Add a restricted security policy for CRIU
Signed-off-by: Zainab Fatmi <[email protected]>
Zainab Fatmi committed Nov 14, 2022
1 parent 8a57641 commit 1fb2d90
Showing 3 changed files with 55 additions and 11 deletions.
Expand Up @@ -28,21 +28,21 @@
import java.security.Provider;

/**
* The CRIUSECProvider is a security provider that is used as follows when CRIU
* is enabled. During the checkpoint phase, all other security providers are
* removed, except CRIUSECProvider, and the digests are cleared, to ensure that
* no state is saved during checkpoint that is then restored during the restore
* phase. During the resore phase, CRIUSECProvider is removed and the other
* security providers are added back.
* The CRIUSEC is a security provider that is used as follows when CRIU is
* enabled. During the checkpoint phase, all other security providers are
* removed, except CRIUSEC, and the digests are cleared, to ensure that no
* state is saved during checkpoint that is then restored during the restore
* phase. During the resore phase, CRIUSEC is removed and the other security
* providers are added back.
*/
public final class CRIUSECProvider extends Provider {
public final class CRIUSEC extends Provider {

private static final long serialVersionUID = -3240458633432287743L;

public CRIUSECProvider() {
public CRIUSEC() {
super("CRIUSEC", "1", "CRIUSEC Provider");

String packageName = CRIUSECProvider.class.getPackage().getName() + ".";
String packageName = CRIUSEC.class.getPackage().getName() + ".";

String[] aliases = new String[] { "SHA",
"SHA1",
Expand Up @@ -37,6 +37,10 @@

import sun.security.util.Debug;

/*[IF CRIU_SUPPORT]*/
import openj9.internal.criu.InternalCRIUSupport;
/*[ENDIF] CRIU_SUPPORT*/

/**
* Configures the security providers when in restricted security mode.
*/
Expand Down Expand Up @@ -72,8 +76,18 @@ public String[] run() {
}
});
userEnabledFIPS = Boolean.parseBoolean(props[0]);
String securitySetting = props[1];
// If semeru.fips is true, then ignore semeru.restrictedsecurity, use userSecurityNum 1.
userSecuritySetting = userEnabledFIPS ? "1" : props[1];
if (Boolean.parseBoolean(props[0])) {
securitySetting = "1";
}
/*[IF CRIU_SUPPORT]*/
// If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
if (InternalCRIUSupport.isCheckpointAllowed()) {
securitySetting = "2";
}
/*[ENDIF] CRIU_SUPPORT*/
userSecuritySetting = securitySetting;
userEnabledSecurity = !isNullOrBlank(userSecuritySetting);
isSecuritySupported = "Linux".equalsIgnoreCase(props[2])
&& supportPlatforms.contains(props[3]);
Expand All @@ -86,14 +100,24 @@ private RestrictedSecurityConfigurator() {

/**
* Restricted security mode will be enabled only if the semeru.fips system
* property is true (default as false).
* property is true (default as false), or semeru.restrictedsecurity is set,
* or CRIU checkpoint mode is enabled.
*
* @return true if restricted security is enabled
*/
public static boolean isEnabled() {
return securityEnabled;
}

/*[IF CRIU_SUPPORT]*/
/**
* Disables the restricted security mode.
*/
public static void disable() {
securityEnabled = false;
}
/*[ENDIF] CRIU_SUPPORT*/

/**
* Remove the security providers and only add the restricted security providers.
*
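Review bot: In the static-initializer hunk the CRIU branch runs after the semeru.fips branch and unconditionally sets `securitySetting = "2"`, so a JVM started with semeru.fips=true or an explicit semeru.restrictedsecurity value is silently moved to the CRIU policy whenever `InternalCRIUSupport.isCheckpointAllowed()` returns true, while `userEnabledFIPS` still holds true. If that precedence is intended, state it at the branch, for example `// Checkpoint mode overrides semeru.fips and semeru.restrictedsecurity; policy 2 is loaded even when FIPS was requested.`, and consider a debug message when a user-supplied setting is discarded. The added `if (Boolean.parseBoolean(props[0]))` also re-parses a value already stored in `userEnabledFIPS` on the line above it. The initializer starts and ends outside the hunk, so later readers of `userEnabledFIPS` could not be checked from this page.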
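--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -135,6 +135,26 @@ RestrictedSecurity1.javax.net.ssl.keyStore = NONE
 
 RestrictedSecurity1.securerandom.provider = SunPKCS11-NSS-FIPS
 RestrictedSecurity1.securerandom.algorithm = PKCS11
+
+RestrictedSecurity2.desc.name = CRIU
+RestrictedSecurity2.desc.number = 1
+RestrictedSecurity2.desc.policy = Security
+RestrictedSecurity2.desc.sunsetDate = 2030-01-01
+
+RestrictedSecurity2.tls.disabledNamedCurves =
+RestrictedSecurity2.tls.disabledAlgorithms =
+RestrictedSecurity2.tls.ephemeralDHKeySize =
+RestrictedSecurity2.tls.legacyAlgorithms =
+
+RestrictedSecurity2.jce.certpath.disabledAlgorithms =
+RestrictedSecurity2.jce.legacyAlgorithms =
+RestrictedSecurity2.jce.provider.1 = openj9.internal.criu.CRIUSEC
+
+RestrictedSecurity2.keystore.type =
+RestrictedSecurity2.javax.net.ssl.keyStore =
+
+RestrictedSecurity2.securerandom.provider = CRIUSEC
+RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
 #endif
 
 #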
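Review bot: The new RestrictedSecurity2 block has no comment saying when it applies or why its restriction lists are empty, and both `RestrictedSecurity2.tls.disabledAlgorithms =` and `RestrictedSecurity2.jce.certpath.disabledAlgorithms =` are blank. If the configurator writes blank values through to the corresponding security properties (not visible on this page), the JDK's default disabled-algorithm lists would be cleared while this policy is active, so that should be confirmed or the defaults repeated here. A leading comment such as `# Policy 2 is selected automatically while a CRIU checkpoint is allowed; it installs only the CRIUSEC provider.` would help, together with a note on how the SHA1PRNG SecureRandom is kept from carrying seeded state into a checkpoint image. `desc.number = 1` and `desc.sunsetDate = 2030-01-01` read like placeholders and would be worth labelling as such.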