Plugins policies

Author: ldematte

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -138,7 +138,16 @@ private static PolicyManager createPolicyManager() {
         var serverPolicy = new Policy(
             "server",
             List.of(
-                new Scope("org.elasticsearch.base", List.of(new CreateClassLoaderEntitlement())),
+                new Scope("org.elasticsearch.base",
+                    List.of(
+                        new CreateClassLoaderEntitlement(),
+                        new FilesEntitlement(
+                            List.of(
+                                FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
+                            )
+                        )
+                    )
+                ),
                 new Scope("org.elasticsearch.xcontent", List.of(new CreateClassLoaderEntitlement())),
                 new Scope(
                     "org.elasticsearch.server",
@@ -175,6 +184,8 @@ private static PolicyManager createPolicyManager() {
                                 // // io stats on Linux
                                 FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
                                 FileData.ofPath(Path.of("/proc/diskstats"), READ)
+
+                                //TODO: use FileData.ofPathSetting("repositories.fs.location", READ_WRITE)
                             )
                         )
                     )
@@ -189,6 +200,17 @@ private static PolicyManager createPolicyManager() {
                         new FilesEntitlement(
                             List.of(
                                 FileData.ofPath(bootstrapArgs.configDir(), READ),
+                                FileData.ofPath(bootstrapArgs.tempDir(), READ),
+                                FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
+                            )
+                        )
+                    )
+                ),
+                new Scope(
+                    "org.apache.lucene.misc",
+                    List.of(
+                        new FilesEntitlement(
+                            List.of(
                                 FileData.ofRelativePath(Path.of(""), FilesEntitlement.BaseDir.DATA, READ_WRITE)
                             )
                         )

modules/ingest-geoip/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,5 @@
+org.elasticsearch.ingest.geoip:
+  - files:
+      - relative_path: "ingest-geoip"
+        relative_to: config
+        mode: read

modules/ingest-user-agent/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,5 @@
+org.elasticsearch.ingest.useragent:
+  - files:
+      - relative_path: ingest-user-agent
+        relative_to: config
+        mode: read

x-pack/plugin/blob-cache/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,5 @@
+org.elasticsearch.blobcache:
+  - files:
+      - relative_path: ""
+        relative_to: data
+        mode: read_write

x-pack/plugin/core/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,3 +1,13 @@
+org.elasticsearch.xcore:
+  - files:
+    - relative_path: ""
+      relative_to: config
+      mode: read
+org.elasticsearch.sslconfig:
+  - files:
+    - relative_path: ""
+      relative_to: config
+      mode: read
 org.apache.httpcomponents.httpclient:
   - outbound_network # For SamlRealm
   - manage_threads

x-pack/plugin/searchable-snapshots/src/main/plugin-metadata/entitlement-policy.yaml

@@ -0,0 +1,5 @@
+org.elasticsearch.searchablesnapshots:
+  - files:
+      - relative_path: snapshot_cache
+        relative_to: data
+        mode: read_write

x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml

@@ -1,5 +1,9 @@
 org.elasticsearch.security:
   - set_https_connection_properties # for CommandLineHttpClient
+  - files:
+      - relative_path: ""
+        relative_to: config
+        mode: read
 io.netty.transport:
   - manage_threads
   - inbound_network