From 469842f378eb5c6fe716583df005ef4c4dd2a5c5 Mon Sep 17 00:00:00 2001
From: Karen X <karenxyr@gmail.com>
Date: Fri, 23 Jan 2026 00:56:54 +0000
Subject: [PATCH 1/4] [GRPC] Add security policy for transport-grpc

Signed-off-by: Karen X <karenxyr@gmail.com>
---
 CHANGELOG.md                                                   | 1 +
 .../src/main/plugin-metadata/plugin-security.policy            | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fb4938940f7f..b5ec485a8ca60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Adding BackWardCompatibility test for remote publication enabled cluster ([#20221](https://github.com/opensearch-project/OpenSearch/pull/20221))
 - Support for hll field mapper to support cardinality rollups ([#20129](https://github.com/opensearch-project/OpenSearch/pull/20129))
 - Introduce new libs/netty4 module to share common implementation between netty-based plugins and modules (transport-netty4, transport-reactor-netty4) ([#20447](https://github.com/opensearch-project/OpenSearch/pull/20447))
+- Add security policy to allow deleting temporary socket files in `java.io.tmpdir` in `transport-grpc` module ([#20463](https://github.com/opensearch-project/OpenSearch/pull/20463))
 
 ### Changed
 - Handle custom metadata files in subdirectory-store ([#20157](https://github.com/opensearch-project/OpenSearch/pull/20157))
diff --git a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
index 398de576b6c5a..990fed6ef19eb 100644
--- a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
@@ -15,4 +15,7 @@ grant codeBase "${codebase.grpc-netty-shaded}" {
 
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "*", "setContextClassLoader";
+
+   // Netty on Windows creates temporary files for pipe-based IPC during NIO selector initialization
+   permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
 };

From dfb1d74051b2eced4d4563624a9777f4929d6982 Mon Sep 17 00:00:00 2001
From: Karen X <karenxyr@gmail.com>
Date: Fri, 23 Jan 2026 01:05:01 +0000
Subject: [PATCH 2/4] more granular

Signed-off-by: Karen X <karenxyr@gmail.com>
---
 .../src/main/plugin-metadata/plugin-security.policy           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
index 990fed6ef19eb..38691d183f1a5 100644
--- a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
@@ -16,6 +16,6 @@ grant codeBase "${codebase.grpc-netty-shaded}" {
    // Netty sets custom classloader for some of its internal threads
    permission java.lang.RuntimePermission "*", "setContextClassLoader";
 
-   // Netty on Windows creates temporary files for pipe-based IPC during NIO selector initialization
-   permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
+   // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files
+   permission java.io.FilePermission "${java.io.tmpdir}${/}socket_*", "delete";
 };

From acd58557f954714cbcb164de8bc39c09561c624e Mon Sep 17 00:00:00 2001
From: Karen X <karenxyr@gmail.com>
Date: Tue, 3 Feb 2026 21:20:19 -0800
Subject: [PATCH 3/4] Update
 modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy

Co-authored-by: Andriy Redko <drreta@gmail.com>
Signed-off-by: Karen X <karenxyr@gmail.com>
---
 .../src/main/plugin-metadata/plugin-security.policy             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
index 38691d183f1a5..394379e3d85f7 100644
--- a/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/transport-grpc/src/main/plugin-metadata/plugin-security.policy
@@ -17,5 +17,5 @@ grant codeBase "${codebase.grpc-netty-shaded}" {
    permission java.lang.RuntimePermission "*", "setContextClassLoader";
 
    // Netty on Windows uses WEPollSelectorImpl which needs to delete temporary socket files
-   permission java.io.FilePermission "${java.io.tmpdir}${/}socket_*", "delete";
+   permission java.net.NetPermission "accessUnixDomainSocket";
 };

From 53adec5bf60342e6139cfc7a50d8ccecf956be95 Mon Sep 17 00:00:00 2001
From: Karen X <karenxyr@gmail.com>
Date: Thu, 5 Feb 2026 13:56:27 -0800
Subject: [PATCH 4/4] update changelog

Signed-off-by: Karen X <karenxyr@gmail.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96d8e4154ce50..23f98bdcde81c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [Unreleased 3.x]
 ### Added
 - Support expected cluster name with validation in CCS Sniff mode ([#20532](https://github.com/opensearch-project/OpenSearch/pull/20532))
-- Add security policy to allow deleting temporary socket files in `java.io.tmpdir` in `transport-grpc` module ([#20463](https://github.com/opensearch-project/OpenSearch/pull/20463))
+- Add security policy to allow `accessUnixDomainSocket` in `transport-grpc` module ([#20463](https://github.com/opensearch-project/OpenSearch/pull/20463))
 
 ### Changed