1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// Policy file to prevent tests from writing outside the test sandbox directory
// (must be given as a sysprop: tests.sandbox.dir)
// This policy also disallows stuff like listening on network ports of interfaces
// different than 127.0.0.1.
// PLEASE NOTE: You may need to enable other permissions when new tests are added,
// everything not allowed here is forbidden!
grant {
// permissions for file access, write access only to sandbox:
permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute,write";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}-", "read,execute,write,delete";
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
// all possibilities of accepting/binding connections on localhost with ports >=1024:
permission java.net.SocketPermission "localhost:1024-", "accept,listen";
permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen";
permission java.net.SocketPermission "[::1]:1024-", "accept,listen";
// This is a special case, because the network config of the ASF Jenkins server is broken,
// see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html
permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen";
// Allow connecting to the internet anywhere
permission java.net.SocketPermission "*", "connect,resolve";
// Basic permissions needed for Lucene to work:
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.reflect.ReflectPermission "*";
permission java.lang.RuntimePermission "*";
// These two *have* to be spelled out a separate
permission java.lang.management.ManagementPermission "control";
permission java.lang.management.ManagementPermission "monitor";
// Solr needs those:
permission java.net.NetPermission "*";
permission java.sql.SQLPermission "*";
permission java.util.logging.LoggingPermission "control";
permission javax.management.MBeanPermission "*", "*";
permission javax.management.MBeanServerPermission "*";
permission javax.management.MBeanTrustPermission "*";
permission javax.security.auth.AuthPermission "*";
permission javax.security.auth.PrivateCredentialPermission "org.apache.hadoop.security.Credentials * \"*\"", "read";
permission java.security.SecurityPermission "putProviderProperty.SaslPlainServer";
permission java.security.SecurityPermission "insertProvider.SaslPlainServer";
permission javax.xml.bind.JAXBPermission "setDatatypeConverter";
// TIKA uses BouncyCastle and that registers new provider for PDF parsing + MSOffice parsing. Maybe report as bug!
permission java.security.SecurityPermission "putProviderProperty.BC";
permission java.security.SecurityPermission "insertProvider.BC";
// Needed for some things in DNS caching in the JVM
permission java.security.SecurityPermission "getProperty.networkaddress.cache.ttl";
permission java.security.SecurityPermission "getProperty.networkaddress.cache.negative.ttl";
// SSL related properties for Solr tests
permission java.security.SecurityPermission "getProperty.ssl.*";
};
|
