Reintroduce entitlement check on System.exit (#119757) (#119782)
ldematte authored Jan 9, 2025
1 parent 0a0dac3 commit f8cddd0
Showing 3 changed files with 13 additions and 0 deletions.
@@ -37,6 +37,8 @@ public interface EntitlementChecker {

void check$java_lang_Runtime$halt(Class<?> callerClass, Runtime runtime, int status);

void check$java_lang_System$$exit(Class<?> callerClass, int status);

////////////////////
//
// ClassLoader ctor
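Review bot: The `$$` in `check$java_lang_System$$exit` is not explained in the visible lines, while `check$java_lang_Runtime$halt` just above uses a single `$` and takes the receiver as a parameter. If the double `$` marks a static target, as the missing receiver parameter suggests, a Javadoc line on the method such as `/** Static target: System.exit(int); "$$" marks a static method, so no receiver argument. */` would help. This matters because a mistyped name presumably means the instrumentation never binds the check and the call goes unchecked. The interface body starts and ends outside the hunk, so the convention may already be documented there.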
@@ -83,6 +83,7 @@ static CheckAction alwaysDenied(Runnable action) {
private static final Map<String, CheckAction> checkActions = Map.ofEntries(
entry("runtime_exit", deniedToPlugins(RestEntitlementsCheckAction::runtimeExit)),
entry("runtime_halt", deniedToPlugins(RestEntitlementsCheckAction::runtimeHalt)),
entry("system_exit", deniedToPlugins(RestEntitlementsCheckAction::systemExit)),
entry("create_classloader", forPlugins(RestEntitlementsCheckAction::createClassLoader)),
entry("processBuilder_start", deniedToPlugins(RestEntitlementsCheckAction::processBuilder_start)),
entry("processBuilder_startPipeline", deniedToPlugins(RestEntitlementsCheckAction::processBuilder_startPipeline)),
@@ -153,6 +154,11 @@ private static void runtimeHalt() {
Runtime.getRuntime().halt(123);
}

@SuppressForbidden(reason = "Specifically testing System.exit")
private static void systemExit() {
System.exit(123);
}

private static void createClassLoader() {
try (var classLoader = new URLClassLoader("test", new URL[0], RestEntitlementsCheckAction.class.getClassLoader())) {
logger.info("Created URLClassLoader [{}]", classLoader.getName());
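Review bot: `systemExit()` passes the same status `123` that `runtimeHalt()` passes to `halt`, so if the denial ever regresses and the test node goes down, the exit status does not say which call got through. A distinct status per action, for example `System.exit(124);` (constructed value), would make such a failure easier to triage. Alternatively, a comment such as `// expected to be rejected by the entitlement check before the JVM exits` would state the intent. The `checkActions` map continues outside the first hunk of this file.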
@@ -51,6 +51,11 @@ public ElasticsearchEntitlementChecker(PolicyManager policyManager) {
policyManager.checkExitVM(callerClass);
}

@Override
public void check$java_lang_System$$exit(Class<?> callerClass, int status) {
policyManager.checkExitVM(callerClass);
}

@Override
public void check$java_lang_ClassLoader$(Class<?> callerClass) {
policyManager.checkCreateClassLoader(callerClass);
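Review bot: The new `check$java_lang_System$$exit` override carries no comment saying why `System.exit` needs its own check, although the method body just above it makes the identical `policyManager.checkExitVM(callerClass)` call. The commit title says the check is being reintroduced, so it was presumably removed once as redundant. If the reason is that a call arriving through `System.exit` would present `java.lang.System` rather than the plugin class as the caller at the `Runtime.exit` check (an inference, since caller resolution is not visible here), a comment would protect it from the next cleanup: `// System.exit delegates to Runtime.exit; checked here so the real caller, not java.lang.System, is evaluated`. The `status` argument is unused; that is fine if exit is allowed or denied regardless of status, but worth stating in the same comment.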