Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a restricted security policy for CRIU #592

Draft
wants to merge 2 commits into
base: openj9
Choose a base branch
from
Draft

Add a restricted security policy for CRIU #592

wants to merge 2 commits into from

Conversation

ZainabF92
Copy link

@ZainabF92 ZainabF92 commented Nov 11, 2022
edited
Loading

Corresponding PR: eclipse-openj9/openj9#16314

This (the second commit) will enable the security restriction policy for InstantOn, it needs to be merged after openj9-openjdk-jdk11#586.

These changes still need to be tested, I only did preliminary testing. For the WAS workload that loads SunEC during checkpoint which causes a crash during restore, this change should output a trace to help locate the code that loads SunEC and disable it (@taoliult can help with that if needed).

Signed-off-by: Zainab Fatmi zainab@ibm.com

@taoliult
Java Restricted Security Mode
8a57641 
Signed-off-by: Tao Liu <tao.liu@ibm.com>
JasonFengJ9
JasonFengJ9 reviewed Nov 11, 2022
View reviewed changes
closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
/*[IF CRIU_SUPPORT]*/
// If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
if (InternalCRIUSupport.isCheckpointAllowed()) {
securitySetting = "2";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean the fips mode is not compatible w/ CRIU?

closed/src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java Show resolved Hide resolved
src/java.base/share/conf/security/java.security Show resolved Hide resolved
Add a restricted security policy for CRIU
1fb2d90 
Signed-off-by: Zainab Fatmi <zainab@ibm.com>
ZainabF92
ZainabF92 commented Nov 14, 2022
View reviewed changes
closed/src/java.base/share/classes/openj9/internal/criu/CRIUSEC.java
*/
public final class CRIUSECProvider extends Provider {
public final class CRIUSEC extends Provider {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: The provider name needs to be the same as the class name, since the class name is used by the restrictive mode configurator to determine if a provider is allowed or not.

ZainabF92
ZainabF92 commented Nov 14, 2022
View reviewed changes
src/java.base/share/conf/security/java.security
RestrictedSecurity2.javax.net.ssl.keyStore =

RestrictedSecurity2.securerandom.provider = CRIUSEC
RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@taoliult SecureRandom is still iterating through the provider list, instead of only instantiating this specified provider.

@taoliult
Copy link
Contributor

taoliult commented Nov 14, 2022
edited
Loading

@ZainabF92 @JasonFengJ9

From Zainab's checkpoint log file, if you see the following output, saying The provider XXXXX is not allowed in the restricted security mode, and then the stack output. That works as design, if the provider XXXXX is not listed in the java.security by using property "RestrictedSecurityN.jce.provider.N=", when in the restricted security mode.

[err] semerufips: Checking the provider sun.security.smartcardio.SunPCSC in the restricted security mode.
[err] semerufips: The provider SunPCSC is not allowed in the restricted security mode.
Stack trace:
	at openj9.internal.security.RestrictedSecurityProperties.isProviderAllowed(RestrictedSecurityProperties.java:449)
	at openj9.internal.security.RestrictedSecurityProperties.isProviderAllowed(RestrictedSecurityProperties.java:478)
	at java.util.ServiceLoader.loadProvider(ServiceLoader.java:920)
	at java.util.ServiceLoader$ModuleServicesLookupIterator.hasNext(ServiceLoader.java:1102)
	at java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1333)
	at java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1418)
	at sun.security.jca.ProviderConfig$ProviderLoader.load(ProviderConfig.java:353)
	at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:263)
	at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
	at java.security.AccessController.doPrivileged(AccessController.java:691)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:257)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:237)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
	at java.security.Security.getProvider(Security.java:500)
	at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:276)
	at java.security.SecureRandom.<init>(SecureRandom.java:228)
	at java.io.File$TempDirectory.<clinit>(File.java:1955)
	at java.io.File.createTempFile(File.java:2115)
	at org.eclipse.osgi.storagemanager.StorageManager.initializeInstanceFile(StorageManager.java:201)
	at org.eclipse.osgi.storagemanager.StorageManager.open(StorageManager.java:722)
	at org.eclipse.osgi.storage.Storage.getChildStorageManager(Storage.java:2194)
	at org.eclipse.osgi.storage.Storage.getInfoInputStream(Storage.java:2211)
	at org.eclipse.osgi.storage.Storage.<init>(Storage.java:256)
	at org.eclipse.osgi.storage.Storage.createStorage(Storage.java:184)
	at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:108)
	at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:53)
	at org.eclipse.osgi.launch.EquinoxFactory.newFramework(EquinoxFactory.java:35)
	at org.eclipse.osgi.launch.EquinoxFactory.newFramework(EquinoxFactory.java:30)
	at com.ibm.ws.kernel.launch.internal.FrameworkManager.initFramework(FrameworkManager.java:591)
	at com.ibm.ws.kernel.launch.internal.FrameworkManager.launchFramework(FrameworkManager.java:284)
	at com.ibm.ws.kernel.launch.internal.LauncherDelegateImpl.doFrameworkLaunch(LauncherDelegateImpl.java:114)
	at com.ibm.ws.kernel.launch.internal.LauncherDelegateImpl.launchFramework(LauncherDelegateImpl.java:100)
	at com.ibm.ws.kernel.boot.internal.KernelBootstrap.go(KernelBootstrap.java:214)
	at com.ibm.ws.kernel.boot.Launcher.handleActions(Launcher.java:241)
	at com.ibm.ws.kernel.boot.Launcher.createPlatform(Launcher.java:117)
	at com.ibm.ws.kernel.boot.cmdline.EnvCheck.main(EnvCheck.java:59)
	at com.ibm.ws.kernel.boot.cmdline.EnvCheck.main(EnvCheck.java:35)

And as Zainab mentioned, these stacks may usually from the SecureRandom.java, "at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:276)".

That is because, in the SecureRandom.java, if in the restricted security mode, we will check the secure random provider. If the loaded secure random provider equals to the secure random provider specified in the java.security by property "RestrictedSecurityN.securerandom.provider" and "RestrictedSecurityN.securerandom.algorithm", then we will use it.

And in the SecureRandom.java, the loaded providers will return in a list by calling "Providers.getProviderList().providers()". And in this method, it will get all the non-java.base providers by using the class loader in the ServiceLoader.java. And in the ServiceLoader.java, before the provider is loaded, we add a check to check if the provider is allowed in the restricted security mode. If it is not allowed, then we won't loaded it and print out the calling stacks. That is why, from the log file when enable the restricted security log output, the stack trace always print out after the check "The provider XXXXX is not allowed in the restricted security mode".

And from Zainab's checkpoint log file, I see a "NoSuchMethodError" from the CRIU's code. @JasonFengJ9 This "NoSuchMethodError" may need to take a look.

[err] Exception in thread "Default Executor-thread-1" 
[err] java.lang.NoSuchMethodError: org/eclipse/openj9/criu/CRIUSupport.registerPreSnapshotHook(Ljava/lang/Runnable;)Lorg/eclipse/openj9/criu/CRIUSupport; (loaded from jrt:/openj9.criu by <Bootstrap Loader>) called from class io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9 (loaded from file:/criu/20220718_zainab/wlp/lib/io.openliberty.checkpoint_1.0.67.jar by org.eclipse.osgi.internal.loader.EquinoxClassLoader@5ad0af39[io.openliberty.checkpoint:1.0.67.cl220820220718-1101(id=145)]).
[err] 	at io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9.dump(ExecuteCRIU_OpenJ9.java:39)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.checkpoint(CheckpointImpl.java:375)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.checkpointOrExitOnFailure(CheckpointImpl.java:314)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.check(CheckpointImpl.java:309)
[err] 	at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.checkServerReady(FeatureManager.java:824)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.update(FeatureManager.java:787)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.processFeatureChanges(FeatureManager.java:887)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager$1.run(FeatureManager.java:673)
[err] 	at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:245)
[err] 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[err] 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[err] 	at java.base/java.lang.Thread.run(Thread.java:839)

@JasonFengJ9
Copy link
Member

java.lang.NoSuchMethodError: org/eclipse/openj9/criu/CRIUSupport.registerPreSnapshotHook(Ljava/lang/Runnable;)Lorg/eclipse/openj9/criu/CRIUSupport; (loaded from jrt:/openj9.criu by ) called from class io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9 (loaded from file:/criu/20220718_zainab/wlp/lib/io.openliberty.checkpoint_1.0.67.jar by org.eclipse.osgi.internal.loader.EquinoxClassLoader@5ad0af39[io.openliberty.checkpoint:1.0.67.cl220820220718-1101(id=145)])

This is a known issue. The API name CRIUSupport.registerPreSnapshotHook() has been changed. Pls rebase and build.

@taoliult
Copy link
Contributor

@JasonFengJ9
Zainab told me that you will be taking over this PR from her. So please help on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JasonFengJ9 JasonFengJ9 JasonFengJ9 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ZainabF92 @taoliult @JasonFengJ9