From 3c498b108bc051cd4fea573b61b4cbfc3f171c97 Mon Sep 17 00:00:00 2001
From: Chris Hegarty <62058229+ChrisHegarty@users.noreply.github.com>
Date: Thu, 16 Sep 2021 08:33:24 +0100
Subject: [PATCH 1/2] Laxify SecureSM to allow creation of the JDK's innocuous threads (#77789)
Co-authored-by: Elastic Machine
---
 .../main/java/org/elasticsearch/secure_sm/SecureSM.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
index 67505c2da556d..a21e2ea764859 100644
--- a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
+++ b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
@@ -153,6 +153,12 @@ private void debugThreadGroups(final ThreadGroup caller, final ThreadGroup targe
 private static final Permission MODIFY_THREAD_PERMISSION = new RuntimePermission("modifyThread");
 private static final Permission MODIFY_ARBITRARY_THREAD_PERMISSION = new ThreadPermission("modifyArbitraryThread");
 
+ // Returns true if the given thread is an instance of the JDK's InnocuousThread.
+ private static boolean isInnocuousThread(Thread t) {
+ final Class c = t.getClass();
+ return c.getModule() == Object.class.getModule() && c.getName().equals("jdk.internal.misc.InnocuousThread");
+ }
+
 protected void checkThreadAccess(Thread t) {
 Objects.requireNonNull(t);
 
@@ -165,7 +171,7 @@ protected void checkThreadAccess(Thread t) {
 
 if (target == null) {
 return; // its a dead thread, do nothing.
- } else if (source.parentOf(target) == false) {
+ } else if (source.parentOf(target) == false && isInnocuousThread(t) == false) {
 checkPermission(MODIFY_ARBITRARY_THREAD_PERMISSION);
 }
 }
From 6e67a5b115cdd9a342f3cd851558e96f3b2f28dd Mon Sep 17 00:00:00 2001
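Review bot: `isInnocuousThread` declares `final Class c` as a raw type; `final Class<?> c = t.getClass();` behaves the same without the raw-type warning. The comment above the helper says what it returns but not why a match may be trusted. I would extend it with something like `// Exact-class match on a class that belongs to java.base, so an application-defined Thread subclass with the same name does not match.` This commit changes one file only, so a test asserting that an ordinary Thread subclass yields false would pin the behaviour.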
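Review bot: The added `isInnocuousThread(t) == false` clause in `checkThreadAccess` keys the exemption on the target thread's class only, so it covers every operation that reaches this check, not just the thread creation named in the subject line. A caller that passes the earlier checks can then act on an InnocuousThread outside its own thread group without `modifyArbitraryThread`. If that is intended, the branch should say so, e.g. `// JDK InnocuousThreads are deliberately not gated by modifyArbitraryThread; see isInnocuousThread`. The start of `checkThreadAccess`, including how `source` and `target` are obtained, lies outside this hunk, so whether the `modifyThread` check still runs first cannot be confirmed from here.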
From: Przemyslaw Gomulka
Date: Wed, 23 Nov 2022 15:11:44 +0100
Subject: [PATCH 2/2] change the check for jdk.base codebase. jdk8 does not know about modules
---
 .../src/main/java/org/elasticsearch/secure_sm/SecureSM.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
index a21e2ea764859..0daf7b3622b38 100644
--- a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
+++ b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java
@@ -156,7 +156,7 @@ private void debugThreadGroups(final ThreadGroup caller, final ThreadGroup targe
 // Returns true if the given thread is an instance of the JDK's InnocuousThread.
 private static boolean isInnocuousThread(Thread t) {
 final Class c = t.getClass();
- return c.getModule() == Object.class.getModule() && c.getName().equals("jdk.internal.misc.InnocuousThread");
+ return c.getClassLoader() == null && c.getName().equals("jdk.internal.misc.InnocuousThread");
 }
 
 protected void checkThreadAccess(Thread t) {
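Review bot: The name compared in `isInnocuousThread` is still `jdk.internal.misc.InnocuousThread`, a package that as far as I know does not exist on JDK 8, where the class lives in `sun.misc`. The method now compiles there but would always return false, so the exemption appears to be inert on the JDK this commit targets. If that is intended, the comment above the method should say so; otherwise the name check needs a JDK 8 variant. Separately, testing the name first, `return c.getName().equals("jdk.internal.misc.InnocuousThread") && c.getClassLoader() == null;`, avoids calling `getClassLoader()` on arbitrary thread classes from inside the security manager, where the call can itself trigger a `getClassLoader` permission check for classes from unrelated loaders.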