Remove java.xml from system modules #133671
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
rjernst
added
:Core/Infra/Core
elasticsearchmachine
added
Team:Core/Infra
|
Pinging @elastic/es-core-infra (Team:Core/Infra) |
prdoyle
approved these changes
Aug 27, 2025
| @@ -610,5 +612,12 @@ static void javaDesktopFileAccess() throws Exception { | |||
| new FileImageInputStream(file.toFile()).close(); | |||
| } | |||
|
|
|||
| @EntitlementTest(expectedAccess = ALWAYS_DENIED) | |||
| static void javaXmlFileRequest() throws Exception { | |||
| // java.xml is part of the jdk, but not a system module. this checks it can't access the network | |||
| /** | ||
| * Internal entitlement to read code from the jdk, ie jrt urls | ||
| */ | ||
| public class ReadJdkCodeEntitlement implements Entitlement { |
| package org.elasticsearch.entitlement.runtime.policy.entitlements; | ||
|
|
||
| /** | ||
| * Internal entitlement to read code from the jdk, ie jrt urls |
There was a problem hiding this comment.
This description could use a little refinement, I think. Anyone seeing ReadJdkCodeEntitlement can be trusted to infer that it's an entitlement for reading JDK code, but their question would be: what does that actually mean? I think it means allowing the opening of connections with URLs using the jrt protocol.
The actual implementation does not seem to be limited to just reading resources within the jar, but I suppose writes to jrt URLs would be forbidden by other means?
There was a problem hiding this comment.
yeah the jdk images are read only. I updated the javadoc.
There was a problem hiding this comment.
I also tweaked the entitlement name to make it a little clearer what can be read
|
Looks like this needs further entitlements to read any jar on the classpath. |
|
Looks like granting java.xml read access to the but I suppose |
mosche
approved these changes
Aug 28, 2025
|
Hi @rjernst, I've created a changelog YAML for you. |
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
This was referenced Aug 30, 2025
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
💔 Backport failed
You can use sqren/backport to manually backport by running |
rjernst
added a commit
to rjernst/elasticsearch
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 30, 2025
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
java.xml is part of the jdk, but it's really a utility module that shouldn't have direct access to network or files. This commit excludes java.xml from system modules. Note that since it is part of the jdk, it does need access to read jdk classes, so a new internal entitlement is also added to allow reading jrt urls.