OpenSearch/dev-tools/tests.policy

117 lines
4.7 KiB
Plaintext
Raw Normal View History

/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
// Policy file to prevent tests from writing outside the test sandbox directory
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
// everything not allowed here is forbidden!
grant {
// permissions for file access, write access only to sandbox:
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,write";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,write,delete";
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
permission java.nio.file.LinkPermission "symbolic";
permission groovy.security.GroovyCodeSourcePermission "/groovy/script";
// Allow connecting to the internet anywhere
permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
// Basic permissions needed for Lucene / Elasticsearch to work:
permission java.util.PropertyPermission "*", "read,write";
// needed by junit4's gson usage
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// needed by scripting engines, etc
permission java.lang.RuntimePermission "createClassLoader";
// needed by lucene SPI currently
permission java.lang.RuntimePermission "getClassLoader";
// needed by GroovyScriptEngineService
permission java.lang.RuntimePermission "closeClassLoader";
// needed by ImmutableSettings
permission java.lang.RuntimePermission "getenv.*";
// needed by BootStrap, etc
permission java.lang.RuntimePermission "exitVM.*";
// needed by RandomizedTest.globalTempDir()
permission java.lang.RuntimePermission "shutdownHooks";
// needed by PluginManager
permission java.lang.RuntimePermission "setFactory";
// needed by LuceneTestCase/TestRuleLimitSysouts
permission java.lang.RuntimePermission "setIO";
// needed by junit4 ThreadLeakControl
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
// needed by groovy scripting
permission java.lang.RuntimePermission "getProtectionDomain";
// needed for natives calls
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "createSecurityManager";
// reflection hacks:
// needed for Striped64 (what is this doing), also enables unmap hack
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
// needed for mock filesystems in tests (to capture implCloseChannel)
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
2015-02-25 15:32:18 -05:00
// needed by groovy engine
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "getStackTrace";
// needed by RandomizedRunner
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission java.lang.RuntimePermission "usePolicy";
// needed by JMX instead of getFileSystemAttributes, seems like a bug...
permission java.lang.RuntimePermission "getFileStoreAttributes";
// needed by lucene mockfilesystems
permission java.lang.RuntimePermission "fileSystemProvider";
// needed by plugin manager to set unix permissions
permission java.lang.RuntimePermission "accessUserInformation";
// These two *have* to be spelled out a separate
permission java.lang.management.ManagementPermission "control";
permission java.lang.management.ManagementPermission "monitor";
permission java.net.NetPermission "*";
permission java.util.logging.LoggingPermission "control";
permission javax.management.MBeanPermission "*", "*";
permission javax.management.MBeanServerPermission "*";
permission javax.management.MBeanTrustPermission "*";
// Needed for some things in DNS caching in the JVM
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
};