git: openjdk/leyden: hermetic-java-runtime: Co-locate {default,exempt}_*.policy files with javax.crypto.JceSecurity in jimage for hermetic Java support.
duke
duke at openjdk.org
Fri Mar 29 19:48:06 UTC 2024
Changeset: c1c5fc68
Author: Jiangli Zhou <jianglizhou at google.com>
Date: 2024-03-29 12:36:35 +0000
URL: https://git.openjdk.org/leyden/commit/c1c5fc686c1452550e1b3663a320fba652248505
Co-locate {default,exempt}_*.policy files with javax.crypto.JceSecurity in jimage for hermetic Java support.
The files include (as in regular JDK binary):
- conf/security/policy/limited/default_US_export.policy
- conf/security/policy/limited/default_local.policy
- conf/security/policy/limited/exempt_local.policy
- conf/security/policy/unlimited/default_US_export.policy
- conf/security/policy/unlimited/default_local.policy
For the hermetic case, I'm currently writing these files in jimage with a {limited|unlimited}_ prefix added to the file names. The files are placed under /java.base/javax/crypto. E.g. conf/security/policy/limited/default_US_export.policy is written as /java.base/javax/crypto/limited_default_US_export.policy, and conf/security/policy/unlimited/default_local.policy is written as /java.base/javax/crypto/unlimited_default_local.policy. That avoids adding new packages for javax/crypto/limited and javax/crypto/unlimited in the java.base module.
Currently the hermetic case is handled in hermeticJurisdictionPolicies() without consolidating code for handling the hermetic and non-hermetic cases.
! make/Images.gmk
! src/java.base/share/classes/javax/crypto/JceSecurity.java.template