Add a restricted security policy for CRIU

Signed-off-by: Zainab Fatmi <zainab@ibm.com>
ibmruntimes · Nov 11, 2022 · cbee774 · cbee774
1 parent 8a57641
commit cbee774
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/.../src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java b/.../src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
@@ -37,6 +37,10 @@
 
 import sun.security.util.Debug;
 
+/*[IF CRIU_SUPPORT]*/
+import openj9.internal.criu.InternalCRIUSupport;
+/*[ENDIF] CRIU_SUPPORT*/
+
 /**
  * Configures the security providers when in restricted security mode.
  */
@@ -72,8 +76,18 @@ public String[] run() {
                     }
                 });
         userEnabledFIPS = Boolean.parseBoolean(props[0]);
+        String securitySetting = props[1];
         // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1.
-        userSecuritySetting = userEnabledFIPS ? "1" : props[1];
+        if (Boolean.parseBoolean(props[0])) {
+            securitySetting = "1";
+        }
+ /*[IF CRIU_SUPPORT]*/
+        // If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
+        if (InternalCRIUSupport.isCheckpointAllowed()) {
+            securitySetting = "2";
+        }
+ /*[ENDIF] CRIU_SUPPORT*/
+        userSecuritySetting = securitySetting;
         userEnabledSecurity = !isNullOrBlank(userSecuritySetting);
         isSecuritySupported = "Linux".equalsIgnoreCase(props[2])
                 && supportPlatforms.contains(props[3]);
@@ -86,14 +100,24 @@ private RestrictedSecurityConfigurator() {
 
     /**
      * Restricted security mode will be enabled only if the semeru.fips system
-     * property is true (default as false).
+     * property is true (default as false), or semeru.restrictedsecurity is set,
+     * or CRIU checkpoint mode is enabled.
      *
      * @return true if restricted security is enabled
      */
     public static boolean isEnabled() {
         return securityEnabled;
     }
 
+/*[IF CRIU_SUPPORT]*/
+    /**
+     * Disables the restricted security mode.
+     */
+    public static void disable() {
+        securityEnabled = false;
+    }
+/*[ENDIF] CRIU_SUPPORT*/
+
     /**
      * Remove the security providers and only add the restricted security providers.
      *

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -135,6 +135,26 @@ RestrictedSecurity1.javax.net.ssl.keyStore = NONE
 
 RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
 RestrictedSecurity1.securerandom.algorithm = PKCS11
+
+RestrictedSecurity2.desc.name = CRIU
+RestrictedSecurity2.desc.number = 1
+RestrictedSecurity2.desc.policy = Security
+RestrictedSecurity2.desc.sunsetDate = 2030-01-01
+
+RestrictedSecurity2.tls.disabledNamedCurves =
+RestrictedSecurity2.tls.disabledAlgorithms =
+RestrictedSecurity2.tls.ephemeralDHKeySize =
+RestrictedSecurity2.tls.legacyAlgorithms =
+
+RestrictedSecurity2.jce.certpath.disabledAlgorithms =
+RestrictedSecurity2.jce.legacyAlgorithms =
+RestrictedSecurity2.jce.provider.1 = openj9.internal.criu.CRIUSECProvider
+
+RestrictedSecurity2.keystore.type =
+RestrictedSecurity2.javax.net.ssl.keyStore =
+
+RestrictedSecurity2.securerandom.provider = CRIUSEC
+RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
 #endif
 
 #