github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-24 23:27:25 -04:00
Code Issues Projects Releases Packages Wiki Activity

Reintroduce entitlement check on System.exit (#119757)

Browse source
This commit is contained in:
Lorenzo Dematté 2025-01-08 18:30:07 +01:00 committed by GitHub
parent b34e278e8b
commit 78890e9312
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
libs/entitlement/bridge/src/main/java/org/elasticsearch/entitlement/bridge/EntitlementChecker.java
View file

@ -37,6 +37,8 @@ public interface EntitlementChecker {
void check$java_lang_Runtime$halt(Class<?> callerClass, Runtime runtime, int status);
void check$java_lang_System$$exit(Class<?> callerClass, int status);
////////////////////
//
// ClassLoader ctor

6
libs/entitlement/qa/common/src/main/java/org/elasticsearch/entitlement/qa/common/RestEntitlementsCheckAction.java
View file

@ -83,6 +83,7 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
private static final Map<String, CheckAction> checkActions = Map.ofEntries(
entry("runtime_exit", deniedToPlugins(RestEntitlementsCheckAction::runtimeExit)),
entry("runtime_halt", deniedToPlugins(RestEntitlementsCheckAction::runtimeHalt)),
entry("system_exit", deniedToPlugins(RestEntitlementsCheckAction::systemExit)),
entry("create_classloader", forPlugins(RestEntitlementsCheckAction::createClassLoader)),
entry("processBuilder_start", deniedToPlugins(RestEntitlementsCheckAction::processBuilder_start)),
entry("processBuilder_startPipeline", deniedToPlugins(RestEntitlementsCheckAction::processBuilder_startPipeline)),
@ -153,6 +154,11 @@ public class RestEntitlementsCheckAction extends BaseRestHandler {
Runtime.getRuntime().halt(123);
}
@SuppressForbidden(reason = "Specifically testing System.exit")
private static void systemExit() {
System.exit(123);
}
private static void createClassLoader() {
try (var classLoader = new URLClassLoader("test", new URL[0], RestEntitlementsCheckAction.class.getClassLoader())) {
logger.info("Created URLClassLoader [{}]", classLoader.getName());

5
libs/entitlement/src/main/java/org/elasticsearch/entitlement/runtime/api/ElasticsearchEntitlementChecker.java
View file

@ -51,6 +51,11 @@ public class ElasticsearchEntitlementChecker implements EntitlementChecker {
policyManager.checkExitVM(callerClass);
}
@Override
public void check$java_lang_System$$exit(Class<?> callerClass, int status) {
policyManager.checkExitVM(callerClass);
}
@Override
public void check$java_lang_ClassLoader$(Class<?> callerClass) {
policyManager.checkCreateClassLoader(callerClass);