Skip to content

[Entitlements] Add a check for filesystem mismatch #123744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Feb 28, 2025
Merged

[Entitlements] Add a check for filesystem mismatch #123744

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f455917
check for filesystem mismatch
ldematte Feb 28, 2025
ae4472c
spotless
ldematte Feb 28, 2025
4d9b96f
lower logging level, check for write too
ldematte Feb 28, 2025
c37af7b
lower logging level
ldematte Feb 28, 2025
a6cc96c
Merge remote-tracking branch 'upstream/main' into entitlements/filesy…
ldematte Feb 28, 2025
34585ae
Merge branch 'main' into entitlements/filesystem-mismatch-check
ldematte Feb 28, 2025
e4e5576
iter
ldematte Feb 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions ...ntitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/FileAccessTree.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@

package org.elasticsearch.entitlement.runtime.policy;

import org.elasticsearch.core.Strings;
import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement.Mode;
import org.elasticsearch.logging.LogManager;
Expand Down Expand Up @@ -202,6 +203,7 @@ static String normalizePath(Path path) {
}

private boolean checkPath(String path, String[] paths) {
logger.debug(() -> Strings.format("checking [%s] against [%s]", path, String.join(",", paths)));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems more trace level? It could be extremely verbose?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I always mix them up! I will fix all 3 of them

if (paths.length == 0) {
return false;
}
Expand All @@ -219,6 +221,7 @@ private boolean checkPath(String path, String[] paths) {
}

private static boolean isParent(String maybeParent, String path) {
logger.debug(() -> Strings.format("checking isParent [%s] for [%s]", maybeParent, path));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this could log a lot.

return path.startsWith(maybeParent) && path.startsWith(FILE_SEPARATOR, maybeParent.length());
}

Expand Down
25 changes: 25 additions & 0 deletions ...entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@

package org.elasticsearch.entitlement.runtime.policy;

import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
Expand Down Expand Up @@ -61,6 +62,8 @@ public class PolicyManager {
static final String SERVER_COMPONENT_NAME = "(server)";
static final String APM_AGENT_COMPONENT_NAME = "(APM agent)";

static final Class<?> DEFAULT_FILESYSTEM_CLASS = PathUtils.getDefaultFileSystem().getClass();

/**
* @param componentName the plugin name; or else one of the special component names
* like {@link #SERVER_COMPONENT_NAME} or {@link #APM_AGENT_COMPONENT_NAME}.
Expand Down Expand Up @@ -305,7 +308,26 @@ public void checkFileRead(Class<?> callerClass, File file) {
checkFileRead(callerClass, file.toPath());
}

private static boolean isPathOnDefaultFilesystem(Path path) {
var pathFileSystemClass = path.getFileSystem().getClass();
if (path.getFileSystem().getClass() != DEFAULT_FILESYSTEM_CLASS) {
logger.debug(
() -> Strings.format(
"File entitlement trivially allowed: path [%s] is for a different FileSystem class [%s], default is [%s]",
path.toString(),
pathFileSystemClass.getName(),
DEFAULT_FILESYSTEM_CLASS.getName()
)
);
return false;
}
return true;
}

public void checkFileRead(Class<?> callerClass, Path path) {
if (isPathOnDefaultFilesystem(path) == false) {
return;
}
var requestingClass = requestingClass(callerClass);
if (isTriviallyAllowed(requestingClass)) {
return;
Expand All @@ -332,6 +354,9 @@ public void checkFileWrite(Class<?> callerClass, File file) {
}

public void checkFileWrite(Class<?> callerClass, Path path) {
if (isPathOnDefaultFilesystem(path) == false) {
return;
}
var requestingClass = requestingClass(callerClass);
if (isTriviallyAllowed(requestingClass)) {
return;
Expand Down