mirror of https://github.com/apache/lucene.git
124 lines
5.5 KiB
Plaintext
124 lines
5.5 KiB
Plaintext
/*
|
|
* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
// Policy file for lucene tests. Please keep minimal and avoid wildcards.
|
|
|
|
grant {
|
|
// let TestIndexWriterOnJRECrash fork its jvm
|
|
permission java.io.FilePermission "${java.home}${/}-", "read,execute";
|
|
|
|
// test-files/ resources
|
|
permission java.io.FilePermission "${common.dir}${/}-", "read";
|
|
// classpath-as-file, eg getDataPath, and only rarely (this acts like a JDK bug...)
|
|
permission java.io.FilePermission ".", "read";
|
|
|
|
// write only to sandbox
|
|
permission java.io.FilePermission "${tests.linedocsfile}", "read";
|
|
permission java.io.FilePermission "${java.io.tmpdir}", "read,write";
|
|
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
|
|
|
|
// misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created
|
|
permission java.nio.file.LinkPermission "hard";
|
|
|
|
// needed by RamUsageEstimator, and randomizedtesting runner to identify test methods.
|
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
|
// needed by certain tests to capture sysout/syserr:
|
|
permission java.lang.RuntimePermission "setIO";
|
|
// needed by luke and randomized runner to catch failures from other threads:
|
|
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
|
|
// needed by tests e.g. shutting down executors:
|
|
permission java.lang.RuntimePermission "modifyThread";
|
|
// needed for tons of test hacks etc
|
|
permission java.lang.RuntimePermission "getStackTrace";
|
|
// needed for mock filesystems in tests
|
|
permission java.lang.RuntimePermission "fileSystemProvider";
|
|
// needed by cyberneko usage by benchmarks on J9
|
|
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util";
|
|
|
|
// Needed for DirectIODirectory to retrieve block size
|
|
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
|
|
|
// TestLockFactoriesMultiJVM opens a random port on 127.0.0.1 (port 0 = ephemeral port range):
|
|
permission java.net.SocketPermission "127.0.0.1:0", "accept,listen,resolve";
|
|
// Replicator tests connect to ephemeral ports
|
|
permission java.net.SocketPermission "127.0.0.1:1024-", "connect,resolve";
|
|
|
|
// read access to all system properties:
|
|
permission java.util.PropertyPermission "*", "read";
|
|
// write access to only these:
|
|
// locale randomization
|
|
permission java.util.PropertyPermission "user.language", "write";
|
|
// timezone randomization
|
|
permission java.util.PropertyPermission "user.timezone", "write";
|
|
|
|
// CMS randomization
|
|
permission java.util.PropertyPermission "lucene.cms.override_core_count", "write";
|
|
|
|
// used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this
|
|
permission java.util.PropertyPermission "tests.runnested", "write";
|
|
|
|
// allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
|
|
permission java.security.SecurityPermission "createAccessControlContext";
|
|
|
|
// Hunspell regression and validation tests can read from external files
|
|
// specified in system properties.
|
|
permission java.io.FilePermission "${hunspell.repo.path}${/}-", "read";
|
|
permission java.io.FilePermission "${hunspell.corpora}${/}-", "read";
|
|
permission java.io.FilePermission "${hunspell.dictionaries}", "read";
|
|
permission java.io.FilePermission "${hunspell.dictionaries}${/}-", "read";
|
|
};
|
|
|
|
// Permissions for jacoco code coverage
|
|
grant {
|
|
// permission to write the per-jvm code coverage output
|
|
permission java.io.FilePermission "${user.dir}${/}jacoco.exec", "write";
|
|
// needed by jacoco to dump coverage on shutdown
|
|
permission java.lang.RuntimePermission "shutdownHooks";
|
|
// needed by jacoco to instrument classes
|
|
permission java.lang.RuntimePermission "defineClass";
|
|
// needed by jacoco for God knows what.
|
|
permission java.lang.RuntimePermission "createClassLoader";
|
|
};
|
|
|
|
// Grant all permissions to Gradle test runner classes.
|
|
grant codeBase "file:${gradle.lib.dir}${/}-" {
|
|
permission java.security.AllPermission;
|
|
};
|
|
|
|
grant codeBase "file:${gradle.worker.jar}" {
|
|
permission java.security.AllPermission;
|
|
};
|
|
|
|
grant {
|
|
// Allow reading gradle worker JAR.
|
|
permission java.io.FilePermission "${gradle.worker.jar}", "read";
|
|
// Allow reading from classpath JARs (resources).
|
|
permission java.io.FilePermission "${gradle.user.home}${/}-", "read";
|
|
};
|
|
|
|
// Grant permissions to certain test-related JARs (https://github.com/apache/lucene/pull/13146)
|
|
grant codeBase "file:${randomizedtesting.jar}" {
|
|
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
permission java.lang.RuntimePermission "modifyThreadGroup";
|
|
};
|
|
grant codeBase "file:${junit.jar}" {
|
|
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
};
|
|
grant codeBase "file:${lucene.test.framework}${/}-" {
|
|
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
};
|