5353import java .nio .file .spi .FileSystemProvider ;
5454import java .util .ArrayList ;
5555import java .util .Arrays ;
56+ import java .util .Collections ;
5657import java .util .HashMap ;
5758import java .util .List ;
5859import java .util .Map ;
@@ -137,76 +138,84 @@ private static PolicyManager createPolicyManager() {
137138 var pathLookup = new PathLookup (getUserHome (), bootstrapArgs .configDir (), bootstrapArgs .dataDirs (), bootstrapArgs .tempDir ());
138139 Path logsDir = EntitlementBootstrap .bootstrapArgs ().logsDir ();
139140
140- // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
141- var serverPolicy = new Policy (
142- "server" ,
143- List .of (
144- new Scope ("org.elasticsearch.base" , List .of (new CreateClassLoaderEntitlement ())),
145- new Scope ("org.elasticsearch.xcontent" , List .of (new CreateClassLoaderEntitlement ())),
146- new Scope (
147- "org.elasticsearch.server" ,
148- List .of (
149- new ExitVMEntitlement (),
150- new ReadStoreAttributesEntitlement (),
151- new CreateClassLoaderEntitlement (),
152- new InboundNetworkEntitlement (),
153- new OutboundNetworkEntitlement (),
154- new LoadNativeLibrariesEntitlement (),
155- new ManageThreadsEntitlement (),
156- new FilesEntitlement (
157- Stream .concat (
158- Stream .of (
159- FileData .ofPath (bootstrapArgs .tempDir (), READ_WRITE ),
160- FileData .ofPath (bootstrapArgs .configDir (), READ ),
161- FileData .ofPath (bootstrapArgs .logsDir (), READ_WRITE ),
162- // OS release on Linux
163- FileData .ofPath (Path .of ("/etc/os-release" ), READ ),
164- FileData .ofPath (Path .of ("/etc/system-release" ), READ ),
165- FileData .ofPath (Path .of ("/usr/lib/os-release" ), READ ),
166- // read max virtual memory areas
167- FileData .ofPath (Path .of ("/proc/sys/vm/max_map_count" ), READ ),
168- FileData .ofPath (Path .of ("/proc/meminfo" ), READ ),
169- // load averages on Linux
170- FileData .ofPath (Path .of ("/proc/loadavg" ), READ ),
171- // control group stats on Linux. cgroup v2 stats are in an unpredicable
172- // location under `/sys/fs/cgroup`, so unfortunately we have to allow
173- // read access to the entire directory hierarchy.
174- FileData .ofPath (Path .of ("/proc/self/cgroup" ), READ ),
175- FileData .ofPath (Path .of ("/sys/fs/cgroup/" ), READ ),
176- // // io stats on Linux
177- FileData .ofPath (Path .of ("/proc/self/mountinfo" ), READ ),
178- FileData .ofPath (Path .of ("/proc/diskstats" ), READ )
179- ),
180- Arrays .stream (bootstrapArgs .dataDirs ()).map (d -> FileData .ofPath (d , READ ))
181- ).toList ()
182- )
183- )
184- ),
185- new Scope ("org.apache.httpcomponents.httpclient" , List .of (new OutboundNetworkEntitlement ())),
186- new Scope ("io.netty.transport" , List .of (new InboundNetworkEntitlement (), new OutboundNetworkEntitlement ())),
187- new Scope (
188- "org.apache.lucene.core" ,
189- List .of (
190- new LoadNativeLibrariesEntitlement (),
191- new ManageThreadsEntitlement (),
192- new FilesEntitlement (
193- Stream .concat (
194- Stream .of (FileData .ofPath (bootstrapArgs .configDir (), READ )),
195- Arrays .stream (bootstrapArgs .dataDirs ()).map (d -> FileData .ofPath (d , READ_WRITE ))
196- ).toList ()
197- )
141+ List <Scope > serverScopes = new ArrayList <>();
142+ Collections .addAll (
143+ serverScopes ,
144+ new Scope ("org.elasticsearch.base" , List .of (new CreateClassLoaderEntitlement ())),
145+ new Scope ("org.elasticsearch.xcontent" , List .of (new CreateClassLoaderEntitlement ())),
146+ new Scope (
147+ "org.elasticsearch.server" ,
148+ List .of (
149+ new ExitVMEntitlement (),
150+ new ReadStoreAttributesEntitlement (),
151+ new CreateClassLoaderEntitlement (),
152+ new InboundNetworkEntitlement (),
153+ new OutboundNetworkEntitlement (),
154+ new LoadNativeLibrariesEntitlement (),
155+ new ManageThreadsEntitlement (),
156+ new FilesEntitlement (
157+ Stream .concat (
158+ Stream .of (
159+ FileData .ofPath (bootstrapArgs .tempDir (), READ_WRITE ),
160+ FileData .ofPath (bootstrapArgs .configDir (), READ ),
161+ FileData .ofPath (bootstrapArgs .logsDir (), READ_WRITE ),
162+ // OS release on Linux
163+ FileData .ofPath (Path .of ("/etc/os-release" ), READ ),
164+ FileData .ofPath (Path .of ("/etc/system-release" ), READ ),
165+ FileData .ofPath (Path .of ("/usr/lib/os-release" ), READ ),
166+ // read max virtual memory areas
167+ FileData .ofPath (Path .of ("/proc/sys/vm/max_map_count" ), READ ),
168+ FileData .ofPath (Path .of ("/proc/meminfo" ), READ ),
169+ // load averages on Linux
170+ FileData .ofPath (Path .of ("/proc/loadavg" ), READ ),
171+ // control group stats on Linux. cgroup v2 stats are in an unpredicable
172+ // location under `/sys/fs/cgroup`, so unfortunately we have to allow
173+ // read access to the entire directory hierarchy.
174+ FileData .ofPath (Path .of ("/proc/self/cgroup" ), READ ),
175+ FileData .ofPath (Path .of ("/sys/fs/cgroup/" ), READ ),
176+ // // io stats on Linux
177+ FileData .ofPath (Path .of ("/proc/self/mountinfo" ), READ ),
178+ FileData .ofPath (Path .of ("/proc/diskstats" ), READ )
179+ ),
180+ Arrays .stream (bootstrapArgs .dataDirs ()).map (d -> FileData .ofPath (d , READ ))
181+ ).toList ()
198182 )
199- ),
200- new Scope ("org.apache.logging.log4j.core" , List .of (new ManageThreadsEntitlement ())),
201- new Scope (
202- "org.elasticsearch.nativeaccess" ,
203- List .of (
204- new LoadNativeLibrariesEntitlement (),
205- new FilesEntitlement (List .of (FileData .ofRelativePath (Path .of ("" ), FilesEntitlement .BaseDir .DATA , READ_WRITE )))
183+ )
184+ ),
185+ new Scope ("org.apache.httpcomponents.httpclient" , List .of (new OutboundNetworkEntitlement ())),
186+ new Scope ("io.netty.transport" , List .of (new InboundNetworkEntitlement (), new OutboundNetworkEntitlement ())),
187+ new Scope (
188+ "org.apache.lucene.core" ,
189+ List .of (
190+ new LoadNativeLibrariesEntitlement (),
191+ new ManageThreadsEntitlement (),
192+ new FilesEntitlement (
193+ Stream .concat (
194+ Stream .of (FileData .ofPath (bootstrapArgs .configDir (), READ )),
195+ Arrays .stream (bootstrapArgs .dataDirs ()).map (d -> FileData .ofPath (d , READ_WRITE ))
196+ ).toList ()
206197 )
207198 )
199+ ),
200+ new Scope ("org.apache.logging.log4j.core" , List .of (new ManageThreadsEntitlement ())),
201+ new Scope (
202+ "org.elasticsearch.nativeaccess" ,
203+ List .of (
204+ new LoadNativeLibrariesEntitlement (),
205+ new FilesEntitlement (List .of (FileData .ofRelativePath (Path .of ("" ), FilesEntitlement .BaseDir .DATA , READ_WRITE )))
206+ )
208207 )
209208 );
209+
210+ Path trustStorePath = trustStorePath ();
211+ if (trustStorePath != null ) {
212+ serverScopes .add (
213+ new Scope ("org.bouncycastle.fips.tls" , List .of (new FilesEntitlement (List .of (FileData .ofPath (trustStorePath , READ )))))
214+ );
215+ }
216+
217+ // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
218+ var serverPolicy = new Policy ("server" , serverScopes );
210219 // agents run without a module, so this is a special hack for the apm agent
211220 // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
212221 List <Entitlement > agentEntitlements = List .of (new CreateClassLoaderEntitlement (), new ManageThreadsEntitlement ());
@@ -230,6 +239,11 @@ private static Path getUserHome() {
230239 return PathUtils .get (userHome );
231240 }
232241
242+ private static Path trustStorePath () {
243+ String trustStore = System .getProperty ("javax.net.ssl.trustStore" );
244+ return trustStore != null ? Path .of (trustStore ) : null ;
245+ }
246+
233247 private static Stream <InstrumentationService .InstrumentationInfo > fileSystemProviderChecks () throws ClassNotFoundException ,
234248 NoSuchMethodException {
235249 var fileSystemProviderClass = FileSystems .getDefault ().provider ().getClass ();
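Review bot: trustStorePath() in the `@@ -230,6 +239,11 @@` hunk hands the raw `javax.net.ssl.trustStore` value straight to Path.of, so an empty or relative property value produces an empty or relative Path, and the FileData.ofPath read grant built from it in the first hunk then presumably depends on the working directory rather than on the file the TLS provider actually opens. Unless FileData.ofPath already absolutizes and normalizes its argument (not visible here), treat blank as unset and resolve the path once at bootstrap: `if (trustStore == null || trustStore.isBlank()) return null;` followed by `return Path.of(trustStore).toAbsolutePath().normalize();`. The method also deserves a short comment stating why only the `org.bouncycastle.fips.tls` scope receives this entitlement, e.g. `// The FIPS TLS provider reads the JVM trust store named by javax.net.ssl.trustStore; grant that module read-only access to exactly that file.` — today the reason is only inferable from the scope name. The property is read once here, so a trust store configured later at runtime would not be covered; if that is intended, say so in the same comment.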