diff --git a/x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy
index 0310ce4542dbb..2862704694112 100644
--- a/x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy
@@ -1,10 +1,14 @@
 grant {
+ // PD: Doesn't actually appear to use this. Contains no callers to anything that calls checkSetFactory
 permission java.lang.RuntimePermission "setFactory";
 // ApacheXMLSecurityInitializer
+ // PD: Done
 permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "read,write";
+ // PD: Dup!
 permission java.security.SecurityPermission "org.apache.xml.security.register";
+ // PD: TODO Not sure how to check this one
 // needed during initialization of OpenSAML library where xml security algorithms are registered
 // see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
 // and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
@@ -12,5 +16,6 @@ grant {
 permission java.security.SecurityPermission "org.apache.xml.security.register";
 // needed for multiple server implementations used in tests
+ // PD: TODO: Why aren't tests failing?
 permission java.net.SocketPermission "*", "accept,connect";
 };
diff --git a/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
index 8ec8ff9ad4ddc..16ab59ba2e17f 100644
--- a/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
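Review bot: In the first identity-provider hunk, the added `// PD: Dup!` and `// PD: Doesn't actually appear to use this...` comments record a finding but not the decision, and both grants stay in the policy. The duplicate `org.apache.xml.security.register` grant shows up again as the first context line of the next hunk, so one of the two is redundant; if the no-caller finding for `setFactory` holds, least privilege argues for removing that grant rather than carrying it forward. I would word the comments as actions, for example `// PD: duplicate of the grant further down, drop one when porting` and `// PD: no caller reaches checkSetFactory, candidate for removal`. The `PD:` prefix is not explained in any visible hunk; a short legend in the commit message would help later readers.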
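Review bot: The `// PD: TODO: Why aren't tests failing?` comment in the second identity-provider hunk (repeated verbatim in the logstash policy) does not say what was expected to fail or under which setup, so nobody else can act on it. It annotates `SocketPermission "*", "accept,connect"`, a wildcard-host grant in a `src/main` policy whose only stated justification is tests. If the question means the tests pass without an equivalent grant, that suggests, but does not prove, that production code does not need it. I would record the observation and the open decision instead, for example `// PD: TODO tests pass without an equivalent grant; confirm no production caller before dropping it`.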
@@ -8,22 +8,29 @@ grant {
 // required by: com.google.api.client.json.JsonParser#parseValue
 // also required by AWS SDK for client configuration
+ // PD: Always granted
 permission java.lang.RuntimePermission "accessDeclaredMembers";
+ // PD: Always granted
 permission java.lang.RuntimePermission "getClassLoader";
 // required by: com.google.api.client.json.GenericJson#
 // also by AWS SDK for Jackson's ObjectMapper
+ // PD: TODO: What entitlement does this map to?
 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 // required to add google certs to the gcs client trustore
+ // PD: Done
 permission java.lang.RuntimePermission "setFactory";
 // gcs client opens socket connections for to access repository
 // also, AWS Bedrock client opens socket connections and needs resolve for to access to resources
+ // PD: TODO Add outgoing network
 permission java.net.SocketPermission "*", "connect,resolve";
 // AWS Clients always try to access the credentials and config files, even if we configure otherwise
+ // PD: TODO Add these
 permission java.io.FilePermission "${user.home}/.aws/credentials", "read";
 permission java.io.FilePermission "${user.home}/.aws/config", "read";
+ // PD: Always granted
 permission java.util.PropertyPermission "http.proxyHost", "read";
 };
diff --git a/x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy
index 16701ab74d8c9..bc759dc7dee3b 100644
--- a/x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy
@@ -1,4 +1,5 @@
 grant {
 // needed for multiple server implementations used in tests
+ // PD: TODO: Why aren't tests failing?
 permission java.net.SocketPermission "*", "accept,connect";
 };
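Review bot: In the inference policy hunk, `// PD: TODO Add these` on the two `${user.home}/.aws/...` file grants does not state the scope to carry over, and one of those files holds credentials. The existing comment says the AWS clients probe these files even when configured otherwise, so the read looks like a compatibility allowance rather than a functional need; whether the SDK tolerates a denial cannot be verified from this hunk. I would pin the scope in the comment, for example `// PD: TODO port as read-only access to exactly these two files; do not widen to the whole .aws directory`. The open question on `suppressAccessChecks` a few lines earlier deserves a tracked issue too, since that grant lets code bypass reflective access checks.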
diff --git a/x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy
index 67fc731ea29de..21c431a7e6b4b 100644
--- a/x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy
@@ -6,5 +6,6 @@
 */
 grant {
+ // PD: TODO outgoing network?
 permission java.net.SocketPermission "*", "connect";
 };
diff --git a/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy b/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy
index 9b3e5e0c72209..588423d03054a 100644
--- a/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy
+++ b/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy
@@ -1,5 +1,6 @@
 // Needed for painless script to run
 grant {
 // needed to create the classloader which allows plugins to extend other plugins
+ // PD: We think this isn't doing anything. https://elastic.slack.com/archives/C07HQL9TNP6/p1740683230530729?thread_ts=1740683097.110529&cid=C07HQL9TNP6
 permission java.lang.RuntimePermission "createClassLoader";
 };
diff --git a/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy b/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy
index 1bf45f6d697a6..0681368ad9ff2 100644
--- a/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy
@@ -1,7 +1,9 @@
 grant {
 // needed for Windows named pipes in machine learning
+ // PD: Done
 permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";
 // needed for ojalgo linear programming solver
+ // PD: Always granted
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
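Review bot: The comment added in `ml/.../plugin-security-test.policy` gives a Slack message URL as the only evidence that the `createClassLoader` grant "isn't doing anything". That link is presumably unreadable outside the organisation, so the reasoning is lost to most readers, and it puts workspace and channel identifiers into the repository history. Summarise the conclusion in the comment and point to the project's issue tracker instead, for example `// PD: believed unused, see <tracking issue> for the analysis` (placeholder, no issue id is visible on this page). Since `createClassLoader` is a powerful grant, the comment should also say what check backs the "unused" claim.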