feedback

Author: rjernst

libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java

@@ -614,7 +614,7 @@ static void javaDesktopFileAccess() throws Exception {
 
     @EntitlementTest(expectedAccess = ALWAYS_DENIED)
     static void javaXmlFileRequest() throws Exception {
-        // java.xml is part of the jdk, but not a system module. this checks it can't access the network
+        // java.xml is part of the jdk, but not a system module. this checks it can't access files
         var saxParser = SAXParserFactory.newInstance().newSAXParser();
         saxParser.parse(readFile().toFile(), new DefaultHandler());
     }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/ReadJdkCodeEntitlement.java

@@ -10,6 +10,10 @@
 package org.elasticsearch.entitlement.runtime.policy.entitlements;
 
 /**
- * Internal entitlement to read code from the jdk, ie jrt urls
+ * Internal entitlement to read code from the jdk.
+ *
+ * Concretely this means the code can open jrt urls. Since the java
+ * runtime images (jrt) are read only, this implicitly only allows
+ * reading those urls.
  */
 public class ReadJdkCodeEntitlement implements Entitlement {}