
Forbid granting the all permission in production

Running with the all permission (java.security.AllPermission) granted is
equivalent to disabling the security manager. This commit adds a
bootstrap check that forbids running with this permission granted.

Relates #27548
Jason Tedor 8 years ago
parent
commit
d8c28044da

+ 25 - 0
core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java

@@ -38,6 +38,7 @@ import java.io.BufferedReader;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.AllPermission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -210,6 +211,7 @@ final class BootstrapChecks {
         checks.add(new OnOutOfMemoryErrorCheck());
         checks.add(new EarlyAccessCheck());
         checks.add(new G1GCCheck());
+        checks.add(new AllPermissionCheck());
         return Collections.unmodifiableList(checks);
     }
 
@@ -692,4 +694,27 @@ final class BootstrapChecks {
 
     }
 
+    static class AllPermissionCheck implements BootstrapCheck {
+
+        @Override
+        public final BootstrapCheckResult check(BootstrapContext context) {
+            if (isAllPermissionGranted()) {
+                return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
+            }
+            return BootstrapCheckResult.success();
+        }
+
+        boolean isAllPermissionGranted() {
+            final SecurityManager sm = System.getSecurityManager();
+            assert sm != null;
+            try {
+                sm.checkPermission(new AllPermission());
+            } catch (final SecurityException e) {
+                return false;
+            }
+            return true;
+        }
+
+    }
+
 }
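Review bot: `assert sm != null` in isAllPermissionGranted only guards the missing-security-manager case while assertions are enabled; with assertions off, `sm.checkPermission` on the following line throws a NullPointerException that surfaces as an unexplained crash rather than a check result. If the security manager is expected to be installed before the bootstrap checks run, as the assertion presumes, an explicit failure says so: `if (sm == null) { throw new IllegalStateException("security manager must be installed before running bootstrap checks"); }`. In check(), the failure branch spells out `BootstrapCheck.BootstrapCheckResult.failure(...)` while the success branch uses the unqualified `BootstrapCheckResult.success()`; one form for both reads more consistently. The class also lacks a Javadoc; a one-liner such as `/** Fails bootstrap when the effective policy grants {@link AllPermission} to the calling context, which is equivalent to running without a security manager. */` would record why the check exists.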

+ 20 - 1
core/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java

@@ -45,7 +45,6 @@ import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.hamcrest.Matchers.hasToString;
-import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
@@ -690,6 +689,26 @@ public class BootstrapChecksTests extends ESTestCase {
         BootstrapChecks.check(defaultContext, true, Collections.singletonList(nonJava8Check), "testG1GCCheck");
     }
 
+    public void testAllPermissionCheck() throws NodeValidationException {
+        final AtomicBoolean isAllPermissionGranted = new AtomicBoolean(true);
+        final BootstrapChecks.AllPermissionCheck allPermissionCheck = new BootstrapChecks.AllPermissionCheck() {
+            @Override
+            boolean isAllPermissionGranted() {
+                return isAllPermissionGranted.get();
+            }
+        };
+
+        final List<BootstrapCheck> checks = Collections.singletonList(allPermissionCheck);
+        final NodeValidationException e = expectThrows(
+                NodeValidationException.class,
+                () -> BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck"));
+        assertThat(e, hasToString(containsString("granting the all permission effectively disables security")));
+
+        // if all permissions are not granted, nothing should happen
+        isAllPermissionGranted.set(false);
+        BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck");
+    }
+
     public void testAlwaysEnforcedChecks() {
         final BootstrapCheck check = new BootstrapCheck() {
             @Override
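Review bot: The check name passed to BootstrapChecks.check is `"testIsAllPermissionCheck"` on both call lines although the method is `testAllPermissionCheck`; the neighbouring test on the line above appears to pass its own method name (`"testG1GCCheck"`), so `"testAllPermissionCheck"` would keep that convention. The anonymous subclass overrides `isAllPermissionGranted()`, so the real `System.getSecurityManager()` probe in BootstrapChecks is never exercised here; that is reasonable for a unit test, but a comment making the stub explicit would help the next reader, e.g. `// stub the security-manager probe so the test does not depend on the test JVM's policy`.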

+ 6 - 0
docs/reference/setup/bootstrap-checks.asciidoc

@@ -227,3 +227,9 @@ have issues that can lead to index corruption when the G1GC collector is
 enabled.  The versions impacted are those earlier than the version of
 HotSpot that shipped with JDK 8u40. The G1GC check detects these early
 versions of the HotSpot JVM.
+
+=== All permission check
+
+The all permission check ensures that the security policy used during bootstrap
+does not grant the `java.security.AllPermission` to Elasticsearch. Running with
+the all permission granted is equivalent to disabling the security manager.