Forbid granting the all permission in production
Running with the all permission (`java.security.AllPermission`) granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted. Relates #27548
This commit is contained in:
parent
379d51fcfa
commit
d8c28044da
|
@ -38,6 +38,7 @@ import java.io.BufferedReader;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.nio.file.Files;
|
import java.nio.file.Files;
|
||||||
import java.nio.file.Path;
|
import java.nio.file.Path;
|
||||||
|
import java.security.AllPermission;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
@ -210,6 +211,7 @@ final class BootstrapChecks {
|
||||||
checks.add(new OnOutOfMemoryErrorCheck());
|
checks.add(new OnOutOfMemoryErrorCheck());
|
||||||
checks.add(new EarlyAccessCheck());
|
checks.add(new EarlyAccessCheck());
|
||||||
checks.add(new G1GCCheck());
|
checks.add(new G1GCCheck());
|
||||||
|
checks.add(new AllPermissionCheck());
|
||||||
return Collections.unmodifiableList(checks);
|
return Collections.unmodifiableList(checks);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -692,4 +694,27 @@ final class BootstrapChecks {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static class AllPermissionCheck implements BootstrapCheck {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public final BootstrapCheckResult check(BootstrapContext context) {
|
||||||
|
if (isAllPermissionGranted()) {
|
||||||
|
return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
|
||||||
|
}
|
||||||
|
return BootstrapCheckResult.success();
|
||||||
|
}
|
||||||
|
|
||||||
|
boolean isAllPermissionGranted() {
|
||||||
|
final SecurityManager sm = System.getSecurityManager();
|
||||||
|
assert sm != null;
|
||||||
|
try {
|
||||||
|
sm.checkPermission(new AllPermission());
|
||||||
|
} catch (final SecurityException e) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
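Review bot: `assert sm != null;` in `isAllPermissionGranted()` only guards when the JVM runs with assertions enabled; with `-da`, a missing security manager reaches `sm.checkPermission(new AllPermission())` and surfaces as a NullPointerException instead of a meaningful bootstrap result. An explicit guard makes that failure mode deliberate, e.g. `if (sm == null) { throw new IllegalStateException("the security manager must be installed before the all permission check runs"); }`, or whatever outcome the bootstrap sequence is meant to produce in that situation. In `check`, `BootstrapCheck.BootstrapCheckResult.failure(...)` and the unqualified `BootstrapCheckResult.success()` name the same type; using one form for both reads more consistently. The new class also has no doc comment; a short one such as `/** Fails bootstrap when the security policy grants {@link AllPermission}, since that renders the security manager ineffective. */` would explain its intent to readers of the checks list.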
|
|
|
@ -45,7 +45,6 @@ import static org.hamcrest.CoreMatchers.containsString;
|
||||||
import static org.hamcrest.CoreMatchers.equalTo;
|
import static org.hamcrest.CoreMatchers.equalTo;
|
||||||
import static org.hamcrest.CoreMatchers.instanceOf;
|
import static org.hamcrest.CoreMatchers.instanceOf;
|
||||||
import static org.hamcrest.Matchers.hasToString;
|
import static org.hamcrest.Matchers.hasToString;
|
||||||
import static org.mockito.Matchers.eq;
|
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
import static org.mockito.Mockito.verify;
|
import static org.mockito.Mockito.verify;
|
||||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||||
|
@ -690,6 +689,26 @@ public class BootstrapChecksTests extends ESTestCase {
|
||||||
BootstrapChecks.check(defaultContext, true, Collections.singletonList(nonJava8Check), "testG1GCCheck");
|
BootstrapChecks.check(defaultContext, true, Collections.singletonList(nonJava8Check), "testG1GCCheck");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testAllPermissionCheck() throws NodeValidationException {
|
||||||
|
final AtomicBoolean isAllPermissionGranted = new AtomicBoolean(true);
|
||||||
|
final BootstrapChecks.AllPermissionCheck allPermissionCheck = new BootstrapChecks.AllPermissionCheck() {
|
||||||
|
@Override
|
||||||
|
boolean isAllPermissionGranted() {
|
||||||
|
return isAllPermissionGranted.get();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
final List<BootstrapCheck> checks = Collections.singletonList(allPermissionCheck);
|
||||||
|
final NodeValidationException e = expectThrows(
|
||||||
|
NodeValidationException.class,
|
||||||
|
() -> BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck"));
|
||||||
|
assertThat(e, hasToString(containsString("granting the all permission effectively disables security")));
|
||||||
|
|
||||||
|
// if all permissions are not granted, nothing should happen
|
||||||
|
isAllPermissionGranted.set(false);
|
||||||
|
BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck");
|
||||||
|
}
|
||||||
|
|
||||||
public void testAlwaysEnforcedChecks() {
|
public void testAlwaysEnforcedChecks() {
|
||||||
final BootstrapCheck check = new BootstrapCheck() {
|
final BootstrapCheck check = new BootstrapCheck() {
|
||||||
@Override
|
@Override
|
||||||
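Review bot: The label passed to `BootstrapChecks.check(...)` at both call sites in `testAllPermissionCheck` is `"testIsAllPermissionCheck"`, which does not match the test method's name; `"testAllPermissionCheck"` keeps it consistent with the surrounding tests (compare `"testG1GCCheck"` above). Because the anonymous subclass stubs `isAllPermissionGranted()`, the real `System.getSecurityManager()`/`checkPermission` path in `BootstrapChecks.AllPermissionCheck` is not exercised here; if the test JVM runs under a security manager whose policy does not grant the all permission, an added `assertFalse(new BootstrapChecks.AllPermissionCheck().isAllPermissionGranted());` would cover it. `testAlwaysEnforcedChecks` begins in this hunk and its body continues outside it.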
|
|
|
@ -227,3 +227,9 @@ have issues that can lead to index corruption when the G1GC collector is
|
||||||
enabled. The versions impacted are those earlier than the version of
|
enabled. The versions impacted are those earlier than the version of
|
||||||
HotSpot that shipped with JDK 8u40. The G1GC check detects these early
|
HotSpot that shipped with JDK 8u40. The G1GC check detects these early
|
||||||
versions of the HotSpot JVM.
|
versions of the HotSpot JVM.
|
||||||
|
|
||||||
|
=== All permission check
|
||||||
|
|
||||||
|
The all permission check ensures that the security policy used during bootstrap
|
||||||
|
does not grant the `java.security.AllPermission` to Elasticsearch. Running with
|
||||||
|
the all permission granted is equivalent to disabling the security manager.
|
||||||
|
|