From 3627b95dde56cec52208cc5ccff1cae215b63e0f Mon Sep 17 00:00:00 2001 From: Chris Hegarty <62058229+ChrisHegarty@users.noreply.github.com> Date: Thu, 16 Sep 2021 08:33:24 +0100 Subject: [PATCH] Laxify SecureSM to allow creation of the JDK's innocuous threads (#77789) Co-authored-by: Elastic Machine --- .../main/java/org/elasticsearch/secure_sm/SecureSM.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java index 9bcf2fa37f596..11a88f544948f 100644 --- a/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java +++ b/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java @@ -154,6 +154,12 @@ private void debugThreadGroups(final ThreadGroup caller, final ThreadGroup targe private static final Permission MODIFY_THREAD_PERMISSION = new RuntimePermission("modifyThread"); private static final Permission MODIFY_ARBITRARY_THREAD_PERMISSION = new ThreadPermission("modifyArbitraryThread"); + // Returns true if the given thread is an instance of the JDK's InnocuousThread. + private static boolean isInnocuousThread(Thread t) { + final Class c = t.getClass(); + return c.getModule() == Object.class.getModule() && c.getName().equals("jdk.internal.misc.InnocuousThread"); + } + protected void checkThreadAccess(Thread t) { Objects.requireNonNull(t); @@ -166,7 +172,7 @@ protected void checkThreadAccess(Thread t) { if (target == null) { return; // its a dead thread, do nothing. - } else if (source.parentOf(target) == false) { + } else if (source.parentOf(target) == false && isInnocuousThread(t) == false) { checkPermission(MODIFY_ARBITRARY_THREAD_PERMISSION); } }