[META] Replace Java Security Manager (JSM)

Please describe the end goal of this project

The SecurityManager is going to be disabled permanently in JDK-24 (see please https://openjdk.org/projects/jdk/24/). The purpose of this issue is to explore the possible replacements or/and suggest path forward. So far we have identified the following options:

maintain OpenJDK fork (as mentioned by @pfirmstone)
native Java Agent (dynamic code rewriting, must be low overhead)
Class loader protection
SystemCallFilter (as mentioned by @rmuir)
eBPF (should be on Windows any day now), probably the same category as SystemCallFilter
lightweight in-process VMs (https://github.com/hyperlight-dev/hyperlight)
~GraalVM isolates / sandboxing (https://www.graalvm.org/latest/security-guide/sandboxing/)~ - no Java (Espresso) support, see please https://github.com/opensearch-project/OpenSearch/issues/1687#issuecomment-2485435858 and https://graalvm.slack.com/archives/CPSD12R71/p1731769241953729)
JFR events

So far I am excluding the "radical" solutions:

WebAssembly / WASM
Project Leyden (in development)
JPMS (https://github.com/opensearch-project/OpenSearch/issues/1588)

Supporting References

RFC: https://github.com/opensearch-project/OpenSearch/issues/1687

Issues

[ ] #16633

Related component

Other

opensearch-project / OpenSearch

[META] Replace Java Security Manager (JSM) #16634

Please describe the end goal of this project

Supporting References

Issues

Related component