[8.x][Entitlements] Add file read entitlement check to library load functions #122494 (#122624)

ldematte · web-flow · commit 5426cd9bb65e · 2025-02-15T05:08:48.000+11:00
* [Entitlements] Add file read entitlement check to library load functions #122494 * Missing variant
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/LoadNativeLibrariesCheckActions.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/LoadNativeLibrariesCheckActions.java
@@ -12,15 +12,15 @@
 class LoadNativeLibrariesCheckActions {
     static void runtimeLoad() {
         try {
-            Runtime.getRuntime().load("libSomeLibFile.so");
+            Runtime.getRuntime().load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());
         } catch (UnsatisfiedLinkError ignored) {
             // The library does not exist, so we expect to fail loading it
         }
     }
 
     static void systemLoad() {
         try {
-            System.load("libSomeLibFile.so");
+            System.load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());
         } catch (UnsatisfiedLinkError ignored) {
             // The library does not exist, so we expect to fail loading it
         }
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
@@ -828,7 +828,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     @Override
     public void check$java_lang_Runtime$load(Class<?> callerClass, Runtime that, String filename) {
-        // TODO: check filesystem entitlement READ
+        policyManager.checkFileRead(callerClass, Path.of(filename));
         policyManager.checkLoadingNativeLibraries(callerClass);
     }
 
@@ -839,7 +839,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     @Override
     public void check$java_lang_System$$load(Class<?> callerClass, String filename) {
-        // TODO: check filesystem entitlement READ
+        policyManager.checkFileRead(callerClass, Path.of(filename));
         policyManager.checkLoadingNativeLibraries(callerClass);
     }
 
diff --git a/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/api/Java19ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main19/java/org/elasticsearch/entitlement/runtime/api/Java19ElasticsearchEntitlementChecker.java
@@ -73,7 +73,7 @@ public Java19ElasticsearchEntitlementChecker(PolicyManager policyManager) {
 
     @Override
     public void check$java_lang_foreign_SymbolLookup$$libraryLookup(Class<?> callerClass, Path path, MemorySession session) {
-        // TODO: check filesystem entitlement READ
+        policyManager.checkFileRead(callerClass, path);
         policyManager.checkLoadingNativeLibraries(callerClass);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,15 +12,15 @@`
`12`	`12`	`class LoadNativeLibrariesCheckActions {`
`13`	`13`	`static void runtimeLoad() {`
`14`	`14`	`try {`
`15`		`- Runtime.getRuntime().load("libSomeLibFile.so");`
	`15`	`+ Runtime.getRuntime().load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());`
`16`	`16`	`} catch (UnsatisfiedLinkError ignored) {`
`17`	`17`	`// The library does not exist, so we expect to fail loading it`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`static void systemLoad() {`
`22`	`22`	`try {`
`23`		`- System.load("libSomeLibFile.so");`
	`23`	`+ System.load(FileCheckActions.readDir().resolve("libSomeLibFile.so").toString());`
`24`	`24`	`} catch (UnsatisfiedLinkError ignored) {`
`25`	`25`	`// The library does not exist, so we expect to fail loading it`
`26`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -828,7 +828,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector`
`828`	`828`
`829`	`829`	`@Override`
`830`	`830`	`public void check$java_lang_Runtime$load(Class<?> callerClass, Runtime that, String filename) {`
`831`		`- // TODO: check filesystem entitlement READ`
	`831`	`+ policyManager.checkFileRead(callerClass, Path.of(filename));`
`832`	`832`	`policyManager.checkLoadingNativeLibraries(callerClass);`
`833`	`833`	`}`
`834`	`834`
`@@ -839,7 +839,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector`
`839`	`839`
`840`	`840`	`@Override`
`841`	`841`	`public void check$java_lang_System$$load(Class<?> callerClass, String filename) {`
`842`		`- // TODO: check filesystem entitlement READ`
	`842`	`+ policyManager.checkFileRead(callerClass, Path.of(filename));`
`843`	`843`	`policyManager.checkLoadingNativeLibraries(callerClass);`
`844`	`844`	`}`
`845`	`845`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ public Java19ElasticsearchEntitlementChecker(PolicyManager policyManager) {`
`73`	`73`
`74`	`74`	`@Override`
`75`	`75`	`public void check$java_lang_foreign_SymbolLookup$$libraryLookup(Class<?> callerClass, Path path, MemorySession session) {`
`76`		`- // TODO: check filesystem entitlement READ`
	`76`	`+ policyManager.checkFileRead(callerClass, path);`
`77`	`77`	`policyManager.checkLoadingNativeLibraries(callerClass);`
`78`	`78`	`}`
`79`	`79`	`}`