diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d30067925..13e359a8e 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@ allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
 allow domain task_profiles_api_file:file r_file_perms;
 
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
 neverallow domain cgroup_v2:file create;
@@ -323,6 +326,7 @@ neverallow { domain -init } kernel:security setsecparam;
 # Only the kernel hwrng thread should be able to read from the HW RNG.
 neverallow {
   domain
+  -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
   -shell # For CTS, restricted to just getattr in shell.te
   -ueventd # To create the /dev/hw_random file
 } hw_random_device:chr_file *;
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index da5436151..6f037a38d 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -24,3 +24,6 @@ type e2fs_exec, system_file_type, exec_type, file_type;
 
 type encryptedstore_file, file_type;
 type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0ccb250bd..8d9ad85d4 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
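Review bot: The comment on the new `unix_socket_connect(domain, prng_seeder, prng_seeder)` line says what is granted but not why granting it to every domain in the guest is acceptable; the justification lives only in prng_seeder.te's header (the daemon writes one fixed-size block and disconnects, no other IO). Since `domain` covers every process, the reviewer of a future change to the daemon's socket rules will look here first, so the comment should carry the contract, e.g. `# Allow all processes to connect to PRNG seeder daemon. The daemon only writes a fixed-size` / `# block of seed material and disconnects; it never reads from the client (see prng_seeder.te).`. If I read the macro correctly this also expands to write on `prng_seeder_socket:sock_file`, so the rule depends on the file.te type and the file_contexts label added in this same change.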
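Review bot: The `-prng_seeder` carve-out in the hw_random_device neverallow exempts the daemon from the full `*` permission set, while prng_seeder.te in this change grants it only `{ read open }`; after this hunk nothing stops a later `allow prng_seeder hw_random_device:chr_file` addition from widening access to the hardware RNG without tripping the neverallow. The inline comment should say that the read-only intent now rests on the allow rule alone, e.g. `-prng_seeder # Reseeds its DRBG from HW RNG; keep to { read open } in prng_seeder.te`. If the stricter intent is worth enforcing, a narrower rule in prng_seeder.te would pin it, `neverallow prng_seeder hw_random_device:chr_file ~{ open read };`, but confirm first that no existing microdroid rule grants the daemon other chr_file permissions on dev_type, since a conflicting neverallow fails the policy build. The whole neverallow block is visible in the hunk.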
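Review bot: The comment on the new `prng_seeder_socket` type has a doubled word; `# Filesystem entry for for PRNG seeder socket.` should read `# Filesystem entry for the PRNG seeder socket.`. It would also help readers to state that this type labels the `/dev/socket/prng_seeder` entry (file_contexts in this change) and is distinct from the `prng_seeder` label on the socket object itself, which init.te and prng_seeder.te use for `unix_stream_socket` rules; the two are easy to confuse when auditing who may reach the daemon.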
@@ -66,6 +66,7 @@
 /dev/rtc[0-9] u:object_r:rtc_device:s0
 /dev/socket(/.*)? u:object_r:socket_device:s0
 /dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service u:object_r:property_socket:s0
 /dev/socket/statsdw u:object_r:statsdw_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
@@ -120,6 +121,7 @@
 /system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
 /system/bin/mke2fs u:object_r:e2fs_exec:s0
 /system/bin/kexec_load u:object_r:kexec_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
 /system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775eca..5ad30e5b7 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@ allow init fuse:dir { search getattr };
 
 set_prop(init, property_type)
 allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 000000000..24d96ef09
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
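Review bot: The new init.te rule grants `create bind listen` on `prng_seeder:unix_stream_socket`, but the comment does not explain why the socket object carries the daemon's domain label rather than the `prng_seeder_socket` type that file_contexts in this change assigns to `/dev/socket/prng_seeder`; presumably init creates the socket with the service's context before forking, which is what makes the daemon's later `accept` on its own `prng_seeder:unix_stream_socket` work. A one-line addition would make the pairing auditable, e.g. `# The socket object is labelled with the daemon's domain; the /dev/socket entry is prng_seeder_socket.`. This hunk adds no rule for init on `prng_seeder_socket:sock_file`, so creating the filesystem entry presumably relies on an existing broader init rule not visible here; confirm and mention it.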
@@ -0,0 +1,14 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
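Review bot: The last rule grants unrestricted `ioctl` on `kmsg_debug_device:chr_file` with no accompanying ioctl allowlist, which is wider than a daemon that only writes log lines should need; if no ioctl is actually issued, drop it to `{ w_file_perms getattr }`, and if one is needed, pair the rule with `allowxperm prng_seeder kmsg_debug_device:chr_file ioctl { <IOCTL_CMD_PLACEHOLDER> };` so only that command is permitted. The header says "No other IO is performed", yet the socket rule grants `read` on `prng_seeder:unix_stream_socket`; a short why-comment (for example that it is required for poll or orderly shutdown of accepted connections) would stop a later reviewer from reading it as the daemon accepting client data. The header would also benefit from naming the two labels involved, `prng_seeder` for the socket object and `prng_seeder_socket` for the `/dev/socket/prng_seeder` entry, since both are introduced by this change.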