give read access to code

rjernst · rjernst · commit 21b1748b6478 · 2025-08-28T07:55:25.000-07:00
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java
@@ -115,7 +115,13 @@ private static List<Scope> createServerEntitlements(Path pidFile) {
                 )
             ),
             new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
-            new Scope("java.xml", List.of(new ReadJdkImageEntitlement())),
+            new Scope("java.xml", List.of(
+                new ReadJdkImageEntitlement(),
+                // java.xml does some reflective stuff that reads calling jars, so allow reading the codebases
+                // of any code in the system so that they can all use java.xml
+                new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(LIB, READ))),
+                new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(MODULES, READ))),
+                new FilesEntitlement(List.of(FilesEntitlement.FileData.ofBaseDirPath(PLUGINS, READ))))),
             new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
             new Scope(
                 "org.apache.lucene.core",
