Add rules for prng_seeder
The process has exclusive access to /dev/hw_random. It instead
provides a socket (/dev/prng_seeder/socket) which any process can
connect to in order to get random numbers.
This CL is basically a Microdroid version of aosp/2215051
Bug: 247781653
Test: same as aosp/I0a7e339115a2cf6b819730dcf5f8b189a339c57d
* Verify prng_seeder daemon is running and has the correct label (via ps -Z)
* Verify prng_seeder socket present and has correct label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections (e.g. strace -f -p `pgrep prng_seeder`)
Change-Id: I3483132ead0f5d101b5b3365f78cc36d89528f0e
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 283775e..5ad30e5 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -435,3 +435,6 @@
set_prop(init, property_type)
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+
+# PRNG seeder daemon socket is created and listened on by init before forking.
+allow init prng_seeder:unix_stream_socket { create bind listen };
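Review bot: The `prng_seeder` type referenced by the new rule `allow init prng_seeder:unix_stream_socket { create bind listen };` is neither declared nor given a file/socket context in this hunk, so on its own the policy will not compile and the socket will not receive that label; please point reviewers at (or include in this CL) the `prng_seeder` type declaration and the `socket ... seclabel u:r:prng_seeder:s0` line in the daemon's init .rc that makes init create the socket with this label. The permission set itself is appropriately narrow: because the comment states init only creates and listens before forking, `accept`, `read` and `write` are correctly left to the daemon's own domain, and client `connectto` rules (which the commit message implies are granted to "any process") belong to the client domains, not to init, so they should be reviewed where they are added rather than here.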