Adapt JDK-8338411: Implement JEP 486: Permanently Disable the Security Manager.

Author: mur47x111

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/JavaLangSubstitutions.java

@@ -428,6 +428,7 @@ private static String getProperty(String key, String def) {
      * passed to the image builder.
      */
     @Alias @RecomputeFieldValue(kind = Kind.FromAlias, isFinal = true) //
+    @TargetElement(onlyWith =  JDK21OrEarlier.class)
     private static int allowSecurityManager = 1;
 
     /**
@@ -440,6 +441,7 @@ private static String getProperty(String key, String def) {
      */
     @Substitute
     @SuppressWarnings({"removal", "javadoc"})
+    @TargetElement(onlyWith =  JDK21OrEarlier.class)
     private static void setSecurityManager(SecurityManager sm) {
         if (sm != null) {
             /* Read the property collected at isolate creation as that is what happens on the JVM */

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/SecuritySubstitutions.java

@@ -75,7 +75,7 @@
  * All security checks are disabled.
  */
 
-@TargetClass(java.security.AccessController.class)
+@TargetClass(value = java.security.AccessController.class, onlyWith = JDK21OrEarlier.class)
 @Platforms(InternalPlatform.NATIVE_ONLY.class)
 @SuppressWarnings({"unused"})
 final class Target_java_security_AccessController {
@@ -432,11 +432,11 @@ public boolean test(Class<?> originalClass) {
     }
 }
 
-@TargetClass(value = java.security.Policy.class, innerClass = "PolicyInfo")
+@TargetClass(value = java.security.Policy.class, innerClass = "PolicyInfo", onlyWith = JDK21OrEarlier.class)
 final class Target_java_security_Policy_PolicyInfo {
 }
 
-@TargetClass(java.security.Policy.class)
+@TargetClass(value = java.security.Policy.class, onlyWith = JDK21OrEarlier.class)
 final class Target_java_security_Policy {
 
     @Delete //
@@ -503,7 +503,7 @@ public boolean implies(ProtectionDomain domain, Permission permission) {
  * version is more fool-proof in case someone manually registers security providers for reflective
  * instantiation.
  */
-@TargetClass(className = "sun.security.provider.PolicySpiFile")
+@TargetClass(className = "sun.security.provider.PolicySpiFile", onlyWith = JDK21OrEarlier.class)
 @SuppressWarnings({"unused", "static-method", "deprecation"})
 final class Target_sun_security_provider_PolicySpiFile {
 
@@ -536,7 +536,7 @@ private void engineRefresh() {
 }
 
 @Delete("Substrate VM does not use SecurityManager, so loading a security policy file would be misleading")
-@TargetClass(className = "sun.security.provider.PolicyFile")
+@TargetClass(className = "sun.security.provider.PolicyFile", onlyWith = JDK21OrEarlier.class)
 final class Target_sun_security_provider_PolicyFile {
 }
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/jdk/Target_java_security_AccessControlContext.java

@@ -32,9 +32,10 @@
 import com.oracle.svm.core.annotate.Substitute;
 import com.oracle.svm.core.annotate.TargetClass;
 
+import com.oracle.svm.core.annotate.TargetElement;
 import sun.security.util.Debug;
 
-@TargetClass(java.security.AccessControlContext.class)
+@TargetClass(value = java.security.AccessControlContext.class, onlyWith =  JDK21OrEarlier.class)
 final class Target_java_security_AccessControlContext {
 
     @Alias //

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/JavaThreads.java

@@ -382,7 +382,9 @@ static void initializeNewThread(
 
         PlatformThreads.setThreadStatus(fromTarget(tjlt), ThreadStatus.NEW);
 
-        tjlt.inheritedAccessControlContext = acc != null ? acc : AccessController.getContext();
+        if (JavaVersionUtil.JAVA_SPEC == 21) {
+            tjlt.inheritedAccessControlContext = acc != null ? acc : AccessController.getContext();
+        }
 
         initNewThreadLocalsAndLoader(tjlt, inheritThreadLocals, parent);
 

substratevm/src/com.oracle.svm.core/src/com/oracle/svm/core/thread/Target_java_lang_Thread.java

@@ -31,6 +31,8 @@
 import java.util.Map;
 import java.util.Objects;
 
+import com.oracle.svm.core.jdk.JDKUtils;
+import jdk.graal.compiler.serviceprovider.JavaVersionUtil;
 import org.graalvm.nativeimage.IsolateThread;
 import org.graalvm.nativeimage.Platforms;
 import org.graalvm.nativeimage.impl.InternalPlatform;
@@ -115,6 +117,7 @@ public final class Target_java_lang_Thread {
      */
     @Alias //
     @RecomputeFieldValue(kind = RecomputeFieldValue.Kind.Reset) //
+    @TargetElement(onlyWith = JDK21OrEarlier.class)
     public AccessControlContext inheritedAccessControlContext;
 
     @Alias //
@@ -252,7 +255,9 @@ private Target_java_lang_Thread(String name, int characteristics, boolean bound)
 
         this.name = (name != null) ? name : "";
         this.tid = Target_java_lang_Thread_ThreadIdentifiers.next();
-        this.inheritedAccessControlContext = Target_java_lang_Thread_Constants.NO_PERMISSIONS_ACC;
+        if (JavaVersionUtil.JAVA_SPEC == 21) {
+            this.inheritedAccessControlContext = Target_java_lang_Thread_Constants.NO_PERMISSIONS_ACC;
+        }
 
         boolean inheritThreadLocals = (characteristics & NO_INHERIT_THREAD_LOCALS) == 0;
         JavaThreads.initNewThreadLocalsAndLoader(this, inheritThreadLocals, Thread.currentThread());
@@ -538,6 +543,7 @@ boolean isTerminated() {
 final class Target_java_lang_Thread_Constants {
     // Checkstyle: stop
     @SuppressWarnings("removal") //
+    @TargetElement(onlyWith = JDK21OrEarlier.class)
     @Alias static AccessControlContext NO_PERMISSIONS_ACC;
 
     @Alias static ThreadGroup VTHREAD_GROUP;

substratevm/src/com.oracle.svm.hosted/src/com/oracle/svm/hosted/jdk/AccessControlContextReplacerFeature.java

@@ -86,6 +86,11 @@ public void duringSetup(DuringSetupAccess access) {
         access.registerObjectReplacer(AccessControlContextReplacerFeature::replaceAccessControlContext);
     }
 
+    @Override
+    public boolean isInConfiguration(IsInConfigurationAccess access) {
+        return JavaVersionUtil.JAVA_SPEC <= 21;
+    }
+
     private static boolean isSimpleContext(AccessControlContext ctx) {
         /*
          * In addition to aforementioned allow-listed contexts we also allow inclusion of very