ff0cf6f2a8
Cherry-pick note: This contains the original AOSP change plus
an addition to private/compat/32.0/32.0.ignore.cil which
does not _appear_ to be required on AOSP and future releases
but is required for tm-dev. If needed we can add this to
AOSP later.
Bug: 243933553
Test: m sepolicy_freeze_test
Change-Id: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
Merged-In: Idc011c66dfe71aa6c8dfdbc0b0377d2957571b83
(cherry picked from commit 96268c6622)
17 lines
898 B
Text
17 lines
898 B
Text
# PRNG seeder daemon
|
|
# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
|
|
# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
|
|
# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
|
|
# fixed size block of entropy then disconnect. No other IO is performed.
|
|
typeattribute prng_seeder coredomain;
|
|
|
|
# mlstrustedsubject required in order to allow connections from trusted app domains.
|
|
typeattribute prng_seeder mlstrustedsubject;
|
|
|
|
type prng_seeder_exec, system_file_type, exec_type, file_type;
|
|
init_daemon_domain(prng_seeder)
|
|
|
|
# Socket open and listen are performed by init.
|
|
allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
|
|
allow prng_seeder hw_random_device:chr_file { read open };
|
|
allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
|