mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-05 20:48:22 +00:00
c457499cb2
This commit modifies the Kernel32Library to use direct mapping instead of a proxy class when doing native calls on Windows platforms. It also adds the "createSecurityManager" permission to the tests.policy file, and adds unit tests that should have failed when the Java security manager is enabled. Closes #9802
117 lines
4.7 KiB
Plaintext
117 lines
4.7 KiB
Plaintext
/*
|
|
* Licensed to Elasticsearch under one or more contributor
|
|
* license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright
|
|
* ownership. Elasticsearch licenses this file to you under
|
|
* the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing,
|
|
* software distributed under the License is distributed on an
|
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
* KIND, either express or implied. See the License for the
|
|
* specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
// Policy file to prevent tests from writing outside the test sandbox directory
|
|
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
|
|
// everything not allowed here is forbidden!
|
|
|
|
grant {
|
|
// permissions for file access, write access only to sandbox:
|
|
permission java.io.FilePermission "<<ALL FILES>>", "read";
|
|
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,write";
|
|
permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,write,delete";
|
|
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
|
|
permission java.nio.file.LinkPermission "symbolic";
|
|
permission groovy.security.GroovyCodeSourcePermission "/groovy/script";
|
|
|
|
// Allow connecting to the internet anywhere
|
|
permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
|
|
|
|
// Basic permissions needed for Lucene / Elasticsearch to work:
|
|
permission java.util.PropertyPermission "*", "read,write";
|
|
|
|
// needed by junit4's gson usage
|
|
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
|
|
// needed by scripting engines, etc
|
|
permission java.lang.RuntimePermission "createClassLoader";
|
|
|
|
// needed by lucene SPI currently
|
|
permission java.lang.RuntimePermission "getClassLoader";
|
|
|
|
// needed by GroovyScriptEngineService
|
|
permission java.lang.RuntimePermission "closeClassLoader";
|
|
|
|
// needed by ImmutableSettings
|
|
permission java.lang.RuntimePermission "getenv.*";
|
|
|
|
// needed by BootStrap, etc
|
|
permission java.lang.RuntimePermission "exitVM.*";
|
|
|
|
// needed by RandomizedTest.globalTempDir()
|
|
permission java.lang.RuntimePermission "shutdownHooks";
|
|
|
|
// needed by PluginManager
|
|
permission java.lang.RuntimePermission "setFactory";
|
|
|
|
// needed by LuceneTestCase/TestRuleLimitSysouts
|
|
permission java.lang.RuntimePermission "setIO";
|
|
|
|
// needed by junit4 ThreadLeakControl
|
|
permission java.lang.RuntimePermission "modifyThread";
|
|
permission java.lang.RuntimePermission "modifyThreadGroup";
|
|
|
|
// needed by groovy scripting
|
|
permission java.lang.RuntimePermission "getProtectionDomain";
|
|
|
|
// needed for natives calls
|
|
permission java.lang.RuntimePermission "loadLibrary.*";
|
|
permission java.lang.RuntimePermission "createSecurityManager";
|
|
|
|
// reflection hacks:
|
|
// needed for Striped64 (what is this doing), also enables unmap hack
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
|
|
// needed for mock filesystems in tests (to capture implCloseChannel)
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
|
// needed by groovy engine
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
|
|
|
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
|
permission java.lang.RuntimePermission "getStackTrace";
|
|
|
|
// needed by RandomizedRunner
|
|
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
|
|
|
|
permission java.lang.RuntimePermission "usePolicy";
|
|
|
|
// needed by JMX instead of getFileSystemAttributes, seems like a bug...
|
|
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
|
|
|
// needed by lucene mockfilesystems
|
|
permission java.lang.RuntimePermission "fileSystemProvider";
|
|
|
|
// needed by plugin manager to set unix permissions
|
|
permission java.lang.RuntimePermission "accessUserInformation";
|
|
|
|
// These two *have* to be spelled out a separate
|
|
permission java.lang.management.ManagementPermission "control";
|
|
permission java.lang.management.ManagementPermission "monitor";
|
|
|
|
permission java.net.NetPermission "*";
|
|
permission java.util.logging.LoggingPermission "control";
|
|
permission javax.management.MBeanPermission "*", "*";
|
|
permission javax.management.MBeanServerPermission "*";
|
|
permission javax.management.MBeanTrustPermission "*";
|
|
|
|
// Needed for some things in DNS caching in the JVM
|
|
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
|
|
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
|
|
|
|
};
|