fix forbidden

rjernst · rjernst · commit f4ebc5aa4313 · 2025-10-30T20:32:25.000-07:00
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -32,7 +32,6 @@
 import org.elasticsearch.core.AbstractRefCounted;
 import org.elasticsearch.core.CheckedConsumer;
 import org.elasticsearch.core.IOUtils;
-import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
 import org.elasticsearch.entitlement.runtime.api.NotEntitledException;
@@ -483,16 +482,7 @@ static void initializeNatives(final Path tmpFile, final boolean mlockAll, final
         }
 
         if (IOUtils.LINUX) {
-            // The coredump filter determines which types of memory are added to core dumps. By default, Java
-            // includes memory mapped files, bits 2 and 3. Here we disable those bits. Note that the VM
-            // has special options to disable these, but the filter is then inherited from the parent process
-            // which is the server CLI, which is also a JVM so it has these bits set. Thus, we set it explicitly.
-            // See https://man7.org/linux/man-pages/man5/core.5.html for more info on the relevant bits of the filter
-            try {
-                Files.writeString(PathUtils.get("/proc/self/coredump_filter"), "0x23");
-            } catch (IOException e) {
-                throw new RuntimeException("Could not set coredump filter", e);
-            }
+            setCoredumpFilter();
         }
 
         // init lucene random seed. it will use /dev/urandom where available:
@@ -609,6 +599,20 @@ static Map<String, Set<String>> findPluginsWithNativeAccess(Map<String, Policy>
         return pluginsWithNativeAccess;
     }
 
+    @SuppressForbidden(reason = "access proc filesystem")
+    private static void setCoredumpFilter() {
+        // The coredump filter determines which types of memory are added to core dumps. By default, Java
+        // includes memory mapped files, bits 2 and 3. Here we disable those bits. Note that the VM
+        // has special options to disable these, but the filter is then inherited from the parent process
+        // which is the server CLI, which is also a JVM so it has these bits set. Thus, we set it explicitly.
+        // See https://man7.org/linux/man-pages/man5/core.5.html for more info on the relevant bits of the filter
+        try {
+            Files.writeString(Path.of("/proc/self/coredump_filter"), "0x23");
+        } catch (IOException e) {
+            throw new RuntimeException("Could not set coredump filter", e);
+        }
+    }
+
     // -- instance
 
     private static volatile Elasticsearch INSTANCE;
