[Entitlements] Policy and checks for loading native libraries (#120044) (#120623)

Author: ldematte

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -398,4 +398,16 @@ public interface EntitlementChecker {
     void check$sun_nio_ch_DatagramChannelImpl$send(Class<?> callerClass, DatagramChannel that, ByteBuffer src, SocketAddress target);
 
     void check$sun_nio_ch_DatagramChannelImpl$receive(Class<?> callerClass, DatagramChannel that, ByteBuffer dst);
+
+    ////////////////////
+    //
+    // Load native libraries
+    //
+    void check$java_lang_Runtime$load(Class<?> callerClass, Runtime that, String filename);
+
+    void check$java_lang_Runtime$loadLibrary(Class<?> callerClass, Runtime that, String libname);
+
+    void check$java_lang_System$$load(Class<?> callerClass, String filename);
+
+    void check$java_lang_System$$loadLibrary(Class<?> callerClass, String libname);
 }

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/LoadNativeLibrariesCheckActions.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.qa.common;
+
+class LoadNativeLibrariesCheckActions {
+    static void runtimeLoad() {
+        try {
+            Runtime.getRuntime().load("libSomeLibFile.so");
+        } catch (UnsatisfiedLinkError ignored) {
+            // The library does not exist, so we expect to fail loading it
+        }
+    }
+
+    static void systemLoad() {
+        try {
+            System.load("libSomeLibFile.so");
+        } catch (UnsatisfiedLinkError ignored) {
+            // The library does not exist, so we expect to fail loading it
+        }
+    }
+
+    static void runtimeLoadLibrary() {
+        try {
+            Runtime.getRuntime().loadLibrary("SomeLib");
+        } catch (UnsatisfiedLinkError ignored) {
+            // The library does not exist, so we expect to fail loading it
+        }
+    }
+
+    static void systemLoadLibrary() {
+        try {
+            System.loadLibrary("SomeLib");
+        } catch (UnsatisfiedLinkError ignored) {
+            // The library does not exist, so we expect to fail loading it
+        }
+    }
+}

libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java

@@ -192,7 +192,12 @@ static CheckAction alwaysDenied(CheckedRunnable<Exception> action) {
         entry("datagram_channel_bind", forPlugins(NetworkAccessCheckActions::datagramChannelBind)),
         entry("datagram_channel_connect", forPlugins(NetworkAccessCheckActions::datagramChannelConnect)),
         entry("datagram_channel_send", forPlugins(NetworkAccessCheckActions::datagramChannelSend)),
-        entry("datagram_channel_receive", forPlugins(NetworkAccessCheckActions::datagramChannelReceive))
+        entry("datagram_channel_receive", forPlugins(NetworkAccessCheckActions::datagramChannelReceive)),
+
+        entry("runtime_load", forPlugins(LoadNativeLibrariesCheckActions::runtimeLoad)),
+        entry("runtime_load_library", forPlugins(LoadNativeLibrariesCheckActions::runtimeLoadLibrary)),
+        entry("system_load", forPlugins(LoadNativeLibrariesCheckActions::systemLoad)),
+        entry("system_load_library", forPlugins(LoadNativeLibrariesCheckActions::systemLoadLibrary))
     )
         .filter(entry -> entry.getValue().fromJavaVersion() == null || Runtime.version().feature() >= entry.getValue().fromJavaVersion())
         .collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue));

libs/entitlement/qa/entitlement-allowed-nonmodular/src/main/plugin-metadata/entitlement-policy.yaml

@@ -7,3 +7,4 @@ ALL-UNNAMED:
       properties:
         - es.entitlements.checkSetSystemProperty
         - es.entitlements.checkClearSystemProperty
+  - load_native_libraries

libs/entitlement/qa/entitlement-allowed/src/main/plugin-metadata/entitlement-policy.yaml

@@ -7,3 +7,4 @@ org.elasticsearch.entitlement.qa.common:
       properties:
         - es.entitlements.checkSetSystemProperty
         - es.entitlements.checkClearSystemProperty
+  - load_native_libraries

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.entitlement.runtime.policy.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.ExitVMEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.InboundNetworkEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.LoadNativeLibrariesEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.OutboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
@@ -92,7 +93,8 @@ private static PolicyManager createPolicyManager() {
                         new ExitVMEntitlement(),
                         new CreateClassLoaderEntitlement(),
                         new InboundNetworkEntitlement(),
-                        new OutboundNetworkEntitlement()
+                        new OutboundNetworkEntitlement(),
+                        new LoadNativeLibrariesEntitlement()
                     )
                 ),
                 new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -732,4 +732,24 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
     public void check$sun_nio_ch_DatagramChannelImpl$receive(Class<?> callerClass, DatagramChannel that, ByteBuffer dst) {
         policyManager.checkInboundNetworkAccess(callerClass);
     }
+
+    @Override
+    public void check$java_lang_Runtime$load(Class<?> callerClass, Runtime that, String filename) {
+        policyManager.checkLoadingNativeLibraries(callerClass);
+    }
+
+    @Override
+    public void check$java_lang_Runtime$loadLibrary(Class<?> callerClass, Runtime that, String libname) {
+        policyManager.checkLoadingNativeLibraries(callerClass);
+    }
+
+    @Override
+    public void check$java_lang_System$$load(Class<?> callerClass, String filename) {
+        policyManager.checkLoadingNativeLibraries(callerClass);
+    }
+
+    @Override
+    public void check$java_lang_System$$loadLibrary(Class<?> callerClass, String libname) {
+        policyManager.checkLoadingNativeLibraries(callerClass);
+    }
 }

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/LoadNativeLibrariesEntitlement.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.entitlement.runtime.policy;
+
+/**
+ * An Entitlement to allow loading native libraries
+ */
+public record LoadNativeLibrariesEntitlement() implements Entitlement {
+    @ExternalEntitlement(esModulesOnly = false)
+    public LoadNativeLibrariesEntitlement {}
+}

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -189,6 +189,13 @@ public void checkReadSensitiveNetworkInformation(Class<?> callerClass) {
         neverEntitled(callerClass, "access sensitive network information");
     }
 
+    /**
+     * Check for operations that can access sensitive network information, e.g. secrets, tokens or SSL sessions
+     */
+    public void checkLoadingNativeLibraries(Class<?> callerClass) {
+        checkEntitlementPresent(callerClass, LoadNativeLibrariesEntitlement.class);
+    }
+
     private String operationDescription(String methodName) {
         // TODO: Use a more human-readable description. Perhaps share code with InstrumentationServiceImpl.parseCheckerMethodName
         return methodName.substring(methodName.indexOf('$'));

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyParser.java

@@ -41,7 +41,8 @@ public class PolicyParser {
         SetHttpsConnectionPropertiesEntitlement.class,
         OutboundNetworkEntitlement.class,
         InboundNetworkEntitlement.class,
-        WriteSystemPropertiesEntitlement.class
+        WriteSystemPropertiesEntitlement.class,
+        LoadNativeLibrariesEntitlement.class
     ).collect(Collectors.toUnmodifiableMap(PolicyParser::getEntitlementTypeName, Function.identity()));
 
     protected final XContentParser policyParser;