From a58dd34d396a467ab841c3d27d14bfe4e06c758e Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Wed, 26 Feb 2025 09:34:20 +0100
Subject: [PATCH 1/4] Add missing APM entitlements
---
 modules/apm/src/main/plugin-metadata/entitlement-policy.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml b/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
index d80db1b99a1d1..c3ff3aea9ef73 100644
--- a/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
@@ -89,3 +89,5 @@ elastic.apm.agent:
 properties:
 - AsyncProfiler.safemode
 - load_native_libraries
+ - manage_threads
+ - outbound_network

From 4738240941a3b3fb099a7b299ae176f744d4b5b5 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Thu, 27 Feb 2025 12:10:16 +0100
Subject: [PATCH 2/4] Moving all APM agent permissions to the agent policy
---
 .../EntitlementInitialization.java | 16 +++++++++++++++-
 .../main/plugin-metadata/entitlement-policy.yaml | 8 --------
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
index 60bd52a02ab54..67c36a8bb89e4 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -33,6 +33,8 @@
 import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
 import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
+import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;
 
 import java.lang.instrument.Instrumentation;
 import java.lang.reflect.Constructor;
@@ -242,7 +244,14 @@ private static PolicyManager createPolicyManager() {
 if (trustStorePath != null) {
 Collections.addAll(
 serverScopes,
- new Scope("org.bouncycastle.fips.tls", List.of(new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))))),
+ new Scope(
+ "org.bouncycastle.fips.tls",
+ List.of(
+ new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))),
+ new OutboundNetworkEntitlement(),
+ new ManageThreadsEntitlement()
+ )
+ ),
 new Scope(
 "org.bouncycastle.fips.core",
 // read to lib dir is required for checksum validation
@@ -255,9 +264,14 @@ private static PolicyManager createPolicyManager() {
 var serverPolicy = new Policy("server", serverScopes);
 // agents run without a module, so this is a special hack for the apm agent
 // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
+ // See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
 List agentEntitlements = List.of(
 new CreateClassLoaderEntitlement(),
 new ManageThreadsEntitlement(),
+ new SetHttpsConnectionPropertiesEntitlement(),
+ new OutboundNetworkEntitlement(),
+ new WriteSystemPropertiesEntitlement(Set.of("AsyncProfiler.safemode")),
+ new LoadNativeLibrariesEntitlement(),
 new FilesEntitlement(
 List.of(
 FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
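Review bot: The `new OutboundNetworkEntitlement()` and `new ManageThreadsEntitlement()` added to the `org.bouncycastle.fips.tls` scope sit inside the `if (trustStorePath != null)` branch, so they are granted only when a trust store path is configured; if the FIPS TLS provider needs network and thread entitlements regardless of the trust store, a FIPS deployment without that setting is left without them, and if the need really is tied to the trust store the code should say so. The adjacent `fips.core` scope explains its file grant with `// read to lib dir is required for checksum validation`, but neither new entitlement here records which provider behaviour requires it. I would add a one-line why-comment above each, e.g. `// required by the FIPS TLS provider for <reason>` with the reason filled in, so a later reviewer can judge whether the grant is still needed. `createPolicyManager` begins and ends outside the hunk.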
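Review bot: The new comment `// See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml` points at a file whose `elastic.apm.agent` section this same commit deletes, so after the change that YAML describes only the `org.elasticsearch.telemetry.apm` module and not the agent; the pointer sends a reader to the wrong place. I would reword it to something like `// the agent's entitlements are defined here in code; entitlement-policy.yaml only covers the telemetry module` so the location of the agent policy is explicit. Since `SetHttpsConnectionPropertiesEntitlement`, `OutboundNetworkEntitlement`, `WriteSystemPropertiesEntitlement(Set.of("AsyncProfiler.safemode"))` and `LoadNativeLibrariesEntitlement` are now fixed in code rather than in a plugin policy file, a short why-comment per entry would help anyone later asked to narrow them. `LoadNativeLibrariesEntitlement` is used here but not added in the imports hunk, so presumably it is already imported; worth confirming. `createPolicyManager` and the `List.of(` argument list continue outside the hunk.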
diff --git a/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml b/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
index c3ff3aea9ef73..216c67c492260 100644
--- a/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
@@ -83,11 +83,3 @@ org.elasticsearch.telemetry.apm:
 - elastic.apm.application_packages
 - elastic.apm.stack_trace_limit
 - elastic.apm.span_stack_trace_min_duration
-elastic.apm.agent:
- - set_https_connection_properties
- - write_system_properties:
- properties:
- - AsyncProfiler.safemode
- - load_native_libraries
- - manage_threads
- - outbound_network

From e5183d9e701a9892dcf2fa9323fc371f59e21033 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Thu, 27 Feb 2025 12:20:16 +0100
Subject: [PATCH 3/4] Unmute APM tests
---
 muted-tests.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/muted-tests.yml b/muted-tests.yml
index 502b9a3ab0634..ae8710e2a37c3 100644
--- a/muted-tests.yml
+++ b/muted-tests.yml
@@ -301,12 +301,6 @@ tests:
 - class: org.elasticsearch.xpack.esql.heap_attack.HeapAttackIT
 method: testEnrichExplosionManyMatches
 issue: https://github.com/elastic/elasticsearch/issues/122913
-- class: org.elasticsearch.test.apmintegration.TracesApmIT
- method: testApmIntegration
- issue: https://github.com/elastic/elasticsearch/issues/122129
-- class: org.elasticsearch.test.apmintegration.MetricsApmIT
- method: testApmIntegration
- issue: https://github.com/elastic/elasticsearch/issues/123022
 - class: org.elasticsearch.repositories.gcs.GoogleCloudStorageServiceTests
 method: testClientsAreNotSharedAcrossRepositories
 issue: https://github.com/elastic/elasticsearch/issues/123090

From 80defc517c53a8cf6a97b8762f80d6e6413a86f7 Mon Sep 17 00:00:00 2001
From: Lorenzo Dematte
Date: Mon, 3 Mar 2025 15:14:27 +0100
Subject: [PATCH 4/4] removed jar/zip paths, added logs dir
---
 .../entitlement/initialization/EntitlementInitialization.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
index 72b7d7540ee9b..6dc3f99c7b381 100644
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -273,8 +273,7 @@ private static PolicyManager createPolicyManager() {
 new LoadNativeLibrariesEntitlement(),
 new FilesEntitlement(
 List.of(
- FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
- FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ),
+ FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
 FileData.ofPath(Path.of("/proc/meminfo"), READ),
 FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
 )
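Review bot: `FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE)` grants the agent read and write access to the entire logs directory, while every other entry in this `FilesEntitlement` is `READ` on a specific path, and nothing in the code says what the agent writes there. If the agent only writes its own log file, a grant scoped to that path would keep this at least-privilege; otherwise a why-comment such as `// agent writes its own output under the logs dir — TODO confirm which files` belongs on this line. The subject says the removed `/co/elastic/apm/agent/` and `/agent/co/elastic/apm/agent/` entries were jar/zip paths, but that rationale is not recorded in the code, so a short note would help the next reader who wonders why they are gone. `bootstrapArgs` and the enclosing `createPolicyManager` are defined outside the hunk.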