Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.

Resolves: rhbz#1997360
2021-08-30 17:03:02 +01:00 · 2021-08-30 17:03:02 +01:00 · 5db4334bb9
parent 25304fcaf5
commit 5db4334bb9
2 changed files with 25 additions and 1 deletions
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@ -343,7 +343,7 @@
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        7
-%global rpmrelease      1
+%global rpmrelease      2
 #%%global tagsuffix      ""
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -1222,6 +1222,7 @@ Patch1007: rh1915071-always_initialise_configurator_access.patch
 Patch1008: rh1929465-improve_system_FIPS_detection.patch
 # RH1996182: Login to the NSS software token in FIPS mode
 Patch1009: rh1996182-login_to_nss_software_token.patch
+Patch1010: rh1996182-extend_security_policy.patch

 #############################################
 #
@ -1622,6 +1623,7 @@ popd # openjdk
 %patch1007
 %patch1008
 %patch1009
+%patch1010

 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -2313,6 +2315,10 @@ require "copy_jdk_configs.lua"
 %endif

 %changelog
+* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-2
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
+- Resolves: rhbz#1997360
+
 * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
 - Add patch to login to the NSS software token when in FIPS mode.
 - Resolves: rhbz#1997360
--- a/rh1996182-extend_security_policy.patch
+++ b/rh1996182-extend_security_policy.patch
@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Mon Aug 30 16:12:52 2021 +0100
+
+    RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+     permission java.lang.RuntimePermission
+                    "accessClassInPackage.com.sun.crypto.provider";
+    permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+     permission java.lang.RuntimePermission
+                    "accessClassInPackage.sun.security.*";
+     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";