Make sandbox scope less

Author: Markoutte

utbot-framework/src/main/kotlin/org/utbot/framework/concrete/MockValueConstructor.kt

@@ -45,8 +45,6 @@ import org.mockito.Mockito
 import org.mockito.stubbing.Answer
 import org.objectweb.asm.Type
 import org.utbot.common.withAccessibility
-import java.security.AccessController
-import java.security.PrivilegedAction
 
 /**
  * Constructs values (including mocks) from models.
@@ -226,7 +224,7 @@ class MockValueConstructor(
     }
 
     private fun generateMockitoMock(clazz: Class<*>, mocks: Map<ExecutableId, List<UtModel>>): Any {
-        return AccessController.doPrivileged(PrivilegedAction { Mockito.mock(clazz, generateMockitoAnswer(mocks)) })
+        return Mockito.mock(clazz, generateMockitoAnswer(mocks))
     }
 
     private fun computeConcreteValuesForMethods(

utbot-framework/src/main/kotlin/org/utbot/framework/concrete/UtModelConstructor.kt

@@ -30,8 +30,6 @@ import org.utbot.framework.plugin.api.util.objectClassId
 import org.utbot.framework.plugin.api.util.shortClassId
 import org.utbot.framework.util.valueToClassId
 import java.lang.reflect.Modifier
-import java.security.AccessController
-import java.security.PrivilegedAction
 import java.util.IdentityHashMap
 
 /**
@@ -83,7 +81,7 @@ internal class UtModelConstructor(
      *
      * Handles cache on stateBefore values.
      */
-    override fun construct(value: Any?, classId: ClassId): UtModel = AccessController.doPrivileged(PrivilegedAction {
+    override fun construct(value: Any?, classId: ClassId): UtModel =
         when (value) {
             null -> UtNullModel(classId)
             is Unit -> UtVoidModel
@@ -108,7 +106,6 @@ internal class UtModelConstructor(
             is Class<*> -> constructFromClass(value)
             else -> constructFromAny(value)
         }
-    })
 
     // Q: Is there a way to get rid of duplicated code?
 

utbot-instrumentation/src/main/kotlin/org/utbot/instrumentation/instrumentation/InvokeInstrumentation.kt

@@ -2,6 +2,7 @@ package org.utbot.instrumentation.instrumentation
 
 import org.utbot.common.withAccessibility
 import org.utbot.framework.plugin.api.util.signature
+import org.utbot.instrumentation.process.sandbox
 import java.lang.reflect.Constructor
 import java.lang.reflect.InvocationTargetException
 import java.lang.reflect.Method
@@ -54,7 +55,7 @@ class InvokeInstrumentation : Instrumentation<Result<*>> {
                 is Method ->
                     withAccessibility {
                         runCatching {
-                            invoke(thisObject, *realArgs.toTypedArray()).let {
+                            sandbox { invoke(thisObject, *realArgs.toTypedArray()) }.let {
                                 if (returnType != Void.TYPE) it else Unit
                             } // invocation on method returning void will return null, so we replace it with Unit
                         }
@@ -63,7 +64,7 @@ class InvokeInstrumentation : Instrumentation<Result<*>> {
                 is Constructor<*> ->
                     withAccessibility {
                         runCatching {
-                            newInstance(*realArgs.toTypedArray())
+                            sandbox { newInstance(*realArgs.toTypedArray()) }
                         }
                     }
 

utbot-instrumentation/src/main/kotlin/org/utbot/instrumentation/process/ChildProcess.kt

@@ -134,7 +134,7 @@ private fun loop(instrumentation: Instrumentation<*>) {
                 }
                 System.err.println("warmup finished in $time ms")
             }
-            is Protocol.InvokeMethodCommand -> sandbox {
+            is Protocol.InvokeMethodCommand -> {
                 val resultCmd = try {
                     val clazz = HandlerClassesLoader.loadClass(cmd.className)
                     val res = instrumentation.invoke(

utbot-instrumentation/src/main/kotlin/org/utbot/instrumentation/process/Security.kt

@@ -13,9 +13,9 @@ import java.security.PermissionCollection
 import java.security.Permissions
 import java.security.Policy
 import java.security.PrivilegedAction
+import java.security.PrivilegedActionException
 import java.security.ProtectionDomain
 import java.security.cert.Certificate
-import java.util.PropertyPermission
 
 internal fun permissions(block: SimplePolicy.() -> Unit) {
     val policy = Policy.getPolicy()
@@ -52,8 +52,11 @@ internal fun <T> sandbox(block: () -> T): T {
 internal fun <T> sandbox(file: URI, block: () -> T): T {
     val path = Paths.get(file)
     val perms = mutableListOf<Permission>(
-        RuntimePermission("*"),
-        PropertyPermission("org.mockito.internal.*", "read,write"),
+        RuntimePermission("accessDeclaredMembers"),
+        RuntimePermission("getProtectionDomain"),
+        RuntimePermission("accessClassInPackage.*"),
+        RuntimePermission("getClassLoader"),
+        RuntimePermission("reflectionFactoryAccess"),
         ReflectPermission("*"),
     )
     val allCodeSource = CodeSource(null, emptyArray<Certificate>())
@@ -72,12 +75,11 @@ internal fun <T> sandbox(permission: List<Permission>, cs: CodeSource, block: ()
 
 internal fun <T> sandbox(perms: PermissionCollection, cs: CodeSource, block: () -> T): T {
     val acc = AccessControlContext(arrayOf(ProtectionDomain(cs, perms)))
-    return AccessController.doPrivileged(
-        PrivilegedAction {
-            block()
-        },
-        acc
-    )
+    return try {
+        AccessController.doPrivileged(PrivilegedAction { block() }, acc)
+    } catch (e: PrivilegedActionException) {
+        throw e.exception
+    }
 }
 
 /**