Skip to content

First pass at entitlement policy review #123636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

First pass at entitlement policy review #123636

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions x-pack/plugin/identity-provider/src/main/plugin-metadata/plugin-security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,21 @@
grant {
// PD: Doesn't actually appear to use this. Contains no callers to anything that calls checkSetFactory
permission java.lang.RuntimePermission "setFactory";

// ApacheXMLSecurityInitializer
// PD: Done
permission java.util.PropertyPermission "org.apache.xml.security.ignoreLineBreaks", "read,write";
// PD: Dup!
permission java.security.SecurityPermission "org.apache.xml.security.register";

// PD: TODO Not sure how to check this one
// needed during initialization of OpenSAML library where xml security algorithms are registered
// see https://github.com/apache/santuario-java/blob/e79f1fe4192de73a975bc7246aee58ed0703343d/src/main/java/org/apache/xml/security/utils/JavaUtils.java#L205-L220
// and https://git.shibboleth.net/view/?p=java-opensaml.git;a=blob;f=opensaml-xmlsec-impl/src/main/java/org/opensaml/xmlsec/signature/impl/SignatureMarshaller.java;hb=db0eaa64210f0e32d359cd6c57bedd57902bf811#l52
// which uses it in the opensaml-xmlsec-impl
permission java.security.SecurityPermission "org.apache.xml.security.register";

// needed for multiple server implementations used in tests
// PD: TODO: Why aren't tests failing?
permission java.net.SocketPermission "*", "accept,connect";
};
7 changes: 7 additions & 0 deletions x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,22 +8,29 @@
grant {
// required by: com.google.api.client.json.JsonParser#parseValue
// also required by AWS SDK for client configuration
// PD: Always granted
permission java.lang.RuntimePermission "accessDeclaredMembers";
// PD: Always granted
permission java.lang.RuntimePermission "getClassLoader";

// required by: com.google.api.client.json.GenericJson#<init>
// also by AWS SDK for Jackson's ObjectMapper
// PD: TODO: What entitlement does this map to?
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

// required to add google certs to the gcs client trustore
// PD: Done
permission java.lang.RuntimePermission "setFactory";

// gcs client opens socket connections for to access repository
// also, AWS Bedrock client opens socket connections and needs resolve for to access to resources
// PD: TODO Add outgoing network
permission java.net.SocketPermission "*", "connect,resolve";

// AWS Clients always try to access the credentials and config files, even if we configure otherwise
// PD: TODO Add these
permission java.io.FilePermission "${user.home}/.aws/credentials", "read";
permission java.io.FilePermission "${user.home}/.aws/config", "read";
// PD: Always granted
permission java.util.PropertyPermission "http.proxyHost", "read";
};
1 change: 1 addition & 0 deletions x-pack/plugin/logstash/src/main/plugin-metadata/plugin-security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
grant {
// needed for multiple server implementations used in tests
// PD: TODO: Why aren't tests failing?
permission java.net.SocketPermission "*", "accept,connect";
};
1 change: 1 addition & 0 deletions x-pack/plugin/ml-package-loader/src/main/plugin-metadata/plugin-security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,6 @@
*/

grant {
// PD: TODO outgoing network?
permission java.net.SocketPermission "*", "connect";
};
1 change: 1 addition & 0 deletions x-pack/plugin/ml/src/main/plugin-metadata/plugin-security-test.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
// Needed for painless script to run
grant {
// needed to create the classloader which allows plugins to extend other plugins
// PD: We think this isn't doing anything. https://elastic.slack.com/archives/C07HQL9TNP6/p1740683230530729?thread_ts=1740683097.110529&cid=C07HQL9TNP6
permission java.lang.RuntimePermission "createClassLoader";
};
2 changes: 2 additions & 0 deletions x-pack/plugin/ml/src/main/plugin-metadata/plugin-security.policy
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
grant {
// needed for Windows named pipes in machine learning
// PD: Done
permission java.io.FilePermission "\\\\.\\pipe\\*", "read,write";

// needed for ojalgo linear programming solver
// PD: Always granted
permission java.lang.RuntimePermission "accessDeclaredMembers";
};