[Entitlements] Refactor Network Entitlement

[ldematte]

This PR introduces specific Inbound (listen/accept/receive) and Outbound (connect/send) network entitlements, in place of the current NetworkEntitlement with actions.

Some changes are almost 1-1, with the exception of listen (bind): the SecurityManager "listen" permission is applied to every bind function (sometimes indirectly from a ctor); on server or datagram sockets, this should be thought as an inbound operation; on client sockets, it should not. I changed the checks and policies to reflect that.

Additional changes:

• removal of the instrumentation of HttpClientBuilderImpl#bind, as discussed during this PR review
• addition of missing checks in a second implementation of HttpClient#send/sendAsync

Relates to ES-10355

[elasticsearchmachine]

Pinging @elastic/es-core-infra (Team:Core/Infra)

[mosche]

Inbound?

[prdoyle]

Ooohh nice catch.

[ldematte]

Nope, this is on purpose: as I wrote in the description, I believe that bind on a client socket should be inbound outbound.
True, it was "listen" before, but "listen" was separate, a "3rd option", maybe also for this reason.
On a client socket, bind will make the OS bind :) this side of the connection to a port and interface/address, instead of using any local address/any available port.

[ldematte]

As opposed to bind on a server socket, which is basically a pre-step for accept, so it is definitely inbound. But correct me if you think this is incorrect

[mosche]

Makes sense, totally missed your comment in the description 👍

[mosche]

Inbound?

[ldematte]

Same as above

[mosche]

lgtm

[elasticsearchmachine]

💔 Backport failed

Status	Branch	Result
❌	8.x	Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 120391