From ad71c64f2a0c8c408a8037334ecb56eb1465456a Mon Sep 17 00:00:00 2001
From: Andrew Ross
Date: Tue, 15 Apr 2025 14:08:59 -0700
Subject: [PATCH] Intercept java.net.Socket::connect
Signed-off-by: Andrew Ross
---
 .../main/java/org/opensearch/javaagent/Agent.java | 14 +++++++-------
 .../javaagent/SocketChannelInterceptorTests.java | 3 +++
 .../resources/org/opensearch/bootstrap/test.policy | 11 +++++++++++
 .../resources/org/opensearch/bootstrap/test.policy | 11 +++++++++++
 .../resources/org/opensearch/bootstrap/test.policy | 11 +++++++++++
 5 files changed, 43 insertions(+), 7 deletions(-)
 create mode 100644 modules/repository-url/src/test/resources/org/opensearch/bootstrap/test.policy
 create mode 100644 plugins/discovery-ec2/src/test/resources/org/opensearch/bootstrap/test.policy
 create mode 100644 plugins/repository-s3/src/test/resources/org/opensearch/bootstrap/test.policy
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java
index f3129b6bb8b54..dc8fb61257e72 100644
--- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java
+++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/Agent.java
@@ -11,6 +11,7 @@
 import org.opensearch.javaagent.bootstrap.AgentPolicy;
 import java.lang.instrument.Instrumentation;
+import java.net.Socket;
 import java.nio.channels.FileChannel;
 import java.nio.channels.SocketChannel;
 import java.nio.file.Files;
@@ -71,8 +72,9 @@ public static void agentmain(String agentArguments, Instrumentation instrumentat
 initAgent(instrumentation);
 }
- private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exception {
- final Junction systemType = ElementMatchers.isSubTypeOf(SocketChannel.class);
+ private static AgentBuilder createAgentBuilder() throws Exception {
+ final Junction socketType = ElementMatchers.isSubTypeOf(SocketChannel.class)
+ .or(ElementMatchers.isSubTypeOf(Socket.class));
 final Junction pathType = ElementMatchers.isSubTypeOf(Files.class);
 final Junction fileChannelType = ElementMatchers.isSubTypeOf(FileChannel.class);
@@ -98,11 +100,11 @@ private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exce
 );
 final ByteBuddy byteBuddy = new ByteBuddy().with(Implementation.Context.Disabled.Factory.INSTANCE);
- final AgentBuilder agentBuilder = new AgentBuilder.Default(byteBuddy).with(AgentBuilder.InitializationStrategy.NoOp.INSTANCE)
+ return new AgentBuilder.Default(byteBuddy).with(AgentBuilder.InitializationStrategy.NoOp.INSTANCE)
 .with(AgentBuilder.RedefinitionStrategy.REDEFINITION)
 .with(AgentBuilder.TypeStrategy.Default.REDEFINE)
 .ignore(ElementMatchers.nameContains("$MockitoMock$")) /* ingore all Mockito mocks */
- .type(systemType)
+ .type(socketType)
 .transform(socketTransformer)
 .type(pathType.or(fileChannelType))
 .transform(fileTransformer)
@@ -118,12 +120,10 @@ private static AgentBuilder createAgentBuilder(Instrumentation inst) throws Exce
 Advice.to(RuntimeHaltInterceptor.class).on(ElementMatchers.named("halt"))
 )
 );
-
- return agentBuilder;
 }
 private static void initAgent(Instrumentation instrumentation) throws Exception {
- AgentBuilder agentBuilder = createAgentBuilder(instrumentation);
+ AgentBuilder agentBuilder = createAgentBuilder();
 agentBuilder.installOn(instrumentation);
 }
 }
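Review bot: The widened matcher in the first Agent.java hunk, `isSubTypeOf(SocketChannel.class).or(isSubTypeOf(Socket.class))`, still covers only two of the JDK's connection types; nothing visible here matches `AsynchronousSocketChannel`, `DatagramChannel` or `DatagramSocket`, so connections made through those would not reach the policy check unless they are handled somewhere outside this diff. The `socketTransformer` definition lies between the hunks and is not shown, so it is worth confirming that its advice matches both `Socket.connect(SocketAddress)` and `Socket.connect(SocketAddress, int)`, and that the one-argument overload delegating to the two-argument one does not evaluate the permission twice. A comment above the matcher would record the intended scope, for example `// Covers SocketChannel and java.net.Socket connects; async and datagram channels are not intercepted here.` The body of createAgentBuilder continues outside this hunk.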
diff --git a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SocketChannelInterceptorTests.java b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SocketChannelInterceptorTests.java
index 3a4a7b5576ebb..709bf37cc3873 100644
--- a/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SocketChannelInterceptorTests.java
+++ b/libs/agent-sm/agent/src/test/java/org/opensearch/javaagent/SocketChannelInterceptorTests.java
@@ -13,6 +13,7 @@
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.Socket;
 import java.net.UnixDomainSocketAddress;
 import java.nio.channels.SocketChannel;
@@ -28,6 +29,8 @@ public void testConnections() throws IOException {
 assertThrows(SecurityException.class, () -> channel.connect(new InetSocketAddress("opensearch.org", 80)));
 }
+
+ assertThrows(SecurityException.class, () -> new Socket("localhost", 9200));
 }
 @Test
diff --git a/modules/repository-url/src/test/resources/org/opensearch/bootstrap/test.policy b/modules/repository-url/src/test/resources/org/opensearch/bootstrap/test.policy
new file mode 100644
index 0000000000000..d12a572391ffb
--- /dev/null
+++ b/modules/repository-url/src/test/resources/org/opensearch/bootstrap/test.policy
@@ -0,0 +1,11 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+ permission java.net.SocketPermission "*", "connect";
+};
diff --git a/plugins/discovery-ec2/src/test/resources/org/opensearch/bootstrap/test.policy b/plugins/discovery-ec2/src/test/resources/org/opensearch/bootstrap/test.policy
new file mode 100644
index 0000000000000..d12a572391ffb
--- /dev/null
+++ b/plugins/discovery-ec2/src/test/resources/org/opensearch/bootstrap/test.policy
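Review bot: The added `assertThrows(SecurityException.class, () -> new Socket("localhost", 9200));` in testConnections exercises only the connecting constructor, so the explicit `connect` overloads named in the commit title and any subclass picked up by `isSubTypeOf(Socket.class)` remain untested. An unconnected-socket case would pin that path: `try (Socket s = new Socket()) { assertThrows(SecurityException.class, () -> s.connect(new InetSocketAddress("localhost", 9200))); }`. The constructor form also leaves an open socket that is never closed if interception regresses while something is listening on that port. testConnections begins above this hunk, so whether localhost:9200 is denied by the policy in force for this test cannot be checked from here.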
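Review bot: `permission java.net.SocketPermission "*", "connect";` sits in a `grant` block with no `codeBase`, so every class loaded during this module's tests may connect to any host and port, which presumably turns the new Socket interception into a no-op for the whole test run. The identical grant is added for plugins/discovery-ec2 and plugins/repository-s3 in the two files that follow. If these tests only reach local fixtures, a narrower target such as `permission java.net.SocketPermission "127.0.0.1:*", "connect,resolve";` (constructed example, the real endpoints are not visible in this diff) would keep the check meaningful for everything else. Either way the file should say why the grant exists, for example `// Test fixtures connect through java.net.Socket, which the agent now intercepts.`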
@@ -0,0 +1,11 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+ permission java.net.SocketPermission "*", "connect";
+};
diff --git a/plugins/repository-s3/src/test/resources/org/opensearch/bootstrap/test.policy b/plugins/repository-s3/src/test/resources/org/opensearch/bootstrap/test.policy
new file mode 100644
index 0000000000000..d12a572391ffb
--- /dev/null
+++ b/plugins/repository-s3/src/test/resources/org/opensearch/bootstrap/test.policy
@@ -0,0 +1,11 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+grant {
+ permission java.net.SocketPermission "*", "connect";
+};