Add a restricted security policy for CRIU #592

Draft: wants to merge 2 commits into base: openj9

Conversation

@ZainabF92 commented Nov 11, 2022

Corresponding PR: eclipse-openj9/openj9#16314

This (the second commit) will enable the security restriction policy for InstantOn; it needs to be merged after openj9-openjdk-jdk11#586.

These changes still need to be tested; I only did preliminary testing. For the WAS workload that loads SunEC during checkpoint, which causes a crash during restore, this change should output a trace to help locate the code that loads SunEC and disable it (@taoliult can help with that if needed).

Signed-off-by: Zainab Fatmi [email protected]

/*[IF CRIU_SUPPORT]*/
// If CRIU checkpoint mode is enabled, use the 2nd restricted security policy.
if (InternalCRIUSupport.isCheckpointAllowed()) {
securitySetting = "2";
Member:

Does this mean the FIPS mode is not compatible w/ CRIU?

*/
public final class CRIUSECProvider extends Provider {
public final class CRIUSEC extends Provider {
Author:

FYI: The provider name needs to be the same as the class name, since the class name is used by the restrictive mode configurator to determine if a provider is allowed or not.

RestrictedSecurity2.javax.net.ssl.keyStore =

RestrictedSecurity2.securerandom.provider = CRIUSEC
RestrictedSecurity2.securerandom.algorithm = SHA1PRNG
Author:

@taoliult SecureRandom is still iterating through the provider list, instead of only instantiating this specified provider.

@taoliult (Contributor) commented Nov 14, 2022

@ZainabF92 @JasonFengJ9

From Zainab's checkpoint log file: if you see the following output, saying "The provider XXXXX is not allowed in the restricted security mode", followed by the stack output, that works as designed, provided the provider XXXXX is not listed in java.security via the property "RestrictedSecurityN.jce.provider.N=" when in the restricted security mode.

[err] semerufips: Checking the provider sun.security.smartcardio.SunPCSC in the restricted security mode.
[err] semerufips: The provider SunPCSC is not allowed in the restricted security mode.
Stack trace:
	at openj9.internal.security.RestrictedSecurityProperties.isProviderAllowed(RestrictedSecurityProperties.java:449)
	at openj9.internal.security.RestrictedSecurityProperties.isProviderAllowed(RestrictedSecurityProperties.java:478)
	at java.util.ServiceLoader.loadProvider(ServiceLoader.java:920)
	at java.util.ServiceLoader$ModuleServicesLookupIterator.hasNext(ServiceLoader.java:1102)
	at java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1333)
	at java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1418)
	at sun.security.jca.ProviderConfig$ProviderLoader.load(ProviderConfig.java:353)
	at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:263)
	at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
	at java.security.AccessController.doPrivileged(AccessController.java:691)
	at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:257)
	at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:237)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:266)
	at sun.security.jca.ProviderList.getIndex(ProviderList.java:296)
	at sun.security.jca.ProviderList.getProviderConfig(ProviderList.java:280)
	at sun.security.jca.ProviderList.getProvider(ProviderList.java:286)
	at java.security.Security.getProvider(Security.java:500)
	at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:276)
	at java.security.SecureRandom.<init>(SecureRandom.java:228)
	at java.io.File$TempDirectory.<clinit>(File.java:1955)
	at java.io.File.createTempFile(File.java:2115)
	at org.eclipse.osgi.storagemanager.StorageManager.initializeInstanceFile(StorageManager.java:201)
	at org.eclipse.osgi.storagemanager.StorageManager.open(StorageManager.java:722)
	at org.eclipse.osgi.storage.Storage.getChildStorageManager(Storage.java:2194)
	at org.eclipse.osgi.storage.Storage.getInfoInputStream(Storage.java:2211)
	at org.eclipse.osgi.storage.Storage.<init>(Storage.java:256)
	at org.eclipse.osgi.storage.Storage.createStorage(Storage.java:184)
	at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:108)
	at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:53)
	at org.eclipse.osgi.launch.EquinoxFactory.newFramework(EquinoxFactory.java:35)
	at org.eclipse.osgi.launch.EquinoxFactory.newFramework(EquinoxFactory.java:30)
	at com.ibm.ws.kernel.launch.internal.FrameworkManager.initFramework(FrameworkManager.java:591)
	at com.ibm.ws.kernel.launch.internal.FrameworkManager.launchFramework(FrameworkManager.java:284)
	at com.ibm.ws.kernel.launch.internal.LauncherDelegateImpl.doFrameworkLaunch(LauncherDelegateImpl.java:114)
	at com.ibm.ws.kernel.launch.internal.LauncherDelegateImpl.launchFramework(LauncherDelegateImpl.java:100)
	at com.ibm.ws.kernel.boot.internal.KernelBootstrap.go(KernelBootstrap.java:214)
	at com.ibm.ws.kernel.boot.Launcher.handleActions(Launcher.java:241)
	at com.ibm.ws.kernel.boot.Launcher.createPlatform(Launcher.java:117)
	at com.ibm.ws.kernel.boot.cmdline.EnvCheck.main(EnvCheck.java:59)
	at com.ibm.ws.kernel.boot.cmdline.EnvCheck.main(EnvCheck.java:35)

And as Zainab mentioned, these stacks usually come from SecureRandom.java, "at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:276)".

That is because, in SecureRandom.java, if in the restricted security mode, we check the secure random provider. If the loaded secure random provider equals the secure random provider specified in java.security by the properties "RestrictedSecurityN.securerandom.provider" and "RestrictedSecurityN.securerandom.algorithm", then we use it.

And in SecureRandom.java, the loaded providers are returned in a list by calling "Providers.getProviderList().providers()". In this method, it gets all the non-java.base providers by using the class loader in ServiceLoader.java. And in ServiceLoader.java, before the provider is loaded, we add a check to see if the provider is allowed in the restricted security mode. If it is not allowed, then we won't load it and we print out the calling stacks. That is why, in the log file when the restricted security log output is enabled, the stack trace is always printed out after the check "The provider XXXXX is not allowed in the restricted security mode".

And from Zainab's checkpoint log file, I see a "NoSuchMethodError" from the CRIU's code. @JasonFengJ9 This "NoSuchMethodError" may need a look.

[err] Exception in thread "Default Executor-thread-1" 
[err] java.lang.NoSuchMethodError: org/eclipse/openj9/criu/CRIUSupport.registerPreSnapshotHook(Ljava/lang/Runnable;)Lorg/eclipse/openj9/criu/CRIUSupport; (loaded from jrt:/openj9.criu by <Bootstrap Loader>) called from class io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9 (loaded from file:/criu/20220718_zainab/wlp/lib/io.openliberty.checkpoint_1.0.67.jar by org.eclipse.osgi.internal.loader.EquinoxClassLoader@5ad0af39[io.openliberty.checkpoint:1.0.67.cl220820220718-1101(id=145)]).
[err] 	at io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9.dump(ExecuteCRIU_OpenJ9.java:39)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.checkpoint(CheckpointImpl.java:375)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.checkpointOrExitOnFailure(CheckpointImpl.java:314)
[err] 	at io.openliberty.checkpoint.internal.CheckpointImpl.check(CheckpointImpl.java:309)
[err] 	at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.checkServerReady(FeatureManager.java:824)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.update(FeatureManager.java:787)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager.processFeatureChanges(FeatureManager.java:887)
[err] 	at com.ibm.ws.kernel.feature.internal.FeatureManager$1.run(FeatureManager.java:673)
[err] 	at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:245)
[err] 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[err] 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[err] 	at java.base/java.lang.Thread.run(Thread.java:839)
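As an added diagnostic (my example, not code from this PR or from OpenJ9), the check below verifies what the two comments above describe: that the default SecureRandom actually resolved to the provider and algorithm configured for the active policy, and which providers ended up registered (forcing the ServiceLoader provider-allowed check to run). It assumes the policy index 2 and the property names from the java.security fragment in this PR; the class and method names are mine.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Added diagnostic: confirm the default PRNG follows the RestrictedSecurityN
 * policy and list the providers that were actually registered.
 */
public final class CheckRestrictedPrng {
    // Assumption: policy index 2 is the one selected for CRIU checkpoint mode.
    private static final String POLICY = "RestrictedSecurity2";

    /** Returns true if the default PRNG comes from the configured provider and algorithm. */
    static boolean defaultPrngMatchesPolicy() {
        // Both keys are read from the java.security file that defines the policy.
        String wantProvider = Security.getProperty(POLICY + ".securerandom.provider");
        String wantAlgorithm = Security.getProperty(POLICY + ".securerandom.algorithm");
        if (wantProvider == null || wantAlgorithm == null) {
            System.err.println(POLICY + " does not configure a secure random provider/algorithm");
            return false;
        }
        // Same resolution path as SecureRandom.getDefaultPRNG() in the stack trace above.
        SecureRandom sr = new SecureRandom();
        boolean ok = wantProvider.equals(sr.getProvider().getName())
                && wantAlgorithm.equalsIgnoreCase(sr.getAlgorithm());
        System.out.printf("default PRNG: %s/%s (expected %s/%s) -> %s%n",
                sr.getProvider().getName(), sr.getAlgorithm(),
                wantProvider, wantAlgorithm, ok ? "OK" : "MISMATCH");
        return ok;
    }

    /**
     * Prints every provider in the JCA provider list together with its class name,
     * so the provider-name/class-name pairing noted in the review can be eyeballed.
     * Walking the full list is what triggers the ServiceLoader allowed-provider check.
     */
    static int listRegisteredProviders() {
        Provider[] providers = Security.getProviders();
        for (Provider p : providers) {
            System.out.printf("registered: %s (%s)%n", p.getName(), p.getClass().getName());
        }
        return providers.length;
    }

    public static void main(String[] args) {
        listRegisteredProviders();
        System.exit(defaultPrngMatchesPolicy() ? 0 : 1);
    }
}
```

Run it with the same java.security and -D options as the checkpointed workload; a non-zero exit, or a "not allowed" trace during the provider listing, points at the provider that should not be loaded before checkpoint.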

@JasonFengJ9 (Member) commented:

> java.lang.NoSuchMethodError: org/eclipse/openj9/criu/CRIUSupport.registerPreSnapshotHook(Ljava/lang/Runnable;)Lorg/eclipse/openj9/criu/CRIUSupport; (loaded from jrt:/openj9.criu by <Bootstrap Loader>) called from class io.openliberty.checkpoint.internal.openj9.ExecuteCRIU_OpenJ9 (loaded from file:/criu/20220718_zainab/wlp/lib/io.openliberty.checkpoint_1.0.67.jar by org.eclipse.osgi.internal.loader.EquinoxClassLoader@5ad0af39[io.openliberty.checkpoint:1.0.67.cl220820220718-1101(id=145)])

This is a known issue. The API name CRIUSupport.registerPreSnapshotHook() has been changed. Please rebase and build.

@taoliult (Contributor) commented:

@JasonFengJ9
Zainab told me that you will be taking over this PR from her. So please help on this.
