[Security Manager Replacement] Phase off SecurityManager usage in favor of Java Agent

Signed-off-by: Andriy Redko <[email protected]>

Author: reta

build.gradle

@@ -433,11 +433,12 @@ gradle.projectsEvaluated {
 
     project.tasks.withType(Test) { task ->
       if (task != null) {
-        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
-          task.jvmArgs += ["-Djava.security.manager=allow"]
-        }
-        if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
-          task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
+        task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
+
+        // Add Java Agent for security sandboxing
+        if (!(project.path in [':build-tools', ":libs:agent-sm:bootstrap", ":libs:agent-sm:agent"])) {
+          dependsOn(project(':libs:agent-sm:agent').prepareAgent)
+          jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
         }
       }
     }

buildSrc/build.gradle

@@ -110,12 +110,12 @@ dependencies {
   api 'com.netflix.nebula:gradle-info-plugin:12.1.6'
   api 'org.apache.rat:apache-rat:0.15'
   api "commons-io:commons-io:${props.getProperty('commonsio')}"
-  api "net.java.dev.jna:jna:5.14.0"
+  api "net.java.dev.jna:jna:5.16.0"
   api 'com.gradleup.shadow:shadow-gradle-plugin:8.3.5'
   api 'org.jdom:jdom2:2.0.6.1'
   api "org.jetbrains.kotlin:kotlin-stdlib-jdk8:${props.getProperty('kotlin')}"
   api 'de.thetaphi:forbiddenapis:3.8'
-  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.6'
+  api 'com.avast.gradle:gradle-docker-compose-plugin:0.17.12'
   api "org.yaml:snakeyaml:${props.getProperty('snakeyaml')}"
   api 'org.apache.maven:maven-model:3.9.6'
   api 'com.networknt:json-schema-validator:1.2.0'

buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java

@@ -115,9 +115,6 @@ public void execute(Task t) {
                             test.jvmArgs("--illegal-access=warn");
                         }
                     }
-                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0) {
-                        test.jvmArgs("-Djava.security.manager=allow");
-                    }
                 }
             });
             test.getJvmArgumentProviders().add(nonInputProperties);

client/rest-high-level/src/test/resources/org/opensearch/bootstrap/test.policy

@@ -8,4 +8,5 @@
 
 grant {
   permission java.net.SocketPermission "*", "connect,resolve";
+  permission java.net.NetPermission "accessUnixDomainSocket";
 };

distribution/archives/build.gradle

@@ -38,6 +38,9 @@ CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, String pla
       into('lib') {
         with libFiles()
       }
+      into('agent') {
+        with agentFiles()
+      }
       into('config') {
         dirPermissions {
           unix 0750
@@ -226,3 +229,9 @@ subprojects {
 
   group = "org.opensearch.distribution"
 }
+
+tasks.each {
+  if (it.name.startsWith("build")) {
+    it.dependsOn project(':libs:agent-sm:agent').assemble
+  }
+}

distribution/build.gradle

@@ -357,6 +357,18 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
       }
     }
 
+    agentFiles = {
+      copySpec {
+        from(project(':libs:agent-sm:agent').prepareAgent) {
+          include '**/*.jar'
+          exclude '**/*-javadoc.jar'
+          exclude '**/*-sources.jar'
+          // strip the version since jvm.options is using agent without version
+          rename("opensearch-agent-${project.version}.jar", "opensearch-agent.jar")
+        }
+      }
+    }
+
     modulesFiles = { platform ->
       copySpec {
         eachFile {

distribution/src/config/jvm.options

@@ -76,9 +76,6 @@ ${error.file}
 # JDK 9+ GC logging
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=${loggc}:utctime,pid,tags:filecount=32,filesize=64m
 
-# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
-18-:-Djava.security.manager=allow
-
 # JDK 20+ Incubating Vector Module for SIMD optimizations;
 # disabling may reduce performance on vector optimized lucene
 20-:--add-modules=jdk.incubator.vector
@@ -89,3 +86,5 @@ ${error.file}
 # See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
+21-:-javaagent:agent/opensearch-agent.jar

distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java

@@ -77,21 +77,11 @@ static List<String> systemJvmOptions() {
                 // log4j 2
                 "-Dlog4j.shutdownHookEnabled=false",
                 "-Dlog4j2.disable.jmx=true",
-                // security manager
-                allowSecurityManagerOption(),
                 javaLocaleProviders()
             )
         ).stream().filter(e -> e.isEmpty() == false).collect(Collectors.toList());
     }
 
-    private static String allowSecurityManagerOption() {
-        if (Runtime.version().feature() > 17) {
-            return "-Djava.security.manager=allow";
-        } else {
-            return "";
-        }
-    }
-
     private static String maybeShowCodeDetailsInExceptionMessages() {
         if (Runtime.version().feature() >= 14) {
             return "-XX:+ShowCodeDetailsInExceptionMessages";

gradle/ide.gradle

@@ -82,9 +82,7 @@ if (System.getProperty('idea.active') == 'true') {
         runConfigurations {
           defaults(JUnit) {
             vmParameters = '-ea -Djava.locale.providers=SPI,CLDR'
-            if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
-              vmParameters += ' -Djava.security.manager=allow'
-            }
+            vmParameters += ' -javaagent:' + project(':libs:agent-sm:agent').jar.archiveFile.get()
           }
         }
         copyright {

libs/agent-sm/agent/build.gradle

@@ -75,3 +75,7 @@ tasks.test {
 tasks.check {
   dependsOn test
 }
+
+tasks.named('assemble') {
+  dependsOn prepareAgent
+}

libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java

@@ -101,7 +101,7 @@ private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exce
         final AgentBuilder agentBuilder = new AgentBuilder.Default(byteBuddy).with(AgentBuilder.InitializationStrategy.NoOp.INSTANCE)
             .with(AgentBuilder.RedefinitionStrategy.REDEFINITION)
             .with(AgentBuilder.TypeStrategy.Default.REDEFINE)
-            .ignore(ElementMatchers.none())
+            .ignore(ElementMatchers.nameContains("$MockitoMock$")) /* ingore all Mockito mocks */
             .type(systemType)
             .transform(socketTransformer)
             .type(pathType.or(fileChannelType))

libs/build.gradle

@@ -41,20 +41,21 @@ subprojects {
    */
   project.afterEvaluate {
     if (!project.path.equals(':libs:agent-sm:agent')) {
-      configurations.all { Configuration conf ->
-        dependencies.matching { it instanceof ProjectDependency }.all { ProjectDependency dep ->
-          Project depProject = project.project(dep.path)
-          if (depProject != null
-            && (false == depProject.path.equals(':libs:opensearch-core') &&
-                false == depProject.path.equals(':libs:opensearch-common'))
-            && depProject.path.startsWith(':libs')) {
-            throw new InvalidUserDataException("projects in :libs "
-              + "may not depend on other projects libs except "
-              + ":libs:opensearch-core or :libs:opensearch-common but "
-              + "${project.path} depends on ${depProject.path}")
+        configurations.all { Configuration conf ->
+          dependencies.matching { it instanceof ProjectDependency }.all { ProjectDependency dep ->
+            Project depProject = project.project(dep.path)
+            if (depProject != null
+              && (false == depProject.path.equals(':libs:opensearch-core') &&
+                  false == depProject.path.equals(':libs:opensearch-common')&&
+                  false == depProject.path.equals(':libs:agent-sm:agent-policy'))
+              && depProject.path.startsWith(':libs')) {
+              throw new InvalidUserDataException("projects in :libs "
+                + "may not depend on other projects libs except "
+                + ":libs:opensearch-core or :libs:opensearch-common but "
+                + "${project.path} depends on ${depProject.path}")
+            }
           }
         }
-      }
     }
   }
 }

libs/secure-sm/build.gradle

@@ -31,6 +31,7 @@ apply plugin: 'opensearch.publish'
 
 dependencies {
   // do not add non-test compile dependencies to secure-sm without a good reason to do so
+  api project(":libs:agent-sm:agent-policy")
 
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"

libs/secure-sm/src/main/java/org/opensearch/secure_sm/SecureSM.java

@@ -147,7 +147,9 @@ private boolean hasTrustedCallerChain() {
         };
     }
 
-    static final String[] TEST_RUNNER_PACKAGES = new String[] {
+    public static final String[] TEST_RUNNER_PACKAGES = new String[] {
+        // gradle worker
+        "worker\\.org\\.gradle\\.process\\.internal\\.worker\\.GradleWorkerMain*",
         // surefire test runner
         "org\\.apache\\.maven\\.surefire\\.booter\\..*",
         // junit4 test runner

plugins/repository-hdfs/build.gradle

@@ -146,10 +146,6 @@ for (String fixtureName : ['hdfsFixture', 'haHdfsFixture', 'secureHdfsFixture',
     }
     final List<String> miniHDFSArgs = []
 
-    if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_23) {
-      miniHDFSArgs.add('-Djava.security.manager=allow')
-    }
-
     // If it's a secure fixture, then depend on Kerberos Fixture and principals + add the krb5conf to the JVM options
     if (fixtureName.equals('secureHdfsFixture') || fixtureName.equals('secureHaHdfsFixture')) {
       miniHDFSArgs.add("-Djava.security.krb5.conf=${project(':test:fixtures:krb5kdc-fixture').ext.krb5Conf("hdfs")}");

plugins/repository-hdfs/src/test/resources/org/opensearch/bootstrap/test.policy

@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+  permission java.net.NetPermission "accessUnixDomainSocket";
+  permission java.net.SocketPermission "*", "connect,resolve";
+};

plugins/repository-s3/src/internalClusterTest/resources/org/opensearch/bootstrap/test.policy

@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+  permission java.net.NetPermission "accessUnixDomainSocket";
+  permission java.net.SocketPermission "*", "connect,resolve";
+};

server/build.gradle

@@ -71,6 +71,7 @@ dependencies {
   api project(":libs:opensearch-task-commons")
   implementation project(':libs:opensearch-arrow-spi')
 
+  compileOnly project(":libs:agent-sm:bootstrap")
   compileOnly project(':libs:opensearch-plugin-classloader')
   testRuntimeOnly project(':libs:opensearch-plugin-classloader')
 
@@ -377,9 +378,7 @@ tasks.named("licenseHeaders").configure {
 
 tasks.test {
     environment "node.roles.test", "[]"
-    if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
-        jvmArgs += ["--add-opens", "java.base/java.nio.file=ALL-UNNAMED"]
-    }
+    jvmArgs += ["--add-opens", "java.base/java.nio.file=ALL-UNNAMED", "-Djdk.attach.allowAttachSelf=true", "-XX:+EnableDynamicAgentLoading" ]
 }
 
 tasks.named("sourcesJar").configure {

server/src/main/java/org/opensearch/bootstrap/BootstrapChecks.java

@@ -47,6 +47,7 @@
 import org.opensearch.discovery.DiscoveryModule;
 import org.opensearch.env.Environment;
 import org.opensearch.index.IndexModule;
+import org.opensearch.javaagent.bootstrap.AgentPolicy;
 import org.opensearch.monitor.jvm.JvmInfo;
 import org.opensearch.monitor.process.ProcessProbe;
 import org.opensearch.node.NodeRoleSettings;
@@ -57,6 +58,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.AllPermission;
+import java.security.Policy;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -720,10 +722,10 @@ public final BootstrapCheckResult check(BootstrapContext context) {
 
         @SuppressWarnings("removal")
         boolean isAllPermissionGranted() {
-            final SecurityManager sm = System.getSecurityManager();
-            assert sm != null;
+            final Policy policy = AgentPolicy.getPolicy();
+            assert policy != null;
             try {
-                sm.checkPermission(new AllPermission());
+                AgentPolicy.checkPermission(new AllPermission());
             } catch (final SecurityException e) {
                 return false;
             }

server/src/main/java/org/opensearch/bootstrap/OpenSearch.java

@@ -48,7 +48,6 @@
 
 import java.io.IOException;
 import java.nio.file.Path;
-import java.security.Permission;
 import java.security.Security;
 import java.util.Arrays;
 import java.util.Locale;
@@ -86,19 +85,7 @@ class OpenSearch extends EnvironmentAwareCommand {
     @SuppressWarnings("removal")
     public static void main(final String[] args) throws Exception {
         overrideDnsCachePolicyProperties();
-        /*
-         * We want the JVM to think there is a security manager installed so that if internal policy decisions that would be based on the
-         * presence of a security manager or lack thereof act as if there is a security manager present (e.g., DNS cache policy). This
-         * forces such policies to take effect immediately.
-         */
-        System.setSecurityManager(new SecurityManager() {
-
-            @Override
-            public void checkPermission(Permission perm) {
-                // grant all permissions so that we can later set the security manager to the one that we want
-            }
 
-        });
         LogConfigurator.registerErrorListener();
         final OpenSearch opensearch = new OpenSearch();
         int status = main(args, opensearch, Terminal.DEFAULT);

server/src/main/java/org/opensearch/bootstrap/Security.java

@@ -41,9 +41,10 @@
 import org.opensearch.common.transport.PortsRange;
 import org.opensearch.env.Environment;
 import org.opensearch.http.HttpTransportSettings;
+import org.opensearch.javaagent.bootstrap.AgentPolicy;
 import org.opensearch.plugins.PluginInfo;
 import org.opensearch.plugins.PluginsService;
-import org.opensearch.secure_sm.SecureSM;
+import org.opensearch.secure_sm.policy.PolicyFile;
 import org.opensearch.transport.TcpTransport;
 
 import java.io.IOException;
@@ -59,7 +60,6 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.Permissions;
 import java.security.Policy;
-import java.security.URIParameter;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -144,23 +144,26 @@ static void configure(Environment environment, boolean filterBadDefaults) throws
 
         // enable security policy: union of template and environment-based paths, and possibly plugin permissions
         Map<String, URL> codebases = getCodebaseJarMap(JarHell.parseClassPath());
-        Policy.setPolicy(
+
+        // enable security manager
+        final String[] classesThatCanExit = new String[] {
+            // SecureSM matches class names as regular expressions so we escape the $ that arises from the nested class name
+            OpenSearchUncaughtExceptionHandler.PrivilegedHaltAction.class.getName().replace("$", "\\$"),
+            Command.class.getName() };
+
+        AgentPolicy.setPolicy(
             new OpenSearchPolicy(
                 codebases,
                 createPermissions(environment),
                 getPluginPermissions(environment),
                 filterBadDefaults,
                 createRecursiveDataPathPermission(environment)
-            )
+            ),
+            Set.of() /* trusted hosts */,
+            Set.of() /* trusted file systems */,
+            new AgentPolicy.AnyCanExit(classesThatCanExit)
         );
 
-        // enable security manager
-        final String[] classesThatCanExit = new String[] {
-            // SecureSM matches class names as regular expressions so we escape the $ that arises from the nested class name
-            OpenSearchUncaughtExceptionHandler.PrivilegedHaltAction.class.getName().replace("$", "\\$"),
-            Command.class.getName() };
-        System.setSecurityManager(new SecureSM(classesThatCanExit));
-
         // do some basic tests
         selfTest();
     }
@@ -280,14 +283,14 @@ static Policy readPolicy(URL policyFile, Map<String, URL> codebases) {
                     addCodebaseToSystemProperties(propertiesSet, url, property, aliasProperty);
                 }
 
-                return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
+                return new PolicyFile(policyFile);
             } finally {
                 // clear codebase properties
                 for (String property : propertiesSet) {
                     System.clearProperty(property);
                 }
             }
-        } catch (NoSuchAlgorithmException | URISyntaxException e) {
+        } catch (final RuntimeException e) {
             throw new IllegalArgumentException("unable to parse policy file `" + policyFile + "`", e);
         }
     }