Entitlements for System.exit (elastic#114015)
* Entitlements for System.exit

* Respond to Simon's comments

* Rename trampoline -> bridge

* Require exactly one bridge jar

* Use Type helpers to generate descriptor strings

* Various cleanup from PR comments

* Remove null "receiver" for static methods

* Use List<Type> instead of voidDescriptor

* Clarifying comment

* Whoops, getMethod

* SuppressForbidden System.exit

* Spotless

* Use embedded provider plugin to keep ASM off classpath

* Oops... forgot the punchline

* Move ASM license to impl

* Use ProviderLocator and simplify bridgeJar logic

* Avoid eager resolution of configurations during task configuration

* Remove compile-time dependency agent->bridge

---------

Co-authored-by: Mark Vieira <[email protected]>
prdoyle and mark-vieira authored Oct 9, 2024
1 parent cd0f9a4 commit 3953331
Showing 30 changed files with 764 additions and 33 deletions.
2 changes: 1 addition & 1 deletion distribution/tools/entitlement-agent/README.md
@@ -1,6 +1,6 @@
### Entitlement Agent

This is a java agent that instruments sensitive class library methods with calls into the `entitlement-runtime` module to check for permissions granted under the _entitlements_ system.
This is a java agent that instruments sensitive class library methods with calls into the `entitlement-bridge` module to check for permissions granted under the _entitlements_ system.

The entitlements system provides an alternative to the legacy `SecurityManager` system, which is deprecated for removal.
With this agent, the Elasticsearch server can retain some control over which class library methods can be invoked by which callers.
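Review bot: The rewritten sentence now names `entitlement-bridge` as the call target, but nothing in the README says how the agent finds the bridge at runtime; the build in this same commit passes `-Des.entitlements.bridgeJar=...` and puts the bridge on the boot classpath, and the commit message says the compile-time dependency agent->bridge was removed. One sentence after this paragraph stating that the bridge jar is located via that system property and loaded on the boot classpath (so that `java.base` code can reach it) would save readers from reconstructing it from build.gradle.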
31 changes: 27 additions & 4 deletions distribution/tools/entitlement-agent/build.gradle
@@ -7,21 +7,44 @@
* License v3.0 only", or the "Server Side Public License, v 1".
*/

import static java.util.stream.Collectors.joining

apply plugin: 'elasticsearch.build'
apply plugin: 'elasticsearch.embedded-providers'

embeddedProviders {
impl 'entitlement-agent', project(':distribution:tools:entitlement-agent:impl')
}

configurations {
entitlementRuntime
entitlementBridge
}

dependencies {
entitlementRuntime project(":libs:elasticsearch-entitlement-runtime")
implementation project(":libs:elasticsearch-entitlement-runtime")
entitlementBridge project(":distribution:tools:entitlement-bridge")
compileOnly project(":libs:elasticsearch-core")
compileOnly project(":distribution:tools:entitlement-runtime")
testImplementation project(":test:framework")
testImplementation project(":distribution:tools:entitlement-bridge")
testImplementation project(":distribution:tools:entitlement-agent:impl")
}

tasks.named('test').configure {
systemProperty "tests.security.manager", "false"
dependsOn('jar')
jvmArgs "-javaagent:${ tasks.named('jar').flatMap{ it.archiveFile }.get()}"

// Register an argument provider to avoid eager resolution of configurations
jvmArgumentProviders.add(new CommandLineArgumentProvider() {
@Override
Iterable<String> asArguments() {
return ["-javaagent:${tasks.jar.archiveFile.get()}", "-Des.entitlements.bridgeJar=${configurations.entitlementBridge.singleFile}"]
}
})


// The Elasticsearch build plugin automatically adds all compileOnly deps as testImplementation.
// We must not add the bridge this way because it is also on the boot classpath, and that would lead to jar hell.
classpath -= files(configurations.entitlementBridge)
}

tasks.named('jar').configure {
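Review bot: The new `CommandLineArgumentProvider` resolves `tasks.jar.archiveFile.get()` and `configurations.entitlementBridge.singleFile` lazily, which fixes the eager resolution, but a `CommandLineArgumentProvider` does not by itself declare a task dependency: if the old `dependsOn('jar')` line next to the removed `jvmArgs "-javaagent:..."` line is gone, the test task can run before the agent jar is built. Keep `dependsOn('jar')` (or declare the jar and the `entitlementBridge` configuration as task inputs, e.g. `inputs.files(tasks.jar, configurations.entitlementBridge)`) so the ordering and up-to-date checks are explicit. Two smaller points: `import static java.util.stream.Collectors.joining` is not used anywhere in the visible hunk, and there is a stray double blank line after the `jvmArgumentProviders.add(...)` block.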
20 changes: 20 additions & 0 deletions distribution/tools/entitlement-agent/impl/build.gradle
@@ -0,0 +1,20 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/

apply plugin: 'elasticsearch.build'

dependencies {
compileOnly project(':distribution:tools:entitlement-agent')
implementation 'org.ow2.asm:asm:9.7'
}

tasks.named('forbiddenApisMain').configure {
replaceSignatureFiles 'jdk-signatures'
}

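Review bot: `implementation 'org.ow2.asm:asm:9.7'` pins the ASM version inline in this one build file; since the same ASM version must match what the agent's embedded-provider packaging ships and what `module-info.java` requires as `org.objectweb.asm`, consider taking the version from the repository's shared version catalog rather than a literal, so a future ASM bump cannot leave this module behind. Also worth a comment here: the `compileOnly project(':distribution:tools:entitlement-agent')` edge is intentional (the agent embeds this impl via `embeddedProviders`, so the impl must not pull the agent onto its runtime classpath).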
26 changes: 26 additions & 0 deletions distribution/tools/entitlement-agent/impl/licenses/asm-LICENSE.txt
@@ -0,0 +1,26 @@
Copyright (c) 2012 France Télécom
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holders nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@

Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/

import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
import org.elasticsearch.entitlement.instrumentation.impl.InstrumentationServiceImpl;

module org.elasticsearch.entitlement.agent.impl {
requires org.objectweb.asm;
requires org.elasticsearch.entitlement.agent;

provides InstrumentationService with InstrumentationServiceImpl;
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/

package org.elasticsearch.entitlement.instrumentation.impl;

import org.elasticsearch.entitlement.instrumentation.InstrumentationService;
import org.elasticsearch.entitlement.instrumentation.Instrumenter;
import org.elasticsearch.entitlement.instrumentation.MethodKey;
import org.objectweb.asm.Type;

import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.stream.Stream;

public class InstrumentationServiceImpl implements InstrumentationService {
@Override
public Instrumenter newInstrumenter(String classNameSuffix, Map<MethodKey, Method> instrumentationMethods) {
return new InstrumenterImpl(classNameSuffix, instrumentationMethods);
}

/**
* @return a {@link MethodKey} suitable for looking up the given {@code targetMethod} in the entitlements trampoline
*/
public MethodKey methodKeyForTarget(Method targetMethod) {
Type actualType = Type.getMethodType(Type.getMethodDescriptor(targetMethod));
return new MethodKey(
Type.getInternalName(targetMethod.getDeclaringClass()),
targetMethod.getName(),
Stream.of(actualType.getArgumentTypes()).map(Type::getInternalName).toList(),
Modifier.isStatic(targetMethod.getModifiers())
);
}

}
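Review bot: The Javadoc on `methodKeyForTarget` still says "entitlements trampoline", but this commit renames trampoline to bridge (see the commit message and the README change); update the comment to "entitlements bridge". Second, `newInstrumenter` carries `@Override` while `methodKeyForTarget` does not: if it is part of `InstrumentationService` it should be annotated for consistency, and if it is not, it is unreachable through the service interface that the agent loads via `ServiceLoader`. Minor: `Type.getMethodType(Type.getMethodDescriptor(targetMethod))` can be written as `Type.getType(targetMethod)`, which ASM provides for `java.lang.reflect.Method`.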
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the "Elastic License
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
* Public License v 1"; you may not use this file except in compliance with, at
* your election, the "Elastic License 2.0", the "GNU Affero General Public
* License v3.0 only", or the "Server Side Public License, v 1".
*/

package org.elasticsearch.entitlement.instrumentation.impl;

import org.elasticsearch.entitlement.instrumentation.Instrumenter;
import org.elasticsearch.entitlement.instrumentation.MethodKey;
import org.objectweb.asm.AnnotationVisitor;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.Type;

import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.stream.Stream;

import static org.objectweb.asm.ClassWriter.COMPUTE_FRAMES;
import static org.objectweb.asm.ClassWriter.COMPUTE_MAXS;
import static org.objectweb.asm.Opcodes.ACC_STATIC;
import static org.objectweb.asm.Opcodes.GETSTATIC;
import static org.objectweb.asm.Opcodes.INVOKEINTERFACE;
import static org.objectweb.asm.Opcodes.INVOKESTATIC;
import static org.objectweb.asm.Opcodes.INVOKEVIRTUAL;

public class InstrumenterImpl implements Instrumenter {
/**
* To avoid class name collisions during testing without an agent to replace classes in-place.
*/
private final String classNameSuffix;
private final Map<MethodKey, Method> instrumentationMethods;

public InstrumenterImpl(String classNameSuffix, Map<MethodKey, Method> instrumentationMethods) {
this.classNameSuffix = classNameSuffix;
this.instrumentationMethods = instrumentationMethods;
}

public ClassFileInfo instrumentClassFile(Class<?> clazz) throws IOException {
ClassFileInfo initial = getClassFileInfo(clazz);
return new ClassFileInfo(initial.fileName(), instrumentClass(Type.getInternalName(clazz), initial.bytecodes()));
}

public static ClassFileInfo getClassFileInfo(Class<?> clazz) throws IOException {
String internalName = Type.getInternalName(clazz);
String fileName = "/" + internalName + ".class";
byte[] originalBytecodes;
try (InputStream classStream = clazz.getResourceAsStream(fileName)) {
if (classStream == null) {
throw new IllegalStateException("Classfile not found in jar: " + fileName);
}
originalBytecodes = classStream.readAllBytes();
}
return new ClassFileInfo(fileName, originalBytecodes);
}

@Override
public byte[] instrumentClass(String className, byte[] classfileBuffer) {
ClassReader reader = new ClassReader(classfileBuffer);
ClassWriter writer = new ClassWriter(reader, COMPUTE_FRAMES | COMPUTE_MAXS);
ClassVisitor visitor = new EntitlementClassVisitor(Opcodes.ASM9, writer, className);
reader.accept(visitor, 0);
return writer.toByteArray();
}

class EntitlementClassVisitor extends ClassVisitor {
final String className;

EntitlementClassVisitor(int api, ClassVisitor classVisitor, String className) {
super(api, classVisitor);
this.className = className;
}

@Override
public void visit(int version, int access, String name, String signature, String superName, String[] interfaces) {
super.visit(version, access, name + classNameSuffix, signature, superName, interfaces);
}

@Override
public MethodVisitor visitMethod(int access, String name, String descriptor, String signature, String[] exceptions) {
var mv = super.visitMethod(access, name, descriptor, signature, exceptions);
boolean isStatic = (access & ACC_STATIC) != 0;
var key = new MethodKey(
className,
name,
Stream.of(Type.getArgumentTypes(descriptor)).map(Type::getInternalName).toList(),
isStatic
);
var instrumentationMethod = instrumentationMethods.get(key);
if (instrumentationMethod != null) {
// LOGGER.debug("Will instrument method {}", key);
return new EntitlementMethodVisitor(Opcodes.ASM9, mv, isStatic, descriptor, instrumentationMethod);
} else {
// LOGGER.trace("Will not instrument method {}", key);
}
return mv;
}
}

static class EntitlementMethodVisitor extends MethodVisitor {
private final boolean instrumentedMethodIsStatic;
private final String instrumentedMethodDescriptor;
private final Method instrumentationMethod;
private boolean hasCallerSensitiveAnnotation = false;

EntitlementMethodVisitor(
int api,
MethodVisitor methodVisitor,
boolean instrumentedMethodIsStatic,
String instrumentedMethodDescriptor,
Method instrumentationMethod
) {
super(api, methodVisitor);
this.instrumentedMethodIsStatic = instrumentedMethodIsStatic;
this.instrumentedMethodDescriptor = instrumentedMethodDescriptor;
this.instrumentationMethod = instrumentationMethod;
}

@Override
public AnnotationVisitor visitAnnotation(String descriptor, boolean visible) {
if (visible && descriptor.endsWith("CallerSensitive;")) {
hasCallerSensitiveAnnotation = true;
}
return super.visitAnnotation(descriptor, visible);
}

@Override
public void visitCode() {
pushEntitlementChecksObject();
pushCallerClass();
forwardIncomingArguments();
invokeInstrumentationMethod();
super.visitCode();
}

private void pushEntitlementChecksObject() {
mv.visitMethodInsn(
INVOKESTATIC,
"org/elasticsearch/entitlement/api/EntitlementProvider",
"checks",
"()Lorg/elasticsearch/entitlement/api/EntitlementChecks;",
false
);
}

private void pushCallerClass() {
if (hasCallerSensitiveAnnotation) {
mv.visitMethodInsn(
INVOKESTATIC,
"jdk/internal/reflect/Reflection",
"getCallerClass",
Type.getMethodDescriptor(Type.getType(Class.class)),
false
);
} else {
mv.visitFieldInsn(
GETSTATIC,
Type.getInternalName(StackWalker.Option.class),
"RETAIN_CLASS_REFERENCE",
Type.getDescriptor(StackWalker.Option.class)
);
mv.visitMethodInsn(
INVOKESTATIC,
Type.getInternalName(StackWalker.class),
"getInstance",
Type.getMethodDescriptor(Type.getType(StackWalker.class), Type.getType(StackWalker.Option.class)),
false
);
mv.visitMethodInsn(
INVOKEVIRTUAL,
Type.getInternalName(StackWalker.class),
"getCallerClass",
Type.getMethodDescriptor(Type.getType(Class.class)),
false
);
}
}

private void forwardIncomingArguments() {
int localVarIndex = 0;
if (instrumentedMethodIsStatic == false) {
mv.visitVarInsn(Opcodes.ALOAD, localVarIndex++);
}
for (Type type : Type.getArgumentTypes(instrumentedMethodDescriptor)) {
mv.visitVarInsn(type.getOpcode(Opcodes.ILOAD), localVarIndex);
localVarIndex += type.getSize();
}

}

private void invokeInstrumentationMethod() {
mv.visitMethodInsn(
INVOKEINTERFACE,
Type.getInternalName(instrumentationMethod.getDeclaringClass()),
instrumentationMethod.getName(),
Type.getMethodDescriptor(instrumentationMethod),
true
);
}
}

// private static final Logger LOGGER = LogManager.getLogger(Instrumenter.class);

public record ClassFileInfo(String fileName, byte[] bytecodes) {}
}
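Review bot: In `EntitlementMethodVisitor.visitCode()` the instrumentation instructions (`pushEntitlementChecksObject`, `pushCallerClass`, ...) are emitted before `super.visitCode()`, which inverts the ASM visitor contract (`visitCode` must precede any instruction visit). It happens to work against a bare `ClassWriter`, but any adapter inserted in the chain (for example `CheckMethodAdapter` in tests) will reject it; call `super.visitCode()` first and then emit the prologue. Two further points in the same class: `visitAnnotation` detects caller-sensitive methods with `descriptor.endsWith("CallerSensitive;")`, which would also match an unrelated annotation of that simple name, so compare against the full descriptor `Ljdk/internal/reflect/CallerSensitive;`; and `ClassWriter(reader, COMPUTE_FRAMES | COMPUTE_MAXS)` relies on `getCommonSuperClass`, which loads classes through the writer's class loader while a `java.base` class is being transformed, so either override `getCommonSuperClass` or document why it is safe for the target methods. The commented-out `LOGGER` lines (in `visitMethod` and at the bottom of the file) should be removed or wired up before merge.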
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the "Elastic License
# 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
# Public License v 1"; you may not use this file except in compliance with, at
# your election, the "Elastic License 2.0", the "GNU Affero General Public
# License v3.0 only", or the "Server Side Public License, v 1".
#

org.elasticsearch.entitlement.instrumentation.impl.InstrumentationServiceImpl
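Review bot: This `META-INF/services` entry duplicates the `provides InstrumentationService with InstrumentationServiceImpl` declaration in the impl's `module-info.java`; both are needed (classpath vs. module path loading), so a comment in one of them noting that the two must be kept in sync would prevent a silent drift if the implementation class is ever renamed.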