Forbid granting the all permission in production
Running with the all permission java.security.AllPermission granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted. Relates #27548
This commit is contained in:
parent
379d51fcfa
commit
d8c28044da
|
@ -38,6 +38,7 @@ import java.io.BufferedReader;
|
|||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.AllPermission;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
@ -210,6 +211,7 @@ final class BootstrapChecks {
|
|||
checks.add(new OnOutOfMemoryErrorCheck());
|
||||
checks.add(new EarlyAccessCheck());
|
||||
checks.add(new G1GCCheck());
|
||||
checks.add(new AllPermissionCheck());
|
||||
return Collections.unmodifiableList(checks);
|
||||
}
|
||||
|
||||
|
@ -692,4 +694,27 @@ final class BootstrapChecks {
|
|||
|
||||
}
|
||||
|
||||
static class AllPermissionCheck implements BootstrapCheck {
|
||||
|
||||
@Override
|
||||
public final BootstrapCheckResult check(BootstrapContext context) {
|
||||
if (isAllPermissionGranted()) {
|
||||
return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
|
||||
}
|
||||
return BootstrapCheckResult.success();
|
||||
}
|
||||
|
||||
boolean isAllPermissionGranted() {
|
||||
final SecurityManager sm = System.getSecurityManager();
|
||||
assert sm != null;
|
||||
try {
|
||||
sm.checkPermission(new AllPermission());
|
||||
} catch (final SecurityException e) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -45,7 +45,6 @@ import static org.hamcrest.CoreMatchers.containsString;
|
|||
import static org.hamcrest.CoreMatchers.equalTo;
|
||||
import static org.hamcrest.CoreMatchers.instanceOf;
|
||||
import static org.hamcrest.Matchers.hasToString;
|
||||
import static org.mockito.Matchers.eq;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
@ -690,6 +689,26 @@ public class BootstrapChecksTests extends ESTestCase {
|
|||
BootstrapChecks.check(defaultContext, true, Collections.singletonList(nonJava8Check), "testG1GCCheck");
|
||||
}
|
||||
|
||||
public void testAllPermissionCheck() throws NodeValidationException {
|
||||
final AtomicBoolean isAllPermissionGranted = new AtomicBoolean(true);
|
||||
final BootstrapChecks.AllPermissionCheck allPermissionCheck = new BootstrapChecks.AllPermissionCheck() {
|
||||
@Override
|
||||
boolean isAllPermissionGranted() {
|
||||
return isAllPermissionGranted.get();
|
||||
}
|
||||
};
|
||||
|
||||
final List<BootstrapCheck> checks = Collections.singletonList(allPermissionCheck);
|
||||
final NodeValidationException e = expectThrows(
|
||||
NodeValidationException.class,
|
||||
() -> BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck"));
|
||||
assertThat(e, hasToString(containsString("granting the all permission effectively disables security")));
|
||||
|
||||
// if all permissions are not granted, nothing should happen
|
||||
isAllPermissionGranted.set(false);
|
||||
BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck");
|
||||
}
|
||||
|
||||
public void testAlwaysEnforcedChecks() {
|
||||
final BootstrapCheck check = new BootstrapCheck() {
|
||||
@Override
|
||||
|
|
|
@ -227,3 +227,9 @@ have issues that can lead to index corruption when the G1GC collector is
|
|||
enabled. The versions impacted are those earlier than the version of
|
||||
HotSpot that shipped with JDK 8u40. The G1GC check detects these early
|
||||
versions of the HotSpot JVM.
|
||||
|
||||
=== All permission check
|
||||
|
||||
The all permission check ensures that the security policy used during bootstrap
|
||||
does not grant the `java.security.AllPermission` to Elasticsearch. Running with
|
||||
the all permission granted is equivalent to disabling the security manager.
|
||||
|
|
Loading…
Reference in New Issue