Remove accept SocketPermissions from core (#22622)

This is related to #22116. Core no longer needs SocketPermission accept. This permission is relegated to the transport-netty4 module and (for tests) to the mocksocket jar.
2017-01-20 09:27:45 -06:00 · 2017-01-20 09:27:45 -06:00 · bc16162d21
parent 239ed0c912
commit bc16162d21
3 changed files with 11 additions and 1 deletions
--- a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
@ -56,7 +56,7 @@ grant {
  permission org.elasticsearch.SpecialPermission;

  // Allow connecting to the internet anywhere
-  permission java.net.SocketPermission "*", "accept,connect,resolve";
+  permission java.net.SocketPermission "*", "connect,resolve";

  // Allow read access to all system properties
  permission java.util.PropertyPermission "*", "read";
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@ -62,3 +62,8 @@ grant codeBase "${codebase.junit-4.11.jar}" {
  // needed for TestClass creation
  permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
+
+grant codeBase "${codebase.mocksocket-1.1.jar}" {
+  // mocksocket accepts socket connections
+  permission java.net.SocketPermission "*", "accept";
+};
--- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@ -17,6 +17,11 @@
 * under the License.
 */

+grant {
+   // netty accepts socket connections
+   permission java.net.SocketPermission "*", "accept";
+};
+
 grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" {
   // for reading the system-wide configuration for the backlog of established sockets
   permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";