ibmruntimes · ZainabF92 · Sep 11, 2022 · Nov 14, 2022 · ZainabF92 · Nov 14, 2022
diff --git a/...openj9/internal/criu/CRIUSECProvider.java → ...classes/openj9/internal/criu/CRIUSEC.java b/...openj9/internal/criu/CRIUSECProvider.java → ...classes/openj9/internal/criu/CRIUSEC.java
@@ -28,21 +28,21 @@
 import java.security.Provider;
 
 /**
- * The CRIUSECProvider is a security provider that is used as follows when CRIU
- * is enabled. During the checkpoint phase, all other security providers are
- * removed, except CRIUSECProvider, and the digests are cleared, to ensure that
- * no state is saved during checkpoint that is then restored during the restore
- * phase. During the resore phase, CRIUSECProvider is removed and the other
- * security providers are added back.
+ * The CRIUSEC is a security provider that is used as follows when CRIU is
+ * enabled. During the checkpoint phase, all other security providers are
+ * removed, except CRIUSEC, and the digests are cleared, to ensure that no
+ * state is saved during checkpoint that is then restored during the restore
+ * phase. During the resore phase, CRIUSEC is removed and the other security
+ * providers are added back.
  */
-public final class CRIUSECProvider extends Provider {
+public final class CRIUSEC extends Provider {
 
  private static final long serialVersionUID = -3240458633432287743L;
 
- public CRIUSECProvider() {
+ public CRIUSEC() {
  super("CRIUSEC", "1", "CRIUSEC Provider");
 
- String packageName = CRIUSECProvider.class.getPackage().getName() + ".";
+ String packageName = CRIUSEC.class.getPackage().getName() + ".";
 
  String[] aliases = new String[] { "SHA",
  "SHA1",

diff --git a/.../src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java b/.../src/java.base/share/classes/openj9/internal/security/RestrictedSecurityConfigurator.java
@@ -37,6 +37,10 @@
 
 import sun.security.util.Debug;
 
+/*[IF CRIU_SUPPORT]*/
+import openj9.internal.criu.InternalCRIUSupport;
+/*[ENDIF] CRIU_SUPPORT*/
+
 /**
  * Configures the security providers when in restricted security mode.
  */
@@ -72,8 +76,18 @@ public String[] run() {
  }
  });
  userEnabledFIPS = Boolean.parseBoolean(props[0]);
+ String securitySetting = props[1];
  // If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1.
- userSecuritySetting = userEnabledFIPS ? "1" : props[1];
+ if (Boolean.parseBoolean(props[0])) {
+ securitySetting = "1";
+ }
+ /*[IF CRIU_SUPPORT]*/
+ // If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
+ if (InternalCRIUSupport.isCheckpointAllowed()) {
+ securitySetting = "2";
+ }
+ /*[ENDIF] CRIU_SUPPORT*/
+ userSecuritySetting = securitySetting;
  userEnabledSecurity = !isNullOrBlank(userSecuritySetting);
  isSecuritySupported = "Linux".equalsIgnoreCase(props[2])
  && supportPlatforms.contains(props[3]);
@@ -86,14 +100,24 @@ private RestrictedSecurityConfigurator() {
 
  /**
  * Restricted security mode will be enabled only if the semeru.fips system
- * property is true (default as false).
+ * property is true (default as false), or semeru.restrictedsecurity is set,
+ * or CRIU checkpoint mode is enabled.
  *
  * @return true if restricted security is enabled
  */
  public static boolean isEnabled() {
  return securityEnabled;
  }
 
+/*[IF CRIU_SUPPORT]*/
+ /**
+ * Disables the restricted security mode.
+ */
+ public static void disable() {
+ securityEnabled = false;
+ }
+/*[ENDIF] CRIU_SUPPORT*/
+
  /**
  * Remove the security providers and only add the restricted security providers.
  *

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -135,6 +135,26 @@ RestrictedSecurity1.javax.net.ssl.keyStore = NONE
 
 RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
 RestrictedSecurity1.securerandom.algorithm = PKCS11
+
+RestrictedSecurity2.desc.name = CRIU
+RestrictedSecurity2.desc.number = 1
+RestrictedSecurity2.desc.policy = Security
+RestrictedSecurity2.desc.sunsetDate = 2030-01-01
+
+RestrictedSecurity2.tls.disabledNamedCurves =
+RestrictedSecurity2.tls.disabledAlgorithms =
+RestrictedSecurity2.tls.ephemeralDHKeySize =
+RestrictedSecurity2.tls.legacyAlgorithms =
+
+RestrictedSecurity2.jce.certpath.disabledAlgorithms =
+RestrictedSecurity2.jce.legacyAlgorithms =
+RestrictedSecurity2.jce.provider.1 = openj9.internal.criu.CRIUSEC
+
+RestrictedSecurity2.keystore.type =
+RestrictedSecurity2.javax.net.ssl.keyStore =
+
+RestrictedSecurity2.securerandom.provider = CRIUSEC
+RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
 #endif
 
 #