lucene/tools/junit4/tests.policy - lucene-solr - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 // Policy file for lucene tests. Please keep minimal and avoid wildcards.

 grant {
   // contain read access to only what we need:
   // 3rd party jar resources (where symlinks are not supported), test-files/ resources
   permission java.io.FilePermission "${common.dir}${/}-", "read";
   // 3rd party jar resources (where symlinks are supported)
   permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
   // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
   permission java.io.FilePermission "${java.home}${/}-", "read,execute";
   // should be enclosed within common.dir, but just in case:
   permission java.io.FilePermission "${junit4.childvm.cwd}", "read";

   // write only to sandbox
   permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
   permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
   permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
   permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
   permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
   permission java.io.FilePermission "${tests.linedocsfile}", "read";

   // misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created
   permission java.nio.file.LinkPermission "hard";
   // needed by SSD detection tests in TestIOUtils (creates symlinks)
   permission java.nio.file.LinkPermission "symbolic";

   // needed by gson serialization of junit4 runner: TODO clean that up
   permission java.lang.RuntimePermission "accessDeclaredMembers";
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   // needed by junit4 runner to capture sysout/syserr:
   permission java.lang.RuntimePermission "setIO";
   // needed by randomized runner to catch failures from other threads:
   permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
   // needed by randomized runner getTopThreadGroup:
   permission java.lang.RuntimePermission "modifyThreadGroup";
   // needed by tests e.g. shutting down executors:
   permission java.lang.RuntimePermission "modifyThread";
   // needed for tons of test hacks etc
   permission java.lang.RuntimePermission "getStackTrace";
   // needed for mock filesystems in tests
   permission java.lang.RuntimePermission "fileSystemProvider";
   // needed for test of IOUtils.spins (maybe it can be avoided)
   permission java.lang.RuntimePermission "getFileStoreAttributes";
   // analyzers/uima: needed by lucene expressions' JavascriptCompiler
   permission java.lang.RuntimePermission "createClassLoader";
   // needed to test unmap hack on platforms that support it
   permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
   // needed by cyberneko usage by benchmarks on J9
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util";
   // needed by jacoco to dump coverage
   permission java.lang.RuntimePermission "shutdownHooks";
   // needed by org.apache.logging.log4j
   permission java.lang.RuntimePermission "getenv.*";
   permission java.lang.RuntimePermission "getClassLoader";
   permission java.lang.RuntimePermission "setContextClassLoader";

   // TestLockFactoriesMultiJVM opens a random port on 127.0.0.1 (port 0 = ephemeral port range):
   permission java.net.SocketPermission "127.0.0.1:0", "accept,listen,resolve";

   // read access to all system properties:
   permission java.util.PropertyPermission "*", "read";
   // write access to only these:
   // locale randomization
   permission java.util.PropertyPermission "user.language", "write";
   // timezone randomization
   permission java.util.PropertyPermission "user.timezone", "write";

   // CMS randomization
   permission java.util.PropertyPermission "lucene.cms.override_core_count", "write";
   permission java.util.PropertyPermission "lucene.cms.override_spins", "write";

   // used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this
   permission java.util.PropertyPermission "tests.runnested", "write";

   // solr properties. TODO: move these out to SolrTestCase
   permission java.util.PropertyPermission "solr.data.dir", "write";
   permission java.util.PropertyPermission "solr.solr.home", "write";
   permission java.util.PropertyPermission "solr.directoryFactory", "write";

   // replicator: jetty tests require some network permissions:
   // all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
   permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
   permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
   permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";

   // SSL related properties for jetty
   permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
   permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";

   // allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
   permission java.security.SecurityPermission "createAccessControlContext";
 };
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	// Policy file for lucene tests. Please keep minimal and avoid wildcards.

	grant {
	// contain read access to only what we need:
	// 3rd party jar resources (where symlinks are not supported), test-files/ resources
	permission java.io.FilePermission "${common.dir}${/}-", "read";
	// 3rd party jar resources (where symlinks are supported)
	permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read";
	// system jar resources, and let TestIndexWriterOnJRECrash fork its jvm
	permission java.io.FilePermission "${java.home}${/}-", "read,execute";
	// should be enclosed within common.dir, but just in case:
	permission java.io.FilePermission "${junit4.childvm.cwd}", "read";

	// write only to sandbox
	permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
	permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
	permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
	permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
	permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
	permission java.io.FilePermission "${tests.linedocsfile}", "read";

	// misc HardlinkCopyDirectoryWrapper needs this to test if hardlinks can be created
	permission java.nio.file.LinkPermission "hard";
	// needed by SSD detection tests in TestIOUtils (creates symlinks)
	permission java.nio.file.LinkPermission "symbolic";

	// needed by gson serialization of junit4 runner: TODO clean that up
	permission java.lang.RuntimePermission "accessDeclaredMembers";
	permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
	// needed by junit4 runner to capture sysout/syserr:
	permission java.lang.RuntimePermission "setIO";
	// needed by randomized runner to catch failures from other threads:
	permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
	// needed by randomized runner getTopThreadGroup:
	permission java.lang.RuntimePermission "modifyThreadGroup";
	// needed by tests e.g. shutting down executors:
	permission java.lang.RuntimePermission "modifyThread";
	// needed for tons of test hacks etc
	permission java.lang.RuntimePermission "getStackTrace";
	// needed for mock filesystems in tests
	permission java.lang.RuntimePermission "fileSystemProvider";
	// needed for test of IOUtils.spins (maybe it can be avoided)
	permission java.lang.RuntimePermission "getFileStoreAttributes";
	// analyzers/uima: needed by lucene expressions' JavascriptCompiler
	permission java.lang.RuntimePermission "createClassLoader";
	// needed to test unmap hack on platforms that support it
	permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
	// needed by cyberneko usage by benchmarks on J9
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.xerces.util";
	// needed by jacoco to dump coverage
	permission java.lang.RuntimePermission "shutdownHooks";
	// needed by org.apache.logging.log4j
	permission java.lang.RuntimePermission "getenv.*";
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "setContextClassLoader";

	// TestLockFactoriesMultiJVM opens a random port on 127.0.0.1 (port 0 = ephemeral port range):
	permission java.net.SocketPermission "127.0.0.1:0", "accept,listen,resolve";

	// read access to all system properties:
	permission java.util.PropertyPermission "*", "read";
	// write access to only these:
	// locale randomization
	permission java.util.PropertyPermission "user.language", "write";
	// timezone randomization
	permission java.util.PropertyPermission "user.timezone", "write";

	// CMS randomization
	permission java.util.PropertyPermission "lucene.cms.override_core_count", "write";
	permission java.util.PropertyPermission "lucene.cms.override_spins", "write";

	// used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this
	permission java.util.PropertyPermission "tests.runnested", "write";

	// solr properties. TODO: move these out to SolrTestCase
	permission java.util.PropertyPermission "solr.data.dir", "write";
	permission java.util.PropertyPermission "solr.solr.home", "write";
	permission java.util.PropertyPermission "solr.directoryFactory", "write";

	// replicator: jetty tests require some network permissions:
	// all possibilities of accepting/binding/connecting on localhost with ports >= 1024:
	permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve";
	permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve";
	permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve";

	// SSL related properties for jetty
	permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm";
	permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm";

	// allows LuceneTestCase#runWithRestrictedPermissions to execute with lower (or no) permission
	permission java.security.SecurityPermission "createAccessControlContext";
	};