opensearch-project · kumargu · Nov 27, 2024 · Mar 27, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -433,12 +433,18 @@ gradle.projectsEvaluated {
 
     project.tasks.withType(Test) { task ->
       if (task != null) {
-        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
+        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_23) {
           task.jvmArgs += ["-Djava.security.manager=allow"]
         }
         if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
           task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
         }
+
+        // Add Java Agent for security sandboxing
+        if (!(project.path in [':build-tools', ":libs:agent-sm:bootstrap", ":libs:agent-sm:agent"])) {
+          dependsOn(project(':libs:agent-sm:agent').prepareAgent)
+          jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
+        }
       }
     }
 

@@ -110,12 +110,12 @@ dependencies {
   api 'com.netflix.nebula:gradle-info-plugin:12.1.6'
   api 'org.apache.rat:apache-rat:0.15'
   api "commons-io:commons-io:${props.getProperty('commonsio')}"
-  api "net.java.dev.jna:jna:5.14.0"
+  api "net.java.dev.jna:jna:5.16.0"
   api 'com.gradleup.shadow:shadow-gradle-plugin:8.3.5'
   api 'org.jdom:jdom2:2.0.6.1'
   api "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${props.getProperty('kotlin')}"
   api 'de.thetaphi:forbiddenapis:3.8'
-  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.6'
+  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.12'
   api "org.yaml:snakeyaml:${props.getProperty('snakeyaml')}"
   api 'org.apache.maven:maven-model:3.9.6'
   api 'com.networknt:json-schema-validator:1.2.0'

@@ -115,7 +115,8 @@ public void execute(Task t) {
                             test.jvmArgs("--illegal-access=warn");
                         }
                     }
-                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0) {
+                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0
+                        && test.getJavaVersion().compareTo(JavaVersion.VERSION_24) < 0) {
                         test.jvmArgs("-Djava.security.manager=allow");
                     }
                 }

@@ -77,9 +77,9 @@
 import java.util.stream.Stream;
 
 public class DistroTestPlugin implements Plugin<Project> {
-    private static final String SYSTEM_JDK_VERSION = "21.0.6+7";
+    private static final String SYSTEM_JDK_VERSION = "23.0.2+7";
     private static final String SYSTEM_JDK_VENDOR = "adoptium";
-    private static final String GRADLE_JDK_VERSION = "21.0.6+7";
+    private static final String GRADLE_JDK_VERSION = "23.0.2+7";
     private static final String GRADLE_JDK_VENDOR = "adoptium";
 
     // all distributions used by distro tests. this is temporary until tests are per distribution

@@ -8,4 +8,5 @@
 
 grant {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };
@@ -38,6 +38,9 @@ CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, String pla
       into('lib') {
         with libFiles()
       }
+      into('agent') {
+        with agentFiles()
+      }
       into('config') {
         dirPermissions {
           unix 0750
@@ -226,3 +229,9 @@ subprojects {
 
   group = "org.opensearch.distribution"
 }
+
+tasks.each {
+  if (it.name.startsWith("build")) {
+    it.dependsOn project(':libs:agent-sm:agent').assemble
+  }
+}
@@ -357,6 +357,18 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
       }
     }
 
+    agentFiles = {
+      copySpec {
+        from(project(':libs:agent-sm:agent').prepareAgent) {
+          include '**/*.jar'
+          exclude '**/*-javadoc.jar'
+          exclude '**/*-sources.jar'
+          // strip the version since jvm.options is using agent without version
+          rename("opensearch-agent-${project.version}.jar", "opensearch-agent.jar")
+        }
+      }
+    }
+
     modulesFiles = { platform ->
       copySpec {
         eachFile {

@@ -77,7 +77,7 @@ ${error.file}
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=${loggc}:utctime,pid,tags:filecount=32,filesize=64m
 
 # Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
-18-:-Djava.security.manager=allow
+18-23:-Djava.security.manager=allow
 
 # JDK 20+ Incubating Vector Module for SIMD optimizations;
 # disabling may reduce performance on vector optimized lucene
@@ -89,3 +89,6 @@ ${error.file}
 # See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
+# It should be JDK-24 (but we cannot bring JDK-24 since Gradle does not support it yet)
+21-:-javaagent:agent/opensearch-agent.jar
@@ -85,7 +85,7 @@ static List<String> systemJvmOptions() {
     }
 
     private static String allowSecurityManagerOption() {
-        if (Runtime.version().feature() > 17) {
+        if (Runtime.version().feature() > 17 && Runtime.version().feature() < 24) {
             return "-Djava.security.manager=allow";
         } else {
             return "";

@@ -82,7 +82,7 @@ if (System.getProperty('idea.active') == 'true') {
         runConfigurations {
           defaults(JUnit) {
             vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'
-            if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
+            if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion < JavaVersion.VERSION_24) {
               vmParameters += ' -Djava.security.manager=allow'
             }
           }

@@ -3,7 +3,7 @@ opensearch        = "3.0.0"
 lucene            = "10.1.0"
 
 bundled_jdk_vendor = "adoptium"
-bundled_jdk = "21.0.6+7"
+bundled_jdk = "23.0.2+7"
 
 # optional dependencies
 spatial4j         = "0.7"

@@ -106,6 +106,7 @@ configure([
   project(":libs:opensearch-secure-sm"),
   project(":libs:opensearch-ssl-config"),
   project(":libs:opensearch-x-content"),
+  project(":libs:agent-sm:agent-policy"),
   project(":modules:aggs-matrix-stats"),
   project(":modules:analysis-common"),
   project(":modules:geo"),

@@ -0,0 +1,26 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+apply plugin: 'opensearch.build'
+apply plugin: 'opensearch.publish'
+
+ext {
+  failOnJavadocWarning = false
+}
+
+base {
+  archivesName = 'opensearch-agent-policy'
+}
+
+disableTasks('forbiddenApisMain')
+
+test.enabled = false
+testingConventions.enabled = false
@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/**
+ * Java Agent Policy
+ */
+package org.opensearch;
@@ -0,0 +1,51 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.secure_sm.policy;
+
+import java.io.PrintWriter;
+import java.util.LinkedList;
+import java.util.List;
+
+public class GrantEntry {
+    public String codeBase;
+    private final LinkedList<PermissionEntry> permissionEntries = new LinkedList<>();
+
+    public void add(PermissionEntry entry) {
+        permissionEntries.add(entry);
+    }
+
+    public List<PermissionEntry> permissionElements() {
+        return permissionEntries;
+    }
+
+    public void write(PrintWriter out) {
+        out.print("grant");
+        if (codeBase != null) {
+            out.print(" Codebase \"");
+            out.print(codeBase);
+            out.print("\"");
+        }
+        out.println(" {");
+        for (PermissionEntry pe : permissionEntries) {
+            out.print("  permission ");
+            out.print(pe.permission);
+            if (pe.name != null) {
+                out.print(" \"");
+                out.print(pe.name);
+                out.print("\"");
+            }
+            if (pe.action != null) {
+                out.print(", \"");
+                out.print(pe.action);
+                out.print("\"");
+            }
+            out.println(";");
+        }
+        out.println("};");
+    }
+}
@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+package org.opensearch.secure_sm.policy;
+
+import java.io.PrintWriter;
+import java.util.Objects;
+
+public class PermissionEntry {
+    public String permission;
+    public String name;
+    public String action;
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(permission, name, action);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == this) return true;
+
+        return obj instanceof PermissionEntry that
+            && Objects.equals(this.permission, that.permission)
+            && Objects.equals(this.name, that.name)
+            && Objects.equals(this.action, that.action);
+    }
+
+    public void write(PrintWriter out) {
+        out.print("permission ");
+        out.print(permission);
+        if (name != null) {
+            out.print(" \"");
+            out.print(name.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\\\\\""));
+            out.print('"');
+        }
+        if (action != null) {
+            out.print(", \"");
+            out.print(action);
+            out.print('"');
+        }
+        out.println(";");
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,4 +8,5 @@ @@
     grant {
       permission java.net.SocketPermission "*", "connect,resolve";
+      permission java.net.NetPermission "accessUnixDomainSocket";
     };