Update sepolicy prebuilts for PRNG seeder changes.
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev. If needed we can add this to
AOSP later.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
This commit is contained in:
Pete Bentley
parent
efa9e1111a
commit
ff0cf6f2a8
12 changed files with 40 additions and 1 deletions
|
|
@ -159,6 +159,7 @@ neverallow app_zygote {
|
|||
neverallow app_zygote {
|
||||
domain
|
||||
-app_zygote
|
||||
-prng_seeder
|
||||
userdebug_or_eng(`-su')
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
userdebug_or_eng(`-traced_perf')
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@
|
|||
mdns_service
|
||||
nearby_service
|
||||
persist_wm_debug_prop
|
||||
prng_seeder
|
||||
proc_watermark_boost_factor
|
||||
proc_watermark_scale_factor
|
||||
remotelyprovisionedkeypool_service
|
||||
|
|
|
|||
|
|
@ -112,6 +112,9 @@ allow domain linkerconfig_file:file r_file_perms;
|
|||
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
|
||||
allow domain boringssl_self_test_marker:dir search;
|
||||
|
||||
# Allow all processes to connect to PRNG seeder daemon.
|
||||
unix_socket_connect(domain, prng_seeder, prng_seeder)
|
||||
|
||||
# No domains other than a select few can access the misc_block_device. This
|
||||
# block device is reserved for OTA use.
|
||||
# Do not assert this rule on userdebug/eng builds, due to some devices using
|
||||
|
|
@ -496,6 +499,7 @@ full_treble_only(`
|
|||
-logd # Logging by writing to logd Unix domain socket is public API
|
||||
-netd # netdomain needs this
|
||||
-mdnsd # netdomain needs this
|
||||
-prng_seeder # Any process using libcrypto needs this
|
||||
userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
|
||||
-init
|
||||
-tombstoned # linker to tombstoned
|
||||
|
|
|
|||
|
|
@ -115,3 +115,8 @@ type sepolicy_metadata_file, file_type;
|
|||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
||||
# property labeled.
|
||||
type sepolicy_test_file, file_type;
|
||||
|
||||
# Filesystem entry for for PRNG seeder socket. Processes require
|
||||
# write permission on this to connect, and needs to be mlstrustedobject
|
||||
# in to satisfy MLS constraints for trusted domains.
|
||||
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
|
|
|
|||
|
|
@ -149,6 +149,7 @@
|
|||
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
|
||||
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
|
||||
/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
|
||||
/dev/socket/property_service u:object_r:property_socket:s0
|
||||
/dev/socket/racoon u:object_r:racoon_socket:s0
|
||||
/dev/socket/recovery u:object_r:recovery_socket:s0
|
||||
|
|
@ -220,6 +221,7 @@
|
|||
/system/bin/bcc u:object_r:rs_exec:s0
|
||||
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
|
||||
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
|
||||
/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
|
||||
/system/bin/charger u:object_r:charger_exec:s0
|
||||
/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
|
||||
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
|
||||
|
|
|
|||
|
|
@ -108,6 +108,9 @@ neverallow { domain -init } keystore_listen_prop:property_service set;
|
|||
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
||||
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
||||
|
||||
# PRNG seeder daemon socket is created and listened on by init before forking.
|
||||
allow init prng_seeder:unix_stream_socket { create bind listen };
|
||||
|
||||
# Devices with kernels where CONFIG_HIST_TRIGGERS isn't enabled will
|
||||
# attempt to write a non exisiting 'synthetic_events' file, when setting
|
||||
# up synthetic events. This is a no-op in tracefs.
|
||||
|
|
|
|||
17
prebuilts/api/33.0/private/prng_seeder.te
Normal file
17
prebuilts/api/33.0/private/prng_seeder.te
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
# PRNG seeder daemon
|
||||
# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
|
||||
# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
|
||||
# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
|
||||
# fixed size block of entropy then disconnect. No other IO is performed.
|
||||
typeattribute prng_seeder coredomain;
|
||||
|
||||
# mlstrustedsubject required in order to allow connections from trusted app domains.
|
||||
typeattribute prng_seeder mlstrustedsubject;
|
||||
|
||||
type prng_seeder_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(prng_seeder)
|
||||
|
||||
# Socket open and listen are performed by init.
|
||||
allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
|
||||
allow prng_seeder hw_random_device:chr_file { read open };
|
||||
allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
|
||||
|
|
@ -421,6 +421,7 @@ neverallow { domain -init } kernel:security setsecparam;
|
|||
# Only the kernel hwrng thread should be able to read from the HW RNG.
|
||||
neverallow {
|
||||
domain
|
||||
-prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
|
||||
-shell # For CTS, restricted to just getattr in shell.te
|
||||
-ueventd # To create the /dev/hw_random file
|
||||
} hw_random_device:chr_file *;
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ neverallow hal_configstore_server {
|
|||
domain
|
||||
-hal_configstore_server
|
||||
-logd
|
||||
-prng_seeder
|
||||
userdebug_or_eng(`-su')
|
||||
-tombstoned
|
||||
userdebug_or_eng(`-heapprofd')
|
||||
|
|
|
|||
2
prebuilts/api/33.0/public/prng_seeder.te
Normal file
2
prebuilts/api/33.0/public/prng_seeder.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# PRNG seeder daemon
|
||||
type prng_seeder, domain;
|
||||
|
|
@ -281,7 +281,8 @@ get_prop(vendor_init, device_config_vendor_system_native_boot_prop)
|
|||
###
|
||||
|
||||
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
|
||||
neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
|
||||
neverallow_establish_socket_comms(vendor_init, {
|
||||
domain -init -logd -prng_seeder -su -vendor_init });
|
||||
|
||||
# The vendor_init domain is only entered via an exec based transition from the
|
||||
# init domain, never via setcon().
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@
|
|||
mdns_service
|
||||
nearby_service
|
||||
persist_wm_debug_prop
|
||||
prng_seeder
|
||||
proc_watermark_boost_factor
|
||||
proc_watermark_scale_factor
|
||||
remotelyprovisionedkeypool_service
|
||||
|
|
|
|||
Loading…
Reference in a new issue