8331671: Implement JEP 472: Prepare to Restrict the Use of JNI #19213
Conversation
|
👋 Welcome back mcimadamore! A progress list of the required criteria for merging this PR into |
|
❗ This change is not yet ready to be integrated. |
|
@mcimadamore The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
openjdk
bot
added
security
| jdk.accessibility \ | ||
| jdk.charsets \ | ||
| jdk.attach \ |
There was a problem hiding this comment.
The list of allowed modules has been rewritten from scratch, by looking at the set of modules containing at least one native method declaration.
There was a problem hiding this comment.
Should I understand this list to be the set of modules exempt from needing to specific that native access is allowed ?
ie they always have native access without any warnings, and further that any attempt to enable warnings, or to disable native access for these modules is ignored ?
There was a problem hiding this comment.
Yes, this was added via JDK-8327218. The changes in this PR are just trimming down the list to only the modules that have native code.
| Klass* klass = vmClasses::ClassLoader_klass(); | ||
| Handle name_arg = java_lang_String::create_from_str(jni_name, CHECK_NULL); | ||
| Handle jni_class(THREAD, method->method_holder()->java_mirror()); |
There was a problem hiding this comment.
This is the biggest change in this PR. That is, we need to pass enough arguments to ClassLoader::findNative so that the method can start a restricted check accordingly.
| if (!EnableNativeAccess.isNativeAccessEnabled(target)) { | ||
| if (ModuleBootstrap.hasEnableNativeAccessFlag()) { | ||
| ModuleBootstrap.IllegalNativeAccess illegalNativeAccess = ModuleBootstrap.illegalNativeAccess(); | ||
| if (illegalNativeAccess != ModuleBootstrap.IllegalNativeAccess.ALLOW && |
There was a problem hiding this comment.
There are some changes in this code:
- this code is no-op if
--illegal-native-accessis set toallow - we also attach the location of the problematic class to the warning message, using
CodeSource - we use the "initial error stream" to emit the warning, similarly to what is done for other runtime warnings
| ClassLoader.getSystemClassLoader().getUnnamedModule(); | ||
| class Holder { | ||
| static final JavaLangAccess JLA = SharedSecrets.getJavaLangAccess(); | ||
| if (VM.isModuleSystemInited()) { |
There was a problem hiding this comment.
If we call this code too early, we can see cases where module is null.
| @@ -58,7 +58,7 @@ public class FileManager { | |||
| loadOSXLibrary(); | |||
| } | |||
|
|
|||
| @SuppressWarnings("removal") | |||
| @SuppressWarnings({"removal", "restricted"}) | |||
There was a problem hiding this comment.
There are several of these changes. One option might have been to just disable restricted warnings when building. But on a deeper look, I realized that in all these places we already disabled deprecation warnings for the use of security manager, so I also added a new suppression instead.
| * questions. | ||
| */ | ||
|
|
||
| module panama_jni_load_module { |
There was a problem hiding this comment.
This module setup is a bit convoluted, but I wanted to make sure that we got separate warnings for System.loadLibrary and binding of the native method, and that warning on the use of the native method was not generated (typically, all three operations occur in the same module).
Webrevs
|
Use initial error stream
| Holder.JLA.ensureNativeAccess(module, owner, methodName, currentClass); | ||
| if (module != null) { | ||
| // not in init phase | ||
| Holder.JLA.ensureNativeAccess(module, owner, methodName, currentClass); |
There was a problem hiding this comment.
In an earlier iteration I had a call to VM::isModuleSystemInited, but I discovered that caused a performance regression, since that method involves a volatile access. Perhaps we should rethink that part of the init code to use stable fields, but it's probably better done separately.
|
Build changes look good. |
Improve warning for JNI methods, similar to what's described in JEP 472 Beef up tests
src/java.base/share/classes/jdk/internal/module/ModuleBootstrap.java
Outdated
Show resolved
Hide resolved
|
Hello Maurizio, in the current mainline, we have code in where |
The options are additive - e.g. the enable-native-access in the manifest will add up to the enable-native-access in the command line, so effectively it will be as if you were running with --enable-native-access=M1,M2,ALL-UNNAMED |
src/java.base/share/classes/java/lang/foreign/package-info.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Have you looked into / thought about how this will work for jpackaged apps ?
I suspect that both the existing FFM usage and this will be options the application packager will need to supply when building the jpackaged app - the end user cannot pass in command line VM options.
Seems there should be some testing of this as some kind of native access could be a common case for jpackaged apps.
| jdk.accessibility \ | ||
| jdk.charsets \ | ||
| jdk.attach \ |
There was a problem hiding this comment.
Should I understand this list to be the set of modules exempt from needing to specific that native access is allowed ?
ie they always have native access without any warnings, and further that any attempt to enable warnings, or to disable native access for these modules is ignored ?
| @@ -58,7 +58,7 @@ public class FileManager { | |||
| loadOSXLibrary(); | |||
| } | |||
|
|
|||
| @SuppressWarnings("removal") | |||
| @SuppressWarnings({"removal", "restricted"}) | |||
I don't see any tests in test/jdk/tools/jpackage that creates an application that uses JNI code. Seems like a good idea to add this via another PR and it specify --java-options so that the application launcher enables native access. It could test jpackage using jlink too. |
These are all good suggestions. I have not looked into jpackage, but yes, I would expect that the jpackage user would need to provide extra options when packaging the application. The same is true for creating JDK image jlink (which we use in the jextract build) - although, in that case the end user also has the possibility to pass options on the command line. |
|
|
It would be good to document how jpackage users packaging apps with native access will be affected by this change. Primarily that they need to pass |
There was a problem hiding this comment.
I tested this with JavaFX and everything is working as I would expect. Without any options, I get the expected warnings, one time per modules for the three javafx.* modules that use JNI. If I pass the --enable-native-access options at runtime, listing those three modules, there is no warning. Further, I confirm that if I pass that option to jlink or jpackage when creating a custom runtime, there is no warning.
Great! What about jpackage without a custom runtime, wondering if --java-options can be tested. |
Yes, pointing to an existing runtime works, too. In either mode (jpackage using an existing Java runtime vs running jlink to create a new one), the options specified by |
This PR implements JEP 472, by restricting the use of JNI in the following ways:
System::loadandSystem::loadLibraryare now restricted methodsRuntime::loadandRuntime::loadLibraryare now restricted methodsnativemethod declaration to a native implementation is now considered a restricted operationThis PR slightly changes the way in which the JDK deals with restricted methods, even for FFM API calls. In Java 22, the single
--enable-native-accesswas used both to specify a set of modules for which native access should be allowed and to specify whether illegal native access (that is, native access occurring from a module not specified by--enable-native-access) should be treated as an error or a warning. More specifically, an error is only issued if the--enable-native-access flagis used at least once.Here, a new flag is introduced, namely
illegal-native-access=allow/warn/deny, which is used to specify what should happen when access to a restricted method and/or functionality is found outside the set of modules specified with--enable-native-access. The default policy iswarn, but users can selectallowto suppress the warnings, ordenyto causeIllegalCallerExceptionto be thrown. This aligns the treatment of restricted methods with other mechanisms, such as--illegal-accessand the more recent--sun-misc-unsafe-memory-access.Some changes were required in the package-info javadoc for
java.lang.foreign, to reflect the changes in the command line flags described above.Progress
Issues
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/19213/head:pull/19213$ git checkout pull/19213Update a local copy of the PR:
$ git checkout pull/19213$ git pull https://git.openjdk.org/jdk.git pull/19213/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 19213View PR using the GUI difftool:
$ git pr show -t 19213Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/19213.diff
Webrev
Link to Webrev Comment