128 lines
5.1 KiB
Plaintext
128 lines
5.1 KiB
Plaintext
/*
|
|
* Licensed to Elasticsearch under one or more contributor
|
|
* license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright
|
|
* ownership. Elasticsearch licenses this file to you under
|
|
* the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing,
|
|
* software distributed under the License is distributed on an
|
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
* KIND, either express or implied. See the License for the
|
|
* specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
// Policy file to prevent tests from writing outside the test sandbox directory
|
|
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
|
|
// everything not allowed here is forbidden!
|
|
|
|
grant {
|
|
|
|
// contain read access to only what we need:
|
|
// project base directory
|
|
permission java.io.FilePermission "${project.basedir}${/}target${/}-", "read";
|
|
// read permission for lib sigar
|
|
permission java.io.FilePermission "${project.basedir}${/}lib/sigar{/}-", "read";
|
|
// mvn custom ./m2/repository for dependency jars
|
|
permission java.io.FilePermission "${m2.repository}${/}-", "read";
|
|
// system jar resources
|
|
permission java.io.FilePermission "${java.home}${/}-", "read";
|
|
// per-jvm directory
|
|
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write";
|
|
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
|
|
|
|
permission java.nio.file.LinkPermission "symbolic";
|
|
permission groovy.security.GroovyCodeSourcePermission "/groovy/script";
|
|
|
|
// Allow connecting to the internet anywhere
|
|
permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
|
|
|
|
// Basic permissions needed for Lucene / Elasticsearch to work:
|
|
permission java.util.PropertyPermission "*", "read,write";
|
|
|
|
// needed by junit4's gson usage
|
|
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|
|
|
|
// needed by scripting engines, etc
|
|
permission java.lang.RuntimePermission "createClassLoader";
|
|
|
|
// needed by lucene SPI currently
|
|
permission java.lang.RuntimePermission "getClassLoader";
|
|
|
|
// needed by GroovyScriptEngineService
|
|
permission java.lang.RuntimePermission "closeClassLoader";
|
|
|
|
// needed by ImmutableSettings
|
|
permission java.lang.RuntimePermission "getenv.*";
|
|
|
|
// needed by BootStrap, etc
|
|
permission java.lang.RuntimePermission "exitVM.*";
|
|
|
|
// needed by RandomizedTest.globalTempDir()
|
|
permission java.lang.RuntimePermission "shutdownHooks";
|
|
|
|
// needed by PluginManager
|
|
permission java.lang.RuntimePermission "setFactory";
|
|
|
|
// needed by LuceneTestCase/TestRuleLimitSysouts
|
|
permission java.lang.RuntimePermission "setIO";
|
|
|
|
// needed by junit4 ThreadLeakControl
|
|
permission java.lang.RuntimePermission "modifyThread";
|
|
permission java.lang.RuntimePermission "modifyThreadGroup";
|
|
|
|
// needed by groovy scripting
|
|
permission java.lang.RuntimePermission "getProtectionDomain";
|
|
|
|
// needed for natives calls
|
|
permission java.lang.RuntimePermission "loadLibrary.*";
|
|
permission java.lang.RuntimePermission "createSecurityManager";
|
|
|
|
// reflection hacks:
|
|
// needed for Striped64 (what is this doing), also enables unmap hack
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
|
|
// needed for mock filesystems in tests (to capture implCloseChannel)
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
|
// needed by groovy engine
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
|
|
// needed to get file descriptor statistics
|
|
permission java.lang.RuntimePermission "accessClassInPackage.sun.management";
|
|
|
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
|
permission java.lang.RuntimePermission "getStackTrace";
|
|
|
|
// needed by RandomizedRunner
|
|
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
|
|
|
|
permission java.lang.RuntimePermission "usePolicy";
|
|
|
|
// needed by JMX instead of getFileSystemAttributes, seems like a bug...
|
|
permission java.lang.RuntimePermission "getFileStoreAttributes";
|
|
|
|
// needed by lucene mockfilesystems
|
|
permission java.lang.RuntimePermission "fileSystemProvider";
|
|
|
|
// needed by plugin manager to set unix permissions
|
|
permission java.lang.RuntimePermission "accessUserInformation";
|
|
|
|
// These two *have* to be spelled out a separate
|
|
permission java.lang.management.ManagementPermission "control";
|
|
permission java.lang.management.ManagementPermission "monitor";
|
|
|
|
permission java.net.NetPermission "*";
|
|
permission java.util.logging.LoggingPermission "control";
|
|
permission javax.management.MBeanPermission "*", "*";
|
|
permission javax.management.MBeanServerPermission "*";
|
|
permission javax.management.MBeanTrustPermission "*";
|
|
|
|
// Needed for some things in DNS caching in the JVM
|
|
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
|
|
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
|
|
|
|
};
|