authorThomas Watson2020-01-08 15:18:45 +0000
committerThomas Watson2020-01-10 17:24:39 +0000
commite56c465c78ec234cbd5b39e5da6b24c70b407cef (patch)
tree7b6eca5944eca20d11068edb230a5090f9d76ec2
parent7a2481aa40b36addd5c4cc10464c8637e0ae7e87 (diff)
Bug 558929 - Must handle relative FilePermission paths
Both ConditionalPermissionAdmin and PermissionAdmin must handle relative paths as being relative to a bundle's data area. Change-Id: Ic9565bf368d9cad8b2676e0b2a1bb6d1b1d77cec Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
-rw-r--r--bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java125
-rw-r--r--bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java87
-rw-r--r--bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java31
-rw-r--r--bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java14
4 files changed, 190 insertions, 67 deletions
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java
index 8b2d82837..58a6fe975 100644
--- a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java
@@ -46,6 +46,7 @@ import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;
import org.osgi.service.permissionadmin.PermissionAdmin;
import org.osgi.service.permissionadmin.PermissionInfo;
+@SuppressWarnings("deprecation")
public class SecurityAdminUnitTests extends AbstractBundleTests {
private static final PermissionInfo[] SOCKET_INFOS = new PermissionInfo[] {new PermissionInfo("java.net.SocketPermission", "localhost", "accept")}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
@@ -56,6 +57,8 @@ public class SecurityAdminUnitTests extends AbstractBundleTests {
new PermissionInfo("java.io.FilePermission", "<<ALL FILES>>", "write") //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
};
+ private static final PermissionInfo[] RELATIVE_EXEC_FILE_INFOS = new PermissionInfo[] {new PermissionInfo("java.io.FilePermission", "bin/*", "execute")};
+
private static final PermissionInfo[] RUNTIME_INFOS = new PermissionInfo[] {new PermissionInfo("java.lang.RuntimePermission", "exitVM", null)}; //$NON-NLS-1$ //$NON-NLS-2$
private static final ConditionInfo[] ALLLOCATION_CONDS = new ConditionInfo[] {new ConditionInfo("org.osgi.service.condpermadmin.BundleLocationCondition", new String[] {"*"})}; //$NON-NLS-1$ //$NON-NLS-2$
@@ -91,27 +94,27 @@ public class SecurityAdminUnitTests extends AbstractBundleTests {
private static final long serialVersionUID = 3258131349494708277L;
// A simple PermissionCollection that only has AllPermission
- @Override
+ @Override
public void add(Permission permission) {
//no adding to this policy
}
- @Override
+ @Override
public boolean implies(Permission permission) {
return true;
}
- @Override
+ @Override
public Enumeration elements() {
return new Enumeration() {
int cur = 0;
- @Override
+ @Override
public boolean hasMoreElements() {
return cur < 1;
}
- @Override
+ @Override
public Object nextElement() {
if (cur == 0) {
cur = 1;
@@ -125,12 +128,12 @@ public class SecurityAdminUnitTests extends AbstractBundleTests {
Policy.setPolicy(new Policy() {
- @Override
+ @Override
public PermissionCollection getPermissions(CodeSource codesource) {
return allPermissions;
}
- @Override
+ @Override
public void refresh() {
// nothing
}
@@ -1052,15 +1055,115 @@ public class SecurityAdminUnitTests extends AbstractBundleTests {
}
public void testBug286307() {
- Bundle test = installTestBundle("test.bug286307"); //$NON-NLS-1$
+ Bundle test = installTestBundle("test.bug286307");
AccessControlContext acc = test.adapt(AccessControlContext.class);
- testPermission(acc, new FilePermission("test", "read"), true); //$NON-NLS-1$ //$NON-NLS-2$
+ testPermission(acc, new FilePermission("test", "read"), true);
+ testPermission(acc, new AllPermission(), false);
+ }
+
+ public void testRelativeFilePermission() {
+ Bundle test = installTestBundle(TEST_BUNDLE);
+ File dataArea = test.getDataFile("");
+ File testFile = new File(dataArea, "testFile.txt");
+ File testExecutable = new File(dataArea, "bin/execFile");
+ AccessControlContext acc = test.adapt(AccessControlContext.class);
+
+ // test set by location
+ pa.setPermissions(test.getLocation(), RELATIVE_EXEC_FILE_INFOS);
+
+ testPermission(acc, new FilePermission(testFile.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true);
testPermission(acc, new AllPermission(), false);
+
+ // clear location
+ pa.setPermissions(test.getLocation(), null);
+ // goes back to all permission by default
+ testPermission(acc, new FilePermission(testFile.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "execute"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true);
+ testPermission(acc, new AllPermission(), true);
+
+ // test set by conditions
+ ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate();
+ List rows = update.getConditionalPermissionInfos();
+ rows.add(cpa.newConditionalPermissionInfo(null, getLocationConditions(test.getLocation(), false), RELATIVE_EXEC_FILE_INFOS, ConditionalPermissionInfo.ALLOW));
+ assertTrue("failed to commit", update.commit());
+
+ testPermission(acc, new FilePermission(testFile.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true);
+ testPermission(acc, new AllPermission(), false);
+
+ // update condition to only have read only, not that a bundle always
+ // implicitly has r/w permission to its data area
+ update = cpa.newConditionalPermissionUpdate();
+ rows = update.getConditionalPermissionInfos();
+ rows.clear();
+ rows.add(cpa.newConditionalPermissionInfo(null, getLocationConditions(test.getLocation(), false), READONLY_INFOS, ConditionalPermissionInfo.ALLOW));
+ assertTrue("failed to commit", update.commit());
+
+ testPermission(acc, new FilePermission(testFile.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), false);
+ testPermission(acc, new AllPermission(), false);
+
+ // clear the conditions
+ update = cpa.newConditionalPermissionUpdate();
+ update.getConditionalPermissionInfos().clear();
+ assertTrue("failed to commit", update.commit());
+
+ // test that the default permissions of PA do not handle relative
+ pa.setDefaultPermissions(RELATIVE_EXEC_FILE_INFOS);
+
+ testPermission(acc, new FilePermission(testFile.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true);
+ testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), false);
+ testPermission(acc, new AllPermission(), false);
+
+ // go back to default all permission
+ pa.setDefaultPermissions(null);
+ testPermission(acc, new AllPermission(), true);
+
+ // Test that the ACC returned from CPA.getAccessControlContext does not handle relative file permissions
+ update = cpa.newConditionalPermissionUpdate();
+ rows = update.getConditionalPermissionInfos();
+ rows.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {SIGNER_CONDITION1}, RELATIVE_EXEC_FILE_INFOS, ConditionalPermissionInfo.ALLOW));
+ assertTrue("failed to commit", update.commit());
+
+ File relativeExecutable = new File("bin/executableFile");
+ acc = cpa.getAccessControlContext(new String[] {"cn=t1,c=FR;cn=test1,c=US"});
+ testPermission(acc, new FilePermission(relativeExecutable.getAbsolutePath(), "execute"), false);
+
+ // update CPA to use absolute path
+ update = cpa.newConditionalPermissionUpdate();
+ rows = update.getConditionalPermissionInfos();
+ rows.clear();
+ PermissionInfo[] absExectInfos = new PermissionInfo[] {new PermissionInfo("java.io.FilePermission", relativeExecutable.getAbsolutePath(), "execute")};
+ rows.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {SIGNER_CONDITION1}, absExectInfos, ConditionalPermissionInfo.ALLOW));
+ assertTrue("failed to commit", update.commit());
+
+ testPermission(acc, new FilePermission(relativeExecutable.getAbsolutePath(), "execute"), true);
}
private void checkInfos(ConditionalPermissionInfo testInfo1, ConditionalPermissionInfo testInfo2) {
- assertTrue("Infos are not equal: " + testInfo1.getEncoded() + " " + testInfo2.getEncoded(), testInfo1.equals(testInfo2)); //$NON-NLS-1$ //$NON-NLS-2$
- assertEquals("Info hash code is not equal", testInfo1.hashCode(), testInfo2.hashCode()); //$NON-NLS-1$
+ assertTrue("Infos are not equal: " + testInfo1.getEncoded() + " " + testInfo2.getEncoded(), testInfo1.equals(testInfo2));
+ assertEquals("Info hash code is not equal", testInfo1.hashCode(), testInfo2.hashCode());
}
private void checkBadInfo(String encoded) {
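Review bot: testRelativeFilePermission leaves global policy state behind if any assertion fails part-way, because the `pa.setPermissions`, `pa.setDefaultPermissions` and `update.commit()` calls are not paired with cleanup in a `finally`. The last committed row (the `absExectInfos` one for `SIGNER_CONDITION1`) is never cleared even on success, unless a tearDown outside this hunk resets the tables. I would wrap the body in `try { ... } finally { pa.setPermissions(test.getLocation(), null); pa.setDefaultPermissions(null); /* commit an empty update */ }`. The test also covers only names that stay inside the data area (`bin/*`); a case with a `..` segment in the PermissionInfo name would pin down whether such a name can grant access outside the data area.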
diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java
index ab5a53b36..cb057962e 100644
--- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java
+++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2008, 2017 IBM Corporation and others.
+ * Copyright (c) 2008, 2020 IBM Corporation and others.
*
* This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
@@ -14,6 +14,7 @@
package org.eclipse.osgi.internal.permadmin;
import java.io.File;
+import java.io.FilePermission;
import java.lang.reflect.Constructor;
import java.security.AccessController;
import java.security.AllPermission;
@@ -33,19 +34,31 @@ public final class PermissionInfoCollection extends PermissionCollection {
static private final Class<?> oneStringClassArray[] = new Class[] {String.class};
static private final Class<?> noArgClassArray[] = new Class[] {};
static private final Class<?>[][] permClassArrayArgs = new Class[][] {noArgClassArray, oneStringClassArray, twoStringClassArray};
+ static private final String ALL_PERMISSION_NAME = AllPermission.class.getName();
+ static final String FILE_PERMISSION_NAME = FilePermission.class.getName();
+ static final String ALL_FILES = "<<ALL FILES>>"; //$NON-NLS-1$
- /* @GuardedBy(cachedPermisssionCollections) */
+ /* @GuardedBy(cachedPermissionCollections) */
private final Map<Class<? extends Permission>, PermissionCollection> cachedPermissionCollections = new HashMap<>();
+ private final Map<BundlePermissions, PermissionCollection> cachedRelativeFilePermissionCollections;
private final boolean hasAllPermission;
private final PermissionInfo[] permInfos;
public PermissionInfoCollection(PermissionInfo[] permInfos) {
this.permInfos = permInfos;
boolean tempAllPermissions = false;
- for (int i = 0; i < permInfos.length && !tempAllPermissions; i++)
- if (permInfos[i].getType().equals(AllPermission.class.getName()))
+ boolean allAbsolutePaths = true;
+ for (PermissionInfo info : permInfos) {
+ if (ALL_PERMISSION_NAME.equals(info.getType())) {
tempAllPermissions = true;
+ } else if (FILE_PERMISSION_NAME.equals(info.getType())) {
+ if (!(new File(info.getActions()).isAbsolute())) {
+ allAbsolutePaths = false;
+ }
+ }
+ }
this.hasAllPermission = tempAllPermissions;
+ this.cachedRelativeFilePermissionCollections = allAbsolutePaths ? null : new HashMap<BundlePermissions, PermissionCollection>();
setReadOnly(); // collections are managed with ConditionalPermissionAdmin
}
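Review bot: The absolute-path probe in the constructor reads the wrong field: `new File(info.getActions()).isAbsolute()` tests the action list ("read", "execute", ...), while the path of a FilePermission info is its name, as `addPermissions` and `SecurityAdmin` both use `getName()`. As written `allAbsolutePaths` becomes false for every FilePermission entry, so the per-bundle cache is allocated even when all paths are absolute or `<<ALL FILES>>`. A FilePermission info with null actions makes `new File(null)` throw a NullPointerException out of the constructor. I would change the test to `String name = info.getName();` followed by `if (name != null && !ALL_FILES.equals(name) && !new File(name).isAbsolute()) {`.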
@@ -62,13 +75,14 @@ public final class PermissionInfoCollection extends PermissionCollection {
@Override
public boolean implies(Permission perm) {
+ return implies(null, perm);
+ }
+
+ boolean implies(final BundlePermissions bundlePermissions, Permission perm) {
if (hasAllPermission)
return true;
final Class<? extends Permission> permClass = perm.getClass();
- PermissionCollection collection;
- synchronized (cachedPermissionCollections) {
- collection = cachedPermissionCollections.get(permClass);
- }
+ PermissionCollection collection = getCachedCollection(bundlePermissions, permClass);
// must populate the collection outside of the lock to prevent class loader deadlock
if (collection == null) {
collection = perm.newPermissionCollection();
@@ -80,10 +94,9 @@ public final class PermissionInfoCollection extends PermissionCollection {
AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
- addPermissions(targetCollection, permClass);
+ addPermissions(bundlePermissions, targetCollection, permClass);
return null;
}
-
});
} catch (Exception e) {
@@ -92,23 +105,43 @@ public final class PermissionInfoCollection extends PermissionCollection {
}
throw new SecurityException("Exception creating permissions: " + permClass + ": " + e.getMessage(), e); //$NON-NLS-1$ //$NON-NLS-2$
}
- synchronized (cachedPermissionCollections) {
- // check to see if another thread beat this thread at adding the collection
- PermissionCollection exists = cachedPermissionCollections.get(permClass);
- if (exists != null)
- collection = exists;
- else
+ collection = cacheCollection(bundlePermissions, permClass, collection);
+ }
+ return collection.implies(perm);
+ }
+
+ PermissionCollection getCachedCollection(BundlePermissions bundlePermissions, Class<? extends Permission> permClass) {
+ synchronized (cachedPermissionCollections) {
+ if (bundlePermissions != null && cachedRelativeFilePermissionCollections != null && FILE_PERMISSION_NAME.equals(permClass.getName())) {
+ return cachedRelativeFilePermissionCollections.get(bundlePermissions);
+ }
+ return cachedPermissionCollections.get(permClass);
+ }
+ }
+
+ private PermissionCollection cacheCollection(BundlePermissions bundlePermissions, Class<? extends Permission> permClass, PermissionCollection collection) {
+ synchronized (cachedPermissionCollections) {
+ // check to see if another thread beat this thread at adding the collection
+ boolean relativeFiles = bundlePermissions != null && cachedRelativeFilePermissionCollections != null && FILE_PERMISSION_NAME.equals(permClass.getName());
+ PermissionCollection exists = relativeFiles ? cachedRelativeFilePermissionCollections.get(bundlePermissions) : cachedPermissionCollections.get(permClass);
+ if (exists != null) {
+ collection = exists;
+ } else {
+ if (relativeFiles) {
+ cachedRelativeFilePermissionCollections.put(bundlePermissions, collection);
+ } else {
cachedPermissionCollections.put(permClass, collection);
+ }
}
+ return collection;
}
- return collection.implies(perm);
}
PermissionInfo[] getPermissionInfos() {
return permInfos;
}
- void addPermissions(PermissionCollection collection, Class<? extends Permission> permClass) throws Exception {
+ void addPermissions(BundlePermissions bundlePermissions, PermissionCollection collection, Class<? extends Permission> permClass) throws Exception {
String permClassName = permClass.getName();
Constructor<? extends Permission> constructor = null;
int numArgs = -1;
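Review bot: `cachedRelativeFilePermissionCollections` keeps a strong reference to every `BundlePermissions` key, and the only removal visible in this diff is `clearPermissionCache()`, so entries for bundles that have gone away may stay reachable for as long as this collection lives. If nothing outside the diff evicts them, a `WeakHashMap` or an explicit removal hook would bound that. The routing condition `bundlePermissions != null && cachedRelativeFilePermissionCollections != null && FILE_PERMISSION_NAME.equals(permClass.getName())` is duplicated in `getCachedCollection` and `cacheCollection`; a small private helper would keep the two in step. I would also add a comment stating `// null bundlePermissions: shared per-class cache, relative FilePermission names are not resolved`. The body of `addPermissions` continues outside this hunk.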
@@ -121,8 +154,9 @@ public final class PermissionInfoCollection extends PermissionCollection {
// ignore
}
}
- if (constructor == null)
+ if (constructor == null) {
throw new NoSuchMethodException(permClass.getName() + ".<init>()"); //$NON-NLS-1$
+ }
/*
* TODO: We need to cache the permission constructors to enhance performance (see bug 118813).
*/
@@ -135,13 +169,17 @@ public final class PermissionInfoCollection extends PermissionCollection {
if (numArgs > 1) {
args[1] = permInfo.getActions();
}
- if (permInfo.getType().equals("java.io.FilePermission")) { //$NON-NLS-1$
+ if (permInfo.getType().equals(FILE_PERMISSION_NAME)) {
// map FilePermissions for relative names to the bundle's data area
- if (!args[0].equals("<<ALL FILES>>")) { //$NON-NLS-1$
+ if (!args[0].equals(ALL_FILES)) {
File file = new File(args[0]);
if (!file.isAbsolute()) { // relative name
- // TODO need to figure out how to do relative FilePermissions from the dataFile
- continue;
+ File target = bundlePermissions == null ? null : bundlePermissions.getBundle().getDataFile(permInfo.getName());
+ if (target == null) {
+ // ignore if we cannot find the data area
+ continue;
+ }
+ args[0] = target.getPath();
}
}
}
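Review bot: The relative name is passed to `getDataFile(permInfo.getName())` without any check on its segments, so whether a name such as `../other` stays inside the bundle's data area depends entirely on what `getDataFile` does, which is not visible here. Since the resulting path becomes the target of a granted (or denied) FilePermission, I would skip names containing a `..` segment before resolving them, using the same `continue` as the missing-data-area case. At minimum the code should carry a comment stating that confinement is delegated to `getDataFile`. The enclosing loop in `addPermissions` starts and ends outside this hunk.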
@@ -153,6 +191,9 @@ public final class PermissionInfoCollection extends PermissionCollection {
void clearPermissionCache() {
synchronized (cachedPermissionCollections) {
cachedPermissionCollections.clear();
+ if (cachedRelativeFilePermissionCollections != null) {
+ cachedRelativeFilePermissionCollections.clear();
+ }
}
}
}
diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java
index 17072314f..b9bd97bd4 100644
--- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java
+++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2008, 2017 IBM Corporation and others.
+ * Copyright (c) 2008, 2020 IBM Corporation and others.
*
* This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
@@ -95,13 +95,6 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi
private final PermissionInfo[] impliedPermissionInfos;
private final EquinoxSecurityManager supportedSecurityManager;
- private SecurityAdmin(EquinoxSecurityManager supportedSecurityManager, PermissionInfo[] impliedPermissionInfos, PermissionInfoCollection permAdminDefaults) {
- this.supportedSecurityManager = supportedSecurityManager;
- this.impliedPermissionInfos = impliedPermissionInfos;
- this.permAdminDefaults = permAdminDefaults;
- this.permissionStorage = null;
- }
-
public SecurityAdmin(EquinoxSecurityManager supportedSecurityManager, PermissionData permissionStorage) {
this.supportedSecurityManager = supportedSecurityManager;
this.permissionStorage = permissionStorage;
@@ -160,7 +153,7 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi
curPermAdminDefaults = permAdminDefaults;
}
if (locationCollection != null)
- return locationCollection.implies(permission);
+ return locationCollection.implies(bundlePermissions, permission);
// if conditional admin table is empty the fall back to defaults
if (curCondAdminTable.isEmpty())
return curPermAdminDefaults != null ? curPermAdminDefaults.implies(permission) : DEFAULT_DEFAULT.implies(permission);
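Review bot: The defaults branch still calls the one-argument `implies(permission)`, so relative FilePermission names in the PermissionAdmin defaults are never resolved against a data area, while the location branch just above now is. The new unit test asserts exactly that, so it looks intentional, but nothing in the code says so. A comment on this line such as `// defaults are not bundle specific: relative FilePermission names are intentionally ignored here` would stop a later reader from "fixing" it by passing `bundlePermissions`. The method continues outside this hunk.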
@@ -281,8 +274,7 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi
@Override
public AccessControlContext getAccessControlContext(String[] signers) {
- SecurityAdmin snapShot = getSnapShot();
- return new AccessControlContext(new ProtectionDomain[] {createProtectionDomain(createMockBundle(signers), snapShot)});
+ return new AccessControlContext(new ProtectionDomain[] {createProtectionDomain(createMockBundle(signers), this)});
}
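Review bot: `getAccessControlContext` now builds the protection domain over `this` instead of a snapshot, so an AccessControlContext handed out earlier reflects every later policy update. The new test relies on this by reusing `acc` after a second `commit()`, yet the commit message does not mention the change. Callers that kept a context expecting it to reflect the policy at the time of the call will silently get different answers. I would state this in the method's Javadoc, for example `The returned context is evaluated against the live permission tables, not a copy taken at call time.`, and note there that relative FilePermission names are ignored for these signer-based contexts, as the test asserts.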
/**
@@ -317,19 +309,6 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi
return setConditionalPermissionInfo(name, conds, perms, true);
}
- private SecurityAdmin getSnapShot() {
- SecurityAdmin sa;
- synchronized (lock) {
- sa = new SecurityAdmin(supportedSecurityManager, impliedPermissionInfos, permAdminDefaults);
- SecurityRow[] rows = condAdminTable.getRows();
- SecurityRow[] rowsSnapShot = new SecurityRow[rows.length];
- for (int i = 0; i < rows.length; i++)
- rowsSnapShot[i] = new SecurityRow(sa, rows[i].getName(), rows[i].getConditionInfos(), rows[i].getPermissionInfos(), rows[i].getAccessDecision());
- sa.condAdminTable = new SecurityTable(sa, rowsSnapShot);
- }
- return sa;
- }
-
private ConditionalPermissionInfo setConditionalPermissionInfo(String name, ConditionInfo[] conds, PermissionInfo[] perms, boolean firstTry) {
ConditionalPermissionUpdate update = newConditionalPermissionUpdate();
List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos();
@@ -427,8 +406,8 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi
PermissionInfo[] results = new PermissionInfo[permissionInfos.length];
for (int i = 0; i < permissionInfos.length; i++) {
results[i] = permissionInfos[i];
- if ("java.io.FilePermission".equals(permissionInfos[i].getType())) { //$NON-NLS-1$
- if (!"<<ALL FILES>>".equals(permissionInfos[i].getName())) { //$NON-NLS-1$
+ if (PermissionInfoCollection.FILE_PERMISSION_NAME.equals(permissionInfos[i].getType())) {
+ if (!PermissionInfoCollection.ALL_FILES.equals(permissionInfos[i].getName())) {
File file = new File(permissionInfos[i].getName());
if (!file.isAbsolute()) { // relative name
try {
diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java
index 64bdc0eb9..0dbb366ee 100644
--- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java
+++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2008, 2016 IBM Corporation and others.
+ * Copyright (c) 2008, 2020 IBM Corporation and others.
*
* This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
@@ -339,12 +339,12 @@ public final class SecurityRow implements ConditionalPermissionInfo {
Decision evaluate(BundlePermissions bundlePermissions, Permission permission) {
if (bundleConditions == null || bundlePermissions == null)
- return evaluatePermission(permission);
+ return evaluatePermission(bundlePermissions, permission);
Condition[] conditions = getConditions(bundlePermissions);
if (conditions == ABSTAIN_LIST)
return DECISION_ABSTAIN;
if (conditions == SATISFIED_LIST)
- return evaluatePermission(permission);
+ return evaluatePermission(bundlePermissions, permission);
boolean empty = true;
List<Condition> postponedConditions = null;
@@ -370,7 +370,7 @@ public final class SecurityRow implements ConditionalPermissionInfo {
} else { // postponed case
if (postponedPermCheck == null)
// perform a permission check now
- postponedPermCheck = evaluatePermission(permission);
+ postponedPermCheck = evaluatePermission(bundlePermissions, permission);
if (postponedPermCheck == DECISION_ABSTAIN)
return postponedPermCheck; // no need to postpone the condition if the row abstains
// this row will deny or allow the permission; must queue the postponed condition
@@ -387,7 +387,7 @@ public final class SecurityRow implements ConditionalPermissionInfo {
}
if (postponedPermCheck != null)
return new Decision(postponedPermCheck.decision | SecurityTable.POSTPONED, postponedConditions.toArray(new Condition[postponedConditions.size()]), this, bundlePermissions);
- return evaluatePermission(permission);
+ return evaluatePermission(bundlePermissions, permission);
}
private boolean isPostponed(Condition condition) {
@@ -395,8 +395,8 @@ public final class SecurityRow implements ConditionalPermissionInfo {
return condition.isPostponed() && securityAdmin.getSupportedSecurityManager() != null;
}
- private Decision evaluatePermission(Permission permission) {
- return permissionInfoCollection.implies(permission) ? (deny ? DECISION_DENIED : DECISION_GRANTED) : DECISION_ABSTAIN;
+ private Decision evaluatePermission(BundlePermissions bundlePermissions, Permission permission) {
+ return permissionInfoCollection.implies(bundlePermissions, permission) ? (deny ? DECISION_DENIED : DECISION_GRANTED) : DECISION_ABSTAIN;
}
@Override
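Review bot: For a row whose decision is DENY, `evaluatePermission` returns `DECISION_ABSTAIN` whenever `implies` is false, and `addPermissions` silently drops a relative FilePermission when `bundlePermissions` is null or no data area is found. A deny rule written with a relative path therefore has no effect in those cases (the `bundlePermissions == null` path at the top of `evaluate`, and presumably the mock bundle used for signer contexts), which fails open rather than closed. If that is accepted behaviour it should be documented on this method, for example `// a relative FilePermission that cannot be resolved to a data area is ignored, for DENY rows as well`. A log entry when such an entry is skipped would make the gap visible to whoever administers the policy.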
