diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java index e59fb20a54861..aa8ab6aad4e17 100644 --- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java +++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/module-info.java @@ -18,4 +18,5 @@ requires java.logging; requires java.net.http; requires jdk.net; + requires java.desktop; } diff --git a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java index eb8e572b53532..2558b0acdba96 100644 --- a/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java +++ b/libs/entitlement/qa/entitlement-test-plugin/src/main/java/org/elasticsearch/entitlement/qa/test/FileCheckActions.java @@ -35,6 +35,8 @@ import java.util.zip.ZipException; import java.util.zip.ZipFile; +import javax.imageio.stream.FileImageInputStream; + import static java.nio.charset.Charset.defaultCharset; import static java.nio.file.StandardOpenOption.CREATE; import static java.nio.file.StandardOpenOption.WRITE; @@ -561,5 +563,13 @@ static void httpResponseBodySubscribersOfFile_FileOpenOptions_readOnly() { HttpResponse.BodySubscribers.ofFile(readFile(), CREATE, WRITE); } + @EntitlementTest(expectedAccess = ALWAYS_DENIED) + static void javaDesktopFileAccess() throws Exception { + // Test file access from a java.desktop class. We explicitly exclude that module from the "system modules", so we expect + // any sensitive operation from java.desktop to fail. + var file = EntitledActions.createTempFileForRead(); + new FileImageInputStream(file.toFile()).close(); + } + private FileCheckActions() {} } diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java index 931a8ba5d53fc..bed5d094b058e 100644 --- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java +++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java @@ -67,6 +67,8 @@ public class PolicyManager { static final Class DEFAULT_FILESYSTEM_CLASS = PathUtils.getDefaultFileSystem().getClass(); + static final Set MODULES_EXCLUDED_FROM_SYSTEM_MODULES = Set.of("java.desktop"); + /** * @param componentName the plugin name; or else one of the special component names * like {@link #SERVER_COMPONENT_NAME} or {@link #APM_AGENT_COMPONENT_NAME}. @@ -141,7 +143,13 @@ private static Set findSystemModules() { // entitlements is a "system" module, we can do anything from it Stream.of(PolicyManager.class.getModule()), // anything in the boot layer is also part of the system - ModuleLayer.boot().modules().stream().filter(m -> systemModulesDescriptors.contains(m.getDescriptor())) + ModuleLayer.boot() + .modules() + .stream() + .filter( + m -> systemModulesDescriptors.contains(m.getDescriptor()) + && MODULES_EXCLUDED_FROM_SYSTEM_MODULES.contains(m.getName()) == false + ) ).collect(Collectors.toUnmodifiableSet()); }