Isolated SocketPermissions to Netty (#23057)
Netty 4.1.8 wraps connect and accept operations in doPrivileged blocks. This means that we not need to give permissions to the entire transport module. Additionally this commit deletes the privileged socket channel and privileged server socket chanel.
This commit is contained in:
parent
9f60924ed5
commit
a331405aff
|
@ -32,6 +32,7 @@ import io.netty.channel.ChannelOption;
|
|||
import io.netty.channel.FixedRecvByteBufAllocator;
|
||||
import io.netty.channel.RecvByteBufAllocator;
|
||||
import io.netty.channel.nio.NioEventLoopGroup;
|
||||
import io.netty.channel.socket.nio.NioServerSocketChannel;
|
||||
import io.netty.handler.codec.ByteToMessageDecoder;
|
||||
import io.netty.handler.codec.http.HttpContentCompressor;
|
||||
import io.netty.handler.codec.http.HttpContentDecompressor;
|
||||
|
@ -76,7 +77,6 @@ import org.elasticsearch.threadpool.ThreadPool;
|
|||
import org.elasticsearch.transport.BindTransportException;
|
||||
import org.elasticsearch.transport.netty4.Netty4OpenChannelsHandler;
|
||||
import org.elasticsearch.transport.netty4.Netty4Utils;
|
||||
import org.elasticsearch.transport.netty4.channel.PrivilegedNioServerSocketChannel;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
|
@ -289,7 +289,7 @@ public class Netty4HttpServerTransport extends AbstractLifecycleComponent implem
|
|||
|
||||
serverBootstrap.group(new NioEventLoopGroup(workerCount, daemonThreadFactory(settings,
|
||||
HTTP_SERVER_WORKER_THREAD_NAME_PREFIX)));
|
||||
serverBootstrap.channel(PrivilegedNioServerSocketChannel.class);
|
||||
serverBootstrap.channel(NioServerSocketChannel.class);
|
||||
|
||||
serverBootstrap.childHandler(configureServerChannelHandler());
|
||||
|
||||
|
|
|
@ -32,6 +32,8 @@ import io.netty.channel.ChannelOption;
|
|||
import io.netty.channel.FixedRecvByteBufAllocator;
|
||||
import io.netty.channel.RecvByteBufAllocator;
|
||||
import io.netty.channel.nio.NioEventLoopGroup;
|
||||
import io.netty.channel.socket.nio.NioServerSocketChannel;
|
||||
import io.netty.channel.socket.nio.NioSocketChannel;
|
||||
import io.netty.util.concurrent.Future;
|
||||
import org.apache.logging.log4j.message.ParameterizedMessage;
|
||||
import org.apache.logging.log4j.util.Supplier;
|
||||
|
@ -62,8 +64,6 @@ import org.elasticsearch.transport.TcpTransport;
|
|||
import org.elasticsearch.transport.TransportRequestOptions;
|
||||
import org.elasticsearch.transport.TransportServiceAdapter;
|
||||
import org.elasticsearch.transport.TransportSettings;
|
||||
import org.elasticsearch.transport.netty4.channel.PrivilegedNioServerSocketChannel;
|
||||
import org.elasticsearch.transport.netty4.channel.PrivilegedNioSocketChannel;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.InetSocketAddress;
|
||||
|
@ -191,7 +191,7 @@ public class Netty4Transport extends TcpTransport<Channel> {
|
|||
private Bootstrap createBootstrap() {
|
||||
final Bootstrap bootstrap = new Bootstrap();
|
||||
bootstrap.group(new NioEventLoopGroup(workerCount, daemonThreadFactory(settings, TRANSPORT_CLIENT_BOSS_THREAD_NAME_PREFIX)));
|
||||
bootstrap.channel(PrivilegedNioSocketChannel.class);
|
||||
bootstrap.channel(NioSocketChannel.class);
|
||||
|
||||
bootstrap.handler(getClientChannelInitializer());
|
||||
|
||||
|
@ -275,7 +275,7 @@ public class Netty4Transport extends TcpTransport<Channel> {
|
|||
final ServerBootstrap serverBootstrap = new ServerBootstrap();
|
||||
|
||||
serverBootstrap.group(new NioEventLoopGroup(workerCount, workerFactory));
|
||||
serverBootstrap.channel(PrivilegedNioServerSocketChannel.class);
|
||||
serverBootstrap.channel(NioServerSocketChannel.class);
|
||||
|
||||
serverBootstrap.childHandler(getServerChannelInitializer(name, settings));
|
||||
|
||||
|
|
|
@ -1,47 +0,0 @@
|
|||
/*
|
||||
* Licensed to Elasticsearch under one or more contributor
|
||||
* license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright
|
||||
* ownership. Elasticsearch licenses this file to you under
|
||||
* the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.elasticsearch.transport.netty4.channel;
|
||||
|
||||
import io.netty.channel.socket.nio.NioServerSocketChannel;
|
||||
import org.elasticsearch.SpecialPermission;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.PrivilegedActionException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Wraps netty calls to {@link java.nio.channels.ServerSocketChannel#accept()} in
|
||||
* {@link AccessController#doPrivileged(PrivilegedAction)} blocks. This is necessary to limit
|
||||
* {@link java.net.SocketPermission} to the transport module.
|
||||
*/
|
||||
public class PrivilegedNioServerSocketChannel extends NioServerSocketChannel {
|
||||
|
||||
@Override
|
||||
protected int doReadMessages(List<Object> buf) throws Exception {
|
||||
SpecialPermission.check();
|
||||
try {
|
||||
return AccessController.doPrivileged((PrivilegedExceptionAction<Integer>) () -> super.doReadMessages(buf));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw (Exception) e.getCause();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
/*
|
||||
* Licensed to Elasticsearch under one or more contributor
|
||||
* license agreements. See the NOTICE file distributed with
|
||||
* this work for additional information regarding copyright
|
||||
* ownership. Elasticsearch licenses this file to you under
|
||||
* the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing,
|
||||
* software distributed under the License is distributed on an
|
||||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
* KIND, either express or implied. See the License for the
|
||||
* specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
|
||||
package org.elasticsearch.transport.netty4.channel;
|
||||
|
||||
import io.netty.channel.socket.nio.NioSocketChannel;
|
||||
import org.elasticsearch.SpecialPermission;
|
||||
|
||||
import java.net.SocketAddress;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.PrivilegedActionException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
|
||||
/**
|
||||
* Wraps netty calls to {@link java.nio.channels.SocketChannel#connect(SocketAddress)} in
|
||||
* {@link AccessController#doPrivileged(PrivilegedAction)} blocks. This is necessary to limit
|
||||
* {@link java.net.SocketPermission} to the transport module.
|
||||
*/
|
||||
public class PrivilegedNioSocketChannel extends NioSocketChannel {
|
||||
|
||||
@Override
|
||||
protected boolean doConnect(SocketAddress remoteAddress, SocketAddress localAddress) throws Exception {
|
||||
SpecialPermission.check();
|
||||
try {
|
||||
return AccessController.doPrivileged((PrivilegedExceptionAction<Boolean>) () -> super.doConnect(remoteAddress, localAddress));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw (Exception) e.getCause();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -17,14 +17,12 @@
|
|||
* under the License.
|
||||
*/
|
||||
|
||||
grant {
|
||||
// netty makes and accepts socket connections
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.netty-common-4.1.8.Final.jar}" {
|
||||
// for reading the system-wide configuration for the backlog of established sockets
|
||||
permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
|
||||
|
||||
// netty makes and accepts socket connections
|
||||
permission java.net.SocketPermission "*", "accept,connect";
|
||||
};
|
||||
|
||||
grant codeBase "${codebase.netty-transport-4.1.8.Final.jar}" {
|
||||
|
|
|
@ -28,6 +28,7 @@ import io.netty.channel.ChannelInitializer;
|
|||
import io.netty.channel.SimpleChannelInboundHandler;
|
||||
import io.netty.channel.nio.NioEventLoopGroup;
|
||||
import io.netty.channel.socket.SocketChannel;
|
||||
import io.netty.channel.socket.nio.NioSocketChannel;
|
||||
import io.netty.handler.codec.http.DefaultFullHttpRequest;
|
||||
import io.netty.handler.codec.http.FullHttpRequest;
|
||||
import io.netty.handler.codec.http.FullHttpResponse;
|
||||
|
@ -43,7 +44,6 @@ import io.netty.handler.codec.http.HttpVersion;
|
|||
import org.elasticsearch.common.collect.Tuple;
|
||||
import org.elasticsearch.common.unit.ByteSizeUnit;
|
||||
import org.elasticsearch.common.unit.ByteSizeValue;
|
||||
import org.elasticsearch.transport.netty4.channel.PrivilegedNioSocketChannel;
|
||||
|
||||
import java.io.Closeable;
|
||||
import java.net.SocketAddress;
|
||||
|
@ -82,7 +82,7 @@ class Netty4HttpClient implements Closeable {
|
|||
private final Bootstrap clientBootstrap;
|
||||
|
||||
Netty4HttpClient() {
|
||||
clientBootstrap = new Bootstrap().channel(PrivilegedNioSocketChannel.class).group(new NioEventLoopGroup());
|
||||
clientBootstrap = new Bootstrap().channel(NioSocketChannel.class).group(new NioEventLoopGroup());
|
||||
}
|
||||
|
||||
public Collection<FullHttpResponse> get(SocketAddress remoteAddress, String... uris) throws InterruptedException {
|
||||
|
|
Loading…
Reference in New Issue