[Security Manager Replacement] Native Java Agent (dynamic code rewrit…

…ing, must be low overhead) Signed-off-by: Andriy Redko <[email protected]> Signed-off-by: Andriy Redko <[email protected]>
opensearch-project · Feb 23, 2025 · ec22ea6 · ec22ea6
1 parent 8447737
commit ec22ea6
Show file tree

Hide file tree

Showing 38 changed files with 4,535 additions and 63 deletions.
diff --git a/build.gradle b/build.gradle
@@ -433,12 +433,18 @@ gradle.projectsEvaluated {
 
     project.tasks.withType(Test) { task ->
       if (task != null) {
-        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17) {
+        if (BuildParams.runtimeJavaVersion > JavaVersion.VERSION_17 && BuildParams.runtimeJavaVersion <= JavaVersion.VERSION_23) {
           task.jvmArgs += ["-Djava.security.manager=allow"]
         }
         if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
           task.jvmArgs += ["--add-modules=jdk.incubator.vector"]
         }
+
+        // Add Java Agent for security sandboxing
+        if (!(project.path in [':build-tools', ":test:framework", ":libs:agent-sm:bootstrap", ":libs:agent-sm:agent"])) {
+          dependsOn(project(':libs:agent-sm:agent').copyJars)
+          jvmArgs += ["-javaagent:" + project(':libs:agent-sm:agent').jar.archiveFile.get()]
+        }
       }
     }
 

diff --git a/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java
@@ -115,7 +115,8 @@ public void execute(Task t) {
                             test.jvmArgs("--illegal-access=warn");
                         }
                     }
-                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0) {
+                    if (test.getJavaVersion().compareTo(JavaVersion.VERSION_17) > 0
+                        && test.getJavaVersion().compareTo(JavaVersion.VERSION_24) < 0) {
                         test.jvmArgs("-Djava.security.manager=allow");
                     }
                 }

diff --git a/distribution/src/config/jvm.options b/distribution/src/config/jvm.options
@@ -77,7 +77,7 @@ ${error.file}
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=${loggc}:utctime,pid,tags:filecount=32,filesize=64m
 
 # Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380)
-18-:-Djava.security.manager=allow
+18-23:-Djava.security.manager=allow
 
 # JDK 20+ Incubating Vector Module for SIMD optimizations;
 # disabling may reduce performance on vector optimized lucene
@@ -89,3 +89,5 @@ ${error.file}
 # See please https://bugs.openjdk.org/browse/JDK-8341127 (openjdk/jdk#21283)
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.setAsTypeCache
 23:-XX:CompileCommand=dontinline,java/lang/invoke/MethodHandle.asTypeUncached
+
+24:-javaagent:agent/opensearch-agent-3.0.0-SNAPSHOT.jar
diff --git a/...bution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/...bution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
@@ -85,7 +85,7 @@ static List<String> systemJvmOptions() {
     }
 
     private static String allowSecurityManagerOption() {
-        if (Runtime.version().feature() > 17) {
+        if (Runtime.version().feature() > 17 && Runtime.version().feature() < 24) {
             return "-Djava.security.manager=allow";
         } else {
             return "";

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -65,7 +65,7 @@ junit             = "4.13.2"
 hamcrest          = "2.1"
 mockito           = "5.14.2"
 objenesis         = "3.3"
-bytebuddy         = "1.15.10"
+bytebuddy         = "1.17.0"
 
 # benchmark dependencies
 jmh               = "1.35"

diff --git a/gradle/missing-javadoc.gradle b/gradle/missing-javadoc.gradle
@@ -106,6 +106,7 @@ configure([
   project(":libs:opensearch-secure-sm"),
   project(":libs:opensearch-ssl-config"),
   project(":libs:opensearch-x-content"),
+  project(":libs:agent-sm:agent-policy"),
   project(":modules:aggs-matrix-stats"),
   project(":modules:analysis-common"),
   project(":modules:geo"),

diff --git a/libs/agent-sm/agent-policy/build.gradle b/libs/agent-sm/agent-policy/build.gradle
@@ -0,0 +1,32 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+// This file is intentionally blank. All configuration of the
+// distribution is done in the parent project.
+
+// See please https://docs.gradle.org/8.5/userguide/upgrading_version_8.html#deprecated_missing_project_directory
+
+apply plugin: 'opensearch.build'
+apply plugin: 'opensearch.publish'
+
+ext {
+  // Do not fail on 'warning: using incubating module(s): jdk.incubator.vector'
+  failOnJavadocWarning = false
+}
+
+base {
+  archivesName = 'opensearch-agent-policy'
+}
+
+disableTasks('forbiddenApisMain')
+
+test.enabled = false
+testingConventions.enabled = false