Add implicit temp dir/file checks + add entitlement for OsProbe

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -59,6 +59,7 @@
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
 
+import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ;
 import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE;
 
 /**
@@ -153,6 +154,7 @@ private static PolicyManager createPolicyManager() {
                                 Stream.of(new FilesEntitlement.FileData(tempDir.toString(), READ_WRITE)),
                                 Stream.of(new FilesEntitlement.FileData(configDir.toString(), READ_WRITE)),
                                 Stream.of(new FilesEntitlement.FileData(logsDir.toString(), READ_WRITE)),
+                                Stream.of(new FilesEntitlement.FileData("/etc/os-release", READ)), // for OsProbe
                                 Arrays.stream(dataDirs).map(d -> new FileData(d.toString(), READ_WRITE))
                             ).flatMap(Function.identity()).toList()
                         )

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java

@@ -1164,7 +1164,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     @Override
     public void check$java_nio_file_Files$$createTempFile(Class<?> callerClass, String prefix, String suffix, FileAttribute<?>... attrs) {
-        // TODO
+        policyManager.checkCreateTempFile(callerClass);
     }
 
     @Override
@@ -1174,7 +1174,7 @@ public void checkSelectorProviderInheritedChannel(Class<?> callerClass, Selector
 
     @Override
     public void check$java_nio_file_Files$$createTempDirectory(Class<?> callerClass, String prefix, FileAttribute<?>... attrs) {
-        // TODO
+        policyManager.checkCreateTempFile(callerClass);
     }
 
     @Override

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -305,6 +305,10 @@ public void checkFileWrite(Class<?> callerClass, Path path) {
         }
     }
 
+    public void checkCreateTempFile(Class<?> callerClass) {
+        checkFileWrite(callerClass, tempDir);
+    }
+
     /**
      * Invoked when we try to get an arbitrary {@code FileAttributeView} class. Such a class can modify attributes, like owner etc.;
      * we could think about introducing checks for each of the operations, but for now we over-approximate this and simply deny when it is