/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ // Policy file for lucene tests. Please keep minimal and avoid wildcards. grant { // contain read access to only what we need: // 3rd party jar resources (where symlinks are not supported), test-files/ resources permission java.io.FilePermission "${common.dir}${/}-", "read"; // 3rd party jar resources (where symlinks are supported) permission java.io.FilePermission "${user.home}${/}.ivy2${/}cache${/}-", "read"; // system jar resources, and let TestIndexWriterOnJRECrash fork its jvm permission java.io.FilePermission "${java.home}${/}-", "read,execute"; // should be enclosed within common.dir, but just in case: permission java.io.FilePermission "${junit4.childvm.cwd}", "read"; // jenkins wants to read outside its sandbox, to use a special linedocs file. // this is best effort and not really supported. permission java.io.FilePermission "/home/jenkins/lucene-data/enwiki.random.lines.txt", "read"; // write only to sandbox permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete"; permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete"; permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete"; // needed by gson serialization of junit4 runner: TODO clean that up permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // needed by junit4 runner to capture sysout/syserr: permission java.lang.RuntimePermission "setIO"; // needed by randomized runner to catch failures from other threads: permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; // needed by randomized runner getTopThreadGroup: permission java.lang.RuntimePermission "modifyThreadGroup"; // needed by tests e.g. shutting down executors: permission java.lang.RuntimePermission "modifyThread"; // needed for tons of test hacks etc permission java.lang.RuntimePermission "getStackTrace"; // needed for mock filesystems in tests permission java.lang.RuntimePermission "fileSystemProvider"; // needed for mock filesystems in tests (to capture implCloseChannel) permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; // needed by junit nested compat tests (due to static fields reflection), TODO clean these up: permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar"; permission java.lang.RuntimePermission "accessClassInPackage.sun.util.locale"; permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.fs"; // needed by queryparser/ NLS., TODO clean this up: permission java.lang.RuntimePermission "accessClassInPackage.sun.util"; // needed for test of IOUtils.spins (maybe it can be avoided) permission java.lang.RuntimePermission "getFileStoreAttributes"; // analyzers/morfologik: needed for a horrible context classloader hack for solr in morfologikfilter: nuke this permission java.lang.RuntimePermission "setContextClassLoader"; // analyzers/uima: needed by UIMA message localization... (?) permission java.lang.RuntimePermission "createSecurityManager"; permission java.lang.RuntimePermission "createClassLoader"; // expressions TestCustomFunctions (only on java7?) permission java.lang.RuntimePermission "getClassLoader"; // needed to test unmap hack on platforms that support it permission java.lang.RuntimePermission "accessClassInPackage.sun.misc"; // read access to all system properties: permission java.util.PropertyPermission "*", "read"; // write access to only these: // locale randomization permission java.util.PropertyPermission "user.language", "write"; // timezone randomization permission java.util.PropertyPermission "user.timezone", "write"; // used by nested tests? (e.g. TestLeaveFilesIfTestFails). TODO: look into this permission java.util.PropertyPermission "tests.runnested", "write"; // solr properties. TODO: move these out to SolrTestCase permission java.util.PropertyPermission "solr.data.dir", "write"; permission java.util.PropertyPermission "solr.solr.home", "write"; permission java.util.PropertyPermission "solr.directoryFactory", "write"; // replicator: jetty tests require some network permissions: // all possibilities of accepting/binding/connecting on localhost with ports >= 1024: permission java.net.SocketPermission "localhost:1024-", "accept,listen,connect,resolve"; permission java.net.SocketPermission "127.0.0.1:1024-", "accept,listen,connect,resolve"; permission java.net.SocketPermission "[::1]:1024-", "accept,listen,connect,resolve"; // This is a special case, because the network config of the ASF Jenkins server is broken, // see: http://freebsd.1045724.n5.nabble.com/jail-external-and-localhost-distinction-td3967320.html permission java.net.SocketPermission "lucene.zones.apache.org:1024-", "accept,listen,connect,resolve"; // SSL related properties for jetty permission java.security.SecurityPermission "getProperty.ssl.KeyManagerFactory.algorithm"; permission java.security.SecurityPermission "getProperty.ssl.TrustManagerFactory.algorithm"; };