
Commit 37e46a2

committed
native permission
1 parent a65a2ba commit 37e46a2

1 file changed

+10
-1
lines changed

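--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -24,6 +24,8 @@
 import org.elasticsearch.entitlement.runtime.policy.entitlements.CreateClassLoaderEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.ExitVMEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.FileData;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.InboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.LoadNativeLibrariesEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
@@ -37,13 +39,16 @@
 import java.nio.file.Path;
 import java.nio.file.spi.FileSystemProvider;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
+
 /**
 * Called by the agent during {@code agentmain} to configure the entitlement system,
 * instantiate and configure an {@link EntitlementChecker},
@@ -109,6 +114,7 @@ private static Class<?>[] findClassesToRetransform(Class<?>[] loadedClasses, Set
 
 private static PolicyManager createPolicyManager() {
 Map<String, Policy> pluginPolicies = EntitlementBootstrap.bootstrapArgs().pluginPolicies();
+Path[] dataDirs = EntitlementBootstrap.bootstrapArgs().dataDirs();
 
 // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
 var serverPolicy = new Policy(
@@ -129,7 +135,10 @@ private static PolicyManager createPolicyManager() {
 new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),
 new Scope("io.netty.transport", List.of(new InboundNetworkEntitlement(), new OutboundNetworkEntitlement())),
 new Scope("org.apache.lucene.core", List.of(new LoadNativeLibrariesEntitlement())),
-new Scope("org.elasticsearch.nativeaccess", List.of(new LoadNativeLibrariesEntitlement()))
+new Scope("org.elasticsearch.nativeaccess",
+List.of(
+new LoadNativeLibrariesEntitlement(),
+new FilesEntitlement(Arrays.asList(dataDirs).stream().map(d -> new FileData(d.toString(), READ_WRITE)).toList())))
 )
 );
 // agents run without a module, so this is a special hack for the apm agent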
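Review bot: The `FilesEntitlement` added to the `org.elasticsearch.nativeaccess` scope grants `READ_WRITE` on every entry of `dataDirs`, and neither the code nor the commit title says which native operation needs write access to the data directories. For a default server policy that is a broad grant, so I would record the reason next to it, e.g. `// nativeaccess needs read/write on the data dirs for <operation>; narrow to READ or a sub-path if that is enough`, so a later reviewer can check it against least privilege. The paths are passed as `d.toString()`, so whether they are absolute and normalized depends on what `bootstrapArgs().dataDirs()` returns, which is not visible here and is worth confirming. As a style point, `Arrays.asList(dataDirs).stream()` can be written `Arrays.stream(dataDirs)`. The body of `createPolicyManager` continues outside the hunk.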
