Add CRIU security hooks

jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java

@@ -195,6 +195,11 @@ public static String getErrorMessage() {
 	 */
 	private static final int RESTORE_ENVIRONMENT_VARIABLES_PRIORITY = 100;
 	private static final int USER_HOOKS_PRIORITY = 1;
+	/* RESET_DIGESTS_PRIORITY and RESTORE_SECURITY_PROVIDERS_PRIORITY need to
+	 * be higher than any other JVM hook that may require security providers.
+	 */
+	static final int RESET_DIGESTS_PRIORITY = 100;
+	static final int RESTORE_SECURITY_PROVIDERS_PRIORITY = 100;
 
 	private String imageDir;
 	private boolean leaveRunning;
@@ -580,9 +585,13 @@ private static RestoreException throwSetEnvException(Throwable cause) {
 	 *                                       restore
 	 */
 	public synchronized void checkpointJVM() {
-		/* Add env variables restore hook */
+		/* Add env variables restore hook. */
 		registerRestoreEnvVariables();
 
+		/* Add security provider hooks. */
+		SecurityProviders.registerResetDigests();
+		SecurityProviders.registerRestoreSecurityProviders();
+
 		if (InternalCRIUSupport.isCheckpointAllowed()) {
 			init();
 			checkpointJVMImpl(imageDir, leaveRunning, shellJob, extUnixSupport, logLevel, logFile, fileLocks, workDir,

jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/SecurityProviders.java

@@ -0,0 +1,67 @@
+/*[INCLUDE-IF CRIU_SUPPORT]*/
+/*******************************************************************************
+ * Copyright (c) 2022, 2022 IBM Corp. and others
+ *
+ * This program and the accompanying materials are made available under
+ * the terms of the Eclipse Public License 2.0 which accompanies this
+ * distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+ * or the Apache License, Version 2.0 which accompanies this distribution and
+ * is available at https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * This Source Code may also be made available under the following
+ * Secondary Licenses when the conditions for such availability set
+ * forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+ * General Public License, version 2 with the GNU Classpath
+ * Exception [1] and GNU General Public License, version 2 with the
+ * OpenJDK Assembly Exception [2].
+ *
+ * [1] https://www.gnu.org/software/classpath/license.html
+ * [2] http://openjdk.java.net/legal/assembly-exception.html
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 OR LicenseRef-GPL-2.0 WITH Assembly-exception
+ *******************************************************************************/
+package org.eclipse.openj9.criu;
+
+import openj9.internal.criu.InternalCRIUSupport;
+import openj9.internal.criu.security.CRIUConfigurator;
+
+/**
+ * Handles the security providers.
+ * The CRIUSECProvider is a security provider that is used as follows when CRIU
+ * is enabled. During the checkpoint phase, all security providers are removed
+ * from the system properties (which are read from security.java) and CRIUSEC is
+ * added to the system properties. The pre-checkpoint hook clears the digests,
+ * to ensure that no state is saved during checkpoint that would be restored
+ * during the restore phase. During the resore phase, CRIUSEC is removed from
+ * the provider list and the other security providers are added back to the
+ * system properties. A new provider list is created from the system properties.
+ */
+public final class SecurityProviders {
+
+	private SecurityProviders() {}
+
+	/**
+	 * Resets the security digests during checkpoint.
+	 */
+	public static void registerResetDigests() {
+		J9InternalCheckpointHookAPI.registerPreCheckpointHook(
+				CRIUSupport.RESET_DIGESTS_PRIORITY,
+				"Reset the digests", //$NON-NLS-1$
+				() -> openj9.internal.criu.CRIUSECProvider.resetDigests()
+		);
+	}
+
+	/**
+	 * Adds the security providers during restore.
+	 */
+	public static void registerRestoreSecurityProviders() {
+		J9InternalCheckpointHookAPI.registerPostRestoreHook(
+				CRIUSupport.RESTORE_SECURITY_PROVIDERS_PRIORITY,
+				"Restore the security providers", //$NON-NLS-1$
+				() -> {
+					if (InternalCRIUSupport.isCheckpointAllowed()) {
+						CRIUConfigurator.setCRIURestoreMode();
+					}
+				});
+	}
+}

test/functional/cmdLineTests/criu/criuRandomScript.sh

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+#
+# Copyright (c) 2022, 2022 IBM Corp. and others
+#
+# This program and the accompanying materials are made available under
+# the terms of the Eclipse Public License 2.0 which accompanies this
+# distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+# or the Apache License, Version 2.0 which accompanies this distribution and
+# is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# This Source Code may also be made available under the following
+# Secondary Licenses when the conditions for such availability set
+# forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+# General Public License, version 2 with the GNU Classpath
+# Exception [1] and GNU General Public License, version 2 with the
+# OpenJDK Assembly Exception [2].
+#
+# [1] https://www.gnu.org/software/classpath/license.html
+# [2] http://openjdk.java.net/legal/assembly-exception.html
+#
+# SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 OR LicenseRef-GPL-2.0 WITH Assembly-exception
+#
+
+echo "start running script"
+# the expected arguments are:
+# $1 is the TEST_ROOT
+# $2 is the JAVA_COMMAND
+# $3 is the JVM_OPTIONS
+# $4 is the test type
+if [ "$4" = "Checkpoint" ]
+then
+    # append to the file to capture the output before checkpoint and after both restores
+    $2 $3 -XX:+EnableCRIUSupport -cp $1/criu.jar CRIURandomTest >>testOutput 2>&1
+fi
+if [ "$4" = "FirstRestore" ] || [ "$4" = "SecondRestore" ]
+then
+    sleep 2
+    criu restore -D cpData --shell-job
+fi
+cat testOutput
+if [ "$4" = "SecondRestore" ]
+then
+    rm -rf testOutput
+fi
+echo "finished script"

test/functional/cmdLineTests/criu/criuSecurityScript.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+#
+# Copyright (c) 2022, 2022 IBM Corp. and others
+#
+# This program and the accompanying materials are made available under
+# the terms of the Eclipse Public License 2.0 which accompanies this
+# distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+# or the Apache License, Version 2.0 which accompanies this distribution and
+# is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# This Source Code may also be made available under the following
+# Secondary Licenses when the conditions for such availability set
+# forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+# General Public License, version 2 with the GNU Classpath
+# Exception [1] and GNU General Public License, version 2 with the
+# OpenJDK Assembly Exception [2].
+#
+# [1] https://www.gnu.org/software/classpath/license.html
+# [2] http://openjdk.java.net/legal/assembly-exception.html
+#
+# SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 OR LicenseRef-GPL-2.0 WITH Assembly-exception
+#
+
+echo "start running script"
+# the expected arguments are:
+# $1 is the TEST_ROOT
+# $2 is the JAVA_COMMAND
+# $3 is the JVM_OPTIONS
+$2 $3 -XX:+EnableCRIUSupport -cp $1/criu.jar CRIUSecurityTest >testOutput 2>&1
+criu restore -D cpData --shell-job
+cat testOutput
+rm -rf testOutput
+echo "finished script"

test/functional/cmdLineTests/criu/criu_random.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
+
+<!--
+  Copyright (c) 2022, 2022 IBM Corp. and others
+
+  This program and the accompanying materials are made available under
+  the terms of the Eclipse Public License 2.0 which accompanies this
+  distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+  or the Apache License, Version 2.0 which accompanies this distribution and
+  is available at https://www.apache.org/licenses/LICENSE-2.0.
+
+  This Source Code may also be made available under the following
+  Secondary Licenses when the conditions for such availability set
+  forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+  General Public License, version 2 with the GNU Classpath
+  Exception [1] and GNU General Public License, version 2 with the
+  OpenJDK Assembly Exception [2].
+
+  [1] https://www.gnu.org/software/classpath/license.html
+  [2] http://openjdk.java.net/legal/assembly-exception.html
+
+  SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 OR LicenseRef-GPL-2.0 WITH Assembly-exception
+-->
+
+<!DOCTYPE suite SYSTEM "cmdlinetester.dtd">
+
+<suite id="J9 Criu Command-Line Option Tests" timeout="300">
+
+  <test id="Create Criu Checkpoint Image">
+    <command>bash $SCRIPPATH$ $TEST_RESROOT$ $JAVA_COMMAND$ $JVM_OPTIONS$ "Checkpoint"</command>
+    <output type="success" caseSensitive="no" regex="no">Killed</output>
+    <output type="required" caseSensitive="yes" regex="no">Pre-checkpoint</output>
+    <output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+    <output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+    <output type="failure" caseSensitive="yes" regex="no">ERR</output>
+  </test>
+
+  <test id="First Restore of Criu Checkpoint Image">
+    <command>bash $SCRIPPATH$ $TEST_RESROOT$ $JAVA_COMMAND$ $JVM_OPTIONS$ "FirstRestore"</command>
+    <output type="success" caseSensitive="yes" regex="no">First Restore</output>
+    <output type="required" caseSensitive="yes" regex="no">Post-checkpoint</output>
+    <output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+    <output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+    <output type="failure" caseSensitive="yes" regex="no">ERR</output>
+    <output type="failure" caseSensitive="yes" regex="no">Can't open dir cpData: No such file or directory</output>
+  </test>
+
+  <test id="Second Restore of Criu Checkpoint Image">
+    <command>bash $SCRIPPATH$ $TEST_RESROOT$ $JAVA_COMMAND$ $JVM_OPTIONS$ "SecondRestore"</command>
+    <output type="success" caseSensitive="yes" regex="no">Different random values</output>
+    <output type="required" caseSensitive="yes" regex="no">Post-checkpoint</output>
+    <output type="required" caseSensitive="yes" regex="no">Second Restore</output>
+    <output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+    <output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+    <output type="failure" caseSensitive="yes" regex="no">ERR</output>
+    <output type="failure" caseSensitive="yes" regex="no">Can't open dir cpData: No such file or directory</output>
+  </test>
+
+</suite>

test/functional/cmdLineTests/criu/criu_security.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
+
+<!--
+  Copyright (c) 2022, 2022 IBM Corp. and others
+
+  This program and the accompanying materials are made available under
+  the terms of the Eclipse Public License 2.0 which accompanies this
+  distribution and is available at https://www.eclipse.org/legal/epl-2.0/
+  or the Apache License, Version 2.0 which accompanies this distribution and
+  is available at https://www.apache.org/licenses/LICENSE-2.0.
+
+  This Source Code may also be made available under the following
+  Secondary Licenses when the conditions for such availability set
+  forth in the Eclipse Public License, v. 2.0 are satisfied: GNU
+  General Public License, version 2 with the GNU Classpath
+  Exception [1] and GNU General Public License, version 2 with the
+  OpenJDK Assembly Exception [2].
+
+  [1] https://www.gnu.org/software/classpath/license.html
+  [2] http://openjdk.java.net/legal/assembly-exception.html
+
+  SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0 WITH Classpath-exception-2.0 OR LicenseRef-GPL-2.0 WITH Assembly-exception
+-->
+
+<!DOCTYPE suite SYSTEM "cmdlinetester.dtd">
+
+<suite id="J9 Criu Command-Line Option Tests" timeout="300">
+
+  <test id="Create and Restore Criu Checkpoint Image">
+    <command>bash $SCRIPPATH$ $TEST_RESROOT$ $JAVA_COMMAND$ $JVM_OPTIONS$</command>
+    <output type="success" caseSensitive="no" regex="no">Killed</output>
+    <output type="required" caseSensitive="yes" regex="no">Pre-checkpoint</output>
+    <output type="required" caseSensitive="yes" regex="no">Post-checkpoint</output>
+    <output type="failure" caseSensitive="yes" regex="no">CRIU is not enabled</output>
+    <output type="failure" caseSensitive="yes" regex="no">Operation not permitted</output>
+    <output type="failure" caseSensitive="yes" regex="no">ERR</output>
+  </test>
+
+</suite>

test/functional/cmdLineTests/criu/playlist.xml

@@ -77,4 +77,56 @@
 			<impl>openj9</impl>
 		</impls>
 	</test>
+	<test>
+		<testCaseName>cmdLineTester_criu_security</testCaseName>
+		<variations>
+			<variation>-Denable.j9internal.checkpoint.security.api.debug=true</variation>
+		</variations>
+		<command>
+			$(JAVA_COMMAND) $(JVM_OPTIONS) -Xdump \
+			-DSCRIPPATH=$(TEST_RESROOT)$(D)criuSecurityScript.sh -DTEST_RESROOT=$(TEST_RESROOT) \
+			-DJAVA_COMMAND=$(JAVA_COMMAND) -DJVM_OPTIONS=$(Q)$(JVM_OPTIONS)$(Q) \
+			-jar $(CMDLINETESTER_JAR) -config $(Q)$(TEST_RESROOT)$(D)criu_security.xml$(Q) \
+			-explainExcludes -xids all,$(PLATFORM),$(VARIATION) -nonZeroExitWhenError; \
+			$(TEST_STATUS)
+		</command>
+		<features>
+			<feature>CRIU:required</feature>
+		</features>
+		<levels>
+			<level>sanity</level>
+		</levels>
+		<groups>
+			<group>functional</group>
+		</groups>
+		<impls>
+			<impl>openj9</impl>
+		</impls>
+	</test>
+	<test>
+		<testCaseName>cmdLineTester_criu_random</testCaseName>
+		<variations>
+			<variation>-Denable.j9internal.checkpoint.security.api.debug=true</variation>
+		</variations>
+		<command>
+			$(JAVA_COMMAND) $(JVM_OPTIONS) -Xdump \
+			-DSCRIPPATH=$(TEST_RESROOT)$(D)criuRandomScript.sh -DTEST_RESROOT=$(TEST_RESROOT) \
+			-DJAVA_COMMAND=$(JAVA_COMMAND) -DJVM_OPTIONS=$(Q)$(JVM_OPTIONS)$(Q) \
+			-jar $(CMDLINETESTER_JAR) -config $(Q)$(TEST_RESROOT)$(D)criu_random.xml$(Q) \
+			-explainExcludes -xids all,$(PLATFORM),$(VARIATION) -nonZeroExitWhenError; \
+			$(TEST_STATUS)
+		</command>
+		<features>
+			<feature>CRIU:required</feature>
+		</features>
+		<levels>
+			<level>sanity</level>
+		</levels>
+		<groups>
+			<group>functional</group>
+		</groups>
+		<impls>
+			<impl>openj9</impl>
+		</impls>
+	</test>
 </playlist>