security++

Client/src/main/java/com/baseband/client/BaseBand.java

@@ -29,11 +29,11 @@ import java.util.ArrayList;
 @Mod(modid = "baseband")
 public class BaseBand {
     public static int majorVersion = 1;
-    public static int buildNumber = 226;
-    public static String hash = "748755645be3deeb";
+    public static int buildNumber = 230;
+    public static String hash = "ec94c2de63a0191e";
 
     public static String name = "BaseBand";
-    public long timeOfCompile = 1695849907385L;
+    public long timeOfCompile = 1695853741523L;
     public CommandManager commandRegistry;
     public EventBus eventBus;
     public ArrayList<Module> modules = new ArrayList<>();

Loader/src/main/java/org/baseband/launcher/classloader/CustomClassloader.java

@@ -7,16 +7,16 @@
 
 package org.baseband.launcher.classloader;
 
-import de.tudbut.security.DataKeeper;
-import de.tudbut.security.StrictnessBuilder;
+import de.tudbut.security.*;
 import de.tudbut.security.permissionmanager.CallClassRestriction;
 import de.tudbut.security.permissionmanager.HideErrorRestriction;
+import de.tudbut.security.permissionmanager.PermissionOR;
 import net.minecraft.launchwrapper.Launch;
 import org.baseband.launcher.launch.Loader;
 import org.baseband.launcher.util.BBPermissionManager;
+import org.baseband.launcher.util.MixinRestriction;
 import org.spongepowered.asm.service.MixinService;
 import org.spongepowered.asm.service.mojang.MixinServiceLaunchWrapper;
-import de.tudbut.security.AccessKiller;
 import sun.misc.Unsafe;
 
 import java.io.IOException;
@@ -37,7 +37,7 @@ public class CustomClassloader extends ClassLoader {
         AccessKiller.killReflectionFor(CustomClassloader.class, CustomMixinServer.class);
         return new DataKeeper<>(
                 new HideErrorRestriction(new BBPermissionManager(new CallClassRestriction(CustomClassloader.class, CustomMixinServer.class))),
-                StrictnessBuilder.create().property("Restriction.CallClass.MaxDistance", 8).build(),
+                Loader.defaultStrictness,
                 new HashMap<>()
         );
     }
@@ -117,9 +117,15 @@ public class CustomClassloader extends ClassLoader {
 
         private CustomMixinServer() {}
 
+        private final PermissionManager accessControl = new BBPermissionManager(new MixinRestriction());
+        private final Strictness strictness = Loader.defaultStrictness;
+
         @Override
         public byte[] getClassBytes(String name, String transformedName) throws IOException {
-            if (name.startsWith("com.baseband")) {
+            if(!accessControl.checkCaller(strictness)) {
+                accessControl.crash(strictness);
+            }
+            if (name.startsWith("com.baseband.client.mixin")) {
                 final byte[][] bytes = {null};
                 encryptedClasses.access(accessor -> Loader.classKey.access(classKey -> bytes[0] = classKey.getValue().decryptByte(accessor.getValue().get(name))));
                 if (bytes[0] != null) {
@@ -131,7 +137,10 @@ public class CustomClassloader extends ClassLoader {
 
         @Override
         public byte[] getClassBytes(String name, boolean runTransformers) throws ClassNotFoundException, IOException {
-            if (name.startsWith("com.baseband")) {
+            if(!accessControl.checkCaller(strictness)) {
+                accessControl.crash(strictness);
+            }
+            if (name.startsWith("com.baseband.client.mixin")) {
                 final byte[][] bytes = {null};
                 encryptedClasses.access(accessor -> Loader.classKey.access(classKey -> bytes[0] = classKey.getValue().decryptByte(accessor.getValue().get(name))));
                 if (bytes[0] != null) {

Loader/src/main/java/org/baseband/launcher/launch/Loader.java

@@ -6,10 +6,7 @@
 
 package org.baseband.launcher.launch;
 
-import de.tudbut.security.DataKeeper;
-import de.tudbut.security.PermissionManager;
-import de.tudbut.security.Strictness;
-import de.tudbut.security.StrictnessBuilder;
+import de.tudbut.security.*;
 import de.tudbut.security.permissionmanager.CallClassRestriction;
 import de.tudbut.security.permissionmanager.ClassLoaderRestriction;
 import de.tudbut.security.permissionmanager.HideErrorRestriction;
@@ -43,17 +40,27 @@ public class Loader {
     public static DataKeeper<Key> classKey;
     public static DataKeeper<Key> objectKey;
     public static DataKeeper<PermissionManager> permissionManager;
-    public static Strictness defaultStrictness;
+    public static final Strictness defaultStrictness = StrictnessBuilder.create()
+                    .property("Restriction.CallClass.MaxDistance", 10)
+                    .property("Restriction.ClassLoader.MaxDistance", 10)
+                    .property("Restriction.Mixin.MaxDistance", 10)
+                    .property("Restriction.CallClass.RestrictLambda", true) // only allow immediate calls
+                    .property("Restriction.ClassLoader.RestrictLambda", true)
+                    .build();
+
+    static {
+        AccessKiller.killFieldAccess(Loader.class, "defaultStrictness");
+    }
 
     public static void initiate() {
 
+
         PermissionManager mainPermissionManager =
                 new HideErrorRestriction(
                         new BBPermissionManager(
                                 new PermissionOR(
                                         new CallClassRestriction(Loader.class, CustomClassloader.class, CustomClassloader.customMixinServerClass),
                                         new ClassLoaderRestriction(CustomClassloader.class))));
-        defaultStrictness = StrictnessBuilder.create().property("Restriction.CallClass.MaxDistance", 10).property("Restriction.ClassLoader.MaxDistance", 10).build();
 
         permissionManager = new DataKeeper<>(mainPermissionManager, defaultStrictness, mainPermissionManager);
 

Loader/src/main/java/org/baseband/launcher/util/BBPermissionManager.java

@@ -64,9 +64,9 @@ public class BBPermissionManager extends Restriction {
 
     @Override
     public boolean checkCaller(Strictness strictnessLevel) {
-        if(!(System.getSecurityManager() instanceof BaseBandSecurityManager)) {
+        /*if(!(System.getSecurityManager() instanceof BaseBandSecurityManager)) {
             return false;
-        }
+        }*/
 
         //// TudbuT // Are you sure this is this a good idea? it will be called a LOT.
 

Loader/src/main/java/org/baseband/launcher/util/MixinRestriction.java

@@ -0,0 +1,44 @@
+package org.baseband.launcher.util;
+
+import de.tudbut.security.PermissionManager;
+import de.tudbut.security.Strictness;
+import de.tudbut.security.permissionmanager.Restriction;
+
+public class MixinRestriction extends Restriction {
+    private static final String pkg = "org.spongepowered.mixin";
+
+    public MixinRestriction(PermissionManager parent) {
+        super(parent);
+    }
+    public MixinRestriction() {
+        super(null);
+    }
+
+    @Override
+    public boolean checkCaller(Strictness strictnessLevel) {
+        StackTraceElement[] st = Thread.currentThread().getStackTrace();
+        StackTraceElement[] elements;
+        if (strictnessLevel.hasProperty("Restriction.Mixin.MaxDistance")) {
+            int maxDist = strictnessLevel.getIntProperty("Restriction.Mixin.MaxDistance");
+            if (st.length > maxDist) {
+                elements = new StackTraceElement[maxDist];
+                System.arraycopy(st, 0, elements, 0, maxDist);
+                st = elements;
+            }
+        }
+
+        boolean isCalledByAllowed = false;
+        elements = st;
+        int var5 = st.length;
+
+        for(int var6 = 0; var6 < var5; ++var6) {
+            StackTraceElement element = elements[var6];
+            if (element.getClassName().startsWith(pkg)) {
+                isCalledByAllowed = true;
+                break;
+            }
+        }
+
+        return isCalledByAllowed && super.checkCaller(strictnessLevel);
+    }
+}