Add rules for prng_seeder
The process has exclusive access to /dev/hw_random. It instead provides
a socket (/dev/prng_seeder/socket) which any process can
connect to in order to get random numbers.
This CL is basically a Microdroid version of aosp/2215051
Bug: 247781653
Test: same as aosp/I0a7e339115a2cf6b819730dcf5f8b189a339c57d
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
Change-Id: I3483132ead0f5d101b5b3365f78cc36d89528f0e
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index d300679..13e359a 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -233,6 +233,9 @@
allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms;
+# Allow all processes to connect to PRNG seeder daemon.
+unix_socket_connect(domain, prng_seeder, prng_seeder)
+
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
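Review bot: The comment above the new `unix_socket_connect(domain, prng_seeder, prng_seeder)` line says who may connect but not what is granted, which is what ties this hunk to the new `prng_seeder_socket` type in file.te and the `/dev/socket/prng_seeder` label in file_contexts. Per the te_macros definition the macro expands to `write` on `prng_seeder_socket:sock_file` and `connectto` on `prng_seeder:unix_stream_socket` for every domain. Suggest `# Allow all processes to connect to PRNG seeder daemon (write on prng_seeder_socket:sock_file, connectto on prng_seeder:unix_stream_socket).` so a later reader sees why the sock_file type must exist and why it must stay world-writable.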
@@ -323,6 +326,7 @@
# Only the kernel hwrng thread should be able to read from the HW RNG.
neverallow {
domain
+ -prng_seeder # PRNG seeder daemon periodically reseeds itself from HW RNG
-shell # For CTS, restricted to just getattr in shell.te
-ueventd # To create the /dev/hw_random file
} hw_random_device:chr_file *;
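Review bot: Excluding `prng_seeder` from this neverallow lifts the assertion for every permission on `hw_random_device:chr_file`, while prng_seeder.te in this change only allows `{ read open }`. A companion assertion keeps the "only the kernel reads the HW RNG" guarantee tight for the one exempted user-space domain, so a future widening of the allow rule fails at policy build rather than silently: `neverallow prng_seeder hw_random_device:chr_file ~{ read open };`. The existing `-shell` exemption is already narrowed this way by the comment's own description ("restricted to just getattr"), so the same treatment here is consistent.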
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index da54361..6f037a3 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -24,3 +24,6 @@
type encryptedstore_file, file_type;
type encryptedstore_fs, fs_type, contextmount_type;
+
+# Filesystem entry for for PRNG seeder socket.
+type prng_seeder_socket, file_type, coredomain_socket;
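Review bot: The comment on the new `prng_seeder_socket` type has a doubled word: `# Filesystem entry for for PRNG seeder socket.` should read `# Filesystem entry for PRNG seeder socket.`. It would also help to name the path it labels, since the label lives in a different file: `# Filesystem entry for PRNG seeder socket (/dev/socket/prng_seeder, see file_contexts).`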
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 0ccb250..8d9ad85 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -66,6 +66,7 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
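Review bot: The path labelled here, `/dev/socket/prng_seeder`, does not match the commit description, which gives the socket as `/dev/prng_seeder/socket`; the prng_seeder.te header in this change also uses `/dev/socket/prng_seeder`, so the description appears to be the one that is wrong. Since the label only applies if init creates the socket at exactly this path, aligning the description avoids a reader looking for the wrong file when checking the `ls -Z` step from the Test: section.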
@@ -120,6 +121,7 @@
/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
+/system/bin/prng_seeder u:object_r:prng_seeder_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
set_prop(init, property_type)
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
diff --git a/microdroid/system/private/prng_seeder.te b/microdroid/system/private/prng_seeder.te
new file mode 100644
index 0000000..24d96ef
--- /dev/null
+++ b/microdroid/system/private/prng_seeder.te
@@ -0,0 +1,14 @@
+# PRNG seeder daemon
+# Started from early init, maintains a FIPS approved DRBG which it periodically reseeds from
+# /dev/hw_random. When BoringSSL (libcrypto) in other processes needs seeding data for its
+# internal DRBGs it will connect to /dev/socket/prng_seeder and the daemon will write a
+# fixed size block of entropy then disconnect. No other IO is performed.
+type prng_seeder, domain, coredomain;
+
+type prng_seeder_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(prng_seeder)
+
+# Socket open and listen are performed by init.
+allow prng_seeder prng_seeder:unix_stream_socket { read write getattr accept };
+allow prng_seeder hw_random_device:chr_file { read open };
+allow prng_seeder kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
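Review bot: The last rule grants unrestricted `ioctl` on `kmsg_debug_device:chr_file`, which is broader than the header comment's "No other IO is performed" suggests and is not explained. If the daemon's ioctl use is known, pair the rule with an `allowxperm prng_seeder kmsg_debug_device:chr_file ioctl { <ioctl-number> };` allowlist (placeholder, the value is not on this page); if it is only a fallback for the logging library, say so in a comment, e.g. `# ioctl needed for kernel log writes via libbase; no allowlist yet.` The socket rule above is well scoped given init does create/bind/listen, so this is the only permission set in the file that is wider than the comments justify.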