7 months ago · 494ec9f124
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -34,6 +34,7 @@ import org.elasticsearch.entitlement.runtime.policy.entitlements.ManageThreadsEn
 
				 import org.elasticsearch.entitlement.runtime.policy.entitlements.OutboundNetworkEntitlement;
			
 
				 import org.elasticsearch.entitlement.runtime.policy.entitlements.ReadStoreAttributesEntitlement;
			
 
				 import org.elasticsearch.entitlement.runtime.policy.entitlements.SetHttpsConnectionPropertiesEntitlement;
			
 
				+import org.elasticsearch.entitlement.runtime.policy.entitlements.WriteSystemPropertiesEntitlement;
			
 
				 
			
 
				 import java.lang.instrument.Instrumentation;
			
 
				 import java.lang.reflect.Constructor;
			
@@ -262,15 +263,17 @@ public class EntitlementInitialization {
 
				         var serverPolicy = new Policy("server", serverScopes);
			
 
				         // agents run without a module, so this is a special hack for the apm agent
			
 
				         // this should be removed once https://github.com/elastic/elasticsearch/issues/109335 is completed
			
 
				+        // See also modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
			
 
				         List<Entitlement> agentEntitlements = List.of(
			
 
				             new CreateClassLoaderEntitlement(),
			
 
				             new ManageThreadsEntitlement(),
			
 
				             new SetHttpsConnectionPropertiesEntitlement(),
			
 
				             new OutboundNetworkEntitlement(),
			
 
				+            new WriteSystemPropertiesEntitlement(Set.of("AsyncProfiler.safemode")),
			
 
				+            new LoadNativeLibrariesEntitlement(),
			
 
				             new FilesEntitlement(
			
 
				                 List.of(
			
 
				-                    FileData.ofPath(Path.of("/co/elastic/apm/agent/"), READ),
			
 
				-                    FileData.ofPath(Path.of("/agent/co/elastic/apm/agent/"), READ),
			
 
				+                    FileData.ofPath(bootstrapArgs.logsDir(), READ_WRITE),
			
 
				                     FileData.ofPath(Path.of("/proc/meminfo"), READ),
			
 
				                     FileData.ofPath(Path.of("/sys/fs/cgroup/"), READ)
			
 
				                 )
			
--- a/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/modules/apm/src/main/plugin-metadata/entitlement-policy.yaml
@@ -83,9 +83,3 @@ org.elasticsearch.telemetry.apm:
 
				         - elastic.apm.application_packages
			
 
				         - elastic.apm.stack_trace_limit
			
 
				         - elastic.apm.span_stack_trace_min_duration
			
 
				-elastic.apm.agent:
			
 
				-  - set_https_connection_properties
			
 
				-  - write_system_properties:
			
 
				-      properties:
			
 
				-        - AsyncProfiler.safemode
			
 
				-  - load_native_libraries