elastic · prdoyle · May 1, 2025
diff --git a/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/EvilSecurityTests.java b/qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/EvilSecurityTests.java
diff --git a/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java b/server/src/main/java/org/elasticsearch/bootstrap/Elasticsearch.java
@@ -41,7 +41,6 @@
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexVersion;
 import org.elasticsearch.jdk.JarHell;
-import org.elasticsearch.jdk.RuntimeVersionFeature;
 import org.elasticsearch.monitor.jvm.HotThreads;
 import org.elasticsearch.monitor.jvm.JvmInfo;
 import org.elasticsearch.monitor.os.OsProbe;
@@ -62,7 +61,6 @@
 import java.lang.reflect.InvocationTargetException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.Permission;
 import java.security.Security;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -77,7 +75,6 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static org.elasticsearch.bootstrap.BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING;
 import static org.elasticsearch.nativeaccess.WindowsFunctions.ConsoleCtrlHandler.CTRL_CLOSE_EVENT;
 
 /**
@@ -133,20 +130,6 @@ private static Bootstrap initPhase1() {
         final boolean useEntitlements = true;
         try {
             initSecurityProperties();
-
-            /*
-             * We want the JVM to think there is a security manager installed so that if internal policy decisions that would be based on
-             * the presence of a security manager or lack thereof act as if there is a security manager present (e.g., DNS cache policy).
-             * This forces such policies to take effect immediately.
-             */
-            if (useEntitlements == false && RuntimeVersionFeature.isSecurityManagerAvailable()) {
-                org.elasticsearch.bootstrap.Security.setSecurityManager(new SecurityManager() {
-                    @Override
-                    public void checkPermission(Permission perm) {
-                        // grant all permissions so that we can later set the security manager to the one that we want
-                    }
-                });
-            }
             LogConfigurator.registerErrorListener();
 
             BootstrapInfo.init();
@@ -242,61 +225,47 @@ private static void initPhase2(Bootstrap bootstrap) throws IOException {
 
         final PluginsLoader pluginsLoader;
 
-        if (bootstrap.useEntitlements()) {
-            LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements");
-
-            var pluginData = Stream.concat(
-                modulesBundles.stream()
-                    .map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)),
-                pluginsBundles.stream()
-                    .map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
-            ).toList();
-
-            var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
-            var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
-            var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
-                System.getProperty(SERVER_POLICY_PATCH_NAME),
-                Build.current().version(),
-                false,
-                "server",
-                PolicyManager.SERVER_LAYER_MODULES.stream().map(Module::getName).collect(Collectors.toUnmodifiableSet())
-            );
+        LogManager.getLogger(Elasticsearch.class).info("Bootstrapping Entitlements");
+
+        var pluginData = Stream.concat(
+            modulesBundles.stream()
+                .map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), false)),
+            pluginsBundles.stream().map(bundle -> new PolicyUtils.PluginData(bundle.getDir(), bundle.pluginDescriptor().isModular(), true))
+        ).toList();
+
+        var pluginPolicyPatches = collectPluginPolicyPatches(modulesBundles, pluginsBundles, logger);
+        var pluginPolicies = PolicyUtils.createPluginPolicies(pluginData, pluginPolicyPatches, Build.current().version());
+        var serverPolicyPatch = PolicyUtils.parseEncodedPolicyIfExists(
+            System.getProperty(SERVER_POLICY_PATCH_NAME),
+            Build.current().version(),
+            false,
+            "server",
+            PolicyManager.SERVER_LAYER_MODULES.stream().map(Module::getName).collect(Collectors.toUnmodifiableSet())
+        );
 
-            pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));
-
-            var scopeResolver = ScopeResolver.create(pluginsLoader.pluginLayers(), APM_AGENT_PACKAGE_NAME);
-            Map<String, Path> sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
-                .collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir));
-            EntitlementBootstrap.bootstrap(
-                serverPolicyPatch,
-                pluginPolicies,
-                scopeResolver::resolveClassToScope,
-                nodeEnv.settings()::getValues,
-                nodeEnv.dataDirs(),
-                nodeEnv.repoDirs(),
-                nodeEnv.configDir(),
-                nodeEnv.libDir(),
-                nodeEnv.modulesDir(),
-                nodeEnv.pluginsDir(),
-                sourcePaths,
-                nodeEnv.logsDir(),
-                nodeEnv.tmpDir(),
-                args.pidFile(),
-                Set.of(EntitlementSelfTester.class)
-            );
-            EntitlementSelfTester.entitlementSelfTest();
-        } else {
-            assert RuntimeVersionFeature.isSecurityManagerAvailable();
-            // no need to explicitly enable native access for legacy code
-            pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, Map.of());
-            // install SM after natives, shutdown hooks, etc.
-            LogManager.getLogger(Elasticsearch.class).info("Bootstrapping java SecurityManager");
-            org.elasticsearch.bootstrap.Security.configure(
-                nodeEnv,
-                SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(args.nodeSettings()),
-                args.pidFile()
-            );
-        }
+        pluginsLoader = PluginsLoader.createPluginsLoader(modulesBundles, pluginsBundles, findPluginsWithNativeAccess(pluginPolicies));
+
+        var scopeResolver = ScopeResolver.create(pluginsLoader.pluginLayers(), APM_AGENT_PACKAGE_NAME);
+        Map<String, Path> sourcePaths = Stream.concat(modulesBundles.stream(), pluginsBundles.stream())
+            .collect(Collectors.toUnmodifiableMap(bundle -> bundle.pluginDescriptor().getName(), PluginBundle::getDir));
+        EntitlementBootstrap.bootstrap(
+            serverPolicyPatch,
+            pluginPolicies,
+            scopeResolver::resolveClassToScope,
+            nodeEnv.settings()::getValues,
+            nodeEnv.dataDirs(),
+            nodeEnv.repoDirs(),
+            nodeEnv.configDir(),
+            nodeEnv.libDir(),
+            nodeEnv.modulesDir(),
+            nodeEnv.pluginsDir(),
+            sourcePaths,
+            nodeEnv.logsDir(),
+            nodeEnv.tmpDir(),
+            args.pidFile(),
+            Set.of(EntitlementSelfTester.class)
+        );
+        EntitlementSelfTester.entitlementSelfTest();
 
         bootstrap.setPluginsLoader(pluginsLoader);
     }