/* * Licensed to Elasticsearch under one or more contributor * license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright * ownership. Elasticsearch licenses this file to you under * the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ // Policy file to prevent tests from writing outside the test sandbox directory // PLEASE NOTE: You may need to enable other permissions when new tests are added, // everything not allowed here is forbidden! grant { // contain read access to only what we need: // project base directory permission java.io.FilePermission "${project.basedir}${/}-", "read"; // mvn custom ./m2/repository for dependency jars permission java.io.FilePermission "${m2.repository}{/}-", "read"; // maven default repo for settings.xml etc. permission java.io.FilePermission "${user.home}${/}.m2${/}-", "read"; // system jar resources permission java.io.FilePermission "${java.home}${/}-", "read"; permission java.io.FilePermission "${junit4.childvm.cwd}", "read,write"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,write,delete"; permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete"; permission java.nio.file.LinkPermission "symbolic"; permission groovy.security.GroovyCodeSourcePermission "/groovy/script"; // Allow connecting to the internet anywhere permission java.net.SocketPermission "*", "accept,listen,connect,resolve"; // Basic permissions needed for Lucene / Elasticsearch to work: permission java.util.PropertyPermission "*", "read,write"; // needed by junit4's gson usage permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // needed by scripting engines, etc permission java.lang.RuntimePermission "createClassLoader"; // needed by lucene SPI currently permission java.lang.RuntimePermission "getClassLoader"; // needed by GroovyScriptEngineService permission java.lang.RuntimePermission "closeClassLoader"; // needed by ImmutableSettings permission java.lang.RuntimePermission "getenv.*"; // needed by BootStrap, etc permission java.lang.RuntimePermission "exitVM.*"; // needed by RandomizedTest.globalTempDir() permission java.lang.RuntimePermission "shutdownHooks"; // needed by PluginManager permission java.lang.RuntimePermission "setFactory"; // needed by LuceneTestCase/TestRuleLimitSysouts permission java.lang.RuntimePermission "setIO"; // needed by junit4 ThreadLeakControl permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; // needed by groovy scripting permission java.lang.RuntimePermission "getProtectionDomain"; // needed for natives calls permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "createSecurityManager"; // reflection hacks: // needed for Striped64 (what is this doing), also enables unmap hack permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; // needed for mock filesystems in tests (to capture implCloseChannel) permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; // needed by groovy engine permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; // needed to get file descriptor statistics permission java.lang.RuntimePermission "accessClassInPackage.sun.management"; permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "getStackTrace"; // needed by RandomizedRunner permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; permission java.lang.RuntimePermission "usePolicy"; // needed by JMX instead of getFileSystemAttributes, seems like a bug... permission java.lang.RuntimePermission "getFileStoreAttributes"; // needed by lucene mockfilesystems permission java.lang.RuntimePermission "fileSystemProvider"; // needed by plugin manager to set unix permissions permission java.lang.RuntimePermission "accessUserInformation"; // These two *have* to be spelled out a separate permission java.lang.management.ManagementPermission "control"; permission java.lang.management.ManagementPermission "monitor"; permission java.net.NetPermission "*"; permission java.util.logging.LoggingPermission "control"; permission javax.management.MBeanPermission "*", "*"; permission javax.management.MBeanServerPermission "*"; permission javax.management.MBeanTrustPermission "*"; // Needed for some things in DNS caching in the JVM permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl"; permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl"; };