From 1e23a291d6203b171683e8773fa30a986605a388 Mon Sep 17 00:00:00 2001 From: Ryan Ernst Date: Sat, 22 Feb 2025 13:29:29 -0800 Subject: [PATCH 1/7] Add platform property to files entitlement Some file paths are OS specific. This commit adds a `platform` property to each file in a files entitlement that can be used to limit that file to a specific platform. --- .../EntitlementInitialization.java | 21 ++-- .../runtime/policy/FileAccessTree.java | 4 + .../policy/entitlements/FilesEntitlement.java | 115 +++++++++++++++--- .../plugin-metadata/entitlement-policy.yaml | 3 + .../plugin-metadata/entitlement-policy.yaml | 3 + .../plugin-metadata/entitlement-policy.yaml | 3 + 6 files changed, 125 insertions(+), 24 deletions(-) diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java index b4d95ceb011e4..877ebf0964eb6 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java @@ -65,6 +65,7 @@ import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ; import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode.READ_WRITE; +import static org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Platform.LINUX; /** * Called by the agent during {@code agentmain} to configure the entitlement system, 
@@ -179,22 +180,22 @@ private static PolicyManager createPolicyManager() {
 FileData.ofPath(bootstrapArgs.repoDirResolver().apply(""), READ_WRITE),
 // OS release on Linux
- FileData.ofPath(Path.of("/etc/os-release"), READ),
- FileData.ofPath(Path.of("/etc/system-release"), READ),
- FileData.ofPath(Path.of("/usr/lib/os-release"), READ),
+ FileData.ofPath(Path.of("/etc/os-release"), READ).withPlatform(LINUX),
+ FileData.ofPath(Path.of("/etc/system-release"), READ).withPlatform(LINUX),
+ FileData.ofPath(Path.of("/usr/lib/os-release"), READ).withPlatform(LINUX),
 // read max virtual memory areas
- FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ),
- FileData.ofPath(Path.of("/proc/meminfo"), READ),
+ FileData.ofPath(Path.of("/proc/sys/vm/max_map_count"), READ).withPlatform(LINUX),
+ FileData.ofPath(Path.of("/proc/meminfo"), READ).withPlatform(LINUX),
 // load averages on Linux
- FileData.ofPath(Path.of("/proc/loadavg"), READ),
+ FileData.ofPath(Path.of("/proc/loadavg"), READ).withPlatform(LINUX),
 // control group stats on Linux. cgroup v2 stats are in an unpredicable
 // location under `/sys/fs/cgroup`, so unfortunately we have to allow
 // read access to the entire directory hierarchy.
- FileData.ofPath(Path.of("/proc/self/cgroup"), READ),
- FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ),
+ FileData.ofPath(Path.of("/proc/self/cgroup"), READ).withPlatform(LINUX),
+ FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ).withPlatform(LINUX),
 // // io stats on Linux
- FileData.ofPath(Path.of("/proc/self/mountinfo"), READ),
- FileData.ofPath(Path.of("/proc/diskstats"), READ)
+ FileData.ofPath(Path.of("/proc/self/mountinfo"), READ).withPlatform(LINUX),
+ FileData.ofPath(Path.of("/proc/diskstats"), READ).withPlatform(LINUX)
 )
 )
 )
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
index 660459f06d58b..e4d340bcae36e 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
@@ -30,6 +30,10 @@ private FileAccessTree(FilesEntitlement filesEntitlement, PathLookup pathLookup)
 List readPaths = new ArrayList<>();
 List writePaths = new ArrayList<>();
 for (FilesEntitlement.FileData fileData : filesEntitlement.filesData()) {
+ var platform = fileData.platform();
+ if (platform != null && platform.isCurrent() == false) {
+ continue;
+ }
 var mode = fileData.mode();
 var paths = fileData.resolvePaths(pathLookup);
 paths.forEach(path -> {
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
index 21b54ba51ca87..0496eee0eec40 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
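Review bot: The new skip at the top of the loop treats a null `platform()` as "applies on every platform", but nothing in this loop or on `FileData.platform()` states that contract, and `FilesEntitlement.build` relies on the same null sentinel. A one-line comment above the check would make it explicit: `// a null platform means the entry applies everywhere; drop entries pinned to another OS`. The constructor `FileAccessTree(...)` continues outside the hunk.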
@@ -39,26 +39,55 @@ public enum BaseDir {
 HOME
 }
+ public enum Platform {
+ LINUX,
+ MACOS,
+ WINDOWS;
+
+ private static final Platform current = findCurrent();
+
+ private static Platform findCurrent() {
+ String os = System.getProperty("os.name");
+ if (os.startsWith("Linux")) {
+ return LINUX;
+ } else if (os.startsWith("Mac OS")) {
+ return MACOS;
+ } else if (os.startsWith("Windows")) {
+ return WINDOWS;
+ } else {
+ throw new AssertionError("Unsupported platform [" + os + "]");
+ }
+ }
+
+ public boolean isCurrent() {
+ return this == current;
+ }
+ }
+
 public sealed interface FileData {
 Stream resolvePaths(PathLookup pathLookup);
 Mode mode();
+ Platform platform();
+
+ FileData withPlatform(Platform platform);
+
 static FileData ofPath(Path path, Mode mode) {
- return new AbsolutePathFileData(path, mode);
+ return new AbsolutePathFileData(path, mode, null);
 }
 static FileData ofRelativePath(Path relativePath, BaseDir baseDir, Mode mode) {
- return new RelativePathFileData(relativePath, baseDir, mode);
+ return new RelativePathFileData(relativePath, baseDir, mode, null);
 }
 static FileData ofPathSetting(String setting, Mode mode) {
- return new PathSettingFileData(setting, mode);
+ return new PathSettingFileData(setting, mode, null);
 }
 static FileData ofRelativePathSetting(String setting, BaseDir baseDir, Mode mode) {
- return new RelativePathSettingFileData(setting, baseDir, mode);
+ return new RelativePathSettingFileData(setting, baseDir, mode, null);
 }
 }
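Review bot: `findCurrent()` runs inside `Platform`'s static initialiser and throws `AssertionError` for any `os.name` outside the three prefixes, so on such a host the first reference to the enum (`Platform.LINUX` in `parsePlatform`, or `withPlatform(LINUX)` in `EntitlementInitialization`) surfaces as an `ExceptionInInitializerError`, and `os` is dereferenced without a null check. If unsupported hosts are meant to fail fast, a comment on `current` should say so; otherwise consider resolving `current` lazily or mapping unknown names to a value that `isCurrent()` never matches. `platform()` and `withPlatform` also carry no Javadoc, although the rest of the change depends on the null sentinel; `/** The platform this entry is restricted to, or {@code null} if it applies to every platform. */` on `platform()` would document it.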
@@ -91,32 +120,70 @@ default Stream resolvePaths(PathLookup pathLookup) {
 }
 }
- private record AbsolutePathFileData(Path path, Mode mode) implements FileData {
+ private record AbsolutePathFileData(Path path, Mode mode, Platform platform) implements FileData {
 @Override
 public Stream resolvePaths(PathLookup pathLookup) {
 return Stream.of(path);
 }
+
+ @Override
+ public FileData withPlatform(Platform platform) {
+ if (platform == platform()) {
+ return this;
+ }
+ return new AbsolutePathFileData(path, mode, platform);
+ }
 }
- private record RelativePathFileData(Path relativePath, BaseDir baseDir, Mode mode) implements FileData, RelativeFileData {
+ private record RelativePathFileData(Path relativePath, BaseDir baseDir, Mode mode, Platform platform)
+ implements
+ FileData,
+ RelativeFileData {
 @Override
 public Stream resolveRelativePaths(PathLookup pathLookup) {
 return Stream.of(relativePath);
 }
+
+ @Override
+ public FileData withPlatform(Platform platform) {
+ if (platform == platform()) {
+ return this;
+ }
+ return new RelativePathFileData(relativePath, baseDir, mode, platform);
+ }
 }
- private record PathSettingFileData(String setting, Mode mode) implements FileData {
+ private record PathSettingFileData(String setting, Mode mode, Platform platform) implements FileData {
 @Override
 public Stream resolvePaths(PathLookup pathLookup) {
 return resolvePathSettings(pathLookup, setting);
 }
+
+ @Override
+ public FileData withPlatform(Platform platform) {
+ if (platform == platform()) {
+ return this;
+ }
+ return new PathSettingFileData(setting, mode, platform);
+ }
 }
- private record RelativePathSettingFileData(String setting, BaseDir baseDir, Mode mode) implements FileData, RelativeFileData {
+ private record RelativePathSettingFileData(String setting, BaseDir baseDir, Mode mode, Platform platform)
+ implements
+ FileData,
+ RelativeFileData {
 @Override
 public Stream resolveRelativePaths(PathLookup pathLookup) {
 return resolvePathSettings(pathLookup, setting);
 }
+
+ @Override
+ public FileData withPlatform(Platform platform) {
+ if (platform == platform()) {
+ return this;
+ }
+ return new RelativePathSettingFileData(setting, baseDir, mode, platform);
+ }
 }
 private static Stream resolvePathSettings(PathLookup pathLookup, String setting) {
@@ -137,6 +204,18 @@ private static Mode parseMode(String mode) {
 }
 }
+ private static Platform parsePlatform(String platform) {
+ if (platform.equals("linux")) {
+ return Platform.LINUX;
+ } else if (platform.equals("macos")) {
+ return Platform.MACOS;
+ } else if (platform.equals("windows")) {
+ return Platform.WINDOWS;
+ } else {
+ throw new PolicyValidationException("invalid platform: " + platform + ", valid values: [linux, macos, windows]");
+ }
+ }
+
 private static BaseDir parseBaseDir(String baseDir) {
 return switch (baseDir) {
 case "config" -> BaseDir.CONFIG;
@@ -163,6 +242,7 @@ public static FilesEntitlement build(List paths) {
 String pathSetting = file.remove("path_setting");
 String relativePathSetting = file.remove("relative_path_setting");
 String modeAsString = file.remove("mode");
+ String platformAsString = file.remove("mode");
 if (file.isEmpty() == false) {
 throw new PolicyValidationException("unknown key(s) [" + file + "] in a listed file for files entitlement");
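Review bot: In each of the four `withPlatform` implementations the parameter `platform` shadows the record component of the same name, so `platform == platform()` compares the argument against the accessor of the field it hides — correct, but easy to misread as a tautology. Renaming the parameter, e.g. `public FileData withPlatform(Platform newPlatform) {` with `if (newPlatform == platform) { return this; }`, removes the shadowing in all four records (`AbsolutePathFileData`, `RelativePathFileData`, `PathSettingFileData`, `RelativePathSettingFileData`). The four bodies are otherwise identical and differ only in the constructor call, which is the usual cost of a sealed-record hierarchy and seems acceptable here.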
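Review bot: `parsePlatform` is written as an `if`/`else if` chain on `equals`, while the neighbouring `parseBaseDir` in the same file (visible in the context lines) uses a `switch` expression on the string; the two parsers should read the same way. A `switch` whose `default` throws the same `PolicyValidationException` keeps the accepted values and the message unchanged. The accepted names are case-sensitive (`"Linux"` is rejected), which matches how the policy files in this series spell `mode` values, but may be worth stating in the policy documentation.
```java
private static Platform parsePlatform(String platform) {
    return switch (platform) {
        case "linux" -> Platform.LINUX;
        case "macos" -> Platform.MACOS;
        case "windows" -> Platform.WINDOWS;
        default -> throw new PolicyValidationException("invalid platform: " + platform + ", valid values: [linux, macos, windows]");
    };
}
```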
@@ -179,38 +259,45 @@ public static FilesEntitlement build(List paths) {
 throw new PolicyValidationException("files entitlement must contain 'mode' for every listed file");
 }
 Mode mode = parseMode(modeAsString);
+ Platform platform = null;
+ if (platformAsString != null) {
+ platform = parsePlatform(platformAsString);
+ }
 BaseDir baseDir = null;
 if (relativeTo != null) {
 baseDir = parseBaseDir(relativeTo);
 }
+ final FileData fileData;
 if (relativePathAsString != null) {
 if (baseDir == null) {
 throw new PolicyValidationException("files entitlement with a 'relative_path' must specify 'relative_to'");
 }
 Path relativePath = Path.of(relativePathAsString);
- if (relativePath.isAbsolute()) {
+ if (platform == null || platform.isCurrent() && relativePath.isAbsolute()) {
 throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
 }
- filesData.add(FileData.ofRelativePath(relativePath, baseDir, mode));
+ fileData = FileData.ofRelativePath(relativePath, baseDir, mode);
 } else if (pathAsString != null) {
 Path path = Path.of(pathAsString);
- if (path.isAbsolute() == false) {
+ if (platform == null || platform.isCurrent() && path.isAbsolute() == false) {
 throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
 }
- filesData.add(FileData.ofPath(path, mode));
+ fileData = FileData.ofPath(path, mode);
 } else if (pathSetting != null) {
- filesData.add(FileData.ofPathSetting(pathSetting, mode));
+ fileData = FileData.ofPathSetting(pathSetting, mode);
 } else if (relativePathSetting != null) {
 if (baseDir == null) {
 throw new PolicyValidationException("files entitlement with a 'relative_path_setting' must specify 'relative_to'");
 }
- filesData.add(FileData.ofRelativePathSetting(relativePathSetting, baseDir, mode));
+ fileData = FileData.ofRelativePathSetting(relativePathSetting, baseDir, mode);
 } else {
 throw new AssertionError("File entry validation error");
 }
+
+ filesData.add(fileData.withPlatform(platform));
 }
 return new FilesEntitlement(filesData);
 }
diff --git a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
index ec454ad3202d8..82da7aa188047 100644
--- a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
@@ -4,10 +4,13 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
+ platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
+ platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
+ platform: linux
 com.azure.identity:
 - files:
 - relative_path: "storage-azure/" #/config/storage-azure/azure-federated-token
diff --git a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
index 430c925add8dd..e29dec3444093 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
@@ -9,7 +9,10 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
+ platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
+ platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
+ platform: linux
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
index 99dd7d5c1380f..6a79e50cb2944 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
@@ -15,10 +15,13 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
+ platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
+ platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
+ platform: linux
 org.opensaml.xmlsec.impl:
 - write_system_properties:
 properties:
From 61cd09be0dcf123575db9417fdd69266d4f76123 Mon Sep 17 00:00:00 2001
From: Ryan Ernst
Date: Sat, 22 Feb 2025 18:28:45 -0800
Subject: [PATCH 2/7] fix logic
---
 .../runtime/policy/entitlements/FilesEntitlement.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
index 0496eee0eec40..bda06a14c9ec8 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
@@ -276,13 +276,13 @@ public static FilesEntitlement build(List paths) {
 }
 Path relativePath = Path.of(relativePathAsString);
- if (platform == null || platform.isCurrent() && relativePath.isAbsolute()) {
+ if ((platform == null || platform.isCurrent()) && relativePath.isAbsolute()) {
 throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
 }
 fileData = FileData.ofRelativePath(relativePath, baseDir, mode);
 } else if (pathAsString != null) {
 Path path = Path.of(pathAsString);
- if (platform == null || platform.isCurrent() && path.isAbsolute() == false) {
+ if ((platform == null || platform.isCurrent()) && path.isAbsolute() == false) {
 throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
 }
 fileData = FileData.ofPath(path, mode);
From eb5d5d8a5d8476e36354e109891bc34a6c91df31 Mon Sep 17 00:00:00 2001
From: Ryan Ernst
Date: Sat, 22 Feb 2025 19:25:19 -0800
Subject: [PATCH 3/7] silly copy paste
---
 .../runtime/policy/entitlements/FilesEntitlement.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
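Review bot: The guard `platform == null || platform.isCurrent()` is now written twice, once for `relative_path` and once for `path`, and the two copies must stay in step; computing it once before the branch, `boolean validatePath = platform == null || platform.isCurrent();`, keeps them from drifting apart (the next Java change in this series edits both again). `build` begins and ends outside the hunk.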
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
index bda06a14c9ec8..94ddf02661a56 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
@@ -242,7 +242,7 @@ public static FilesEntitlement build(List paths) {
 String pathSetting = file.remove("path_setting");
 String relativePathSetting = file.remove("relative_path_setting");
 String modeAsString = file.remove("mode");
- String platformAsString = file.remove("mode");
+ String platformAsString = file.remove("platform");
 if (file.isEmpty() == false) {
 throw new PolicyValidationException("unknown key(s) [" + file + "] in a listed file for files entitlement");
From 342a23a1213e8aff660b3edcb021cf1448d13271 Mon Sep 17 00:00:00 2001
From: Moritz Mack
Date: Mon, 24 Feb 2025 09:06:55 +0100
Subject: [PATCH 4/7] platform specific named pipe for windows
---
 .../plugin/ml/src/main/plugin-metadata/entitlement-policy.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/x-pack/plugin/ml/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/ml/src/main/plugin-metadata/entitlement-policy.yaml
index 664b7d83315de..5fa5ca8813919 100644
--- a/x-pack/plugin/ml/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/ml/src/main/plugin-metadata/entitlement-policy.yaml
@@ -7,3 +7,6 @@ org.elasticsearch.ml:
 - relative_path: "ml-local-data/"
 relative_to: data
 mode: read_write
+ - path: \\.\pipe\
+ mode: read_write
+ platform: windows
From db4f96b0faea896a2cbb7b2cea9f33ff93d51f5f Mon Sep 17 00:00:00 2001
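Review bot: This one-key fix arrives without a test: with `file.remove("mode")` called twice in PATCH 1/7, `platformAsString` was always null and any `platform:` entry fell into the `unknown key(s)` exception, which a parse test of a policy containing `platform: linux` would have caught immediately. None of the seven diffstats in this series lists a test file, so consider adding a `FilesEntitlement.build` test covering a recognised platform, an unrecognised one (the `invalid platform` message) and the absent key. `build` begins and ends outside the hunk.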
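Review bot: The new entry grants `read_write` on `\\.\pipe\`, the root of the Windows named-pipe namespace, rather than on a specific pipe; whether `FileAccessTree` treats the trailing separator as a directory-style prefix is not visible here, but if it does this covers every named pipe on the host, not only the ones this module opens. If the pipe names share a fixed prefix, narrowing the path to it, or at least a comment naming the component that opens pipes there (e.g. `# named pipes opened by <ML component>`), would keep the grant reviewable. Being an unquoted plain scalar, the backslashes are taken literally, so the YAML value itself is fine.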
From: Lorenzo Dematte
Date: Mon, 24 Feb 2025 10:39:32 +0100
Subject: [PATCH 5/7] Skip absolute/relative path validation if platform is "any" (null)
---
 .../runtime/policy/entitlements/FilesEntitlement.java | 4 ++--
 .../src/main/plugin-metadata/entitlement-policy.yaml | 3 ---
 .../src/main/plugin-metadata/entitlement-policy.yaml | 3 ---
 .../security/src/main/plugin-metadata/entitlement-policy.yaml | 3 ---
 4 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
index 94ddf02661a56..43ae22ea25087 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/entitlements/FilesEntitlement.java
@@ -276,13 +276,13 @@ public static FilesEntitlement build(List paths) {
 }
 Path relativePath = Path.of(relativePathAsString);
- if ((platform == null || platform.isCurrent()) && relativePath.isAbsolute()) {
+ if (platform != null && platform.isCurrent() && relativePath.isAbsolute()) {
 throw new PolicyValidationException("'relative_path' [" + relativePathAsString + "] must be relative");
 }
 fileData = FileData.ofRelativePath(relativePath, baseDir, mode);
 } else if (pathAsString != null) {
 Path path = Path.of(pathAsString);
- if ((platform == null || platform.isCurrent()) && path.isAbsolute() == false) {
+ if (platform != null && platform.isCurrent() && path.isAbsolute() == false) {
 throw new PolicyValidationException("'path' [" + pathAsString + "] must be absolute");
 }
 fileData = FileData.ofPath(path, mode);
diff --git a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
index 82da7aa188047..ec454ad3202d8 100644
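Review bot: Guarding both checks with `platform != null &&` means an entry without `platform` is no longer validated at all: a relative `path:` or an absolute `relative_path:` is now accepted and wrapped into `FileData` unchecked, whereas before this series every `path` had to be absolute, and how such a path is resolved downstream is not visible here. The motivation is presumably that Linux-style paths in the netty policies are not `isAbsolute()` on Windows (the same patch drops their `platform: linux` lines), but the unspecified-platform case can keep a host-independent check, e.g. `if (platform == null && path.isAbsolute() == false && pathAsString.startsWith("/") == false) {` with the existing message, and `relativePathAsString.startsWith("/")` likewise for `relative_path`. That still rejects `path: foo/bar` on every OS while letting `/etc/os-release` through on Windows, assuming Windows-style absolute paths are always given with `platform: windows`. `build` begins and ends outside the hunk.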
--- a/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/repository-azure/src/main/plugin-metadata/entitlement-policy.yaml
@@ -4,13 +4,10 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
- platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
- platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
- platform: linux
 com.azure.identity:
 - files:
 - relative_path: "storage-azure/" #/config/storage-azure/azure-federated-token
diff --git a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
index e29dec3444093..430c925add8dd 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/transport-netty4/src/main/plugin-metadata/entitlement-policy.yaml
@@ -9,10 +9,7 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
- platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
- platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
- platform: linux
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
index 6a79e50cb2944..99dd7d5c1380f 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
@@ -15,13 +15,10 @@ io.netty.common:
 - files:
 - path: "/etc/os-release"
 mode: "read"
- platform: linux
 - path: "/usr/lib/os-release"
 mode: "read"
- platform: linux
 - path: "/proc/sys/net/core/somaxconn"
 mode: read
- platform: linux
 org.opensaml.xmlsec.impl:
 - write_system_properties:
 properties:
From d81923c07917e98d07c10fe961821a78f93ca171 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Mon, 24 Feb 2025 15:33:40 +0100
Subject: [PATCH 6/7] Some missing entitlements preventing serverless to start
---
 .../entitlement/initialization/EntitlementInitialization.java | 4 +++-
 .../security/src/main/plugin-metadata/entitlement-policy.yaml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
index 877ebf0964eb6..04e7bfddb15ed 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -253,7 +253,9 @@ private static PolicyManager createPolicyManager() {
 new FilesEntitlement(
 List.of(
 FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
- FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ)
+ FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ),
+ FileData.ofPath(Path.of("/proc/meminfo"), READ),
+ FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
 )
 )
 );
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
index 99dd7d5c1380f..a6f29cb2ad7ea 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
@@ -37,3 +37,6 @@ org.opensaml.saml.impl:
 - relative_path: metadata.xml
 relative_to: config
 mode: read
+ - relative_path: "saml/"
+ relative_to: config
+ mode: read
From d2f3c19ec894b4ed14238746ee625c2f845e31bd Mon Sep 17 00:00:00 2001
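Review bot: The two added entries `/proc/meminfo` and `/sys/fs/cgroup/` are Linux-only paths but are added without `.withPlatform(LINUX)`, unlike the identical paths gated earlier in this method by PATCH 1/7, so on macOS and Windows they are granted for no benefit; `FileData.ofPath(Path.of("/proc/meminfo"), READ).withPlatform(LINUX),` would match the existing entries. `/sys/fs/cgroup/` also grants read on the whole cgroup hierarchy to this policy (the one covering `/co/elastic/apm/agent/`), and a comment naming the consumer that needs it, as the earlier hunk does, would keep the grant reviewable. PATCH 7/7 reverts this change in full. `createPolicyManager` begins and ends outside the hunk.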
From: Lorenzo Dematte
Date: Mon, 24 Feb 2025 15:39:18 +0100
Subject: [PATCH 7/7] Revert "Some missing entitlements preventing serverless to start"
This reverts commit d81923c07917e98d07c10fe961821a78f93ca171.
---
 .../entitlement/initialization/EntitlementInitialization.java | 4 +---
 .../security/src/main/plugin-metadata/entitlement-policy.yaml | 3 ---
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
index 04e7bfddb15ed..877ebf0964eb6 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -253,9 +253,7 @@ private static PolicyManager createPolicyManager() {
 new FilesEntitlement(
 List.of(
 FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
- FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ),
- FileData.ofPath(Path.of("/proc/meminfo"), READ),
- FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
+ FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ)
 )
 )
 );
diff --git a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
index a6f29cb2ad7ea..99dd7d5c1380f 100644
--- a/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/security/src/main/plugin-metadata/entitlement-policy.yaml
@@ -37,6 +37,3 @@ org.opensaml.saml.impl:
 - relative_path: metadata.xml
 relative_to: config
 mode: read
- - relative_path: "saml/"
- relative_to: config
- mode: read