changeset 1481:e6bb9489faac

8139905: Add a convenience AccessControlContext factory Reviewed-by: hannesw, sundar
author attila
date Wed, 21 Oct 2015 10:41:54 +0200
parents 490cafd88488
children d35aa8beb997
files src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/ClassLoaderGetterContextProvider.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/ClassMap.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/DynamicLinkerFactory.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/TypeConverterFactory.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CallerSensitiveDynamicMethod.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CheckRestrictedPackage.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/ClassString.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/OverloadedDynamicMethod.java src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/internal/AccessControlContextFactory.java src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/AccessControlContextFactory.java src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornCallSiteDescriptor.java src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornLinker.java
diffstat 13 files changed, 211 insertions(+), 141 deletions(-) [+]
line wrap: on
line diff
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/ClassLoaderGetterContextProvider.java	Tue Oct 20 23:34:46 2015 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,110 +0,0 @@
-/*
- * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * This file is available under and governed by the GNU General Public
- * License version 2 only, as published by the Free Software Foundation.
- * However, the following notice accompanied the original version of this
- * file, and Oracle licenses the original version of this file under the BSD
- * license:
- */
-/*
-   Copyright 2009-2013 Attila Szegedi
-
-   Licensed under both the Apache License, Version 2.0 (the "Apache License")
-   and the BSD License (the "BSD License"), with licensee being free to
-   choose either of the two at their discretion.
-
-   You may not use this file except in compliance with either the Apache
-   License or the BSD License.
-
-   If you choose to use this file in compliance with the Apache License, the
-   following notice applies to you:
-
-       You may obtain a copy of the Apache License at
-
-           http://www.apache.org/licenses/LICENSE-2.0
-
-       Unless required by applicable law or agreed to in writing, software
-       distributed under the License is distributed on an "AS IS" BASIS,
-       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-       implied. See the License for the specific language governing
-       permissions and limitations under the License.
-
-   If you choose to use this file in compliance with the BSD License, the
-   following notice applies to you:
-
-       Redistribution and use in source and binary forms, with or without
-       modification, are permitted provided that the following conditions are
-       met:
-       * Redistributions of source code must retain the above copyright
-         notice, this list of conditions and the following disclaimer.
-       * Redistributions in binary form must reproduce the above copyright
-         notice, this list of conditions and the following disclaimer in the
-         documentation and/or other materials provided with the distribution.
-       * Neither the name of the copyright holder nor the names of
-         contributors may be used to endorse or promote products derived from
-         this software without specific prior written permission.
-
-       THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
-       IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-       TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
-       PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT HOLDER
-       BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
-       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-package jdk.internal.dynalink;
-
-import java.security.AccessControlContext;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-
-/**
- * This class exposes a canonical {@link AccessControlContext} with a single {@link RuntimePermission} for
- * {@code "getClassLoader"} permission that is used by other parts of the code to narrow their set of permissions when
- * they're retrieving class loaders in privileged blocks.
- */
-final class ClassLoaderGetterContextProvider {
-    /**
-     * Canonical instance of {@link AccessControlContext} with a single {@link RuntimePermission} for
-     * {@code "getClassLoader"} permission.
-     */
-    static final AccessControlContext GET_CLASS_LOADER_CONTEXT;
-    static {
-        final Permissions perms = new Permissions();
-        perms.add(new RuntimePermission("getClassLoader"));
-        GET_CLASS_LOADER_CONTEXT = new AccessControlContext(
-                new ProtectionDomain[] { new ProtectionDomain(null, perms) });
-    }
-
-    private ClassLoaderGetterContextProvider() {
-    }
-}
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/ClassMap.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/ClassMap.java	Wed Oct 21 10:41:54 2015 +0200
@@ -85,12 +85,14 @@
 
 import java.lang.ref.Reference;
 import java.lang.ref.SoftReference;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.WeakHashMap;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.internal.InternalTypeUtilities;
 
 /**
@@ -100,6 +102,9 @@
  * @param <T> the type of the values in the map
  */
 abstract class ClassMap<T> {
+    private static final AccessControlContext GET_CLASS_LOADER_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext("getClassLoader");
+
     private final ConcurrentMap<Class<?>, T> map = new ConcurrentHashMap<>();
     private final Map<Class<?>, Reference<T>> weakMap = new WeakHashMap<>();
     private final ClassLoader classLoader;
@@ -155,7 +160,7 @@
             public Boolean run() {
                 return InternalTypeUtilities.canReferenceDirectly(classLoader, clazz.getClassLoader());
             }
-        }, ClassLoaderGetterContextProvider.GET_CLASS_LOADER_CONTEXT);
+        }, GET_CLASS_LOADER_CONTEXT);
 
         // If allowed to strongly reference, put it in the fast map
         if(canReferenceDirectly) {
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/DynamicLinkerFactory.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/DynamicLinkerFactory.java	Wed Oct 21 10:41:54 2015 +0200
@@ -86,6 +86,7 @@
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodType;
 import java.lang.invoke.MutableCallSite;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
@@ -101,6 +102,7 @@
 import java.util.Set;
 import java.util.function.Supplier;
 import jdk.internal.dynalink.beans.BeansLinker;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.linker.GuardedInvocation;
 import jdk.internal.dynalink.linker.GuardedInvocationTransformer;
 import jdk.internal.dynalink.linker.GuardingDynamicLinker;
@@ -128,6 +130,9 @@
  * category usually includes {@link BeansLinker}.
  */
 public final class DynamicLinkerFactory {
+    private static final AccessControlContext GET_CLASS_LOADER_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext("getClassLoader");
+
     /**
      * Default value for {@link #setUnstableRelinkThreshold(int) unstable relink
      * threshold}.
@@ -495,7 +500,7 @@
             public ClassLoader run() {
                 return Thread.currentThread().getContextClassLoader();
             }
-        }, ClassLoaderGetterContextProvider.GET_CLASS_LOADER_CONTEXT);
+        }, GET_CLASS_LOADER_CONTEXT);
     }
 
     private static void addClasses(final Set<Class<? extends GuardingDynamicLinker>> knownLinkerClasses,
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/TypeConverterFactory.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/TypeConverterFactory.java	Wed Oct 21 10:41:54 2015 +0200
@@ -88,11 +88,13 @@
 import java.lang.invoke.MethodHandles.Lookup;
 import java.lang.invoke.MethodType;
 import java.lang.invoke.WrongMethodTypeException;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.function.Supplier;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.linker.ConversionComparator;
 import jdk.internal.dynalink.linker.ConversionComparator.Comparison;
 import jdk.internal.dynalink.linker.GuardedInvocation;
@@ -107,6 +109,8 @@
  * instances and creates appropriate converters for method handles.
  */
 final class TypeConverterFactory {
+    private static final AccessControlContext GET_CLASS_LOADER_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext("getClassLoader");
 
     private final GuardingTypeConverterFactory[] factories;
     private final ConversionComparator[] comparators;
@@ -172,7 +176,7 @@
             public ClassLoader run() {
                 return clazz.getClassLoader();
             }
-        }, ClassLoaderGetterContextProvider.GET_CLASS_LOADER_CONTEXT);
+        }, GET_CLASS_LOADER_CONTEXT);
     }
 
     /**
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CallerSensitiveDynamicMethod.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CallerSensitiveDynamicMethod.java	Wed Oct 21 10:41:54 2015 +0200
@@ -91,9 +91,11 @@
 import java.lang.reflect.Member;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import jdk.internal.dynalink.CallSiteDescriptor;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.linker.support.Lookup;
 
 /**
@@ -103,6 +105,10 @@
  * every request.
  */
 class CallerSensitiveDynamicMethod extends SingleDynamicMethod {
+    private static final AccessControlContext GET_LOOKUP_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext(
+                    CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+
     // Typed as "AccessibleObject" as it can be either a method or a constructor.
     // If we were Java8-only, we could use java.lang.reflect.Executable
     private final AccessibleObject target;
@@ -148,8 +154,8 @@
     @Override
     MethodHandle getTarget(final CallSiteDescriptor desc) {
         final MethodHandles.Lookup lookup = AccessController.doPrivileged(
-                (PrivilegedAction<MethodHandles.Lookup>)()->desc.getLookup(), null,
-                CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+                (PrivilegedAction<MethodHandles.Lookup>)()->desc.getLookup(),
+                GET_LOOKUP_CONTEXT);
 
         if(target instanceof Method) {
             final MethodHandle mh = Lookup.unreflect(lookup, (Method)target);
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CheckRestrictedPackage.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/CheckRestrictedPackage.java	Wed Oct 21 10:41:54 2015 +0200
@@ -86,15 +86,15 @@
 import java.lang.reflect.Modifier;
 import java.security.AccessControlContext;
 import java.security.AccessController;
-import java.security.Permissions;
 import java.security.PrivilegedAction;
-import java.security.ProtectionDomain;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 
 /**
  * A utility class to check whether a given class is in a package with restricted access e.g. "sun.*" etc.
  */
 class CheckRestrictedPackage {
-    private static final AccessControlContext NO_PERMISSIONS_CONTEXT = createNoPermissionsContext();
+    private static final AccessControlContext NO_PERMISSIONS_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext();
 
     /**
      * Returns true if the class is either not public, or it resides in a package with restricted access.
@@ -131,8 +131,4 @@
         }
         return false;
     }
-
-    private static AccessControlContext createNoPermissionsContext() {
-        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
-    }
 }
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/ClassString.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/ClassString.java	Wed Oct 21 10:41:54 2015 +0200
@@ -85,11 +85,12 @@
 
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodType;
+import java.security.AccessControlContext;
 import java.security.AccessController;
-import java.security.Permission;
 import java.security.PrivilegedAction;
 import java.util.LinkedList;
 import java.util.List;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.internal.InternalTypeUtilities;
 import jdk.internal.dynalink.linker.LinkerServices;
 import jdk.internal.dynalink.linker.support.TypeUtilities;
@@ -100,7 +101,8 @@
  * JLS.
  */
 final class ClassString {
-    private static final Permission GET_CLASS_LOADER_PERMISSION = new RuntimePermission("getClassLoader");
+    private static final AccessControlContext GET_CLASS_LOADER_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext("getClassLoader");
 
     /**
      * An anonymous inner class used solely to represent the "type" of null values for method applicability checking.
@@ -158,7 +160,7 @@
                 }
                 return true;
             }
-        }, null, GET_CLASS_LOADER_PERMISSION);
+        }, GET_CLASS_LOADER_CONTEXT);
     }
 
     List<MethodHandle> getMaximallySpecifics(final List<MethodHandle> methods, final LinkerServices linkerServices, final boolean varArg) {
--- a/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/OverloadedDynamicMethod.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/beans/OverloadedDynamicMethod.java	Wed Oct 21 10:41:54 2015 +0200
@@ -87,9 +87,7 @@
 import java.lang.invoke.MethodType;
 import java.security.AccessControlContext;
 import java.security.AccessController;
-import java.security.Permissions;
 import java.security.PrivilegedAction;
-import java.security.ProtectionDomain;
 import java.text.Collator;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -101,6 +99,7 @@
 import java.util.Set;
 import jdk.internal.dynalink.CallSiteDescriptor;
 import jdk.internal.dynalink.beans.ApplicableOverloadedMethods.ApplicabilityTest;
+import jdk.internal.dynalink.internal.AccessControlContextFactory;
 import jdk.internal.dynalink.internal.InternalTypeUtilities;
 import jdk.internal.dynalink.linker.LinkerServices;
 
@@ -231,14 +230,10 @@
         }
     }
 
-    private static final AccessControlContext GET_CALL_SITE_CLASS_LOADER_CONTEXT;
-    static {
-        final Permissions perms = new Permissions();
-        perms.add(new RuntimePermission("getClassLoader"));
-        perms.add(CallSiteDescriptor.GET_LOOKUP_PERMISSION);
-        GET_CALL_SITE_CLASS_LOADER_CONTEXT = new AccessControlContext(
-                new ProtectionDomain[] { new ProtectionDomain(null, perms) });
-    }
+    private static final AccessControlContext GET_CALL_SITE_CLASS_LOADER_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext(
+                    new RuntimePermission("getClassLoader"),
+                    CallSiteDescriptor.GET_LOOKUP_PERMISSION);
 
     private static ClassLoader getCallSiteClassLoader(final CallSiteDescriptor callSiteDescriptor) {
         return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/internal/dynalink/internal/AccessControlContextFactory.java	Wed Oct 21 10:41:54 2015 +0200
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.dynalink.internal;
+
+import java.security.AccessControlContext;
+import java.security.Permission;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+import java.util.stream.Stream;
+
+/**
+ * Utility class for creating permission-restricting {@link AccessControlContext}s.
+ */
+public final class AccessControlContextFactory {
+    private AccessControlContextFactory () {
+    }
+
+    /**
+     * Creates an access control context with no permissions.
+     * @return an access control context with no permissions.
+     */
+    public static AccessControlContext createAccessControlContext() {
+        return createAccessControlContext(new Permission[0]);
+    }
+
+    /**
+     * Creates an access control context limited to only the specified permissions.
+     * @param permissions the permissions for the newly created access control context.
+     * @return a new access control context limited to only the specified permissions.
+     */
+    public static AccessControlContext createAccessControlContext(final Permission... permissions) {
+        final Permissions perms = new Permissions();
+        for(final Permission permission: permissions) {
+            perms.add(permission);
+        }
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    /**
+     * Creates an access control context limited to only the {@link RuntimePermission}s
+     * of the given names.
+     * @param runtimePermissionNames the names of runtime permissions for the
+     * newly created access control context.
+     * @return a new access control context limited to only the runtime
+     * permissions with the specified names.
+     */
+    public static AccessControlContext createAccessControlContext(final String... runtimePermissionNames) {
+        return createAccessControlContext(makeRuntimePermissions(runtimePermissionNames));
+    }
+
+    private static Permission[] makeRuntimePermissions(final String... runtimePermissionNames) {
+        return Stream.of(runtimePermissionNames).map(RuntimePermission::new).toArray(Permission[]::new);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/AccessControlContextFactory.java	Wed Oct 21 10:41:54 2015 +0200
@@ -0,0 +1,77 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.nashorn.internal.runtime;
+
+import java.security.AccessControlContext;
+import java.security.Permission;
+import java.security.Permissions;
+import java.security.ProtectionDomain;
+import java.util.stream.Stream;
+
+/**
+ * Utility class for creating permission-restricting {@link AccessControlContext}s.
+ */
+public final class AccessControlContextFactory {
+    private AccessControlContextFactory () {
+    }
+
+    /**
+     * Creates an access control context with no permissions.
+     * @return an access control context with no permissions.
+     */
+    public static AccessControlContext createAccessControlContext() {
+        return createAccessControlContext(new Permission[0]);
+    }
+
+    /**
+     * Creates an access control context limited to only the specified permissions.
+     * @param permissions the permissions for the newly created access control context.
+     * @return a new access control context limited to only the specified permissions.
+     */
+    public static AccessControlContext createAccessControlContext(final Permission... permissions) {
+        final Permissions perms = new Permissions();
+        for(final Permission permission: permissions) {
+            perms.add(permission);
+        }
+        return new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, perms) });
+    }
+
+    /**
+     * Creates an access control context limited to only the {@link RuntimePermission}s
+     * of the given names.
+     * @param runtimePermissionNames the names of runtime permissions for the
+     * newly created access control context.
+     * @return a new access control context limited to only the runtime
+     * permissions with the specified names.
+     */
+    public static AccessControlContext createAccessControlContext(final String... runtimePermissionNames) {
+        return createAccessControlContext(makeRuntimePermissions(runtimePermissionNames));
+    }
+
+    private static Permission[] makeRuntimePermissions(final String... runtimePermissionNames) {
+        return Stream.of(runtimePermissionNames).map(RuntimePermission::new).toArray(Permission[]::new);
+    }
+}
--- a/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/ScriptFunction.java	Wed Oct 21 10:41:54 2015 +0200
@@ -29,12 +29,12 @@
 import static jdk.nashorn.internal.runtime.ECMAErrors.typeError;
 import static jdk.nashorn.internal.runtime.ScriptRuntime.UNDEFINED;
 import static jdk.nashorn.internal.runtime.UnwarrantedOptimismException.INVALID_PROGRAM_POINT;
-
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodHandles.Lookup;
 import java.lang.invoke.MethodType;
 import java.lang.invoke.SwitchPoint;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
@@ -127,6 +127,9 @@
     // Marker object for lazily initialized prototype object
     private static final Object LAZY_PROTOTYPE = new Object();
 
+    private static final AccessControlContext GET_LOOKUP_PERMISSION_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext(CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+
     private static PropertyMap createStrictModeMap(final PropertyMap map) {
         final int flags = Property.NOT_ENUMERABLE | Property.NOT_CONFIGURABLE;
         PropertyMap newMap = map;
@@ -961,8 +964,8 @@
 
     private static Lookup getLookupPrivileged(final CallSiteDescriptor desc) {
         // NOTE: we'd rather not make NashornCallSiteDescriptor.getLookupPrivileged public.
-        return AccessController.doPrivileged((PrivilegedAction<Lookup>)()->desc.getLookup(), null,
-                CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+        return AccessController.doPrivileged((PrivilegedAction<Lookup>)()->desc.getLookup(),
+                GET_LOOKUP_PERMISSION_CONTEXT);
     }
 
     private GuardedInvocation createApplyOrCallCall(final boolean isApply, final CallSiteDescriptor desc, final LinkRequest request, final Object[] args) {
--- a/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornCallSiteDescriptor.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornCallSiteDescriptor.java	Wed Oct 21 10:41:54 2015 +0200
@@ -28,6 +28,7 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodHandles.Lookup;
 import java.lang.invoke.MethodType;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.concurrent.ConcurrentHashMap;
@@ -35,6 +36,7 @@
 import jdk.internal.dynalink.CallSiteDescriptor;
 import jdk.internal.dynalink.support.AbstractCallSiteDescriptor;
 import jdk.nashorn.internal.ir.debug.NashornTextifier;
+import jdk.nashorn.internal.runtime.AccessControlContextFactory;
 import jdk.nashorn.internal.runtime.ScriptRuntime;
 
 /**
@@ -106,6 +108,9 @@
         }
     };
 
+    private static final AccessControlContext GET_LOOKUP_PERMISSION_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext(CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+
     private final MethodHandles.Lookup lookup;
     private final String operator;
     private final String operand;
@@ -208,8 +213,8 @@
         if (csd instanceof NashornCallSiteDescriptor) {
             return ((NashornCallSiteDescriptor)csd).lookup;
         }
-        return AccessController.doPrivileged((PrivilegedAction<Lookup>)()->csd.getLookup(), null,
-                CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+        return AccessController.doPrivileged((PrivilegedAction<Lookup>)()->csd.getLookup(),
+                GET_LOOKUP_PERMISSION_CONTEXT);
     }
 
     @Override
--- a/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornLinker.java	Tue Oct 20 23:34:46 2015 +0200
+++ b/src/jdk.scripting.nashorn/share/classes/jdk/nashorn/internal/runtime/linker/NashornLinker.java	Wed Oct 21 10:41:54 2015 +0200
@@ -31,6 +31,7 @@
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.Collection;
@@ -53,6 +54,7 @@
 import jdk.nashorn.api.scripting.ScriptObjectMirror;
 import jdk.nashorn.api.scripting.ScriptUtils;
 import jdk.nashorn.internal.objects.NativeArray;
+import jdk.nashorn.internal.runtime.AccessControlContextFactory;
 import jdk.nashorn.internal.runtime.JSType;
 import jdk.nashorn.internal.runtime.ListAdapter;
 import jdk.nashorn.internal.runtime.ScriptFunction;
@@ -64,6 +66,9 @@
  * includes {@link ScriptFunction} and its subclasses) as well as {@link Undefined}.
  */
 final class NashornLinker implements TypeBasedGuardingDynamicLinker, GuardingTypeConverterFactory, ConversionComparator {
+    private static final AccessControlContext GET_LOOKUP_PERMISSION_CONTEXT =
+            AccessControlContextFactory.createAccessControlContext(CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+
     private static final ClassValue<MethodHandle> ARRAY_CONVERTERS = new ClassValue<MethodHandle>() {
         @Override
         protected MethodHandle computeValue(final Class<?> type) {
@@ -171,7 +176,7 @@
             public MethodHandles.Lookup run() {
                 return lookupSupplier.get();
             }
-        }, null, CallSiteDescriptor.GET_LOOKUP_PERMISSION);
+        }, GET_LOOKUP_PERMISSION_CONTEXT);
     }
 
     /**