Allow file read permissions in plugins (#69643)

This commit adds back allowing FilePermission for reading files in
plugins. This is a temporary measure until plugins are automatically
granted read permissions for files within their own configuration
directory.

closes #69464

qa/evil-tests/src/test/java/org/elasticsearch/bootstrap/PolicyUtilTests.java

@@ -210,6 +210,9 @@ void assertIllegalPermissions(List<String> illegalPermissions, PolicyParser pars
     }
 
     static final List<String> PLUGIN_TEST_PERMISSIONS = List.of(
+        // TODO: move this back to module test permissions, see https://github.com/elastic/elasticsearch/issues/69464
+        "java.io.FilePermission /foo/bar read",
+
         "java.lang.reflect.ReflectPermission suppressAccessChecks",
         "java.lang.RuntimePermission createClassLoader",
         "java.lang.RuntimePermission getClassLoader",
@@ -270,7 +273,6 @@ public void testPrivateCredentialPermissionAllowed() throws Exception {
     }
 
     static final List<String> MODULE_TEST_PERMISSIONS = List.of(
-        "java.io.FilePermission /foo/bar read",
         "java.io.FilePermission /foo/bar write",
         "java.lang.RuntimePermission getFileStoreAttributes",
         "java.lang.RuntimePermission accessUserInformation"

server/src/main/java/org/elasticsearch/bootstrap/PolicyUtil.java

@@ -91,6 +91,9 @@ public boolean test(Permission permission) {
     private static final PermissionMatcher ALLOWED_MODULE_PERMISSIONS;
     static {
         List<Permission> namedPermissions = List.of(
+            // TODO: remove read permission, see https://github.com/elastic/elasticsearch/issues/69464
+            createFilePermission("<<ALL FILES>>", "read"),
+
             new ReflectPermission("suppressAccessChecks"),
             new RuntimePermission("createClassLoader"),
             new RuntimePermission("getClassLoader"),