
Commit a63cc7a

committed
More missing policies
1 parent 3774f2c commit a63cc7a


5 files changed

+49
-33
lines changed


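--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -150,7 +150,12 @@ private static PolicyManager createPolicyManager() {
 "org.elasticsearch.base",
 List.of(
 new CreateClassLoaderEntitlement(),
-new FilesEntitlement(List.of(FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)))
+new FilesEntitlement(
+List.of(
+FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
+FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
+)
+)
 )
 ),
 new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
@@ -165,34 +170,32 @@ private static PolicyManager createPolicyManager() {
 new LoadNativeLibrariesEntitlement(),
 new ManageThreadsEntitlement(),
 new FilesEntitlement(
-Stream.concat(
-Stream.of(
-// Base ES directories
-FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
-FileData.ofPath(bootstrapArgs.configDir(), READ),
-FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
-FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE),
-
-// OS release on Linux
-FileData.ofPath(Path.of("/etc/os-release"), READ),
-FileData.ofPath(Path.of("/etc/system-release"), READ),
-FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
-// read max virtual memory areas
-FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
-FileData.ofPath(Path.of("/proc/meminfo"), READ),
-// load averages on Linux
-FileData.ofPath(Path.of("/proc/loadavg"), READ),
-// control group stats on Linux. cgroup v2 stats are in an unpredicable
-// location under `/sys/fs/cgroup`, so unfortunately we have to allow
-// read access to the entire directory hierarchy.
-FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
-FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
-// // io stats on Linux
-FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
-FileData.ofPath(Path.of("/proc/diskstats"), READ)
-),
-getRepositoryFileData(bootstrapArgs)
-).toList()
+List.of(
+// Base ES directories
+FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
+FileData.ofPath(bootstrapArgs.configDir(), READ),
+FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
+FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE),
+FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
+
+// OS release on Linux
+FileData.ofPath(Path.of("/etc/os-release"), READ),
+FileData.ofPath(Path.of("/etc/system-release"), READ),
+FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
+// read max virtual memory areas
+FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
+FileData.ofPath(Path.of("/proc/meminfo"), READ),
+// load averages on Linux
+FileData.ofPath(Path.of("/proc/loadavg"), READ),
+// control group stats on Linux. cgroup v2 stats are in an unpredicable
+// location under `/sys/fs/cgroup`, so unfortunately we have to allow
+// read access to the entire directory hierarchy.
+FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
+FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
+// // io stats on Linux
+FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
+FileData.ofPath(Path.of("/proc/diskstats"), READ)
+)
 )
 )
 ),
@@ -250,10 +253,6 @@ private static PolicyManager createPolicyManager() {
 );
 }
 
-private static Stream<FileData> getRepositoryFileData(EntitlementBootstrap.BootstrapArgs bootstrapArgs) {
-return Stream.of(FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE));
-}
-
 private static Path getUserHome() {
 String userHome = System.getProperty("user.home");
 if (userHome == null) {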
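Review bot: The first hunk gives `org.elasticsearch.base` READ_WRITE on the repository root through `FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE)` without a comment naming the code path in that module that needs it, so a later reader cannot tell whether write access, or the whole root, is actually required. A line such as `// repository root: needed by <caller in org.elasticsearch.base>; write access because <reason>` above the entry would record that. The same expression is repeated in the server scope in the second hunk now that `getRepositoryFileData` is removed; a single local, `var repoRoot = bootstrapArgs.repoDirResolver().apply("");`, would keep the two grants in step. What `apply("")` returns when no repository path is configured is not visible here, so it is worth confirming that `FileData.ofPath` never receives null. `createPolicyManager` starts and ends outside these hunks.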
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
org.elasticsearch.analysis.common:
2+
- files:
3+
- relative_path: analysis
4+
relative_to: config
5+
mode: read
Lines changed: 4 additions & 0 deletions
@@ -1,3 +1,7 @@
11
ALL-UNNAMED:
22
- manage_threads
33
- outbound_network
4+
- files:
5+
- relative_path: ""
6+
relative_to: config
7+
mode: read
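Review bot: `relative_path: ""` with `relative_to: config` lets every unnamed module covered by `ALL-UNNAMED` read the entire config directory, which usually also holds the keystore and TLS key files, not only the files this plugin needs. If the plugin reads from a known subdirectory, name it the way the `org.elasticsearch.analysis.common` policy in this commit does with `relative_path: analysis`. The `org.elasticsearch.analysis.icu` policy added in the next file section carries the same whole-directory grant; if its rule files can really sit anywhere under config, a YAML comment saying so would justify the breadth.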
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
org.elasticsearch.analysis.icu:
2+
- files:
3+
- relative_path: ""
4+
relative_to: config
5+
mode: read

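--- a/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml
@@ -3,3 +3,6 @@ org.elasticsearch.searchablesnapshots:
 - relative_path: snapshot_cache
 relative_to: data
 mode: read_write
+- relative_path: indices
+relative_to: data
+mode: read_write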
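Review bot: The added entry gives `org.elasticsearch.searchablesnapshots` `read_write` on `indices` under the data directory, presumably a much wider tree than its existing `snapshot_cache` grant, and the policy file does not say which operation needs it. A comment above the entry, e.g. `# <operation that writes under indices>`, would make the grant reviewable. If the module only reads there, `mode: read` is the narrower choice.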
