From 203af5865dec6592de00cdf8f790f76cf8da4385 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Wed, 12 Feb 2025 14:13:23 +0100 Subject: [PATCH 01/12] Upgrade to Netty 4.1.118.Final --- build-tools-internal/version.properties | 2 +- gradle/verification-metadata.xml | 70 +++++++++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) diff --git a/build-tools-internal/version.properties b/build-tools-internal/version.properties index a0c663b19a0c6..7a86706257690 100644 --- a/build-tools-internal/version.properties +++ b/build-tools-internal/version.properties @@ -14,7 +14,7 @@ log4j = 2.19.0 slf4j = 2.0.6 ecsLogging = 1.2.0 jna = 5.12.1 -netty = 4.1.115.Final +netty = 4.1.118.Final commons_lang3 = 3.9 google_oauth_client = 1.34.1 awsv1sdk = 1.12.270 diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 64efd8e439df1..060daea30c953 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -1426,6 +1426,11 @@ + + + + + @@ -1436,6 +1441,11 @@ + + + + + @@ -1446,26 +1456,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1476,6 +1511,11 @@ + + + + + @@ -1486,11 +1526,21 @@ + + + + + + + + + + @@ -1501,11 +1551,21 @@ + + + + + + + + + + @@ -1516,6 +1576,11 @@ + + + + + @@ -1526,6 +1591,11 @@ + + + + + From 2ead335b7a5c75133dd7a85694a4ccf95fb5a9d4 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Wed, 12 Feb 2025 16:03:27 +0100 Subject: [PATCH 02/12] Package tests check --- build-tools-internal/version.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-tools-internal/version.properties b/build-tools-internal/version.properties index 7a86706257690..a0c663b19a0c6 100644 --- a/build-tools-internal/version.properties +++ b/build-tools-internal/version.properties @@ -14,7 +14,7 @@ log4j = 2.19.0 slf4j = 2.0.6 ecsLogging = 1.2.0 jna = 5.12.1 -netty = 4.1.118.Final +netty = 4.1.115.Final commons_lang3 = 3.9 google_oauth_client = 1.34.1 awsv1sdk = 1.12.270 
From 9d6610ba7708d98d0bb7dd829bb518b4dc84fb25 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Wed, 12 Feb 2025 16:58:22 +0100 Subject: [PATCH 03/12] Failures unrelated --- build-tools-internal/version.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-tools-internal/version.properties b/build-tools-internal/version.properties index a0c663b19a0c6..7a86706257690 100644 --- a/build-tools-internal/version.properties +++ b/build-tools-internal/version.properties @@ -14,7 +14,7 @@ log4j = 2.19.0 slf4j = 2.0.6 ecsLogging = 1.2.0 jna = 5.12.1 -netty = 4.1.115.Final +netty = 4.1.118.Final commons_lang3 = 3.9 google_oauth_client = 1.34.1 awsv1sdk = 1.12.270 From 028f1b1b8ca9073f7236e57806aed862b47519e6 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Fri, 14 Feb 2025 12:00:59 +0100 Subject: [PATCH 04/12] More logging in packaging tests --- .../java/org/elasticsearch/packaging/util/ServerUtils.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index ea71308b11940..2b1ee52aebacc 100644 --- a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java 
@@ -158,15 +158,18 @@ private static void waitForXpack(Installation installation) { int retries = 60; while (retries > 0) { retries -= 1; - try (Socket s = new Socket(InetAddress.getLoopbackAddress(), installation.port)) { + try (Socket ignored = new Socket(InetAddress.getLoopbackAddress(), installation.port)) { + logger.info("Connection established on retry {}", 60 - retries); return; } catch (IOException e) { // ignore, only want to establish a connection + logger.error("IOException while trying to connect to Elasticsearch", e); } try { Thread.sleep(2000); } catch (InterruptedException interrupted) { + logger.error("Interrupted!"); Thread.currentThread().interrupt(); return; } @@ -175,6 +178,8 @@ private static void waitForXpack(Installation installation) { FileUtils.logAllLogs(installation.logs, logger); } + logger.error("Elasticsearch (with x-pack) did not start"); + throw new RuntimeException("Elasticsearch (with x-pack) did not start"); } From f92fd6f7fe2d4898c684ec286f419a4bb8d0cdbf Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Fri, 14 Feb 2025 13:07:08 +0100 Subject: [PATCH 05/12] More --- .../java/org/elasticsearch/packaging/util/ServerUtils.java | 3 +++ 1 file changed, 3 insertions(+) diff --git a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index 2b1ee52aebacc..19b47495f301b 100644 --- a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java 
@@ -160,6 +160,9 @@ private static void waitForXpack(Installation installation) { retries -= 1; try (Socket ignored = new Socket(InetAddress.getLoopbackAddress(), installation.port)) { logger.info("Connection established on retry {}", 60 - retries); + if (installation != null) { + FileUtils.logAllLogs(installation.logs, logger); + } return; } catch (IOException e) { // ignore, only want to establish a connection From 9c3bc7628a88c9d2563147c2944f79177f1fcc9b Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Fri, 14 Feb 2025 13:20:35 +0100 Subject: [PATCH 06/12] Increase timeout --- .../src/test/java/org/elasticsearch/packaging/util/Shell.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java index 42348b1fe2644..15dbb36c66cdb 100644 --- a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java +++ b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java @@ -171,7 +171,7 @@ private Result runScriptIgnoreExitCode(String[] command) { try { Process process = builder.start(); - if (process.waitFor(10, TimeUnit.MINUTES) == false) { + if (process.waitFor(20, TimeUnit.MINUTES) == false) { if (process.isAlive()) { process.destroyForcibly(); } From 2f3bbaab5b8219cd2fefb29c4139076bcba4ed47 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Fri, 14 Feb 2025 16:04:20 +0100 Subject: [PATCH 07/12] Why security manager why --- .../org/elasticsearch/packaging/util/ServerUtils.java | 10 +--------- .../java/org/elasticsearch/packaging/util/Shell.java | 2 +- .../org/elasticsearch/bootstrap/security.policy | 2 ++ 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java index 19b47495f301b..ea71308b11940 100644 
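Review bot: The `if (installation != null)` guard added inside the try block of ServerUtils.waitForXpack (PATCH 05/12) cannot be false when it runs, because `installation.port` is already dereferenced in the try-with-resources header on the line above. A null `installation` would throw a NullPointerException there, and `catch (IOException e)` does not handle it. Either drop the guard and call `FileUtils.logAllLogs(installation.logs, logger);` directly, or validate the argument once at the top of the method. waitForXpack starts and ends outside this hunk, so whether callers can pass null is not visible here.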
--- a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java +++ b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/ServerUtils.java @@ -158,21 +158,15 @@ private static void waitForXpack(Installation installation) { int retries = 60; while (retries > 0) { retries -= 1; - try (Socket ignored = new Socket(InetAddress.getLoopbackAddress(), installation.port)) { - logger.info("Connection established on retry {}", 60 - retries); - if (installation != null) { - FileUtils.logAllLogs(installation.logs, logger); - } + try (Socket s = new Socket(InetAddress.getLoopbackAddress(), installation.port)) { return; } catch (IOException e) { // ignore, only want to establish a connection - logger.error("IOException while trying to connect to Elasticsearch", e); } try { Thread.sleep(2000); } catch (InterruptedException interrupted) { - logger.error("Interrupted!"); Thread.currentThread().interrupt(); return; } @@ -181,8 +175,6 @@ private static void waitForXpack(Installation installation) { FileUtils.logAllLogs(installation.logs, logger); } - logger.error("Elasticsearch (with x-pack) did not start"); - throw new RuntimeException("Elasticsearch (with x-pack) did not start"); } diff --git a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java index 15dbb36c66cdb..42348b1fe2644 100644 --- a/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java +++ b/qa/packaging/src/test/java/org/elasticsearch/packaging/util/Shell.java @@ -171,7 +171,7 @@ private Result runScriptIgnoreExitCode(String[] command) { try { Process process = builder.start(); - if (process.waitFor(20, TimeUnit.MINUTES) == false) { + if (process.waitFor(10, TimeUnit.MINUTES) == false) { if (process.isAlive()) { process.destroyForcibly(); } 
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy index 55abdc84fc8fb..664412cca5894 100644 --- a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -76,6 +76,8 @@ grant codeBase "${codebase.elasticsearch-simdvec}" { //// Everything else: grant { + permission java.lang.RuntimePermission "getClassLoader"; + // needed by vendored Guice permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation"; From bc28f1657c1789affe5ea977c16d1db124a47cc9 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Tue, 25 Feb 2025 16:33:29 +0100 Subject: [PATCH 08/12] Security policies --- .../src/main/plugin-metadata/plugin-security.policy | 1 + .../src/main/plugin-metadata/plugin-security.policy | 8 ++++++++ .../resources/org/elasticsearch/bootstrap/security.policy | 2 +- .../org/elasticsearch/bootstrap/test-framework.policy | 1 + .../src/main/plugin-metadata/plugin-security.policy | 1 + 5 files changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy b/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy index 8a7c623597376..5ba18621d58ee 100644 --- a/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy +++ b/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy @@ -12,6 +12,7 @@ grant { permission java.net.SocketPermission "*", "connect"; // io.netty.util.concurrent.GlobalEventExecutor.startThread permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.lang.RuntimePermission "getClassLoader"; // Used by jackson bean deserialization permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; 
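Review bot: In the repository-azure plugin-security.policy hunk (PATCH 08/12) the new `getClassLoader` permission goes into the module-wide `grant {` block named in the hunk header, so every jar shipped in the module receives it. The transport-netty4, test-framework and x-pack security hunks of this same patch scope it to `${codebase.netty-common}` instead. If only Netty frames are on the stack when the permission is checked, prefer `grant codeBase "${codebase.netty-common}" { permission java.lang.RuntimePermission "getClassLoader"; };`. If frames from other jars are on the stack as well and the wider grant is required, record that in a comment next to the permission so the broader scope is a documented decision. The grant block starts and ends outside the hunk.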
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy index ed278af96d926..748645b39b78e 100644 --- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy +++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy @@ -16,6 +16,9 @@ grant codeBase "${codebase.netty-common}" { // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; + + // Netty also gets the classloader for some of its internal threads + permission java.lang.RuntimePermission "getClassLoader"; }; grant codeBase "${codebase.netty-transport}" { @@ -23,3 +26,8 @@ grant codeBase "${codebase.netty-transport}" { // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely! permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; }; + +grant { + // Netty also gets the classloader for some of its internal threads + permission java.lang.RuntimePermission "getClassLoader"; +} diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy index 664412cca5894..4911708b27c4f 100644 --- a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -76,7 +76,7 @@ grant codeBase "${codebase.elasticsearch-simdvec}" { //// Everything else: grant { - permission java.lang.RuntimePermission "getClassLoader"; + // permission java.lang.RuntimePermission "getClassLoader"; // needed by vendored Guice permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation"; 
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy index ada61c118ec3c..d2bab71cdf06d 100644 --- a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy +++ b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy @@ -122,6 +122,7 @@ grant codeBase "${codebase.netty-common}" { permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.lang.RuntimePermission "getClassLoader"; permission java.net.SocketPermission "*", "accept,connect"; }; diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index d814dfbb1c117..474b936f2a5c0 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -48,6 +48,7 @@ grant codeBase "${codebase.netty-common}" { permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; // Netty sets custom classloader for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.lang.RuntimePermission "getClassLoader"; }; grant codeBase "${codebase.netty-transport}" { From 3d954a90d184b8a09e837ff1b546a1d1c93783fb Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Tue, 25 Feb 2025 16:37:16 +0100 Subject: [PATCH 09/12] Clean up --- .../src/main/plugin-metadata/plugin-security.policy | 1 + .../src/main/plugin-metadata/plugin-security.policy | 9 +-------- 2 files changed, 2 insertions(+), 8 deletions(-) 
diff --git a/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy b/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy index 5ba18621d58ee..3aeeb6bde3914 100644 --- a/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy +++ b/modules/repository-azure/src/main/plugin-metadata/plugin-security.policy @@ -12,6 +12,7 @@ grant { permission java.net.SocketPermission "*", "connect"; // io.netty.util.concurrent.GlobalEventExecutor.startThread permission java.lang.RuntimePermission "setContextClassLoader"; + // io.netty.util.concurrent.GlobalEventExecutor.startThread permission java.lang.RuntimePermission "getClassLoader"; // Used by jackson bean deserialization permission java.lang.RuntimePermission "accessDeclaredMembers"; diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy index 748645b39b78e..dbf8e728c1606 100644 --- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy +++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy @@ -14,10 +14,8 @@ grant codeBase "${codebase.netty-common}" { // netty makes and accepts socket connections permission java.net.SocketPermission "*", "accept,connect"; - // Netty sets custom classloader for some of its internal threads + // Netty gets and sets classloaders for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; - - // Netty also gets the classloader for some of its internal threads permission java.lang.RuntimePermission "getClassLoader"; }; 
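Review bot: The merged comment `// Netty gets and sets classloaders for some of its internal threads` in the transport-netty4 policy hunk (PATCH 09/12) does not say which Netty code path needs `getClassLoader`, which makes the grant hard to re-evaluate on the next Netty upgrade. The repository-azure hunk of this same patch names `io.netty.util.concurrent.GlobalEventExecutor.startThread`. If that is also the caller here, use the same form, for example `// io.netty.util.concurrent.GlobalEventExecutor.startThread (getClassLoader added for the Netty 4.1.118.Final upgrade)`. The `grant codeBase "${codebase.netty-common}"` block starts outside the hunk.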
@@ -26,8 +24,3 @@ grant codeBase "${codebase.netty-transport}" { // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely! permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write"; }; - -grant { - // Netty also gets the classloader for some of its internal threads - permission java.lang.RuntimePermission "getClassLoader"; -} From 4f15118606bbfcb6d4ac21f1d135cbeb0fd74f82 Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Tue, 25 Feb 2025 16:42:13 +0100 Subject: [PATCH 10/12] Clean up verification metadata --- gradle/verification-metadata.xml | 110 ------------------ .../elasticsearch/bootstrap/security.policy | 2 - .../bootstrap/test-framework.policy | 2 +- .../plugin-metadata/plugin-security.policy | 2 +- 4 files changed, 2 insertions(+), 114 deletions(-) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 8de92877364d0..526891c7abb2e 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -1404,186 +1404,76 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy index 4911708b27c4f..55abdc84fc8fb 100644 --- a/server/src/main/resources/org/elasticsearch/bootstrap/security.policy +++ b/server/src/main/resources/org/elasticsearch/bootstrap/security.policy @@ -76,8 +76,6 @@ grant codeBase "${codebase.elasticsearch-simdvec}" { //// Everything else: grant { - // permission java.lang.RuntimePermission "getClassLoader"; - // needed by vendored Guice permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.vm.annotation"; 
diff --git a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy index d2bab71cdf06d..0e206a2005e74 100644 --- a/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy +++ b/server/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy @@ -120,7 +120,7 @@ grant codeBase "${codebase.httpasyncclient}" { grant codeBase "${codebase.netty-common}" { // for reading the system-wide configuration for the backlog of established sockets permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - // Netty sets custom classloader for some of its internal threads + // Netty gets and sets classloaders for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.net.SocketPermission "*", "accept,connect"; diff --git a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy index 474b936f2a5c0..b4791207a15bf 100644 --- a/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy +++ b/x-pack/plugin/security/src/main/plugin-metadata/plugin-security.policy @@ -46,7 +46,7 @@ grant { grant codeBase "${codebase.netty-common}" { // for reading the system-wide configuration for the backlog of established sockets permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read"; - // Netty sets custom classloader for some of its internal threads + // Netty gets and sets classloaders for some of its internal threads permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; }; From 2d0a95889379f424e1d1ebcd05cafc97e11f2561 Mon Sep 17 00:00:00 2001 
From: Nikolaj Volgushev
Date: Wed, 26 Feb 2025 10:10:42 +0100
Subject: [PATCH 11/12] Update docs/changelog/122371.yaml
---
docs/changelog/122371.yaml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 docs/changelog/122371.yaml
diff --git a/docs/changelog/122371.yaml b/docs/changelog/122371.yaml
new file mode 100644
index 0000000000000..ba85e4d97c682
--- /dev/null
+++ b/docs/changelog/122371.yaml
@@ -0,0 +1,5 @@
+pr: 122371
+summary: Upgrade Netty to `4.1.118.Final`
+area: Network
+type: upgrade
+issues: []
From 8a6cd3eeedf8667144c6e0420b47a981b4e2ea8c Mon Sep 17 00:00:00 2001
From: Nikolaj Volgushev
Date: Wed, 26 Feb 2025 10:27:27 +0100
Subject: [PATCH 12/12] Delete docs/changelog/122371.yaml
---
docs/changelog/122371.yaml | 5 -----
1 file changed, 5 deletions(-)
delete mode 100644 docs/changelog/122371.yaml
diff --git a/docs/changelog/122371.yaml b/docs/changelog/122371.yaml
deleted file mode 100644
index ba85e4d97c682..0000000000000
--- a/docs/changelog/122371.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-pr: 122371
-summary: Upgrade Netty to `4.1.118.Final`
-area: Network
-type: upgrade
-issues: []