Merge "Add rules for prng_seeder" am: f59f5d2eba
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2364952 Change-Id: I3665fbd4ffa736fc25b3b4ba0d8533af64a85ede Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
2053d9c986
5 changed files with 26 additions and 0 deletions
|
@ -233,6 +233,9 @@ allow domain cgroup_rc_file:file r_file_perms;
|
|||
allow domain task_profiles_file:file r_file_perms;
|
||||
allow domain task_profiles_api_file:file r_file_perms;
|
||||
|
||||
# Allow all processes to connect to PRNG seeder daemon.
|
||||
unix_socket_connect(domain, prng_seeder, prng_seeder)
|
||||
|
||||
# cgroupfs directories can be created, but not files within them.
|
||||
neverallow domain cgroup:file create;
|
||||
neverallow domain cgroup_v2:file create;
|
||||
|
@ -323,6 +326,7 @@ neverallow { domain -init } kernel:security setsecparam;
|
|||
# Only the kernel hwrng thread should be able to read from the HW RNG.
|
||||
neverallow {
|
||||
domain
|
||||
-prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
|
||||
-shell # For CTS, restricted to just getattr in shell.te
|
||||
-ueventd # To create the /dev/hw_random file
|
||||
} hw_random_device:chr_file *;
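Review bot: The new `-prng_seeder` exemption lifts the whole `*` restriction on hw_random_device for the daemon, although prng_seeder.te in this same change only grants it `{ read open }`; unlike the shell exemption, whose comment says the real access is capped in shell.te, nothing in the policy caps the daemon's access, so a later over-broad allow rule would not be caught at build time. A narrower statement keeps the invariant enforceable: `neverallow prng_seeder hw_random_device:chr_file ~{ read open };` placed after this block (extend the set with getattr only if the daemon is found to stat the device). The first hunk of this file, granting every domain `unix_socket_connect(domain, prng_seeder, prng_seeder)`, matches the daemon description and is not affected.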
|
||||
|
|
|
@ -24,3 +24,6 @@ type e2fs_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
type encryptedstore_file, file_type;
|
||||
type encryptedstore_fs, fs_type, contextmount_type;
|
||||
|
||||
# Filesystem entry for for PRNG seeder socket.
|
||||
type prng_seeder_socket, file_type, coredomain_socket;
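Review bot: The comment above the new type has a duplicated word, `# Filesystem entry for for PRNG seeder socket.`; suggest `# Label for the /dev/socket/prng_seeder socket file that clients connect to.` so it also names the path the type is attached to in file_contexts by this change. Documentation only.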
|
||||
|
|
|
@ -66,6 +66,7 @@
|
|||
/dev/rtc[0-9] u:object_r:rtc_device:s0
|
||||
/dev/socket(/.*)? u:object_r:socket_device:s0
|
||||
/dev/socket/adbd u:object_r:adbd_socket:s0
|
||||
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
|
||||
/dev/socket/property_service u:object_r:property_socket:s0
|
||||
/dev/socket/statsdw u:object_r:statsdw_socket:s0
|
||||
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
|
||||
|
@ -120,6 +121,7 @@
|
|||
/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
|
||||
/system/bin/mke2fs u:object_r:e2fs_exec:s0
|
||||
/system/bin/kexec_load u:object_r:kexec_exec:s0
|
||||
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
|
||||
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
|
||||
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
|
||||
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
|
||||
|
|
|
@ -435,3 +435,6 @@ allow init fuse:dir { search getattr };
|
|||
set_prop(init, property_type)
|
||||
|
||||
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
|
||||
|
||||
# PRNG seeder daemon socket is created and listened on by init before forking.
|
||||
allow init prng_seeder:unix_stream_socket { create bind listen };
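Review bot: The comment should state why this rule targets the daemon's type rather than init's own: the socket object is labelled `prng_seeder`, init only creates, binds and listens on it, and the accept side is granted in prng_seeder.te, so neither domain holds the full create-through-accept set. Suggested wording: `# PRNG seeder daemon socket (labelled prng_seeder) is created, bound and listened on by init before forking; the daemon only accepts on it (see prng_seeder.te).` Documentation only.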
|
||||
|
|
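--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,14 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };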