From 5d8dc569cb5696c81bb602d14da30c3cf16a665e Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Wed, 10 Aug 2016 11:47:22 -0400
Subject: [PATCH 1/2] Mark halting the virtual machine as privileged

Today in the uncaught exception handler, we attempt to halt the virtual machine on fatal errors. Yet, halting the virtual machine requires privileges which might not be granted to the caller when the exception is thrown for example from a scripting engine. This means that if an OutOfMemoryError or another fatal error is hit inside a script, the virtual machine will not exit because the halt call will be denied for securiry privileges. In this commit, we mark this halt call as trusted so that the virtual machine can be halted if a fatal error is encountered in a script.

---
 .../ElasticsearchUncaughtExceptionHandler.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java b/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
index 405e919fabd49..4b2dadc2cc631 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
@@ -25,6 +25,8 @@ import org.elasticsearch.common.logging.Loggers;
 import java.io.IOError;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Objects;
 import java.util.function.Supplier;
@@ -87,8 +89,14 @@ void onNonFatalUncaught(final String threadName, final Throwable t) {
 // visible for testing
 @SuppressForbidden(reason = "halt")
 void halt(int status) {
- // we halt to prevent shutdown hooks from running
- Runtime.getRuntime().halt(status);
+ AccessController.doPrivileged(new PrivilegedAction() {
+ @Override
+ public Void run() {
+ // we halt to prevent shutdown hooks from running
+ Runtime.getRuntime().halt(status);
+ return null;
+ }
+ });
 }
 }

From 65369a6a04e41cafb9018cf0d414728ab2ca439f Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Wed, 10 Aug 2016 12:38:31 -0400
Subject: [PATCH 2/2] Everything in its right place

This commit removes a suppress forbidden annotation to the right place. This suppress forbidden annotation appeared in the wrong place after the forbidden method that it was suppressing was moved to a method on an anonymous class.

---
 .../bootstrap/ElasticsearchUncaughtExceptionHandler.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java b/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
index 4b2dadc2cc631..45d54ed4a6211 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/ElasticsearchUncaughtExceptionHandler.java
@@ -87,9 +87,9 @@ void onNonFatalUncaught(final String threadName, final Throwable t) {
 }
 // visible for testing
- @SuppressForbidden(reason = "halt")
 void halt(int status) {
 AccessController.doPrivileged(new PrivilegedAction() {
+ @SuppressForbidden(reason = "halt")
 @Override
 public Void run() {
 // we halt to prevent shutdown hooks from running
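Review bot: The added `AccessController.doPrivileged(new PrivilegedAction() {` uses the raw `PrivilegedAction` type even though `run()` is declared to return `Void`, so the call only compiles through an unchecked conversion; it should read `AccessController.doPrivileged(new PrivilegedAction<Void>() {`, and the same raw line survives as context in the PATCH 2/2 hunk below. The privileged block is already as small as it can be, which is the right shape, but the only comment inside it explains the halt rather than the elevation; a line such as `// run privileged: the failing thread may be inside a restricted protection domain (e.g. a script) that is not granted permission to halt` above the `doPrivileged` call would record the reason the commit message gives. Note that `doPrivileged` only stops the restricted frames below this one from being consulted, so the halt still depends on this handler's own codebase being granted the `exitVM` runtime permission by the policy, which the commit presumes and the diff cannot show. The class is marked `// visible for testing`, yet no test in this series exercises halting from a restricted domain, which is the scenario the change is meant to fix, so one would confirm the fix holds.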