-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only grant connect,accept
permissions to transport-netty4
#22116
Comments
+1 In general Netty needs some love with respect to handling the security manager correctly so we'll have some work to do here. |
I've been able to make the modifications to netty necessary to move the "accept" permission to the transport plugin and get the transport and core tests passing (with creation of a mocksocket jar). I've had some issues with the azure plugin. That plugin uses com.sun.net.httpserver.HttpsServer for running some tests. it appears to me that HttpsServer is not calling doPriviledge when accepting connections.
|
@tbrooks8 amazing progress, would you mind linking the netty PRs / issues with this issue so we can track them. Also for all core changes can you make sure you open smallish PRs if possible?
that is super annoying. I am not 100% sure what we can do about this, I think first of all we gotta fix it in the JDK such that down the road we can remove whatever hack we add here. |
I push the work that I have completed on the mocksocket here: https://github.com/elastic/mocksocket I have opened a Netty PR (netty/netty#6146) I will start making PRs to ES as I split up the work. |
cool stuff - can you make the |
I have opened a PR to integrate mocksocket into ElasticSearch. And replace raw usages of Sockets and ServerSockets in the ES tests. |
Based on the discussion in the status meeting today, I investigated applying permissions based on files opposed to a separate jar. So I migrated
With that change, any tests involving the This approach seems to provide a way forward. Although my approach is certainly naive and hardcoded. I'm not immediately clear on what approach to take in order to make this solution robust. I see that we currently parse the classpath and build up some system properties. Currently this works pretty well for jars. However, in the case of our code it is constantly rewriting the So when you run the "core" tests the following codebases are parsed:
And for discovery-azure-classic plugin tests:
Our method of parsing the "shortName" means that the property will be I could work on implementing proper handling of this. Such as parsing these into:
Those system properties could be accessed in security policy files to give certain packages permissions. Maybe this is not the easiest way forward? It's entirely possible that I missing a better way of doing this. Also - I'm not sure what implications those changes would have for the distribution (when all the packages / modules are different jars). |
++ this sounds like a plan @tbrooks8
I think that will be fine since we don't use this in distribution. Our tests will catch if something is wrong since they use the real zip / tar.gz |
I've spiked on this here. I've been learning more about the
combined with:
allows all of the tests for those packages to pass. There are a few things about this that are kind of ugly. If you run the tests in an IDE (like IntelliJ) the main classes remain in directories. If you run the tests using Gradle the main classes are placed in an JAR. This means that for test "framework" you must use two permissions for
I think that tomorrow I should explore moving the starting of the HTTPS and HTTP servers to the MockSocket JAR. And if that works then we should still be able to isolate all |
Updates:
|
I've started exploring what is involved in removing Here are some preliminary findings:
So maybe these classes (or some of the code) will need to be moved to a dependency? Or something else? As Simon pointed out various plugins (ec2, etc) will need permissions granted to a number of their dependencies (EC2Client, etc). I have not figured out complete lists of these yet. |
For
yeah I think all the repositories need resolve an connect granted. |
@s1monw I do not know if moving |
+1 |
As a quick update - it does appear that if I grant permissions to a plugin, that does successfully grant permissions to all of the dependency jars. So after I add the However, I identified a few other issues. In two places in core we currently need connect/resolve. In Thoughts? Maybe this is similar to the |
This is related to elastic#22116. A logIfNecessary() call makes a call to NetworkInterface.getInterfaceAddresses() requiring SocketPermission connect privileges. By moving this to bootstrap the logging call can be made before installing the SecurityManager.
hmm I am starting to think maybe removing |
This is related to #22116. A logIfNecessary() call makes a call to NetworkInterface.getInterfaceAddresses() requiring SocketPermission connect privileges. By moving this to bootstrap the logging call can be made before installing the SecurityManager.
I opened #22534 to wrap the |
This is related to elastic#22116. netty channels require socket `connect` and `accept` privileges. Netty does not currently wrap these operations with `doPrivileged` blocks. These changes extend the netty channels and wrap calls to the relevant super methods in doPrivileged blocks.
|
this might happen here? |
Yep. I agree that looks like a connect. Thanks. I must of missed that. |
This is related to #22116. netty channels require socket `connect` and `accept` privileges. Netty does not currently wrap these operations with `doPrivileged` blocks. These changes extend the netty channels and wrap calls to the relevant super methods in doPrivileged blocks.
This is related to #22116. A number of modules (reindex, etc) use the rest client. The rest client opens connections using the apache http client. To avoid throwing SecurityException when using the SecurityManager these operations must be privileged. This is tricky because connections are opened within the httpclient code on its reactor thread. The way I confronted this was to wrap the creation of the client (and creation of reactor thread) in a doPrivileged block. The new thread inherits the existing security context.
This is related to #22116. Certain plugins (discovery-azure-classic, discovery-ec2, discovery-gce, repository-azure, repository-gcs, and repository-s3) open socket connections. As SocketPermissions are transitioned out of core, these plugins will require connect permission. This pull request wraps operations that require these permissions in doPrivileged blocks.
I've looked into what is involved in moving @s1monw suggested that I move both of the core
And the functionality seems to depend on I guess there are a couple of options:
Also - should this be completed in multiple PRs? Like an initial PR that moves |
ok I think we start with URLRepository and take it from there? I didn't see how much FSRepo was involved here so sorry for pushing that direction. The cleanups would be nice but lets focus on the connect/accept permissions for now. |
This is related to #22116. Core no longer needs SocketPermission accept. This permission is relegated to the transport-netty4 module and (for tests) to the mocksocket jar.
This is related to #22116. URLRepository requires SocketPermission connect. This commit introduces a new module called "repository-url" where URLRepository will reside. With the new module, permissions can be removed from core.
This is related to elastic#22116. Core no longer needs `SocketPermission` `connect`. This permission is relegated to these modules/plugins: - transport-netty4 module - reindex module - repository-url module - discovery-azure-classic plugin - discovery-ec2 plugin - discovery-gce plugin - repository-azure plugin - repository-gcs plugin - repository-hdfs plugin - repository-s3 plugin And for tests: - mocksocket jar - rest client - httpcore-nio jar - httpasyncclient jar
I opened the PR #22797 that should removed |
) This is related to #22116. The repository-hdfs plugin opens socket connections. As SocketPermission is transitioned out of core, hdfs will require connect permission. This pull request wraps operations that require this permission in doPrivileged blocks.
This is related to #22116. Core no longer needs `SocketPermission` `connect`. This permission is relegated to these modules/plugins: - transport-netty4 module - reindex module - repository-url module - discovery-azure-classic plugin - discovery-ec2 plugin - discovery-gce plugin - repository-azure plugin - repository-gcs plugin - repository-hdfs plugin - repository-s3 plugin And for tests: - mocksocket jar - rest client - httpcore-nio jar - httpasyncclient jar
As part of #22116 we are going to forbid usage of api java.net.URL#openStream(). However in a number of places across the we use this method to read files from the local filesystem. This commit introduces a helper method openFileURLStream(URL url) to read files from URLs. It does specific validation to only ensure that file:/ urls are read. Additionlly, this commit removes unneeded method FileSystemUtil.newBufferedReader(URL, Charset). This method used the openStream () method which will soon be forbidden. Instead we use the Files.newBufferedReader(Path, Charset).
This is related to #22116. This commit adds calls that require SocketPermission connect to forbidden APIs. The following calls are now forbidden: - java.net.URL#openStream() - java.net.URLConnection#connect() - java.net.URLConnection#getInputStream() - java.net.Socket#connect(java.net.SocketAddress) - java.net.Socket#connect(java.net.SocketAddress, int) - java.nio.channels.SocketChannel#open(java.net.SocketAddress) - java.nio.channels.SocketChannel#connect(java.net.SocketAddress)
@tbrooks8 I think we are done here... congrats! |
Closing as everything has been merged. |
Today we still grant a quite scary permission to core:
But since we now have netty4 moved to a module we can potentially move this to into the modules security policy. Yet, there are a bunch of things that needs fixing until we can do that:
accept,connect
to the test-framework we might run into trouble since our tests will just inherit that permission ie. if unit and pseudo integ-tests are run since we don't grant this to a codebase. We might want to add some kind ofMockSocket
project just like SecureMock that we can grant this permission to and where we can depend on for testing.doPrivileged
blocks that needs fixingaccept
from the list.here is an example of a missing
doPrivileged
block ie here:The text was updated successfully, but these errors were encountered: