Skip to content

Grant manage_threads to java.desktop for Tika #134454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Sep 11, 2025
Merged

Grant manage_threads to java.desktop for Tika #134454

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9b33eb5
Grant manage_threads to java.desktop for Tika
prdoyle Sep 10, 2025
32c353c
Merge branch 'main' into disposer-entitlements
prdoyle Sep 10, 2025
51f3d85
Produce a PolicyScope for excluded system modules.
prdoyle Sep 10, 2025
135d74b
TODO with Jira link
prdoyle Sep 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion ...itlement/src/main/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlements.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,13 @@ private static List<Scope> createServerEntitlements(Path pidFile) {
new FilesEntitlement(serverModuleFileDatas)
)
),
new Scope("java.desktop", List.of(new LoadNativeLibrariesEntitlement())),
new Scope(
"java.desktop",
List.of(
new LoadNativeLibrariesEntitlement(),
new ManageThreadsEntitlement() // For sun.java2d.Disposer
)
),
new Scope(
"java.xml",
List.of(
Expand Down
2 changes: 1 addition & 1 deletion ...entitlement/src/main/java/org/elasticsearch/entitlement/runtime/policy/PolicyManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ public enum ComponentKind {
* If this kind corresponds to a single component, this is that component's name;
* otherwise null.
*/
final String componentName;
public final String componentName;

ComponentKind(String componentName) {
this.componentName = componentName;
Expand Down
33 changes: 33 additions & 0 deletions ...ent/src/test/java/org/elasticsearch/entitlement/bootstrap/HardcodedEntitlementsTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/

package org.elasticsearch.entitlement.bootstrap;

import org.elasticsearch.test.ESTestCase;
import org.elasticsearch.test.ESTestCase.WithEntitlementsOnTestCode;

import java.io.ByteArrayInputStream;

import javax.imageio.stream.MemoryCacheImageInputStream;

import static java.nio.charset.StandardCharsets.UTF_8;

@WithEntitlementsOnTestCode
public class HardcodedEntitlementsTests extends ESTestCase {

/**
* The Tika library can do some things we don't ordinarily want to allow.
* <p>
* Note that {@link MemoryCacheImageInputStream} doesn't even use {@code Disposer} in JDK 26,
* so it's an open question how much effort this deserves.
*/
public void testTikaPDF() {
new MemoryCacheImageInputStream(new ByteArrayInputStream("test test".getBytes(UTF_8)));
}
}
12 changes: 11 additions & 1 deletion test/framework/src/main/java/org/elasticsearch/bootstrap/TestScopeResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,24 @@

import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ALL_UNNAMED;
import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.PLUGIN;
import static org.elasticsearch.entitlement.runtime.policy.PolicyManager.ComponentKind.SERVER;

public record TestScopeResolver(Map<String, PolicyManager.PolicyScope> scopeMap) {

private static final Logger logger = LogManager.getLogger(TestScopeResolver.class);

PolicyManager.PolicyScope getScope(Class<?> callerClass) {
var callerCodeSource = callerClass.getProtectionDomain().getCodeSource();
assert callerCodeSource != null;
if (callerCodeSource == null) {
// This case happens for JDK modules. Usually those are trivially allowed, but some are excluded,
// and those end up here.
// We have no test build info for those modules, so for now, let's just guess.
if (callerClass.getPackageName().equals("sun.java2d")) {
return new PolicyManager.PolicyScope(SERVER, SERVER.componentName, "java.desktop");
} else {
throw new IllegalArgumentException("Cannot identify scope for JDK class [" + callerClass + "]");
}
}

var location = callerCodeSource.getLocation().toString();
var scope = scopeMap.get(location);
Expand Down
4 changes: 4 additions & 0 deletions ...amework/src/main/java/org/elasticsearch/entitlement/runtime/policy/TestPolicyManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,10 @@ public final void clearModuleEntitlementsCache() {

@Override
protected boolean isTrustedSystemClass(Class<?> requestingClass) {
if (requestingClass.getPackageName().startsWith("sun.java2d")) {
// This is part of the java.desktop module
return false;
}
ClassLoader loader = requestingClass.getClassLoader();
return loader == null || loader == ClassLoader.getPlatformClassLoader();
}
Expand Down