[Entitlements] Enable native access based on policies (#120638) (#120770)

Author: ldematte

benchmarks/src/main/java/org/elasticsearch/benchmark/script/ScriptScoreBenchmark.java

@@ -78,7 +78,7 @@ public class ScriptScoreBenchmark {
     private final PluginsService pluginsService = new PluginsService(
         Settings.EMPTY,
         null,
-        PluginsLoader.createPluginsLoader(Set.of(), PluginsLoader.loadPluginsBundles(Path.of(System.getProperty("plugins.dir"))))
+        PluginsLoader.createPluginsLoader(Set.of(), PluginsLoader.loadPluginsBundles(Path.of(System.getProperty("plugins.dir"))), Map.of())
     );
     private final ScriptModule scriptModule = new ScriptModule(Settings.EMPTY, pluginsService.filterPlugins(ScriptPlugin.class).toList());
 

distribution/tools/server-cli/src/main/java/org/elasticsearch/server/cli/SystemJvmOptions.java

@@ -18,6 +18,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Stream;
@@ -69,7 +70,7 @@ static List<String> systemJvmOptions(Settings nodeSettings, final Map<String, St
                 // Pass through distribution type
                 "-Des.distribution.type=" + distroType
             ),
-            maybeEnableNativeAccess(),
+            maybeEnableNativeAccess(useEntitlements),
             maybeOverrideDockerCgroup(distroType),
             maybeSetActiveProcessorCount(nodeSettings),
             maybeSetReplayFile(distroType, isHotspot),
@@ -134,11 +135,18 @@ private static Stream<String> maybeSetActiveProcessorCount(Settings nodeSettings
         return Stream.empty();
     }
 
-    private static Stream<String> maybeEnableNativeAccess() {
+    private static Stream<String> maybeEnableNativeAccess(boolean useEntitlements) {
+        var enableNativeAccessOptions = new ArrayList<String>();
         if (Runtime.version().feature() >= 21) {
-            return Stream.of("--enable-native-access=org.elasticsearch.nativeaccess,org.apache.lucene.core");
+            enableNativeAccessOptions.add("--enable-native-access=org.elasticsearch.nativeaccess,org.apache.lucene.core");
+            if (useEntitlements) {
+                enableNativeAccessOptions.add("--enable-native-access=ALL-UNNAMED");
+                if (Runtime.version().feature() >= 24) {
+                    enableNativeAccessOptions.add("--illegal-native-access=deny");
+                }
+            }
         }
-        return Stream.empty();
+        return enableNativeAccessOptions.stream();
     }
 
     /*

libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java

@@ -182,13 +182,6 @@ public void checkChangeNetworkHandling(Class<?> callerClass) {
         checkChangeJVMGlobalState(callerClass);
     }
 
-    /**
-     * Check for operations that can access sensitive network information, e.g. secrets, tokens or SSL sessions
-     */
-    public void checkReadSensitiveNetworkInformation(Class<?> callerClass) {
-        neverEntitled(callerClass, "access sensitive network information");
-    }
-
     /**
      * Check for operations that can access sensitive network information, e.g. secrets, tokens or SSL sessions
      */

libs/native/src/main/java/org/elasticsearch/nativeaccess/NativeAccessUtil.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.nativeaccess;
+
+public class NativeAccessUtil {
+    /**
+     * Enables native access for the provided module. No-op for JDK 21 or before.
+     */
+    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {}
+
+    public static boolean isNativeAccessEnabled(Module module) {
+        return true;
+    }
+}

libs/native/src/main22/java/org/elasticsearch/nativeaccess/NativeAccessUtil.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.nativeaccess;
+
+public class NativeAccessUtil {
+    /**
+     * Enables native access for the provided module. Available to JDK 22+, required for JDK 24+ when using --illegal-native-access=deny
+     */
+    public static void enableNativeAccess(ModuleLayer.Controller controller, Module module) {
+        controller.enableNativeAccess(module);
+    }
+
+    public static boolean isNativeAccessEnabled(Module module) {
+        return module.isNativeAccessEnabled();
+    }
+}

server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java

@@ -32,6 +32,8 @@
 import org.elasticsearch.core.IOUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
+import org.elasticsearch.entitlement.runtime.policy.LoadNativeLibrariesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.Policy;
 import org.elasticsearch.entitlement.runtime.policy.PolicyParserUtils;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexVersion;
@@ -55,8 +57,12 @@
 import java.security.Permission;
 import java.security.Security;
 import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Stream;
@@ -213,24 +219,27 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
         // load the plugin Java modules and layers now for use in entitlements
         var modulesBundles = PluginsLoader.loadModulesBundles(nodeEnv.modulesFile());
         var pluginsBundles = PluginsLoader.loadPluginsBundles(nodeEnv.pluginsFile());
-        var pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles);
-        bootstrap.setPluginsLoader(pluginsLoader);
+
+        final PluginsLoader pluginsLoader;
 
         if (bootstrap.useEntitlements()) {
             LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements");
 
             var pluginData = Stream.concat(
-                pluginsLoader.moduleBundles()
-                    .stream()
+                modulesBundles.stream()
                     .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)),
-                pluginsLoader.pluginBundles()
-                    .stream()
+                pluginsBundles.stream()
                     .map(bundle -> new PolicyParserUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
             ).toList();
             var pluginPolicies = PolicyParserUtils.createPluginPolicies(pluginData);
+
+            pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));
+
             var pluginsResolver = PluginsResolver.create(pluginsLoader);
             EntitlementBootstrap.bootstrap(pluginPolicies, pluginsResolver::resolveClassToPluginName);
         } else if (RuntimeVersionFeature.isSecurityManagerAvailable()) {
+            // no need to explicitly enable native access for legacy code
+            pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, Map.of());
             // install SM after natives, shutdown hooks, etc.
             LogManager.getLogger(Elasticsearch.class).info("Bootstrapping java SecurityManager");
             org.elasticsearch.bootstrap.Security.configure(
@@ -239,8 +248,12 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
                 args.pidFile()
             );
         } else {
+            // TODO: should we throw/interrupt startup in this case?
+            pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, Map.of());
             LogManager.getLogger(Elasticsearch.class).warn("Bootstrapping without any protection");
         }
+
+        bootstrap.setPluginsLoader(pluginsLoader);
     }
 
     private static void ensureInitialized(Class<?>... classes) {
@@ -461,6 +474,19 @@ private static Environment createEnvironment(Path configDir, Settings initialSet
         return new Environment(builder.build(), configDir);
     }
 
+    static Map<String, Set<String>> findPluginsWithNativeAccess(Map<String, Policy> policies) {
+        Map<String, Set<String>> pluginsWithNativeAccess = new HashMap<>();
+        for (var kv : policies.entrySet()) {
+            for (var scope : kv.getValue().scopes()) {
+                if (scope.entitlements().stream().anyMatch(entitlement -> entitlement instanceof LoadNativeLibrariesEntitlement)) {
+                    var modulesToEnable = pluginsWithNativeAccess.computeIfAbsent(kv.getKey(), k -> new HashSet<>());
+                    modulesToEnable.add(scope.moduleName());
+                }
+            }
+        }
+        return pluginsWithNativeAccess;
+    }
+
     // -- instance
 
     private static volatile Elasticsearch INSTANCE;

server/src/main/java/org/elasticsearch/plugins/PluginsLoader.java

@@ -11,10 +11,12 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.elasticsearch.common.Strings;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.jdk.JarHell;
 import org.elasticsearch.jdk.ModuleQualifiedExportsService;
+import org.elasticsearch.nativeaccess.NativeAccessUtil;
 
 import java.io.IOException;
 import java.lang.ModuleLayer.Controller;
@@ -173,21 +175,32 @@ public static Set<PluginBundle> loadPluginsBundles(Path pluginsDirectory) {
     /**
      * Constructs a new PluginsLoader
      *
-     * @param modules           The set of module bundles present on the filesystem
-     * @param plugins           The set of plugin bundles present on the filesystem
+     * @param modules The set of module bundles present on the filesystem
+     * @param plugins The set of plugin bundles present on the filesystem
+     * @param pluginsWithNativeAccess A map plugin name -> set of module names for which we want to enable native access
      */
-    public static PluginsLoader createPluginsLoader(Set<PluginBundle> modules, Set<PluginBundle> plugins) {
-        return createPluginsLoader(modules, plugins, true);
+    public static PluginsLoader createPluginsLoader(
+        Set<PluginBundle> modules,
+        Set<PluginBundle> plugins,
+        Map<String, Set<String>> pluginsWithNativeAccess
+    ) {
+        return createPluginsLoader(modules, plugins, pluginsWithNativeAccess, true);
     }
 
     /**
      * Constructs a new PluginsLoader
      *
-     * @param modules           The set of module bundles present on the filesystem
-     * @param plugins           The set of plugin bundles present on the filesystem
+     * @param modules The set of module bundles present on the filesystem
+     * @param plugins The set of plugin bundles present on the filesystem
+     * @param pluginsWithNativeAccess A map plugin name -> set of module names for which we want to enable native access
      * @param withServerExports {@code true} to add server module exports
      */
-    public static PluginsLoader createPluginsLoader(Set<PluginBundle> modules, Set<PluginBundle> plugins, boolean withServerExports) {
+    public static PluginsLoader createPluginsLoader(
+        Set<PluginBundle> modules,
+        Set<PluginBundle> plugins,
+        Map<String, Set<String>> pluginsWithNativeAccess,
+        boolean withServerExports
+    ) {
         Map<String, List<ModuleQualifiedExportsService>> qualifiedExports;
         if (withServerExports) {
             qualifiedExports = new HashMap<>(ModuleQualifiedExportsService.getBootServices());
@@ -207,7 +220,8 @@ public static PluginsLoader createPluginsLoader(Set<PluginBundle> modules, Set<P
             Set<URL> systemLoaderURLs = JarHell.parseModulesAndClassPath();
             for (PluginBundle bundle : sortedBundles) {
                 PluginsUtils.checkBundleJarHell(systemLoaderURLs, bundle, transitiveUrls);
-                loadPluginLayer(bundle, loadedPluginLayers, qualifiedExports);
+                var modulesWithNativeAccess = pluginsWithNativeAccess.getOrDefault(bundle.plugin.getName(), Set.of());
+                loadPluginLayer(bundle, loadedPluginLayers, qualifiedExports, modulesWithNativeAccess);
             }
         }
 
@@ -245,7 +259,8 @@ public Set<PluginBundle> pluginBundles() {
     private static void loadPluginLayer(
         PluginBundle bundle,
         Map<String, LoadedPluginLayer> loaded,
-        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports
+        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports,
+        Set<String> modulesWithNativeAccess
     ) {
         String name = bundle.plugin.getName();
         logger.debug(() -> "Loading bundle: " + name);
@@ -276,7 +291,8 @@ private static void loadPluginLayer(
             pluginParentLoader,
             extendedPlugins,
             spiLayerAndLoader,
-            qualifiedExports
+            qualifiedExports,
+            modulesWithNativeAccess
         );
         final ClassLoader pluginClassLoader = pluginLayerAndLoader.loader();
 
@@ -323,7 +339,8 @@ private static LayerAndLoader createPluginLayerAndLoader(
         ClassLoader pluginParentLoader,
         List<LoadedPluginLayer> extendedPlugins,
         LayerAndLoader spiLayerAndLoader,
-        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports
+        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports,
+        Set<String> modulesWithNativeAccess
     ) {
         final PluginDescriptor plugin = bundle.plugin;
         if (plugin.getModuleName().isPresent()) {
@@ -332,7 +349,7 @@ private static LayerAndLoader createPluginLayerAndLoader(
                 Stream.ofNullable(spiLayerAndLoader != null ? spiLayerAndLoader.layer() : null),
                 extendedPlugins.stream().map(LoadedPluginLayer::spiModuleLayer)
             ).toList();
-            return createPluginModuleLayer(bundle, pluginParentLoader, parentLayers, qualifiedExports);
+            return createPluginModuleLayer(bundle, pluginParentLoader, parentLayers, qualifiedExports, modulesWithNativeAccess);
         } else if (plugin.isStable()) {
             logger.debug(() -> "Loading bundle: " + plugin.getName() + ", non-modular as synthetic module");
             return LayerAndLoader.ofUberModuleLoader(
@@ -341,7 +358,8 @@ private static LayerAndLoader createPluginLayerAndLoader(
                     ModuleLayer.boot(),
                     "synthetic." + toModuleName(plugin.getName()),
                     bundle.allUrls,
-                    Set.of("org.elasticsearch.server") // TODO: instead of denying server, allow only jvm + stable API modules
+                    Set.of("org.elasticsearch.server"), // TODO: instead of denying server, allow only jvm + stable API modules
+                    modulesWithNativeAccess
                 )
             );
         } else {
@@ -363,15 +381,17 @@ static LayerAndLoader createSpiModuleLayer(
             urlsToPaths(urls),
             parentLoader,
             parentLayers,
-            qualifiedExports
+            qualifiedExports,
+            Set.of()
         );
     }
 
     static LayerAndLoader createPluginModuleLayer(
         PluginBundle bundle,
         ClassLoader parentLoader,
         List<ModuleLayer> parentLayers,
-        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports
+        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports,
+        Set<String> modulesWithNativeAccess
     ) {
         assert bundle.plugin.getModuleName().isPresent();
         return createModuleLayer(
@@ -380,7 +400,8 @@ static LayerAndLoader createPluginModuleLayer(
             urlsToPaths(bundle.urls),
             parentLoader,
             parentLayers,
-            qualifiedExports
+            qualifiedExports,
+            modulesWithNativeAccess
         );
     }
 
@@ -390,7 +411,8 @@ static LayerAndLoader createModuleLayer(
         Path[] paths,
         ClassLoader parentLoader,
         List<ModuleLayer> parentLayers,
-        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports
+        Map<String, List<ModuleQualifiedExportsService>> qualifiedExports,
+        Set<String> modulesWithNativeAccess
     ) {
         logger.debug(() -> "Loading bundle: creating module layer and loader for module " + moduleName);
         var finder = ModuleFinder.of(paths);
@@ -408,6 +430,7 @@ static LayerAndLoader createModuleLayer(
         exposeQualifiedExportsAndOpens(pluginModule, qualifiedExports);
         // configure qualified exports/opens to other modules/plugins
         addPluginExportsServices(qualifiedExports, controller);
+        enableNativeAccess(moduleName, modulesWithNativeAccess, controller);
         logger.debug(() -> "Loading bundle: created module layer and loader for module " + moduleName);
         return new LayerAndLoader(controller.layer(), privilegedFindLoader(controller.layer(), moduleName));
     }
@@ -518,4 +541,18 @@ protected void addOpens(String pkg, Module target) {
             addExportsService(qualifiedExports, exportsService, module.getName());
         }
     }
+
+    private static void enableNativeAccess(String mainModuleName, Set<String> modulesWithNativeAccess, Controller controller) {
+        for (var moduleName : modulesWithNativeAccess) {
+            var module = controller.layer().findModule(moduleName);
+            module.ifPresentOrElse(m -> NativeAccessUtil.enableNativeAccess(controller, m), () -> {
+                assert false
+                    : Strings.format(
+                        "Native access not enabled for module [%s]: not a valid module name in layer [%s]",
+                        moduleName,
+                        mainModuleName
+                    );
+            });
+        }
+    }
 }