From bc16162d21a8d014f2766ac7c5086417ffe24697 Mon Sep 17 00:00:00 2001
From: Tim Brooks
Date: Fri, 20 Jan 2017 09:27:45 -0600
Subject: [PATCH] Remove accept SocketPermissions from core (#22622)

This is related to #22116. Core no longer needs SocketPermission accept. This permission is relegated to the transport-netty4 module and (for tests) to the mocksocket jar.
---
 .../resources/org/elasticsearch/bootstrap/security.policy | 2 +-
 .../org/elasticsearch/bootstrap/test-framework.policy | 5 +++++
 .../src/main/plugin-metadata/plugin-security.policy | 5 +++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
index 07ce6663505..fec8476fb16 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -56,7 +56,7 @@ grant {
 permission org.elasticsearch.SpecialPermission;
 
 // Allow connecting to the internet anywhere
- permission java.net.SocketPermission "*", "accept,connect,resolve";
+ permission java.net.SocketPermission "*", "connect,resolve";
 
 // Allow read access to all system properties
 permission java.util.PropertyPermission "*", "read";
diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
index 43fbe43f220..795800007a9 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -62,3 +62,8 @@ grant codeBase "${codebase.junit-4.11.jar}" {
 // needed for TestClass creation
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
+
+grant codeBase "${codebase.mocksocket-1.1.jar}" {
+ // mocksocket accepts socket connections
+ permission java.net.SocketPermission "*", "accept";
+};
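Review bot: Nothing next to the new `permission java.net.SocketPermission "*", "connect,resolve";` line in security.policy records that `accept` was left out on purpose, so a later contributor who hits an AccessControlException on a listening socket may simply add it back to core. I would extend the comment above it to `// Allow connecting to the internet anywhere; accept is deliberately not granted to core (see transport-netty4's plugin-security.policy)`. The enclosing `grant {` block starts and ends outside the hunk, so whether other entries in it still relate to listening sockets cannot be checked from here.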
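Review bot: The new `grant codeBase "${codebase.mocksocket-1.1.jar}"` entry in test-framework.policy gives `accept` for host `"*"`, which is wider than a test helper needs if tests only ever receive loopback connections. If that is the case the host could be narrowed to loopback; if not, the comment should say why any peer is allowed, for example `// mocksocket accepts socket connections on behalf of tests; peer address is not restricted`. The jar version is part of the property name, so a mocksocket upgrade has to update this entry as well, and it is worth noting that in the comment.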
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
index 491df4e28ea..1118675817c 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -17,6 +17,11 @@
 * under the License.
 */
 
+grant {
+ // netty accepts socket connections
+ permission java.net.SocketPermission "*", "accept";
+};
+
 grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" {
 // for reading the system-wide configuration for the backlog of established sockets
 permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
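Review bot: The added `grant {` block has no `codeBase`, so `accept` on `"*"` goes to every jar this module policy applies to, while the entry directly below it and the mocksocket entry in test-framework.policy are each scoped to a single jar. If only netty jars are on the call stack when the accept check runs, the grant could be scoped the same way. If the module's own classes must hold the permission too, the comment should say so, for example `// netty accepts socket connections; granted to the whole module because module classes are on the accept call stack`. The following `grant codeBase` block continues past the end of the hunk.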