[foreign-memaccess+abi] RFR: 8310659: The jar tool should support allowing access to restricted methods from executable jars [v3]

Maurizio Cimadamore mcimadamore at openjdk.org
Tue Jun 27 14:38:32 UTC 2023 

On Tue, 27 Jun 2023 14:17:13 GMT, Maurizio Cimadamore <mcimadamore at openjdk.org> wrote:

>> Jorn Vernee has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   missed changes
>
> src/java.base/share/classes/sun/launcher/LauncherHelper.java line 600:
> 
>> 598:                 addExportsOrOpens(opens, true);
>> 599:             }
>> 600:             if (Boolean.parseBoolean(mainAttrs.getValue(ENABLE_NATIVE_ACCESS))) {
> 
> From a design perspective there are two options here:
> * `false` means "ignore" (which is what is being implemented here)
> * `false` means `no native access`.
> 
> The latter seems a bit odd - but I'd like to remind the behavior of what happens when `--enable-native-access foo` is specified, and access to restricted method occurs in a module other than `foo`. In that case we throw an exception (e.g. we validate strictly, because a command line option was found).
> 
> Jar could do a similar thing:
> * if no manifest attribute is specified, do the current warning behavior
> * if attribute is set to `true`, do not warn
> * if attribute is set to `false`, access to restricted methods in this jar are simply not allowed and must fail with exception

I had a chat with @AlanBateman. He agrees that seeing "Enable-Native-Access:false" strongly suggests of a deny-like behavior (e.g. access should fail). That said, if we just did that, then it would be possible to have an `--enable-native-access` command line option and a manifest attribute pulling in different directions (e.g. enable vs. disable).

Ideally, we'd like a value-less attribute (e.g. `EnableNativeAccess:`) so that there's no confusion re. true/false. But that is not allowed by the manifest attribute grammar.

The next best thing seems to be `EnableNativeAccess:ALL-UNNAMED`. E.g. we only allow the name of the module we're allowed to enable native access for (the unnamed module). If, in the future, jars will start supporting multiple modules, we can enhance the attribute to accept a comma separated list.

This is slightly less confusing. There's no "deny" state, and no possibilities for the attribute to conflict with the command line option.

-------------

PR Review Comment: https://git.openjdk.org/panama-foreign/pull/843#discussion_r1243859508

More information about the panama-dev mailing list