Handle system policy correctly.
Just suck in the system policy, so its compatible with any version of java. It means it also respects configuration (e.g. for monitoring agents) Closes #14704
This commit is contained in:
parent
85ce81c34e
commit
720ebe347d
|
@ -182,11 +182,18 @@ final class Bootstrap {
|
||||||
* option for elasticsearch.yml etc to turn off our security manager completely,
|
* option for elasticsearch.yml etc to turn off our security manager completely,
|
||||||
* for example if you want to have your own configuration or just disable.
|
* for example if you want to have your own configuration or just disable.
|
||||||
*/
|
*/
|
||||||
|
// TODO: remove this: http://www.openbsd.org/papers/hackfest2015-pledge/mgp00005.jpg
|
||||||
static final String SECURITY_SETTING = "security.manager.enabled";
|
static final String SECURITY_SETTING = "security.manager.enabled";
|
||||||
|
/**
|
||||||
|
* option for elasticsearch.yml to fully respect the system policy, including bad defaults
|
||||||
|
* from java.
|
||||||
|
*/
|
||||||
|
// TODO: remove this hack when insecure defaults are removed from java
|
||||||
|
static final String SECURITY_FILTER_BAD_DEFAULTS_SETTING = "security.manager.filter_bad_defaults";
|
||||||
|
|
||||||
private void setupSecurity(Settings settings, Environment environment) throws Exception {
|
private void setupSecurity(Settings settings, Environment environment) throws Exception {
|
||||||
if (settings.getAsBoolean(SECURITY_SETTING, true)) {
|
if (settings.getAsBoolean(SECURITY_SETTING, true)) {
|
||||||
Security.configure(environment);
|
Security.configure(environment, settings.getAsBoolean(SECURITY_FILTER_BAD_DEFAULTS_SETTING, true));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -21,6 +21,7 @@ package org.elasticsearch.bootstrap;
|
||||||
|
|
||||||
import org.elasticsearch.common.SuppressForbidden;
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
|
|
||||||
|
import java.net.SocketPermission;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
import java.security.CodeSource;
|
import java.security.CodeSource;
|
||||||
import java.security.Permission;
|
import java.security.Permission;
|
||||||
|
@ -40,12 +41,18 @@ final class ESPolicy extends Policy {
|
||||||
|
|
||||||
final Policy template;
|
final Policy template;
|
||||||
final Policy untrusted;
|
final Policy untrusted;
|
||||||
|
final Policy system;
|
||||||
final PermissionCollection dynamic;
|
final PermissionCollection dynamic;
|
||||||
final Map<String,Policy> plugins;
|
final Map<String,Policy> plugins;
|
||||||
|
|
||||||
public ESPolicy(PermissionCollection dynamic, Map<String,Policy> plugins) {
|
public ESPolicy(PermissionCollection dynamic, Map<String,Policy> plugins, boolean filterBadDefaults) {
|
||||||
this.template = Security.readPolicy(getClass().getResource(POLICY_RESOURCE), JarHell.parseClassPath());
|
this.template = Security.readPolicy(getClass().getResource(POLICY_RESOURCE), JarHell.parseClassPath());
|
||||||
this.untrusted = Security.readPolicy(getClass().getResource(UNTRUSTED_RESOURCE), new URL[0]);
|
this.untrusted = Security.readPolicy(getClass().getResource(UNTRUSTED_RESOURCE), new URL[0]);
|
||||||
|
if (filterBadDefaults) {
|
||||||
|
this.system = new SystemPolicy(Policy.getPolicy());
|
||||||
|
} else {
|
||||||
|
this.system = Policy.getPolicy();
|
||||||
|
}
|
||||||
this.dynamic = dynamic;
|
this.dynamic = dynamic;
|
||||||
this.plugins = plugins;
|
this.plugins = plugins;
|
||||||
}
|
}
|
||||||
|
@ -75,7 +82,7 @@ final class ESPolicy extends Policy {
|
||||||
}
|
}
|
||||||
|
|
||||||
// otherwise defer to template + dynamic file permissions
|
// otherwise defer to template + dynamic file permissions
|
||||||
return template.implies(domain, permission) || dynamic.implies(permission);
|
return template.implies(domain, permission) || dynamic.implies(permission) || system.implies(domain, permission);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -92,4 +99,39 @@ final class ESPolicy extends Policy {
|
||||||
// return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
|
// return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
|
||||||
return super.getPermissions(codesource);
|
return super.getPermissions(codesource);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: remove this hack when insecure defaults are removed from java
|
||||||
|
|
||||||
|
// default policy file states:
|
||||||
|
// "It is strongly recommended that you either remove this permission
|
||||||
|
// from this policy file or further restrict it to code sources
|
||||||
|
// that you specify, because Thread.stop() is potentially unsafe."
|
||||||
|
// not even sure this method still works...
|
||||||
|
static final Permission BAD_DEFAULT_NUMBER_ONE = new RuntimePermission("stopThread");
|
||||||
|
|
||||||
|
// default policy file states:
|
||||||
|
// "allows anyone to listen on dynamic ports"
|
||||||
|
// specified exactly because that is what we want, and fastest since it won't imply any
|
||||||
|
// expensive checks for the implicit "resolve"
|
||||||
|
static final Permission BAD_DEFAULT_NUMBER_TWO = new SocketPermission("localhost:0", "listen");
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wraps the Java system policy, filtering out bad default permissions that
|
||||||
|
* are granted to all domains. Note, before java 8 these were even worse.
|
||||||
|
*/
|
||||||
|
static class SystemPolicy extends Policy {
|
||||||
|
final Policy delegate;
|
||||||
|
|
||||||
|
SystemPolicy(Policy delegate) {
|
||||||
|
this.delegate = delegate;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean implies(ProtectionDomain domain, Permission permission) {
|
||||||
|
if (BAD_DEFAULT_NUMBER_ONE.equals(permission) || BAD_DEFAULT_NUMBER_TWO.equals(permission)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return delegate.implies(domain, permission);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -109,11 +109,13 @@ final class Security {
|
||||||
/**
|
/**
|
||||||
* Initializes SecurityManager for the environment
|
* Initializes SecurityManager for the environment
|
||||||
* Can only happen once!
|
* Can only happen once!
|
||||||
|
* @param environment configuration for generating dynamic permissions
|
||||||
|
* @param filterBadDefaults true if we should filter out bad java defaults in the system policy.
|
||||||
*/
|
*/
|
||||||
static void configure(Environment environment) throws Exception {
|
static void configure(Environment environment, boolean filterBadDefaults) throws Exception {
|
||||||
|
|
||||||
// enable security policy: union of template and environment-based paths, and possibly plugin permissions
|
// enable security policy: union of template and environment-based paths, and possibly plugin permissions
|
||||||
Policy.setPolicy(new ESPolicy(createPermissions(environment), getPluginPermissions(environment)));
|
Policy.setPolicy(new ESPolicy(createPermissions(environment), getPluginPermissions(environment), filterBadDefaults));
|
||||||
|
|
||||||
// enable security manager
|
// enable security manager
|
||||||
System.setSecurityManager(new SecureSM());
|
System.setSecurityManager(new SecureSM());
|
||||||
|
@ -192,11 +194,33 @@ final class Security {
|
||||||
/** returns dynamic Permissions to configured paths and bind ports */
|
/** returns dynamic Permissions to configured paths and bind ports */
|
||||||
static Permissions createPermissions(Environment environment) throws IOException {
|
static Permissions createPermissions(Environment environment) throws IOException {
|
||||||
Permissions policy = new Permissions();
|
Permissions policy = new Permissions();
|
||||||
|
addClasspathPermissions(policy);
|
||||||
addFilePermissions(policy, environment);
|
addFilePermissions(policy, environment);
|
||||||
addBindPermissions(policy, environment.settings());
|
addBindPermissions(policy, environment.settings());
|
||||||
return policy;
|
return policy;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Adds access to classpath jars/classes for jar hell scan, etc */
|
||||||
|
@SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
|
||||||
|
static void addClasspathPermissions(Permissions policy) throws IOException {
|
||||||
|
// add permissions to everything in classpath
|
||||||
|
// really it should be covered by lib/, but there could be e.g. agents or similar configured)
|
||||||
|
for (URL url : JarHell.parseClassPath()) {
|
||||||
|
Path path;
|
||||||
|
try {
|
||||||
|
path = PathUtils.get(url.toURI());
|
||||||
|
} catch (URISyntaxException e) {
|
||||||
|
throw new RuntimeException(e);
|
||||||
|
}
|
||||||
|
// resource itself
|
||||||
|
policy.add(new FilePermission(path.toString(), "read,readlink"));
|
||||||
|
// classes underneath
|
||||||
|
if (Files.isDirectory(path)) {
|
||||||
|
policy.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", "read,readlink"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds access to all configurable paths.
|
* Adds access to all configurable paths.
|
||||||
*/
|
*/
|
||||||
|
@ -233,7 +257,9 @@ final class Security {
|
||||||
String httpRange = settings.get("http.netty.port",
|
String httpRange = settings.get("http.netty.port",
|
||||||
settings.get("http.port",
|
settings.get("http.port",
|
||||||
NettyHttpServerTransport.DEFAULT_PORT_RANGE));
|
NettyHttpServerTransport.DEFAULT_PORT_RANGE));
|
||||||
policy.add(new SocketPermission("localhost:" + httpRange, "listen,resolve"));
|
// listen is always called with 'localhost' but use wildcard to be sure, no name service is consulted.
|
||||||
|
// see SocketPermission implies() code
|
||||||
|
policy.add(new SocketPermission("*:" + httpRange, "listen,resolve"));
|
||||||
// transport is waaaay overengineered
|
// transport is waaaay overengineered
|
||||||
Map<String, Settings> profiles = settings.getGroups("transport.profiles", true);
|
Map<String, Settings> profiles = settings.getGroups("transport.profiles", true);
|
||||||
if (!profiles.containsKey(NettyTransport.DEFAULT_PROFILE)) {
|
if (!profiles.containsKey(NettyTransport.DEFAULT_PROFILE)) {
|
||||||
|
@ -253,7 +279,9 @@ final class Security {
|
||||||
// a profile is only valid if its the default profile, or if it has an actual name and specifies a port
|
// a profile is only valid if its the default profile, or if it has an actual name and specifies a port
|
||||||
boolean valid = NettyTransport.DEFAULT_PROFILE.equals(name) || (Strings.hasLength(name) && profileSettings.get("port") != null);
|
boolean valid = NettyTransport.DEFAULT_PROFILE.equals(name) || (Strings.hasLength(name) && profileSettings.get("port") != null);
|
||||||
if (valid) {
|
if (valid) {
|
||||||
policy.add(new SocketPermission("localhost:" + transportRange, "listen,resolve"));
|
// listen is always called with 'localhost' but use wildcard to be sure, no name service is consulted.
|
||||||
|
// see SocketPermission implies() code
|
||||||
|
policy.add(new SocketPermission("*:" + transportRange, "listen,resolve"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,13 +21,6 @@
|
||||||
// On startup, BootStrap reads environment and adds additional permissions
|
// On startup, BootStrap reads environment and adds additional permissions
|
||||||
// for configured paths and network binding to these.
|
// for configured paths and network binding to these.
|
||||||
|
|
||||||
//// System code permissions:
|
|
||||||
//// These permissions apply to the JDK itself:
|
|
||||||
|
|
||||||
grant codeBase "file:${{java.ext.dirs}}/*" {
|
|
||||||
permission java.security.AllPermission;
|
|
||||||
};
|
|
||||||
|
|
||||||
//// SecurityManager impl:
|
//// SecurityManager impl:
|
||||||
//// Must have all permissions to properly perform access checks
|
//// Must have all permissions to properly perform access checks
|
||||||
|
|
||||||
|
|
|
@ -49,7 +49,7 @@ public class ESPolicyUnitTests extends ESTestCase {
|
||||||
Permission all = new AllPermission();
|
Permission all = new AllPermission();
|
||||||
PermissionCollection allCollection = all.newPermissionCollection();
|
PermissionCollection allCollection = all.newPermissionCollection();
|
||||||
allCollection.add(all);
|
allCollection.add(all);
|
||||||
ESPolicy policy = new ESPolicy(allCollection, Collections.emptyMap());
|
ESPolicy policy = new ESPolicy(allCollection, Collections.emptyMap(), true);
|
||||||
// restrict ourselves to NoPermission
|
// restrict ourselves to NoPermission
|
||||||
PermissionCollection noPermissions = new Permissions();
|
PermissionCollection noPermissions = new Permissions();
|
||||||
assertFalse(policy.implies(new ProtectionDomain(null, noPermissions), new FilePermission("foo", "read")));
|
assertFalse(policy.implies(new ProtectionDomain(null, noPermissions), new FilePermission("foo", "read")));
|
||||||
|
@ -63,7 +63,7 @@ public class ESPolicyUnitTests extends ESTestCase {
|
||||||
public void testNullLocation() throws Exception {
|
public void testNullLocation() throws Exception {
|
||||||
assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
|
assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
|
||||||
PermissionCollection noPermissions = new Permissions();
|
PermissionCollection noPermissions = new Permissions();
|
||||||
ESPolicy policy = new ESPolicy(noPermissions, Collections.emptyMap());
|
ESPolicy policy = new ESPolicy(noPermissions, Collections.emptyMap(), true);
|
||||||
assertFalse(policy.implies(new ProtectionDomain(new CodeSource(null, (Certificate[])null), noPermissions), new FilePermission("foo", "read")));
|
assertFalse(policy.implies(new ProtectionDomain(new CodeSource(null, (Certificate[])null), noPermissions), new FilePermission("foo", "read")));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -96,13 +96,10 @@ public class BootstrapForTesting {
|
||||||
try {
|
try {
|
||||||
// initialize paths the same exact way as bootstrap
|
// initialize paths the same exact way as bootstrap
|
||||||
Permissions perms = new Permissions();
|
Permissions perms = new Permissions();
|
||||||
// add permissions to everything in classpath
|
Security.addClasspathPermissions(perms);
|
||||||
|
// crazy jython
|
||||||
for (URL url : JarHell.parseClassPath()) {
|
for (URL url : JarHell.parseClassPath()) {
|
||||||
Path path = PathUtils.get(url.toURI());
|
Path path = PathUtils.get(url.toURI());
|
||||||
// resource itself
|
|
||||||
perms.add(new FilePermission(path.toString(), "read,readlink"));
|
|
||||||
// classes underneath
|
|
||||||
perms.add(new FilePermission(path.toString() + path.getFileSystem().getSeparator() + "-", "read,readlink"));
|
|
||||||
|
|
||||||
// crazy jython...
|
// crazy jython...
|
||||||
String filename = path.getFileName().toString();
|
String filename = path.getFileName().toString();
|
||||||
|
@ -141,7 +138,7 @@ public class BootstrapForTesting {
|
||||||
|
|
||||||
// read test-framework permissions
|
// read test-framework permissions
|
||||||
final Policy testFramework = Security.readPolicy(Bootstrap.class.getResource("test-framework.policy"), JarHell.parseClassPath());
|
final Policy testFramework = Security.readPolicy(Bootstrap.class.getResource("test-framework.policy"), JarHell.parseClassPath());
|
||||||
final Policy esPolicy = new ESPolicy(perms, getPluginPermissions());
|
final Policy esPolicy = new ESPolicy(perms, getPluginPermissions(), true);
|
||||||
Policy.setPolicy(new Policy() {
|
Policy.setPolicy(new Policy() {
|
||||||
@Override
|
@Override
|
||||||
public boolean implies(ProtectionDomain domain, Permission permission) {
|
public boolean implies(ProtectionDomain domain, Permission permission) {
|
||||||
|
|
Loading…
Reference in New Issue