RFE: support safely wrapping restricted FFM calls

Alan Bateman Alan.Bateman at oracle.com
Thu Nov 16 15:22:06 UTC 2023


On 15/11/2023 17:13, Rob Spoor wrote:
> Hello all,
>
> I'm working on a module that makes working with FFM easier; think of 
> something like JNA. For instance, it allows creating structures 
> without having to manually manage var handles etc.
>
> My module uses restricted methods like AddressLayout.withTargetLayout 
> to support pointers. Those correctly give warnings if I don't use 
> --enable-native-access. This is where I've identified a potential 
> security risk. Native access would need to be enabled for *my* module, 
> which would allow modules that use my module to call these restricted 
> methods indirectly and without needing native access enabled 
> themselves. This means that any malicious module could piggy-back on 
> the native access that would be enabled for my module.
>
> I can implement my own access checks using the following:
>
>     StackWalker.getInstance(Set.of(Option.RETAIN_CLASS_REFERENCE))
>             .getCallerClass()
>             .getModule()
>             .isNativeAccessEnabled()
>
> However, that would mean users of my module would need to provide 
> access using two different mechanisms.

These kinds of stack walker checks are problematic, as it may be 
something further up the stack that you have to authenticate rather 
than the direct caller. So I agree with Maurizio, this looks like a case 
where using a Lookup object would be better.

-Alan
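The Lookup-based approach suggested above, sketched as an added example (this is not code from the thread or from Rob's module, and the facade name `PointerLayouts`, the method `pointerTo` and the client usage are assumptions). Instead of walking the stack to find the direct caller, the facade requires the caller to hand over a full-privilege `MethodHandles.Lookup` for its own class, and checks that the module owning that class has native access enabled before it performs the restricted call on the caller's behalf:

```java
import java.lang.foreign.AddressLayout;
import java.lang.foreign.ValueLayout;
import java.lang.invoke.MethodHandles;

/**
 * Hypothetical facade over a restricted FFM call (example code, not the
 * module discussed in the thread). The caller's identity comes from the
 * Lookup it passes in, not from the call stack, so an intermediate frame
 * with native access cannot be used as a confused deputy by a module
 * without it.
 */
public final class PointerLayouts {

    private PointerLayouts() {}

    /**
     * Returns an address layout whose target is {@code target}, on behalf of
     * the module that owns the class behind {@code caller}.
     */
    public static AddressLayout pointerTo(MethodHandles.Lookup caller, ValueLayout target) {
        // A Lookup without full privilege access (for example one obtained via
        // publicLookup() or dropped to a weaker mode) does not prove that the
        // caller is the class it names, so it is rejected outright.
        if (!caller.hasFullPrivilegeAccess()) {
            throw new IllegalArgumentException(
                    "a full-privilege Lookup for the caller's own class is required");
        }

        Module callerModule = caller.lookupClass().getModule();

        // Module.isNativeAccessEnabled() reflects --enable-native-access (or
        // Module.enableNativeAccess()) for the caller's module. This module
        // still needs native access itself to make the restricted call below,
        // but it only does so after the caller's own grant has been verified.
        if (!callerModule.isNativeAccessEnabled()) {
            throw new IllegalCallerException("module " + callerModule.getName()
                    + " has not been granted native access");
        }

        // Restricted method: emits the warning or fails unless this module has
        // native access enabled.
        return ValueLayout.ADDRESS.withTargetLayout(target);
    }

    // Assumed client usage from another module, which must itself be started with
    // --enable-native-access=<its module name>:
    //
    //   AddressLayout p = PointerLayouts.pointerTo(MethodHandles.lookup(), ValueLayout.JAVA_INT);
}
```

Because `MethodHandles.lookup()` is caller-sensitive, the client cannot obtain a full-privilege Lookup for a class in some other module, so the check binds the native-access decision to the module that actually made the request rather than to whichever frame happens to sit directly on top of the facade.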

