Initial push

make/conf/module-loader-map.conf

@@ -94,48 +94,26 @@ PLATFORM_MODULES_windows= \
 
 NATIVE_ACCESS_MODULES= \
     java.base \
-    java.datatransfer \
     java.desktop \
     java.instrument \
-    java.logging \
     java.management \
-    java.management.rmi \
-    java.naming \
-    java.net.http \
     java.prefs \
     java.rmi \
-    java.scripting \
-    java.se \
     java.security.jgss \
-    java.security.sasl \
     java.smartcardio \
-    java.sql \
-    java.sql.rowset \
-    java.transaction.xa \
-    java.xml \
-    java.xml.crypto \
     jdk.accessibility \
-    jdk.charsets \
+    jdk.attach \
     jdk.crypto.cryptoki \
-    jdk.dynalink \
-    jdk.httpserver \
-    jdk.incubator.vector \
+    jdk.crypto.mscapi \
+    jdk.hotspot.agent \
     jdk.internal.le \
     jdk.internal.vm.ci \
+    jdk.jdi \
     jdk.jfr \
-    jdk.jsobject \
-    jdk.localedata \
+    jdk.jpackage \
     jdk.management \
     jdk.management.agent \
-    jdk.management.jfr \
-    jdk.naming.dns \
-    jdk.naming.rmi \
     jdk.net \
-    jdk.nio.mapmode \
     jdk.sctp \
     jdk.security.auth \
-    jdk.security.jgss \
-    jdk.unsupported \
-    jdk.xml.dom \
-    jdk.zipfs \
     #

make/test/BuildTestLib.gmk

@@ -64,7 +64,7 @@ $(eval $(call SetupJavaCompilation, BUILD_TEST_LIB_JAR, \
     BIN := $(TEST_LIB_SUPPORT)/test-lib_classes, \
     HEADERS := $(TEST_LIB_SUPPORT)/test-lib_headers, \
     JAR := $(TEST_LIB_SUPPORT)/test-lib.jar, \
-    DISABLED_WARNINGS := try deprecation rawtypes unchecked serial cast removal preview dangling-doc-comments, \
+    DISABLED_WARNINGS := try deprecation rawtypes unchecked serial cast removal preview restricted dangling-doc-comments, \
     JAVAC_FLAGS := --add-exports java.base/sun.security.util=ALL-UNNAMED \
         --add-exports java.base/jdk.internal.classfile=ALL-UNNAMED \
         --add-exports java.base/jdk.internal.classfile.attribute=ALL-UNNAMED \

src/hotspot/share/classfile/vmClassMacros.hpp

@@ -77,6 +77,7 @@
   do_klass(StackOverflowError_klass,                    java_lang_StackOverflowError                          ) \
   do_klass(IllegalMonitorStateException_klass,          java_lang_IllegalMonitorStateException                ) \
   do_klass(Reference_klass,                             java_lang_ref_Reference                               ) \
+  do_klass(IllegalCallerException_klass,                java_lang_IllegalCallerException                      ) \
                                                                                                                 \
   /* ref klasses and set reference types */                                                                     \
   do_klass(SoftReference_klass,                         java_lang_ref_SoftReference                           ) \

src/hotspot/share/classfile/vmSymbols.hpp

@@ -217,6 +217,7 @@ class SerializeClosure;
   template(java_lang_CloneNotSupportedException,      "java/lang/CloneNotSupportedException")     \
   template(java_lang_IllegalAccessException,          "java/lang/IllegalAccessException")         \
   template(java_lang_IllegalArgumentException,        "java/lang/IllegalArgumentException")       \
+  template(java_lang_IllegalCallerException,          "java/lang/IllegalCallerException")         \
   template(java_lang_IllegalStateException,           "java/lang/IllegalStateException")          \
   template(java_lang_IllegalMonitorStateException,    "java/lang/IllegalMonitorStateException")   \
   template(java_lang_IllegalThreadStateException,     "java/lang/IllegalThreadStateException")    \
@@ -627,7 +628,7 @@ class SerializeClosure;
   template(object_object_object_signature,            "(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;") \
   template(string_string_string_signature,            "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;") \
   template(string_string_signature,                   "(Ljava/lang/String;)Ljava/lang/String;")                   \
-  template(classloader_string_long_signature,         "(Ljava/lang/ClassLoader;Ljava/lang/String;)J")             \
+  template(classloader_class_string_string_long_signature,         "(Ljava/lang/ClassLoader;Ljava/lang/Class;Ljava/lang/String;Ljava/lang/String;)J")             \
   template(byte_array_void_signature,                 "([B)V")                                                    \
   template(char_array_void_signature,                 "([C)V")                                                    \
   template(int_int_void_signature,                    "(II)V")                                                    \

src/hotspot/share/prims/nativeLookup.cpp

@@ -272,17 +272,24 @@ address NativeLookup::lookup_style(const methodHandle& method, char* pure_name,
   }
 
   // Otherwise call static method findNative in ClassLoader
+
   Klass*   klass = vmClasses::ClassLoader_klass();
-  Handle name_arg = java_lang_String::create_from_str(jni_name, CHECK_NULL);
+  Handle jni_class(THREAD, method->method_holder()->java_mirror());
+  Handle jni_name_arg = java_lang_String::create_from_str(jni_name, CHECK_NULL);
+  Handle java_name_arg = java_lang_String::create_from_str(method->name()->as_C_string(), CHECK_NULL);
+
+  JavaCallArguments args;
+  args.push_oop(loader);
+  args.push_oop(jni_class);
+  args.push_oop(jni_name_arg);
+  args.push_oop(java_name_arg);
 
   JavaValue result(T_LONG);
   JavaCalls::call_static(&result,
                          klass,
                          vmSymbols::findNative_name(),
-                         vmSymbols::classloader_string_long_signature(),
-                         // Arguments
-                         loader,
-                         name_arg,
+                         vmSymbols::classloader_class_string_string_long_signature(),
+                         &args,
                          CHECK_NULL);
   entry = (address) (intptr_t) result.get_jlong();
 
@@ -409,6 +416,14 @@ address NativeLookup::lookup_base(const methodHandle& method, TRAPS) {
   entry = lookup_entry_prefixed(method, CHECK_NULL);
   if (entry != nullptr) return entry;
 
+
+  if (THREAD->has_pending_exception()) {
+    oop exception = THREAD->pending_exception();
+    if (exception->is_a(vmClasses::IllegalCallerException_klass())) {
+      // we already have a pending exception from the restricted method check, just return
+      return nullptr;
+    }
+  }
   // Native function not found, throw UnsatisfiedLinkError
   stringStream ss;
   ss.print("'");

src/hotspot/share/runtime/arguments.cpp

@@ -304,6 +304,8 @@ bool needs_module_property_warning = false;
 #define UPGRADE_PATH_LEN 12
 #define ENABLE_NATIVE_ACCESS "enable.native.access"
 #define ENABLE_NATIVE_ACCESS_LEN 20
+#define ILLEGAL_NATIVE_ACCESS "illegal.native.access"
+#define ILLEGAL_NATIVE_ACCESS_LEN 21
 
 // Return TRUE if option matches 'property', or 'property=', or 'property.'.
 static bool matches_property_suffix(const char* option, const char* property, size_t len) {
@@ -325,6 +327,7 @@ bool Arguments::is_internal_module_property(const char* property) {
         matches_property_suffix(property_suffix, LIMITMODS, LIMITMODS_LEN) ||
         matches_property_suffix(property_suffix, PATH, PATH_LEN) ||
         matches_property_suffix(property_suffix, UPGRADE_PATH, UPGRADE_PATH_LEN) ||
+        matches_property_suffix(property_suffix, ILLEGAL_NATIVE_ACCESS, ILLEGAL_NATIVE_ACCESS_LEN) ||
         matches_property_suffix(property_suffix, ENABLE_NATIVE_ACCESS, ENABLE_NATIVE_ACCESS_LEN)) {
       return true;
     }
@@ -2263,6 +2266,10 @@ jint Arguments::parse_each_vm_init_arg(const JavaVMInitArgs* args, bool* patch_m
       if (!create_numbered_module_property("jdk.module.enable.native.access", tail, enable_native_access_count++)) {
         return JNI_ENOMEM;
       }
+    } else if (match_option(option, "--illegal-native-access=", &tail)) {
+      if (!create_module_property("jdk.module.illegal.native.access", tail, InternalProperty)) {
+        return JNI_ENOMEM;
+      }
     } else if (match_option(option, "--limit-modules=", &tail)) {
       if (!create_module_property("jdk.module.limitmods", tail, InternalProperty)) {
         return JNI_ENOMEM;

src/java.base/share/classes/java/lang/ClassLoader.java

@@ -2445,7 +2445,16 @@ static NativeLibrary loadLibrary(Class<?> fromClass, String name) {
     /*
      * Invoked in the VM class linking code.
      */
-    static long findNative(ClassLoader loader, String entryName) {
+    static long findNative(ClassLoader loader, Class<?> clazz, String entryName, String javaName) {
+        long addr = findNativeInternal(loader, entryName);
+        if (addr != 0 && loader != null) {
+            Reflection.ensureNativeAccess(clazz, clazz, javaName);
+        }
+        return addr;
+    }
+
+    // @@@: Avoid duplication!
+    static long findNativeInternal(ClassLoader loader, String entryName) {
         if (loader == null) {
             return BootLoader.getNativeLibraries().find(entryName);
         } else {

src/java.base/share/classes/java/lang/Module.java

@@ -307,15 +307,23 @@ private Module moduleForNativeAccess() {
     void ensureNativeAccess(Class<?> owner, String methodName, Class<?> currentClass) {
         // The target module whose enableNativeAccess flag is ensured
         Module target = moduleForNativeAccess();
-        if (!EnableNativeAccess.isNativeAccessEnabled(target)) {
-            if (ModuleBootstrap.hasEnableNativeAccessFlag()) {
+        ModuleBootstrap.IllegalNativeAccess illegalNativeAccess = ModuleBootstrap.illegalNativeAccess();
+        if (illegalNativeAccess != ModuleBootstrap.IllegalNativeAccess.ALLOW &&
+                !EnableNativeAccess.isNativeAccessEnabled(target)) {
+            if (illegalNativeAccess == ModuleBootstrap.IllegalNativeAccess.DENY) {
                 throw new IllegalCallerException("Illegal native access from: " + this);
-            }
-            if (EnableNativeAccess.trySetEnableNativeAccess(target)) {
+            } else if (EnableNativeAccess.trySetEnableNativeAccess(target)) {
                 // warn and set flag, so that only one warning is reported per module
                 String cls = owner.getName();
                 String mtd = cls + "::" + methodName;
                 String mod = isNamed() ? "module " + getName() : "an unnamed module";
+                if (currentClass != null) {
+                    // try to extract location of the current class (e.g. jar or folder)
+                    URL url = System.codeSource(currentClass);
+                    if (url != null) {
+                        mod += " (" + url + ")";
+                    }
+                }
                 String modflag = isNamed() ? getName() : "ALL-UNNAMED";
                 String caller = currentClass != null ? currentClass.getName() : "code";
                 System.err.printf("""

src/java.base/share/classes/java/lang/Runtime.java

@@ -36,6 +36,7 @@
 import java.util.StringTokenizer;
 
 import jdk.internal.access.SharedSecrets;
+import jdk.internal.javac.Restricted;
 import jdk.internal.reflect.CallerSensitive;
 import jdk.internal.reflect.Reflection;
 
@@ -828,14 +829,19 @@ public void runFinalization() {
      *             a native library image by the host system.
      * @throws     NullPointerException if {@code filename} is
      *             {@code null}
+     * @throws     IllegalCallerException If the caller is in a module that
+     *             does not have native access enabled.
      * @spec jni/index.html Java Native Interface Specification
      * @see        java.lang.Runtime#getRuntime()
      * @see        java.lang.SecurityException
      * @see        java.lang.SecurityManager#checkLink(java.lang.String)
      */
     @CallerSensitive
+    @Restricted
     public void load(String filename) {
-        load0(Reflection.getCallerClass(), filename);
+        Class<?> caller = Reflection.getCallerClass();
+        Reflection.ensureNativeAccess(caller, Runtime.class, "load");
+        load0(caller, filename);
     }
 
     void load0(Class<?> fromClass, String filename) {
@@ -894,13 +900,18 @@ void load0(Class<?> fromClass, String filename) {
      *             native library image by the host system.
      * @throws     NullPointerException if {@code libname} is
      *             {@code null}
+     * @throws     IllegalCallerException If the caller is in a module that
+     *             does not have native access enabled.
      * @spec jni/index.html Java Native Interface Specification
      * @see        java.lang.SecurityException
      * @see        java.lang.SecurityManager#checkLink(java.lang.String)
      */
     @CallerSensitive
+    @Restricted
     public void loadLibrary(String libname) {
-        loadLibrary0(Reflection.getCallerClass(), libname);
+        Class<?> caller = Reflection.getCallerClass();
+        Reflection.ensureNativeAccess(caller, Runtime.class, "loadLibrary");
+        loadLibrary0(caller, libname);
     }
 
     void loadLibrary0(Class<?> fromClass, String libname) {

src/java.base/share/classes/java/lang/System.java

@@ -70,6 +70,7 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.stream.Stream;
 
+import jdk.internal.javac.Restricted;
 import jdk.internal.logger.LoggerFinderLoader.TemporaryLoggerFinder;
 import jdk.internal.misc.Blocker;
 import jdk.internal.misc.CarrierThreadLocal;
@@ -356,7 +357,7 @@ private static class CallersHolder {
             = Collections.synchronizedMap(new WeakHashMap<>());
     }
 
-    private static URL codeSource(Class<?> clazz) {
+    static URL codeSource(Class<?> clazz) {
         PrivilegedAction<ProtectionDomain> pa = clazz::getProtectionDomain;
         @SuppressWarnings("removal")
         CodeSource cs = AccessController.doPrivileged(pa).getCodeSource();
@@ -2018,14 +2019,19 @@ public static void runFinalization() {
      *             linked with the VM, or the library cannot be mapped to
      *             a native library image by the host system.
      * @throws     NullPointerException if {@code filename} is {@code null}
+     * @throws     IllegalCallerException If the caller is in a module that
+     *             does not have native access enabled.
      *
      * @spec jni/index.html Java Native Interface Specification
      * @see        java.lang.Runtime#load(java.lang.String)
      * @see        java.lang.SecurityManager#checkLink(java.lang.String)
      */
     @CallerSensitive
+    @Restricted
     public static void load(String filename) {
-        Runtime.getRuntime().load0(Reflection.getCallerClass(), filename);
+        Class<?> caller = Reflection.getCallerClass();
+        Reflection.ensureNativeAccess(caller, System.class, "load");
+        Runtime.getRuntime().load0(caller, filename);
     }
 
     /**
@@ -2056,14 +2062,19 @@ public static void load(String filename) {
      *             linked with the VM,  or the library cannot be mapped to a
      *             native library image by the host system.
      * @throws     NullPointerException if {@code libname} is {@code null}
+     * @throws     IllegalCallerException If the caller is in a module that
+     *             does not have native access enabled.
      *
      * @spec jni/index.html Java Native Interface Specification
      * @see        java.lang.Runtime#loadLibrary(java.lang.String)
      * @see        java.lang.SecurityManager#checkLink(java.lang.String)
      */
     @CallerSensitive
+    @Restricted
     public static void loadLibrary(String libname) {
-        Runtime.getRuntime().loadLibrary0(Reflection.getCallerClass(), libname);
+        Class<?> caller = Reflection.getCallerClass();
+        Reflection.ensureNativeAccess(caller, System.class, "loadLibrary");
+        Runtime.getRuntime().loadLibrary0(caller, libname);
     }
 
     /**
@@ -2649,7 +2660,7 @@ public Object classData(Class<?> c) {
 
             @Override
             public long findNative(ClassLoader loader, String entry) {
-                return ClassLoader.findNative(loader, entry);
+                return ClassLoader.findNativeInternal(loader, entry);
             }
 
             @Override

src/java.base/share/classes/java/lang/foreign/package-info.java

@@ -165,10 +165,11 @@
  * In the reference implementation, access to restricted methods can be granted to
  * specific modules using the command line option {@code --enable-native-access=M1,M2, ... Mn},
  * where {@code M1}, {@code M2}, {@code ... Mn} are module names (for the unnamed module,
- * the special value {@code ALL-UNNAMED} can be used). If this option is specified,
- * access to restricted methods are only granted to the modules listed by that option.
- * If this option is not specified, access to restricted methods is enabled for all
- * modules, but access to restricted methods will result in runtime warnings.
+ * the special value {@code ALL-UNNAMED} can be used). Access to restricted methods
+ * from modules not listed by that option is deemed <em>illegal</em>. Clients can
+ * control how illegal access to restricted method is handled, using the command line
+ * option {@code --illegal-native-access}. If this option is not specified,
+ * illegal access to restricted methods will result in runtime warnings.
  *
  * @spec jni/index.html Java Native Interface Specification
  *

src/java.base/share/classes/jdk/internal/foreign/abi/fallback/LibFallback.java

@@ -36,7 +36,7 @@ private LibFallback() {}
 
     static final boolean SUPPORTED = tryLoadLibrary();
 
-    @SuppressWarnings("removal")
+    @SuppressWarnings({"removal", "restricted"})
     private static boolean tryLoadLibrary() {
         return java.security.AccessController.doPrivileged(
                 new java.security.PrivilegedAction<>() {

src/java.base/share/classes/jdk/internal/jimage/NativeImageBuffer.java

@@ -38,6 +38,7 @@ class NativeImageBuffer {
     static {
         java.security.AccessController.doPrivileged(
                 new java.security.PrivilegedAction<Void>() {
+                    @SuppressWarnings("restricted")
                     public Void run() {
                         System.loadLibrary("jimage");
                         return null;