Security policies

n1v0lg · n1v0lg · commit bc28f1657c17 · 2025-02-25T16:33:29.000+01:00
diff --git a/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy b/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy
@@ -12,6 +12,7 @@ grant {
   permission java.net.SocketPermission "*", "connect";
   // io.netty.util.concurrent.GlobalEventExecutor.startThread
   permission java.lang.RuntimePermission "setContextClassLoader";
+  permission java.lang.RuntimePermission "getClassLoader";
   // Used by jackson bean deserialization
   permission java.lang.RuntimePermission "accessDeclaredMembers";
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -16,10 +16,18 @@ grant codeBase "${codebase.netty-common}" {
 
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "setContextClassLoader";
+
+   // Netty also gets the classloader for some of its internal threads
+   permission java.lang.RuntimePermission "getClassLoader";
 };
 
 grant codeBase "${codebase.netty-transport}" {
    // Netty NioEventLoop wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
    // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
    permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";
 };
+
+grant {
+   // Netty also gets the classloader for some of its internal threads
+   permission java.lang.RuntimePermission "getClassLoader";
+}
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -76,7 +76,7 @@ grant codeBase "${codebase.elasticsearch-simdvec}" {
 //// Everything else:
 
 grant {
-  permission java.lang.RuntimePermission "getClassLoader";
+  // permission java.lang.RuntimePermission "getClassLoader";
 
   // needed by vendored Guice
   permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation";
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -122,6 +122,7 @@ grant codeBase "${codebase.netty-common}" {
    permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "setContextClassLoader";
+   permission java.lang.RuntimePermission "getClassLoader";
    permission java.net.SocketPermission "*", "accept,connect";
 };
 
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy
@@ -48,6 +48,7 @@ grant codeBase "${codebase.netty-common}" {
    permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "setContextClassLoader";
+   permission java.lang.RuntimePermission "getClassLoader";
 };
 
 grant codeBase "${codebase.netty-transport}" {
