truffle.api.vm/src/com/oracle/truffle/api/vm/PolyglotContextImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -109,6 +109,7 @@ static final class SingleContextState {
     Predicate<String> classFilter;  // effectively final
     boolean hostAccessAllowed;      // effectively final
     boolean hostClassLoadingAllowed;      // effectively final
+    boolean nativeAccessAllowed;    // effectively final
     @CompilationFinal boolean createThreadAllowed;
 
     // map from class to language index
@@ -138,6 +139,7 @@ private PolyglotContextImpl() {
                     OutputStream err,
                     InputStream in,
                     boolean hostAccessAllowed,
+                    boolean nativeAccessAllowed,
                     boolean createThreadAllowed,
                     boolean hostClassLoadingAllowed,
                     Predicate<String> classFilter,
@@ -149,7 +151,7 @@ private PolyglotContextImpl() {
         this.parent = null;
         this.engine = engine;
         this.fileSystem = fileSystem;
-        patchInstance(out, err, in, hostAccessAllowed, createThreadAllowed, hostClassLoadingAllowed, classFilter, applicationArguments, allowedPublicLanguages);
+        patchInstance(out, err, in, hostAccessAllowed, nativeAccessAllowed, createThreadAllowed, hostClassLoadingAllowed, classFilter, applicationArguments, allowedPublicLanguages);
         Collection<PolyglotLanguage> languages = engine.idToLanguage.values();
         this.contexts = new PolyglotLanguageContext[languages.size() + 1];
         PolyglotLanguageContext hostContext = new PolyglotLanguageContext(this, engine.hostLanguage, null, applicationArguments.get(PolyglotEngineImpl.HOST_LANGUAGE_ID),
@@ -218,6 +220,7 @@ static void disposeStaticContext(PolyglotContextImpl context) {
         this.parent = creator.context;
         this.hostAccessAllowed = parent.hostAccessAllowed;
         this.hostClassLoadingAllowed = parent.hostClassLoadingAllowed;
+        this.nativeAccessAllowed = parent.nativeAccessAllowed;
         this.createThreadAllowed = parent.createThreadAllowed;
         this.applicationArguments = parent.applicationArguments;
         this.classFilter = parent.classFilter;
@@ -993,10 +996,11 @@ PolyglotThreadInfo getCurrentThreadInfo() {
     }
 
     boolean patch(OutputStream newOut, OutputStream newErr, InputStream newIn, boolean newHostAccessAllowed,
-                    boolean newCreateThreadAllowed, boolean newHostClassLoadingAllowed, Predicate<String> newClassFilter,
+                    boolean newNativeAccessAllowed, boolean newCreateThreadAllowed, boolean newHostClassLoadingAllowed, Predicate<String> newClassFilter,
                     Map<String, String> newOptions, Map<String, String[]> newApplicationArguments, Set<String> newAllowedPublicLanguages, FileSystem newFileSystem) {
         CompilerAsserts.neverPartOfCompilation();
-        patchInstance(newOut, newErr, newIn, newHostAccessAllowed, newCreateThreadAllowed, newHostClassLoadingAllowed, newClassFilter, newApplicationArguments, newAllowedPublicLanguages);
+        patchInstance(newOut, newErr, newIn, newHostAccessAllowed, newNativeAccessAllowed, newCreateThreadAllowed, newHostClassLoadingAllowed, newClassFilter, newApplicationArguments,
+                        newAllowedPublicLanguages);
         ((FileSystems.PreInitializeContextFileSystem) fileSystem).patchDelegate(newFileSystem);
         final Map<String, Map<String, String>> optionsByLanguage = new HashMap<>();
         for (String optionKey : newOptions.keySet()) {
@@ -1024,9 +1028,10 @@ boolean patch(OutputStream newOut, OutputStream newErr, InputStream newIn, boole
     }
 
     private void patchInstance(OutputStream newOut, OutputStream newErr, InputStream newIn, boolean newHostAccessAllowed,
-                    boolean newCreateThreadAllowed, boolean newHostClassLoadingAllowed, Predicate<String> newClassFilter,
+                    boolean newNativeAccessAllowed, boolean newCreateThreadAllowed, boolean newHostClassLoadingAllowed, Predicate<String> newClassFilter,
                     Map<String, String[]> newApplicationArguments, Set<String> newAllowedPublicLanguages) {
         this.hostAccessAllowed = newHostAccessAllowed;
+        this.nativeAccessAllowed = newNativeAccessAllowed;
         this.createThreadAllowed = newCreateThreadAllowed;
         this.hostClassLoadingAllowed = newHostClassLoadingAllowed;
         this.applicationArguments = newApplicationArguments;
@@ -1076,6 +1081,7 @@ static PolyglotContextImpl preInitialize(final PolyglotEngineImpl engine) {
                         false,
                         false,
                         false,
+                        false,
                         null,
                         Collections.emptyMap(),
                         Collections.emptyMap(),

truffle/src/com.oracle.truffle.api.vm/src/com/oracle/truffle/api/vm/PolyglotEngine.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1013,6 +1013,12 @@ public boolean isHostAccessAllowed(Object vmObject, Env env) {
             return false;
         }
 
+        @Override
+        public boolean isNativeAccessAllowed(Object vmObject, Env env) {
+            // now way to specify access rights with legacy PolyglotEngine
+            return true;
+        }
+
         @Override
         public Object lookupHostSymbol(Object vmObject, Env env, String symbolName) {
             return null;

truffle/src/com.oracle.truffle.api.vm/src/com/oracle/truffle/api/vm/PolyglotEngineImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -874,7 +874,7 @@ public String getImplementationName() {
     @Override
     @SuppressWarnings({"all"})
     public synchronized Context createContext(OutputStream out, OutputStream err, InputStream in, boolean allowHostAccess,
-                    boolean allowCreateThread, boolean allowHostIO, boolean allowHostClassLoading,
+                    boolean allowNativeAccess, boolean allowCreateThread, boolean allowHostIO, boolean allowHostClassLoading,
                     Predicate<String> classFilter, Map<String, String> options, Map<String, String[]> arguments, String[] onlyLanguages, FileSystem fileSystem) {
         checkState();
         if (boundEngine && preInitializedContext == null && !contexts.isEmpty()) {
@@ -899,7 +899,7 @@ public synchronized Context createContext(OutputStream out, OutputStream err, In
         if (contextImpl != null) {
             boolean patchResult;
             try {
-                patchResult = contextImpl.patch(out, err, in, allowHostAccess, allowCreateThread, allowHostClassLoading, classFilter, options, arguments, allowedLanguages, fs);
+                patchResult = contextImpl.patch(out, err, in, allowHostAccess, allowNativeAccess, allowCreateThread, allowHostClassLoading, classFilter, options, arguments, allowedLanguages, fs);
             } catch (RuntimeException re) {
                 contextImpl.closeImpl(false, false);
                 PolyglotContextImpl.disposeStaticContext(null);
@@ -912,7 +912,8 @@ public synchronized Context createContext(OutputStream out, OutputStream err, In
             }
         }
         if (contextImpl == null) {
-            contextImpl = new PolyglotContextImpl(this, out, err, in, allowHostAccess, allowCreateThread, allowHostClassLoading, classFilter, options, arguments, allowedLanguages, fs);
+            contextImpl = new PolyglotContextImpl(this, out, err, in, allowHostAccess, allowNativeAccess, allowCreateThread, allowHostClassLoading, classFilter, options, arguments, allowedLanguages,
+                            fs);
             addContext(contextImpl);
         }
         Context api = impl.getAPIAccess().newContext(contextImpl);

truffle/src/com.oracle.truffle.api.vm/src/com/oracle/truffle/api/vm/PolyglotImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -551,6 +551,12 @@ public boolean isHostAccessAllowed(Object vmObject, Env env) {
             return context.context.hostAccessAllowed;
         }
 
+        @Override
+        public boolean isNativeAccessAllowed(Object vmObject, Env env) {
+            PolyglotLanguageContext context = (PolyglotLanguageContext) vmObject;
+            return context.context.nativeAccessAllowed;
+        }
+
         @Override
         @TruffleBoundary
         public void exportSymbol(Object vmObject, String symbolName, Object value) {

truffle/src/com.oracle.truffle.api/src/com/oracle/truffle/api/TruffleLanguage.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1520,6 +1520,17 @@ public Throwable asHostException(Throwable exception) {
             return AccessAPI.engineAccess().asHostException(exception);
         }
 
+        /**
+         * Returns <code>true</code> if access to native code is generally allowed. If this method
+         * returns <code>false</code> then loading native libraries with the Truffle NFI will fail.
+         *
+         * @since 1.0
+         */
+        @TruffleBoundary
+        public boolean isNativeAccessAllowed() {
+            return AccessAPI.engineAccess().isNativeAccessAllowed(vmObject, this);
+        }
+
         /**
          * Allows it to be determined if this {@link org.graalvm.polyglot.Context} can execute code
          * written in a language with a given MIME type.

truffle/src/com.oracle.truffle.api/src/com/oracle/truffle/api/impl/Accessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -227,6 +227,8 @@ public final void detachOutputConsumer(DispatchOutputStream dos, OutputStream ou
 
         public abstract boolean isHostAccessAllowed(Object vmObject, Env env);
 
+        public abstract boolean isNativeAccessAllowed(Object vmObject, Env env);
+
         public abstract Object createInternalContext(Object vmObject, Map<String, Object> config, TruffleContext spiContext);
 
         public abstract void initializeInternalContext(Object vmObject, Object contextImpl);