| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| // Policy file for lucene tests. Please keep minimal and avoid wildcards. |
| |
| grant { |
| // let TestIndexWriterOnJRECrash fork its jvm |
| permission java.io.FilePermission "${java.home}${/}-", "read,execute"; |
| |
| // test-files/ resources |
| permission java.io.FilePermission "${common.dir}${/}-", "read"; |
| // classpath-as-file, eg getDataPath, and only rarely (this acts like a JDK bug...) |
| permission java.io.FilePermission ".", "read"; |
| |
| // write only to sandbox |
| permission java.io.FilePermission "${tests.linedocsfile}", "read"; |
| permission java.io.FilePermission "${java.io.tmpdir}", "read,write"; |
| permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete"; |
| |
| // misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created |
| permission java.nio.file.LinkPermission "hard"; |
| // needed by SSD detection tests in TestIOUtils (creates symlinks) |
| permission java.nio.file.LinkPermission "symbolic"; |
| |
| // needed by randomizedtesting runner to identify test methods. |
| permission java.lang.RuntimePermission "accessDeclaredMembers"; |
| // needed by certain tests to capture sysout/syserr: |
| permission java.lang.RuntimePermission "setIO"; |
| // needed by randomized runner to catch failures from other threads: |
| permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; |
| // needed by randomized runner getTopThreadGroup: |
| permission java.lang.RuntimePermission "modifyThreadGroup"; |
| // needed by tests e.g. shutting down executors: |
| permission java.lang.RuntimePermission "modifyThread"; |
| // needed for tons of test hacks etc |
| permission java.lang.RuntimePermission "getStackTrace"; |
| // needed for mock filesystems in tests |
| permission java.lang.RuntimePermission "fileSystemProvider"; |
| // analyzers/uima: needed by lucene expressions' JavascriptCompiler |
| permission java.lang.RuntimePermission "createClassLoader"; |
| // needed to test unmap hack on platforms that support it |
| permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; |
| permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; |
| // needed by cyberneko usage by benchmarks on J9 |
| permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util"; |
| // needed by org.apache.logging.log4j |
| permission java.lang.RuntimePermission "getenv.*"; |
| permission java.lang.RuntimePermission "getClassLoader"; |
| permission java.lang.RuntimePermission "setContextClassLoader"; |
| |
| // Needed for loading native library (lucene:misc:native) in lucene:misc |
| permission java.lang.RuntimePermission "getFileStoreAttributes"; |
| permission java.lang.RuntimePermission "writeFileDescriptor"; |
| |
| // TestLockFactoriesMultiJVM opens a random port on 127.0.0.1 (port 0 = ephemeral port range): |
| permission java.net.SocketPermission "127.0.0.1:0", "accept,listen,resolve"; |
| |
| // read access to all system properties: |
| permission java.util.PropertyPermission "*", "read"; |
| // write access to only these: |
| // locale randomization |
| permission java.util.PropertyPermission "user.language", "write"; |
| // timezone randomization |
| permission java.util.PropertyPermission "user.timezone", "write"; |
| |
| // CMS randomization |
| permission java.util.PropertyPermission "lucene.cms.override_core_count", "write"; |
| |
| // used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this |
| permission java.util.PropertyPermission "tests.runnested", "write"; |
| |
| // solr properties. TODO: move these out to SolrTestCase |
| permission java.util.PropertyPermission "solr.data.dir", "write"; |
| permission java.util.PropertyPermission "solr.solr.home", "write"; |
| permission java.util.PropertyPermission "solr.directoryFactory", "write"; |
| |
| // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission |
| permission java.security.SecurityPermission "createAccessControlContext"; |
| |
| // Hunspell regression and validation tests can read from external files |
| // specified in system properties. |
| permission java.io.FilePermission "${hunspell.repo.path}${/}-", "read"; |
| permission java.io.FilePermission "${hunspell.corpora}${/}-", "read"; |
| permission java.io.FilePermission "${hunspell.dictionaries}", "read"; |
| permission java.io.FilePermission "${hunspell.dictionaries}${/}-", "read"; |
| }; |
| |
| // Permissions to support ant build |
| grant { |
| permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read"; |
| permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete"; |
| permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete"; |
| permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write"; |
| // needed by jacoco to dump coverage on shutdown |
| permission java.lang.RuntimePermission "shutdownHooks"; |
| }; |
| |
| // Grant all permissions to Gradle test runner classes. |
| grant codeBase "file:${gradle.lib.dir}${/}-" { |
| permission java.security.AllPermission; |
| }; |
| |
| grant codeBase "file:${gradle.worker.jar}" { |
| permission java.security.AllPermission; |
| }; |
| |
| grant { |
| // Allow reading gradle worker JAR. |
| permission java.io.FilePermission "${gradle.worker.jar}", "read"; |
| // Allow reading from classpath JARs (resources). |
| permission java.io.FilePermission "${gradle.user.home}${/}-", "read"; |
| }; |
| |