Remove accept SocketPermissions from core (#22622)

This is related to #22116. Core no longer needs SocketPermission accept. This permission is relegated to the transport-netty4 module and (for tests) to the mocksocket jar.
elastic · Jan 20, 2017 · bc16162 · bc16162
1 parent 239ed0c
commit bc16162
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -56,7 +56,7 @@ grant {
   permission org.elasticsearch.SpecialPermission;
 
   // Allow connecting to the internet anywhere
-  permission java.net.SocketPermission "*", "accept,connect,resolve";
+  permission java.net.SocketPermission "*", "connect,resolve";
 
   // Allow read access to all system properties
   permission java.util.PropertyPermission "*", "read";

diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -62,3 +62,8 @@ grant codeBase "${codebase.junit-4.11.jar}" {
   // needed for TestClass creation
   permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
+
+grant codeBase "${codebase.mocksocket-1.1.jar}" {
+  // mocksocket accepts socket connections
+  permission java.net.SocketPermission "*", "accept";
+};
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -17,6 +17,11 @@
  * under the License.
  */
 
+grant {
+   // netty accepts socket connections
+   permission java.net.SocketPermission "*", "accept";
+};
+
 grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" {
    // for reading the system-wide configuration for the backlog of established sockets
    permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";