>From e0ac0616c7afbc5009b560c0d8d67303543cb731 Mon Sep 17 00:00:00 2001 From: Gwenael Casaccio Date: Mon, 7 Jan 2013 16:10:31 +0100 Subject: [PATCH 1/2] remove security framework --- kernel/Behavior.st | 10 -- kernel/BindingDict.st | 3 +- kernel/Class.st | 18 +- kernel/ContextPart.st | 90 ---------- kernel/Metaclass.st | 5 - kernel/Object.st | 16 -- kernel/SysExcept.st | 45 ----- libgst/Makefile.am | 6 +- libgst/comp.c | 13 -- libgst/dict.c | 7 +- libgst/dict.h | 1 - libgst/files.c | 1 - libgst/gst-parse.c | 10 +- libgst/gstpriv.h | 26 --- libgst/interp.c | 18 -- libgst/opt.c | 20 +-- libgst/prims.def | 35 ---- libgst/security.c | 303 ---------------------------------- libgst/security.h | 79 --------- libgst/sym.c | 29 +--- packages.xml | 1 - packages/stinst/parser/STSymTable.st | 7 +- tests/Makefile.am | 2 +- tests/testsuite.at | 1 - 24 files changed, 18 insertions(+), 728 deletions(-) delete mode 100644 libgst/security.c delete mode 100644 libgst/security.h diff --git a/kernel/Behavior.st b/kernel/Behavior.st index 90a5441..415e62c 100644 --- a/kernel/Behavior.st +++ b/kernel/Behavior.st @@ -1292,16 +1292,6 @@ method dictionary, and iterating over the class hierarchy.'> ^'' ] - securityPolicy [ - - ^self asClass securityPolicy - ] - - securityPolicy: aSecurityPolicy [ - - self shouldNotImplement - ] - printOn: aStream in: aNamespace [ "Answer the class name when the class is referenced from aNamespace - a dummy one, since Behavior does not support names." diff --git a/kernel/BindingDict.st b/kernel/BindingDict.st index bbc2da9..cda7a92 100644 --- a/kernel/BindingDict.st +++ b/kernel/BindingDict.st @@ -264,8 +264,7 @@ more speed.'> [assoc := VariableBinding key: assoc key value: assoc value - environment: self]. - assoc makeUntrusted: environment isUntrusted]. + environment: self]]. ^super primAt: index put: assoc ] diff --git a/kernel/Class.st b/kernel/Class.st index 18918e2..b2819c2 100644 --- a/kernel/Class.st +++ b/kernel/Class.st @@ -33,7 +33,7 @@ ClassDescription subclass: Class [ - | name comment category environment classVariables sharedPools securityPolicy pragmaHandlers | + | name comment category environment classVariables sharedPools pragmaHandlers | aStream nextPutAll: (self nameIn: Smalltalk) ] - securityPolicy [ - - ^securityPolicy - ] - - securityPolicy: aSecurityPolicy [ - - securityPolicy := aSecurityPolicy withOwner: self - ] - - check: aPermission [ - - self securityPolicy isNil ifTrue: [^self isUntrusted not]. - ^self securityPolicy check: aPermission - ] - registerHandler: aBlock forPragma: pragma [ "While compiling methods, on every encounter of the pragma with the given name, call aBlock with the CompiledMethod and diff --git a/kernel/ContextPart.st b/kernel/ContextPart.st index 9f69d60..e57cec3 100644 --- a/kernel/ContextPart.st +++ b/kernel/ContextPart.st @@ -465,96 +465,6 @@ methods that can be used in inspection or debugging.'> ctx := ctx parentContext] ] - securityCheckForName: name [ - - self isUntrusted ifFalse: [^self]. - ^self - doSecurityCheckForName: name - actions: #() - target: nil - ] - - securityCheckForName: name action: action [ - - self isUntrusted ifFalse: [^self]. - ^self - doSecurityCheckForName: name - actions: {action} - target: nil - ] - - securityCheckForName: name target: target [ - - self isUntrusted ifFalse: [^self]. - ^self - doSecurityCheckForName: name - actions: #() - target: target - ] - - securityCheckForName: name actions: actions target: target [ - - self isUntrusted ifFalse: [^self]. - ^self - doSecurityCheckForName: name - actions: actions - target: target - ] - - doSecurityCheckForName: name actions: actions target: target [ - - | perm ctx | - perm := (Permission new) - name: name actions: actions; - target: target. - (self checkSecurityFor: perm) ifFalse: [(SecurityError for: perm) signal] - ] - - checkSecurityFor: perm [ - - "First of all, check against the static permissions for this - context." - - | state foundAnnotation | - (self receiver class check: perm) ifFalse: [^false]. - - "Then, check the dynamic permissions. So: - 1) check if a method was specifically denying access, - 2) look for a deeper context whose static permissions - denies access, but stop if a method is specifically - granting access." - self method isAnnotated - ifTrue: - [foundAnnotation := false. - self method attributesDo: - [:each | - | newPerm | - each selector = #permission: - ifTrue: - [newPerm := each arguments at: 1. - (newPerm implies: perm) - ifTrue: - ["Should we check if the granted permission is statically - available? Of course, you can only grant permissions if you - own them statically, so the real question is, should we - check perm or newPerm? The answer is perm (which has - already been found to be available), hence we can skip - an expensive static permission check. Suppose we have a - method that grants access to all files: it makes more sense - if it means ``grant access to all files allowed by the class - security policy'', rather than ``grant access to all files if - the security policy allows it, else do not grant access to - any file''." - - foundAnnotation := true. - state := newPerm isAllowing]]]. - foundAnnotation ifTrue: [^state]]. - - "Nope, no special regulations were found in this method. Look in the - parent context, and grant permission if the bottom is reached." - ^self parentContext isNil or: [self parentContext checkSecurityFor: perm] - ] - continue: anObject [ "Resume execution from the receiver, faking that the context on top of it in the execution chain has returned anObject. The diff --git a/kernel/Metaclass.st b/kernel/Metaclass.st index 7f601d9..7d8fcf9 100644 --- a/kernel/Metaclass.st +++ b/kernel/Metaclass.st @@ -264,10 +264,6 @@ it should be...the Smalltalk metaclass system is strange and complex.'> ifFalse: [SystemExceptions.MutationError signal: 'Cannot change shape of variable class']]. - newSuperclass isUntrusted & self class isUntrusted not - ifTrue: - [SystemExceptions.MutationError - signal: 'Cannot move trusted class below untrusted superclass']. needToRecompileMetaclasses := false. aClass classPool isNil ifTrue: [aClass setClassVariables: classVarDict] @@ -368,7 +364,6 @@ it should be...the Smalltalk metaclass system is strange and complex.'> setInstanceSpec: shape instVars: arrayOfInstVarNames size; setClassVariables: classVarDict; setSharedPools: sharedPoolNames; - makeUntrusted: theSuperclass isUntrusted; category: categoryName; yourself ] diff --git a/kernel/Object.st b/kernel/Object.st index ecf9c5b..3d18a2c 100644 --- a/kernel/Object.st +++ b/kernel/Object.st @@ -1024,14 +1024,6 @@ All classes in the system are subclasses of me.'> ] - isUntrusted [ - "Answer whether the object is to be considered untrusted." - - - - - ] - makeReadOnly: aBoolean [ "Set whether the object's indexed instance variables can be written" @@ -1040,14 +1032,6 @@ All classes in the system are subclasses of me.'> SystemExceptions.WrongClass signalOn: aBoolean mustBe: Boolean ] - makeUntrusted: aBoolean [ - "Set whether the object is to be considered untrusted." - - - - SystemExceptions.WrongClass signalOn: aBoolean mustBe: Boolean - ] - makeWeak [ "Make the object a 'weak' one. When an object is only referenced by weak objects, it is collected and the slots in the weak objects are changed to diff --git a/kernel/SysExcept.st b/kernel/SysExcept.st index d749ffa..9d38b5f 100644 --- a/kernel/SysExcept.st +++ b/kernel/SysExcept.st @@ -946,51 +946,6 @@ Error subclass: VMError [ Namespace current: SystemExceptions [ -VMError subclass: SecurityError [ - | failedPermission | - - - - - SecurityError class >> signal: aPermission [ - "Raise the exception, setting to aPermission the permission - that was tested and failed." - - - ^(self new) - failedPermission: aPermission; - signal - ] - - description [ - "Answer a textual description of the exception." - - - ^'insecure operation in an untrusted context' - ] - - failedPermission [ - "Answer the permission that was tested and that failed." - - - ^failedPermission - ] - - failedPermission: anObject [ - "Set which permission was tested and failed." - - - failedPermission := anObject - ] -] - -] - - - -Namespace current: SystemExceptions [ - VMError subclass: VerificationError [ diff --git a/libgst/Makefile.am b/libgst/Makefile.am index 4393388..8841ea4 100644 --- a/libgst/Makefile.am +++ b/libgst/Makefile.am @@ -35,8 +35,8 @@ libgst_la_SOURCES = \ sym.c dict.c oop.c opt.c \ save.c cint.c heap.c input.c \ sysdep.c callin.c xlat.c mpz.c \ - print.c alloc.c security.c re.c \ - interp.c real.c sockets.c events.c + print.c alloc.c re.c interp.c \ + real.c sockets.c events.c # definitions for genprims @@ -94,7 +94,7 @@ noinst_HEADERS = \ print.h alloc.h genprims.h gst-parse.h \ genpr-parse.h genbc.h genbc-decl.h \ genbc-impl.h genvm-parse.h genvm.h \ - security.h superop1.inl superop2.inl \ + superop1.inl superop2.inl \ sysdep/common/files.c sysdep/common/time.c sysdep/cygwin/files.c \ sysdep/cygwin/findexec.c sysdep/cygwin/mem.c sysdep/cygwin/signals.c \ sysdep/cygwin/time.c sysdep/cygwin/timer.c sysdep/posix/files.c \ diff --git a/libgst/comp.c b/libgst/comp.c index 9cc5986..6873a1a 100644 --- a/libgst/comp.c +++ b/libgst/comp.c @@ -2473,11 +2473,6 @@ install_method (OOP methodOOP, OOP classOOP, mst_Boolean untrusted) { oldMethod = _gst_identity_dictionary_at (methodDictionaryOOP, selector); - if (!IS_NIL (oldMethod) && !IS_OOP_UNTRUSTED (oldMethod)) - { - _gst_errorf ("cannot redefine a trusted method as untrusted"); - EXIT_COMPILATION (); - } } MAKE_OOP_READONLY (methodOOP, true); @@ -2666,13 +2661,6 @@ method_new (method_header header, method = (gst_compiled_method) instantiate_with (_gst_compiled_method_class, numByteCodes, &methodOOP); - if (_gst_curr_method) - MAKE_OOP_UNTRUSTED (methodOOP, _gst_curr_method->v_method.untrusted); - else - MAKE_OOP_UNTRUSTED (methodOOP, - IS_OOP_UNTRUSTED (_gst_this_context_oop) - || IS_OOP_UNTRUSTED (class)); - method->header = header; method->descriptor = methodDesc; method->literals = literals; @@ -2695,7 +2683,6 @@ method_new (method_header header, block = (gst_compiled_block) OOP_TO_OBJ (blockOOP); if (IS_NIL (block->method)) { - MAKE_OOP_UNTRUSTED (blockOOP, IS_OOP_UNTRUSTED (methodOOP)); block->method = methodOOP; block->literals = literals; } diff --git a/libgst/dict.c b/libgst/dict.c index 6d9bf9d..542c42a 100644 --- a/libgst/dict.c +++ b/libgst/dict.c @@ -674,10 +674,10 @@ static const class_definition class_info[] = { "ClassDescription", NULL, NULL, NULL }, {&_gst_class_class, &_gst_class_description_class, - GST_ISP_FIXED, true, 8, + GST_ISP_FIXED, true, 7, "Class", "name comment category environment classVariables sharedPools " - "securityPolicy pragmaHandlers", + "pragmaHandlers", NULL, NULL }, {&_gst_metaclass_class, &_gst_class_description_class, @@ -956,7 +956,7 @@ init_metaclass (OOP metaclassOOP) _gst_make_instance_variable_array (_gst_nil_oop, "superClass methodDictionary instanceSpec subClasses " "instanceVariables name comment category environment " - "classVariables sharedPools securityPolicy " + "classVariables sharedPools " "pragmaHandlers"); metaclass->instanceSpec = GST_ISP_INTMARK | GST_ISP_FIXED | @@ -991,7 +991,6 @@ init_class (OOP class_oop, const class_definition *ci) class->methodDictionary = _gst_nil_oop; class->comment = _gst_nil_oop; class->category = _gst_nil_oop; - class->securityPolicy = _gst_nil_oop; class->pragmaHandlers = _gst_nil_oop; } diff --git a/libgst/dict.h b/libgst/dict.h index f1bc693..93224c9 100644 --- a/libgst/dict.h +++ b/libgst/dict.h @@ -303,7 +303,6 @@ typedef struct gst_class OOP environment; OOP classVariables; /* dictionary of name->value pairs */ OOP sharedPools; - OOP securityPolicy; OOP pragmaHandlers; } *gst_class; diff --git a/libgst/files.c b/libgst/files.c index 724d66a..ec33933 100644 --- a/libgst/files.c +++ b/libgst/files.c @@ -239,7 +239,6 @@ static const char standard_files[] = { "FileSegment.st\0" "FileDescr.st\0" "SymLink.st\0" - "Security.st\0" "WeakObjects.st\0" "ObjMemory.st\0" diff --git a/libgst/gst-parse.c b/libgst/gst-parse.c index 922ef55..639d946 100644 --- a/libgst/gst-parse.c +++ b/libgst/gst-parse.c @@ -327,11 +327,7 @@ _gst_get_current_namespace (void) mst_Boolean _gst_untrusted_parse (void) { - if (!_gst_current_parser) - return false; - - return (_gst_current_parser->untrustedContext - || IS_OOP_UNTRUSTED (_gst_current_parser->currentClass)); + return false; } void @@ -413,7 +409,7 @@ _gst_parse_method (OOP currentClass, OOP currentCategory) incPtr = INC_SAVE_POINTER (); parser_init (&p); p.state = PARSE_METHOD; - p.untrustedContext = IS_OOP_UNTRUSTED (_gst_this_context_oop); + p.untrustedContext = false; p.current_namespace = _gst_nil_oop; _gst_set_compilation_class (currentClass); _gst_set_compilation_category (currentCategory); @@ -446,7 +442,7 @@ _gst_parse_chunks (OOP currentNamespace) _gst_current_parser = &p; incPtr = INC_SAVE_POINTER (); parser_init (&p); - p.untrustedContext = IS_OOP_UNTRUSTED (_gst_this_context_oop); + p.untrustedContext = false; if (currentNamespace) p.current_namespace = currentNamespace; p.state = PARSE_DOIT; diff --git a/libgst/gstpriv.h b/libgst/gstpriv.h index 1f2eea9..93b8042 100644 --- a/libgst/gstpriv.h +++ b/libgst/gstpriv.h @@ -219,15 +219,6 @@ #endif -/* ENABLE_SECURITY enables security checks in the primitives as well as - special marking of untrusted objects. Note that the code in the - class library to perform the security checks will be present - notwithstanding the setting of this flag, but they will be disabled - because the corresponding primitives will be made non-working. We - define it here with no configure-time options because it causes - testsuite failures. */ -#define ENABLE_SECURITY - /* OPTIMIZE disables many checks, including consistency checks at GC time and bounds checking on instance variable accesses (not on #at: and #at:put: which would violate language semantics). It can a) @@ -367,22 +358,6 @@ enum { (((oop)->flags &= ~F_READONLY), \ ((oop)->flags |= (ro) ? F_READONLY : 0)) -#ifdef ENABLE_SECURITY - -/* Answer whether an object, OOP, is untrusted. */ -#define IS_OOP_UNTRUSTED(oop) \ - (!IS_INT ((oop)) && ((oop)->flags & F_UNTRUSTED)) - -/* Set whether an object, OOP, is trusted or untrusted. */ -#define MAKE_OOP_UNTRUSTED(oop, untr) \ - (((oop)->flags &= ~F_UNTRUSTED), \ - ((oop)->flags |= (untr) ? F_UNTRUSTED : 0)) - -#else -#define IS_OOP_UNTRUSTED(oop) (false) -#define MAKE_OOP_UNTRUSTED(oop, untr) ((void)0) -#endif - /* Set whether an object, OOP, has ephemeron semantics. */ #define MAKE_OOP_EPHEMERON(oop) \ (oop)->flags |= F_EPHEMERON; @@ -608,7 +583,6 @@ extern OOP _gst_nil_oop #include "xlat.h" #include "mpz.h" #include "print.h" -#include "security.h" #include "real.h" #include "sockets.h" diff --git a/libgst/interp.c b/libgst/interp.c index 35aa325..3b74614 100644 --- a/libgst/interp.c +++ b/libgst/interp.c @@ -582,21 +582,6 @@ static void * const *dispatch_vec; #define PARENT_CONTEXT(contextOOP) \ ( ((gst_method_context) OOP_TO_OBJ (contextOOP)) ->parentContext) -/* Set whether the old context was a trusted one. Untrusted contexts - are those whose receiver or sender is untrusted. */ -#define UPDATE_CONTEXT_TRUSTFULNESS(contextOOP, parentContextOOP) \ - MAKE_OOP_UNTRUSTED (contextOOP, \ - IS_OOP_UNTRUSTED (_gst_self) | \ - IS_OOP_UNTRUSTED (parentContextOOP)); - -/* Set whether the current context is an untrusted one. Untrusted contexts - are those whose receiver or sender is untrusted. */ -#define IS_THIS_CONTEXT_UNTRUSTED() \ - (UPDATE_CONTEXT_TRUSTFULNESS(_gst_this_context_oop, \ - PARENT_CONTEXT (_gst_this_context_oop)) \ - & F_UNTRUSTED) - - /* Context management The contexts make up a linked list. Their structure is: @@ -769,8 +754,6 @@ empty_context_stack (void) context->spOffset = FROM_INT (sp - context->contextStack); context->ipOffset = FROM_INT (ip - method_base); - UPDATE_CONTEXT_TRUSTFULNESS (_gst_this_context_oop, context->parentContext); - /* Even if the JIT is active, the current context might have no attached native_ip -- in fact it has one only if we are being called from activate_new_context -- so we have to `invent' @@ -863,7 +846,6 @@ activate_new_context (int size, FROM_INT ((sp - thisContext->contextStack) - sendArgs); thisContext->ipOffset = FROM_INT (ip - method_base); - UPDATE_CONTEXT_TRUSTFULNESS (_gst_this_context_oop, thisContext->parentContext); _gst_this_context_oop = oop; return (newContext); diff --git a/libgst/opt.c b/libgst/opt.c index ed728e1..32f01f6 100644 --- a/libgst/opt.c +++ b/libgst/opt.c @@ -1231,11 +1231,7 @@ typedef struct partially_constructed_array { CHECK_LITERAL (n); \ if (IS_INT (literals[(n)]) || \ !is_a_kind_of (OOP_CLASS (literals[(n)]), _gst_lookup_key_class)) \ - return ("LookupKey expected"); \ - else if (store \ - && untrusted \ - && !IS_OOP_UNTRUSTED (literals[(n)])) \ - return ("Invalid global variable access"); + return ("LookupKey expected"); #define LIT_VARIABLE_CLASS(n) \ /* Special case classes because of super and {...} */ \ @@ -1314,7 +1310,6 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth) int size, bc_len, num_temps, stack_depth, num_literals, num_rec_vars, num_ro_rec_vars; - mst_Boolean untrusted; const char *error; gst_uchar *bp; OOP *literals, methodClass, last_used_literal; @@ -1331,7 +1326,6 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth) methodClass = GET_METHOD_CLASS (methodOOP); num_literals = NUM_METHOD_LITERALS (methodOOP); num_rec_vars = CLASS_FIXED_FIELDS (methodClass); - untrusted = IS_OOP_UNTRUSTED (methodOOP); if (is_a_kind_of (OOP_CLASS (methodOOP), _gst_compiled_method_class)) { @@ -1379,17 +1373,7 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth) else return "invalid class"; - if (untrusted) - { - OOP class_oop; - for (class_oop = methodClass; IS_OOP_UNTRUSTED (class_oop); - class_oop = SUPERCLASS (class_oop)) - ; - - num_ro_rec_vars = CLASS_FIXED_FIELDS (class_oop); - } - else - num_ro_rec_vars = 0; + num_ro_rec_vars = 0; #ifdef DEBUG_VERIFIER printf ("Verifying %O (max. stack depth = %d):\n", methodOOP, stack_depth); diff --git a/libgst/prims.def b/libgst/prims.def index ecfbed5..7e8eaaf 100644 --- a/libgst/prims.def +++ b/libgst/prims.def @@ -5169,41 +5169,6 @@ primitive VMpr_SystemDictionary_debug [succeed] } -/* Object isUntrusted */ -primitive VMpr_Object_isUntrusted [succeed] -{ - OOP oop1; - _gst_primitives_executed++; - - oop1 = STACKTOP (); - SET_STACKTOP_BOOLEAN (IS_OOP_UNTRUSTED (oop1)); - PRIM_SUCCEEDED; -} - -/* Object makeUntrusted: */ -primitive VMpr_Object_makeUntrusted [succeed,fail] -{ - OOP oop1; - OOP oop2; - _gst_primitives_executed++; - - oop2 = POP_OOP (); - oop1 = STACKTOP (); - if (oop2 == _gst_true_oop) - { - MAKE_OOP_UNTRUSTED (oop1, true); - PRIM_SUCCEEDED; - } - else if (oop2 == _gst_false_oop) - { - MAKE_OOP_UNTRUSTED (oop1, false); - PRIM_SUCCEEDED; - } - - UNPOP (1); - PRIM_FAILED; -} - /* Object isReadOnly */ primitive VMpr_Object_isReadOnly [succeed] { diff --git a/libgst/security.c b/libgst/security.c deleted file mode 100644 index f758284..0000000 --- a/libgst/security.c +++ /dev/null @@ -1,303 +0,0 @@ -/******************************** -*- C -*- **************************** - * - * Security-related routines. - * - * - ***********************************************************************/ - -/*********************************************************************** - * - * Copyright 2003, 2006 Free Software Foundation, Inc. - * Written by Paolo Bonzini. - * - * This file is part of GNU Smalltalk. - * - * GNU Smalltalk is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2, or (at your option) any later - * version. - * - * Linking GNU Smalltalk statically or dynamically with other modules is - * making a combined work based on GNU Smalltalk. Thus, the terms and - * conditions of the GNU General Public License cover the whole - * combination. - * - * In addition, as a special exception, the Free Software Foundation - * give you permission to combine GNU Smalltalk with free software - * programs or libraries that are released under the GNU LGPL and with - * independent programs running under the GNU Smalltalk virtual machine. - * - * You may copy and distribute such a system following the terms of the - * GNU GPL for GNU Smalltalk and the licenses of the other code - * concerned, provided that you include the source code of that other - * code when and as the GNU GPL requires distribution of source code. - * - * Note that people who make modified versions of GNU Smalltalk are not - * obligated to grant this special exception for their modified - * versions; it is their choice whether to do so. The GNU General - * Public License gives permission to release a modified version without - * this exception; this exception also makes it possible to release a - * modified version which carries forward this exception. - * - * GNU Smalltalk is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * GNU Smalltalk; see the file COPYING. If not, write to the Free Software - * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - ***********************************************************************/ - -#include "gstpriv.h" - -/* Answer whether the permission permissionOOP (typically found in a - SecurityPolicy object) implies the (name,target,action) tuple - (which a primitive asks to test). */ -static mst_Boolean check_against_permission (OOP permissionOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP); - -static mst_Boolean string_match (char *pattern, - char *string, - int plen, - int slen); - -static mst_Boolean permission_is_allowing (OOP permissionOOP); - -/* Answer whether the permission permissionOOP (typically found in a - SecurityPolicy object) implies the (name,target,action) tuple - (which a primitive asks to test). */ -static mst_Boolean check_against_policy (OOP policyOOP, - OOP ownerOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP); - -static mst_Boolean check_static_permission (OOP receiverOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP); - -mst_Boolean -check_against_permission (OOP permissionOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP) -{ - gst_permission perm = (gst_permission) OOP_TO_OBJ (permissionOOP); - gst_object actionArray = OOP_TO_OBJ (perm->actions); - if (perm->name != nameOOP) - return (false); - - if (!IS_NIL (perm->target) && !IS_NIL (targetOOP)) - { - mst_Boolean match_target; - match_target = (targetOOP == perm->target); - if (!match_target - && (OOP_CLASS (targetOOP) != _gst_symbol_class - || OOP_CLASS (perm->target) != _gst_symbol_class) - && (OOP_CLASS (targetOOP) == _gst_string_class - || OOP_CLASS (targetOOP) == _gst_symbol_class) - && (OOP_CLASS (perm->target) == _gst_string_class - || OOP_CLASS (perm->target) == _gst_symbol_class)) - match_target = string_match ((char *) OOP_TO_OBJ (perm->target)->data, - (char *) OOP_TO_OBJ (targetOOP)->data, - oop_num_fields (perm->target), - oop_num_fields (targetOOP)); - - if (!match_target) - return (false); - } - - if (!IS_NIL (perm->actions) && !IS_NIL (actionOOP)) - { - int n = oop_num_fields (perm->actions); - int i; - for (i = 0; ;) - { - if (actionArray->data[i] == actionOOP) - break; - - if (++i == n) - return (false); - } - } - - return (true); -} - -mst_Boolean -string_match (char *pattern, - char *string, - int plen, - int slen) -{ - int i; - - for (;;) - { - /* If the string has ended, try to match trailing *'s in the - pattern. */ - if (slen == 0) - { - while (plen > 0 && *pattern == '*') - pattern++, plen--; - - return (plen == 0); - } - - /* If the pattern has ended, fail, because we know that slen > 0. */ - if (plen == 0) - return (false); - - switch (*pattern) - { - case '*': - /* Skip multiple * wildcards, they don't matter. */ - do - pattern++, plen--; - while (*pattern == '*'); - - /* Try to be greedy at first, then try shorter matches. */ - for (i = slen; i > 0; i--) - if (string_match (pattern, string + i, plen, slen - i)) - return (true); - - /* Continue with a void match for the *'s. */ - break; - - default: - /* Not a wildcard, match a single character. */ - if (*pattern != *string) - return (false); - - /* fall through */ - - case '#': - pattern++, string++, plen--, slen--; - break; - } - } -} - -mst_Boolean -permission_is_allowing (OOP permissionOOP) -{ - gst_permission perm = (gst_permission) OOP_TO_OBJ (permissionOOP); - return perm->positive != _gst_false_oop; -} - -mst_Boolean -check_against_policy (OOP policyOOP, - OOP ownerOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP) -{ - gst_security_policy policy; - OOP *first, *last; - OOP ocOOP; - mst_Boolean result; - - if (IS_NIL (policyOOP)) - return (true); - - policy = (gst_security_policy) OOP_TO_OBJ (policyOOP); - ocOOP = dictionary_at (policy->dictionary, nameOOP); - - result = !IS_OOP_UNTRUSTED (ownerOOP); - if (IS_NIL (ocOOP)) - return result; - - first = ordered_collection_begin (ocOOP); - last = ordered_collection_end (ocOOP); - for (; first < last; first++) - if (check_against_permission (*first, nameOOP, targetOOP, actionOOP)) - result = permission_is_allowing (*first); - - return result; -} - -mst_Boolean -check_static_permission (OOP receiverOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP) -{ - OOP classOOP = _gst_get_class_object (OOP_CLASS (receiverOOP)); - gst_class class = (gst_class) OOP_TO_OBJ (classOOP); - OOP policyOOP = class->securityPolicy; - - return check_against_policy (policyOOP, classOOP, - nameOOP, targetOOP, actionOOP); -} - -mst_Boolean _gst_check_permission (OOP contextOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP) -{ - gst_method_context context; - mst_Boolean state, found_annotation; - - do - { - OOP infoOOP; - gst_method_info info; - int num_attributes, i; - - context = (gst_method_context) OOP_TO_OBJ (contextOOP); - state = check_static_permission (context->receiver, - nameOOP, targetOOP, actionOOP); - - if (!state) - break; - - infoOOP = get_method_info (context->method); - info = (gst_method_info) OOP_TO_OBJ (infoOOP); - num_attributes = NUM_INDEXABLE_FIELDS (infoOOP); - found_annotation = false; - for (i = 0; i < num_attributes; i++) - { - gst_message attr = (gst_message) OOP_TO_OBJ (info->attributes[i]); - gst_object attr_args; - OOP permissionOOP; - - if (attr->selector != _gst_permission_symbol) - continue; - - attr_args = OOP_TO_OBJ (attr->args); - permissionOOP = attr_args->data[0]; - if (check_against_permission (permissionOOP, - nameOOP, targetOOP, actionOOP)) - { - /* Should we check if the granted permission is statically - available? Of course, you can only grant permissions if you - own them statically, so the real question is, should we - check perm or newPerm? The answer is perm (which has - already been found to be available), hence we can skip - an expensive static permission check. Suppose we have a - method that grants access to all files: it makes more sense - if it means ``grant access to all files allowed by the class - security policy'', rather than ``grant access to all files if - the security policy allows it, else do not grant access to - any file''. */ - - state = permission_is_allowing (permissionOOP); - found_annotation = false; - } - } - - if (found_annotation) - break; - - contextOOP = context->parentContext; - } - while (!IS_NIL (contextOOP)); - - return (state); -} - diff --git a/libgst/security.h b/libgst/security.h deleted file mode 100644 index 8857cf7..0000000 --- a/libgst/security.h +++ /dev/null @@ -1,79 +0,0 @@ -/******************************** -*- C -*- **************************** - * - * Security-related routine definitions. - * - * - ***********************************************************************/ - -/*********************************************************************** - * - * Copyright 2003, 2006 Free Software Foundation, Inc. - * Written by Paolo Bonzini. - * - * This file is part of GNU Smalltalk. - * - * GNU Smalltalk is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2, or (at your option) any later - * version. - * - * Linking GNU Smalltalk statically or dynamically with other modules is - * making a combined work based on GNU Smalltalk. Thus, the terms and - * conditions of the GNU General Public License cover the whole - * combination. - * - * In addition, as a special exception, the Free Software Foundation - * give you permission to combine GNU Smalltalk with free software - * programs or libraries that are released under the GNU LGPL and with - * independent programs running under the GNU Smalltalk virtual machine. - * - * You may copy and distribute such a system following the terms of the - * GNU GPL for GNU Smalltalk and the licenses of the other code - * concerned, provided that you include the source code of that other - * code when and as the GNU GPL requires distribution of source code. - * - * Note that people who make modified versions of GNU Smalltalk are not - * obligated to grant this special exception for their modified - * versions; it is their choice whether to do so. The GNU General - * Public License gives permission to release a modified version without - * this exception; this exception also makes it possible to release a - * modified version which carries forward this exception. - * - * GNU Smalltalk is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * GNU Smalltalk; see the file COPYING. If not, write to the Free Software - * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - * - ***********************************************************************/ - - -#ifndef GST_SECURITY_H -#define GST_SECURITY_H - -typedef struct gst_permission -{ - OBJ_HEADER; - OOP name; - OOP actions; - OOP target; - OOP positive; -} *gst_permission; - -typedef struct gst_security_policy -{ - OBJ_HEADER; - OOP dictionary; - OOP owner; -} *gst_security_policy; - -mst_Boolean _gst_check_permission (OOP contextOOP, - OOP nameOOP, - OOP targetOOP, - OOP actionOOP) - ATTRIBUTE_HIDDEN; - -#endif /* GST_SECURITY_H */ diff --git a/libgst/sym.c b/libgst/sym.c index 6c8d1f4..bbc3e9d 100644 --- a/libgst/sym.c +++ b/libgst/sym.c @@ -245,12 +245,6 @@ intern_string_fast (const char *str, OOP *pTestOOP); found. */ static int instance_variable_index (OOP symbol); -/* This checks if the INDEX-th instance variable among those that the - current class declares is read-only. Read-only index variables are - those that are declared by a trusted super-class of an untrusted - subclass. */ -static mst_Boolean is_instance_variable_read_only (int index); - /* This looks for SYMBOL among the arguments and temporary variables that the current scope sees, and returns the entry in the symbol list for the variable if it is found. */ @@ -1002,7 +996,7 @@ _gst_find_variable (symbol_entry * se, if (index >= 0) { fill_symbol_entry (se, SCOPE_RECEIVER, - is_instance_variable_read_only (index), + false, symbol, index, 0); return (true); } @@ -1015,30 +1009,11 @@ _gst_find_variable (symbol_entry * se, index = _gst_add_forced_object (varAssoc); fill_symbol_entry (se, SCOPE_GLOBAL, - (_gst_curr_method->v_method.untrusted - && !IS_OOP_UNTRUSTED (varAssoc)), + false, varAssoc, index, 0); return (true); } -static mst_Boolean -is_instance_variable_read_only (int index) -{ - int numVars; - OOP class_oop; - - if (!_gst_curr_method->v_method.untrusted) - return (false); - - for (class_oop = _gst_curr_method->v_method.currentClass; - IS_OOP_UNTRUSTED (class_oop); - class_oop = SUPERCLASS (class_oop)) - ; - - numVars = CLASS_FIXED_FIELDS (class_oop); - return index + 1 <= numVars; -} - static int instance_variable_index (OOP symbol) { diff --git a/packages.xml b/packages.xml index 2c78064..c6d0e8c 100644 --- a/packages.xml +++ b/packages.xml @@ -146,7 +146,6 @@ Object.st Time.st FileStream.st - Security.st OrderColl.st CCallable.st CCallback.st diff --git a/packages/stinst/parser/STSymTable.st b/packages/stinst/parser/STSymTable.st index 905b5d1..abf5297 100644 --- a/packages/stinst/parser/STSymTable.st +++ b/packages/stinst/parser/STSymTable.st @@ -271,21 +271,18 @@ Object subclass: STSymbolTable [ declareEnvironment: aBehavior [ - | i canAlwaysStore inSandbox | + | i | environment := aBehavior. - inSandbox := thisContext isUntrusted. i := -1. - canAlwaysStore := aBehavior isUntrusted. aBehavior withAllSuperclasses reverseDo: [:class | - canAlwaysStore := canAlwaysStore and: [class isUntrusted]. class instVarNames do: [:iv | instVars at: iv asSymbol put: (STVariable id: (i := i + 1) scope: 0 - canStore: (canAlwaysStore or: [inSandbox not]))]]. + canStore: true)]]. self declareGlobals ] diff --git a/tests/Makefile.am b/tests/Makefile.am index f227386..8d9f2a9 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -15,7 +15,7 @@ lists.ok lists.st lists1.ok lists1.st lists2.ok lists2.st matrix.ok \ matrix.st methcall.ok methcall.st mutate.ok mutate.st nestedloop.ok \ nestedloop.st objects.ok objects.st objinst.ok \ objinst.st processes.ok processes.st prodcons.ok prodcons.st quit.ok \ -quit.st random-bench.ok random-bench.st untrusted.ok untrusted.st sets.ok \ +quit.st random-bench.ok random-bench.st sets.ok \ sets.st sieve.ok sieve.st strcat.ok strcat.st strings.ok strings.st \ pools.ok pools.st Ansi.st AnsiDB.st AnsiInit.st AnsiLoad.st AnsiRun.st \ stcompiler.st stcompiler.ok shape.st shape.ok diff --git a/tests/testsuite.at b/tests/testsuite.at index 7e33bf3..d661b3d 100644 --- a/tests/testsuite.at +++ b/tests/testsuite.at @@ -46,7 +46,6 @@ AT_DIFF_TEST([cobjects.st]) AT_DIFF_TEST([compiler.st]) AT_DIFF_TEST([fileext.st]) AT_DIFF_TEST([mutate.st]) -AT_DIFF_TEST([untrusted.st]) AT_DIFF_TEST([getopt.st]) AT_DIFF_TEST([quit.st]) AT_DIFF_TEST([pools.st]) -- 1.7.10.4 >From 2205c4cd10d7295a1b686feb09e2ae3b81ca1c82 Mon Sep 17 00:00:00 2001 From: Gwenael Casaccio Date: Mon, 7 Jan 2013 16:12:10 +0100 Subject: [PATCH 2/2] remove the Smalltalk code --- kernel/Security.st | 270 ---------------------------------------------------- 1 file changed, 270 deletions(-) delete mode 100644 kernel/Security.st diff --git a/kernel/Security.st b/kernel/Security.st deleted file mode 100644 index 93cb7f5..0000000 --- a/kernel/Security.st +++ /dev/null @@ -1,270 +0,0 @@ -"====================================================================== -| -| Security-related Class Definitions -| -| - ======================================================================" - -"====================================================================== -| -| Copyright 2003 -| Free Software Foundation, Inc. -| Written by Paolo Bonzini. -| -| This file is part of the GNU Smalltalk class library. -| -| The GNU Smalltalk class library is free software; you can redistribute it -| and/or modify it under the terms of the GNU Lesser General Public License -| as published by the Free Software Foundation; either version 2.1, or (at -| your option) any later version. -| -| The GNU Smalltalk class library is distributed in the hope that it will be -| useful, but WITHOUT ANY WARRANTY; without even the implied warranty of -| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser -| General Public License for more details. -| -| You should have received a copy of the GNU Lesser General Public License -| along with the GNU Smalltalk class library; see the file COPYING.LIB. -| If not, write to the Free Software Foundation, 59 Temple Place - Suite -| 330, Boston, MA 02110-1301, USA. -| - ======================================================================" - - - -Object subclass: Permission [ - | name actions target positive | - - - - - Permission class >> name: aSymbol target: aTarget actions: actionsArray [ - - ^(self new) - name: aSymbol; - target: aTarget; - actions: actionsArray; - yourself - ] - - Permission class >> name: aSymbol target: aTarget action: action [ - - ^self - name: aSymbol - target: aTarget - actions: {action} - ] - - Permission class >> allowing: aSymbol target: aTarget actions: actionsArray [ - - ^(self - name: aSymbol - target: aTarget - actions: actionsArray) allow - ] - - Permission class >> allowing: aSymbol target: aTarget action: action [ - - ^(self - name: aSymbol - target: aTarget - actions: {action}) allow - ] - - Permission class >> denying: aSymbol target: aTarget actions: actionsArray [ - - ^(self - name: aSymbol - target: aTarget - actions: actionsArray) deny - ] - - Permission class >> denying: aSymbol target: aTarget action: action [ - - ^(self - name: aSymbol - target: aTarget - actions: {action}) deny - ] - - Permission class >> granting: aSymbol target: aTarget actions: actionsArray [ - - ^(self - name: aSymbol - target: aTarget - actions: actionsArray) allow - ] - - Permission class >> granting: aSymbol target: aTarget action: action [ - - ^(self - name: aSymbol - target: aTarget - actions: {action}) allow - ] - - check: aPermission for: anObject [ - - ^(self implies: aPermission) - ifTrue: [self isAllowing] - ifFalse: [anObject isUntrusted not] - ] - - implies: aPermission [ - - aPermission name = name ifFalse: [^false]. - (self target notNil and: [aPermission target notNil]) - ifTrue: - [(self target isString and: [aPermission target isString]) - ifTrue: [(self target match: aPermission target) ifFalse: [^false]] - ifFalse: [self target == aPermission target ifFalse: [^false]]]. - (self actions notNil and: [aPermission actions notNil]) - ifTrue: - [aPermission actions size = 1 - ifTrue: [^self actions includes: (aPermission at: 1)]. - ^aPermission actions allSatisfy: [:each | self actions includes: each]]. - ^true - ] - - action: anObject [ - - self actions: {anObject} - ] - - actions [ - - ^actions - ] - - actions: anObject [ - - actions isNil - ifFalse: [self error: 'can set permission actions only once']. - (actions allSatisfy: [:each | each isSymbol]) - ifFalse: [self error: 'actions must be symbols']. - actions := anObject copy asArray - ] - - allow [ - - positive isNil ifFalse: [self error: 'can set allow/deny only once']. - positive := true - ] - - allowing [ - - | savePositive result | - savePositive := positive. - positive := true. - result := self copy. - positive := savePositive. - ^result - ] - - deny [ - - positive isNil ifFalse: [self error: 'can set allow/deny only once']. - positive := false - ] - - denying [ - - | savePositive result | - savePositive := positive. - positive := false. - result := self copy. - positive := savePositive. - ^result - ] - - isAllowing [ - - ^positive - ] - - name [ - - ^name - ] - - name: anObject [ - - name isNil ifFalse: [self error: 'can set permission name only once']. - anObject isSymbol - ifFalse: [self error: 'permission name must be a symbol']. - name := anObject copy - ] - - target [ - - ^target - ] - - target: anObject [ - - target isNil ifFalse: [self error: 'can set permission target only once']. - (target allSatisfy: [:each | each isSymbol]) - ifFalse: [self error: 'target must be symbols']. - target := anObject copy - ] -] - - - -Object subclass: SecurityPolicy [ - | dictionary owner | - - - - - addPermission: aPermission [ - - owner isNil - ifFalse: [thisContext securityCheckFor: #securityManagement target: owner]. - dictionary isNil ifTrue: [dictionary := IdentityDictionary new]. - (dictionary at: aPermission name ifAbsentPut: [OrderedCollection new]) - add: aPermission allowing - ] - - removePermission: aPermission [ - - owner isNil - ifFalse: [thisContext securityCheckFor: #securityManagement target: owner]. - dictionary isNil ifTrue: [dictionary := IdentityDictionary new]. - (dictionary at: aPermission name ifAbsentPut: [OrderedCollection new]) - add: aPermission denying - ] - - withOwner: aClass [ - - ^(self copy) - owner: aClass; - yourself - ] - - owner: aClass [ - - thisContext securityCheckFor: #securityManagement target: aClass. - dictionary := dictionary deepCopy. - owner := aClass. - ^self - ] - - check: aPermission [ - - ^(dictionary at: aPermission name ifAbsent: [#()]) - inject: owner isUntrusted not - into: [:old :perm | (perm implies: aPermission) ifTrue: [perm isAllowing] ifFalse: [old]] - ] - - implies: aPermission [ - - ^(dictionary at: aPermission name ifAbsent: [#()]) inject: false - into: [:old :perm | (perm implies: aPermission) ifTrue: [perm isAllowing] ifFalse: [old]] - ] -] - -- 1.7.10.4