From 396369c99fec75e75defe27f4749c866c72bb14b Mon Sep 17 00:00:00 2001
From: Ryan Ernst
Date: Mon, 17 Feb 2025 07:27:42 -0800
Subject: [PATCH] Instrument methods on File that require read permissions (#122544)

This commit adds instrumentation for File methods that require read permissions. see #122109 for the write side
---
 .../bridge/EntitlementChecker.java | 30 ++++++++
 .../entitlement/qa/test/FileCheckActions.java | 70 ++++++++++++++++++
 .../api/ElasticsearchEntitlementChecker.java | 72 +++++++++++++++++++
 .../plugin-metadata/entitlement-policy.yaml | 5 ++
 .../plugin-metadata/entitlement-policy.yaml | 5 ++
 .../plugin-metadata/entitlement-policy.yaml | 16 +++++
 6 files changed, 198 insertions(+)

diff --git a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
index 9fc234e904750..640e0d06cc4b9 100644
--- a/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
+++ b/libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
@@ -10,6 +10,8 @@
 package org.elasticsearch.entitlement.bridge;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.io.PrintStream;
 import java.io.PrintWriter;
@@ -512,6 +514,12 @@ public interface EntitlementChecker {
     //
     // old io (ie File)
 
+    void check$java_io_File$canExecute(Class callerClass, File file);
+
+    void check$java_io_File$canRead(Class callerClass, File file);
+
+    void check$java_io_File$canWrite(Class callerClass, File file);
+
     void check$java_io_File$createNewFile(Class callerClass, File file);
 
     void check$java_io_File$$createTempFile(Class callerClass, String prefix, String suffix, File directory);
@@ -520,6 +528,28 @@ public interface EntitlementChecker {
 
     void check$java_io_File$deleteOnExit(Class callerClass, File file);
 
+    void check$java_io_File$exists(Class callerClass, File file);
+
+    void check$java_io_File$isDirectory(Class callerClass, File file);
+
+    void check$java_io_File$isFile(Class callerClass, File file);
+
+    void check$java_io_File$isHidden(Class callerClass, File file);
+
+    void check$java_io_File$lastModified(Class callerClass, File file);
+
+    void check$java_io_File$length(Class callerClass, File file);
+
+    void check$java_io_File$list(Class callerClass, File file);
+
+    void check$java_io_File$list(Class callerClass, File file, FilenameFilter filter);
+
+    void check$java_io_File$listFiles(Class callerClass, File file);
+
+    void check$java_io_File$listFiles(Class callerClass, File file, FileFilter filter);
+
+    void check$java_io_File$listFiles(Class callerClass, File file, FilenameFilter filter);
+
     void check$java_io_File$mkdir(Class callerClass, File file);
 
     void check$java_io_File$mkdirs(Class callerClass, File file);
diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java
index 29736a46040e3..9a6c59e204728 100644
--- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java
+++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java
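Review bot: The read-side list in this hunk and the one before it does not cover `File.getTotalSpace()`, `getFreeSpace()` and `getUsableSpace()`, which likewise only inspect the target path (the JDK's SecurityManager gated them with checkRead on top of the getFileSystemAttributes permission), nor `File.listRoots()`, which enumerates filesystem roots. If they are not already declared elsewhere in the interface — only these two hunks are visible — they stay uninstrumented read paths and fit the same shape, e.g. `void check$java_io_File$getTotalSpace(Class callerClass, File file);`. Read-checked and write-checked methods now interleave alphabetically under `// old io (ie File)`, so a short comment such as `// query-only methods map to a read check on the file; mutating ones to a write check` would make the split explicit for whoever adds the next method.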
@@ -46,6 +46,21 @@ static Path readWriteFile() {
         return testRootDir.resolve("read_write_file");
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanExecute() throws IOException {
+        readFile().toFile().canExecute();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanRead() throws IOException {
+        readFile().toFile().canRead();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileCanWrite() throws IOException {
+        readFile().toFile().canWrite();
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileCreateNewFile() throws IOException {
         readWriteDir().resolve("new_file").toFile().createNewFile();
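Review bot: All fourteen new actions in this hunk and the next one declare `throws IOException`, but nothing in their bodies can throw it: `canExecute`, `canRead`, `canWrite`, `exists`, `isDirectory`, `isFile`, `isHidden`, `lastModified`, `length`, `list` and `listFiles` declare no checked exception, so the clause is dead on every one of them, e.g. `static void fileCanExecute() throws IOException {` can be `static void fileCanExecute() {`. If the file keeps the clause on every action on purpose so the harness can invoke them uniformly, a one-line comment near the first action saying so would stop the next reader from trimming it. The always-true filters passed to `list` and `listFiles` in the next hunk are fine for exercising the check, though a comment like `// filter content is irrelevant: only the directory listing itself is instrumented` would save a reader wondering whether the filter is meant to be checked too.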
@@ -70,6 +85,61 @@ static void fileDeleteOnExit() throws IOException {
         toDelete.toFile().deleteOnExit();
     }
 
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileExists() throws IOException {
+        readFile().toFile().exists();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsDirectory() throws IOException {
+        readFile().toFile().isDirectory();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsFile() throws IOException {
+        readFile().toFile().isFile();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileIsHidden() throws IOException {
+        readFile().toFile().isHidden();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLastModified() throws IOException {
+        readFile().toFile().lastModified();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileLength() throws IOException {
+        readFile().toFile().length();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileList() throws IOException {
+        readDir().toFile().list();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListWithFilter() throws IOException {
+        readDir().toFile().list((dir, name) -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFiles() throws IOException {
+        readDir().toFile().listFiles();
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFileFilter() throws IOException {
+        readDir().toFile().listFiles(pathname -> true);
+    }
+
+    @EntitlementTest(expectedAccess = PLUGINS)
+    static void fileListFilesWithFilenameFilter() throws IOException {
+        readDir().toFile().listFiles((dir, name) -> true);
+    }
+
     @EntitlementTest(expectedAccess = PLUGINS)
     static void fileMkdir() throws IOException {
         Path mkdir = readWriteDir().resolve("mkdir");
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
index d2bd17a52246e..aba0ab57feb22 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
@@ -14,6 +14,8 @@
 import org.elasticsearch.entitlement.runtime.policy.PolicyManager;
 
 import java.io.File;
+import java.io.FileFilter;
+import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintStream;
@@ -955,6 +957,21 @@ public void checkSelectorProviderInheritedChannel(Class callerClass, Selector
 
     // old io (ie File)
 
+    @Override
+    public void check$java_io_File$canExecute(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canRead(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$canWrite(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$createNewFile(Class callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);
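Review bot: `check$java_io_File$canWrite` and `check$java_io_File$canExecute` delegate to `policyManager.checkFileRead` although their names say write and execute; that is the right mapping — `File.canWrite()` and `canExecute()` only query permission bits and modify nothing — but placed directly above `createNewFile`'s `checkFileWrite` it reads like a copy-paste slip waiting to be "fixed" by a later edit. A one-line comment on each, `// querying the write/execute bit is a metadata read; nothing is modified`, would record the intent and keep the read/write distinction auditable in this class. The enclosing class continues outside the hunk.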
@@ -975,6 +992,61 @@ public void checkSelectorProviderInheritedChannel(Class callerClass, Selector
         policyManager.checkFileWrite(callerClass, file);
     }
 
+    @Override
+    public void check$java_io_File$exists(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isDirectory(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isFile(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$isHidden(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$lastModified(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$length(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$list(Class callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class callerClass, File file) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class callerClass, File file, FileFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
+    @Override
+    public void check$java_io_File$listFiles(Class callerClass, File file, FilenameFilter filter) {
+        policyManager.checkFileRead(callerClass, file);
+    }
+
     @Override
     public void check$java_io_File$mkdir(Class callerClass, File file) {
         policyManager.checkFileWrite(callerClass, file);
diff --git a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
index 53049c74b6a47..f22076b360b6a 100644
--- a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
@@ -1,3 +1,8 @@
 io.netty.common:
   - outbound_network
   - manage_threads
+  - files:
+      - path: "/etc/os-release"
+        mode: "read"
+      - path: "/usr/lib/os-release"
+        mode: "read"
diff --git a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
index 1562b806a82d8..7a3f2c11d69ba 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
@@ -6,3 +6,8 @@ io.netty.common:
   - inbound_network
   - outbound_network
   - manage_threads
+  - files:
+      - path: "/etc/os-release"
+        mode: "read"
+      - path: "/usr/lib/os-release"
+        mode: "read"
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
index 0695c8e5766f8..90367da4cbceb 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
@@ -8,7 +8,23 @@ io.netty.common:
   - manage_threads
   - inbound_network
   - outbound_network
+  - files:
+      - path: "/etc/os-release"
+        mode: "read"
+      - path: "/usr/lib/os-release"
+        mode: "read"
 org.opensaml.xmlsec.impl:
   - write_system_properties:
       properties:
         - org.apache.xml.security.ignoreLineBreaks
+org.opensaml.saml.impl:
+  - files:
+      - relative_path: idp-docs-metadata.xml
+        relative_to: config
+        mode: read
+      - relative_path: idp-metadata.xml
+        relative_to: config
+        mode: read
+      - relative_path: saml-metadata.xml
+        relative_to: config
+        mode: read
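Review bot: The three `io.netty.common` grants write `mode: "read"` with quotes while the `org.opensaml.saml.impl` block added to the same x-pack file writes `mode: read` bare; both parse to the same string, but these policy files are what an auditor reads to see what a module may touch, so one form should be used throughout (the bare form matches the existing `- manage_threads` style). The same two absolute `os-release` paths are copied verbatim into repository-azure, transport-netty4 and x-pack security, and nothing on the page says which netty code reads them; a comment above each copy such as `# read by netty's platform detection at startup — confirm against the netty source before removing` would let the next reviewer re-check that the grant is still needed. If the policy loader offers a way to share one definition across modules, that would keep the three copies from drifting; if not, the read-only, absolute-path form at least keeps each grant narrow.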