From 0c6ec82317300a8b5b4a89620009326b93b61878 Mon Sep 17 00:00:00 2001 From: Jason Tedor Date: Thu, 7 Dec 2017 12:57:48 -0500 Subject: [PATCH] Grant Netty necessary permissions When using the security networking implementations, the Netty jars that are in play are those that are loaded in the X-Pack classloader. This means that permissions granted to the Netty jars loaded in the transport-netty4 module classloader do nothing. Instead, we have to grant the same permissions to the Netty jars in the X-Pack classloader. This commit does this. Relates elastic/x-pack-elasticsearch#3247 Original commit: elastic/x-pack-elasticsearch@91780597b9185ddef00a8c257f9bff85c4ea8191 --- .../main/plugin-metadata/plugin-security.policy | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/plugin/src/main/plugin-metadata/plugin-security.policy b/plugin/src/main/plugin-metadata/plugin-security.policy index 974c7b373a9..9157c2fab47 100644 --- a/plugin/src/main/plugin-metadata/plugin-security.policy +++ b/plugin/src/main/plugin-metadata/plugin-security.policy @@ -21,10 +21,6 @@ grant { permission java.security.SecurityPermission "getPolicy"; permission java.security.SecurityPermission "setPolicy"; - // Netty SelectorUtil wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854 - // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely! - permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; - // needed for multiple server implementations used in tests permission java.net.SocketPermission "*", "accept,connect"; 
@@ -32,6 +28,17 @@ grant { permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write"; }; +grant codeBase "${codebase.netty-common}" { + // for reading the system-wide configuration for the backlog of established sockets + permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; +}; + +grant codeBase "${codebase.netty-transport}" { + // Netty NioEventLoop wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854 + // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely! + permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; +}; + grant codeBase "${codebase.elasticsearch-rest-client}" { // rest client uses system properties which gets the default proxy permission java.net.NetPermission "getProxySelector";
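Review bot: The two new `grant codeBase` entries for `${codebase.netty-common}` and `${codebase.netty-transport}` carry no comment explaining why X-Pack needs its own copy of these grants, so a later cleanup could remove them as duplicates or let them drift from the transport module's policy. Per the commit description, the Netty jars in play are the ones loaded in the X-Pack classloader, where permissions granted to the transport-netty4 module's jars do nothing. I would add a comment above the first entry such as `// Netty jars are loaded in the X-Pack classloader here; keep these grants in sync with the transport-netty4 module policy`. Scoping the `sun.nio.ch.bugLevel` write to the netty-transport codebase instead of the blanket `grant` is the narrower choice and should stay that way. The rest-client grant at the end of the hunk continues outside it.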