Add pidfile access for server

Server may have a pid file specified which needs write access.

Author: rjernst

libs/entitlement/src/main/java/org/elasticsearch/entitlement/bootstrap/EntitlementBootstrap.java

@@ -44,7 +44,8 @@ public record BootstrapArgs(
         Path configDir,
         Path libDir,
         Path logsDir,
-        Path tempDir
+        Path tempDir,
+        Path pidFile
     ) {
         public BootstrapArgs {
             requireNonNull(pluginPolicies);
@@ -83,6 +84,7 @@ public static BootstrapArgs bootstrapArgs() {
      * @param libDir         the lib directory for Elasticsearch
      * @param tempDir        the temp directory for Elasticsearch
      * @param logsDir        the log directory for Elasticsearch
+     * @param pidFile        path to a pid file for Elasticsearch, or {@code null} if one was not specified
      */
     public static void bootstrap(
         Map<String, Policy> pluginPolicies,
@@ -94,7 +96,8 @@ public static void bootstrap(
         Path configDir,
         Path libDir,
         Path logsDir,
-        Path tempDir
+        Path tempDir,
+        Path pidFile
     ) {
         logger.debug("Loading entitlement agent");
         if (EntitlementBootstrap.bootstrapArgs != null) {
@@ -110,7 +113,8 @@ public static void bootstrap(
             configDir,
             libDir,
             logsDir,
-            tempDir
+            tempDir,
+            pidFile
         );
         exportInitializationToAgent();
         loadAgent(findAgentJar());

libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java

@@ -147,6 +147,37 @@ private static PolicyManager createPolicyManager() {
         );
 
         List<Scope> serverScopes = new ArrayList<>();
+        List<FileData> serverModuleFileDatas = new ArrayList<>();
+        Collections.addAll(
+            serverModuleFileDatas,
+            // Base ES directories
+            FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
+            FileData.ofPath(bootstrapArgs.configDir(), READ),
+            FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
+            FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE),
+            FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
+
+            // OS release on Linux
+            FileData.ofPath(Path.of("/etc/os-release"), READ),
+            FileData.ofPath(Path.of("/etc/system-release"), READ),
+            FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
+            // read max virtual memory areas
+            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
+            FileData.ofPath(Path.of("/proc/meminfo"), READ),
+            // load averages on Linux
+            FileData.ofPath(Path.of("/proc/loadavg"), READ),
+            // control group stats on Linux. cgroup v2 stats are in an unpredicable
+            // location under `/sys/fs/cgroup`, so unfortunately we have to allow
+            // read access to the entire directory hierarchy.
+            FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
+            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
+            // // io stats on Linux
+            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
+            FileData.ofPath(Path.of("/proc/diskstats"), READ)
+        );
+        if (bootstrapArgs.pidFile() != null) {
+            serverModuleFileDatas.add(FileData.ofPath(bootstrapArgs.pidFile(), READ_WRITE));
+        }
         Collections.addAll(
             serverScopes,
             new Scope(
@@ -172,34 +203,7 @@ private static PolicyManager createPolicyManager() {
                     new OutboundNetworkEntitlement(),
                     new LoadNativeLibrariesEntitlement(),
                     new ManageThreadsEntitlement(),
-                    new FilesEntitlement(
-                        List.of(
-                            // Base ES directories
-                            FileData.ofPath(bootstrapArgs.tempDir(), READ_WRITE),
-                            FileData.ofPath(bootstrapArgs.configDir(), READ),
-                            FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
-                            FileData.ofRelativePath(Path.of(""), DATA, READ_WRITE),
-                            FileData.ofRelativePath(Path.of(""), SHARED_REPO, READ_WRITE),
-
-                            // OS release on Linux
-                            FileData.ofPath(Path.of("/etc/os-release"), READ),
-                            FileData.ofPath(Path.of("/etc/system-release"), READ),
-                            FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
-                            // read max virtual memory areas
-                            FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
-                            FileData.ofPath(Path.of("/proc/meminfo"), READ),
-                            // load averages on Linux
-                            FileData.ofPath(Path.of("/proc/loadavg"), READ),
-                            // control group stats on Linux. cgroup v2 stats are in an unpredicable
-                            // location under `/sys/fs/cgroup`, so unfortunately we have to allow
-                            // read access to the entire directory hierarchy.
-                            FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
-                            FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
-                            // // io stats on Linux
-                            FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
-                            FileData.ofPath(Path.of("/proc/diskstats"), READ)
-                        )
-                    )
+                    new FilesEntitlement(serverModuleFileDatas)
                 )
             ),
             new Scope("org.apache.httpcomponents.httpclient", List.of(new OutboundNetworkEntitlement())),