Add missing APM entitlements (#123462)

Lorenzo Dematté 2025-03-04 08:32:59 +01:00 committed by GitHub
parent 4d2cb53ed7
commit c663e3ded8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 5 additions and 11 deletions


@ -34,6 +34,7 @@ import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEn
import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;
import java.lang.instrument.Instrumentation;
import java.lang.reflect.Constructor;
@ -262,15 +263,17 @@ public class EntitlementInitialization {
var serverPolicy = new Policy("server", serverScopes);
// agents run without a module, so this is a special hack for the apm agent
// this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
// See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
List<Entitlement> agentEntitlements = List.of(
new CreateClassLoaderEntitlement(),
new ManageThreadsEntitlement(),
new SetHttpsConnectionPropertiesEntitlement(),
new OutboundNetworkEntitlement(),
new WriteSystemPropertiesEntitlement(Set.of("AsyncProfiler.safemode")),
new LoadNativeLibrariesEntitlement(),
new FilesEntitlement(
List.of(
FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ),
FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
FileData.ofPath(Path.of("/proc/meminfo"), READ),
FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
)
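Review bot: `agentEntitlements` gives the module-less APM agent `new LoadNativeLibrariesEntitlement()` and `new OutboundNetworkEntitlement()` with no parameters, and nothing in the list records why each grant is needed, so a later reader cannot tell which entries can be dropped once issue 109335 is done. A short why-comment per entry would fix that, for example `// the agent may write only AsyncProfiler.safemode; widen this set deliberately, not by default` above the `WriteSystemPropertiesEntitlement` line. The `// See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml` pointer also needs a check. The second file in this commit appears to be that YAML and appears to drop its `elastic.apm.agent` scope (the hunk shrinks from 9 lines to 3), so the comment should say the agent's grants are declared only in this list. The +/- markers are lost on this page, so which lines are new is inferred from the hunk headers, and the enclosing method starts and ends outside the hunk.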


@ -83,9 +83,3 @@ org.elasticsearch.telemetry.apm:
- elastic.apm.application_packages
- elastic.apm.stack_trace_limit
- elastic.apm.span_stack_trace_min_duration
elastic.apm.agent:
- set_https_connection_properties
- write_system_properties:
properties:
- AsyncProfiler.safemode
- load_native_libraries


@ -290,9 +290,6 @@ tests:
- class: org.elasticsearch.xpack.esql.heap_attack.HeapAttackIT
method: testEnrichExplosionManyMatches
issue: https://github.com/elastic/elasticsearch/issues/122913
- class: org.elasticsearch.test.apmintegration.TracesApmIT
method: testApmIntegration
issue: https://github.com/elastic/elasticsearch/issues/122129
- class: org.elasticsearch.repositories.gcs.GoogleCloudStorageServiceTests
method: testClientsAreNotSharedAcrossRepositories
issue: https://github.com/elastic/elasticsearch/issues/123090