From a45bb4d6371f3e215dc7719f09871fcc419f5c0e Mon Sep 17 00:00:00 2001
From: Andriy Redko
Date: Mon, 7 Apr 2025 12:42:15 -0400
Subject: [PATCH] Fix FileInterceptor to deduct the access level from the list of OpenOption
Signed-off-by: Andriy Redko
---
 .../opensearch/javaagent/FileInterceptor.java | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java
index 605aa5a7d31df..823b4e4fe0726 100644
--- a/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java
+++ b/libs/agent-sm/agent/src/main/java/org/opensearch/javaagent/FileInterceptor.java
@@ -12,8 +12,10 @@
 import java.io.FilePermission;
 import java.lang.reflect.Method;
+import java.nio.file.OpenOption;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.StandardOpenOption;
 import java.security.Policy;
 import java.security.ProtectionDomain;
 import java.util.Collection;
@@ -59,13 +61,21 @@ public static void intercept(@Advice.AllArguments Object[] args, @Advice.Origin
 final Collection callers = walker.walk(StackCallerProtectionDomainChainExtractor.INSTANCE);
 final String name = method.getName();
- final boolean isMutating = name.equals("copy")
- || name.equals("move")
- || name.equals("write")
- || name.equals("newByteChannel")
- || name.startsWith("create");
+ boolean isMutating = name.equals("copy") || name.equals("move") || name.equals("write") || name.startsWith("create");
 final boolean isDelete = isMutating == false ? name.startsWith("delete") : false;
+ if (isMutating == false && isDelete == false && name.equals("newByteChannel") == true) {
+ if (args.length > 1 && args[1] instanceof OpenOption[] opts) {
+ for (final OpenOption opt : opts) {
+ if (opt != StandardOpenOption.READ) {
+ isMutating = true;
+ break;
+ }
+ }
+
+ }
+ }
+
 // Check each permission separately
 for (final ProtectionDomain domain : callers) {
 // Handle FileChannel.open() separately to check read/write permissions properly
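Review bot: The new `newByteChannel` branch fails open, because `isMutating` is raised only when `args[1]` is an `OpenOption[]`. A call through `Files.newByteChannel(Path, Set<? extends OpenOption>, FileAttribute<?>...)` passes a `Set` in that position, so it stays classified as non-mutating even when the set contains WRITE or CREATE, whereas before this change every `newByteChannel` call was treated as mutating. Whether that overload reaches this advice depends on the instrumentation matcher, which is outside the hunk, so it is worth confirming. I would accept a `Collection` as well as the array and keep the mutating classification whenever the argument shape is not recognised, as sketched below; the `== true` on the name check can also go. The body of `intercept` starts and continues outside the hunk.

```java
// … unchanged: isMutating / isDelete initialisation …
if (isMutating == false && isDelete == false && name.equals("newByteChannel")) {
    Object[] opts = null;
    if (args.length > 1 && args[1] instanceof OpenOption[] array) {
        opts = array;
    } else if (args.length > 1 && args[1] instanceof Collection<?> set) {
        // Files.newByteChannel(Path, Set<? extends OpenOption>, FileAttribute<?>...)
        opts = set.toArray();
    }
    // Fail closed: an unrecognised argument shape keeps the write-level check.
    isMutating = opts == null;
    if (opts != null) {
        for (final Object opt : opts) {
            if (opt != StandardOpenOption.READ) {
                isMutating = true;
                break;
            }
        }
    }
}
// … unchanged: per-domain permission checks …
```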