Hi,
Here is a patch that removes the security framework from the vm side
and the smalltalk side. It needs a review before applying.
Gwen
>From e0ac0616c7afbc5009b560c0d8d67303543cb731 Mon Sep 17 00:00:00 2001
From: Gwenael Casaccio <[email protected]>
Date: Mon, 7 Jan 2013 16:10:31 +0100
Subject: [PATCH 1/2] remove security framework
---
kernel/Behavior.st | 10 --
kernel/BindingDict.st | 3 +-
kernel/Class.st | 18 +-
kernel/ContextPart.st | 90 ----------
kernel/Metaclass.st | 5 -
kernel/Object.st | 16 --
kernel/SysExcept.st | 45 -----
libgst/Makefile.am | 6 +-
libgst/comp.c | 13 --
libgst/dict.c | 7 +-
libgst/dict.h | 1 -
libgst/files.c | 1 -
libgst/gst-parse.c | 10 +-
libgst/gstpriv.h | 26 ---
libgst/interp.c | 18 --
libgst/opt.c | 20 +--
libgst/prims.def | 35 ----
libgst/security.c | 303 ----------------------------------
libgst/security.h | 79 ---------
libgst/sym.c | 29 +---
packages.xml | 1 -
packages/stinst/parser/STSymTable.st | 7 +-
tests/Makefile.am | 2 +-
tests/testsuite.at | 1 -
24 files changed, 18 insertions(+), 728 deletions(-)
delete mode 100644 libgst/security.c
delete mode 100644 libgst/security.h
diff --git a/kernel/Behavior.st b/kernel/Behavior.st
index 90a5441..415e62c 100644
--- a/kernel/Behavior.st
+++ b/kernel/Behavior.st
@@ -1292,16 +1292,6 @@ method dictionary, and iterating over the class hierarchy.'>
^'<no name>'
]
- securityPolicy [
- <category: 'support for lightweight classes'>
- ^self asClass securityPolicy
- ]
-
- securityPolicy: aSecurityPolicy [
- <category: 'support for lightweight classes'>
- self shouldNotImplement
- ]
-
printOn: aStream in: aNamespace [
"Answer the class name when the class is referenced from aNamespace
- a dummy one, since Behavior does not support names."
diff --git a/kernel/BindingDict.st b/kernel/BindingDict.st
index bbc2da9..cda7a92 100644
--- a/kernel/BindingDict.st
+++ b/kernel/BindingDict.st
@@ -264,8 +264,7 @@ more speed.'>
[assoc := VariableBinding
key: assoc key
value: assoc value
- environment: self].
- assoc makeUntrusted: environment isUntrusted].
+ environment: self]].
^super primAt: index put: assoc
]
diff --git a/kernel/Class.st b/kernel/Class.st
index 18918e2..b2819c2 100644
--- a/kernel/Class.st
+++ b/kernel/Class.st
@@ -33,7 +33,7 @@
�
ClassDescription subclass: Class [
- | name comment category environment classVariables sharedPools securityPolicy pragmaHandlers |
+ | name comment category environment classVariables sharedPools pragmaHandlers |
<category: 'Language-Implementation'>
<comment: 'I am THE class object. My instances are the classes of the system.
@@ -588,22 +588,6 @@ the class category.'>
aStream nextPutAll: (self nameIn: Smalltalk)
]
- securityPolicy [
- <category: 'security'>
- ^securityPolicy
- ]
-
- securityPolicy: aSecurityPolicy [
- <category: 'security'>
- securityPolicy := aSecurityPolicy withOwner: self
- ]
-
- check: aPermission [
- <category: 'security'>
- self securityPolicy isNil ifTrue: [^self isUntrusted not].
- ^self securityPolicy check: aPermission
- ]
-
registerHandler: aBlock forPragma: pragma [
"While compiling methods, on every encounter of the pragma
with the given name, call aBlock with the CompiledMethod and
diff --git a/kernel/ContextPart.st b/kernel/ContextPart.st
index 9f69d60..e57cec3 100644
--- a/kernel/ContextPart.st
+++ b/kernel/ContextPart.st
@@ -465,96 +465,6 @@ methods that can be used in inspection or debugging.'>
ctx := ctx parentContext]
]
- securityCheckForName: name [
- <category: 'security checks'>
- self isUntrusted ifFalse: [^self].
- ^self
- doSecurityCheckForName: name
- actions: #()
- target: nil
- ]
-
- securityCheckForName: name action: action [
- <category: 'security checks'>
- self isUntrusted ifFalse: [^self].
- ^self
- doSecurityCheckForName: name
- actions: {action}
- target: nil
- ]
-
- securityCheckForName: name target: target [
- <category: 'security checks'>
- self isUntrusted ifFalse: [^self].
- ^self
- doSecurityCheckForName: name
- actions: #()
- target: target
- ]
-
- securityCheckForName: name actions: actions target: target [
- <category: 'security checks'>
- self isUntrusted ifFalse: [^self].
- ^self
- doSecurityCheckForName: name
- actions: actions
- target: target
- ]
-
- doSecurityCheckForName: name actions: actions target: target [
- <category: 'security checks'>
- | perm ctx |
- perm := (Permission new)
- name: name actions: actions;
- target: target.
- (self checkSecurityFor: perm) ifFalse: [(SecurityError for: perm) signal]
- ]
-
- checkSecurityFor: perm [
- <category: 'security checks'>
- "First of all, check against the static permissions for this
- context."
-
- | state foundAnnotation |
- (self receiver class check: perm) ifFalse: [^false].
-
- "Then, check the dynamic permissions. So:
- 1) check if a method was specifically denying access,
- 2) look for a deeper context whose static permissions
- denies access, but stop if a method is specifically
- granting access."
- self method isAnnotated
- ifTrue:
- [foundAnnotation := false.
- self method attributesDo:
- [:each |
- | newPerm |
- each selector = #permission:
- ifTrue:
- [newPerm := each arguments at: 1.
- (newPerm implies: perm)
- ifTrue:
- ["Should we check if the granted permission is statically
- available? Of course, you can only grant permissions if you
- own them statically, so the real question is, should we
- check perm or newPerm? The answer is perm (which has
- already been found to be available), hence we can skip
- an expensive static permission check. Suppose we have a
- method that grants access to all files: it makes more sense
- if it means ``grant access to all files allowed by the class
- security policy'', rather than ``grant access to all files if
- the security policy allows it, else do not grant access to
- any file''."
-
- foundAnnotation := true.
- state := newPerm isAllowing]]].
- foundAnnotation ifTrue: [^state]].
-
- "Nope, no special regulations were found in this method. Look in the
- parent context, and grant permission if the bottom is reached."
- ^self parentContext isNil or: [self parentContext checkSecurityFor: perm]
- ]
-
continue: anObject [
"Resume execution from the receiver, faking that the context on
top of it in the execution chain has returned anObject. The
diff --git a/kernel/Metaclass.st b/kernel/Metaclass.st
index 7f601d9..7d8fcf9 100644
--- a/kernel/Metaclass.st
+++ b/kernel/Metaclass.st
@@ -264,10 +264,6 @@ it should be...the Smalltalk metaclass system is strange and complex.'>
ifFalse:
[SystemExceptions.MutationError
signal: 'Cannot change shape of variable class']].
- newSuperclass isUntrusted & self class isUntrusted not
- ifTrue:
- [SystemExceptions.MutationError
- signal: 'Cannot move trusted class below untrusted superclass'].
needToRecompileMetaclasses := false.
aClass classPool isNil
ifTrue: [aClass setClassVariables: classVarDict]
@@ -368,7 +364,6 @@ it should be...the Smalltalk metaclass system is strange and complex.'>
setInstanceSpec: shape instVars: arrayOfInstVarNames size;
setClassVariables: classVarDict;
setSharedPools: sharedPoolNames;
- makeUntrusted: theSuperclass isUntrusted;
category: categoryName;
yourself
]
diff --git a/kernel/Object.st b/kernel/Object.st
index ecf9c5b..3d18a2c 100644
--- a/kernel/Object.st
+++ b/kernel/Object.st
@@ -1024,14 +1024,6 @@ All classes in the system are subclasses of me.'>
]
- isUntrusted [
- "Answer whether the object is to be considered untrusted."
-
- <category: 'built ins'>
- <primitive: VMpr_Object_isUntrusted>
-
- ]
-
makeReadOnly: aBoolean [
"Set whether the object's indexed instance variables can be written"
@@ -1040,14 +1032,6 @@ All classes in the system are subclasses of me.'>
SystemExceptions.WrongClass signalOn: aBoolean mustBe: Boolean
]
- makeUntrusted: aBoolean [
- "Set whether the object is to be considered untrusted."
-
- <category: 'built ins'>
- <primitive: VMpr_Object_makeUntrusted>
- SystemExceptions.WrongClass signalOn: aBoolean mustBe: Boolean
- ]
-
makeWeak [
"Make the object a 'weak' one. When an object is only referenced by weak
objects, it is collected and the slots in the weak objects are changed to
diff --git a/kernel/SysExcept.st b/kernel/SysExcept.st
index d749ffa..9d38b5f 100644
--- a/kernel/SysExcept.st
+++ b/kernel/SysExcept.st
@@ -946,51 +946,6 @@ Error subclass: VMError [
�
Namespace current: SystemExceptions [
-VMError subclass: SecurityError [
- | failedPermission |
-
- <category: 'Language-Exceptions'>
- <comment: 'I am an error raised when an untrusted object tries to do an insecure
-operation.'>
-
- SecurityError class >> signal: aPermission [
- "Raise the exception, setting to aPermission the permission
- that was tested and failed."
-
- <category: 'accessing'>
- ^(self new)
- failedPermission: aPermission;
- signal
- ]
-
- description [
- "Answer a textual description of the exception."
-
- <category: 'accessing'>
- ^'insecure operation in an untrusted context'
- ]
-
- failedPermission [
- "Answer the permission that was tested and that failed."
-
- <category: 'accessing'>
- ^failedPermission
- ]
-
- failedPermission: anObject [
- "Set which permission was tested and failed."
-
- <category: 'accessing'>
- failedPermission := anObject
- ]
-]
-
-]
-
-
-�
-Namespace current: SystemExceptions [
-
VMError subclass: VerificationError [
<category: 'Language-Exceptions'>
diff --git a/libgst/Makefile.am b/libgst/Makefile.am
index 4393388..8841ea4 100644
--- a/libgst/Makefile.am
+++ b/libgst/Makefile.am
@@ -35,8 +35,8 @@ libgst_la_SOURCES = \
sym.c dict.c oop.c opt.c \
save.c cint.c heap.c input.c \
sysdep.c callin.c xlat.c mpz.c \
- print.c alloc.c security.c re.c \
- interp.c real.c sockets.c events.c
+ print.c alloc.c re.c interp.c \
+ real.c sockets.c events.c
# definitions for genprims
@@ -94,7 +94,7 @@ noinst_HEADERS = \
print.h alloc.h genprims.h gst-parse.h \
genpr-parse.h genbc.h genbc-decl.h \
genbc-impl.h genvm-parse.h genvm.h \
- security.h superop1.inl superop2.inl \
+ superop1.inl superop2.inl \
sysdep/common/files.c sysdep/common/time.c sysdep/cygwin/files.c \
sysdep/cygwin/findexec.c sysdep/cygwin/mem.c sysdep/cygwin/signals.c \
sysdep/cygwin/time.c sysdep/cygwin/timer.c sysdep/posix/files.c \
diff --git a/libgst/comp.c b/libgst/comp.c
index 9cc5986..6873a1a 100644
--- a/libgst/comp.c
+++ b/libgst/comp.c
@@ -2473,11 +2473,6 @@ install_method (OOP methodOOP, OOP classOOP, mst_Boolean untrusted)
{
oldMethod = _gst_identity_dictionary_at (methodDictionaryOOP,
selector);
- if (!IS_NIL (oldMethod) && !IS_OOP_UNTRUSTED (oldMethod))
- {
- _gst_errorf ("cannot redefine a trusted method as untrusted");
- EXIT_COMPILATION ();
- }
}
MAKE_OOP_READONLY (methodOOP, true);
@@ -2666,13 +2661,6 @@ method_new (method_header header,
method = (gst_compiled_method) instantiate_with (_gst_compiled_method_class,
numByteCodes, &methodOOP);
- if (_gst_curr_method)
- MAKE_OOP_UNTRUSTED (methodOOP, _gst_curr_method->v_method.untrusted);
- else
- MAKE_OOP_UNTRUSTED (methodOOP,
- IS_OOP_UNTRUSTED (_gst_this_context_oop)
- || IS_OOP_UNTRUSTED (class));
-
method->header = header;
method->descriptor = methodDesc;
method->literals = literals;
@@ -2695,7 +2683,6 @@ method_new (method_header header,
block = (gst_compiled_block) OOP_TO_OBJ (blockOOP);
if (IS_NIL (block->method))
{
- MAKE_OOP_UNTRUSTED (blockOOP, IS_OOP_UNTRUSTED (methodOOP));
block->method = methodOOP;
block->literals = literals;
}
diff --git a/libgst/dict.c b/libgst/dict.c
index 6d9bf9d..542c42a 100644
--- a/libgst/dict.c
+++ b/libgst/dict.c
@@ -674,10 +674,10 @@ static const class_definition class_info[] = {
"ClassDescription", NULL, NULL, NULL },
{&_gst_class_class, &_gst_class_description_class,
- GST_ISP_FIXED, true, 8,
+ GST_ISP_FIXED, true, 7,
"Class",
"name comment category environment classVariables sharedPools "
- "securityPolicy pragmaHandlers",
+ "pragmaHandlers",
NULL, NULL },
{&_gst_metaclass_class, &_gst_class_description_class,
@@ -956,7 +956,7 @@ init_metaclass (OOP metaclassOOP)
_gst_make_instance_variable_array (_gst_nil_oop,
"superClass methodDictionary instanceSpec subClasses "
"instanceVariables name comment category environment "
- "classVariables sharedPools securityPolicy "
+ "classVariables sharedPools "
"pragmaHandlers");
metaclass->instanceSpec = GST_ISP_INTMARK | GST_ISP_FIXED |
@@ -991,7 +991,6 @@ init_class (OOP class_oop, const class_definition *ci)
class->methodDictionary = _gst_nil_oop;
class->comment = _gst_nil_oop;
class->category = _gst_nil_oop;
- class->securityPolicy = _gst_nil_oop;
class->pragmaHandlers = _gst_nil_oop;
}
diff --git a/libgst/dict.h b/libgst/dict.h
index f1bc693..93224c9 100644
--- a/libgst/dict.h
+++ b/libgst/dict.h
@@ -303,7 +303,6 @@ typedef struct gst_class
OOP environment;
OOP classVariables; /* dictionary of name->value pairs */
OOP sharedPools;
- OOP securityPolicy;
OOP pragmaHandlers;
}
*gst_class;
diff --git a/libgst/files.c b/libgst/files.c
index 724d66a..ec33933 100644
--- a/libgst/files.c
+++ b/libgst/files.c
@@ -239,7 +239,6 @@ static const char standard_files[] = {
"FileSegment.st\0"
"FileDescr.st\0"
"SymLink.st\0"
- "Security.st\0"
"WeakObjects.st\0"
"ObjMemory.st\0"
diff --git a/libgst/gst-parse.c b/libgst/gst-parse.c
index 922ef55..639d946 100644
--- a/libgst/gst-parse.c
+++ b/libgst/gst-parse.c
@@ -327,11 +327,7 @@ _gst_get_current_namespace (void)
mst_Boolean
_gst_untrusted_parse (void)
{
- if (!_gst_current_parser)
- return false;
-
- return (_gst_current_parser->untrustedContext
- || IS_OOP_UNTRUSTED (_gst_current_parser->currentClass));
+ return false;
}
void
@@ -413,7 +409,7 @@ _gst_parse_method (OOP currentClass, OOP currentCategory)
incPtr = INC_SAVE_POINTER ();
parser_init (&p);
p.state = PARSE_METHOD;
- p.untrustedContext = IS_OOP_UNTRUSTED (_gst_this_context_oop);
+ p.untrustedContext = false;
p.current_namespace = _gst_nil_oop;
_gst_set_compilation_class (currentClass);
_gst_set_compilation_category (currentCategory);
@@ -446,7 +442,7 @@ _gst_parse_chunks (OOP currentNamespace)
_gst_current_parser = &p;
incPtr = INC_SAVE_POINTER ();
parser_init (&p);
- p.untrustedContext = IS_OOP_UNTRUSTED (_gst_this_context_oop);
+ p.untrustedContext = false;
if (currentNamespace)
p.current_namespace = currentNamespace;
p.state = PARSE_DOIT;
diff --git a/libgst/gstpriv.h b/libgst/gstpriv.h
index 1f2eea9..93b8042 100644
--- a/libgst/gstpriv.h
+++ b/libgst/gstpriv.h
@@ -219,15 +219,6 @@
#endif
-/* ENABLE_SECURITY enables security checks in the primitives as well as
- special marking of untrusted objects. Note that the code in the
- class library to perform the security checks will be present
- notwithstanding the setting of this flag, but they will be disabled
- because the corresponding primitives will be made non-working. We
- define it here with no configure-time options because it causes
- testsuite failures. */
-#define ENABLE_SECURITY
-
/* OPTIMIZE disables many checks, including consistency checks at GC
time and bounds checking on instance variable accesses (not on #at:
and #at:put: which would violate language semantics). It can a)
@@ -367,22 +358,6 @@ enum {
(((oop)->flags &= ~F_READONLY), \
((oop)->flags |= (ro) ? F_READONLY : 0))
-#ifdef ENABLE_SECURITY
-
-/* Answer whether an object, OOP, is untrusted. */
-#define IS_OOP_UNTRUSTED(oop) \
- (!IS_INT ((oop)) && ((oop)->flags & F_UNTRUSTED))
-
-/* Set whether an object, OOP, is trusted or untrusted. */
-#define MAKE_OOP_UNTRUSTED(oop, untr) \
- (((oop)->flags &= ~F_UNTRUSTED), \
- ((oop)->flags |= (untr) ? F_UNTRUSTED : 0))
-
-#else
-#define IS_OOP_UNTRUSTED(oop) (false)
-#define MAKE_OOP_UNTRUSTED(oop, untr) ((void)0)
-#endif
-
/* Set whether an object, OOP, has ephemeron semantics. */
#define MAKE_OOP_EPHEMERON(oop) \
(oop)->flags |= F_EPHEMERON;
@@ -608,7 +583,6 @@ extern OOP _gst_nil_oop
#include "xlat.h"
#include "mpz.h"
#include "print.h"
-#include "security.h"
#include "real.h"
#include "sockets.h"
diff --git a/libgst/interp.c b/libgst/interp.c
index 35aa325..3b74614 100644
--- a/libgst/interp.c
+++ b/libgst/interp.c
@@ -582,21 +582,6 @@ static void * const *dispatch_vec;
#define PARENT_CONTEXT(contextOOP) \
( ((gst_method_context) OOP_TO_OBJ (contextOOP)) ->parentContext)
-/* Set whether the old context was a trusted one. Untrusted contexts
- are those whose receiver or sender is untrusted. */
-#define UPDATE_CONTEXT_TRUSTFULNESS(contextOOP, parentContextOOP) \
- MAKE_OOP_UNTRUSTED (contextOOP, \
- IS_OOP_UNTRUSTED (_gst_self) | \
- IS_OOP_UNTRUSTED (parentContextOOP));
-
-/* Set whether the current context is an untrusted one. Untrusted contexts
- are those whose receiver or sender is untrusted. */
-#define IS_THIS_CONTEXT_UNTRUSTED() \
- (UPDATE_CONTEXT_TRUSTFULNESS(_gst_this_context_oop, \
- PARENT_CONTEXT (_gst_this_context_oop)) \
- & F_UNTRUSTED)
-
-
/* Context management
The contexts make up a linked list. Their structure is:
@@ -769,8 +754,6 @@ empty_context_stack (void)
context->spOffset = FROM_INT (sp - context->contextStack);
context->ipOffset = FROM_INT (ip - method_base);
- UPDATE_CONTEXT_TRUSTFULNESS (_gst_this_context_oop, context->parentContext);
-
/* Even if the JIT is active, the current context might have no
attached native_ip -- in fact it has one only if we are being
called from activate_new_context -- so we have to `invent'
@@ -863,7 +846,6 @@ activate_new_context (int size,
FROM_INT ((sp - thisContext->contextStack) - sendArgs);
thisContext->ipOffset = FROM_INT (ip - method_base);
- UPDATE_CONTEXT_TRUSTFULNESS (_gst_this_context_oop, thisContext->parentContext);
_gst_this_context_oop = oop;
return (newContext);
diff --git a/libgst/opt.c b/libgst/opt.c
index ed728e1..32f01f6 100644
--- a/libgst/opt.c
+++ b/libgst/opt.c
@@ -1231,11 +1231,7 @@ typedef struct partially_constructed_array {
CHECK_LITERAL (n); \
if (IS_INT (literals[(n)]) || \
!is_a_kind_of (OOP_CLASS (literals[(n)]), _gst_lookup_key_class)) \
- return ("LookupKey expected"); \
- else if (store \
- && untrusted \
- && !IS_OOP_UNTRUSTED (literals[(n)])) \
- return ("Invalid global variable access");
+ return ("LookupKey expected");
#define LIT_VARIABLE_CLASS(n) \
/* Special case classes because of super and {...} */ \
@@ -1314,7 +1310,6 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth)
int size, bc_len, num_temps, stack_depth,
num_literals, num_rec_vars, num_ro_rec_vars;
- mst_Boolean untrusted;
const char *error;
gst_uchar *bp;
OOP *literals, methodClass, last_used_literal;
@@ -1331,7 +1326,6 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth)
methodClass = GET_METHOD_CLASS (methodOOP);
num_literals = NUM_METHOD_LITERALS (methodOOP);
num_rec_vars = CLASS_FIXED_FIELDS (methodClass);
- untrusted = IS_OOP_UNTRUSTED (methodOOP);
if (is_a_kind_of (OOP_CLASS (methodOOP), _gst_compiled_method_class))
{
@@ -1379,17 +1373,7 @@ _gst_verify_method (OOP methodOOP, int *num_outer_temps, int depth)
else
return "invalid class";
- if (untrusted)
- {
- OOP class_oop;
- for (class_oop = methodClass; IS_OOP_UNTRUSTED (class_oop);
- class_oop = SUPERCLASS (class_oop))
- ;
-
- num_ro_rec_vars = CLASS_FIXED_FIELDS (class_oop);
- }
- else
- num_ro_rec_vars = 0;
+ num_ro_rec_vars = 0;
#ifdef DEBUG_VERIFIER
printf ("Verifying %O (max. stack depth = %d):\n", methodOOP, stack_depth);
diff --git a/libgst/prims.def b/libgst/prims.def
index ecfbed5..7e8eaaf 100644
--- a/libgst/prims.def
+++ b/libgst/prims.def
@@ -5169,41 +5169,6 @@ primitive VMpr_SystemDictionary_debug [succeed]
}
�
-/* Object isUntrusted */
-primitive VMpr_Object_isUntrusted [succeed]
-{
- OOP oop1;
- _gst_primitives_executed++;
-
- oop1 = STACKTOP ();
- SET_STACKTOP_BOOLEAN (IS_OOP_UNTRUSTED (oop1));
- PRIM_SUCCEEDED;
-}
-
-/* Object makeUntrusted: */
-primitive VMpr_Object_makeUntrusted [succeed,fail]
-{
- OOP oop1;
- OOP oop2;
- _gst_primitives_executed++;
-
- oop2 = POP_OOP ();
- oop1 = STACKTOP ();
- if (oop2 == _gst_true_oop)
- {
- MAKE_OOP_UNTRUSTED (oop1, true);
- PRIM_SUCCEEDED;
- }
- else if (oop2 == _gst_false_oop)
- {
- MAKE_OOP_UNTRUSTED (oop1, false);
- PRIM_SUCCEEDED;
- }
-
- UNPOP (1);
- PRIM_FAILED;
-}
-
/* Object isReadOnly */
primitive VMpr_Object_isReadOnly [succeed]
{
diff --git a/libgst/security.c b/libgst/security.c
deleted file mode 100644
index f758284..0000000
--- a/libgst/security.c
+++ /dev/null
@@ -1,303 +0,0 @@
-/******************************** -*- C -*- ****************************
- *
- * Security-related routines.
- *
- *
- ***********************************************************************/
-
-/***********************************************************************
- *
- * Copyright 2003, 2006 Free Software Foundation, Inc.
- * Written by Paolo Bonzini.
- *
- * This file is part of GNU Smalltalk.
- *
- * GNU Smalltalk is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2, or (at your option) any later
- * version.
- *
- * Linking GNU Smalltalk statically or dynamically with other modules is
- * making a combined work based on GNU Smalltalk. Thus, the terms and
- * conditions of the GNU General Public License cover the whole
- * combination.
- *
- * In addition, as a special exception, the Free Software Foundation
- * give you permission to combine GNU Smalltalk with free software
- * programs or libraries that are released under the GNU LGPL and with
- * independent programs running under the GNU Smalltalk virtual machine.
- *
- * You may copy and distribute such a system following the terms of the
- * GNU GPL for GNU Smalltalk and the licenses of the other code
- * concerned, provided that you include the source code of that other
- * code when and as the GNU GPL requires distribution of source code.
- *
- * Note that people who make modified versions of GNU Smalltalk are not
- * obligated to grant this special exception for their modified
- * versions; it is their choice whether to do so. The GNU General
- * Public License gives permission to release a modified version without
- * this exception; this exception also makes it possible to release a
- * modified version which carries forward this exception.
- *
- * GNU Smalltalk is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * GNU Smalltalk; see the file COPYING. If not, write to the Free Software
- * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- ***********************************************************************/
-
-#include "gstpriv.h"
-
-/* Answer whether the permission permissionOOP (typically found in a
- SecurityPolicy object) implies the (name,target,action) tuple
- (which a primitive asks to test). */
-static mst_Boolean check_against_permission (OOP permissionOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP);
-
-static mst_Boolean string_match (char *pattern,
- char *string,
- int plen,
- int slen);
-
-static mst_Boolean permission_is_allowing (OOP permissionOOP);
-
-/* Answer whether the permission permissionOOP (typically found in a
- SecurityPolicy object) implies the (name,target,action) tuple
- (which a primitive asks to test). */
-static mst_Boolean check_against_policy (OOP policyOOP,
- OOP ownerOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP);
-
-static mst_Boolean check_static_permission (OOP receiverOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP);
-
-mst_Boolean
-check_against_permission (OOP permissionOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP)
-{
- gst_permission perm = (gst_permission) OOP_TO_OBJ (permissionOOP);
- gst_object actionArray = OOP_TO_OBJ (perm->actions);
- if (perm->name != nameOOP)
- return (false);
-
- if (!IS_NIL (perm->target) && !IS_NIL (targetOOP))
- {
- mst_Boolean match_target;
- match_target = (targetOOP == perm->target);
- if (!match_target
- && (OOP_CLASS (targetOOP) != _gst_symbol_class
- || OOP_CLASS (perm->target) != _gst_symbol_class)
- && (OOP_CLASS (targetOOP) == _gst_string_class
- || OOP_CLASS (targetOOP) == _gst_symbol_class)
- && (OOP_CLASS (perm->target) == _gst_string_class
- || OOP_CLASS (perm->target) == _gst_symbol_class))
- match_target = string_match ((char *) OOP_TO_OBJ (perm->target)->data,
- (char *) OOP_TO_OBJ (targetOOP)->data,
- oop_num_fields (perm->target),
- oop_num_fields (targetOOP));
-
- if (!match_target)
- return (false);
- }
-
- if (!IS_NIL (perm->actions) && !IS_NIL (actionOOP))
- {
- int n = oop_num_fields (perm->actions);
- int i;
- for (i = 0; ;)
- {
- if (actionArray->data[i] == actionOOP)
- break;
-
- if (++i == n)
- return (false);
- }
- }
-
- return (true);
-}
-
-mst_Boolean
-string_match (char *pattern,
- char *string,
- int plen,
- int slen)
-{
- int i;
-
- for (;;)
- {
- /* If the string has ended, try to match trailing *'s in the
- pattern. */
- if (slen == 0)
- {
- while (plen > 0 && *pattern == '*')
- pattern++, plen--;
-
- return (plen == 0);
- }
-
- /* If the pattern has ended, fail, because we know that slen > 0. */
- if (plen == 0)
- return (false);
-
- switch (*pattern)
- {
- case '*':
- /* Skip multiple * wildcards, they don't matter. */
- do
- pattern++, plen--;
- while (*pattern == '*');
-
- /* Try to be greedy at first, then try shorter matches. */
- for (i = slen; i > 0; i--)
- if (string_match (pattern, string + i, plen, slen - i))
- return (true);
-
- /* Continue with a void match for the *'s. */
- break;
-
- default:
- /* Not a wildcard, match a single character. */
- if (*pattern != *string)
- return (false);
-
- /* fall through */
-
- case '#':
- pattern++, string++, plen--, slen--;
- break;
- }
- }
-}
-
-mst_Boolean
-permission_is_allowing (OOP permissionOOP)
-{
- gst_permission perm = (gst_permission) OOP_TO_OBJ (permissionOOP);
- return perm->positive != _gst_false_oop;
-}
-
-mst_Boolean
-check_against_policy (OOP policyOOP,
- OOP ownerOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP)
-{
- gst_security_policy policy;
- OOP *first, *last;
- OOP ocOOP;
- mst_Boolean result;
-
- if (IS_NIL (policyOOP))
- return (true);
-
- policy = (gst_security_policy) OOP_TO_OBJ (policyOOP);
- ocOOP = dictionary_at (policy->dictionary, nameOOP);
-
- result = !IS_OOP_UNTRUSTED (ownerOOP);
- if (IS_NIL (ocOOP))
- return result;
-
- first = ordered_collection_begin (ocOOP);
- last = ordered_collection_end (ocOOP);
- for (; first < last; first++)
- if (check_against_permission (*first, nameOOP, targetOOP, actionOOP))
- result = permission_is_allowing (*first);
-
- return result;
-}
-
-mst_Boolean
-check_static_permission (OOP receiverOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP)
-{
- OOP classOOP = _gst_get_class_object (OOP_CLASS (receiverOOP));
- gst_class class = (gst_class) OOP_TO_OBJ (classOOP);
- OOP policyOOP = class->securityPolicy;
-
- return check_against_policy (policyOOP, classOOP,
- nameOOP, targetOOP, actionOOP);
-}
-
-mst_Boolean _gst_check_permission (OOP contextOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP)
-{
- gst_method_context context;
- mst_Boolean state, found_annotation;
-
- do
- {
- OOP infoOOP;
- gst_method_info info;
- int num_attributes, i;
-
- context = (gst_method_context) OOP_TO_OBJ (contextOOP);
- state = check_static_permission (context->receiver,
- nameOOP, targetOOP, actionOOP);
-
- if (!state)
- break;
-
- infoOOP = get_method_info (context->method);
- info = (gst_method_info) OOP_TO_OBJ (infoOOP);
- num_attributes = NUM_INDEXABLE_FIELDS (infoOOP);
- found_annotation = false;
- for (i = 0; i < num_attributes; i++)
- {
- gst_message attr = (gst_message) OOP_TO_OBJ (info->attributes[i]);
- gst_object attr_args;
- OOP permissionOOP;
-
- if (attr->selector != _gst_permission_symbol)
- continue;
-
- attr_args = OOP_TO_OBJ (attr->args);
- permissionOOP = attr_args->data[0];
- if (check_against_permission (permissionOOP,
- nameOOP, targetOOP, actionOOP))
- {
- /* Should we check if the granted permission is statically
- available? Of course, you can only grant permissions if you
- own them statically, so the real question is, should we
- check perm or newPerm? The answer is perm (which has
- already been found to be available), hence we can skip
- an expensive static permission check. Suppose we have a
- method that grants access to all files: it makes more sense
- if it means ``grant access to all files allowed by the class
- security policy'', rather than ``grant access to all files if
- the security policy allows it, else do not grant access to
- any file''. */
-
- state = permission_is_allowing (permissionOOP);
- found_annotation = false;
- }
- }
-
- if (found_annotation)
- break;
-
- contextOOP = context->parentContext;
- }
- while (!IS_NIL (contextOOP));
-
- return (state);
-}
-
diff --git a/libgst/security.h b/libgst/security.h
deleted file mode 100644
index 8857cf7..0000000
--- a/libgst/security.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/******************************** -*- C -*- ****************************
- *
- * Security-related routine definitions.
- *
- *
- ***********************************************************************/
-
-/***********************************************************************
- *
- * Copyright 2003, 2006 Free Software Foundation, Inc.
- * Written by Paolo Bonzini.
- *
- * This file is part of GNU Smalltalk.
- *
- * GNU Smalltalk is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2, or (at your option) any later
- * version.
- *
- * Linking GNU Smalltalk statically or dynamically with other modules is
- * making a combined work based on GNU Smalltalk. Thus, the terms and
- * conditions of the GNU General Public License cover the whole
- * combination.
- *
- * In addition, as a special exception, the Free Software Foundation
- * give you permission to combine GNU Smalltalk with free software
- * programs or libraries that are released under the GNU LGPL and with
- * independent programs running under the GNU Smalltalk virtual machine.
- *
- * You may copy and distribute such a system following the terms of the
- * GNU GPL for GNU Smalltalk and the licenses of the other code
- * concerned, provided that you include the source code of that other
- * code when and as the GNU GPL requires distribution of source code.
- *
- * Note that people who make modified versions of GNU Smalltalk are not
- * obligated to grant this special exception for their modified
- * versions; it is their choice whether to do so. The GNU General
- * Public License gives permission to release a modified version without
- * this exception; this exception also makes it possible to release a
- * modified version which carries forward this exception.
- *
- * GNU Smalltalk is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
- * more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * GNU Smalltalk; see the file COPYING. If not, write to the Free Software
- * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *
- ***********************************************************************/
-
-
-#ifndef GST_SECURITY_H
-#define GST_SECURITY_H
-
-typedef struct gst_permission
-{
- OBJ_HEADER;
- OOP name;
- OOP actions;
- OOP target;
- OOP positive;
-} *gst_permission;
-
-typedef struct gst_security_policy
-{
- OBJ_HEADER;
- OOP dictionary;
- OOP owner;
-} *gst_security_policy;
-
-mst_Boolean _gst_check_permission (OOP contextOOP,
- OOP nameOOP,
- OOP targetOOP,
- OOP actionOOP)
- ATTRIBUTE_HIDDEN;
-
-#endif /* GST_SECURITY_H */
diff --git a/libgst/sym.c b/libgst/sym.c
index 6c8d1f4..bbc3e9d 100644
--- a/libgst/sym.c
+++ b/libgst/sym.c
@@ -245,12 +245,6 @@ intern_string_fast (const char *str, OOP *pTestOOP);
found. */
static int instance_variable_index (OOP symbol);
-/* This checks if the INDEX-th instance variable among those that the
- current class declares is read-only. Read-only index variables are
- those that are declared by a trusted super-class of an untrusted
- subclass. */
-static mst_Boolean is_instance_variable_read_only (int index);
-
/* This looks for SYMBOL among the arguments and temporary variables
that the current scope sees, and returns the entry in the symbol
list for the variable if it is found. */
@@ -1002,7 +996,7 @@ _gst_find_variable (symbol_entry * se,
if (index >= 0)
{
fill_symbol_entry (se, SCOPE_RECEIVER,
- is_instance_variable_read_only (index),
+ false,
symbol, index, 0);
return (true);
}
@@ -1015,30 +1009,11 @@ _gst_find_variable (symbol_entry * se,
index = _gst_add_forced_object (varAssoc);
fill_symbol_entry (se, SCOPE_GLOBAL,
- (_gst_curr_method->v_method.untrusted
- && !IS_OOP_UNTRUSTED (varAssoc)),
+ false,
varAssoc, index, 0);
return (true);
}
-static mst_Boolean
-is_instance_variable_read_only (int index)
-{
- int numVars;
- OOP class_oop;
-
- if (!_gst_curr_method->v_method.untrusted)
- return (false);
-
- for (class_oop = _gst_curr_method->v_method.currentClass;
- IS_OOP_UNTRUSTED (class_oop);
- class_oop = SUPERCLASS (class_oop))
- ;
-
- numVars = CLASS_FIXED_FIELDS (class_oop);
- return index + 1 <= numVars;
-}
-
static int
instance_variable_index (OOP symbol)
{
diff --git a/packages.xml b/packages.xml
index 2c78064..c6d0e8c 100644
--- a/packages.xml
+++ b/packages.xml
@@ -146,7 +146,6 @@
<file>Object.st</file>
<file>Time.st</file>
<file>FileStream.st</file>
- <file>Security.st</file>
<file>OrderColl.st</file>
<file>CCallable.st</file>
<file>CCallback.st</file>
diff --git a/packages/stinst/parser/STSymTable.st b/packages/stinst/parser/STSymTable.st
index 905b5d1..abf5297 100644
--- a/packages/stinst/parser/STSymTable.st
+++ b/packages/stinst/parser/STSymTable.st
@@ -271,21 +271,18 @@ Object subclass: STSymbolTable [
declareEnvironment: aBehavior [
<category: 'declaring'>
- | i canAlwaysStore inSandbox |
+ | i |
environment := aBehavior.
- inSandbox := thisContext isUntrusted.
i := -1.
- canAlwaysStore := aBehavior isUntrusted.
aBehavior withAllSuperclasses reverseDo:
[:class |
- canAlwaysStore := canAlwaysStore and: [class isUntrusted].
class instVarNames do:
[:iv |
instVars at: iv asSymbol
put: (STVariable
id: (i := i + 1)
scope: 0
- canStore: (canAlwaysStore or: [inSandbox not]))]].
+ canStore: true)]].
self declareGlobals
]
diff --git a/tests/Makefile.am b/tests/Makefile.am
index f227386..8d9f2a9 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -15,7 +15,7 @@ lists.ok lists.st lists1.ok lists1.st lists2.ok lists2.st matrix.ok \
matrix.st methcall.ok methcall.st mutate.ok mutate.st nestedloop.ok \
nestedloop.st objects.ok objects.st objinst.ok \
objinst.st processes.ok processes.st prodcons.ok prodcons.st quit.ok \
-quit.st random-bench.ok random-bench.st untrusted.ok untrusted.st sets.ok \
+quit.st random-bench.ok random-bench.st sets.ok \
sets.st sieve.ok sieve.st strcat.ok strcat.st strings.ok strings.st \
pools.ok pools.st Ansi.st AnsiDB.st AnsiInit.st AnsiLoad.st AnsiRun.st \
stcompiler.st stcompiler.ok shape.st shape.ok
diff --git a/tests/testsuite.at b/tests/testsuite.at
index 7e33bf3..d661b3d 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -46,7 +46,6 @@ AT_DIFF_TEST([cobjects.st])
AT_DIFF_TEST([compiler.st])
AT_DIFF_TEST([fileext.st])
AT_DIFF_TEST([mutate.st])
-AT_DIFF_TEST([untrusted.st])
AT_DIFF_TEST([getopt.st])
AT_DIFF_TEST([quit.st])
AT_DIFF_TEST([pools.st])
--
1.7.10.4
>From 2205c4cd10d7295a1b686feb09e2ae3b81ca1c82 Mon Sep 17 00:00:00 2001
From: Gwenael Casaccio <[email protected]>
Date: Mon, 7 Jan 2013 16:12:10 +0100
Subject: [PATCH 2/2] remove the Smalltalk code
---
kernel/Security.st | 270 ----------------------------------------------------
1 file changed, 270 deletions(-)
delete mode 100644 kernel/Security.st
diff --git a/kernel/Security.st b/kernel/Security.st
deleted file mode 100644
index 93cb7f5..0000000
--- a/kernel/Security.st
+++ /dev/null
@@ -1,270 +0,0 @@
-"======================================================================
-|
-| Security-related Class Definitions
-|
-|
- ======================================================================"
-
-"======================================================================
-|
-| Copyright 2003
-| Free Software Foundation, Inc.
-| Written by Paolo Bonzini.
-|
-| This file is part of the GNU Smalltalk class library.
-|
-| The GNU Smalltalk class library is free software; you can redistribute it
-| and/or modify it under the terms of the GNU Lesser General Public License
-| as published by the Free Software Foundation; either version 2.1, or (at
-| your option) any later version.
-|
-| The GNU Smalltalk class library is distributed in the hope that it will be
-| useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
-| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
-| General Public License for more details.
-|
-| You should have received a copy of the GNU Lesser General Public License
-| along with the GNU Smalltalk class library; see the file COPYING.LIB.
-| If not, write to the Free Software Foundation, 59 Temple Place - Suite
-| 330, Boston, MA 02110-1301, USA.
-|
- ======================================================================"
-
-
-�
-Object subclass: Permission [
- | name actions target positive |
-
- <category: 'Language-Security'>
- <comment: 'I am the basic class that represents whether operations that could harm
-the system''s security are allowed or denied.'>
-
- Permission class >> name: aSymbol target: aTarget actions: actionsArray [
- <category: 'testing'>
- ^(self new)
- name: aSymbol;
- target: aTarget;
- actions: actionsArray;
- yourself
- ]
-
- Permission class >> name: aSymbol target: aTarget action: action [
- <category: 'testing'>
- ^self
- name: aSymbol
- target: aTarget
- actions: {action}
- ]
-
- Permission class >> allowing: aSymbol target: aTarget actions: actionsArray [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: actionsArray) allow
- ]
-
- Permission class >> allowing: aSymbol target: aTarget action: action [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: {action}) allow
- ]
-
- Permission class >> denying: aSymbol target: aTarget actions: actionsArray [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: actionsArray) deny
- ]
-
- Permission class >> denying: aSymbol target: aTarget action: action [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: {action}) deny
- ]
-
- Permission class >> granting: aSymbol target: aTarget actions: actionsArray [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: actionsArray) allow
- ]
-
- Permission class >> granting: aSymbol target: aTarget action: action [
- <category: 'testing'>
- ^(self
- name: aSymbol
- target: aTarget
- actions: {action}) allow
- ]
-
- check: aPermission for: anObject [
- <category: 'testing'>
- ^(self implies: aPermission)
- ifTrue: [self isAllowing]
- ifFalse: [anObject isUntrusted not]
- ]
-
- implies: aPermission [
- <category: 'testing'>
- aPermission name = name ifFalse: [^false].
- (self target notNil and: [aPermission target notNil])
- ifTrue:
- [(self target isString and: [aPermission target isString])
- ifTrue: [(self target match: aPermission target) ifFalse: [^false]]
- ifFalse: [self target == aPermission target ifFalse: [^false]]].
- (self actions notNil and: [aPermission actions notNil])
- ifTrue:
- [aPermission actions size = 1
- ifTrue: [^self actions includes: (aPermission at: 1)].
- ^aPermission actions allSatisfy: [:each | self actions includes: each]].
- ^true
- ]
-
- action: anObject [
- <category: 'accessing'>
- self actions: {anObject}
- ]
-
- actions [
- <category: 'accessing'>
- ^actions
- ]
-
- actions: anObject [
- <category: 'accessing'>
- actions isNil
- ifFalse: [self error: 'can set permission actions only once'].
- (actions allSatisfy: [:each | each isSymbol])
- ifFalse: [self error: 'actions must be symbols'].
- actions := anObject copy asArray
- ]
-
- allow [
- <category: 'accessing'>
- positive isNil ifFalse: [self error: 'can set allow/deny only once'].
- positive := true
- ]
-
- allowing [
- <category: 'accessing'>
- | savePositive result |
- savePositive := positive.
- positive := true.
- result := self copy.
- positive := savePositive.
- ^result
- ]
-
- deny [
- <category: 'accessing'>
- positive isNil ifFalse: [self error: 'can set allow/deny only once'].
- positive := false
- ]
-
- denying [
- <category: 'accessing'>
- | savePositive result |
- savePositive := positive.
- positive := false.
- result := self copy.
- positive := savePositive.
- ^result
- ]
-
- isAllowing [
- <category: 'accessing'>
- ^positive
- ]
-
- name [
- <category: 'accessing'>
- ^name
- ]
-
- name: anObject [
- <category: 'accessing'>
- name isNil ifFalse: [self error: 'can set permission name only once'].
- anObject isSymbol
- ifFalse: [self error: 'permission name must be a symbol'].
- name := anObject copy
- ]
-
- target [
- <category: 'accessing'>
- ^target
- ]
-
- target: anObject [
- <category: 'accessing'>
- target isNil ifFalse: [self error: 'can set permission target only once'].
- (target allSatisfy: [:each | each isSymbol])
- ifFalse: [self error: 'target must be symbols'].
- target := anObject copy
- ]
-]
-
-
-�
-Object subclass: SecurityPolicy [
- | dictionary owner |
-
- <category: 'Language-Security'>
- <comment: 'I am the class that represents which operations that could harm
-the system''s security are allowed or denied to a particular class. If
-a class does not have a policy, it is allowed everything if it is trusted,
-and denied everything if it is untrusted'>
-
- addPermission: aPermission [
- <category: 'modifying'>
- owner isNil
- ifFalse: [thisContext securityCheckFor: #securityManagement target: owner].
- dictionary isNil ifTrue: [dictionary := IdentityDictionary new].
- (dictionary at: aPermission name ifAbsentPut: [OrderedCollection new])
- add: aPermission allowing
- ]
-
- removePermission: aPermission [
- <category: 'modifying'>
- owner isNil
- ifFalse: [thisContext securityCheckFor: #securityManagement target: owner].
- dictionary isNil ifTrue: [dictionary := IdentityDictionary new].
- (dictionary at: aPermission name ifAbsentPut: [OrderedCollection new])
- add: aPermission denying
- ]
-
- withOwner: aClass [
- <category: 'modifying'>
- ^(self copy)
- owner: aClass;
- yourself
- ]
-
- owner: aClass [
- <category: 'modifying'>
- thisContext securityCheckFor: #securityManagement target: aClass.
- dictionary := dictionary deepCopy.
- owner := aClass.
- ^self
- ]
-
- check: aPermission [
- <category: 'querying'>
- ^(dictionary at: aPermission name ifAbsent: [#()])
- inject: owner isUntrusted not
- into: [:old :perm | (perm implies: aPermission) ifTrue: [perm isAllowing] ifFalse: [old]]
- ]
-
- implies: aPermission [
- <category: 'querying'>
- ^(dictionary at: aPermission name ifAbsent: [#()]) inject: false
- into: [:old :perm | (perm implies: aPermission) ifTrue: [perm isAllowing] ifFalse: [old]]
- ]
-]
-
--
1.7.10.4
_______________________________________________
help-smalltalk mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-smalltalk
