From 5246408a3c8e4f27badc57834c6757a79e0edc95 Mon Sep 17 00:00:00 2001
From: Tim Brooks <tim@uncontended.net>
Date: Fri, 13 Jan 2017 14:36:45 -0600
Subject: [PATCH 1/4] Remove accept from core

---
 .../resources/org/elasticsearch/bootstrap/security.policy     | 2 +-
 .../org/elasticsearch/bootstrap/test-framework.policy         | 4 ++++
 .../src/main/plugin-metadata/plugin-security.policy           | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
index 07ce6663505be..fec8476fb16af 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/security.policy
@@ -56,7 +56,7 @@ grant {
   permission org.elasticsearch.SpecialPermission;
 
   // Allow connecting to the internet anywhere
-  permission java.net.SocketPermission "*", "accept,connect,resolve";
+  permission java.net.SocketPermission "*", "connect,resolve";
 
   // Allow read access to all system properties
   permission java.util.PropertyPermission "*", "read";
diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
index 43fbe43f220f4..4cca1ed3a643c 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -33,6 +33,10 @@ grant codeBase "${codebase.securemock-1.2.jar}" {
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
 
+grant codeBase "${codebase.mocksocket-1.1.jar}" {
+  permission java.net.SocketPermission "*", "accept";
+};
+
 grant codeBase "${codebase.lucene-test-framework-6.4.0-snapshot-084f7a0.jar}" {
   // needed by RamUsageTester
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
index 491df4e28ea40..a3bd00a29cc73 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -17,6 +17,10 @@
  * under the License.
  */
 
+ grant {
+   permission java.net.SocketPermission "*", "accept";
+ };
+
 grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" {
    // for reading the system-wide configuration for the backlog of established sockets
    permission java.io.FilePermission "/proc/sys/net/core/somaxconn", "read";

From 0a3e47328d1f6b8d2a4c5d6eb4731e74a5ec5dc5 Mon Sep 17 00:00:00 2001
From: Tim Brooks <tim@uncontended.net>
Date: Fri, 13 Jan 2017 16:48:34 -0600
Subject: [PATCH 2/4] Give reindex accept permission

---
 .../plugin-metadata/plugin-security.policy    | 23 +++++++++++++++++++
 .../plugin-metadata/plugin-security.policy    |  4 ++--
 2 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 modules/reindex/src/main/plugin-metadata/plugin-security.policy

diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
new file mode 100644
index 0000000000000..6b18a39df7bdf
--- /dev/null
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
@@ -0,0 +1,23 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+grant {
+   permission java.net.SocketPermission "*", "accept";
+};
+
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
index a3bd00a29cc73..d7bbfd9443a9f 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -17,9 +17,9 @@
  * under the License.
  */
 
- grant {
+grant {
    permission java.net.SocketPermission "*", "accept";
- };
+};
 
 grant codeBase "${codebase.netty-common-4.1.7.Final.jar}" {
    // for reading the system-wide configuration for the backlog of established sockets

From c20759f48804eb296d9aea465b1152b60d552893 Mon Sep 17 00:00:00 2001
From: Tim Brooks <tim@uncontended.net>
Date: Fri, 13 Jan 2017 17:13:10 -0600
Subject: [PATCH 3/4] Add comments

---
 .../org/elasticsearch/bootstrap/test-framework.policy    | 9 +++++----
 .../src/main/plugin-metadata/plugin-security.policy      | 1 +
 .../src/main/plugin-metadata/plugin-security.policy      | 1 +
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
index 4cca1ed3a643c..795800007a9cc 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -33,10 +33,6 @@ grant codeBase "${codebase.securemock-1.2.jar}" {
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };
 
-grant codeBase "${codebase.mocksocket-1.1.jar}" {
-  permission java.net.SocketPermission "*", "accept";
-};
-
 grant codeBase "${codebase.lucene-test-framework-6.4.0-snapshot-084f7a0.jar}" {
   // needed by RamUsageTester
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
@@ -66,3 +62,8 @@ grant codeBase "${codebase.junit-4.11.jar}" {
   // needed for TestClass creation
   permission java.lang.RuntimePermission "accessDeclaredMembers";
 };
+
+grant codeBase "${codebase.mocksocket-1.1.jar}" {
+  // mocksocket accepts socket connections
+  permission java.net.SocketPermission "*", "accept";
+};
diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
index 6b18a39df7bdf..0df3cab3fb346 100644
--- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
@@ -18,6 +18,7 @@
  */
 
 grant {
+   // transport module is used in tests and accepts socket connections
    permission java.net.SocketPermission "*", "accept";
 };
 
diff --git a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
index d7bbfd9443a9f..1118675817c51 100644
--- a/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-netty4/src/main/plugin-metadata/plugin-security.policy
@@ -18,6 +18,7 @@
  */
 
 grant {
+   // netty accepts socket connections
    permission java.net.SocketPermission "*", "accept";
 };
 

From 1647a2be4d4e499133d79fbc8436c07424dd0816 Mon Sep 17 00:00:00 2001
From: Tim Brooks <tim@uncontended.net>
Date: Thu, 19 Jan 2017 10:31:52 -0600
Subject: [PATCH 4/4] Remove unneeded permissions and security file

---
 .../plugin-metadata/plugin-security.policy    | 24 -------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 modules/reindex/src/main/plugin-metadata/plugin-security.policy

diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
deleted file mode 100644
index 0df3cab3fb346..0000000000000
--- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Licensed to Elasticsearch under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-grant {
-   // transport module is used in tests and accepts socket connections
-   permission java.net.SocketPermission "*", "accept";
-};
-