Add entitlement checks for java.lang.ClassLoader (#119027) (#119519)

Backport of #119027 from main.

Author: prdoyle

libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java

@@ -26,6 +26,20 @@ public interface EntitlementChecker {
 
     void check$java_lang_Runtime$halt(Class<?> callerClass, Runtime runtime, int status);
 
+    // ClassLoader ctor
+    void check$java_lang_ClassLoader$(Class<?> callerClass);
+
+    void check$java_lang_ClassLoader$(Class<?> callerClass, ClassLoader parent);
+
+    void check$java_lang_ClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
+
+    // SecureClassLoader ctor
+    void check$java_security_SecureClassLoader$(Class<?> callerClass);
+
+    void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent);
+
+    void check$java_security_SecureClassLoader$(Class<?> callerClass, String name, ClassLoader parent);
+
     // URLClassLoader constructors
     void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls);
 

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -20,6 +20,7 @@
 import org.elasticsearch.entitlement.instrumentation.Transformer;
 import org.elasticsearch.entitlement.runtime.api.ElasticsearchEntitlementChecker;
 import org.elasticsearch.entitlement.runtime.policy.CreateClassLoaderEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.Entitlement;
 import org.elasticsearch.entitlement.runtime.policy.ExitVMEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
@@ -93,9 +94,17 @@ private static PolicyManager createPolicyManager() throws IOException {
         // TODO(ES-10031): Decide what goes in the elasticsearch default policy and extend it
         var serverPolicy = new Policy(
             "server",
-            List.of(new Scope("org.elasticsearch.server", List.of(new ExitVMEntitlement(), new CreateClassLoaderEntitlement())))
+            List.of(
+                new Scope("org.elasticsearch.base", List.of(new CreateClassLoaderEntitlement())),
+                new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
+                new Scope("org.elasticsearch.server", List.of(new ExitVMEntitlement(), new CreateClassLoaderEntitlement()))
+            )
         );
-        return new PolicyManager(serverPolicy, pluginPolicies, EntitlementBootstrap.bootstrapArgs().pluginResolver(), ENTITLEMENTS_MODULE);
+        // agents run without a module, so this is a special hack for the apm agent
+        // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
+        List<Entitlement> agentEntitlements = List.of(new CreateClassLoaderEntitlement());
+        var resolver = EntitlementBootstrap.bootstrapArgs().pluginResolver();
+        return new PolicyManager(serverPolicy, agentEntitlements, pluginPolicies, resolver, ENTITLEMENTS_MODULE);
     }
 
     private static Map<String, Policy> createPluginPolicies(Collection<EntitlementBootstrap.PluginData> pluginData) throws IOException {
@@ -120,12 +129,12 @@ private static Policy loadPluginPolicy(Path pluginRoot, boolean isModular, Strin
 
         // TODO: should this check actually be part of the parser?
         for (Scope scope : policy.scopes) {
-            if (moduleNames.contains(scope.name) == false) {
+            if (moduleNames.contains(scope.moduleName) == false) {
                 throw new IllegalStateException(
                     Strings.format(
                         "Invalid module name in policy: plugin [%s] does not have module [%s]; available modules [%s]; policy file [%s]",
                         pluginName,
-                        scope.name,
+                        scope.moduleName,
                         String.join(", ", moduleNames),
                         policyFile
                     )

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -27,6 +27,7 @@
  * The trampoline module loads this object via SPI.
  */
 public class ElasticsearchEntitlementChecker implements EntitlementChecker {
+
     private final PolicyManager policyManager;
 
     public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
@@ -43,6 +44,36 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
         policyManager.checkExitVM(callerClass);
     }
 
+    @Override
+    public void check$java_lang_ClassLoader$(Class<?> callerClass) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_lang_ClassLoader$(Class<?> callerClass, ClassLoader parent) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_lang_ClassLoader$(Class<?> callerClass, String name, ClassLoader parent) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_security_SecureClassLoader$(Class<?> callerClass) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_security_SecureClassLoader$(Class<?> callerClass, ClassLoader parent) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
+    @Override
+    public void check$java_security_SecureClassLoader$(Class<?> callerClass, String name, ClassLoader parent) {
+        policyManager.checkCreateClassLoader(callerClass);
+    }
+
     @Override
     public void check$java_net_URLClassLoader$(Class<?> callerClass, URL[] urls) {
         policyManager.checkCreateClassLoader(callerClass);

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -17,34 +17,31 @@
 import java.lang.StackWalker.StackFrame;
 import java.lang.module.ModuleFinder;
 import java.lang.module.ModuleReference;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.IdentityHashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import static java.lang.StackWalker.Option.RETAIN_CLASS_REFERENCE;
 import static java.util.Objects.requireNonNull;
+import static java.util.stream.Collectors.groupingBy;
 
 public class PolicyManager {
     private static final Logger logger = LogManager.getLogger(PolicyManager.class);
 
-    static class ModuleEntitlements {
-        public static final ModuleEntitlements NONE = new ModuleEntitlements(List.of());
-        private final IdentityHashMap<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType;
+    record ModuleEntitlements(Map<Class<? extends Entitlement>, List<Entitlement>> entitlementsByType) {
+        public static final ModuleEntitlements NONE = new ModuleEntitlements(Map.of());
 
-        ModuleEntitlements(List<Entitlement> entitlements) {
-            this.entitlementsByType = entitlements.stream()
-                .collect(Collectors.toMap(Entitlement::getClass, e -> new ArrayList<>(List.of(e)), (a, b) -> {
-                    a.addAll(b);
-                    return a;
-                }, IdentityHashMap::new));
+        ModuleEntitlements {
+            entitlementsByType = Map.copyOf(entitlementsByType);
+        }
+
+        public static ModuleEntitlements from(List<Entitlement> entitlements) {
+            return new ModuleEntitlements(entitlements.stream().collect(groupingBy(Entitlement::getClass)));
         }
 
         public boolean hasEntitlement(Class<? extends Entitlement> entitlementClass) {
@@ -56,9 +53,10 @@ public <E extends Entitlement> Stream<E> getEntitlements(Class<E> entitlementCla
         }
     }
 
-    final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new HashMap<>();
+    final Map<Module, ModuleEntitlements> moduleEntitlementsMap = new ConcurrentHashMap<>();
 
     protected final Map<String, List<Entitlement>> serverEntitlements;
+    protected final List<Entitlement> agentEntitlements;
     protected final Map<String, Map<String, List<Entitlement>>> pluginsEntitlements;
     private final Function<Class<?>, String> pluginResolver;
 
@@ -85,12 +83,14 @@ private static Set<Module> findSystemModules() {
     private final Module entitlementsModule;
 
     public PolicyManager(
-        Policy defaultPolicy,
+        Policy serverPolicy,
+        List<Entitlement> agentEntitlements,
         Map<String, Policy> pluginPolicies,
         Function<Class<?>, String> pluginResolver,
         Module entitlementsModule
     ) {
-        this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(defaultPolicy));
+        this.serverEntitlements = buildScopeEntitlementsMap(requireNonNull(serverPolicy));
+        this.agentEntitlements = agentEntitlements;
         this.pluginsEntitlements = requireNonNull(pluginPolicies).entrySet()
             .stream()
             .collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, e -> buildScopeEntitlementsMap(e.getValue())));
@@ -99,15 +99,15 @@ public PolicyManager(
     }
 
     private static Map<String, List<Entitlement>> buildScopeEntitlementsMap(Policy policy) {
-        return policy.scopes.stream().collect(Collectors.toUnmodifiableMap(scope -> scope.name, scope -> scope.entitlements));
+        return policy.scopes.stream().collect(Collectors.toUnmodifiableMap(scope -> scope.moduleName, scope -> scope.entitlements));
     }
 
     public void checkStartProcess(Class<?> callerClass) {
         neverEntitled(callerClass, "start process");
     }
 
     private void neverEntitled(Class<?> callerClass, String operationDescription) {
-        var requestingModule = requestingModule(callerClass);
+        var requestingModule = requestingClass(callerClass);
         if (isTriviallyAllowed(requestingModule)) {
             return;
         }
@@ -139,49 +139,45 @@ public void checkSetGlobalHttpsConnectionProperties(Class<?> callerClass) {
     }
 
     private void checkEntitlementPresent(Class<?> callerClass, Class<? extends Entitlement> entitlementClass) {
-        var requestingModule = requestingModule(callerClass);
-        if (isTriviallyAllowed(requestingModule)) {
+        var requestingClass = requestingClass(callerClass);
+        if (isTriviallyAllowed(requestingClass)) {
             return;
         }
 
-        ModuleEntitlements entitlements = getEntitlementsOrThrow(callerClass, requestingModule);
+        ModuleEntitlements entitlements = getEntitlements(requestingClass);
         if (entitlements.hasEntitlement(entitlementClass)) {
             logger.debug(
                 () -> Strings.format(
-                    "Entitled: caller [%s], module [%s], type [%s]",
-                    callerClass,
-                    requestingModule.getName(),
+                    "Entitled: class [%s], module [%s], entitlement [%s]",
+                    requestingClass,
+                    requestingClass.getModule().getName(),
                     entitlementClass.getSimpleName()
                 )
             );
             return;
         }
         throw new NotEntitledException(
             Strings.format(
-                "Missing entitlement: caller [%s], module [%s], type [%s]",
-                callerClass,
-                requestingModule.getName(),
+                "Missing entitlement: class [%s], module [%s], entitlement [%s]",
+                requestingClass,
+                requestingClass.getModule().getName(),
                 entitlementClass.getSimpleName()
             )
         );
     }
 
-    ModuleEntitlements getEntitlementsOrThrow(Class<?> callerClass, Module requestingModule) {
-        ModuleEntitlements cachedEntitlement = moduleEntitlementsMap.get(requestingModule);
-        if (cachedEntitlement != null) {
-            if (cachedEntitlement == ModuleEntitlements.NONE) {
-                throw new NotEntitledException(buildModuleNoPolicyMessage(callerClass, requestingModule) + "[CACHED]");
-            }
-            return cachedEntitlement;
-        }
+    ModuleEntitlements getEntitlements(Class<?> requestingClass) {
+        return moduleEntitlementsMap.computeIfAbsent(requestingClass.getModule(), m -> computeEntitlements(requestingClass));
+    }
 
+    private ModuleEntitlements computeEntitlements(Class<?> requestingClass) {
+        Module requestingModule = requestingClass.getModule();
         if (isServerModule(requestingModule)) {
-            var scopeName = requestingModule.getName();
-            return getModuleEntitlementsOrThrow(callerClass, requestingModule, serverEntitlements, scopeName);
+            return getModuleScopeEntitlements(requestingClass, serverEntitlements, requestingModule.getName());
         }
 
         // plugins
-        var pluginName = pluginResolver.apply(callerClass);
+        var pluginName = pluginResolver.apply(requestingClass);
         if (pluginName != null) {
             var pluginEntitlements = pluginsEntitlements.get(pluginName);
             if (pluginEntitlements != null) {
@@ -191,60 +187,53 @@ ModuleEntitlements getEntitlementsOrThrow(Class<?> callerClass, Module requestin
                 } else {
                     scopeName = requestingModule.getName();
                 }
-                return getModuleEntitlementsOrThrow(callerClass, requestingModule, pluginEntitlements, scopeName);
+                return getModuleScopeEntitlements(requestingClass, pluginEntitlements, scopeName);
             }
         }
 
-        moduleEntitlementsMap.put(requestingModule, ModuleEntitlements.NONE);
-        throw new NotEntitledException(buildModuleNoPolicyMessage(callerClass, requestingModule));
-    }
+        if (requestingModule.isNamed() == false) {
+            // agents are the only thing running non-modular
+            return ModuleEntitlements.from(agentEntitlements);
+        }
 
-    private static String buildModuleNoPolicyMessage(Class<?> callerClass, Module requestingModule) {
-        return Strings.format("Missing entitlement policy: caller [%s], module [%s]", callerClass, requestingModule.getName());
+        logger.warn("No applicable entitlement policy for class [{}]", requestingClass.getName());
+        return ModuleEntitlements.NONE;
     }
 
-    private ModuleEntitlements getModuleEntitlementsOrThrow(
+    private ModuleEntitlements getModuleScopeEntitlements(
         Class<?> callerClass,
-        Module module,
         Map<String, List<Entitlement>> scopeEntitlements,
         String moduleName
     ) {
         var entitlements = scopeEntitlements.get(moduleName);
         if (entitlements == null) {
-            // Module without entitlements - remember we don't have any
-            moduleEntitlementsMap.put(module, ModuleEntitlements.NONE);
-            throw new NotEntitledException(buildModuleNoPolicyMessage(callerClass, module));
+            logger.warn("No applicable entitlement policy for module [{}], class [{}]", moduleName, callerClass);
+            return ModuleEntitlements.NONE;
         }
-        // We have a policy for this module
-        var classEntitlements = new ModuleEntitlements(entitlements);
-        moduleEntitlementsMap.put(module, classEntitlements);
-        return classEntitlements;
+        return ModuleEntitlements.from(entitlements);
     }
 
     private static boolean isServerModule(Module requestingModule) {
         return requestingModule.isNamed() && requestingModule.getLayer() == ModuleLayer.boot();
     }
 
     /**
-     * Walks the stack to determine which module's entitlements should be checked.
+     * Walks the stack to determine which class should be checked for entitlements.
      *
-     * @param callerClass when non-null will be used if its module is suitable;
+     * @param callerClass when non-null will be returned;
      *                    this is a fast-path check that can avoid the stack walk
      *                    in cases where the caller class is available.
-     * @return the requesting module, or {@code null} if the entire call stack
+     * @return the requesting class, or {@code null} if the entire call stack
      * comes from the entitlement library itself.
      */
-    Module requestingModule(Class<?> callerClass) {
+    Class<?> requestingClass(Class<?> callerClass) {
         if (callerClass != null) {
-            var callerModule = callerClass.getModule();
-            if (callerModule != null && entitlementsModule.equals(callerModule) == false) {
-                // fast path
-                return callerModule;
-            }
+            // fast path
+            return callerClass;
         }
-        Optional<Module> module = StackWalker.getInstance(RETAIN_CLASS_REFERENCE)
-            .walk(frames -> findRequestingModule(frames.map(StackFrame::getDeclaringClass)));
-        return module.orElse(null);
+        Optional<Class<?>> result = StackWalker.getInstance(RETAIN_CLASS_REFERENCE)
+            .walk(frames -> findRequestingClass(frames.map(StackFrame::getDeclaringClass)));
+        return result.orElse(null);
     }
 
     /**
@@ -253,33 +242,25 @@ Module requestingModule(Class<?> callerClass) {
      *
      * @throws NullPointerException if the requesting module is {@code null}
      */
-    Optional<Module> findRequestingModule(Stream<Class<?>> classes) {
-        return classes.map(Objects::requireNonNull)
-            .map(PolicyManager::moduleOf)
-            .filter(m -> m != entitlementsModule)  // Ignore the entitlements library itself entirely
-            .skip(1)                            // Skip the sensitive method itself
+    Optional<Class<?>> findRequestingClass(Stream<Class<?>> classes) {
+        return classes.filter(c -> c.getModule() != entitlementsModule)  // Ignore the entitlements library
+            .skip(1)                                           // Skip the sensitive caller method
             .findFirst();
     }
 
-    private static Module moduleOf(Class<?> c) {
-        var result = c.getModule();
-        if (result == null) {
-            throw new NullPointerException("Entitlements system does not support non-modular class [" + c.getName() + "]");
-        } else {
-            return result;
-        }
-    }
-
-    private static boolean isTriviallyAllowed(Module requestingModule) {
+    /**
+     * @return true if permission is granted regardless of the entitlement
+     */
+    private static boolean isTriviallyAllowed(Class<?> requestingClass) {
         if (logger.isTraceEnabled()) {
             logger.trace("Stack trace for upcoming trivially-allowed check", new Exception());
         }
-        if (requestingModule == null) {
+        if (requestingClass == null) {
             logger.debug("Entitlement trivially allowed: no caller frames outside the entitlement library");
             return true;
         }
-        if (systemModules.contains(requestingModule)) {
-            logger.debug("Entitlement trivially allowed from system module [{}]", requestingModule.getName());
+        if (systemModules.contains(requestingClass.getModule())) {
+            logger.debug("Entitlement trivially allowed from system module [{}]", requestingClass.getModule().getName());
             return true;
         }
         logger.trace("Entitlement not trivially allowed");